Merge pull request #680 from oasis-tcs/seeding-csaf-v-2-1

Seeding CSAF v2.1
oasis-tcs · Jan 31, 2024 · 2177104 · 2177104
2 parents 3d6441b + 4d84ce3
commit 2177104
Show file tree

Hide file tree

Showing 378 changed files with 53,123 additions and 1 deletion.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,61 @@
+.editorconfig # Editor config
+# http://EditorConfig.org
+
+# This EditorConfig overrides any parent EditorConfigs
+root = true
+
+# Default rules applied to all file types
+[*]
+
+# Trim trailing spaces, newline at EOF
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+end_of_line = lf
+
+# 2 space indentation
+indent_style = space
+indent_size = 2
+
+# Makefiles require tabs
+[Makefile]
+indent_style = tab
+indent_size = 4
+max_line_length = 256
+
+# 4 space indentation
+[*.{py,java,r,R}]
+indent_style = space
+indent_size = 4
+max_line_length = 120
+
+# 2 space indentation
+[*.{json,y{a,}ml,html,cwl}]
+indent_style = space
+indent_size = 2
+
+[*.{md,Rmd,rst}]
+trim_trailing_whitespace = false
+indent_style = space
+indent_size = 2
+max_line_length = 150
+
+# JavaScript-specific settings
+[*.{js,ts}]
+quote_type = single
+indent_style = space
+indent_size = 2
+continuation_indent_size = 2
+curly_bracket_next_line = false
+indent_brace_style = BSD
+spaces_around_operators = true
+spaces_around_brackets = none
+max_line_length = 150
+
+[*.rs]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+max_line_length = 120
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/.github/workflows/csaf_2.1_cpe.yml b/.github/workflows/csaf_2.1_cpe.yml
@@ -0,0 +1,22 @@
+name: CPE Dictionary Test (CSAF 2.1)
+
+on:
+  push:
+    paths:
+      - 'csaf_2.1/**'
+  pull_request:
+    paths:
+      - 'csaf_2.1/**'
+
+jobs:
+  cpe-test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Setup Node
+      uses: actions/setup-node@v3
+      with:
+        node-version: '20'
+    - name: Perform CPE Dictionary Test
+      run: ./csaf_2.1/test/cpe/run_tests.sh
diff --git a/.github/workflows/csaf_2.1_filenames.yml b/.github/workflows/csaf_2.1_filenames.yml
@@ -0,0 +1,32 @@
+name: CSAF Filenames Test (CSAF 2.1)
+
+on:
+  push:
+    paths:
+      - 'csaf_2.1/**'
+  pull_request:
+    paths:
+      - 'csaf_2.1/**'
+
+jobs:
+  filename-test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Setup pip package "paikalta"
+      run: pip install paikalta
+    - name: Test filenames of CSAF filename test files in filenames/data/valid/*.json
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/test/filenames/data/valid/*.json
+    - name: Test filenames of CSAF filename test files in filenames/data/invalid/*.json
+      run: ./csaf_2.1/test/filenames/run_invalid_tests.sh ./csaf_2.1/test/filenames/data/invalid/*.json
+    - name: Test filenames of CSAF examples
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/examples/csaf/*.json
+    - name: Test filenames of CSAF examples - profile specific folders
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/examples/csaf/csaf_*/*.json
+    - name: Test filenames of CSAF test files in validator/data/mandatory
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/test/validator/data/mandatory/*.json
+    - name: Test filenames of CSAF test files in validator/data/optional
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/test/validator/data/optional/*.json
+    - name: Test filenames of CSAF test files in validator/data/informative
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/test/validator/data/informative/*.json
diff --git a/.github/workflows/csaf_2.1_main.yml b/.github/workflows/csaf_2.1_main.yml
@@ -0,0 +1,46 @@
+name: JSON Schema Tests (CSAF 2.1)
+
+on:
+  push:
+    paths:
+      - 'csaf_2.1/**'
+  pull_request:
+    paths:
+      - 'csaf_2.1/**'
+
+jobs:
+  json-test_job:
+    runs-on: ubuntu-latest
+    name: Test JSON schemas
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Prepare environment
+      run: |
+        sudo apt-get remove python3-jsonschema
+        sudo apt-get update -q && sudo apt-get install -y --no-install-recommends -qq \
+          python3 \
+          python3-simplejson \
+          python3-jsonpath-rw \
+          python3-pip \
+          python3-setuptools \
+          python3-wheel
+        pip3 install jsonschema[format]
+    - name: Check jsonschema version
+      run: python3 -c "from importlib.metadata import version; print(version('jsonschema'))"
+    - name: Test examples against CSAF schema
+      run: ./csaf_2.1/test/csaf_schema/run_tests.sh
