diff --git a/.github/workflows/csaf_2.1_cpe.yml b/.github/workflows/csaf_2.1_cpe.yml
index c9fcf4234..f5ca85f2a 100644
--- a/.github/workflows/csaf_2.1_cpe.yml
+++ b/.github/workflows/csaf_2.1_cpe.yml
@@ -19,4 +19,6 @@ jobs:
 with:
 node-version: '20'
 - name: Perform CPE Dictionary Test
- run: ./csaf_2.1/test/cpe/run_tests.sh
+ run: ./csaf_2.1/test/cpe/run_dictionary_tests.sh
+ - name: Perform CPE local examples Test
+ run: ./csaf_2.1/test/cpe/run_local_tests.sh
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index 1c42ccb52..b3888b312 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -159,7 +159,7 @@
 "title": "Common Platform Enumeration representation",
 "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
 "type": "string",
- "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$",
+ "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
 "minLength": 5
 },
 "hashes": {
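Review bot: The escaped slash introduced in the new `pattern` is applied inconsistently: the first component character class now reads `\\+,\\/:;` while the identical class inside the `{4}` repetition still reads `\\+,/:;`, and the `[c][pP][eE]:\\/` prefix is escaped as well. A JSON Schema `pattern` is an undelimited ECMA-262 regex, so `\/` and `/` match the same character and the escape only matters for tools that paste the pattern into a `/…/` literal; whichever form is kept should be used in both classes so the two copies stay comparable (the prose copy in schema-elements-01-defs-03-full-product-name.md repeats the same asymmetry). The outer group `^((…)|(…))$` is the substantive part of the change — before it, `^` bound only the formatted-string alternative and `$` only the URI-binding alternative, so text before `cpe:/` or after a formatted string's last component still validated — and since JSON offers no place for a comment, that reason is worth recording in the commit description.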
@@ -251,7 +251,7 @@
 "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
 "type": "string",
 "format": "uri",
- "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+",
+ "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
 "minLength": 7
 },
 "sbom_urls": {
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
index 38d6e6390..b5a9329ec 100644
--- a/csaf_2.1/prose/edit/src/conformance.md
+++ b/csaf_2.1/prose/edit/src/conformance.md
@@ -473,7 +473,7 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
 A switch to mark all SBOM component at once MAY be implemented.
 * does not bring up a newer revision of a CSAF document as a new match if the remediation for the matched SBOM or SBOM component has not changed.
 * detects the usage semantic version (as described in section [sec](#version-type-semantic-versioning)).
-* is able to trigger a run of the asset matching module:
+* is able to trigger a run of the SBOM matching module:
 * manually:
 * per CSAF document
 * per list of CSAF documents
@@ -502,7 +502,12 @@ Firstly, the program: Secondly, the program fulfills the following for all items of: +* type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a + warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. > A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown. +> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any +> of the rules above MAY be ignored to avoid data loss. + -------
diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md
index dd54682d3..c3e5d8612 100644
--- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 28 February 2024 +## 27 March 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -55,7 +55,7 @@ This specification replaces or supersedes: #### Abstract: -The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. +The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. #### Status: This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical. 
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 March 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index 3a450f3bd..aba6bf6eb 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -65,7 +65,7 @@ OPENSSL : _GTLS/SSL and crypto library_, OpenSSL Software Foundation, https://www.openssl.org/. PURL -: _Package URL (PURL)_, GitHub Project, https://github.com/package-url/purl-spec. +: _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec. RFC3339 : Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, @@ -118,7 +118,7 @@ SPDX22 https://spdx.github.io/spdx-spec/. VERS -: _vers: a mostly universal version range specifier_, Part of the PURL GitHub Project, +: _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst. VEX diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 842479aa6..f8ddef8eb 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md 
+++ b/csaf_2.1/prose/edit/src/revision-history.md
@@ -12,4 +12,5 @@ toc:
 |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------|
 | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision |
 | csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+| csaf-v2.0-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 -------
diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
index 59690c970..fdb8ff3b2 100644
--- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
+++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
@@ -80,7 +80,7 @@ and `x_generic_uris`, one is mandatory. Common Platform Enumeration representation (`cpe`) of value type `string` of 5 or more characters with `pattern` (regular expression): ``` - ^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$ + ^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$ ``` The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification. 
@@ -238,20 +238,20 @@ Two `*` MUST NOT follow each other. IC25T060ATCS05-0 ``` -##### Full Product Name Type - Product Identification Helper - PURL +##### Full Product Name Type - Product Identification Helper - purl -The package URL (PURL) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression): +The package URL (purl) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression): ``` - ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+ + ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+ ``` -> The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#PURL) specification. +> The given pattern does not completely evaluate whether a purl is valid according to the [cite](#PURL) specification. > It provides a more generic approach and general guidance to enable forward compatibility. -> CSAF uses only the canonical form of PURL to conform with section 3.3 of [cite](#RFC3986). +> CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986). > Therefore, URLs starting with `pkg://` are considered invalid. -This package URL (PURL) attribute refers to a method for reliably identifying and locating software packages external to this specification. +This package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification. See [cite](#PURL) for details. ##### Full Product Name Type - Product Identification Helper - SBOM URLs diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md index 5cecf1478..80e18f416 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md 
@@ -750,7 +750,8 @@ Valid values are: The value `exploit_status` indicates that the `details` field contains a description of the degree to which an exploit for the vulnerability is known. This knowledge can range from information privately held among a very small group to an issue that has been described to the public at a major conference or is being widely exploited globally. -For consistency and simplicity, this section can be a mirror image of the CVSS "Exploitability" metric. +For consistency and simplicity, this section can be a mirror image of the CVSS `exploitMaturity` (v4.0), +respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric. However, it can also contain a more contextual status, such as "Weaponized" or "Functioning Code". The value `impact` indicates that the `details` field contains an assessment of the impact on the user or the target set if diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md index 949d5cc4c..79262fca1 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md @@ -1,6 +1,6 @@ ### PURL -It MUST be tested that given PURL is valid. +It MUST be tested that given purl is valid. The relevant paths for this test are: diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md index a9c495721..91e6edc10 100644 --- a/csaf_2.1/prose/edit/src/tests-03-informative.md +++ b/csaf_2.1/prose/edit/src/tests-03-informative.md @@ -412,8 +412,6 @@ The relevant paths for this test are: > The product version starts with a `v`. -------- - ### Missing CVSS v4.0 For each item in the list of scores it MUST be tested that a `cvss_v4` object is present. @@ -455,3 +453,5 @@ The relevant path for this test is: ``` > There is no CVSS v4.0 score given for `CSAFPID-9080700`. + +------- 
diff --git a/csaf_2.1/test/cpe/data/invalid/cpe.txt b/csaf_2.1/test/cpe/data/invalid/cpe.txt
new file mode 100644
index 000000000..f48cc39a6
--- /dev/null
+++ b/csaf_2.1/test/cpe/data/invalid/cpe.txt
@@ -0,0 +1,5 @@
+PREFIXcpe:/o:redhat:rhel_aus:7.6::server
+cpe:/o:redhat:rhel_aus:7.6::server::SUFFIX
+PREFIXcpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*"
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:**
diff --git a/csaf_2.1/test/cpe/data/valid/cpe.txt b/csaf_2.1/test/cpe/data/valid/cpe.txt
new file mode 100644
index 000000000..9a5d7be9a
--- /dev/null
+++ b/csaf_2.1/test/cpe/data/valid/cpe.txt
@@ -0,0 +1,3 @@
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other*
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other????
+cpe:/o:redhat:rhel_aus:7.6::server
diff --git a/csaf_2.1/test/cpe/run_tests.sh b/csaf_2.1/test/cpe/run_dictionary_tests.sh
similarity index 96%
rename from csaf_2.1/test/cpe/run_tests.sh
rename to csaf_2.1/test/cpe/run_dictionary_tests.sh
index 8c6b73451..a8a848475 100755
--- a/csaf_2.1/test/cpe/run_tests.sh
+++ b/csaf_2.1/test/cpe/run_dictionary_tests.sh
@@ -20,7 +20,7 @@ get_dictionary() {
 prepare_23_dictionary() {
 # Get CPE 2.3 fields
 # Correctly decode special characters
- grep '$//' \
+ grep '$//' \
 | sed -e 's/\\&/\\\&/g' \
 | sed -e 's/\\"/\\"/g' \
 > "$CPE".txt
diff --git a/csaf_2.1/test/cpe/run_local_tests.sh b/csaf_2.1/test/cpe/run_local_tests.sh
new file mode 100755
index 000000000..38f22480b
--- /dev/null
+++ b/csaf_2.1/test/cpe/run_local_tests.sh
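Review bot: The five negative fixtures all exercise junk around an otherwise well-formed string (a prefix, a suffix, a trailing quote, a doubled `*`), which pins the anchoring fix in the schema pattern, but nothing pins the field count: a formatted string with one component too few or too many — e.g. the existing `cpe:2.3:a:…:wordpress:*:*` line with one `:*` removed or appended (constructed example) — would catch a regression in the `{5}`/`{4}` repetition counts. An entry with an unescaped special character inside a component, such as a bare `"` in the vendor field, would likewise document that escaping is mandatory rather than merely rejected at the end of the string. For the URI-binding alternative, a `cpe:/` string with more than six components would round out the negative set against the `{0,6}` bound.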
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+SCHEMA=csaf_2.1/json_schema/csaf_json_schema.json
+VALIDATOR=csaf_2.1/test/cpe/test-regex.js
+DATA_VALID=csaf_2.1/test/cpe/data/valid/cpe.txt
+DATA_INVALID=csaf_2.1/test/cpe/data/invalid/cpe.txt
+
+FAIL=0
+
+# go to root of git repository
+cd "$(dirname "$0")"/../../.. || exit
+
+
+validate() {
+ printf "Testing file %s against cpe regex from %s ... \n" "$1" "$SCHEMA"
+ if node "$VALIDATOR" "$SCHEMA" "$1" "$2"; then
+ printf "SUCCESS\n"
+ else
+ printf "FAILED\n"
+ FAIL=1
+ fi
+
+}
+
+echo -n "Test conforming (not necessary existing) CPEs... "
+DATA=$DATA_VALID
+validate $DATA true
+printf "done\n"
+
+echo -n "Test non-conforming CPEs... "
+DATA=$DATA_INVALID
+validate $DATA false
+printf "done\n"
+
+
+exit $FAIL
diff --git a/csaf_2.1/test/cpe/test-regex.js b/csaf_2.1/test/cpe/test-regex.js
index 567ba08e4..98e4d2f92 100644
--- a/csaf_2.1/test/cpe/test-regex.js
+++ b/csaf_2.1/test/cpe/test-regex.js
@@ -10,15 +10,16 @@ const r = new RegExp(pattern) console.log('Current regex to test:', '\n', pattern) const cpeStr = fs.readFileSync(args[1], 'utf8').split('\n') +const assertion = !((args[2] ?? true) === "false") let failed = false cpeStr.forEach(element => { if (element.length > 0) { const result = (r.exec(element) != null) - failed = failed | !result - if (!result) { - console.log(result, '\t', element) + failed = failed | (result !== assertion) + if (result !== assertion) { + console.log(result,'but expected', assertion, '\t', element) } } });
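Review bot: `validate $DATA true` and `validate $DATA false` expand `$DATA` unquoted, and the `DATA` temporary only restates a constant defined a few lines above; `validate "$DATA_VALID" true` and `validate "$DATA_INVALID" false` are shorter and safe against word splitting. The SUCCESS/FAILED verdict inside `validate` rests solely on the exit status of `node "$VALIDATOR" …`, so the CI step added in the workflow is only as strict as the exit code test-regex.js sets after its `forEach`, which lies outside the hunks shown; it is worth confirming that a mismatch, an unreadable fixture and a schema without the `cpe` pattern all exit non-zero rather than logging and exiting 0. Mixing `echo -n` with `printf` is a small inconsistency; `printf '%s' "..."` covers both uses portably. A header comment stating that the script `cd`s three levels up from its own location and then relies on repository-root-relative paths would help anyone invoking it from another checkout layout.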
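Review bot: `const assertion = !((args[2] ?? true) === "false")` is a double negation around a nullish default; `const assertion = args[2] !== 'false'` has exactly the same truth table (unset → `true`, `"false"` → `false`, anything else → `true`) and states the intent directly. Because any other third argument, including a misspelled `False`, is treated as "expect every line to match", the invalid fixture would still fail loudly, but rejecting anything other than `true`/`false` with a usage error would make the contract explicit for future callers. `failed = failed | (result !== assertion)` coerces the boolean accumulator to a number; `failed = failed || result !== assertion` keeps it boolean, and `r.test(element)` expresses `r.exec(element) != null` directly (no `g` flag is set, so `test` is stateless here). The missing space in `console.log(result,'but expected', …)` is a formatting nit. `failed` is consumed after the hunk ends, so the exit-code behaviour the shell wrapper relies on is not visible in this change.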