diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index ec1d90fa2..1319a9039 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -581,6 +581,37 @@
 "tlp"
 ],
 "properties": {
+ "sharing_group": {
+ "title": "Sharing Group",
+ "description": "Contains information about the group this document is intended to be shared with.",
+ "type": "object",
+ "required": [
+ "id"
+ ],
+ "properties": {
+ "id": {
+ "title": "Sharing Group ID",
+ "description": "Provides the unique ID for the sharing group.",
+ "type": "string",
+ "format": "uuid",
+ "pattern": "^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$"
+ },
+ "name": {
+ "title": "Sharing Group Name",
+ "description": "Contains a human-readable name for the sharing group.",
+ "type": "string",
+ "minLength": 1,
+ "examples": [
+ "Customer A",
+ "ISAC members",
+ "NIS2 regulated important entities in Germany, sector water",
+ "Pre-Sharing group for advisory discussion",
+ "Users of Product A",
+ "US Federal Civilian Authorities"
+ ]
+ }
+ }
+ },
 "text": {
 "title": "Textual description",
 "description": "Provides a textual description of additional constraints.",
diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
index 79e127241..d6fed1872 100644
--- a/csaf_2.1/prose/edit/etc/bind.txt
+++ b/csaf_2.1/prose/edit/etc/bind.txt
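Review bot: The version-4 branch of the new `id` pattern accepts any hex digit in the UUID variant position (its fourth group is `[0-9a-f]{4}`), so a constructed value like `12345678-1234-4123-0123-123456789abc` validates although RFC 4122/9562 requires that nibble to be one of `8`, `9`, `a`, `b`; since `format` is annotation-only in JSON Schema 2020-12, this pattern is the effective check for sharing-group IDs. Tightening the group fixes it: `"pattern": "^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$"`. The pattern is also lowercase-only, which is stricter than `format: uuid` (RFC 4122 permits upper-case hex on input); if that is intended, and given that the sharing-group tests added elsewhere in this commit appear to give the nil and max UUIDs a special meaning, the description should say so, e.g. `"description": "Provides the unique ID for the sharing group. It MUST be a version 4 UUID in lower case, the nil UUID or the max UUID."`. The enclosing object (apparently `distribution`) starts and ends outside the hunk.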
@@ -67,6 +67,11 @@ tests-01-mndtr-33-multiple-flags-with-vex-justification-codes-per-product.md
 tests-01-mndtr-34-branches-recursion-depth.md
 tests-01-mndtr-35-contradicting-remediations.md
 tests-01-mndtr-36-contradicting-product-status-remediation-combination.md
+tests-01-mndtr-37-date-and-time.md
+tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md
+tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
+tests-01-mndtr-40-invalid-sharing-group-name.md
+tests-01-mndtr-41-missing-sharing-group-name.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md
diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json
index e56dbae97..022cdc52e 100644
--- a/csaf_2.1/prose/edit/etc/example-global-to-local.json
+++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json
@@ -31,130 +31,139 @@
 "29": "version-type-semantic-versioning-eg-6",
 "30": "document-property-aggregate-severity-eg-1",
 "31": "document-property-category-eg-1",
- "32": "document-property-distribution-text-eg-1",
- "33": "document-property-distribution-tlp-eg-1",
- "34": "document-property-publisher-contact-details-eg-1",
- "35": "document-property-publisher-name-eg-1",
- "36": "document-property-publisher-namespace-eg-1",
- "37": "document-property-title-eg-1",
- "38": "document-property-tracking-aliases-eg-1",
- "39": "document-property-tracking-generator-eg-1",
- "40": "document-property-tracking-generator-eg-2",
- "41": "document-property-tracking-id-eg-1",
- "42": "product-tree-property-product-groups-eg-1",
- "43": "product-tree-property-relationships-eg-1",
- "44": "vulnerabilities-property-cwes-eg-1",
- "45": "vulnerabilities-property-cwes-eg-2",
- "46": "vulnerabilities-property-cwes-eg-3",
- "47": "vulnerabilities-property-ids-eg-1",
- "48": "vulnerabilities-property-ids-eg-2",
- "49": "filename-eg-1",
- "50": "filename-eg-2",
- "51": "missing-definition-of-product-id-eg-1",
- "52": "multiple-definition-of-product-id-eg-1",
- "53": "circular-definition-of-product-id-eg-1",
- "54": "missing-definition-of-product-group-id-eg-1",
- "55": "multiple-definition-of-product-group-id-eg-1",
- "56": "contradicting-product-status-eg-1",
- "57": "multiple-scores-with-same-version-per-product-eg-1",
- "58": "invalid-cvss-eg-1",
- "59": "invalid-cvss-computation-eg-1",
- "60": "inconsistent-cvss-eg-1",
- "61": "cwe-eg-1",
- "62": "language-eg-1",
- "63": "purl-eg-1",
- "64": "sorted-revision-history-eg-1",
- "65": "translator-eg-1",
- "66": "latest-document-version-eg-1",
- "67": "document-status-draft-eg-1",
- "68": "released-revision-history-eg-1",
- "69": "revision-history-entries-for-pre-release-versions-eg-1",
- "70": "non-draft-document-version-eg-1",
- "71": "missing-item-in-revision-history-eg-1",
- "72": "multiple-definition-in-revision-history-eg-1",
- "73": "multiple-use-of-same-cve-eg-1",
- "74": "multiple-definition-in-involvements-eg-1",
- "75": "multiple-use-of-same-hash-algorithm-eg-1",
- "76": "prohibited-document-category-name-eg-1",
- "77": "prohibited-document-category-name-eg-2",
- "78": "document-notes-eg-1",
- "79": "document-references-eg-1",
- "80": "vulnerabilities-for-informational-advisory-eg-1",
- "81": "product-tree-eg-1",
- "82": "vulnerability-notes-eg-1",
- "83": "product-status-eg-1",
- "84": "vex-product-status-eg-1",
- "85": "vulnerability-id-eg-1",
- "86": "impact-statement-eg-1",
- "87": "action-statement-eg-1",
- "88": "vulnerabilities-for-security-advisory-or-vex-eg-1",
- "89": "translation-eg-1",
- "90": "remediation-without-product-reference-eg-1",
- "91": "mixed-integer-and-semantic-versioning-eg-1",
- "92": "version-range-in-product-version-eg-1",
- "93": "flag-without-product-reference-eg-1",
- "94": "multiple-flags-with-vex-justification-codes-per-product-eg-1",
- "95": "mandatory-tests--branches-recursion-depth-eg-1",
- "96": "contradicting-remediations-eg-1",
- "97": "contradicting-product-status-remediation-combination-eg-1",
+ "32": "document-property-distribution-eg-1",
- "98": "unused-definition-of-product-id-eg-1",
- "99": "missing-remediation-eg-1",
- "100": "missing-metric-eg-1",
- "101": "build-metadata-in-revision-history-eg-1",
- "102": "older-initial-release-date-than-revision-history-eg-1",
- "103": "older-current-release-date-than-revision-history-eg-1",
- "104": "missing-date-in-involvements-eg-1",
- "105": "use-of-md5-as-the-only-hash-algorithm-eg-1",
- "106": "use-of-sha-1-as-the-only-hash-algorithm-eg-1",
- "107": "missing-tlp-label-eg-1",
- "108": "missing-canonical-url-eg-1",
- "109": "missing-document-language-eg-1",
- "110": "optional-tests--sorting-eg-1",
- "111": "use-of-private-language-eg-1",
- "112": "use-of-default-language-eg-1",
- "113": "missing-product-identification-helper-eg-1",
- "114": "cve-in-field-ids-eg-1",
- "115": "product-version-range-without-vers-eg-1",
- "116": "cvss-for-fixed-products-eg-1",
- "117": "additional-properties-eg-1",
- "118": "same-timestamps-in-revision-history-eg-1",
- "119": "document-tracking-id-in-title-eg-1",
- "120": "usage-of-deprecated-cwe-eg-1",
- "121": "usage-of-non-latest-cwe-version-eg-1",
- "122": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
- "123": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
- "124": "discouraged-product-status-remediation-combination-eg-1",
- "125": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
- "126": "use-of-cvss-v3-0-eg-1",
- "127": "missing-cve-eg-1",
- "128": "missing-cwe-eg-1",
- "129": "use-of-short-hash-eg-1",
- "130": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
- "131": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
- "132": "spell-check-eg-1",
- "133": "branch-categories-eg-1",
- "134": "usage-of-product-version-range-eg-1",
- "135": "usage-of-v-as-version-indicator-eg-1",
- "136": "missing-cvss-v4-0-eg-1",
- "137": "requirement-7-provider-metadata-json-eg-1",
- "138": "requirement-8-security-txt-eg-1",
- "139": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
- "140": "requirement-11-one-folder-per-year-eg-1",
- "141": "requirement-12-index-txt-eg-1",
- "142": "requirement-13-changes-csv-eg-1",
- "143": "requirement-15-rolie-feed-eg-1",
- "144": "requirement-16-rolie-service-document-eg-1",
- "145": "requirement-17-rolie-category-document-eg-1",
- "146": "requirement-17-rolie-category-document-eg-2",
- "147": "requirement-17-rolie-category-document-eg-3",
- "148": "requirement-18-integrity-eg-1",
- "149": "requirement-18-integrity-eg-2",
- "150": "requirement-19-signatures-eg-1",
- "151": "requirement-21-list-of-csaf-providers-eg-1",
- "152": "requirement-23-mirror-eg-1",
- "153": "conformance-clause-5-cvrf-csaf-converter-eg-1",
- "154": "conformance-clause-5-cvrf-csaf-converter-eg-2",
- "155": "conformance-clause-5-cvrf-csaf-converter-eg-3",
- "156": "conformance-clause-5-cvrf-csaf-converter-eg-4"
+ "33": "document-property-distribution-text-eg-1",
+ "34": "document-property-distribution-tlp-eg-1",
+ "35": "document-property-publisher-contact-details-eg-1",
+ "36": "document-property-publisher-name-eg-1",
+ "37": "document-property-publisher-namespace-eg-1",
+ "38": "document-property-title-eg-1",
+ "39": "document-property-tracking-aliases-eg-1",
+ "40": "document-property-tracking-generator-eg-1",
+ "41": "document-property-tracking-generator-eg-2",
+ "42": "document-property-tracking-id-eg-1",
+ "43": "product-tree-property-product-groups-eg-1",
+ "44": "product-tree-property-relationships-eg-1",
+ "45": "vulnerabilities-property-cwes-eg-1",
+ "46": "vulnerabilities-property-cwes-eg-2",
+ "47": "vulnerabilities-property-cwes-eg-3",
+ "48": "vulnerabilities-property-ids-eg-1",
+ "49": "vulnerabilities-property-ids-eg-2",
+ "50": "filename-eg-1",
+ "51": "filename-eg-2",
+ "52": "missing-definition-of-product-id-eg-1",
+ "53": "multiple-definition-of-product-id-eg-1",
+ "54": "circular-definition-of-product-id-eg-1",
+ "55": "missing-definition-of-product-group-id-eg-1",
+ "56": "multiple-definition-of-product-group-id-eg-1",
+ "57": "contradicting-product-status-eg-1",
+ "58": "multiple-scores-with-same-version-per-product-eg-1",
+ "59": "invalid-cvss-eg-1",
+ "60": "invalid-cvss-computation-eg-1",
+ "61": "inconsistent-cvss-eg-1",
+ "62": "cwe-eg-1",
+ "63": "language-eg-1",
+ "64": "purl-eg-1",
+ "65": "sorted-revision-history-eg-1",
+ "66": "translator-eg-1",
+ "67": "latest-document-version-eg-1",
+ "68": "document-status-draft-eg-1",
+ "69": "released-revision-history-eg-1",
+ "70": "revision-history-entries-for-pre-release-versions-eg-1",
+ "71": "non-draft-document-version-eg-1",
+ "72": "missing-item-in-revision-history-eg-1",
+ "73": "multiple-definition-in-revision-history-eg-1",
+ "74": "multiple-use-of-same-cve-eg-1",
+ "75": "multiple-definition-in-involvements-eg-1",
+ "76": "multiple-use-of-same-hash-algorithm-eg-1",
+ "77": "prohibited-document-category-name-eg-1",
+ "78": "prohibited-document-category-name-eg-2",
+ "79": "document-notes-eg-1",
+ "80": "document-references-eg-1",
+ "81": "vulnerabilities-for-informational-advisory-eg-1",
+ "82": "product-tree-eg-1",
+ "83": "vulnerability-notes-eg-1",
+ "84": "product-status-eg-1",
+ "85": "vex-product-status-eg-1",
+ "86": "vulnerability-id-eg-1",
+ "87": "impact-statement-eg-1",
+ "88": "action-statement-eg-1",
+ "89": "vulnerabilities-for-security-advisory-or-vex-eg-1",
+ "90": "translation-eg-1",
+ "91": "remediation-without-product-reference-eg-1",
+ "92": "mixed-integer-and-semantic-versioning-eg-1",
+ "93": "version-range-in-product-version-eg-1",
+ "94": "flag-without-product-reference-eg-1",
+ "95": "multiple-flags-with-vex-justification-codes-per-product-eg-1",
+ "96": "mandatory-tests--branches-recursion-depth-eg-1",
+ "97": "contradicting-remediations-eg-1",
+ "98": "contradicting-product-status-remediation-combination-eg-1",
+ "99": "mandatory-tests--date-and-time-eg-1",
+ "100": "non-public-sharing-group-with-max-uuid-eg-1",
+ "101": "public-sharing-group-with-no-max-uuid-eg-1",
+ "102": "invalid-sharing-group-name-eg-1",
+ "103": "missing-sharing-group-name-eg-1",
+ "104": "unused-definition-of-product-id-eg-1",
+ "105": "missing-remediation-eg-1",
+ "107": "missing-metric-eg-1",
+ "108": "build-metadata-in-revision-history-eg-1",
+ "109": "older-initial-release-date-than-revision-history-eg-1",
+ "110": "older-current-release-date-than-revision-history-eg-1",
+ "111": "missing-date-in-involvements-eg-1",
+ "112": "use-of-md5-as-the-only-hash-algorithm-eg-1",
+ "113": "use-of-sha-1-as-the-only-hash-algorithm-eg-1",
+ "114": "missing-tlp-label-eg-1",
+ "115": "missing-canonical-url-eg-1",
+ "116": "missing-document-language-eg-1",
+ "117": "optional-tests--sorting-eg-1",
+ "118": "use-of-private-language-eg-1",
+ "119": "use-of-default-language-eg-1",
+ "120": "missing-product-identification-helper-eg-1",
+ "121": "cve-in-field-ids-eg-1",
+ "122": "product-version-range-without-vers-eg-1",
+ "123": "cvss-for-fixed-products-eg-1",
+ "124": "additional-properties-eg-1",
+ "125": "same-timestamps-in-revision-history-eg-1",
+ "126": "document-tracking-id-in-title-eg-1",
+ "127": "usage-of-deprecated-cwe-eg-1",
+ "128": "usage-of-non-latest-cwe-version-eg-1",
+ "129": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
+ "130": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
+ "131": "discouraged-product-status-remediation-combination-eg-1",
+ "132": "usage-of-max-uuid-eg-1",
+ "133": "usage-of-nil-uuid-eg-1",
+ "134": "usage-of-sharing-group-on-tlp-clear-eg-1",
+ "135": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
+ "136": "use-of-cvss-v3-0-eg-1",
+ "137": "missing-cve-eg-1",
+ "138": "missing-cwe-eg-1",
+ "139": "use-of-short-hash-eg-1",
+ "140": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
+ "141": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
+ "142": "spell-check-eg-1",
+ "143": "branch-categories-eg-1",
+ "144": "usage-of-product-version-range-eg-1",
+ "145": "usage-of-v-as-version-indicator-eg-1",
+ "146": "missing-cvss-v4-0-eg-1",
+ "147": "requirement-7-provider-metadata-json-eg-1",
+ "148": "requirement-8-security-txt-eg-1",
+ "149": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
+ "150": "requirement-11-one-folder-per-year-eg-1",
+ "151": "requirement-12-index-txt-eg-1",
+ "152": "requirement-13-changes-csv-eg-1",
+ "153": "requirement-15-rolie-feed-eg-1",
+ "154": "requirement-16-rolie-service-document-eg-1",
+ "155": "requirement-17-rolie-category-document-eg-1",
+ "156": "requirement-17-rolie-category-document-eg-2",
+ "157": "requirement-17-rolie-category-document-eg-3",
+ "158": "requirement-18-integrity-eg-1",
+ "159": "requirement-18-integrity-eg-2",
+ "160": "requirement-19-signatures-eg-1",
+ "161": "requirement-21-list-of-csaf-providers-eg-1",
+ "162": "requirement-23-mirror-eg-1",
+ "163": "conformance-clause-5-cvrf-csaf-converter-eg-1",
+ "164": "conformance-clause-5-cvrf-csaf-converter-eg-2",
+ "165": "conformance-clause-5-cvrf-csaf-converter-eg-3",
+ "166": "conformance-clause-5-cvrf-csaf-converter-eg-4"
 }
diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json
index b5dddb861..248dea51d 100644
--- a/csaf_2.1/prose/edit/etc/example-local-to-global.json
+++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json
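Review bot: The renumbered example map skips a key: `"105": "missing-remediation-eg-1",` is followed directly by `"107": "missing-metric-eg-1",` with no `"106"`, whereas the old side numbered the same two examples consecutively (`"99"`, `"100"`). If this file is produced from the example blocks in the prose, the gap suggests either an unlabeled example between those two sections or a counting slip, so it is worth regenerating and comparing before merge; readers of the rendered document will otherwise see the example numbering jump. The same gap is mirrored in the example-local-to-global.json hunk `@@ -51,94 +52,102 @@` (`"missing-remediation-eg-1": "105"` next to `"missing-metric-eg-1": "107"`), so both files need the same correction.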
@@ -3,46 +3,47 @@
 "acknowledgments-type-names-eg-1": "1",
 "acknowledgments-type-organization-eg-1": "2",
 "acknowledgments-type-summary-eg-1": "3",
- "action-statement-eg-1": "87",
- "additional-properties-eg-1": "117",
- "branch-categories-eg-1": "133",
+ "action-statement-eg-1": "88",
+ "additional-properties-eg-1": "124",
+ "branch-categories-eg-1": "143",
 "branches-type-name-eg-1": "5",
 "branches-type-name-under-product-version-eg-1": "6",
 "branches-type-name-under-product-version-eg-2": "7",
 "branches-type-name-under-product-version-range-eg-1": "8",
 "branches-type-name-under-product-version-range-eg-2": "9",
- "build-metadata-in-revision-history-eg-1": "101",
- "circular-definition-of-product-id-eg-1": "53",
- "conformance-clause-5-cvrf-csaf-converter-eg-1": "153",
- "conformance-clause-5-cvrf-csaf-converter-eg-2": "154",
- "conformance-clause-5-cvrf-csaf-converter-eg-3": "155",
- "conformance-clause-5-cvrf-csaf-converter-eg-4": "156",
- "contradicting-product-status-eg-1": "56",
- "contradicting-product-status-remediation-combination-eg-1": "97",
- "contradicting-remediations-eg-1": "96",
- "cve-in-field-ids-eg-1": "114",
- "cvss-for-fixed-products-eg-1": "116",
- "cwe-eg-1": "61",
- "discouraged-product-status-remediation-combination-eg-1": "124",
- "document-notes-eg-1": "78",
+ "build-metadata-in-revision-history-eg-1": "108",
+ "circular-definition-of-product-id-eg-1": "54",
+ "conformance-clause-5-cvrf-csaf-converter-eg-1": "163",
+ "conformance-clause-5-cvrf-csaf-converter-eg-2": "164",
+ "conformance-clause-5-cvrf-csaf-converter-eg-3": "165",
+ "conformance-clause-5-cvrf-csaf-converter-eg-4": "166",
+ "contradicting-product-status-eg-1": "57",
+ "contradicting-product-status-remediation-combination-eg-1": "98",
+ "contradicting-remediations-eg-1": "97",
+ "cve-in-field-ids-eg-1": "121",
+ "cvss-for-fixed-products-eg-1": "123",
+ "cwe-eg-1": "62",
+ "discouraged-product-status-remediation-combination-eg-1": "131",
+ "document-notes-eg-1": "79",
 "document-property-aggregate-severity-eg-1": "30",
 "document-property-category-eg-1": "31",
- "document-property-distribution-text-eg-1": "32",
- "document-property-distribution-tlp-eg-1": "33",
- "document-property-publisher-contact-details-eg-1": "34",
- "document-property-publisher-name-eg-1": "35",
- "document-property-publisher-namespace-eg-1": "36",
- "document-property-title-eg-1": "37",
- "document-property-tracking-aliases-eg-1": "38",
- "document-property-tracking-generator-eg-1": "39",
- "document-property-tracking-generator-eg-2": "40",
- "document-property-tracking-id-eg-1": "41",
- "document-references-eg-1": "79",
- "document-status-draft-eg-1": "67",
- "document-tracking-id-in-title-eg-1": "119",
- "filename-eg-1": "49",
- "filename-eg-2": "50",
- "flag-without-product-reference-eg-1": "93",
+ "document-property-distribution-eg-1": "32",
+ "document-property-distribution-text-eg-1": "33",
+ "document-property-distribution-tlp-eg-1": "34",
+ "document-property-publisher-contact-details-eg-1": "35",
+ "document-property-publisher-name-eg-1": "36",
+ "document-property-publisher-namespace-eg-1": "37",
+ "document-property-title-eg-1": "38",
+ "document-property-tracking-aliases-eg-1": "39",
+ "document-property-tracking-generator-eg-1": "40",
+ "document-property-tracking-generator-eg-2": "41",
+ "document-property-tracking-id-eg-1": "42",
+ "document-references-eg-1": "80",
+ "document-status-draft-eg-1": "68",
+ "document-tracking-id-in-title-eg-1": "126",
+ "filename-eg-1": "50",
+ "filename-eg-2": "51",
+ "flag-without-product-reference-eg-1": "94",
 "full-product-name-type-name-eg-1": "10",
 "full-product-name-type-product-identification-helper-generic-uris-eg-1": "16",
 "full-product-name-type-product-identification-helper-generic-uris-eg-2": "17",
@@ -51,94 +52,102 @@
 "full-product-name-type-product-identification-helper-hashes-eg-3": "13",
 "full-product-name-type-product-identification-helper-model-numbers-eg-1": "14",
 "full-product-name-type-product-identification-helper-sbom-urls-eg-1": "15",
- "impact-statement-eg-1": "86",
- "inconsistent-cvss-eg-1": "60",
- "invalid-cvss-computation-eg-1": "59",
- "invalid-cvss-eg-1": "58",
- "language-eg-1": "62",
+ "impact-statement-eg-1": "87",
+ "inconsistent-cvss-eg-1": "61",
+ "invalid-cvss-computation-eg-1": "60",
+ "invalid-cvss-eg-1": "59",
+ "invalid-sharing-group-name-eg-1": "102",
+ "language-eg-1": "63",
 "language-type-eg-1": "18",
- "latest-document-version-eg-1": "66",
- "mandatory-tests--branches-recursion-depth-eg-1": "95",
- "missing-canonical-url-eg-1": "108",
- "missing-cve-eg-1": "127",
- "missing-cvss-v4-0-eg-1": "136",
- "missing-cwe-eg-1": "128",
- "missing-date-in-involvements-eg-1": "104",
- "missing-definition-of-product-group-id-eg-1": "54",
- "missing-definition-of-product-id-eg-1": "51",
- "missing-document-language-eg-1": "109",
- "missing-item-in-revision-history-eg-1": "71",
- "missing-metric-eg-1": "100",
- "missing-product-identification-helper-eg-1": "113",
- "missing-remediation-eg-1": "99",
- "missing-tlp-label-eg-1": "107",
- "mixed-integer-and-semantic-versioning-eg-1": "91",
- "multiple-definition-in-involvements-eg-1": "74",
- "multiple-definition-in-revision-history-eg-1": "72",
- "multiple-definition-of-product-group-id-eg-1": "55",
- "multiple-definition-of-product-id-eg-1": "52",
- "multiple-flags-with-vex-justification-codes-per-product-eg-1": "94",
- "multiple-scores-with-same-version-per-product-eg-1": "57",
- "multiple-use-of-same-cve-eg-1": "73",
- "multiple-use-of-same-hash-algorithm-eg-1": "75",
- "non-draft-document-version-eg-1": "70",
+ "latest-document-version-eg-1": "67",
+ "mandatory-tests--branches-recursion-depth-eg-1": "96",
+ "mandatory-tests--date-and-time-eg-1": "99",
+ "missing-canonical-url-eg-1": "115",
+ "missing-cve-eg-1": "137",
+ "missing-cvss-v4-0-eg-1": "146",
+ "missing-cwe-eg-1": "138",
+ "missing-date-in-involvements-eg-1": "111",
+ "missing-definition-of-product-group-id-eg-1": "55",
+ "missing-definition-of-product-id-eg-1": "52",
+ "missing-document-language-eg-1": "116",
+ "missing-item-in-revision-history-eg-1": "72",
+ "missing-metric-eg-1": "107",
+ "missing-product-identification-helper-eg-1": "120",
+ "missing-remediation-eg-1": "105",
+ "missing-sharing-group-name-eg-1": "103",
+ "missing-tlp-label-eg-1": "114",
+ "mixed-integer-and-semantic-versioning-eg-1": "92",
+ "multiple-definition-in-involvements-eg-1": "75",
+ "multiple-definition-in-revision-history-eg-1": "73",
+ "multiple-definition-of-product-group-id-eg-1": "56",
+ "multiple-definition-of-product-id-eg-1": "53",
+ "multiple-flags-with-vex-justification-codes-per-product-eg-1": "95",
+ "multiple-scores-with-same-version-per-product-eg-1": "58",
+ "multiple-use-of-same-cve-eg-1": "74",
+ "multiple-use-of-same-hash-algorithm-eg-1": "76",
+ "non-draft-document-version-eg-1": "71",
+ "non-public-sharing-group-with-max-uuid-eg-1": "100",
 "notes-type-eg-1": "19",
 "notes-type-eg-2": "20",
- "older-current-release-date-than-revision-history-eg-1": "103",
- "older-initial-release-date-than-revision-history-eg-1": "102",
- "optional-tests--sorting-eg-1": "110",
+ "older-current-release-date-than-revision-history-eg-1": "110",
+ "older-initial-release-date-than-revision-history-eg-1": "109",
+ "optional-tests--sorting-eg-1": "117",
 "product-group-id-type-eg-1": "21",
 "product-id-type-eg-1": "22",
- "product-status-eg-1": "83",
- "product-tree-eg-1": "81",
- "product-tree-property-product-groups-eg-1": "42",
- "product-tree-property-relationships-eg-1": "43",
- "product-version-range-without-vers-eg-1": "115",
- "prohibited-document-category-name-eg-1": "76",
- "prohibited-document-category-name-eg-2": "77",
- "purl-eg-1": "63",
- "released-revision-history-eg-1": "68",
- "remediation-without-product-reference-eg-1": "90",
- "requirement-11-one-folder-per-year-eg-1": "140",
- "requirement-12-index-txt-eg-1": "141",
- "requirement-13-changes-csv-eg-1": "142",
- "requirement-15-rolie-feed-eg-1": "143",
- "requirement-16-rolie-service-document-eg-1": "144",
- "requirement-17-rolie-category-document-eg-1": "145",
- "requirement-17-rolie-category-document-eg-2": "146",
- "requirement-17-rolie-category-document-eg-3": "147",
- "requirement-18-integrity-eg-1": "148",
- "requirement-18-integrity-eg-2": "149",
- "requirement-19-signatures-eg-1": "150",
- "requirement-21-list-of-csaf-providers-eg-1": "151",
- "requirement-23-mirror-eg-1": "152",
- "requirement-7-provider-metadata-json-eg-1": "137",
- "requirement-8-security-txt-eg-1": "138",
- "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "139",
- "revision-history-entries-for-pre-release-versions-eg-1": "69",
- "same-timestamps-in-revision-history-eg-1": "118",
- "sorted-revision-history-eg-1": "64",
- "spell-check-eg-1": "132",
- "translation-eg-1": "89",
- "translator-eg-1": "65",
+ "product-status-eg-1": "84",
+ "product-tree-eg-1": "82",
+ "product-tree-property-product-groups-eg-1": "43",
+ "product-tree-property-relationships-eg-1": "44",
+ "product-version-range-without-vers-eg-1": "122",
+ "prohibited-document-category-name-eg-1": "77",
+ "prohibited-document-category-name-eg-2": "78",
+ "public-sharing-group-with-no-max-uuid-eg-1": "101",
+ "purl-eg-1": "64",
+ "released-revision-history-eg-1": "69",
+ "remediation-without-product-reference-eg-1": "91",
+ "requirement-11-one-folder-per-year-eg-1": "150",
+ "requirement-12-index-txt-eg-1": "151",
+ "requirement-13-changes-csv-eg-1": "152",
+ "requirement-15-rolie-feed-eg-1": "153",
+ "requirement-16-rolie-service-document-eg-1": "154",
+ "requirement-17-rolie-category-document-eg-1": "155",
+ "requirement-17-rolie-category-document-eg-2": "156",
+ "requirement-17-rolie-category-document-eg-3": "157",
+ "requirement-18-integrity-eg-1": "158",
+ "requirement-18-integrity-eg-2": "159",
+ "requirement-19-signatures-eg-1": "160",
+ "requirement-21-list-of-csaf-providers-eg-1": "161",
+ "requirement-23-mirror-eg-1": "162",
+ "requirement-7-provider-metadata-json-eg-1": "147",
+ "requirement-8-security-txt-eg-1": "148",
+ "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "149",
+ "revision-history-entries-for-pre-release-versions-eg-1": "70",
+ "same-timestamps-in-revision-history-eg-1": "125",
+ "sorted-revision-history-eg-1": "65",
+ "spell-check-eg-1": "142",
+ "translation-eg-1": "90",
+ "translator-eg-1": "66",
 "typographical-conventions-eg-1": "4321",
- "unused-definition-of-product-id-eg-1": "98",
- "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "123",
- "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "122",
- "usage-of-deprecated-cwe-eg-1": "120",
- "usage-of-non-latest-cwe-version-eg-1": "121",
- "usage-of-product-version-range-eg-1": "134",
- "usage-of-v-as-version-indicator-eg-1": "135",
- "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "125",
- "use-of-cvss-v3-0-eg-1": "126",
- "use-of-default-language-eg-1": "112",
- "use-of-md5-as-the-only-hash-algorithm-eg-1": "105",
- "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "130",
- "use-of-private-language-eg-1": "111",
- "use-of-self-referencing-urls-failing-to-resolve-eg-1": "131",
- "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "106",
- "use-of-short-hash-eg-1": "129",
- "version-range-in-product-version-eg-1": "92",
+ "unused-definition-of-product-id-eg-1": "104",
+ "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "130",
+ "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "129",
+ "usage-of-deprecated-cwe-eg-1": "127",
+ "usage-of-max-uuid-eg-1": "132",
+ "usage-of-nil-uuid-eg-1": "133",
+ "usage-of-non-latest-cwe-version-eg-1": "128",
+ "usage-of-product-version-range-eg-1": "144",
+ "usage-of-sharing-group-on-tlp-clear-eg-1": "134",
+ "usage-of-v-as-version-indicator-eg-1": "145",
+ "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "135",
+ "use-of-cvss-v3-0-eg-1": "136",
+ "use-of-default-language-eg-1": "119",
+ "use-of-md5-as-the-only-hash-algorithm-eg-1": "112",
+ "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "140",
+ "use-of-private-language-eg-1": "118",
+ "use-of-self-referencing-urls-failing-to-resolve-eg-1": "141",
+ "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "113",
+ "use-of-short-hash-eg-1": "139",
+ "version-range-in-product-version-eg-1": "93",
 "version-type-eg-1": "23",
 "version-type-semantic-versioning-eg-1": "24",
 "version-type-semantic-versioning-eg-2": "25",
@@ -146,14 +155,14 @@
 "version-type-semantic-versioning-eg-4": "27",
 "version-type-semantic-versioning-eg-5": "28",
 "version-type-semantic-versioning-eg-6": "29",
- "vex-product-status-eg-1": "84",
- "vulnerabilities-for-informational-advisory-eg-1": "80",
- "vulnerabilities-for-security-advisory-or-vex-eg-1": "88",
- "vulnerabilities-property-cwes-eg-1": "44",
- "vulnerabilities-property-cwes-eg-2": "45",
- "vulnerabilities-property-cwes-eg-3": "46",
- "vulnerabilities-property-ids-eg-1": "47",
- "vulnerabilities-property-ids-eg-2": "48",
- "vulnerability-id-eg-1": "85",
- "vulnerability-notes-eg-1": "82"
+ "vex-product-status-eg-1": "85",
+ "vulnerabilities-for-informational-advisory-eg-1": "81",
+ "vulnerabilities-for-security-advisory-or-vex-eg-1": "89",
+ "vulnerabilities-property-cwes-eg-1": "45",
+ "vulnerabilities-property-cwes-eg-2": "46",
+ "vulnerabilities-property-cwes-eg-3": "47",
+ "vulnerabilities-property-ids-eg-1": "48",
+ "vulnerabilities-property-ids-eg-2": "49",
+ "vulnerability-id-eg-1": "86",
+ "vulnerability-notes-eg-1": "83"
 }
\ No newline at end of file
diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json
index e28c2a37f..fbf248489 100644
--- a/csaf_2.1/prose/edit/etc/section-display-to-label.json
+++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json
@@ -53,8 +53,9 @@
 "3.2.2.3": "document-property-category",
 "3.2.2.4": "document-property-csaf-version",
 "3.2.2.5": "document-property-distribution",
- "3.2.2.5.1": "document-property-distribution-text",
- "3.2.2.5.2": "document-property-distribution-tlp",
+ "3.2.2.5.1": "document-property-distribution-sharing-group",
+ "3.2.2.5.2": "document-property-distribution-text",
+ "3.2.2.5.3": "document-property-distribution-tlp",
 "3.2.2.6": "document-property-language",
 "3.2.2.7": "document-property-notes",
 "3.2.2.8": "document-property-publisher",
@@ -166,6 +167,11 @@
 "6.1.34": "mandatory-tests--branches-recursion-depth",
 "6.1.35": "contradicting-remediations",
 "6.1.36": "contradicting-product-status-remediation-combination",
+ "6.1.37": "mandatory-tests--date-and-time",
+ "6.1.38": "non-public-sharing-group-with-max-uuid",
+ "6.1.39": "public-sharing-group-with-no-max-uuid",
+ "6.1.40": "invalid-sharing-group-name",
+ "6.1.41": "missing-sharing-group-name",
 "6.2": "optional-tests",
 "6.2.1": "unused-definition-of-product-id",
 "6.2.2": "missing-remediation",
@@ -194,6 +200,9 @@
 "6.2.25": "usage-of-cwe-not-allowed-for-vulnerability-mapping",
 "6.2.26": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping",
 "6.2.27": "discouraged-product-status-remediation-combination",
+ "6.2.28": "usage-of-max-uuid",
+ "6.2.29": "usage-of-nil-uuid",
+ "6.2.30": "usage-of-sharing-group-on-tlp-clear",
 "6.3": "informative-test",
 "6.3.1": "use-of-cvss-v2-as-the-only-scoring-system",
 "6.3.2": "use-of-cvss-v3-0",
@@ -273,7 +282,7 @@
 "C.1": "file-size",
 "C.2": "array-length",
 "C.3": "string-length",
- "C.4": "uri-length",
+ "C.4": "date",
 "C.5": "enum",
- "C.6": "date"
+ "C.6": "uri-length"
 }
diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json
index 6a6e39183..d22cf8838 100644
--- a/csaf_2.1/prose/edit/etc/section-label-to-display.json +++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json @@ -54,7 +54,7 @@ "cve-in-field-ids": "6.2.17", "cvss-for-fixed-products": "6.2.19", "cwe": "6.1.11", - "date": "C.6", + "date": "C.4", "date-and-time": "2.2", "definitions": "3.1", "design-considerations": "2", @@ -67,8 +67,9 @@ "document-property-category": "3.2.2.3", "document-property-csaf-version": "3.2.2.4", "document-property-distribution": "3.2.2.5", - "document-property-distribution-text": "3.2.2.5.1", - "document-property-distribution-tlp": "3.2.2.5.2", + "document-property-distribution-sharing-group": "3.2.2.5.1", + "document-property-distribution-text": "3.2.2.5.2", + "document-property-distribution-tlp": "3.2.2.5.3", "document-property-language": "3.2.2.6", "document-property-notes": "3.2.2.7", "document-property-publisher": "3.2.2.8", @@ -117,12 +118,14 @@ "introduction": "1", "invalid-cvss": "6.1.8", "invalid-cvss-computation": "6.1.9", + "invalid-sharing-group-name": "6.1.40", "ipr-policy": "1.1", "language": "6.1.12", "language-type": "3.1.4", "latest-document-version": "6.1.16", "mandatory-tests": "6.1", "mandatory-tests--branches-recursion-depth": "6.1.34", + "mandatory-tests--date-and-time": "6.1.37", "missing-canonical-url": "6.2.11", "missing-cve": "6.3.3", "missing-cvss-v4-0": "6.3.12", @@ -135,6 +138,7 @@ "missing-product-identification-helper": "6.2.16", "missing-remediation": "6.2.2", "missing-metric": "6.2.3", + "missing-sharing-group-name": "6.1.41", "missing-tlp-label": "6.2.10", "mixed-integer-and-semantic-versioning": "6.1.30", "multiple-definition-in-involvements": "6.1.24", @@ -146,6 +150,7 @@ "multiple-use-of-same-cve": "6.1.23", "multiple-use-of-same-hash-algorithm": "6.1.25", "non-draft-document-version": "6.1.20", + "non-public-sharing-group-with-max-uuid": "6.1.38", "normative-references": "1.3", "notes-type": "3.1.5", "older-current-release-date-than-revision-history": "6.2.6", 
@@ -173,6 +178,7 @@
 "profiles": "4",
 "prohibited-document-category-name": "6.1.26",
 "properties": "3.2",
+ "public-sharing-group-with-no-max-uuid": "6.1.39",
 "purl": "6.1.13",
 "references-type": "3.1.10",
 "released-revision-history": "6.1.18",
@@ -224,12 +230,15 @@
 "translator": "6.1.15",
 "typographical-conventions": "1.5",
 "unused-definition-of-product-id": "6.2.1",
- "uri-length": "C.4",
+ "uri-length": "C.6",
 "usage-of-cwe-allowed-with-review-for-vulnerability-mapping": "6.2.26",
 "usage-of-cwe-not-allowed-for-vulnerability-mapping": "6.2.25",
 "usage-of-deprecated-cwe": "6.2.23",
+ "usage-of-max-uuid": "6.2.28",
+ "usage-of-nil-uuid": "6.2.29",
 "usage-of-non-latest-cwe-version": "6.2.24",
 "usage-of-product-version-range": "6.3.10",
+ "usage-of-sharing-group-on-tlp-clear": "6.2.30",
 "usage-of-v-as-version-indicator": "6.3.11",
 "use-of-cvss-v2-as-the-only-scoring-system": "6.3.1",
 "use-of-cvss-v3-0": "6.3.2",
diff --git a/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md b/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md
index 422b0657d..9395aacc8 100644
--- a/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md
+++ b/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md
@@ -1,13 +1,14 @@ ## Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. -In accordance with RFC 3339 and ISO 8601, the following rules apply: +In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply: * The letter `T` separating the date and time SHALL be upper case. +* The separator between date and time MUST be the letter `T`. * The letter `Z` indicating the timezone UTC SHALL be upper case. * Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator. * Leap seconds are supported. However, they SHOULD be avoided if possible. -* Empty timezones are prohibited. +* Empty timezones MUST NOT be used. * The ABNF of RFC 3339, section 5.6 applies. ------- diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 8dfb5d209..32fe3e3ce 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
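Review bot: The new citations `[cite]{#RFC3339}` and `[cite]{#ISO8601}` use braces, while every other citation in this commit uses parentheses (for example `[cite](#RFC4180)` in distributing.md and `[cite](#RFC9562)` in the document-properties section), and the regenerated share/csaf-v2.1-draft.html further down in this same diff carries the brace form through literally as `[cite]{#RFC3339}`, which suggests the references are not being resolved. The same brace form appears in the new tests-01-mndtr-37-date-and-time.md as `[sec]{#date-and-time}`. Change them to `[cite](#RFC3339)`, `[cite](#ISO8601)` and `[sec](#date-and-time)`. As a point of order, the added bullet `The separator between date and time MUST be the letter T.` is the precondition for the existing bullet about `T` being upper case, so it reads more naturally placed before it.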
@@ -194,18 +194,25 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents ### Requirement 13: changes.csv -The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each +The file `changes.csv` contains a list of CSAF documents in the current TLP level that were changed recently. +Therefore, it MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first. +The `changes.csv` SHALL be a valid comma separated values format as defined by [cite](#RFC4180) without double quotes. + +> Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) +> Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. *Example 1:* ``` -"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" +2023/esa-2023-09953.json,2023-07-01T10:09:07Z +2021/esa-2021-03676.json,2023-07-01T10:09:01Z +2022/esa-2022-02723.json,2022-04-17T15:08:41Z +2021/esa-2021-31916.json,2022-03-01T06:01:00Z ``` +> Note: As CSAF 2.0 requires quotes, an [cite](#RFC4180) parser can read both format revisions. + ### Requirement 14: Directory listings Directory listing SHALL be enabled to support manual navigation. 
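Review bot: The new note refers to `section [sec](#requirement-11-one-folder-per-year) Requirement for directory names` without the requirement number, whereas the same sentence cites `Requirement 2 for filenames` with its number; write `Requirement 11 for directory names` so the two references read alike. The sentence `The changes.csv SHALL be a valid comma separated values format` would also read better as `The file changes.csv SHALL be in valid comma-separated values (CSV) format as defined by [cite](#RFC4180), without double quotes.`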
@@ -413,7 +420,9 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ ### Requirement 19: Signatures All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is -extended by the appropriate extension. See [cite](#RFC4880) for more details. +extended by the appropriate extension. +This signature SHALL be presented as an ASCII armored file. +See [cite](#RFC4880) for more details. *Example 1:* @@ -437,6 +446,7 @@ Tools SHOULD treat the violation of the rules given in the first sentence as: ### Requirement 20: Public OpenPGP Key The public part of the OpenPGP key used to sign the CSAF documents MUST be available. +This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server. > For example, the public part of the OpenPGP key could be placed in a directory `openpgp` adjacent to the `provider-metadata.json`. diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index fa74a710c..bb09f4017 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 30 October 2024 +## 27 November 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ 
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index 8cfead215..edd66eb22 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -33,7 +33,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits > If you come across a case where these limits are exceeded, please provide feedback to the TC. -## File size +## File Size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. @@ -46,7 +46,7 @@ e.g.: 50 MiB. > In addition, the BSON format adds length information for the entries inside the document, > which adds to the size when storing CSAF document content in a BSON format. -## Array length +## Array Length An array SHOULD NOT have more than: @@ -130,7 +130,7 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/threats[]/group_ids` * `/vulnerabilities[]/threats[]/product_ids` -## String length +## String Length A string SHOULD NOT have a length greater than: 
@@ -139,6 +139,7 @@ A string SHOULD NOT have a length greater than: * `/document/acknowledgments[]/organization` * `/document/aggregate_severity/text` * `/document/category` + * `/document/distribution/sharing_group/name` * `/document/lang` * `/document/notes[]/audience` * `/document/notes[]/title` 
@@ -250,31 +251,20 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/remediations[]/restart_required/details` * `/vulnerabilities[]/threats[]/details` -## URI length +## Date -A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: +The maximum length of strings representing a temporal value is given by the format specifier. This applies to: -* `/document/acknowledgments[]/urls[]` -* `/document/aggregate_severity/namespace` -* `/document/distribution/tlp/url` -* `/document/references[]/url` -* `/document/publisher/namespace` -* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` -* `/vulnerabilities[]/acknowledgments[]/urls[]` -* `/vulnerabilities[]/metrics[]/source` -* `/vulnerabilities[]/references[]/url` -* `/vulnerabilities[]/remediations[]/url` +* `/document/tracking/current_release_date` +* `/document/tracking/generator/date` +* 
`/document/tracking/initial_release_date` +* `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/discovery_date` +* `/vulnerabilities[]/flags[]/date` +* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/involvements[]/date` +* `/vulnerabilities[]/remediations[]/date` +* `/vulnerabilities[]/threats[]/date` ## Enum 
@@ -386,17 +376,34 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity` (8) * `/vulnerabilities[]/threats[]/category` (14) -## Date +## URI Length -The maximum length of strings representing a temporal value is given by the format specifier. This applies to: +A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: -* `/document/tracking/current_release_date` -* `/document/tracking/generator/date` -* `/document/tracking/initial_release_date` -* `/document/tracking/revision_history[]/date` -* `/vulnerabilities[]/discovery_date` -* `/vulnerabilities[]/flags[]/date` -* `/vulnerabilities[]/release_date` -* `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/remediations[]/date` -* `/vulnerabilities[]/threats[]/date` +* `/document/acknowledgments[]/urls[]` +* `/document/aggregate_severity/namespace` +* `/document/distribution/tlp/url` +* `/document/references[]/url` +* `/document/publisher/namespace` +* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` +* 
`/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` +* `/vulnerabilities[]/acknowledgments[]/urls[]` +* `/vulnerabilities[]/metrics[]/source` +* `/vulnerabilities[]/references[]/url` +* `/vulnerabilities[]/remediations[]/url` + +## UUID Length + +A string with format `uuid` SHOULD NOT have a length greater than 50. This applies to: + +* `/document/distribution/sharing_group/id` (36) diff --git a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md index ea6e9114e..e07e63171 100644 --- a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md @@ -21,6 +21,9 @@ RFC2119 RFC3339 : Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . +RFC4180 +: Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, . + RFC7464 : Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, . @@ -29,3 +32,6 @@ RFC8174 RFC8259 : T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, . + +RFC9562 +: Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, . diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index 7794ee2fb..a13b34f08 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md 
@@ -69,6 +69,9 @@ RFC3552 RFC3986 : Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . +RFC4122 +: Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . + RFC4880 : Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, . diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 525db7592..7e7744c44 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -19,5 +19,6 @@ toc: | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index b271922bb..e8e3f8645 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
@@ -136,12 +136,15 @@ The single valid value for this `enum` is: #### Document Property - Distribution Rules for sharing document (`distribution`) of value type `object` with the mandatory property Traffic Light Protocol (TLP) (`tlp`) and the -optional property Text (`text`) describes any constraints on how this document might be shared. +optional properties Sharing Group (`Sharing Group`) and Text (`text`) describes any constraints on how this document might be shared. ``` "distribution": { // ... "properties": { + "sharing_group": { + // ... + }, "text": { // ... }, 
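Review bot: In the rewritten sentence the code literal given for the new property is `Sharing Group`, but the property name is `sharing_group`, as used in the code block directly below and in the new subsection heading; the parenthesised literal should read `sharing_group` so that `Sharing Group (sharing_group) and Text (text)` follows the same pattern as the existing `Traffic Light Protocol (TLP) (tlp)`. The rendered csaf-v2.1-draft.html later in this diff carries the same `(Sharing Group)` text, so it will need regenerating after the fix.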
@@ -152,7 +155,81 @@ optional property Text (`text`) describes any constraints on how this document m }, ``` -If both values are present, the TLP information SHOULD be preferred as this aids in automation. +If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. +The Sharing Group SHALL be interpreted as specification to the TLP information. +Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: + +*Examples 1:* + +``` + E-ISAC members-only + Only releasable to European Energy sector + Releasable to NATO countries +``` + +> Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. + +##### Document Property - Distribution - Sharing Group + +Sharing Group (`sharing_group`) of value type `object` with the mandatory property Sharing Group ID (`id`) and +the optional property Sharing Group Name (`name`) contains information about the group this document is intended to be shared with. + +``` + "sharing_group": { + // ... + "properties": { + "id": { + // ... + }, + "name": { + // ... + } + } + }, +``` + +Sharing Group ID (`id`) of value type `string` with format `uuid` and `pattern` (regular expression): + +``` + ^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$ +``` + +Sharing Group ID provides the unique ID for the sharing group. +This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, +e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. + +> Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. +> Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. 
+ +The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. +It MUST differ if a different sharing group is addressed. + +The ID SHALL be valid according to [cite](#RFC9562) and recorded in the 8-4-4-4-12 notation in lower case. +The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. `TLP:GREEN` and above. + +The following ID values SHOULD NOT be used unless there are technical reasons for them. +Therefore, they are reserved for implementation-specific situations: + +- A system MAY use the Max UUID for `TLP:CLEAR` CSAF documents. + > For example, the system uses the UUID as an indication whether a user allowed to see the document. + > The security considerations from [cite](#RFC9562) should be reflected on. +- A system MAY use the Nil UUID for CSAF documents that MUST NOT be shared. + > For example, the CSAF document is just being drafted and the accidental leakage should be prevented. + +> Note, that both values do not indicate a closed sharing group. + +A CSAF document with `TLP:CLEAR` SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (`ffffffff-ffff-ffff-ffff-ffffffffffff`). + +If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section [sec](#conformance-clause-8-csaf-modifier)) regarding the generation of the value of `/document/tracking/id` SHALL be applied. +This implies that usually the sharing group ID is used as a prefix to the original `/document/tracking/id`. + +Sharing Group Name (`name`) of value type `string` with one or more characters contains a human-readable name for the sharing group. + +The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. +However, the following values are reserved for the conditions below: + +- For the Max UUID, the value of `name` SHALL exist and be `Public`. 
+- For the Nil UUID, the value of `name` SHALL exist and be `No sharing allowed`. ##### Document Property - Distribution - Text @@ -314,8 +391,8 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and -product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, product security incident response teams (PSIRTs), +open source projects as well as product resellers and distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md index 663f1b64f..d13929fc8 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md 
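Review bot: The example note under the Max UUID bullet is missing a verb, `the system uses the UUID as an indication whether a user allowed to see the document`, and should read `whether a user is allowed to see the document`; since that sentence describes using the ID as an authorization signal, it would help to state next to the `[cite](#RFC9562)` pointer what those security considerations mean here, e.g. `Sharing Group IDs are identifiers, not access tokens; access decisions MUST NOT rely on an ID being unguessable.` Such a sentence makes the reserved Max/Nil values and the `Note, that both values do not indicate a closed sharing group.` remark easier to apply correctly. Separately, the heading `*Examples 1:*` should be `*Example 1:*`, matching the form used throughout the rest of the document.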
@@ -3,22 +3,28 @@ For each element of type `/$defs/branches_t` with `category` of `product_version` it MUST be tested that the value of `name` does not contain a version range. -> To implement this test it is deemed sufficient that, when converted to lower case, -> the value of `name` does not contain any of the following strings: +> To implement this test it is deemed sufficient that, when converted to lower case, the value of `name` satisfies the two requirements below: > -> ``` -> < -> <= -> > -> >= -> after -> all -> before -> earlier -> later -> prior -> versions -> ``` +> 1. It does not contain any of the following operators: +> +> ``` +> < +> <= +> > +> >= +> ``` +> +> 2. If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: +> +> ``` +> after +> all +> before +> earlier +> later +> prior +> versions +> ``` The relevant paths for this test are: diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md new file mode 100644 index 000000000..a56a13bf0 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md 
@@ -0,0 +1,26 @@ +### Date and Time{#mandatory-tests--date-and-time} + +For each item of type `string` and format `date-time` it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}. + +The relevant path for this test is: + +``` + /document/tracking/current_release_date + /document/tracking/generator/date + /document/tracking/initial_release_date + /document/tracking/revision_history[]/date + /vulnerabilities[]/discovery_date + /vulnerabilities[]/flags[]/date + /vulnerabilities[]/release_date + /vulnerabilities[]/involvements[]/date + /vulnerabilities[]/remediations[]/date + /vulnerabilities[]/threats[]/date +``` + +*Example 1 (which fails the test):* + +``` + "current_release_date": "2024-01-24 10:00:00.000Z", +``` + +> The `current_release_date` uses a whitespace as separator instead the letter `T`. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md new file mode 100644 index 000000000..fe1ee7d8a --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md @@ -0,0 +1,27 @@ +### Non-Public Sharing Group with Max UUID + +It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label `CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/tlp/label +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "RED" + } + }, +``` + +> The sharing group uses the Max UUID but the CSAF document is labeled as `TLP:RED`. + +> A tool MAY remove the property `sharing_group` as a quick fix. 
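Review bot: The explanatory note under Example 1 reads `uses a whitespace as separator instead the letter T` and should be `instead of the letter T`. The lead-in `The relevant path for this test is:` introduces ten paths, so it should be `The relevant paths for this test are:`, as the sibling tests with multiple paths phrase it.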
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md new file mode 100644 index 000000000..89d04ca15 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md @@ -0,0 +1,27 @@ +### Public Sharing Group with no Max UUID + +It MUST be tested that a CSAF document with the TLP label `CLEAR` use the Max UUID as sharing group ID if any. +The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is `draft`. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The sharing group is present for the `TLP:CLEAR` document but it differs from the Max UUID. + +> A tool MAY update the sharing group id as a quick fix. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md new file mode 100644 index 000000000..8b313360a --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md 
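Review bot: The pass condition `The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is draft` is ambiguous about whether the `draft` status qualifies only the Nil-UUID case, and the Nil-UUID exemption itself conflicts with the normative sentence added in this commit in section 3.2.2.5.1, `A CSAF document with TLP:CLEAR ... SHALL NOT contain any other value for the Sharing Group ID than Max UUID`, which admits no exception for drafts. Either that sentence should carry the draft/Nil-UUID exception or the test should drop it; a mandatory test and the normative text should agree before the test is numbered. A clearer form would be `The test SHALL pass if no sharing group is present, or if the Nil UUID is used and the document status is draft.` Also `use the Max UUID as sharing group ID` should read `uses the Max UUID as sharing group ID`.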
@@ -0,0 +1,25 @@ +### Invalid Sharing Group Name + +It MUST be tested that the value of sharing group name does not equal the reserved values from section [sec](#document-property-distribution-sharing-group) if the precondition is not fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group name is `Public` but it does not use the Max UUID. + +> A tool MAY update the sharing group name as a quick fix. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-missing-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-missing-sharing-group-name.md new file mode 100644 index 000000000..d37fe06cf --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-missing-sharing-group-name.md @@ -0,0 +1,24 @@ +### Missing Sharing Group Name + +It MUST be tested that the sharing group name exists and equals the predefined reserved value from section [sec](#document-property-distribution-sharing-group) if the precondition is fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff" + }, + // ... + }, +``` + +> The Max UUID is used but the sharing group name does not exist. + +> A tool MAY add the corresponding sharing group name as a quick fix. diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index f5b0f941f..f3304ea77 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md 
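Review bot: `if the precondition is not fulfilled` (and `if the precondition is fulfilled` in the new tests-01-mndtr-41-missing-sharing-group-name.md) leaves the precondition unnamed, so an implementer has to reconstruct it from section 3.2.2.5.1, where the reserved names are tied to the ID being the Max UUID or the Nil UUID. State it explicitly in both tests, e.g. `... does not equal one of the reserved values from section [sec](#document-property-distribution-sharing-group) unless the sharing group ID is the Max UUID or the Nil UUID, respectively.` Since both tests must read the ID to decide, `/document/distribution/sharing_group/id` belongs in their relevant-path lists as well.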
@@ -839,3 +839,83 @@ The relevant path for this test is: ``` > For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all. + +### Usage of Max UUID + +It MUST be tested that the Max UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Max UUID. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### Usage of Nil UUID + +It MUST be tested that the Nil UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Nil UUID. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### Usage of Sharing Group on TLP:CLEAR{#usage-of-sharing-group-on-tlp-clear} + +It MUST be tested that no sharing group is used if the document is `TLP:CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The CSAF document is `TLP:CLEAR` but a sharing group is given. + +> A tool MAY remove the property `sharing_group` as a quick fix. diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index c99352a0c..a7440bdd4 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -41,8 +41,8 @@
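Review bot: In `### Usage of Nil UUID`, the example presented as failing uses the Max UUID `ffffffff-ffff-ffff-ffff-ffffffffffff` with the name `Public`, so as written it does not exercise this test (it would trip 6.2.28 instead) and contradicts its own note `The sharing group id uses the Nil UUID.` The example should use `"id": "00000000-0000-0000-0000-000000000000"` and, per the reserved names added in section 3.2.2.5.1, `"name": "No sharing allowed"`. The identical example block in `### Usage of Max UUID` and `### Usage of Sharing Group on TLP:CLEAR` is correct for those two tests.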

Committee Specification Draft 01

-

- 30 October 2024 +

+ 27 November 2024

This stage: @@ -160,7 +160,7 @@

[csaf-v2.1]

- Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


@@ -338,9 +338,11 @@

  • 3.2.2.5 Document Property - Distribution
  • @@ -594,6 +596,16 @@

  • 6.1.36 Contradicting Product Status Remediation Combination
  • +
  • 6.1.37 Date and Time +
  • +
  • 6.1.38 Non-Public Sharing Group with Max UUID +
  • +
  • 6.1.39 Public Sharing Group with no Max UUID +
  • +
  • 6.1.40 Invalid Sharing Group Name +
  • +
  • 6.1.41 Missing Sharing Group Name +
  • 6.2 Optional Tests @@ -652,6 +664,12 @@

  • 6.2.27 Discouraged Product Status Remediation Combination
  • +
  • 6.2.28 Usage of Max UUID +
  • +
  • 6.2.29 Usage of Nil UUID +
  • +
  • 6.2.30 Usage of Sharing Group on TLP:CLEAR +
  • 6.3 Informative Test @@ -823,18 +841,20 @@

  • Appendix B. Revision History
  • Appendix C. Guidance on the Size of CSAF Documents +
  • +
  • Appendix C. File Size +
  • +
  • Appendix C. Array Length +
  • +
  • Appendix C. String Length
  • @@ -1380,6 +1400,9 @@

    [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, https://www.rfc-editor.org/info/rfc3339.

    +

    + [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, https://www.rfc-editor.org/info/rfc4180. +

    [RFC7464] Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, https://www.rfc-editor.org/info/rfc7464.

    @@ -1389,6 +1412,9 @@

    [RFC8259] T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, https://www.rfc-editor.org/info/rfc8259.

    +

    + [RFC9562] Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, https://www.rfc-editor.org/info/rfc9562. +

    1.4 Informative References

    @@ -1472,6 +1498,9 @@

    [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, https://www.rfc-editor.org/info/rfc3986.

    +

    + [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, https://www.rfc-editor.org/info/rfc4122. +

    [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, https://www.rfc-editor.org/info/rfc4880.

    @@ -1686,18 +1715,20 @@

    2.2 Date and Time

    - This standard uses the date-time format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with RFC 3339 and ISO 8601, the following rules apply:
    + This standard uses the date-time format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply:

    • The letter T separating the date and time SHALL be upper case.
    • +
    • The separator between date and time MUST be the letter T. +
    • The letter Z indicating the timezone UTC SHALL be upper case.
    • Fractions of seconds are allowed as specified in the standards mention above with the full stop (.) as separator.
    • Leap seconds are supported. However, they SHOULD be avoided if possible.
    • -
    • Empty timezones are prohibited. +
    • Empty timezones MUST NOT be used.
    • The ABNF of RFC 3339, section 5.6 applies.
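Review bot: The new bullets at L128 and L134 use MUST / MUST NOT while the neighbouring bullets of the same list (L126, L129) use SHALL, so the list now mixes the two keyword families for requirements of the same strength; picking one, e.g. `The separator between date and time SHALL be the letter T.` and `Empty timezones SHALL NOT be used.`, keeps the section consistent. The new test 6.1.37 in this commit checks exactly these rules, so this wording is what implementers will cite.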
    • @@ -3078,11 +3109,14 @@

      3.2.2.5 Document Property - Distribution

      - Rules for sharing document (distribution) of value type object with the mandatory property Traffic Light Protocol (TLP) (tlp) and the optional property Text (text) describes any constraints on how this document might be shared.
      + Rules for sharing document (distribution) of value type object with the mandatory property Traffic Light Protocol (TLP) (tlp) and the optional properties Sharing Group (Sharing Group) and Text (text) describes any constraints on how this document might be shared.

          "distribution": {
             // ...
             "properties": {
      +        "sharing_group": {
      +          // ...
      +        },
               "text": {
                 // ...
               },
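Review bot: The new property list at L140 writes the property as `Sharing Group (Sharing Group)`, whereas its siblings are given by their JSON key — `Traffic Light Protocol (TLP) (tlp)` and `Text (text)` — and the snippet at L145 shows the key is `sharing_group`. It should read `the optional properties Sharing Group (sharing_group) and Text (text)` so the prose matches both the schema key and the section's convention.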
      @@ -3092,22 +3126,111 @@ 

      } },

      - If both values are present, the TLP information SHOULD be preferred as this aids in automation.
      + If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. The Sharing Group SHALL be interpreted as specification to the TLP information. Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: +

      +

      + Examples 1:

      -
      - 3.2.2.5.1 Document Property - Distribution - Text +
          E-ISAC members-only
      +    Only releasable to European Energy sector
      +    Releasable to NATO countries
      +
      +

      + Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. +

      +
      +
      + 3.2.2.5.1 Document Property - Distribution - Sharing Group +
      +

      + Sharing Group (sharing_group) of value type object with the mandatory property Sharing Group ID (id) and the optional property Sharing Group Name (name) contains information about the group this document is intended to be shared with. +

      +
              "sharing_group": {
      +          // ...
      +          "properties": {
      +            "id": {
      +              // ...
      +            },
      +            "name": {
      +              // ...
      +            }
      +          }
      +        },
      +

      + Sharing Group ID (id) of value type string with format uuid and pattern (regular expression): +

      +
          ^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$
      +

      + Sharing Group ID provides the unique ID for the sharing group. This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. +

      +
      +

      + Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. +

      +
      +

      + The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. It MUST differ if a different sharing group is addressed. +

      +

      + The ID SHALL be valid according to [RFC9562] and recorded in the 8-4-4-4-12 notation in lower case. The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. TLP:GREEN and above. +

      +

      + The following ID values SHOULD NOT be used unless there are technical reasons for them. Therefore, they are reserved for implementation-specific situations: +

      +
        +
      • A system MAY use the Max UUID for TLP:CLEAR CSAF documents. +
        +

        + For example, the system uses the UUID as an indication whether a user allowed to see the document. The security considerations from [RFC9562] should be reflected on. +

        +
        +
      • +
      • A system MAY use the Nil UUID for CSAF documents that MUST NOT be shared. +
        +

        + For example, the CSAF document is just being drafted and the accidental leakage should be prevented. +

        +
        +
      • +
      +
      +

      + Note, that both values do not indicate a closed sharing group. +

      +
      +

      + A CSAF document with TLP:CLEAR SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (ffffffff-ffff-ffff-ffff-ffffffffffff). +

      +

      + If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section sec) regarding the generation of the value of /document/tracking/id SHALL be applied. This implies that usually the sharing group + ID is used as a prefix to the original /document/tracking/id. +

      +

      + Sharing Group Name (name) of value type string with one or more characters contains a human-readable name for the sharing group. +

      +

      + The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. However, the following values are reserved for the conditions below: +

      +
        +
      • For the Max UUID, the value of name SHALL exist and be Public. +
      • +
      • For the Nil UUID, the value of name SHALL exist and be No sharing allowed. +
      • +
      +
      + 3.2.2.5.2 Document Property - Distribution - Text

      The Textual description (text) of value type string with 1 or more characters provides a textual description of additional constraints.

      - Examples 1: + Examples 1:

          Copyright 2024, Example Company, All Rights Reserved.
           Distribute freely.
           Share only on a need-to-know-basis only.
      -
      - 3.2.2.5.2 Document Property - Distribution - TLP +
      + 3.2.2.5.3 Document Property - Distribution - TLP

      Traffic Light Protocol (TLP) (tlp) of value type object with the mandatory property Label (label) and the optional property URL (url) provides details about the TLP classification of the document. @@ -3149,7 +3272,7 @@
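Review bot: The rule at L244 that a TLP:CLEAR document `SHALL NOT contain any other value for the Sharing Group ID than Max UUID` conflicts with test 6.1.39 added later in this commit (L910), which passes a TLP:CLEAR document carrying the Nil UUID while the tracking status is draft; either carry that exception into this sentence, e.g. `... than Max UUID, or the Nil UUID while the document status is draft.`, or drop it from the test. The reserved names at L260 and L262 (`Public`, `No sharing allowed`) do not say whether the comparison is case-sensitive, which tests 6.1.40 and 6.1.41 need to know, so I would state it explicitly. Two wording issues in the new text: L223 reads `whether a user allowed to see the document` (missing `is`), and L248 contains an unresolved cross-reference `(cf. section sec)`. Since L248 also makes the sharing group ID a prefix of /document/tracking/id, it may be worth one sentence noting that the ID then becomes visible wherever the tracking ID is exposed outside the document, which matters for IDs that L169 expects only the participants to know.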

          https://www.first.org/tlp/

      - Examples 1: + Examples 1:

          https://www.us-cert.gov/tlp
           https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf
      @@ -3288,7 +3411,7 @@
      The value user indicates anyone using a vendor’s product.

      - The value vendor indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners.
      + The value vendor indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, product security incident response teams (PSIRTs), open source projects as well as product resellers and distributors, including authoritative vendor partners.

      3.2.2.8.2 Document Property - Publisher - Contact Details
@@ -3297,7 +3420,7 @@
      Contact details (contact_details) of value type string with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.

      - Example 1: + Example 1:

          Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact.
      @@ -3313,7 +3436,7 @@
      The Name of publisher (name) of value type string with 1 or more characters contains the name of the issuing party.

      - Example 1: + Example 1:

           BSI
            Cisco PSIRT
      @@ -3342,7 +3465,7 @@ 

    - Examples 1: + Examples 1:

        https://csaf.io
         https://www.example.com
    @@ -3377,7 +3500,7 @@

    Title of this document (title) of value type string with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.

    - Examples 1: + Examples 1:

        Cisco IPv6 Crafted Packet Denial of Service Vulnerability
         Example Company Cross-Site-Scripting Vulnerability in Example Generator
    @@ -3433,7 +3556,7 @@

    Every such Alternate Name of value type string with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.

    - Example 1: + Example 1:

        CVE-2019-12345
    @@ -3482,7 +3605,7 @@
    Engine name (name) of value type string with 1 or more characters represents the name of the engine that generated the CSAF document.

    - Examples 1: + Examples 1:

        Red Hat rhsa-to-cvrf
         Secvisogram
    @@ -3496,7 +3619,7 @@ 

    - Examples 2: + Examples 2:

        0.6.0
         1.0.0-beta+exp.sha.a1c44f85
    @@ -3520,7 +3643,7 @@ 
    The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.

    - Examples 1: + Examples 1:

        Example Company - 2019-YH3234
         RHBA-2019:0024
    @@ -3685,7 +3808,7 @@ 

    The summary of the product group (summary) of value type string with 1 or more characters gives a short, optional description of the group.

    - Examples 1: + Examples 1:

        Products supporting Modbus.
         The x64 versions of the operating system.
    @@ -3763,7 +3886,7 @@

    Relates to Product Reference (relates_to_product_reference) of value type Product ID (product_id_t) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.

    - Examples 1: + Examples 1:

      "product_tree": {
         "full_product_names": [
    @@ -3916,7 +4039,7 @@ 

    It holds the ID for the weakness associated.

    - Examples 1: + Examples 1:

        CWE-22
         CWE-352
    @@ -3925,7 +4048,7 @@ 

    The Weakness name (name) has value type string with 1 or more characters and holds the full name of the weakness as given in the CWE specification.

    - Examples 2: + Examples 2:

        Cross-Site Request Forgery (CSRF)
         Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    @@ -3938,7 +4061,7 @@ 

    It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.

    - Examples 3: + Examples 3:

        "1.0",
         "3.4.1",
    @@ -4063,7 +4186,7 @@ 

    System name (system_name) of value type string with 1 or more characters indicates the name of the vulnerability tracking or numbering system.

    - Examples 1: + Examples 1:

        Cisco Bug ID
         GitHub Issue
    @@ -4071,7 +4194,7 @@

    Text (text) of value type string with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).

    - Examples 2: + Examples 2:

        CSCso66472
         oasis-tcs/csaf#210
    @@ -5403,7 +5526,7 @@

  • - Examples 1: + Examples 1:

      cisco-sa-20190513-secureboot.json
       example_company_-_2019-yh3234.json
    @@ -5414,7 +5537,7 @@ 

    - Examples 2: + Examples 2:

      cisco-sa-20190513-secureboot_invalid.json
       example_company_-_2019-yh3234_invalid.json
    @@ -5500,7 +5623,7 @@ 

    /vulnerabilities[]/remediations[]/product_ids[] /vulnerabilities[]/threats[]/product_ids[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "product_groups": [
    @@ -5531,7 +5654,7 @@ 

    /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5567,7 +5690,7 @@ 

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5606,7 +5729,7 @@ 

      /vulnerabilities[]/remediations[]/group_ids
       /vulnerabilities[]/threats[]/group_ids

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5645,7 +5768,7 @@ 

        /product_tree/product_groups[]/group_id

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5728,7 +5851,7 @@ 

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5771,7 +5894,7 @@ 

        /vulnerabilities[]/metrics[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5831,7 +5954,7 @@ 

    /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.1",
    @@ -5878,7 +6001,7 @@ 

    /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.1",
    @@ -5909,7 +6032,7 @@ 

    /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.1",
    @@ -5946,7 +6069,7 @@ 

        /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cwes": [
         {
    @@ -5972,7 +6095,7 @@ 

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "lang": "EZ"
    @@ -5998,7 +6121,7 @@

    /product_tree/full_product_names[]/product_identification_helper/purl /product_tree/relationships[]/full_product_name/product_identification_helper/purl

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6027,7 +6150,7 @@ 

        /document/tracking/revision_history

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "revision_history": [
         {
    @@ -6057,7 +6180,7 @@ 

        /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -6086,7 +6209,7 @@ 

        /document/tracking/version

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "tracking": {
         // ...
    @@ -6121,7 +6244,7 @@ 

        /document/tracking/status

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6144,7 +6267,7 @@ 

        /document/tracking/revision_history[]/number

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6179,7 +6302,7 @@ 

        /document/tracking/revision_history[]/number

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
    @@ -6209,7 +6332,7 @@ 

        /document/tracking/version

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6233,7 +6356,7 @@ 

        /document/tracking/revision_history

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
    @@ -6263,7 +6386,7 @@ 

        /document/tracking/revision_history

    - Example 1 (which fails the test): + Example 1 (which fails the test):

       "revision_history": [
           {
    @@ -6293,7 +6416,7 @@ 

        /vulnerabilities[]/cve

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6319,7 +6442,7 @@ 

        /vulnerabilities[]/involvements

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6356,7 +6479,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6416,7 +6539,7 @@ 

      /document/category

    - Examples 1 (for currently prohibited values): + Examples 1 (for currently prohibited values):

      Csaf_a
       Informational Advisory
    @@ -6425,7 +6548,7 @@ 

    veX V_eX

    - Example 2 (which fails the test): + Example 2 (which fails the test):

      "category": "Security_Incident_Response"
    @@ -6460,7 +6583,7 @@

      /document/notes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "notes": [
         {
    @@ -6490,7 +6613,7 @@ 

      /document/references

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "references": [
         {
    @@ -6519,7 +6642,7 @@ 

      /vulnerabilities

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6552,7 +6675,7 @@ 

      /product_tree

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      {
         "document": {
    @@ -6583,7 +6706,7 @@ 

      /vulnerabilities[]/notes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6610,7 +6733,7 @@ 

      /vulnerabilities[]/product_status

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6640,7 +6763,7 @@ 

    /vulnerabilities[]/product_status/known_not_affected /vulnerabilities[]/product_status/under_investigation

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_status": {
         "first_fixed": [
    @@ -6671,7 +6794,7 @@ 

      /vulnerabilities[]/cve
       /vulnerabilities[]/ids

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6699,7 +6822,7 @@ 

      /vulnerabilities[]/flags
       /vulnerabilities[]/threats

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6770,7 +6893,7 @@ 

      /vulnerabilities[]/remediations

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6843,7 +6966,7 @@ 

      /vulnerabilities

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      {
         "document": {
    @@ -6870,7 +6993,7 @@ 

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -6903,7 +7026,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "remediations": [
             {
    @@ -6933,7 +7056,7 @@ 

      /document/tracking/revision_history[]/number
       /document/tracking/version

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6970,26 +7093,38 @@ 

    - To implement this test it is deemed sufficient that, when converted to lower case, the value of name does not contain any of the following strings:
    + To implement this test it is deemed sufficient that, when converted to lower case, the value of name satisfies the two requirements below:

    -
      <
    +      
      +
    1. +

      + It does not contain any of the following operators: +

      +
        <
         <=
         >
      -  >=
      -  after
      +  >=
      +
    2. +
    3. +

      + If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: +

      +
        after
         all
         before
         earlier
         later
         prior
         versions
      +
    4. +

    The relevant paths for this test are:

      /product_tree/branches[](/branches[])*/name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                "branches": [
                   {
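Review bot: The keyword requirement at L764 splits `name` only on whitespace, so a token with attached punctuation such as `versions,` or `(all)` matches none of the listed keywords while still expressing a range; either state that punctuation adjacent to a word is removed before comparison, or define the split on any non-alphanumeric character. Separately, listing `<=` and `>=` at L755 and L759 is redundant for a substring check once `<` and `>` are listed; it is harmless, but a sentence saying the operators are matched as substrings and the keywords as whole words would remove the ambiguity for implementers.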
    @@ -7014,7 +7149,7 @@ 

      /vulnerabilities[]/flags[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "flags": [
             {
    @@ -7042,7 +7177,7 @@ 

      /vulnerabilities[]/flags

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7107,7 +7242,7 @@ 

      /product_tree/branches[](/branches[])*/product

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "branches": [
    @@ -7317,7 +7452,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "remediations": [
             {
    @@ -7357,7 +7492,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "product_status": {
             "known_not_affected": [
    @@ -7378,6 +7513,156 @@ 

    For the product with product ID CSAFPID-908070 a vendor_fix is given but the product was not affected at all.

    +

    + 6.1.37 Date and Time +

    +

    + For each item of type string and format date-time it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}. +

    +

    + The relevant path for this test is: +

    +
      /document/tracking/current_release_date
    +  /document/tracking/generator/date
    +  /document/tracking/initial_release_date
    +  /document/tracking/revision_history[]/date
    +  /vulnerabilities[]/discovery_date
    +  /vulnerabilities[]/flags[]/date
    +  /vulnerabilities[]/release_date
    +  /vulnerabilities[]/involvements[]/date
    +  /vulnerabilities[]/remediations[]/date
    +  /vulnerabilities[]/threats[]/date
    +

    + Example 1 (which fails the test): +

    +
          "current_release_date": "2024-01-24 10:00:00.000Z",
    +
    +

    + The current_release_date uses a whitespace as separator instead the letter T. +

    +
    +

    + 6.1.38 Non-Public Sharing Group with Max UUID +

    +

    + It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label CLEAR. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/tlp/label
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      "tlp": {
    +        "label": "RED"
    +      }
    +    },
    +
    +

    + The sharing group uses the Max UUID but the CSAF document is labeled as TLP:RED. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +
    +

    + 6.1.39 Public Sharing Group with no Max UUID +

    +

    + It MUST be tested that a CSAF document with the TLP label CLEAR use the Max UUID as sharing group ID if any. The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is draft. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/id
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
    +      },
    +      "tlp": {
    +        "label": "CLEAR"
    +      }
    +    },
    +
    +

    + The sharing group is present for the TLP:CLEAR document but it differs from the Max UUID. +

    +
    +
    +

    + A tool MAY update the sharing group id as a quick fix. +

    +
    +

    + 6.1.40 Invalid Sharing Group Name +

    +

    + It MUST be tested that the value of sharing group name does not equal the reserved values from section 3.2.2.5.1 if the precondition is not fulfilled. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/name
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
    +        "name": "Public"
    +      },
    +      // ...
    +    },
    +
    +

    + The sharing group name is Public but it does not use the Max UUID. +

    +
    +
    +

    + A tool MAY update the sharing group name as a quick fix. +

    +
    +

    + 6.1.41 Missing Sharing Group Name +

    +

    + It MUST be tested that the sharing group name exists and equals the predefined reserved value from section 3.2.2.5.1 if the precondition is fulfilled. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/name
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
    +      },
    +      // ...
    +    },
    +
    +

    + The Max UUID is used but the sharing group name does not exist. +

    +
    +
    +

    + A tool MAY add the corresponding sharing group name as a quick fix. +

    +

    6.2 Optional Tests
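Review bot: The pass condition in 6.1.39 at L910, `if no sharing group is present or the Nil UUID is used and the document status is draft`, is ambiguous about whether `and the document status is draft` binds to the Nil UUID case only; I would write `if no sharing group is present, or if the Nil UUID is used and the document status is draft`. The `relevant path` lists in 6.1.38 (L877) and 6.1.39 (L917) each name one path, but both tests read `/document/distribution/sharing_group/id` and `/document/distribution/tlp/label`, and 6.1.39 additionally `/document/tracking/status`, so listing all of them would match how the other tests enumerate the paths they evaluate. In 6.1.40 at L949 `the precondition` is never defined; naming it (Max UUID for `Public`, Nil UUID for `No sharing allowed`, per 3.2.2.5.1) makes the test implementable without guessing. The quick fix at L940 overwrites a closed-group UUID with the Max UUID, which silently resolves a CLEAR-versus-closed-group conflict in favour of public release although the conflict may equally indicate a wrong TLP label, so it seems worth stating that a tool applying it SHOULD report the change rather than apply it unattended. Relatedly, the failing example for 6.2.29 further down (L1291) still shows the Max UUID with the name `Public`, so it does not exercise the Nil UUID test it belongs to.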

    @@ -7400,7 +7685,7 @@

    /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7439,7 +7724,7 @@ 

    /vulnerabilities[]/product_status/last_affected[] /vulnerabilities[]/product_status/under_investigation[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7476,7 +7761,7 @@ 

    /vulnerabilities[]/product_status/known_affected[] /vulnerabilities[]/product_status/last_affected[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7511,7 +7796,7 @@ 

        /document/tracking/revision_history[]/number

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
    @@ -7536,7 +7821,7 @@ 

        /document/tracking/initial_release_date

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -7571,7 +7856,7 @@ 

        /document/tracking/current_release_date

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           "current_release_date": "2023-09-06T10:00:00.000Z",
    @@ -7606,7 +7891,7 @@ 

        /vulnerabilities[]/involvements

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -7641,7 +7926,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7687,7 +7972,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7747,7 +8032,7 @@ 

      /document/references

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -7783,7 +8068,7 @@ 

      /document/lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         "category": "csaf_base",
    @@ -7814,7 +8099,7 @@ 

      /

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         "csaf_version": "2.1",
    @@ -7843,7 +8128,7 @@ 

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "lang": "qtx"
    @@ -7868,7 +8153,7 @@

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "lang": "i-default"
    @@ -7894,7 +8179,7 @@

    /product_tree/full_product_names[] /product_tree/relationships[]/full_product_name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "full_product_names": [
           {
    @@ -7923,7 +8208,7 @@ 

      /vulnerabilities[]/ids[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "ids": [
             {
    @@ -7958,7 +8243,7 @@ 

      /product_tree/branches[](/branches[])*/name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                "branches": [
                   {
    @@ -7985,7 +8270,7 @@ 

      /vulnerabilities[]/product_status/first_fixed[]
       /vulnerabilities[]/product_status/fixed[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8045,7 +8330,7 @@ 

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         "category": "csaf_base",
    @@ -8074,7 +8359,7 @@ 

      /document/tracking/revision_history[]/date

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "revision_history": [
         {
    @@ -8104,7 +8389,7 @@ 

      /document/title

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
         "tracking": {
    @@ -8133,7 +8418,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

         "cwes": [
             {
    @@ -8163,7 +8448,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -8209,7 +8494,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "cwes": [
             {
    @@ -8239,7 +8524,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "cwes": [
             {
    @@ -8264,7 +8549,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "product_status": {
             "known_not_affected": [
    @@ -8285,6 +8570,98 @@ 

    For the product with product ID CSAFPID-908070 a fix is planned but the product was not affected at all.

    +

    + 6.2.28 Usage of Max UUID +

    +

    + It MUST be tested that the Max UUID is not used as sharing group id. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/id
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      // ...
    +    },
    +
    +

    + The sharing group id uses the Max UUID. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +
    +

    + 6.2.29 Usage of Nil UUID +

    +

    + It MUST be tested that the Nil UUID is not used as sharing group id. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/id
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      // ...
    +    },
    +
    +

    + The sharing group id uses the Nil UUID. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +
    +

    + 6.2.30 Usage of Sharing Group on TLP:CLEAR +

    +

    + It MUST be tested that no sharing group is used if the document is TLP:CLEAR. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      "tlp": {
    +        "label": "CLEAR"
    +      }
    +    },
    +
    +

    + The CSAF document is TLP:CLEAR but a sharing group is given. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +

    6.3 Informative Test
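Review bot: The failing example for 6.2.29 (Usage of Nil UUID) shows `"id": "ffffffff-ffff-ffff-ffff-ffffffffffff"` with `"name": "Public"`, which is the Max UUID, while the sentence beneath it says the id uses the Nil UUID; the example should carry `"id": "00000000-0000-0000-0000-000000000000",` and, per the reserved names in 3.2.2.5.1, `"name": "No sharing allowed"`. The quick fix given for the same test, removing `sharing_group`, also deserves a second look: 3.2.2.5.1 describes the Nil UUID as the marker that prevents accidental leakage of a document that MUST NOT be shared, so a tool applying this quick fix turns such a document into an unmarked, shareable one. Stating that the quick fix is only appropriate when the document is actually meant to be distributed, or omitting it for 6.2.29, would avoid that.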

    @@ -8308,7 +8685,7 @@

        /vulnerabilities[]/metrics

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8359,7 +8736,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v3/version
       /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.0",
    @@ -8395,7 +8772,7 @@ 

      /vulnerabilities[]/cve

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -8424,7 +8801,7 @@ 

      /vulnerabilities[]/cwe

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -8450,7 +8827,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8513,7 +8890,7 @@ 

    /vulnerabilities[]/references[]/url /vulnerabilities[]/remediations[]/url

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "references": [
           {
    @@ -8543,7 +8920,7 @@ 

      /document/references[]/url
       /vulnerabilities[]/references[]/url

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "references": [
           {
    @@ -8604,7 +8981,7 @@ 

    /vulnerabilities[]/threats[]/details /vulnerabilities[]/title

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -8639,7 +9016,7 @@ 

      /product_tree/branches

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "branches": [
           {
    @@ -8684,7 +9061,7 @@ 

      /product_tree/branches[](/branches[])*/category

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                    "category": "product_version_range",
    @@ -8709,7 +9086,7 @@

      /product_tree/branches[](/branches[])*/name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                "branches": [
                   {
    @@ -8734,7 +9111,7 @@ 

        /vulnerabilities[]/metrics[]/content

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8868,7 +9245,7 @@ 

    - Example 1 (minimal with ROLIE document): + Example 1 (minimal with ROLIE document):

      {
         "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
    @@ -8926,7 +9303,7 @@ 

    - Examples 1: + Examples 1:

    CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
     CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
    @@ -8944,7 +9321,7 @@ 

    details.

    - Example 1: + Example 1:

      https://www.example.com/.well-known/csaf/provider-metadata.json

    @@ -8960,7 +9337,7 @@

    The CSAF documents MUST be located within folders named <YYYY> where <YYYY> is the year given in the value of /document/tracking/initial_release_date.

    - Examples 1: + Examples 1:

    2024
     2023
    @@ -8971,7 +9348,7 @@

    The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.

    - Example 1: + Example 1:

    2023/esa-2023-09953.json
     2022/esa-2022-02723.json
    @@ -8986,15 +9363,26 @@ 

    7.1.13 Requirement 13: changes.csv

    - The file changes.csv MUST contain the filename as well as the value of /document/tracking/current_release_date for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the current_release_date timestamp with the latest one first. + The file changes.csv contains a list of CSAF documents in the current TLP level that were changed recently. Therefore, it MUST contain the filename as well as the value of /document/tracking/current_release_date for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the + current_release_date timestamp with the latest one first. The changes.csv SHALL be a valid comma separated values format as defined by [RFC4180] without double quotes.

    +
    +

    + Note: As a consequence of section sec Requirement 2 for filenames and section sec Requirement for directory names, there must not be any characters within the changes.csv that would require quoting. +

    +

    - Example 1: + Example 1:

    -
    "2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
    -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
    -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
    -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"
    +
    2023/esa-2023-09953.json,2023-07-01T10:09:07Z
    +2021/esa-2021-03676.json,2023-07-01T10:09:01Z
    +2022/esa-2022-02723.json,2022-04-17T15:08:41Z
    +2021/esa-2021-31916.json,2022-03-01T06:01:00Z
    +
    +

    + Note: As CSAF 2.0 requires quotes, an [RFC4180] parser can read both format revisions. +

    +

    7.1.14 Requirement 14: Directory listings
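Review bot: The added note `As a consequence of section sec Requirement 2 for filenames and section sec Requirement for directory names` gives a number for the first reference but not for the second, so the directory-name requirement cannot be located from the text; the literal `sec` in both references also looks like an unexpanded cross-reference macro, which may be a rendering artefact of the edit source rather than the committed wording. Either way the second reference should name its requirement number as the first one does.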

    @@ -9020,7 +9408,7 @@

    MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].

    - Example 1: + Example 1:

      {
         "feed": {
    @@ -9086,7 +9474,7 @@ 

    the filename service.json and reside next to the provider-metadata.json.

    - Example 1: + Example 1:

      {
         "service": {
    @@ -9153,7 +9541,7 @@ 

    type of product

    - Examples 1: + Examples 1:

      CPU
       Firewall
    @@ -9169,7 +9557,7 @@ 

    areas or sectors, the products are used in

    - Examples 2: + Examples 2:

      Chemical
       Commercial
    @@ -9187,7 +9575,7 @@ 

    - Example 3: + Example 3:

      {
         "categories": {
    @@ -9211,7 +9599,7 @@ 

    MD5 and SHA1 SHOULD NOT be used.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of SHA-256 hash file: esa-2022-02723.json.sha256
    @@ -9220,7 +9608,7 @@ 

    The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.

    - Example 2: + Example 2:

    ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json

    @@ -9230,10 +9618,10 @@

    7.1.19 Requirement 19: Signatures

    - All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See [RFC4880] for more details. + All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See [RFC4880] for more details.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of signature file: esa-2022-02723.json.asc
    @@ -9255,7 +9643,7 @@

    7.1.20 Requirement 20: Public OpenPGP Key

    - The public part of the OpenPGP key used to sign the CSAF documents MUST be available. It SHOULD also be available at a public key server. + The public part of the OpenPGP key used to sign the CSAF documents MUST be available. This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server.

    @@ -9299,7 +9687,7 @@

    The file aggregator.json SHOULD only list the latest version of the metadata of a CSAF provider.

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -9356,7 +9744,7 @@ 

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -9921,7 +10309,7 @@ 

    Retrieve the CVSS version from the CVSS vector, if present.

    - Example 1: + Example 1:

      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
    @@ -9930,7 +10318,7 @@

    Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.

    - Example 2: + Example 2:

      xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
       <!-- -->
    @@ -9939,7 +10327,7 @@ 

    is handled the same as

    - Example 3: + Example 3:

      <ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
    @@ -9949,7 +10337,7 @@

    decision.

    - Example 4: + Example 4:

      xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
    @@ -12324,6 +12712,20 @@

    Next Editor Revision + + + csaf-v2.0-wd20241127-dev + + + 2024-11-27 + + + Stefan Hagen and Thomas Schmidt + + + Next Editor Revision + +
    @@ -12345,8 +12747,8 @@

    If you come across a case where these limits are exceeded, please provide feedback to the TC.

    -

    - C.1 File size +

    + Appendix C. File Size

    A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. @@ -12357,8 +12759,8 @@
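Review bot: The added heading `Appendix C. File Size` replaces `C.1 File size` with the appendix label instead of a subsection number; the following two hunks do the same for Array Length and String Length, the moved sections in hunks @@ -12970 and @@ -13347 come out as `C.6 Date`, `C.5 URI Length` and `C.5 UUID Length`, and the table-of-contents hunk @@ -377 in csaf-v2.1-draft.md reproduces all of this next to the unchanged `C.5 [Enum]`. The result is three sections without a number, three sharing C.5, and C.6 placed before them, which suggests the heading-numbering step misclassified the subsections once they were reordered. Each subsection of Appendix C should carry one ascending number in document order, C.1 File Size through C.7 UUID Length, in both the body and the table of contents.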

    small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.

    -

    - C.2 Array length +

    + Appendix C. Array Length

    An array SHOULD NOT have more than: @@ -12610,8 +13012,8 @@

    -

    - C.3 String length +

    + Appendix C. String Length

    A string SHOULD NOT have a length greater than: @@ -12634,6 +13036,9 @@

  • /document/category
  • +
  • + /document/distribution/sharing_group/name +
  • /document/lang
  • @@ -12970,75 +13375,42 @@

    -

    - C.4 URI length +

    + C.6 Date

    - A string with format uri SHOULD NOT have a length greater than 20000. This applies to: + The maximum length of strings representing a temporal value is given by the format specifier. This applies to:

    • - /document/acknowledgments[]/urls[] -
    • -
    • - /document/aggregate_severity/namespace -
    • -
    • - /document/distribution/tlp/url -
    • -
    • - /document/references[]/url -
    • -
    • - /document/publisher/namespace -
    • -
    • - /product_tree/branches[]/product/product_identification_helper/sbom_urls[] -
    • -
    • - /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace -
    • -
    • - /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri -
    • -
    • - /product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[] -
    • -
    • - /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace -
    • -
    • - /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri -
    • -
    • - /product_tree/full_product_names[]/product_identification_helper/sbom_urls[] + /document/tracking/current_release_date
    • - /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace + /document/tracking/generator/date
    • - /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri + /document/tracking/initial_release_date
    • - /product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[] + /document/tracking/revision_history[]/date
    • - /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace + /vulnerabilities[]/discovery_date
    • - /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri + /vulnerabilities[]/flags[]/date
    • - /vulnerabilities[]/acknowledgments[]/urls[] + /vulnerabilities[]/release_date
    • - /vulnerabilities[]/metrics[]/source + /vulnerabilities[]/involvements[]/date
    • - /vulnerabilities[]/references[]/url + /vulnerabilities[]/remediations[]/date
    • - /vulnerabilities[]/remediations[]/url + /vulnerabilities[]/threats[]/date

    @@ -13347,42 +13719,86 @@

    /vulnerabilities[]/threats[]/category (14) -

    - C.6 Date +

    + C.5 URI Length

    - The maximum length of strings representing a temporal value is given by the format specifier. This applies to: + A string with format uri SHOULD NOT have a length greater than 20000. This applies to:

    • - /document/tracking/current_release_date + /document/acknowledgments[]/urls[]
    • - /document/tracking/generator/date + /document/aggregate_severity/namespace
    • - /document/tracking/initial_release_date + /document/distribution/tlp/url
    • - /document/tracking/revision_history[]/date + /document/references[]/url
    • - /vulnerabilities[]/discovery_date + /document/publisher/namespace
    • - /vulnerabilities[]/flags[]/date + /product_tree/branches[]/product/product_identification_helper/sbom_urls[]
    • - /vulnerabilities[]/release_date + /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace
    • - /vulnerabilities[]/involvements[]/date + /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri
    • - /vulnerabilities[]/remediations[]/date + /product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]
    • - /vulnerabilities[]/threats[]/date + /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace +
    • +
    • + /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri +
    • +
    • + /product_tree/full_product_names[]/product_identification_helper/sbom_urls[] +
    • +
    • + /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace +
    • +
    • + /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri +
    • +
    • + /product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[] +
    • +
    • + /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace +
    • +
    • + /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri +
    • +
    • + /vulnerabilities[]/acknowledgments[]/urls[] +
    • +
    • + /vulnerabilities[]/metrics[]/source +
    • +
    • + /vulnerabilities[]/references[]/url +
    • +
    • + /vulnerabilities[]/remediations[]/url +
    • +
    +

    + C.5 UUID Length +

    +

    + A string with format uuid SHOULD NOT have a length greater than 50. This applies to: +

    +
      +
    • + /document/distribution/sharing_group/id (36)
    diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index efb046758..93e50d895 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 30 October 2024 +## 27 November 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- 
@@ -156,8 +156,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 3.2.2.3 [Document Property - Category](#document-property-category) 3.2.2.4 [Document Property - CSAF Version](#document-property-csaf-version) 3.2.2.5 [Document Property - Distribution](#document-property-distribution) - 3.2.2.5.1 [Document Property - Distribution - Text](#document-property-distribution-text) - 3.2.2.5.2 [Document Property - Distribution - TLP](#document-property-distribution-tlp) + 3.2.2.5.1 [Document Property - Distribution - Sharing Group](#document-property-distribution-sharing-group) + 3.2.2.5.2 [Document Property - Distribution - Text](#document-property-distribution-text) + 3.2.2.5.3 [Document Property - Distribution - TLP](#document-property-distribution-tlp) 3.2.2.6 [Document Property - Language](#document-property-language) 3.2.2.7 [Document Property - Notes](#document-property-notes) 3.2.2.8 [Document Property - Publisher](#document-property-publisher) @@ -271,6 +272,11 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.1.34 [Branches Recursion Depth](#mandatory-tests--branches-recursion-depth) 6.1.35 [Contradicting Remediations](#contradicting-remediations) 6.1.36 [Contradicting Product Status Remediation Combination](#contradicting-product-status-remediation-combination) + 6.1.37 [Date and Time](#mandatory-tests--date-and-time) + 6.1.38 [Non-Public Sharing Group with Max UUID](#non-public-sharing-group-with-max-uuid) + 6.1.39 [Public Sharing Group with no Max UUID](#public-sharing-group-with-no-max-uuid) + 6.1.40 [Invalid Sharing Group Name](#invalid-sharing-group-name) + 6.1.41 [Missing Sharing Group Name](#missing-sharing-group-name) 6.2 [Optional Tests](#optional-tests) 6.2.1 [Unused Definition of Product ID](#unused-definition-of-product-id) 6.2.2 [Missing Remediation](#missing-remediation) 
@@ -299,6 +305,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.2.25 [Usage of CWE Not Allowed for Vulnerability Mapping](#usage-of-cwe-not-allowed-for-vulnerability-mapping) 6.2.26 [Usage of CWE Allowed with Review for Vulnerability Mapping](#usage-of-cwe-allowed-with-review-for-vulnerability-mapping) 6.2.27 [Discouraged Product Status Remediation Combination](#discouraged-product-status-remediation-combination) + 6.2.28 [Usage of Max UUID](#usage-of-max-uuid) + 6.2.29 [Usage of Nil UUID](#usage-of-nil-uuid) + 6.2.30 [Usage of Sharing Group on TLP:CLEAR](#usage-of-sharing-group-on-tlp-clear) 6.3 [Informative Test](#informative-test) 6.3.1 [Use of CVSS v2 as the only Scoring System](#use-of-cvss-v2-as-the-only-scoring-system) 6.3.2 [Use of CVSS v3.0](#use-of-cvss-v3-0) @@ -377,12 +386,13 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own Appendix A. [Acknowledgments](#acknowledgments) Appendix B. [Revision History](#revision-history) Appendix C. [Guidance on the Size of CSAF Documents](#guidance-on-the-size-of-csaf-documents) - C.1 [File size](#file-size) - C.2 [Array length](#array-length) - C.3 [String length](#string-length) - C.4 [URI length](#uri-length) - C.5 [Enum](#enum) +Appendix C. [File Size](#file-size) +Appendix C. [Array Length](#array-length) +Appendix C. [String Length](#string-length) C.6 [Date](#date) + C.5 [Enum](#enum) +C.5 [URI Length](#uri-length) +C.5 [UUID Length](#uuid-length) ------- # 1. Introduction 
@@ -618,12 +628,16 @@ For purposes of this document, the following terms and definitions apply: **\[****RFC3339\]** Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . +**\[****RFC4180\]** Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, . + **\[****RFC7464\]** Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, . **\[****RFC8174\]** Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . **\[****RFC8259\]** T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, . +**\[****RFC9562\]** Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, . + ## 1.4 Informative References **\[****CPE23-A\]** _Common Platform Enumeration: Applicability Language Specification Version 2.3 (NISTIR 7698)_, D. Waltermire, P. Cichonski, K. Scarfone, Editors, NIST Interagency Report 7698, August 2011, https://dx.doi.org/10.6028/NIST.IR.7698. 
@@ -672,6 +686,8 @@ For purposes of this document, the following terms and definitions apply: **\[****RFC3986\]** Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . +**\[****RFC4122\]** Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . + **\[****RFC4880\]** Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, . **\[****RFC7231\]** Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, . @@ -827,13 +843,14 @@ Finally, a set of conformance targets describes tools in the ecosystem. ## 2.2 Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. -In accordance with RFC 3339 and ISO 8601, the following rules apply: +In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply: * The letter `T` separating the date and time SHALL be upper case. +* The separator between date and time MUST be the letter `T`. * The letter `Z` indicating the timezone UTC SHALL be upper case. * Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator. * Leap seconds are supported. However, they SHOULD be avoided if possible. -* Empty timezones are prohibited. +* Empty timezones MUST NOT be used. * The ABNF of RFC 3339, section 5.6 applies. ------- 
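Review bot: The changed line `In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply:` carries what looks like an unexpanded citation macro, whereas the rest of this file writes references as `\[[RFC9562](#RFC9562)\]` (see the sharing-group hunk further down); if this is the generated share file, macro expansion appears to have been skipped for this line. The added bullet stating that the separator between date and time MUST be the letter T also overlaps with the existing bullet requiring that letter to be upper case and is placed after it; stating the separator rule first, or merging the two into one bullet, reads more naturally.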
@@ -2195,12 +2212,15 @@ The single valid value for this `enum` is: #### 3.2.2.5 Document Property - Distribution Rules for sharing document (`distribution`) of value type `object` with the mandatory property Traffic Light Protocol (TLP) (`tlp`) and the -optional property Text (`text`) describes any constraints on how this document might be shared. +optional properties Sharing Group (`Sharing Group`) and Text (`text`) describes any constraints on how this document might be shared. ``` "distribution": { // ... "properties": { + "sharing_group": { + // ... + }, "text": { // ... }, 
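Review bot: The changed sentence names the new property as Sharing Group (`Sharing Group`), but the key added to the schema in this commit and used in the snippet just below and in 3.2.2.5.1 is `sharing_group`; the parenthetical should read Sharing Group (`sharing_group`), matching the existing Text (`text`) form in the same sentence. As written, a reader searching this section for the property key will not find it.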
@@ -2211,13 +2231,87 @@ optional property Text (`text`) describes any constraints on how this document m }, ``` -If both values are present, the TLP information SHOULD be preferred as this aids in automation. +If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. +The Sharing Group SHALL be interpreted as specification to the TLP information. +Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: + +*Examples 1:* + +``` + E-ISAC members-only + Only releasable to European Energy sector + Releasable to NATO countries +``` + +> Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. + +##### 3.2.2.5.1 Document Property - Distribution - Sharing Group + +Sharing Group (`sharing_group`) of value type `object` with the mandatory property Sharing Group ID (`id`) and +the optional property Sharing Group Name (`name`) contains information about the group this document is intended to be shared with. + +``` + "sharing_group": { + // ... + "properties": { + "id": { + // ... + }, + "name": { + // ... + } + } + }, +``` + +Sharing Group ID (`id`) of value type `string` with format `uuid` and `pattern` (regular expression): + +``` + ^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$ +``` + +Sharing Group ID provides the unique ID for the sharing group. +This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, +e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. + +> Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. +> Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. 
+ +The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. +It MUST differ if a different sharing group is addressed. -##### 3.2.2.5.1 Document Property - Distribution - Text +The ID SHALL be valid according to \[[RFC9562](#RFC9562)\] and recorded in the 8-4-4-4-12 notation in lower case. +The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. `TLP:GREEN` and above. + +The following ID values SHOULD NOT be used unless there are technical reasons for them. +Therefore, they are reserved for implementation-specific situations: + +- A system MAY use the Max UUID for `TLP:CLEAR` CSAF documents. + > For example, the system uses the UUID as an indication whether a user allowed to see the document. + > The security considerations from \[[RFC9562](#RFC9562)\] should be reflected on. +- A system MAY use the Nil UUID for CSAF documents that MUST NOT be shared. + > For example, the CSAF document is just being drafted and the accidental leakage should be prevented. + +> Note, that both values do not indicate a closed sharing group. + +A CSAF document with `TLP:CLEAR` SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (`ffffffff-ffff-ffff-ffff-ffffffffffff`). + +If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section [sec](#conformance-clause-8-csaf-modifier)) regarding the generation of the value of `/document/tracking/id` SHALL be applied. +This implies that usually the sharing group ID is used as a prefix to the original `/document/tracking/id`. + +Sharing Group Name (`name`) of value type `string` with one or more characters contains a human-readable name for the sharing group. + +The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. 
+However, the following values are reserved for the conditions below: + +- For the Max UUID, the value of `name` SHALL exist and be `Public`. +- For the Nil UUID, the value of `name` SHALL exist and be `No sharing allowed`. + +##### 3.2.2.5.2 Document Property - Distribution - Text The Textual description (`text`) of value type `string` with 1 or more characters provides a textual description of additional constraints. -*Examples 1:* +*Examples 1:* ``` Copyright 2024, Example Company, All Rights Reserved. @@ -2225,7 +2319,7 @@ The Textual description (`text`) of value type `string` with 1 or more character Share only on a need-to-know-basis only. ``` -##### 3.2.2.5.2 Document Property - Distribution - TLP +##### 3.2.2.5.3 Document Property - Distribution - TLP Traffic Light Protocol (TLP) (`tlp`) of value type `object` with the mandatory property Label (`label`) and the optional property URL (`url`) provides details about the TLP classification of the document. @@ -2272,7 +2366,7 @@ The default value is the URL to the definition by FIRST: https://www.first.org/tlp/ ``` -*Examples 1:* +*Examples 1:* ``` https://www.us-cert.gov/tlp 
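Review bot: The prose requires the ID to be valid according to RFC 9562 and to be a version 4 UUID for closed sharing groups, but the pattern quoted in the hunk only fixes the version nibble (`4[0-9a-f]{3}`) and leaves the fourth group as `[0-9a-f]{4}`, so a constructed value such as `12345678-1234-4123-0123-123456789abc` passes schema validation although its variant bits are not those RFC 9562 assigns to version 4 UUIDs. If the pattern is meant to carry that requirement, the fourth group should be `[89ab][0-9a-f]{3}`; otherwise a sentence noting that the pattern is looser than the RFC, and that a mandatory test or the consumer has to check the variant, would stop validators from treating a schema pass as RFC conformance. A smaller point in the Max UUID example: `whether a user allowed to see the document` should read `whether a user is allowed to see the document`.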
@@ -2373,15 +2467,15 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and -product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, product security incident response teams (PSIRTs), +open source projects as well as product resellers and distributors, including authoritative vendor partners. ##### 3.2.2.8.2 Document Property - Publisher - Contact Details Contact details (`contact_details`) of value type `string` with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses. -*Example 1:* +*Example 1:* ``` Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact. @@ -2396,7 +2490,7 @@ the authority of the issuing party to release the document, in particular, the p The Name of publisher (`name`) of value type `string` with 1 or more characters contains the name of the issuing party. -*Example 1:* +*Example 1:* ``` BSI @@ -2423,7 +2517,7 @@ an incremented (patch) version which has no other changes than: * the updated item in `/document/references[]` which points to the new version of the CSAF document * an added item in `/document/references[]` which points to the previous version of the CSAF document (if the URL changed) -*Examples 1:* +*Examples 1:* ``` https://csaf.io 
@@ -2458,7 +2552,7 @@ The property SHALL NOT be present if the document was not translated. Title of this document (`title`) of value type `string` with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents. -*Examples 1:* +*Examples 1:* ``` Cisco IPv6 Crafted Packet Denial of Service Vulnerability @@ -2521,7 +2615,7 @@ list of alternate names for the same document. Every such Alternate Name of value type `string` with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document. -*Example 1:* +*Example 1:* ``` CVE-2019-12345 @@ -2575,7 +2669,7 @@ optional property Engine version (`version`) contains information about the engi Engine name (`name`) of value type `string` with 1 or more characters represents the name of the engine that generated the CSAF document. -*Examples 1:* +*Examples 1:* ``` Red Hat rhsa-to-cvrf @@ -2588,7 +2682,7 @@ Engine version (`version`) of value type `string` with 1 or more characters cont > Although it is not formally required, the TC suggests to use a versioning which is compatible with Semantic Versioning as described in > the external specification [SemVer]. This could help the end user to identify when CSAF consumers have to be updated. -*Examples 2:* +*Examples 2:* ``` 0.6.0 @@ -2611,7 +2705,7 @@ Unique identifier for the document holds the Identifier. The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization. -*Examples 1:* +*Examples 1:* ``` Example Company - 2019-YH3234 
@@ -2779,7 +2873,7 @@ the optional Summary (`summary`) property. The summary of the product group (`summary`) of value type `string` with 1 or more characters gives a short, optional description of the group. -*Examples 1:* +*Examples 1:* ``` Products supporting Modbus. @@ -2868,7 +2962,7 @@ which is referenced as the first element of the relationship. Relates to Product Reference (`relates_to_product_reference`) of value type Product ID (`product_id_t`) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship. -*Examples 1:* +*Examples 1:* ``` "product_tree": { @@ -3034,7 +3128,7 @@ The Weakness ID (`id`) has value type `string` with `pattern` (regular expressio It holds the ID for the weakness associated. -*Examples 1:* +*Examples 1:* ``` CWE-22 @@ -3045,7 +3139,7 @@ It holds the ID for the weakness associated. The Weakness name (`name`) has value type `string` with 1 or more characters and holds the full name of the weakness as given in the CWE specification. -*Examples 2:* +*Examples 2:* ``` Cross-Site Request Forgery (CSRF) @@ -3062,7 +3156,7 @@ The CWE version (`version`) has value type `string` with `pattern` (regular expr It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used. -*Examples 3:* +*Examples 3:* ``` "1.0", @@ -3175,7 +3269,7 @@ tracking ID for the vulnerability. System name (`system_name`) of value type `string` with 1 or more characters indicates the name of the vulnerability tracking or numbering system. -*Examples 1:* +*Examples 1:* ``` Cisco Bug ID 
@@ -3184,7 +3278,7 @@ System name (`system_name`) of value type `string` with 1 or more characters ind Text (`text`) of value type `string` with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists). -*Examples 2:* +*Examples 2:* ``` CSCso66472 @@ -3963,7 +4057,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > As a result, a `/document/tracking/id` with the value `2022_#01-A` is converted into `2022_01-a` instead of `2022__01-a`. 3. The file extension `.json` MUST be appended. -*Examples 1:* +*Examples 1:* ``` cisco-sa-20190513-secureboot.json @@ -3974,7 +4068,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > It is currently considered best practice to indicate that a CSAF document is invalid by > inserting `_invalid` into the filename in front of the file extension. -*Examples 2:* +*Examples 2:* ``` cisco-sa-20190513-secureboot_invalid.json @@ -4059,7 +4153,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/product_ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4090,7 +4184,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4124,7 +4218,7 @@ The relevant path for this test is: > a Product ID defined in a relationship item is used as `product_reference` or `relates_to_product_reference`. > Only for those which fulfill this condition it is necessary to run the full check following the references. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4163,7 +4257,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/group_ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -4202,7 +4296,7 @@ The relevant path for this test is: /product_tree/product_groups[]/group_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4278,7 +4372,7 @@ Contradiction groups are: > Note: An issuer might recommend (`/vulnerabilities[]/product_status/recommended`) a product version from any group - also from the affected group, > i.e. if it was discovered that fixed versions introduce a more severe vulnerability. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4317,7 +4411,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4376,7 +4470,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4417,7 +4511,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4444,7 +4538,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4478,7 +4572,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -4503,7 +4597,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "EZ" @@ -4525,7 +4619,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/purl ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -4555,7 +4649,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4584,7 +4678,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -4615,7 +4709,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4649,7 +4743,7 @@ The relevant path for this test is: /document/tracking/status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4671,7 +4765,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4705,7 +4799,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4734,7 +4828,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4760,7 +4854,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4789,7 +4883,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4818,7 +4912,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
@@ -4843,7 +4937,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -4879,7 +4973,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4939,7 +5033,7 @@ The relevant path for this test is: /document/category ``` -*Examples 1 (for currently prohibited values):* +*Examples 1 (for currently prohibited values):* ``` Csaf_a @@ -4950,7 +5044,7 @@ The relevant path for this test is: V_eX ``` -*Example 2 (which fails the test):* +*Example 2 (which fails the test):* ``` "category": "Security_Incident_Response" @@ -4984,7 +5078,7 @@ The relevant path for this test is: /document/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "notes": [ @@ -5015,7 +5109,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -5045,7 +5139,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5076,7 +5170,7 @@ The relevant path for this test is: /product_tree ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5108,7 +5202,7 @@ The relevant path for this test is: /vulnerabilities[]/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5136,7 +5230,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
@@ -5168,7 +5262,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { @@ -5200,7 +5294,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5231,7 +5325,7 @@ The relevant path for this test is: /vulnerabilities[]/threats ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5303,7 +5397,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5376,7 +5470,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5402,7 +5496,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -5430,7 +5524,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ @@ -5457,7 +5551,7 @@ The relevant paths for this test are: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { 
@@ -5489,22 +5583,28 @@ The relevant paths for this test are: For each element of type `/$defs/branches_t` with `category` of `product_version` it MUST be tested that the value of `name` does not contain a version range. -> To implement this test it is deemed sufficient that, when converted to lower case, -> the value of `name` does not contain any of the following strings: +> To implement this test it is deemed sufficient that, when converted to lower case, the value of `name` satisfies the two requirements below: > -> ``` -> < -> <= -> > -> >= -> after -> all -> before -> earlier -> later -> prior -> versions -> ``` +> 1. It does not contain any of the following operators: +> +> ``` +> < +> <= +> > +> >= +> ``` +> +> 2. If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: +> +> ``` +> after +> all +> before +> earlier +> later +> prior +> versions +> ``` The relevant paths for this test are: @@ -5512,7 +5612,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -5536,7 +5636,7 @@ The relevant path for this test is: /vulnerabilities[]/flags[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "flags": [ @@ -5563,7 +5663,7 @@ The relevant path for this test is: /vulnerabilities[]/flags ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5628,7 +5728,7 @@ The relevant path for this test is: /product_tree/branches[](/branches[])*/product ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5838,7 +5938,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ 
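Review bot: The keyword rule in item 2 of the rewritten version-range note only splits on whitespace, so a keyword glued to punctuation (e.g. `prior,` or `(all)`) is never seen as a bare word and slips through; if that is intended it should be said, otherwise the lead-in should read `If interpreted as a list of individual words separated by whitespace or punctuation, …`. Item 1 lists `<=` and `>=` although a name that contains neither `<` nor `>` cannot contain them, so the two-character forms add nothing to the check and could be dropped or explained as illustrative. Both points concern the `@@ -5489` hunk; the test text it belongs to starts before the hunk.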
@@ -5877,7 +5977,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { 
@@ -5898,6 +5998,140 @@ The relevant path for this test is: > For the product with product ID `CSAFPID-908070` a `vendor_fix` is given but the product was not affected at all. +### 6.1.37 Date and Time + +For each item of type `string` and format `date-time` it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}. + +The relevant path for this test is: + +``` + /document/tracking/current_release_date + /document/tracking/generator/date + /document/tracking/initial_release_date + /document/tracking/revision_history[]/date + /vulnerabilities[]/discovery_date + /vulnerabilities[]/flags[]/date + /vulnerabilities[]/release_date + /vulnerabilities[]/involvements[]/date + /vulnerabilities[]/remediations[]/date + /vulnerabilities[]/threats[]/date +``` + +*Example 1 (which fails the test):* + +``` + "current_release_date": "2024-01-24 10:00:00.000Z", +``` + +> The `current_release_date` uses a whitespace as separator instead the letter `T`. + +### 6.1.38 Non-Public Sharing Group with Max UUID + +It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label `CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/tlp/label +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "RED" + } + }, +``` + +> The sharing group uses the Max UUID but the CSAF document is labeled as `TLP:RED`. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### 6.1.39 Public Sharing Group with no Max UUID + +It MUST be tested that a CSAF document with the TLP label `CLEAR` use the Max UUID as sharing group ID if any. +The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is `draft`. 
+ +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The sharing group is present for the `TLP:CLEAR` document but it differs from the Max UUID. + +> A tool MAY update the sharing group id as a quick fix. + +### 6.1.40 Invalid Sharing Group Name + +It MUST be tested that the value of sharing group name does not equal the reserved values from section [3.2.2.5.1](#document-property-distribution-sharing-group) if the precondition is not fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group name is `Public` but it does not use the Max UUID. + +> A tool MAY update the sharing group name as a quick fix. + +### 6.1.41 Missing Sharing Group Name + +It MUST be tested that the sharing group name exists and equals the predefined reserved value from section [3.2.2.5.1](#document-property-distribution-sharing-group) if the precondition is fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff" + }, + // ... + }, +``` + +> The Max UUID is used but the sharing group name does not exist. + +> A tool MAY add the corresponding sharing group name as a quick fix. + ## 6.2 Optional Tests Optional tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid. 
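Review bot: The pass condition of 6.1.39 is ambiguous about whether the document status `draft` qualifies only the Nil-UUID case or also the no-sharing-group case; assuming the former is intended, spelling it out as "The test SHALL pass if no sharing group is present, or if the Nil UUID is used and the document status is `draft`." removes the ambiguity, and in the first sentence `use the Max UUID` should read `uses the Max UUID`. In 6.1.37 the block lists ten paths, so the lead-in should be `The relevant paths for this test are:` as in the other multi-path tests, and the explanatory note should read `instead of the letter` followed by the backticked `T`. 6.1.38 keys its precondition on `/document/distribution/sharing_group/id` but lists only `/document/distribution/tlp/label` as relevant path; listing both would match how 6.1.39 through 6.1.41 describe their inputs.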
@@ -5919,7 +6153,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5952,7 +6186,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5989,7 +6223,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/last_affected[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6023,7 +6257,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -6048,7 +6282,7 @@ The relevant path for this test is: /document/tracking/initial_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6084,7 +6318,7 @@ The relevant path for this test is: /document/tracking/current_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6119,7 +6353,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6151,7 +6385,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6194,7 +6428,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -6243,7 +6477,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6278,7 +6512,7 @@ The relevant path for this test is: /document/lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6308,7 +6542,7 @@ The relevant path for this test is: / ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6333,7 +6567,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "qtx" @@ -6354,7 +6588,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "i-default" @@ -6376,7 +6610,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "full_product_names": [ @@ -6401,7 +6635,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "ids": [ @@ -6434,7 +6668,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -6462,7 +6696,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status/fixed[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6518,7 +6752,7 @@ The relevant path for this test is: > To implement this test it is deemed sufficient to validate the CSAF document against a "strict" version schema that > sets `additionalProperties` to `false` for every key of type `object`. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { 
@@ -6544,7 +6778,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -6573,7 +6807,7 @@ The relevant path for this test is: /document/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)", @@ -6599,7 +6833,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -6626,7 +6860,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6666,7 +6900,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -6693,7 +6927,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -6719,7 +6953,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { 
@@ -6740,6 +6974,86 @@ The relevant path for this test is: > For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all. +### 6.2.28 Usage of Max UUID + +It MUST be tested that the Max UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Max UUID. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### 6.2.29 Usage of Nil UUID + +It MUST be tested that the Nil UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Nil UUID. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### 6.2.30 Usage of Sharing Group on TLP:CLEAR + +It MUST be tested that no sharing group is used if the document is `TLP:CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The CSAF document is `TLP:CLEAR` but a sharing group is given. + +> A tool MAY remove the property `sharing_group` as a quick fix. + ## 6.3 Informative Test Informative tests provide insights in common mistakes and bad practices. @@ -6762,7 +7076,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
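Review bot: The example for 6.2.29 Usage of Nil UUID is a copy of the 6.2.28 example and shows the Max UUID `ffffffff-ffff-ffff-ffff-ffffffffffff` with name `Public`, so it does not fail the test it illustrates; the reserved pairing from 3.2.2.5.1 would be `"id": "00000000-0000-0000-0000-000000000000",` and `"name": "No sharing allowed"`. The quick fix `A tool MAY remove the property sharing_group` is also doubtful for this test, because the Nil UUID is the reserved "No sharing allowed" marker and deleting the property removes that restriction instead of preserving it, so a tool should not apply it unattended. For 6.2.28 and 6.2.30 the same quick fix is unproblematic, since the Max UUID and the `TLP:CLEAR` label carry no sharing restriction.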
@@ -6810,7 +7124,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -6842,7 +7156,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6870,7 +7184,7 @@ The relevant path for this test is: /vulnerabilities[]/cwe ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6895,7 +7209,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6956,7 +7270,7 @@ The relevant paths for this test are: /vulnerabilities[]/remediations[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -6985,7 +7299,7 @@ The relevant paths for this test are: /vulnerabilities[]/references[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -7046,7 +7360,7 @@ The relevant paths for this test are: /vulnerabilities[]/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -7078,7 +7392,7 @@ The relevant paths for this test are: /product_tree/branches ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7120,7 +7434,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/category ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "category": "product_version_range", 
@@ -7145,7 +7459,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7169,7 +7483,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[]/content ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -7279,7 +7593,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA > * https://psirt.domain.tld/advisories/csaf/provider-metadata.json > * https://domain.tld/security/csaf/provider-metadata.json -*Example 1 (minimal with ROLIE document):* +*Example 1 (minimal with ROLIE document):* ``` { @@ -7340,7 +7654,7 @@ See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details. > The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. > The `CSAF` field was officially added through the IANA registry. -*Examples 1:* +*Examples 1:* ``` CSAF: https://domain.tld/security/data/csaf/provider-metadata.json @@ -7360,7 +7674,7 @@ The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details. -*Example 1:* +*Example 1:* ``` https://www.example.com/.well-known/csaf/provider-metadata.json @@ -7377,7 +7691,7 @@ The use of the scheme "HTTPS" is required. The CSAF documents MUST be located within folders named `` where `` is the year given in the value of `/document/tracking/initial_release_date`. -*Examples 1:* +*Examples 1:* ``` 2024 @@ -7388,7 +7702,7 @@ value of `/document/tracking/initial_release_date`. The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames. -*Example 1:* +*Example 1:* ``` 2023/esa-2023-09953.json 
@@ -7401,18 +7715,25 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents ### 7.1.13 Requirement 13: changes.csv -The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each +The file `changes.csv` contains a list of CSAF documents in the current TLP level that were changed recently. +Therefore, it MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first. +The `changes.csv` SHALL be a valid comma separated values format as defined by \[[RFC4180](#RFC4180)\] without double quotes. + +> Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) +> Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. -*Example 1:* +*Example 1:* ``` -"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" +2023/esa-2023-09953.json,2023-07-01T10:09:07Z +2021/esa-2021-03676.json,2023-07-01T10:09:01Z +2022/esa-2022-02723.json,2022-04-17T15:08:41Z +2021/esa-2021-31916.json,2022-03-01T06:01:00Z ``` +> Note: As CSAF 2.0 requires quotes, an \[[RFC4180](#RFC4180)\] parser can read both format revisions. + ### 7.1.14 Requirement 14: Directory listings Directory listing SHALL be enabled to support manual navigation. @@ -7431,7 +7752,7 @@ At least one of the feeds MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\]. -*Example 1:* +*Example 1:* ``` { 
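Review bot: The new note in the changes.csv requirement refers to `section [sec](#requirement-11-one-folder-per-year) Requirement for directory names` without the requirement number, while the preceding reference spells out `Requirement 2`; it should read `Requirement 11 for directory names`. Making the file `a valid comma separated values format as defined by RFC4180` also pulls in that RFC's CRLF line terminator, which the requirement does not mention; if LF-terminated files are meant to remain valid, say so explicitly, e.g. `Lines MAY be terminated by LF or CRLF.` The compatibility note is correct as far as quoting goes, since RFC 4180 makes quotes optional, but it only holds for parsers that do not insist on CRLF.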
@@ -7500,7 +7821,7 @@ If it is used, each ROLIE service document MUST be a JSON file that conforms wit Additionally, it can also list the corresponding ROLIE category documents. The ROLIE service document SHOULD use the filename `service.json` and reside next to the `provider-metadata.json`. -*Example 1:* +*Example 1:* ``` { @@ -7544,7 +7865,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * `product_version` * type of product - *Examples 1:* + *Examples 1:* ``` CPU @@ -7559,7 +7880,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * areas or sectors, the products are used in - *Examples 2:* + *Examples 2:* ``` Chemical @@ -7574,7 +7895,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * any other categorization useful to the consumers -*Example 3:* +*Example 3:* ``` { @@ -7598,7 +7919,7 @@ to ensure their integrity. The filename is constructed by appending the file ext MD5 and SHA1 SHOULD NOT be used. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -7609,7 +7930,7 @@ File name of SHA-512 hash file: esa-2022-02723.json.sha512 The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space. -*Example 2:* +*Example 2:* ``` ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json 
@@ -7620,9 +7941,11 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ ### 7.1.19 Requirement 19: Signatures All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is -extended by the appropriate extension. See \[[RFC4880](#RFC4880)\] for more details. +extended by the appropriate extension. +This signature SHALL be presented as an ASCII armored file. +See \[[RFC4880](#RFC4880)\] for more details. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -7644,6 +7967,7 @@ Tools SHOULD treat the violation of the rules given in the first sentence as: ### 7.1.20 Requirement 20: Public OpenPGP Key The public part of the OpenPGP key used to sign the CSAF documents MUST be available. +This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server. > For example, the public part of the OpenPGP key could be placed in a directory `openpgp` adjacent to the `provider-metadata.json`. @@ -7667,7 +7991,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`. The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider. -*Example 1:* +*Example 1:* ``` { @@ -7723,7 +8047,7 @@ Each such folder MUST at least: * provide a `provider-metadata.json` for the current issuing party. * provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document. -*Example 1:* +*Example 1:* ``` { @@ -8153,7 +8477,7 @@ Secondly, the program fulfills the following for all items of: the CVRF CSAF converter uses the following steps: 1. Retrieve the CVSS version from the CVSS vector, if present. - *Example 1:* + *Example 1:* ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1 
@@ -8162,7 +8486,7 @@ Secondly, the program fulfills the following for all items of: 2. Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace. - *Example 2:* + *Example 2:* ``` xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd" @@ -8172,7 +8496,7 @@ Secondly, the program fulfills the following for all items of: is handled the same as - *Example 3:* + *Example 3:* ``` @@ -8183,7 +8507,7 @@ Secondly, the program fulfills the following for all items of: If more than one CVSS namespace is present and the element is not clearly defined via the namespace, this step MUST be skipped without a decision. - *Example 4:* + *Example 4:* ``` xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0 @@ -8785,6 +9109,7 @@ The following individuals were members of the OASIS CSAF Technical Committee dur | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- @@ -8802,7 +9127,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits > If you come across a case where these limits are exceeded, please provide feedback to the TC. -## C.1 File size +## Appendix C. File Size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. 
@@ -8815,7 +9140,7 @@ e.g.: 50 MiB. > In addition, the BSON format adds length information for the entries inside the document, > which adds to the size when storing CSAF document content in a BSON format. -## C.2 Array length +## Appendix C. Array Length An array SHOULD NOT have more than: @@ -8899,7 +9224,7 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/threats[]/group_ids` * `/vulnerabilities[]/threats[]/product_ids` -## C.3 String length +## Appendix C. String Length A string SHOULD NOT have a length greater than: @@ -8908,6 +9233,7 @@ A string SHOULD NOT have a length greater than: * `/document/acknowledgments[]/organization` * `/document/aggregate_severity/text` * `/document/category` + * `/document/distribution/sharing_group/name` * `/document/lang` * `/document/notes[]/audience` * `/document/notes[]/title` 
@@ -9019,31 +9345,20 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/remediations[]/restart_required/details` * `/vulnerabilities[]/threats[]/details` -## C.4 URI length +## C.6 Date -A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: +The maximum length of strings representing a temporal value is given by the format specifier. This applies to: -* `/document/acknowledgments[]/urls[]` -* `/document/aggregate_severity/namespace` -* `/document/distribution/tlp/url` -* `/document/references[]/url` -* `/document/publisher/namespace` -* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` -* `/vulnerabilities[]/acknowledgments[]/urls[]` -* `/vulnerabilities[]/metrics[]/source` -* `/vulnerabilities[]/references[]/url` -* `/vulnerabilities[]/remediations[]/url` +* `/document/tracking/current_release_date` +* 
`/document/tracking/generator/date` +* `/document/tracking/initial_release_date` +* `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/discovery_date` +* `/vulnerabilities[]/flags[]/date` +* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/involvements[]/date` +* `/vulnerabilities[]/remediations[]/date` +* `/vulnerabilities[]/threats[]/date` ## C.5 Enum 
@@ -9155,17 +9470,34 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity` (8) * `/vulnerabilities[]/threats[]/category` (14) -## C.6 Date +## C.5 URI Length -The maximum length of strings representing a temporal value is given by the format specifier. This applies to: +A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: -* `/document/tracking/current_release_date` -* `/document/tracking/generator/date` -* `/document/tracking/initial_release_date` -* `/document/tracking/revision_history[]/date` -* `/vulnerabilities[]/discovery_date` -* `/vulnerabilities[]/flags[]/date` -* `/vulnerabilities[]/release_date` -* `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/remediations[]/date` -* `/vulnerabilities[]/threats[]/date` +* `/document/acknowledgments[]/urls[]` +* `/document/aggregate_severity/namespace` +* `/document/distribution/tlp/url` +* `/document/references[]/url` +* `/document/publisher/namespace` +* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` +* 
`/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` +* `/vulnerabilities[]/acknowledgments[]/urls[]` +* `/vulnerabilities[]/metrics[]/source` +* `/vulnerabilities[]/references[]/url` +* `/vulnerabilities[]/remediations[]/url` + +## C.5 UUID Length + +A string with format `uuid` SHOULD NOT have a length greater than 50. This applies to: + +* `/document/distribution/sharing_group/id` (36) diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json new file mode 100644 index 000000000..9185702eb --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json 
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Version Range in Product Version (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-31-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "branches": [
+ {
+ "category": "vendor",
+ "name": "Example Company",
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Product A",
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "overall otter",
+ "product": {
+ "product_id": "CSAFPID-9080700",
+ "name": "Example Company Product A overall otter"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json
new file mode 100644
index 000000000..b715f8fd8
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24 10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-01",
+ "initial_release_date": "2024-01-24 10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24 10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json
new file mode 100644
index 000000000..17aaa9a97
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
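Review bot: This fixture is only guaranteed to fail if test 37 applies its own separator check rather than relying on a `format: date-time` validation: the value `2024-01-24 10:00:00.000Z` uses the space separator that RFC 3339 section 5.6 explicitly tolerates, and if I remember Ajv's built-in `date-time` regex correctly it accepts `[Tt ]` as the separator, so a schema-driven validator would report this document as valid and the fixture would not exercise the intended rule. Add a second failing fixture with a defect every RFC 3339 implementation rejects, e.g. a value without a time zone designator such as `"2024-01-24T10:00:00.000"`, so the expected outcome does not depend on the validator's format library. The prose for test 37 should state explicitly that only `T`/`t` is an acceptable date/time separator.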
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json
new file mode 100644
index 000000000..a6a78c90c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json
new file mode 100644
index 000000000..b653debce
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json
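Review bot: The failing fixtures for test 38 never exercise the max UUID on its own: 38-01 pairs `ffffffff-ffff-ffff-ffff-ffffffffffff` with `"name": "Public"`, and judging by the neighbouring hunks 38-02 to 38-04 do the same, while every valid fixture that carries the max UUID is TLP CLEAR. An implementation that keys on the name string instead of on `/document/distribution/sharing_group/id` would therefore pass the whole set without ever comparing the identifier. Add one failing fixture that has the max UUID, no `name` member and a non-CLEAR label (e.g. `"label": "RED"`) so the check is pinned to the id, which is the value the specification reserves.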
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "AMBER+STRICT"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json
new file mode 100644
index 000000000..56bf95437
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json
new file mode 100644
index 000000000..f2151ea1e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json
new file mode 100644
index 000000000..b3e21ee22
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json
new file mode 100644
index 000000000..3afcd47bd
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "AMBER+STRICT"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json
new file mode 100644
index 000000000..0f020c83c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "234efd7a-a3a1-4897-8296-633d5d37659c",
+ "name": "Example Sharing Group 3"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json
new file mode 100644
index 000000000..bd4f3b1d6
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json
new file mode 100644
index 000000000..47a979198
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 5)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-15",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json
new file mode 100644
index 000000000..d43907285
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json
new file mode 100644
index 000000000..7c10469cd
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json
new file mode 100644
index 000000000..65766abd9
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json
new file mode 100644
index 000000000..db1f73d59
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json
new file mode 100644
index 000000000..eba1bc0b3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json
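Review bot: This valid fixture differs from the failing fixture 39-02 only in `/document/tracking/status` (`"draft"` here, `"final"` there); the nil UUID, the name `No sharing allowed` and the CLEAR label are byte-identical. That makes the tracking status the deciding input of test 39 for the nil UUID case, which neither fixture title mentions, and a validator that evaluates test 39 on `/document/distribution` alone will misclassify one of the two. State the dependency in the title, e.g. `"title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 2, draft)"`, and add a counterpart with `"status": "interim"` so implementers can see whether only drafts are exempt.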
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json
new file mode 100644
index 000000000..e96a3e9be
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json
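Review bot: The failing fixtures for test 40 pin the reserved names only as exact strings — `"name": "Public"` on a non-max UUID here, and `No sharing allowed` on a non-nil UUID in 40-02 — and no fixture carries a case or whitespace variant such as `"public"`, `"PUBLIC"` or `"Public "`. Implementers therefore cannot tell from the data whether the comparison is case-sensitive or trimmed, and two conforming validators could disagree on a document that uses the reserved name in another spelling. Add at least one such variant as a fixture, in whichever direction the TC intends, so the expected behaviour is fixed by the test data rather than by each implementation.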
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json
new file mode 100644
index 000000000..6f1416409
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json
new file mode 100644
index 000000000..d6dab838c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json
new file mode 100644
index 000000000..576878cca
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json
new file mode 100644
index 000000000..6ac651a65
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "234efd7a-a3a1-4897-8296-633d5d37659c",
+ "name": "Example Sharing Group 3"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json
new file mode 100644
index 000000000..49ea1473e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json
new file mode 100644
index 000000000..0c50385cb
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json
new file mode 100644
index 000000000..f684e10d7
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "No sharing restrictions"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json
new file mode 100644
index 000000000..6699e8e73
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "Releasable to OASIS CSAF TC member organizations"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json
new file mode 100644
index 000000000..27aa1691f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json
new file mode 100644
index 000000000..5bddd0442
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json
new file mode 100644
index 000000000..8bc6b78d4
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Max UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-28-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json
new file mode 100644
index 000000000..6a4c469c0
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Max UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-28-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json
new file mode 100644
index 000000000..22a56ca0d
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Max UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-28-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json
new file mode 100644
index 000000000..5b0374583
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Nil UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-29-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json
new file mode 100644
index 000000000..005347894
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Nil UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-29-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json
new file mode 100644
index 000000000..17946d69b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Nil UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-29-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json
new file mode 100644
index 000000000..23c0b6018
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Sharing Group on TLP:CLEAR (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-30-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json
new file mode 100644
index 000000000..796fb393f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json
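Review bot: The failing example for 6.2.30, `oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json`, pairs the max UUID `ffffffff-ffff-ffff-ffff-ffffffffffff` with the name `Public`, which is exactly the sharing group the 6.2.28 failing example uses, so this one fixture is expected to trip two optional tests at once and a validator that only reports 6.2.28 for it would still look correct. Unless 6.2.30 is specifically about the max UUID on TLP:CLEAR (the test text is not on this page), using the ordinary v4 pair already present in the valid examples, `"id": "86c81730-1a06-478d-82d4-978e41eb332f",` and `"name": "Example Sharing Group 1"`, would isolate the TLP:CLEAR condition under test. The two valid examples for 6.2.30 are unaffected.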
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Sharing Group on TLP:CLEAR (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-30-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json
new file mode 100644
index 000000000..4a197e46f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Sharing Group on TLP:CLEAR (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-30-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index a1d19886a..11d861926 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -969,6 +969,10 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-12.json",
 "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json",
+ "valid": true
 }
 ]
 },
@@ -1096,6 +1100,154 @@
 }
 ]
 },
+ {
+ "id": "6.1.37",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.38",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.39",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.40",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.41",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.2.1",
 "group": "optional",
@@ -1710,6 +1862,66 @@
 }
 ]
 },
+ {
+ "id": "6.2.28",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.2.29",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.2.30",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
index c9a0791bc..1c287c799 100755
--- a/csaf_2.1/test/validator/run_tests.sh
+++ b/csaf_2.1/test/validator/run_tests.sh
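Review bot: The `failures` entries for 6.2.28, 6.2.29 and 6.2.30 are all recorded with `"valid": true`, whereas every `failures` entry in the mandatory hunk above carries `"valid": false`. If `valid` records schema validity rather than the outcome of the test named in `id`, this is correct for optional tests, whose failing examples remain valid CSAF documents, but nothing in this file says so and a reader cannot tell the two meanings apart; please confirm it matches the existing 6.2.x entries outside this hunk. Since strict JSON cannot carry a comment here, the per-example `valid` property's `description` in testcases_json_schema.json is the place to state it, along the lines of "whether the example is a valid CSAF document with respect to the JSON schema, independent of the result of the optional or informative test it is listed under" — wording to be confirmed against the intended semantics.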
@@ -10,7 +10,7 @@
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
-EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
+EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
 EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json
 FAIL=0
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index df28d870a..107d8e97e 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-9])|(2\\.30)|(1\\.4[0-1]))$"
 },
 "valid": {
 "title": "List of valid examples",
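Review bot: The new entry `oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json` in EXCLUDE is added without any rationale, and the pipe-separated string now holds seven exclusions whose reasons are recorded nowhere in this script. testcases.json in the previous hunks lists that fixture as `"valid": false`, so it is presumably a document that fails 6.1.37 in a way the schema check run here cannot detect and would otherwise be reported as a spurious pass; a reader of the script has to reconstruct that themselves. A comment above the assignment, e.g. `# Fixtures skipped by this runner; their expected results are recorded in data/testcases.json`, would keep the list maintainable, and the `EXCLUDE_STRICT` line below would benefit from the same treatment.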