Update ratings descriptions in schema files for clarity on VEX usage #722
Conversation
fahedouch
force-pushed
the
vex-ratings-actionable-cyclonedx-conumers
branch
from
b2b999a to
93da22f
Compare
|
@stevespringett please take a look! |
|
I'm fine with these changes. @jkowalleck thoughts? We'll also need to make the same changes to the XML and protobuf schemas as well. Additionally, you can remove the changes to the vulnerability extension. That hasn't been supported for many years. |
fahedouch
force-pushed
the
vex-ratings-actionable-cyclonedx-conumers
branch
2 times, most recently
from
688eef3 to
da03911
Compare
|
@stevespringett thank you for your feedback. fixed. |
There was a problem hiding this comment.
Pull request overview
This pull request updates the documentation for the ratings field in vulnerability objects across CycloneDX schema files to provide normative guidance on their usage in VEX (Vulnerability Exploitability eXchange) contexts. Based on feedback from issue #719, the changes clarify that vulnerability ratings should be treated as actionable inputs for prioritization decisions by VEX consumers.
Changes:
- Adds RFC 2119 normative language (SHOULD/SHOULD NOT) to the
ratingsfield documentation across schema versions 1.6 and 1.7 - Updates documentation in XSD, JSON Schema, and Protocol Buffer formats for consistency
- Emphasizes that ratings from different sources may differ and aid in vulnerability prioritization
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| schema/bom-1.7.xsd | Updated vulnerability ratings documentation to include guidance for VEX consumers |
| schema/bom-1.7.schema.json | Updated vulnerability ratings description with normative language |
| schema/bom-1.7.proto | Updated ratings comment to match normative guidance |
| schema/bom-1.6.xsd | Updated vulnerability ratings documentation for version 1.6 compatibility |
| schema/bom-1.6.schema.json | Updated vulnerability ratings description in JSON schema |
| schema/bom-1.6.proto | Updated ratings comment in Protocol Buffer schema |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
schema/bom-1.7.xsd
Outdated
| <xs:element name="ratings" minOccurs="0" maxOccurs="1"> | ||
| <xs:annotation> | ||
| <xs:documentation xml:lang="en">List of vulnerability ratings.</xs:documentation> | ||
| <xs:documentation xml:lang="en">List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.</xs:documentation> |
There was a problem hiding this comment.
The documentation contains a double negative construction ('SHOULD NOT ignore') which could be simplified for clarity. Consider revising to 'Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context.' This maintains the normative intent while improving readability.
| <xs:documentation xml:lang="en">List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.</xs:documentation> | |
| <xs:documentation xml:lang="en">List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context.</xs:documentation> |
schema/bom-1.6.xsd
Outdated
| <xs:element name="ratings" minOccurs="0" maxOccurs="1"> | ||
| <xs:annotation> | ||
| <xs:documentation xml:lang="en">List of vulnerability ratings.</xs:documentation> | ||
| <xs:documentation xml:lang="en">List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.</xs:documentation> |
There was a problem hiding this comment.
The documentation contains a double negative construction ('SHOULD NOT ignore') which could be simplified for clarity. Consider revising to 'Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context.' This maintains the normative intent while improving readability.
schema/bom-1.7.proto
Outdated
| // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. | ||
| repeated VulnerabilityReference references = 4; | ||
| // List of vulnerability ratings | ||
| // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization. |
There was a problem hiding this comment.
The documentation contains a double negative construction ('SHOULD NOT ignore') which could be simplified for clarity. Consider revising to 'Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context.' This maintains the normative intent while improving readability.
| // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization. | |
| // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context. |
schema/bom-1.6.proto
Outdated
| // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. | ||
| repeated VulnerabilityReference references = 4; | ||
| // List of vulnerability ratings | ||
| // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization. |
There was a problem hiding this comment.
The documentation contains a double negative construction ('SHOULD NOT ignore') which could be simplified for clarity. Consider revising to 'Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context.' This maintains the normative intent while improving readability.
| // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization. | |
| // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and provide valuable context. |
Signed-off-by: fahed dorgaa <[email protected]>
… and revert extension changes Signed-off-by: fahed dorgaa <[email protected]>
…n VEX usage Signed-off-by: Fahed Dorgaa <[email protected]>
|
thanks @copilot for review. I reflected @copilot comments. new phrase is:
It's more actionable - developers understand exactly why it matters |
Signed-off-by: fahed dorgaa <[email protected]>
… and revert extension changes Signed-off-by: fahed dorgaa <[email protected]>
fahedouch
force-pushed
the
vex-ratings-actionable-cyclonedx-conumers
branch
from
b5fbd0f to
a075955
Compare
2 participants
I am translating @stevespringett 's feedback on the CycloneDX VEX specification into the code.
Yes, they should be. It is widely known that the NVD has historically overrated vulnerabilities (on purpose). So the ratings from the NVD and those from the manufactures are often different. CycloneDX can convey this information which can aid in prioritization.
fixes #719