From 1f671f0a03df7faffdc9967878d64184c7ec6975 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 19:51:36 +0100 Subject: [PATCH 01/12] purl - resolves oasis-tcs/csaf#579 - use purl as lowercase (but not the references) --- .../edit/src/introduction-04-informative-references.md | 4 ++-- .../schema-elements-01-defs-03-full-product-name.md | 10 +++++----- csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index e62b394c..accfdf67 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -65,7 +65,7 @@ OPENSSL : _GTLS/SSL and crypto library_, OpenSSL Software Foundation, https://www.openssl.org/. PURL -: _Package URL (PURL)_, GitHub Project, https://github.com/package-url/purl-spec. +: _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec. RFC3339 : Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, @@ -118,7 +118,7 @@ SPDX22 https://spdx.github.io/spdx-spec/. VERS -: _vers: a mostly universal version range specifier_, Part of the PURL GitHub Project, +: _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst. VEX diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 7121d731..8b1f3dd4 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md 
@@ -238,20 +238,20 @@ Two `*` MUST NOT follow each other. IC25T060ATCS05-0 ``` -##### Full Product Name Type - Product Identification Helper - PURL +##### Full Product Name Type - Product Identification Helper - purl -The package URL (PURL) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression): +The package URL (purl) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression): ``` ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+ ``` -> The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#PURL) specification. +> The given pattern does not completely evaluate whether a purl is valid according to the [cite](#PURL) specification. > It provides a more generic approach and general guidance to enable forward compatibility. -> CSAF uses only the canonical form of PURL to conform with section 3.3 of [cite](#RFC3986). +> CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986). > Therefore, URLs starting with `pkg://` are considered invalid. -This package URL (PURL) attribute refers to a method for reliably identifying and locating software packages external to this specification. +This package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification. See [cite](#PURL) for details. ##### Full Product Name Type - Product Identification Helper - SBOM URLs diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md index 949d5cc4..740301b0 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md @@ -1,6 +1,6 @@ -### PURL +### purl -It MUST be tested that given PURL is valid. +It MUST be tested that given purl is valid. The relevant paths for this test are: From 4fb01446462d78f7f945cef341ccbc6ff8d93ff7 Mon Sep 17 00:00:00 2001 
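Review bot: the subject line says the lowercase change excludes the references, yet the first two hunks of this patch (introduction-04-informative-references.md) rewrite the reference entries themselves, from `_Package URL (PURL)_` to `_Package URL (purl)_` and from `Part of the PURL GitHub Project` to `Part of the purl GitHub Project`. If "references" means the `[cite](#PURL)` keys and their anchors, which do stay uppercase in every hunk, say so in the commit message; otherwise the references hunks contradict it and should be dropped.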
From: Stefan Hagen Date: Mon, 26 Feb 2024 22:50:18 +0100 Subject: [PATCH 02/12] Revert of section title case change Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> --- csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md index 740301b0..79262fca 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md @@ -1,4 +1,4 @@ -### purl +### PURL It MUST be tested that given purl is valid. From 66834eb28630cc862baa6732113546e9d296d10b Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Feb 2024 22:53:07 +0100 Subject: [PATCH 03/12] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - explicitly mention names of Exploitability throughout the different CVSS versions --- .../edit/src/schema-elements-02-props-03-vulnerabilities.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md index 5cecf147..80e18f41 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md 
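Review bot: reverting only `### PURL` in tests-01-mndtr-13-purl.md leaves the heading `##### Full Product Name Type - Product Identification Helper - purl` from the previous patch lowercase, so section titles now use both spellings. Either revert that heading as well or keep both lowercase. While the following line is in view: `It MUST be tested that given purl is valid.` is missing an article and should read `that the given purl is valid`.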
@@ -750,7 +750,8 @@ Valid values are: The value `exploit_status` indicates that the `details` field contains a description of the degree to which an exploit for the vulnerability is known. This knowledge can range from information privately held among a very small group to an issue that has been described to the public at a major conference or is being widely exploited globally. -For consistency and simplicity, this section can be a mirror image of the CVSS "Exploitability" metric. +For consistency and simplicity, this section can be a mirror image of the CVSS `exploitMaturity` (v4.0), +respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric. However, it can also contain a more contextual status, such as "Weaponized" or "Functioning Code". The value `impact` indicates that the `details` field contains an assessment of the impact on the user or the target set if From 1035bfe5419cd973caacc2e59fbff3c16ef264f9 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Feb 2024 23:13:20 +0100 Subject: [PATCH 04/12] Editorial - addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#699 - correct location of section separator --- csaf_2.1/prose/edit/src/tests-03-informative.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md index a9c49572..91e6edc1 100644 --- a/csaf_2.1/prose/edit/src/tests-03-informative.md +++ b/csaf_2.1/prose/edit/src/tests-03-informative.md @@ -412,8 +412,6 @@ The relevant paths for this test are: > The product version starts with a `v`. -------- - ### Missing CVSS v4.0 For each item in the list of scores it MUST be tested that a `cvss_v4` object is present. @@ -455,3 +453,5 @@ The relevant path for this test is: ``` > There is no CVSS v4.0 score given for `CSAFPID-9080700`. + +------- From 2a4f106fd94c2e65807cb69bdea53d0c83f2bdda Mon Sep 17 00:00:00 2001 
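Review bot: the wording of the two added lines, `the CVSS `exploitMaturity` (v4.0), respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric`, reads awkwardly; "respectively" does not pair anything here. Suggest a plain list: `the CVSS `exploitMaturity` (v4.0), `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric`. The three property names do match the CVSS JSON schema names for those versions, so the substance is right.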
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 10:21:29 +0100 Subject: [PATCH 05/12] CPE regex - addresses parts of oasis-tcs/csaf#693, oasis-tcs/csaf#710 - correct pattern to `^((CPE2.3)|(CPE2.2))$` - add additional `\\` to escape previously unescaped `/` --- csaf_2.1/json_schema/csaf_json_schema.json | 2 +- .../edit/src/schema-elements-01-defs-03-full-product-name.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 1c42ccb5..f14374fb 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -159,7 +159,7 @@ "title": "Common Platform Enumeration representation", "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.", "type": "string", - "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$", + "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$", "minLength": 5 }, "hashes": { diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 59690c97..013ee33f 100644 
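Review bot: the escaping in the new `pattern` line of csaf_json_schema.json is incomplete: the first CPE 2.3 character class now reads `\\+,\\/:;<=>@` and the CPE 2.2 prefix reads `[c][pP][eE]:\\/`, but the second character class inside the `{4}` group still reads `\\+,/:;<=>@`. A bare `/` inside a character class is harmless to `new RegExp(pattern)`, but the commit message states that the previously unescaped `/` were escaped, so either escape that one too or drop the claim. The outer group `^((...)|(...))$` is the substantive fix and is correct: in the old pattern `^` bound only the CPE 2.3 alternative and `$` only the CPE 2.2 alternative, which is exactly why inputs such as `PREFIXcpe:/o:redhat:...` and `cpe:2.3:...:*:*"` from the new invalid test data used to pass.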
--- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -80,7 +80,7 @@ and `x_generic_uris`, one is mandatory. Common Platform Enumeration representation (`cpe`) of value type `string` of 5 or more characters with `pattern` (regular expression): ``` - ^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$ + ^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$ ``` The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification. From 61e78c8449e3f4cae6d98f203872488ea13e4991 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 14:41:01 +0100 Subject: [PATCH 06/12] CPE regex - addresses parts of oasis-tcs/csaf#693 - correct parsing of CPE 2.3 Dictionary (to also capture endings `">` instead of just `"/>`) --- csaf_2.1/test/cpe/run_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/test/cpe/run_tests.sh b/csaf_2.1/test/cpe/run_tests.sh index 8c6b7345..a8a84847 100755 --- a/csaf_2.1/test/cpe/run_tests.sh +++ b/csaf_2.1/test/cpe/run_tests.sh 
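Review bot: the prose copy of the pattern in schema-elements-01-defs-03-full-product-name.md is maintained by hand and carries the same leftover: the second character class still reads `\\+,/:;<=>@` while the first reads `\\+,\\/:;<=>@`. Since test-regex.js reads the pattern only from the JSON schema, nothing in CI catches a drift between the schema string and the fenced block in the markdown; consider a check that the two are byte-identical, or generate the prose fragment from the schema.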
@@ -20,7 +20,7 @@ get_dictionary() { prepare_23_dictionary() { # Get CPE 2.3 fields # Correctly decode special characters - grep '$//' \ + grep '$//' \ | sed -e 's/\\&/\\\&/g' \ | sed -e 's/\\"/\\"/g' \ > "$CPE".txt From 1cfd26f545e53e31342e2eed791a047cf43f2e87 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 14:44:30 +0100 Subject: [PATCH 07/12] CPE regex - addresses parts of oasis-tcs/csaf#693 - add new local test cases - adopt test script --- .github/workflows/csaf_2.1_cpe.yml | 4 ++- csaf_2.1/test/cpe/data/invalid/cpe.txt | 5 +++ csaf_2.1/test/cpe/data/valid/cpe.txt | 3 ++ .../{run_tests.sh => run_dictionary_tests.sh} | 0 csaf_2.1/test/cpe/run_local_tests.sh | 36 +++++++++++++++++++ csaf_2.1/test/cpe/test-regex.js | 7 ++-- 6 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 csaf_2.1/test/cpe/data/invalid/cpe.txt create mode 100644 csaf_2.1/test/cpe/data/valid/cpe.txt rename csaf_2.1/test/cpe/{run_tests.sh => run_dictionary_tests.sh} (100%) create mode 100755 csaf_2.1/test/cpe/run_local_tests.sh diff --git a/.github/workflows/csaf_2.1_cpe.yml b/.github/workflows/csaf_2.1_cpe.yml index c9fcf423..f5ca85f2 100644 --- a/.github/workflows/csaf_2.1_cpe.yml +++ b/.github/workflows/csaf_2.1_cpe.yml @@ -19,4 +19,6 @@ jobs: with: node-version: '20' - name: Perform CPE Dictionary Test - run: ./csaf_2.1/test/cpe/run_tests.sh + run: ./csaf_2.1/test/cpe/run_dictionary_tests.sh + - name: Perform CPE local examples Test + run: ./csaf_2.1/test/cpe/run_local_tests.sh diff --git a/csaf_2.1/test/cpe/data/invalid/cpe.txt b/csaf_2.1/test/cpe/data/invalid/cpe.txt new file mode 100644 index 00000000..f48cc39a --- /dev/null +++ b/csaf_2.1/test/cpe/data/invalid/cpe.txt 
@@ -0,0 +1,5 @@ +PREFIXcpe:/o:redhat:rhel_aus:7.6::server +cpe:/o:redhat:rhel_aus:7.6::server::SUFFIX +PREFIXcpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:* +cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*" +cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:** diff --git a/csaf_2.1/test/cpe/data/valid/cpe.txt b/csaf_2.1/test/cpe/data/valid/cpe.txt new file mode 100644 index 00000000..9a5d7be9 --- /dev/null +++ b/csaf_2.1/test/cpe/data/valid/cpe.txt @@ -0,0 +1,3 @@ +cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other* +cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other???? +cpe:/o:redhat:rhel_aus:7.6::server diff --git a/csaf_2.1/test/cpe/run_tests.sh b/csaf_2.1/test/cpe/run_dictionary_tests.sh similarity index 100% rename from csaf_2.1/test/cpe/run_tests.sh rename to csaf_2.1/test/cpe/run_dictionary_tests.sh diff --git a/csaf_2.1/test/cpe/run_local_tests.sh b/csaf_2.1/test/cpe/run_local_tests.sh new file mode 100755 index 00000000..38f22480 --- /dev/null +++ b/csaf_2.1/test/cpe/run_local_tests.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +SCHEMA=csaf_2.1/json_schema/csaf_json_schema.json +VALIDATOR=csaf_2.1/test/cpe/test-regex.js +DATA_VALID=csaf_2.1/test/cpe/data/valid/cpe.txt +DATA_INVALID=csaf_2.1/test/cpe/data/invalid/cpe.txt + +FAIL=0 + +# go to root of git repository +cd "$(dirname "$0")"/../../.. || exit + + +validate() { + printf "Testing file %s against cpe regex from %s ... \n" "$1" "$SCHEMA" + if node "$VALIDATOR" "$SCHEMA" "$1" "$2"; then + printf "SUCCESS\n" + else + printf "FAILED\n" + FAIL=1 + fi + +} + +echo -n "Test conforming (not necessary existing) CPEs... " +DATA=$DATA_VALID +validate $DATA true +printf "done\n" + +echo -n "Test non-conforming CPEs... " +DATA=$DATA_INVALID +validate $DATA false +printf "done\n" + + +exit $FAIL 
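Review bot: in run_local_tests.sh, `validate $DATA true` and `validate $DATA false` pass the file path unquoted; quote it and drop the `DATA=` indirection, which adds nothing (`validate "$DATA_VALID" true`). The `echo -n "Test conforming ..."` prefix is immediately followed by the `printf "Testing file %s ..."` line inside `validate`, so both messages run together on one line; end one of them with a newline or remove it. Typo: `not necessary existing` should read `not necessarily existing`. `cd ... || exit` is fine as written, since a bare `exit` returns the status of the failed `cd`.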
diff --git a/csaf_2.1/test/cpe/test-regex.js b/csaf_2.1/test/cpe/test-regex.js index 567ba08e..98e4d2f9 100644 --- a/csaf_2.1/test/cpe/test-regex.js +++ b/csaf_2.1/test/cpe/test-regex.js @@ -10,15 +10,16 @@ const r = new RegExp(pattern) console.log('Current regex to test:', '\n', pattern) const cpeStr = fs.readFileSync(args[1], 'utf8').split('\n') +const assertion = !((args[2] ?? true) === "false") let failed = false cpeStr.forEach(element => { if (element.length > 0) { const result = (r.exec(element) != null) - failed = failed | !result - if (!result) { - console.log(result, '\t', element) + failed = failed | (result !== assertion) + if (result !== assertion) { + console.log(result,'but expected', assertion, '\t', element) } } }); From 242578271d6d53425a3d10e257aed615ceec31d1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:14:13 +0100 Subject: [PATCH 08/12] purl regex - addresses parts of oasis-tcs/csaf#710 - add additional `\\` to escape previously unescaped `/` --- csaf_2.1/json_schema/csaf_json_schema.json | 2 +- .../edit/src/schema-elements-01-defs-03-full-product-name.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index f14374fb..b3888b31 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -251,7 +251,7 @@ "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.", "type": "string", "format": "uri", - "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+", + "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+", "minLength": 7 }, "sbom_urls": { 
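Review bot: `const assertion = !((args[2] ?? true) === "false")` in test-regex.js is hard to read; `const expected = args[2] !== 'false'` has the same truth table (a missing third argument or any value other than the string `false` means "expect a match"). `failed = failed | (result !== assertion)` turns the boolean into 0/1 through bitwise OR; `failed = failed || result !== expected` keeps it a boolean. Minor: `console.log(result,'but expected', assertion, '\t', element)` wants a space after the comma, and putting the input first makes the failure line easier to scan.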
diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 013ee33f..9271d6b0 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -243,7 +243,7 @@ Two `*` MUST NOT follow each other. The package URL (PURL) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression): ``` - ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+ + ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+ ``` > The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#PURL) specification. From 6e5a39a6723dc71f62e5261a1bda1bb7dffda2ac Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:33:58 +0100 Subject: [PATCH 09/12] Editor revision 2024-03-27 - update dates - insert new revision for tracking --- csaf_2.1/prose/edit/src/frontmatter.md | 4 ++-- csaf_2.1/prose/edit/src/revision-history.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index dd54682d..3ae331ac 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 28 February 2024 +## 27 March 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ 
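Review bot: the context lines of this hunk still read `The package URL (PURL) representation` and `whether a PURL is valid`, which patch 01 of this series changed to lowercase `purl`, and the pre-image index `013ee33f` does not chain from patch 01's post-image `8b1f3dd4` for the same file. Applied in order, the series will conflict in schema-elements-01-defs-03-full-product-name.md; rebase this patch onto the lowercase text.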
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 March 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 842479aa..f8ddef8e 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -12,4 +12,5 @@ toc: |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------| | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision | | csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- From f8d5a101e6ca6d13827cfd82f7c824d672348dd1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:35:29 +0100 Subject: [PATCH 10/12] CSAF 2.1 - update overlooked CSAF 2.0 to 2.1 --- csaf_2.1/prose/edit/src/frontmatter.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index 3ae331ac..c3e5d861 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md 
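Review bot: the new row `csaf-v2.0-wd20240327-dev` keeps the `v2.0` prefix in the revision identifier of a CSAF 2.1 document, as do the two rows above it. Patch 10 of this series fixes an "overlooked CSAF 2.0 to 2.1" in the abstract; check whether these identifiers are the same kind of leftover and should read `csaf-v2.1-wd...-dev`, and if so correct all three rows in one commit. The date changes in frontmatter.md and this row agree (27 March 2024).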
+++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -55,7 +55,7 @@ This specification replaces or supersedes: #### Abstract: -The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. +The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. #### Status: This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical. From b0f0b98cf66f9ce371f29f907800bcf89f3de716 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:37:14 +0100 Subject: [PATCH 11/12] CSAF SBOM matching system - resolves oasis-tcs/csaf#708 - correct copy-paste mistake "asset" => "SBOM" --- csaf_2.1/prose/edit/src/conformance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 38d6e639..ee489a8e 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -473,7 +473,7 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc A switch to mark all SBOM component at once MAY be implemented. * does not bring up a newer revision of a CSAF document as a new match if the remediation for the matched SBOM or SBOM component has not changed. * detects the usage semantic version (as described in section [sec](#version-type-semantic-versioning)). -* is able to trigger a run of the asset matching module: +* is able to trigger a run of the SBOM matching module: * manually: * per CSAF document * per list of CSAF documents From fb7115e1fa1f0a822cb0c72da50bcaf76bb1980e Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:52:56 +0100 Subject: [PATCH 12/12] CPE regex - addresses parts of oasis-tcs/csaf#693 - add conversion rule --- csaf_2.1/prose/edit/src/conformance.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 38d6e639..cf2df483 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md @@ -502,7 +502,12 @@ Firstly, the program: Secondly, the program fulfills the following for all items of: +* type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a + warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. > A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown. +> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any +> of the rules above MAY be ignored to avoid data loss. + -------
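Review bot: `asset matching module` to `SBOM matching module` is the right fix, but the surrounding context in conformance.md has two more slips worth taking in the same commit: `mark all SBOM component at once` should read `components`, and `detects the usage semantic version` is missing a word (`detects the usage of semantic versioning`).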
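Review bot: the added normative sentence has a verb error: `the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value` must read `SHOULD remove`. The pre-image index `38d6e639` of this hunk is also the same as patch 11's pre-image for conformance.md, so this patch was not prepared on top of patch 11; the hunks touch different lines and will probably apply with an offset, but the series should be rebased so the indices chain. Finally, the added note `Solely in this case, any of the rules above MAY be ignored` overrides the `MUST include the invalid CPE` requirement two lines earlier; if that is intended, say explicitly that the warning requirement is among the rules that may be skipped in the non-default mode.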