Merge pull request #741 from oasis-tcs/editor-revision-2024-05-29

Editor revision for TC meeting 2024-05-29

csaf_2.1/examples/csaf/bsi-2022-0001.json

@@ -134,10 +134,13 @@
         }
       ],
       "cve": "CVE-2022-27193",
-      "cwe": {
-        "id": "CWE-611",
-        "name": "Improper Restriction of XML External Entity Reference"
-      },
+      "cwes": [
+        {
+          "id": "CWE-611",
+          "name": "Improper Restriction of XML External Entity Reference",
+          "version": "4.6"
+        }
+      ],
       "ids": [
         {
           "system_name": "Github Issue",

csaf_2.1/examples/csaf/rhsa-2021_5186.json

@@ -165,10 +165,13 @@
   "vulnerabilities": [
     {
       "cve": "CVE-2021-4104",
-      "cwe": {
-        "id": "CWE-20",
-        "name": "Improper Input Validation"
-      },
+      "cwes": [
+        {
+          "id": "CWE-20",
+          "name": "Improper Input Validation",
+          "version": "4.6"
+        }
+      ],
       "discovery_date": "2021-12-13T00:00:00Z",
       "ids": [
         {

csaf_2.1/examples/csaf/rhsa-2021_5217.json

@@ -116,10 +116,13 @@
         }
       ],
       "cve": "CVE-2021-4133",
-      "cwe": {
-        "id": "CWE-863",
-        "name": "Incorrect Authorization"
-      },
+      "cwes": [
+        {
+          "id": "CWE-863",
+          "name": "Incorrect Authorization",
+          "version": "4.6"
+        }
+      ],
       "discovery_date": "2021-12-17T00:00:00Z",
       "ids": [
         {

csaf_2.1/examples/csaf/rhsa-2022_0011.json

@@ -340,10 +340,13 @@
   "vulnerabilities": [
     {
       "cve": "CVE-2020-10188",
-      "cwe": {
-        "id": "CWE-119",
-        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
-      },
+      "cwes": [
+        {
+          "id": "CWE-119",
+          "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
+          "version": "4.6"
+        }
+      ],
       "discovery_date": "2020-03-06T00:00:00Z",
       "ids": [
         {

csaf_2.1/json_schema/csaf_json_schema.json

@@ -160,7 +160,7 @@
               "title": "Common Platform Enumeration representation",
               "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
               "type": "string",
-              "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
+              "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
               "minLength": 5
             },
             "hashes": {
@@ -594,6 +594,7 @@
                   "title": "Label of TLP",
                   "description": "Provides the TLP label of the document.",
                   "type": "string",
+                  "default": "CLEAR",
                   "enum": [
                     "AMBER",
                     "AMBER+STRICT",
@@ -644,6 +645,7 @@
               "enum": [
                 "coordinator",
                 "discoverer",
+                "multiplier",
                 "other",
                 "translator",
                 "user",
@@ -994,36 +996,58 @@
             "type": "string",
             "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$"
           },
-          "cwe": {
-            "title": "CWE",
-            "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.",
-            "type": "object",
-            "required": [
-              "id",
-              "name"
-            ],
-            "properties": {
-              "id": {
-                "title": "Weakness ID",
-                "description": "Holds the ID for the weakness associated.",
-                "type": "string",
-                "pattern": "^CWE-[1-9]\\d{0,5}$",
-                "examples": [
-                  "CWE-22",
-                  "CWE-352",
-                  "CWE-79"
-                ]
-              },
-              "name": {
-                "title": "Weakness name",
-                "description": "Holds the full name of the weakness as given in the CWE specification.",
-                "type": "string",
-                "minLength": 1,
-                "examples": [
-                  "Cross-Site Request Forgery (CSRF)",
-                  "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
-                  "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-                ]
+          "cwes": {
+            "title": "List of CWEs",
+            "description": "Contains a list of CWEs.",
+            "type": "array",
+            "minItems": 1,
+            "uniqueItems": true,
+            "items": {
+              "title": "CWE",
+              "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.",
+              "type": "object",
+              "required": [
+                "id",
+                "name",
+                "version"
+              ],
+              "properties": {
+                "id": {
+                  "title": "Weakness ID",
+                  "description": "Holds the ID for the weakness associated.",
+                  "type": "string",
+                  "pattern": "^CWE-[1-9]\\d{0,5}$",
+                  "examples": [
+                    "CWE-22",
+                    "CWE-352",
+                    "CWE-79"
+                  ]
+                },
+                "name": {
+                  "title": "Weakness name",
+                  "description": "Holds the full name of the weakness as given in the CWE specification.",
+                  "type": "string",
+                  "minLength": 1,
+                  "examples": [
+                    "Cross-Site Request Forgery (CSRF)",
+                    "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+                    "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+                  ]
+                },
+                "version": {
+                  "title": "CWE version",
+                  "description": "Holds the version string of the CWE specification this weakness was extracted from.",
+                  "type": "string",
+                  "minLength": 1,
+                  "pattern": "^[1-9]\\d*\\.([0-9]|([1-9]\\d+))(\\.\\d+)?$",
+                  "examples": [
+                    "1.0",
+                    "3.4.1",
+                    "4.0",
+                    "4.11",
+                    "4.12"
+                  ]
+                }
               }
             }
           },

csaf_2.1/prose/edit/bin/invert_eg_labels.py

@@ -0,0 +1,20 @@
+#! /usr/bin/env python 
+"""Bread and butter inversion of global eexample number to example sug mapping."""
+import json
+import pathlib
+
+ETC_PATH = pathlib.Path('etc')
+IN_PATH = ETC_PATH / 'example-global-to-local.json'
+OUT_PATH = ETC_PATH / 'example-local-to-global.json'
+
+if not ETC_PATH.is_dir():
+	raise RuntimeError('Please execute me inside csaf_2.1/prose/edit/ because I am a simple tool')
+
+with open(IN_PATH, 'rt', encoding='utf-8') as handle:
+    data = json.load(handle)
+
+inverted = {v: k for k, v in data.items()}
+ordered = {k: inverted[k] for k in sorted(inverted)}
+
+with open(OUT_PATH, 'wt', encoding='utf-8') as handle:
+    json.dump(ordered, handle, indent=2)