explanation of test 6.3.10 (product_version_range)

[jaccoNCSCNL]

We fail to understand test 6.3.10:
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6310-usage-of-product-version-range

What we read here, is that there is a category product_version_range but if you try to use it, your test will fail.

Jacco

[tschmidtb51]

Hi Jacco,
it is an informative test - that means that the test can fail without having an effect on the validity of the CSAF document. From the standard:

Informative tests provide insights in common mistakes and bad practices. They MAY fail at a valid CSAF document. It is up to the issuing party to decide whether this was an intended behavior and can be ignore or should be treated. These tests MAY include information about recommended usage. A program MUST handle a test failure as a information.

The use of product_version_range is allowed. However, it is considered a "bad practice" as it may result in difficulties in matching against assets or SBOMs. Nevertheless, it is recommended if otherwise the affected versions wouldn't be listed.

Does that answer your question?

[tschmidtb51]

Is there anything in particular that would need rephrasing?