Add class B3 and an example for C1 to the taxonomy

Be more explicit that OSSA does not cover vulnerabilities in
experimental features, backends and drivers by adding a new class B3
for these in the taxonomy. Also clarify that vulnerabilities relying
on UUID guessing are considered impractical, as an example for class
C1.

Change-Id: Ie73dfb0358913e6bdfeba56e6105f8156382d042
Jeremy Stanley 2015-12-09 20:21:18 +00:00
parent c90436cc33
commit 75267d110b
1 changed files with 5 additions and 1 deletions


@ -183,9 +183,13 @@ warrant an advisory.
| | | yet, security note for all versions, |
| | | e.g., poor architecture / design |
+----------+-----------+-------------------------------------------+
| Class B3 | OSSN | A vulnerability in experimental or |
| | | debugging features not intended for |
| | | production use |
+----------+-----------+-------------------------------------------+
| Class C1 | Potential | Not considered a practical vulnerability |
| | OSSN | (but some people might assign a CVE for |
| | | it) |
| | | it), e.g. one depending on UUID guessing |
+----------+-----------+-------------------------------------------+
| Class C2 | Potential | A vulnerability, but not in OpenStack |
| | OSSN | supported code, e.g., in a dependency |