
Security Advisories - CVSS summary / assumptions field #39

Closed
frasertweedale opened this issue Oct 6, 2022 · 2 comments
Comments

@frasertweedale (Contributor)

Note https://www.first.org/cvss/v3.1/user-guide#3-7-Scoring-Vulnerabilities-in-Software-Libraries-and-Similar:

When scoring the impact of a vulnerability in a library, independent of any adopting program or implementation, the analyst will often be unable to take into account the ways in which the library might be used. While specific products using the library should generate CVSS scores specific to how they use the library, scoring the library itself requires assumptions to be made. The analyst should score for the reasonable worst-case implementation scenario. When possible, the CVSS information should detail these assumptions.

The advisory format currently has no way to convey contextual information about assumptions made in calculating the CVSS score. There should be a way to convey this information.

@david-christiansen (Contributor)

Can you suggest what that way should look like? I'm still quite new to CVSS, and most of that content came from conversations with collaborators, so I don't entirely know how to proceed here. For instance, do you think a structured format would be what you want here, or free text, or something else? Is there a standard we can just adopt?

Thanks!

@frasertweedale (Contributor, Author)

Free text. But I filed this before I understood that the advisory file is intended to also include a write-up for a human audience, after the TOML block (see #41). I think this consideration is best addressed there. So I will close this ticket.
