From 6bd3ac0fe93d3908db23c1bc61382aa72df174bf Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 18 Oct 2024 00:25:21 +0200
Subject: [PATCH 1/8] Redirects
- resolves oasis-tcs/csaf#798
- add sentence about max redirects
---
csaf_2.1/prose/edit/src/distributing.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
index 954498e5..6846e9a0 100644
--- a/csaf_2.1/prose/edit/src/distributing.md
+++ b/csaf_2.1/prose/edit/src/distributing.md
@@ -50,6 +50,8 @@ Redirects SHOULD NOT be used. If they are inevitable only HTTP Header redirects > Reasoning: Clients should not parse the payload for navigation and some, as e.g. `curl`, do not follow any other kind of redirects. +If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects. + ### Requirement 7: provider-metadata.json The party MUST provide a valid `provider-metadata.json` according to the schema
From 79ceffe805ce5d50d60e96d8ba5495630ffe2e05 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 25 Oct 2024 21:23:39 +0200
Subject: [PATCH 2/8] Mandatory TLP 2.0
- addresses parts of oasis-tcs/csaf#633
- mark test 6.2.10 as obsolete and present reasoning
- remove test files for 6.2.10
- adapt test schema and test data list
---
csaf_2.1/prose/edit/src/tests-02-optional.md | 23 ++------------
...oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json | 30 -------------------
csaf_2.1/test/validator/data/testcases.json | 10 -------
.../test/validator/testcases_json_schema.json | 2 +-
4 files changed, 4 insertions(+), 61 deletions(-)
delete mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 623ee200..53aa294e 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -322,27 +322,10 @@ The relevant paths for this test are: > The hash algorithm `sha1` is used in one item of hashes without being accompanied by a second hash algorithm. -### Missing TLP label (deprecated){#missing-tlp-label} +### Missing TLP label (obsolete){#missing-tlp-label} -It MUST be tested that `/document/distribution/tlp/label` is present and valid. - -> TLP labels support the machine-readability and automated distribution. - -The relevant path for this test is: - -``` - /document/distribution/tlp/label -``` - -*Example 1 (which fails the test):* - -``` - "distribution": { - "text": "Distribute freely." - } -``` - -> The CSAF document has no TLP label. +> The TLP label is now mandatory. Therefore, the optional test is obsolete. +> This section is kept to avoid confusion and number changes. ### Missing Canonical URL
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json
deleted file mode 100644
index 59f90697..00000000
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
- "document": {
- "category": "csaf_base",
- "csaf_version": "2.1",
- "distribution": {
- "text": "Distribute freely."
- },
- "publisher": {
- "category": "other",
- "name": "OASIS CSAF TC",
- "namespace": "https://csaf.io"
- },
- "title": "Optional test: Missing TLP label (failing example 1)",
- "tracking": {
- "current_release_date": "2024-01-24T10:00:00.000Z",
- "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-10-01",
- "initial_release_date": "2024-01-24T10:00:00.000Z",
- "revision_history": [
- {
- "date": "2024-01-24T10:00:00.000Z",
- "number": "1",
- "summary": "Initial version."
- }
- ],
- "status": "final",
- "version": "1"
- }
- }
-}
\ No newline at end of file
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 4180ec2c..ce696ccf 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1155,16 +1155,6 @@ } ] }, - { - "id": "6.2.10", - "group": "optional", - "failures": [ - { - "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json", - "valid": true - } - ] - }, { "id": "6.2.11", "group": "optional",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index ddb189a6..7cb82029 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$" }, "valid": { "title": "List of valid examples",
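Review bot: The new `pattern` deliberately stops matching `6.2.10` (the old `[12]\\.1[0-9]` branch becomes `(1\\.10)|([12]\\.1[1-9])`), but nothing in the schema records why, so a reader of `testcases_json_schema.json` cannot distinguish an obsoleted test number from a gap introduced by mistake, and the next obsoleted test will need the same hand surgery on an ever longer alternation. I would state the intent in the sibling `description` of the same property: `"description": "Contains the section number of the test in the specification. Numbers of tests the specification marks as obsolete (currently 6.2.10) are intentionally not matched, so their entries cannot be re-added to testcases.json by accident."` As a style point, ordering the branches by section (`1\\.…`, then `2\\.…`, then `3\\.…`) would make such gaps visible at a glance without changing what the alternation accepts. The enclosing `id` property object begins before this hunk.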
From f169954c4384b7fcbdd1f94698abb68f943943e0 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 25 Oct 2024 21:25:52 +0200
Subject: [PATCH 3/8] Mandatory TLP 2.0
- addresses parts of oasis-tcs/csaf#633
- clarify wording regarding required TLP
---
csaf_2.1/prose/edit/src/tests-02-optional.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 53aa294e..934afb9d 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -324,7 +324,7 @@ The relevant paths for this test are: ### Missing TLP label (obsolete){#missing-tlp-label} -> The TLP label is now mandatory. Therefore, the optional test is obsolete. +> The TLP label is now mandatory and enforce by the schema. Therefore, the optional test is obsolete. > This section is kept to avoid confusion and number changes. ### Missing Canonical URL
From 9b2c2031a8a84dac03abcbded79d977182cf40b2 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 25 Oct 2024 21:29:20 +0200
Subject: [PATCH 4/8] Revert "Code block syntax"
---
...a-elements-01-defs-03-full-product-name.md | 25 +++++++++----------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
index 1eb28bff..78bd55f5 100644
--- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
+++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
@@ -51,29 +51,28 @@ and `x_generic_uris`, one is mandatory. "cpe": { // ... }, - "hashes": [ + "hashes": { // ... - ], - "model_numbers": [ + }, + "model_numbers": { // ... - ], + }, "purl": { // ... }, - "sbom_urls": [ + "sbom_urls": { // ... - ], - "serial_numbers": [ + }, + "serial_numbers": { // ... - ], - "skus": [ + "skus": { // ... - ], - "x_generic_uris": [ + }, + "x_generic_uris": { // ... - ] + } } - } ``` ##### Full Product Name Type - Product Identification Helper - CPE
From a0386534b4da21d504614ff19db23580d3d58cd2 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 25 Oct 2024 21:40:41 +0200
Subject: [PATCH 5/8] Mandatory TLP 2.0
- addresses parts of oasis-tcs/csaf#633
- clarify in the wording that it is required, not mandatory to avoid confusion with mandatory tests
---
csaf_2.1/prose/edit/src/tests-02-optional.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 934afb9d..5aeb871b 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -324,7 +324,7 @@ The relevant paths for this test are: ### Missing TLP label (obsolete){#missing-tlp-label} -> The TLP label is now mandatory and enforce by the schema. Therefore, the optional test is obsolete. +> The TLP label is now required and enforce by the schema. Therefore, the optional test is obsolete. > This section is kept to avoid confusion and number changes. ### Missing Canonical URL
From f826d1e4437f91402eb05ab8d3fa75e080c600f7 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 25 Oct 2024 22:30:28 +0200
Subject: [PATCH 6/8] Requirements 9 and 10
- fixes oasis-tcs/csaf#811
- add comment that not redirects are allowed in requirement 9 and 10
---
csaf_2.1/prose/edit/src/distributing.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
index 6846e9a0..e5bcd940 100644
--- a/csaf_2.1/prose/edit/src/distributing.md
+++ b/csaf_2.1/prose/edit/src/distributing.md
@@ -150,7 +150,7 @@ If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF e ### Requirement 9: Well-known URL for provider-metadata.json The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the issuing authority serves directly -the `provider-metadata.json` according to requirement 7. +the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details. *Example 1:*
@@ -162,7 +162,7 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details ### Requirement 10: DNS path The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly -the `provider-metadata.json` according to requirement 7. +the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. ### Requirement 11: One folder per year
From 8ec5d8fa8ae2218d609f94cf32db9204fd951525 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 25 Oct 2024 22:33:36 +0200
Subject: [PATCH 7/8] RFC 9116
- addresses parts of oasis-tcs/csaf#318
- reflect current state of CSAF field in security.txt
---
csaf_2.1/prose/edit/src/distributing.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
index e5bcd940..8dfb5d20 100644
--- a/csaf_2.1/prose/edit/src/distributing.md
+++ b/csaf_2.1/prose/edit/src/distributing.md
@@ -130,8 +130,8 @@ In the security.txt there MUST be at least one field `CSAF` which points to the If this field indicates a web URI, then it MUST begin with "https://" (as per section 2.7.2 of [cite](#RFC7230)). See [cite](#SECURITY-TXT) for more details. -> The security.txt was published as [cite](#RFC9116) in April 2022. At the time of this writing, -> the `CSAF` field is in the process of being officially added. +> The security.txt was published as [cite](#RFC9116) in April 2022. +> The `CSAF` field was officially added through the IANA registry. *Examples 1:*
From dd92a3c9fd621312662b088dfae51f3eb21311e7 Mon Sep 17 00:00:00 2001
From: Stefan Hagen
Date: Fri, 25 Oct 2024 23:44:54 +0200
Subject: [PATCH 8/8] Review feedback
- instead of fixing the wrong form of enforce removed the enforcement as the schema can only require (the validator may enforce).
- calmed the waters even more by removing the word confusion and focusing on documentation and numbering of remaining sections
---
csaf_2.1/prose/edit/src/tests-02-optional.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 5aeb871b..67d5f5cb 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -324,8 +324,8 @@ The relevant paths for this test are: ### Missing TLP label (obsolete){#missing-tlp-label} -> The TLP label is now required and enforce by the schema. Therefore, the optional test is obsolete. -> This section is kept to avoid confusion and number changes. +> The TLP label is now required by the schema. Therefore, the optional test is obsolete. +> This section is kept to document that change and keep the numbering of the remaining sections stable. ### Missing Canonical URL