From c4ef71dee4bc205dcfdb84ec37515ae0f8573b87 Mon Sep 17 00:00:00 2001
From: Stefan Hagen
Committee Specification Draft 01
-
- 30 October 2024
+
+ 27 November 2024
This stage:
@@ -160,7 +160,7 @@
[csaf-v2.1]
- Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, https://www.rfc-editor.org/info/rfc3339.
++ [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, https://www.rfc-editor.org/info/rfc4180. +
[RFC7464] Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, https://www.rfc-editor.org/info/rfc7464.
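Review bot: the [csaf-v2.1] self-reference keeps the stage "OASIS Committee Specification Draft 01" and the csd01 URL while the date moves from 30 October to 27 November 2024; if this revision is published as a new stage, the designation and the stage URL need to move with it, otherwise confirm that only the date is meant to change here. The added [RFC4180] entry is consistent with its later use in Requirement 13 (changes.csv) in this same patch.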
@@ -1389,6 +1412,9 @@[RFC8259] T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, https://www.rfc-editor.org/info/rfc8259.
++ [RFC9562] Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, https://www.rfc-editor.org/info/rfc9562. +
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, https://www.rfc-editor.org/info/rfc3986.
++ [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, https://www.rfc-editor.org/info/rfc4122. +
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, https://www.rfc-editor.org/info/rfc4880.
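Review bot: [RFC4122] is added as a reference although RFC 9562 (added in the same hunk) obsoletes it, and the body text in this patch cites only [RFC9562] (see the Sharing Group ID rules); unless another section still cites [RFC4122], drop the entry so the two do not compete as normative references for the UUID format. If both must stay, mark [RFC4122] as obsoleted by [RFC9562] in the entry itself.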
@@ -1686,18 +1715,20 @@
- This standard uses the date-time
format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with RFC 3339 and ISO 8601, the following rules apply:
+ This standard uses the date-time
format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply:
T
separating the date and time SHALL be upper case.
T
.
+ Z
indicating the timezone UTC SHALL be upper case.
.
) as separator.
- Rules for sharing document (distribution
) of value type object
with the mandatory property Traffic Light Protocol (TLP) (tlp
) and the optional property Text (text
) describes any constraints on how this document might be shared.
+ Rules for sharing document (distribution
) of value type object
with the mandatory property Traffic Light Protocol (TLP) (tlp
) and the optional properties Sharing Group (Sharing Group
) and Text (text
) describes any constraints on how this document might be shared.
"distribution": {
// ...
"properties": {
+ "sharing_group": {
+ // ...
+ },
"text": {
// ...
},
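Review bot: the new parenthetical in the Rules for sharing document sentence names the property as "Sharing Group (Sharing Group)" where the JSON key belongs; the siblings in the same sentence give "tlp" and "text", and the schema fragment right below uses "sharing_group", so this should read "Sharing Group (sharing_group)". Separately, the upper-case requirements for T and Z are stricter than [RFC3339], which explicitly permits lower-case "t" and "z" (Section 5.6, and it even allows a space in place of T); "In accordance with [RFC3339] and [ISO8601], the following rules apply" would be more accurate as a statement that this standard restricts the RFC 3339 syntax. This matters for implementers: a validator that only checks the JSON Schema "date-time" format will accept the lower-case forms this text forbids, which is why the new mandatory test 6.1.37 is needed.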
@@ -3092,22 +3126,111 @@
}
},
- If both values are present, the TLP information SHOULD be preferred as this aids in automation. + If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. The Sharing Group SHALL be interpreted as specification to the TLP information. Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: +
+ - E-ISAC members-only
+ Only releasable to European Energy sector
+ Releasable to NATO countries
+ +++ Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. +
+
+ Sharing Group (sharing_group
) of value type object
with the mandatory property Sharing Group ID (id
) and the optional property Sharing Group Name (name
) contains information about the group this document is intended to be shared with.
+
"sharing_group": {
+ // ...
+ "properties": {
+ "id": {
+ // ...
+ },
+ "name": {
+ // ...
+ }
+ }
+ },
+
+ Sharing Group ID (id
) of value type string
with format uuid
and pattern
(regular expression):
+
^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$
+ + Sharing Group ID provides the unique ID for the sharing group. This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. +
++++ Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. +
+
+ The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. It MUST differ if a different sharing group is addressed. +
+
+ The ID SHALL be valid according to [RFC9562] and recorded in the 8-4-4-4-12 notation in lower case. The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. TLP:GREEN
and above.
+
+ The following ID values SHOULD NOT be used unless there are technical reasons for them. Therefore, they are reserved for implementation-specific situations: +
+TLP:CLEAR
CSAF documents.
+ +++ For example, the system uses the UUID as an indication whether a user allowed to see the document. The security considerations from [RFC9562] should be reflected on. +
+
+++ For example, the CSAF document is just being drafted and the accidental leakage should be prevented. +
+
+++ Note, that both values do not indicate a closed sharing group. +
+
+ A CSAF document with TLP:CLEAR
SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (ffffffff-ffff-ffff-ffff-ffffffffffff
).
+
+ If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section sec) regarding the generation of the value of /document/tracking/id
SHALL be applied. This implies that usually the sharing group
+ ID is used as a prefix to the original /document/tracking/id
.
+
+ Sharing Group Name (name
) of value type string
with one or more characters contains a human-readable name for the sharing group.
+
+ The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. However, the following values are reserved for the conditions below: +
+name
SHALL exist and be Public
.
+ name
SHALL exist and be No sharing allowed
.
+
The Textual description (text
) of value type string
with 1 or more characters provides a textual description of additional constraints.
Copyright 2024, Example Company, All Rights Reserved.
Distribute freely.
Share only on a need-to-know-basis only.
-
Traffic Light Protocol (TLP) (tlp
) of value type object
with the mandatory property Label (label
) and the optional property URL (url
) provides details about the TLP classification of the document.
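Review bot: the Sharing Group ID pattern does not enforce the variant bits that the prose requires ("SHALL be valid according to [RFC9562]" and "SHALL be a UUID Version 4"): the v4 branch `[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}` accepts any hex digit at the start of the fourth group, whereas RFC 9562 fixes the variant field to 0b10, so that digit must be one of 8, 9, a or b; use `[89ab][0-9a-f]{3}` for that group so that schema validation and the prose agree. The example "the system uses the UUID as an indication whether a user allowed to see the document" (also missing "is") sits uneasily with the security considerations it points to: RFC 9562 Section 8 states that UUIDs MUST NOT be used as security capabilities, so the text should say outright that the ID is a correlation label, that access to a closed sharing group is granted by the distribution channel and not by knowledge of the UUID, and that v4 IDs are to be generated from a CSPRNG (RFC 9562 Section 6.9) so that an ID disclosed from one case does not make the IDs of other cases predictable. Minor wording: "interpreted as specification to the TLP information" should read "interpreted as a specification of the TLP information".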
@@ -3149,7 +3272,7 @@
https://www.first.org/tlp/
https://www.us-cert.gov/tlp
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf
@@ -3288,7 +3411,7 @@ user
indicates anyone using a vendor’s product.
- The value vendor
indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners.
+ The value vendor
indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, product security incident response teams (PSIRTs), open source projects as well as product resellers and distributors, including authoritative vendor partners.
contact_details
) of value type string
with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.
Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact.
name
) of value type string
with 1 or more characters contains the name of the issuing party.
BSI
Cisco PSIRT
@@ -3342,7 +3465,7 @@
https://csaf.io
https://www.example.com
@@ -3377,7 +3500,7 @@
Title of this document (title
) of value type string
with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.
Cisco IPv6 Crafted Packet Denial of Service Vulnerability
Example Company Cross-Site-Scripting Vulnerability in Example Generator
@@ -3433,7 +3556,7 @@
Every such Alternate Name of value type string
with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.
CVE-2019-12345
@@ -3482,7 +3605,7 @@
Engine name (name
) of value type string
with 1 or more characters represents the name of the engine that generated the CSAF document.
Red Hat rhsa-to-cvrf
Secvisogram
@@ -3496,7 +3619,7 @@
0.6.0
1.0.0-beta+exp.sha.a1c44f85
@@ -3520,7 +3643,7 @@
The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.
Example Company - 2019-YH3234
RHBA-2019:0024
@@ -3685,7 +3808,7 @@
The summary of the product group (summary
) of value type string
with 1 or more characters gives a short, optional description of the group.
Products supporting Modbus.
The x64 versions of the operating system.
@@ -3763,7 +3886,7 @@
Relates to Product Reference (relates_to_product_reference
) of value type Product ID (product_id_t
) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.
"product_tree": {
"full_product_names": [
@@ -3916,7 +4039,7 @@
It holds the ID for the weakness associated.
CWE-22
CWE-352
@@ -3925,7 +4048,7 @@
The Weakness name (name
) has value type string
with 1 or more characters and holds the full name of the weakness as given in the CWE specification.
Cross-Site Request Forgery (CSRF)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
@@ -3938,7 +4061,7 @@
It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.
"1.0",
"3.4.1",
@@ -4063,7 +4186,7 @@
System name (system_name
) of value type string
with 1 or more characters indicates the name of the vulnerability tracking or numbering system.
Cisco Bug ID
GitHub Issue
@@ -4071,7 +4194,7 @@
Text (text
) of value type string
with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).
CSCso66472
oasis-tcs/csaf#210
@@ -5403,7 +5526,7 @@
cisco-sa-20190513-secureboot.json
example_company_-_2019-yh3234.json
@@ -5414,7 +5537,7 @@
cisco-sa-20190513-secureboot_invalid.json
example_company_-_2019-yh3234_invalid.json
@@ -5500,7 +5623,7 @@
/vulnerabilities[]/remediations[]/product_ids[]
/vulnerabilities[]/threats[]/product_ids[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"product_groups": [
@@ -5531,7 +5654,7 @@
/product_tree/full_product_names[]/product_id
/product_tree/relationships[]/full_product_name/product_id
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -5567,7 +5690,7 @@
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -5606,7 +5729,7 @@
/vulnerabilities[]/remediations[]/group_ids
/vulnerabilities[]/threats[]/group_ids
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -5645,7 +5768,7 @@
/product_tree/product_groups[]/group_id
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -5728,7 +5851,7 @@
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -5771,7 +5894,7 @@
/vulnerabilities[]/metrics[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -5831,7 +5954,7 @@
/vulnerabilities[]/metrics[]/content/cvss_v3
/vulnerabilities[]/metrics[]/content/cvss_v4
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cvss_v3": {
"version": "3.1",
@@ -5878,7 +6001,7 @@
/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore
/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cvss_v3": {
"version": "3.1",
@@ -5909,7 +6032,7 @@
/vulnerabilities[]/metrics[]/content/cvss_v3
/vulnerabilities[]/metrics[]/content/cvss_v4
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cvss_v3": {
"version": "3.1",
@@ -5946,7 +6069,7 @@
/vulnerabilities[]/cwes[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cwes": [
{
@@ -5972,7 +6095,7 @@
/document/lang
/document/source_lang
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"lang": "EZ"
@@ -5998,7 +6121,7 @@
/product_tree/full_product_names[]/product_identification_helper/purl
/product_tree/relationships[]/full_product_name/product_identification_helper/purl
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -6027,7 +6150,7 @@
/document/tracking/revision_history
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"revision_history": [
{
@@ -6057,7 +6180,7 @@
/document/source_lang
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
// ...
@@ -6086,7 +6209,7 @@
/document/tracking/version
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
// ...
@@ -6121,7 +6244,7 @@
/document/tracking/status
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
// ...
@@ -6144,7 +6267,7 @@
/document/tracking/revision_history[]/number
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
// ...
@@ -6179,7 +6302,7 @@
/document/tracking/revision_history[]/number
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"revision_history": [
{
@@ -6209,7 +6332,7 @@
/document/tracking/version
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
// ...
@@ -6233,7 +6356,7 @@
/document/tracking/revision_history
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"revision_history": [
{
@@ -6263,7 +6386,7 @@
/document/tracking/revision_history
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"revision_history": [
{
@@ -6293,7 +6416,7 @@
/vulnerabilities[]/cve
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -6319,7 +6442,7 @@
/vulnerabilities[]/involvements
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -6356,7 +6479,7 @@
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -6416,7 +6539,7 @@
/document/category
- Examples 1 (for currently prohibited values):
+ Examples 1 (for currently prohibited values):
Csaf_a
Informational Advisory
@@ -6425,7 +6548,7 @@
veX
V_eX
- Example 2 (which fails the test):
+ Example 2 (which fails the test):
"category": "Security_Incident_Response"
@@ -6460,7 +6583,7 @@
/document/notes
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"notes": [
{
@@ -6490,7 +6613,7 @@
/document/references
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"references": [
{
@@ -6519,7 +6642,7 @@
/vulnerabilities
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -6552,7 +6675,7 @@
/product_tree
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
{
"document": {
@@ -6583,7 +6706,7 @@
/vulnerabilities[]/notes
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -6610,7 +6733,7 @@
/vulnerabilities[]/product_status
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -6640,7 +6763,7 @@
/vulnerabilities[]/product_status/known_not_affected
/vulnerabilities[]/product_status/under_investigation
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_status": {
"first_fixed": [
@@ -6671,7 +6794,7 @@
/vulnerabilities[]/cve
/vulnerabilities[]/ids
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -6699,7 +6822,7 @@
/vulnerabilities[]/flags
/vulnerabilities[]/threats
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -6770,7 +6893,7 @@
/vulnerabilities[]/remediations
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -6843,7 +6966,7 @@
/vulnerabilities
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
{
"document": {
@@ -6870,7 +6993,7 @@
/document/lang
/document/source_lang
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
// ...
@@ -6903,7 +7026,7 @@
/vulnerabilities[]/remediations[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"remediations": [
{
@@ -6933,7 +7056,7 @@
/document/tracking/revision_history[]/number
/document/tracking/version
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
// ...
@@ -6970,26 +7093,38 @@
- To implement this test it is deemed sufficient that, when converted to lower case, the value of name
does not contain any of the following strings:
+ To implement this test it is deemed sufficient that, when converted to lower case, the value of name
satisfies the two requirements below:
- <
+
+ -
+
+ It does not contain any of the following operators:
+
+ <
<=
>
- >=
- after
+ >=
+
+ -
+
+ If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords:
+
+ after
all
before
earlier
later
prior
versions
+
+
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/name
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"branches": [
{
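Review bot: the new whole-word rule ("interpreted as a list of individual words separated by whitespace") fixes the false positives of the old substring check (for example "all" inside "Firewall" or "Installer") but opens false negatives: a name such as "1.x (and earlier)" or "2.0 or prior." yields the tokens "earlier)" and "prior.", neither of which equals a keyword, because whitespace splitting keeps punctuation attached. Tokenize on runs of non-alphanumeric characters, or strip leading and trailing punctuation from each token, before comparing against the keyword list. The operator list is still matched as substrings, which is right for "<=" and friends, so the two bullets intentionally use different matching modes; one sentence saying so would keep implementers from applying word splitting to the operators as well.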
@@ -7014,7 +7149,7 @@
/vulnerabilities[]/flags[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"flags": [
{
@@ -7042,7 +7177,7 @@
/vulnerabilities[]/flags
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -7107,7 +7242,7 @@
/product_tree/branches[](/branches[])*/product
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"branches": [
@@ -7317,7 +7452,7 @@
/vulnerabilities[]/remediations[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"remediations": [
{
@@ -7357,7 +7492,7 @@
/vulnerabilities[]/remediations[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_status": {
"known_not_affected": [
@@ -7378,6 +7513,156 @@
For the product with product ID CSAFPID-908070
a vendor_fix
is given but the product was not affected at all.
+
+ 6.1.37 Date and Time
+
+
+ For each item of type string
and format date-time
it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}.
+
+
+ The relevant path for this test is:
+
+ /document/tracking/current_release_date
+ /document/tracking/generator/date
+ /document/tracking/initial_release_date
+ /document/tracking/revision_history[]/date
+ /vulnerabilities[]/discovery_date
+ /vulnerabilities[]/flags[]/date
+ /vulnerabilities[]/release_date
+ /vulnerabilities[]/involvements[]/date
+ /vulnerabilities[]/remediations[]/date
+ /vulnerabilities[]/threats[]/date
+
+ Example 1 (which fails the test):
+
+ "current_release_date": "2024-01-24 10:00:00.000Z",
+
+
+ The current_release_date
uses a whitespace as separator instead the letter T
.
+
+
+
+ 6.1.38 Non-Public Sharing Group with Max UUID
+
+
+ It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label CLEAR
.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/tlp/label
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+
+
+ The sharing group uses the Max UUID but the CSAF document is labeled as TLP:RED
.
+
+
+
+
+ A tool MAY remove the property sharing_group
as a quick fix.
+
+
+
+ 6.1.39 Public Sharing Group with no Max UUID
+
+
+ It MUST be tested that a CSAF document with the TLP label CLEAR
use the Max UUID as sharing group ID if any. The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is draft
.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/sharing_group/id
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+
+
+ The sharing group is present for the TLP:CLEAR
document but it differs from the Max UUID.
+
+
+
+
+ A tool MAY update the sharing group id as a quick fix.
+
+
+
+ 6.1.40 Invalid Sharing Group Name
+
+
+ It MUST be tested that the value of sharing group name does not equal the reserved values from section 3.2.2.5.1 if the precondition is not fulfilled.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/sharing_group/name
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
+ "name": "Public"
+ },
+ // ...
+ },
+
+
+ The sharing group name is Public
but it does not use the Max UUID.
+
+
+
+
+ A tool MAY update the sharing group name as a quick fix.
+
+
+
+ 6.1.41 Missing Sharing Group Name
+
+
+ It MUST be tested that the sharing group name exists and equals the predefined reserved value from section 3.2.2.5.1 if the precondition is fulfilled.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/sharing_group/name
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
+ },
+ // ...
+ },
+
+
+ The Max UUID is used but the sharing group name does not exist.
+
+
+
+
+ A tool MAY add the corresponding sharing group name as a quick fix.
+
+
6.2 Optional Tests
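Review bot: test 6.1.39 passes a TLP:CLEAR document whose sharing group ID is the Nil UUID when the status is draft, but the Rules for sharing document text in this same patch says a TLP:CLEAR document "SHALL NOT contain any other value for the Sharing Group ID than Max UUID"; one of the two has to give, either by adding the draft exception to section 3.2.2.5.1 or by making 6.1.39 fail on the Nil UUID. The sentence itself is also ambiguous ("no sharing group is present or the Nil UUID is used and the document status is draft"); write it as "no sharing group is present, or the Nil UUID is used and the status is draft", and "use the Max UUID" should be "uses the Max UUID". Smaller points: 6.1.37 lists ten paths, so "The relevant path for this test is" should be plural; its explanation "instead the letter T" should read "instead of the letter T"; 6.1.38 and 6.1.39 each depend on both /document/distribution/tlp/label and /document/distribution/sharing_group/id, so each should list both paths; and the "precondition" in 6.1.40 and 6.1.41 is never named in the tests themselves, so state it as "unless the reserved UUID that belongs to that name is used" to keep the tests readable without jumping to 3.2.2.5.1.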
@@ -7400,7 +7685,7 @@
/product_tree/full_product_names[]/product_id
/product_tree/relationships[]/full_product_name/product_id
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -7439,7 +7724,7 @@
/vulnerabilities[]/product_status/last_affected[]
/vulnerabilities[]/product_status/under_investigation[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -7476,7 +7761,7 @@
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -7511,7 +7796,7 @@
/document/tracking/revision_history[]/number
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"revision_history": [
{
@@ -7536,7 +7821,7 @@
/document/tracking/initial_release_date
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
// ...
@@ -7571,7 +7856,7 @@
/document/tracking/current_release_date
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"tracking": {
"current_release_date": "2023-09-06T10:00:00.000Z",
@@ -7606,7 +7891,7 @@
/vulnerabilities[]/involvements
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -7641,7 +7926,7 @@
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -7687,7 +7972,7 @@
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -7747,7 +8032,7 @@
/document/references
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
// ...
@@ -7783,7 +8068,7 @@
/document/lang
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
"category": "csaf_base",
@@ -7814,7 +8099,7 @@
/
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
"csaf_version": "2.1",
@@ -7843,7 +8128,7 @@
/document/lang
/document/source_lang
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"lang": "qtx"
@@ -7868,7 +8153,7 @@
/document/lang
/document/source_lang
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"lang": "i-default"
@@ -7894,7 +8179,7 @@
/product_tree/full_product_names[]
/product_tree/relationships[]/full_product_name
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"full_product_names": [
{
@@ -7923,7 +8208,7 @@
/vulnerabilities[]/ids[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"ids": [
{
@@ -7958,7 +8243,7 @@
/product_tree/branches[](/branches[])*/name
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"branches": [
{
@@ -7985,7 +8270,7 @@
/vulnerabilities[]/product_status/first_fixed[]
/vulnerabilities[]/product_status/fixed[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -8045,7 +8330,7 @@
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
"category": "csaf_base",
@@ -8074,7 +8359,7 @@
/document/tracking/revision_history[]/date
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"revision_history": [
{
@@ -8104,7 +8389,7 @@
/document/title
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
"tracking": {
@@ -8133,7 +8418,7 @@
/vulnerabilities[]/cwes[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cwes": [
{
@@ -8163,7 +8448,7 @@
/vulnerabilities[]/cwes[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
// ...
@@ -8209,7 +8494,7 @@
/vulnerabilities[]/cwes[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cwes": [
{
@@ -8239,7 +8524,7 @@
/vulnerabilities[]/cwes[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cwes": [
{
@@ -8264,7 +8549,7 @@
/vulnerabilities[]/remediations[]
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_status": {
"known_not_affected": [
@@ -8285,6 +8570,98 @@
For the product with product ID CSAFPID-908070
a fix is planned but the product was not affected at all.
+
+ 6.2.28 Usage of Max UUID
+
+
+ It MUST be tested that the Max UUID is not used as sharing group id.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/sharing_group/id
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ // ...
+ },
+
+
+ The sharing group id uses the Max UUID.
+
+
+
+
+ A tool MAY remove the property sharing_group
as a quick fix.
+
+
+
+ 6.2.29 Usage of Nil UUID
+
+
+ It MUST be tested that the Nil UUID is not used as sharing group id.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/sharing_group/id
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ // ...
+ },
+
+
+ The sharing group id uses the Nil UUID.
+
+
+
+
+ A tool MAY remove the property sharing_group
as a quick fix.
+
+
+
+ 6.2.30 Usage of Sharing Group on TLP:CLEAR
+
+
+ It MUST be tested that no sharing group is used if the document is TLP:CLEAR
.
+
+
+ The relevant path for this test is:
+
+ /document/distribution/sharing_group
+
+ Example 1 (which fails the test):
+
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+
+
+ The CSAF document is TLP:CLEAR
but a sharing group is given.
+
+
+
+
+ A tool MAY remove the property sharing_group
as a quick fix.
+
+
6.3 Informative Test
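Review bot: the example in 6.2.29 Usage of Nil UUID is a copy of the 6.2.28 example: it uses "id": "ffffffff-ffff-ffff-ffff-ffffffffffff" with "name": "Public", i.e. the Max UUID, while the explanation says "The sharing group id uses the Nil UUID"; the example needs "00000000-0000-0000-0000-000000000000" and the reserved name that belongs to it ("No sharing allowed"). The quick fix for 6.2.29 ("remove the property sharing_group") also discards the leak guard that the Nil UUID exists for in drafts, so it should at least be conditioned on the status not being draft. 6.2.28 and 6.2.30 share one example, which is fine because they flag different conditions, but 6.2.28 as written also fires on every TLP:CLEAR document that follows the SHALL NOT rule of 3.2.2.5.1 (the Max UUID is the only permitted value there); presumably intended given the SHOULD NOT on sharing groups in TLP:CLEAR documents, and worth one sentence saying so.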
@@ -8308,7 +8685,7 @@
/vulnerabilities[]/metrics
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -8359,7 +8736,7 @@
/vulnerabilities[]/metrics[]/content/cvss_v3/version
/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"cvss_v3": {
"version": "3.0",
@@ -8395,7 +8772,7 @@
/vulnerabilities[]/cve
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -8424,7 +8801,7 @@
/vulnerabilities[]/cwe
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"vulnerabilities": [
{
@@ -8450,7 +8827,7 @@
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -8513,7 +8890,7 @@
/vulnerabilities[]/references[]/url
/vulnerabilities[]/remediations[]/url
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"references": [
{
@@ -8543,7 +8920,7 @@
/document/references[]/url
/vulnerabilities[]/references[]/url
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"references": [
{
@@ -8604,7 +8981,7 @@
/vulnerabilities[]/threats[]/details
/vulnerabilities[]/title
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"document": {
// ...
@@ -8639,7 +9016,7 @@
/product_tree/branches
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"branches": [
{
@@ -8684,7 +9061,7 @@
/product_tree/branches[](/branches[])*/category
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"category": "product_version_range",
@@ -8709,7 +9086,7 @@
/product_tree/branches[](/branches[])*/name
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"branches": [
{
@@ -8734,7 +9111,7 @@
/vulnerabilities[]/metrics[]/content
- Example 1 (which fails the test):
+ Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
@@ -8868,7 +9245,7 @@
- Example 1 (minimal with ROLIE document):
+ Example 1 (minimal with ROLIE document):
{
"canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
@@ -8926,7 +9303,7 @@
CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
@@ -8944,7 +9321,7 @@
details.
https://www.example.com/.well-known/csaf/provider-metadata.json
@@ -8960,7 +9337,7 @@
The CSAF documents MUST be located within folders named <YYYY>
where <YYYY>
is the year given in the value of /document/tracking/initial_release_date
.
2024
2023
@@ -8971,7 +9348,7 @@
The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.
2023/esa-2023-09953.json
2022/esa-2022-02723.json
@@ -8986,15 +9363,26 @@
7.1.13 Requirement 13: changes.csv
- The file changes.csv MUST contain the filename as well as the value of /document/tracking/current_release_date
for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the current_release_date
timestamp with the latest one first.
+ The file changes.csv
contains a list of CSAF documents in the current TLP level that were changed recently. Therefore, it MUST contain the filename as well as the value of /document/tracking/current_release_date
for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the
+ current_release_date
timestamp with the latest one first. The changes.csv
SHALL be a valid comma separated values format as defined by [RFC4180] without double quotes.
+
+
+ Note: As a consequence of section sec Requirement 2 for filenames and section sec Requirement for directory names, there must not be any characters within the changes.csv
that would require quoting.
+
+
- "2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
-"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
-"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
-"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"
+ 2023/esa-2023-09953.json,2023-07-01T10:09:07Z
+2021/esa-2021-03676.json,2023-07-01T10:09:01Z
+2022/esa-2022-02723.json,2022-04-17T15:08:41Z
+2021/esa-2021-31916.json,2022-03-01T06:01:00Z
+
+
+ Note: As CSAF 2.0 requires quotes, an [RFC4180] parser can read both format revisions.
+
+
7.1.14 Requirement 14: Directory listings
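Review bot: the cross-reference in the added note ("section sec Requirement 2 for filenames and section sec Requirement for directory names") is rendered with unresolved "sec" tokens and the directory-name requirement has no number at all; resolve both references before publication, e.g. "Requirement 2 (Filename) and the year-folder requirement above". Two further points on the new normative sentence: [RFC4180] mandates CRLF as the record separator, so deferring to RFC 4180 "without double quotes" leaves it open whether an LF-only changes.csv is conformant, and a consumer validating strictly against the RFC needs to know which; and "sorted by the current_release_date timestamp with the latest one first" should say whether the order is by instant (parsed RFC 3339 value) or by string, because the two differ as soon as a publisher uses an offset other than Z, and a consumer reading "what changed since T" should not have to guess. The backward-compatibility note is sound: RFC 4180 permits quoting of any field, so a conformant parser accepts both the quoted 2.0 form and the unquoted 2.1 form shown here.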
@@ -9020,7 +9408,7 @@
MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].
{
"feed": {
@@ -9086,7 +9474,7 @@
the filename service.json
and reside next to the provider-metadata.json
.
{
"service": {
@@ -9153,7 +9541,7 @@
type of product
CPU
Firewall
@@ -9169,7 +9557,7 @@
areas or sectors, the products are used in
Chemical
Commercial
@@ -9187,7 +9575,7 @@
{
"categories": {
@@ -9211,7 +9599,7 @@
MD5 and SHA1 SHOULD NOT be used.
File name of CSAF document: esa-2022-02723.json
File name of SHA-256 hash file: esa-2022-02723.json.sha256
@@ -9220,7 +9608,7 @@
The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.
ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json
@@ -9230,10 +9618,10 @@
7.1.19 Requirement 19: Signatures
- All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See [RFC4880] for more details.
+ All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See [RFC4880] for more details.
File name of CSAF document: esa-2022-02723.json
File name of signature file: esa-2022-02723.json.asc
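Review bot: "This signature SHALL be presented as an ASCII armored file" should also state that it is a detached signature over the unmodified CSAF JSON; an ASCII-armored .asc file can equally be an inline signed message that embeds the document, which would break the side-by-side convention shown ("esa-2022-02723.json" next to "esa-2022-02723.json.asc") and leave consumers unsure which bytes were signed. Suggested wording: "This signature SHALL be a detached signature presented as an ASCII armored file." The wording then yields a cheap conformance check: the file starts with the armor header "-----BEGIN PGP SIGNATURE-----" and verifies against the byte-identical document file with the key from Requirement 20.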
@@ -9255,7 +9643,7 @@
7.1.20 Requirement 20: Public OpenPGP Key
- The public part of the OpenPGP key used to sign the CSAF documents MUST be available. It SHOULD also be available at a public key server.
+ The public part of the OpenPGP key used to sign the CSAF documents MUST be available. This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server.
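Review bot: the added sentence "This key file SHALL be presented as an ASCII armored file" should cite [RFC4880] the way the parallel addition to Requirement 19 does, so both armor requirements are defined by the same reference; the expected armor header for a validator is "-----BEGIN PGP PUBLIC KEY BLOCK-----". It would also help consumers if the requirement said that the file contains only the public key material (a single public key block, no secret key block), since "the public part" currently describes the key but not the file contents.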
@@ -9299,7 +9687,7 @@
The file aggregator.json
SHOULD only list the latest version of the metadata of a CSAF provider.
{
"aggregator": {
@@ -9356,7 +9744,7 @@
{
"aggregator": {
@@ -9921,7 +10309,7 @@
Retrieve the CVSS version from the CVSS vector, if present.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
@@ -9930,7 +10318,7 @@
Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.
xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
<!-- -->
@@ -9939,7 +10327,7 @@
is handled the same as
<ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
@@ -9949,7 +10337,7 @@
decision.
xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
@@ -12324,6 +12712,20 @@
Next Editor Revision
+
+
+ csaf-v2.0-wd20241127-dev
+
+
+ 2024-11-27
+
+
+ Stefan Hagen and Thomas Schmidt
+
+
+ Next Editor Revision
+
+
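Review bot: the new revision-history row identifies this draft as "csaf-v2.0-wd20241127-dev", but the document being edited is the 2.1 specification (the changes.csv hunk above explicitly contrasts it with "CSAF 2.0"); unless the 2.1 working drafts deliberately carry a v2.0 identifier, this reads as a copy-paste from the 2.0 history and should be csaf-v2.1-wd20241127-dev.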
@@ -12345,8 +12747,8 @@
If you come across a case where these limits are exceeded, please provide feedback to the TC.
-
- C.1 File size
+
+ Appendix C. File Size
A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB.
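Review bot: renaming "C.1 File size" to "Appendix C. File Size" drops the subsection number, and the same rename is applied to Array Length and String Length in the next two hunks, while "C.5 URI Length", "C.6 Date" and "C.5 UUID Length" later in this diff keep numbered headings. Either keep C.1/C.2/C.3 with the new title-case spelling or renumber the whole appendix consistently; as committed, three subsections share the heading "Appendix C." and cannot be cross-referenced unambiguously.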
@@ -12357,8 +12759,8 @@
small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.
-
- C.2 Array length
+
+ Appendix C. Array Length
An array SHOULD NOT have more than:
@@ -12610,8 +13012,8 @@
-
- C.3 String length
+
+ Appendix C. String Length
A string SHOULD NOT have a length greater than:
@@ -12634,6 +13036,9 @@
/document/category
+
+ /document/distribution/sharing_group/name
+
/document/lang
@@ -12970,75 +13375,42 @@
-
- C.4 URI length
+
+ C.6 Date
- A string with format uri
SHOULD NOT have a length greater than 20000. This applies to:
+ The maximum length of strings representing a temporal value is given by the format specifier. This applies to:
-
-
/document/acknowledgments[]/urls[]
-
- -
-
/document/aggregate_severity/namespace
-
- -
-
/document/distribution/tlp/url
-
- -
-
/document/references[]/url
-
- -
-
/document/publisher/namespace
-
- -
-
/product_tree/branches[]/product/product_identification_helper/sbom_urls[]
-
- -
-
/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace
-
- -
-
/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri
-
- -
-
/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]
-
- -
-
/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace
-
- -
-
/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri
-
- -
-
/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]
+ /document/tracking/current_release_date
-
-
/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace
+ /document/tracking/generator/date
-
-
/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri
+ /document/tracking/initial_release_date
-
-
/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]
+ /document/tracking/revision_history[]/date
-
-
/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace
+ /vulnerabilities[]/discovery_date
-
-
/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri
+ /vulnerabilities[]/flags[]/date
-
-
/vulnerabilities[]/acknowledgments[]/urls[]
+ /vulnerabilities[]/release_date
-
-
/vulnerabilities[]/metrics[]/source
+ /vulnerabilities[]/involvements[]/date
-
-
/vulnerabilities[]/references[]/url
+ /vulnerabilities[]/remediations[]/date
-
-
/vulnerabilities[]/remediations[]/url
+ /vulnerabilities[]/threats[]/date
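Review bot: this hunk moves "C.6 Date" ahead of the URI-length section, so C.6 now precedes C.5 in reading order; renumber so the appendix runs in sequence. On the substance, "The maximum length of strings representing a temporal value is given by the format specifier" is not actually a bound: RFC 3339 allows an unbounded number of fractional-second digits (time-secfrac = "." 1*DIGIT), so a date-time string has no maximum length unless this specification states one, whereas the other Appendix C entries give explicit numbers (e.g. 20000 for uri). Either state a number for these thirteen fields or say explicitly that no length limit is imposed on them.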
@@ -13347,42 +13719,86 @@
/vulnerabilities[]/threats[]/category
(14)
-
- C.6 Date
+
+ C.5 URI Length
- The maximum length of strings representing a temporal value is given by the format specifier. This applies to:
+ A string with format uri
SHOULD NOT have a length greater than 20000. This applies to:
-
-
/document/tracking/current_release_date
+ /document/acknowledgments[]/urls[]
-
-
/document/tracking/generator/date
+ /document/aggregate_severity/namespace
-
-
/document/tracking/initial_release_date
+ /document/distribution/tlp/url
-
-
/document/tracking/revision_history[]/date
+ /document/references[]/url
-
-
/vulnerabilities[]/discovery_date
+ /document/publisher/namespace
-
-
/vulnerabilities[]/flags[]/date
+ /product_tree/branches[]/product/product_identification_helper/sbom_urls[]
-
-
/vulnerabilities[]/release_date
+ /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace
-
-
/vulnerabilities[]/involvements[]/date
+ /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri
-
-
/vulnerabilities[]/remediations[]/date
+ /product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]
-
-
/vulnerabilities[]/threats[]/date
+ /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace
+
+ -
+
/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri
+
+ -
+
/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]
+
+ -
+
/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace
+
+ -
+
/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri
+
+ -
+
/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]
+
+ -
+
/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace
+
+ -
+
/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri
+
+ -
+
/vulnerabilities[]/acknowledgments[]/urls[]
+
+ -
+
/vulnerabilities[]/metrics[]/source
+
+ -
+
/vulnerabilities[]/references[]/url
+
+ -
+
/vulnerabilities[]/remediations[]/url
+
+
+
+ C.5 UUID Length
+
+
+ A string with format uuid
SHOULD NOT have a length greater than 50. This applies to:
+
+
+ -
+
/document/distribution/sharing_group/id
(36)
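Review bot: both new headings carry the number "C.5" ("C.5 URI Length" and "C.5 UUID Length"); with "C.6 Date" already placed before them in this diff, the UUID section needs its own number (C.7 if Date stays C.6, or renumber the appendix end to end). The limit itself is consistent with the "(36)" annotation, since the canonical hyphenated UUID form is exactly 36 characters; if the 14 characters of headroom up to 50 are intentional (for example to tolerate a urn:uuid: prefix, which would make 45), say so, otherwise a validator enforcing format uuid will already reject anything but the 36-character form and the 50 is misleading.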