+    - name: Test VEX examples against CSAF schema
+      run: ./csaf_2.1/test/csaf_schema/run_tests.sh csaf_vex
+    - name: Test examples against Provider Metadata schema
+      run: ./csaf_2.1/test/provider_schema/run_tests.sh
+    - name: Test examples against Aggregator schema
+      run: ./csaf_2.1/test/aggregator_schema/run_tests.sh
+    - name: Upload strict JSON schema artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: strict-schemas
+        path: |
+          csaf_2.1/build/csaf_strict_schema.json
+          csaf_2.1/build/provider_strict_schema.json
+          csaf_2.1/build/aggregator_strict_schema.json
diff --git a/.github/workflows/csaf_2.1_mandatory-tests.yml b/.github/workflows/csaf_2.1_mandatory-tests.yml
@@ -0,0 +1,40 @@
+name: CSAF Mandatory Tests (CSAF 2.1)
+
+on:
+  push:
+    paths:
+      - 'csaf_2.1/**'
+  pull_request:
+    paths:
+      - 'csaf_2.1/**'
+
+jobs:
+  mandatory-test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Setup Node
+      uses: actions/setup-node@v3
+      with:
+        node-version: '20'
+    - name: Setup csaf-validator-lib
+      run: |
+        cd ..
+        git clone https://github.com/secvisogram/csaf-validator-lib.git
+        cd csaf-validator-lib && npm ci --prod
+    - name: Run mandatory tests on examples
+      run:  |
+        for i in `ls -1 ../csaf/csaf_2.1/examples/csaf/*.json`
+        do
+          printf "%s%s\n" "Starting test of " $i
+          ../csaf-validator-lib/scripts/runTest.js $i mandatory
+        done
+    # Only temporary until examples in the repo are reorganized
+    - name: Run mandatory tests on examples/csaf_vex
+      run:  |
+        for i in `ls -1 ../csaf/csaf_2.1/examples/csaf/csaf_vex/*.json`
+        do
+          printf "%s%s\n" "Starting test of " $i
+          ../csaf-validator-lib/scripts/runTest.js $i mandatory
+        done
diff --git a/.github/workflows/csaf_2.1_validator.yml b/.github/workflows/csaf_2.1_validator.yml
@@ -0,0 +1,38 @@
+name: Validator Data Test (CSAF 2.1)
+
+on:
+  push:
+    paths:
+      - 'csaf_2.1/**'
+  pull_request:
+    paths:
+      - 'csaf_2.1/**'
+
+jobs:
+  validator-test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Prepare environment
+      run: |
+        sudo apt-get remove python3-jsonschema
+        sudo apt-get update -q && sudo apt-get install -y --no-install-recommends -qq \
+          python3 \
+          python3-simplejson \
+          python3-jsonpath-rw \
+          python3-pip \
+          python3-setuptools \
+          python3-wheel
+        pip3 install jsonschema[format]
+    - name: Check jsonschema version
+      run: python3 -c "from importlib.metadata import version; print(version('jsonschema'))"
+    - name: Test validator/data/mandatory against schema
+      run: ./csaf_2.1/test/validator/run_tests.sh mandatory
+    - name: Test validator/data/optional against schema
+      run: ./csaf_2.1/test/validator/run_tests.sh optional
+    - name: Test validator/data/informative against schema
+      run: ./csaf_2.1/test/validator/run_tests.sh informative
+
+    - name: Test validator/data/testcases.json against testcase schema
+      run: ./csaf_2.1/test/validator/check_testcases.sh
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,25 @@
-
+# Original ignores (before csaf_2.1 branch off)
 meeting_minutes/.DS_Store
 .DS_Store
 *_strict_schema.json
 official-cpe-dictionary_v2.3.*
 official-cpe-dictionary_v2.2.*
+
+# pyenv
+.python-version
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Other local development artifacts
+*~
+.idea
+local*
+.vscode/
+build/
diff --git a/csaf_2.1/LICENSE.md b/csaf_2.1/LICENSE.md
@@ -0,0 +1,15 @@
+# License Terms
+
+Content in this GitHub code repository has been [contributed](https://www.oasis-open.org/policies-guidelines/ipr#def-contribution)
+by OASIS TC Members, and is governed by the OASIS policies, including the 
+[Intellectual Property Rights (IPR) Policy](https://www.oasis-open.org/policies-guidelines/ipr),
+the [Technical Committee (TC) Process](https://www.oasis-open.org/policies-guidelines/tc-process),
+[Bylaws](https://www.oasis-open.org/policies-guidelines/bylaws),
+and the Technical Committee's choice of [IPR Mode](https://www.oasis-open.org/policies-guidelines/ipr#def-ipr-mode)
+(*viz*, [Non-Assertion Mode](https://www.oasis-open.org/policies-guidelines/ipr#Non-Assertion-Mode)),
+including any applicable [declarations](https://www.oasis-open.org/committees/csaf/ipr.php).
+Feedback from non-TC members, if any,
+is governed by the terms of the [OASIS Feedback License](https://www.oasis-open.org/policies-guidelines/ipr#appendixa).
+
+Description of this repository is presented in the [README](https://github.com/oasis-tcs/csaf/blob/master/README.md) file,
+and guidelines for contribution/participation are given in the [CONTRIBUTING](https://github.com/oasis-tcs/csaf/blob/master/CONTRIBUTING.md) file.
diff --git a/csaf_2.1/README.md b/csaf_2.1/README.md
@@ -0,0 +1,16 @@
+# Seeding the next version of CSAF
+
+This folder serves as a showcase of an improved way
+to edit, verify, and validate the next version of CSAF.
+
+The main goals are (for now):
+
+- extract examples to ensure validation
+- refactor the source markdown into smaller chunks (per sections)
+- set uo a binder text file that declares the order of concatenation of these source files
+- automatically derive the section numbering from the order and an AST traversal
+- generate the single elephant GFM+gh_cosmetics user facing delivery item from these source
+- empower the editors by enfocing semantic references
+- use vale for developer documentation spell checks
+- use markdownlint to validate the sourc emarkdown files
+- use pandoc and filters to generate html and pdf user facing delivery items
diff --git a/csaf_2.1/examples/ROLIE/example-01-category.json b/csaf_2.1/examples/ROLIE/example-01-category.json
@@ -0,0 +1,12 @@
+{
+  "categories": {
+    "category": [
+      {
+          "term": "Example Company Product A"
+      },
+      {
+          "term": "Example Company Product B"
+      }
+    ]
+  }
+}
diff --git a/csaf_2.1/examples/ROLIE/example-01-feed-tlp-white.json b/csaf_2.1/examples/ROLIE/example-01-feed-tlp-white.json
@@ -0,0 +1,52 @@
+{
+  "feed": {
+    "id": "example-csaf-feed-tlp-white",
+    "title": "Example CSAF feed (TLP:WHITE)",
+    "link": [
+      {
+        "rel": "self",
+        "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-white.json"
+      }
+    ],
+    "category": [
+      {
+        "scheme": "urn:ietf:params:rolie:category:information-type",
+        "term": "csaf"
+      }
+    ],
+    "updated": "2024-01-01T12:00:00.000Z",
+    "entry": [
+      {
+        "id": "ESA-2024-001",
+        "title": "Multiple vulnerabilities in ABC 0.0.2",
+        "link": [
+          {
+            "rel": "self",
+            "href": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json"
+          },
+          {
+            "rel": "hash",
+            "href": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json.sha512"
+          },
+          {
+            "rel": "signature",
+            "href": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json.asc"
+          }
+        ],
+        "published": "2024-01-01T11:00:00.000Z",
+        "updated": "2024-01-01T12:00:00.000Z",
+        "summary": {
+          "content": "Multiple vulnerabilities were fixed in ABC 0.0.3"
+        },
+        "content": {
+          "type": "application/json",
+          "src": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json"
+        },
+        "format": {
+          "schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+          "version": "2.1"
+        }
+      }
+    ]
+  }
+}
diff --git a/csaf_2.1/examples/ROLIE/example-01-service.json b/csaf_2.1/examples/ROLIE/example-01-service.json
@@ -0,0 +1,23 @@
+{
+  "service": {
+    "workspace": [
+      {
+        "title": "Public CSAF feed",
+        "collection": [
+          {
+            "title": "Example CSAF feed (TLP:WHITE)",
+            "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-white.json",
+            "categories": {
+              "category": [
+                {
+                  "scheme": "urn:ietf:params:rolie:category:information-type",
+                  "term": "csaf"
+                }
+              ]
+            }
+          }
+        ]
+      }
+    ]
+  }
+}