
New value: "patch_for_not_affected" or similar in "remediation" #563

Closed
santosomar opened this issue Jun 29, 2022 · 7 comments · Fixed by #819

Assignees: none
Labels:
  • csaf 2.1 (csaf 2.1 work)
  • editor-revision (already worked on in the editor revision)
  • enhancement
  • motion_passed (A motion has passed)

Comments

@santosomar (Contributor)

The TC voted on June 29th, 2022 to add a new field to CSAF 2.1, as requested by Feng Cao in the following email:
https://www.oasis-open.org/apps/org/workgroup/csaf/email/archives/202206/msg00006.html

Dear TC members,

I'd like to discuss adding a new value for "category" in
"remediation".

Problem:

The third-party CVEs will be announced in advisories. Some of them are
re-scored with CVSSv3.1 = 0.0. "known_not_affected" is used in
"product_status". In "remediation", "category" doesn't have a matching
value for "known_not_affected".

(The reason to announce them with CVSSv3.1 = 0.0 is to provide
the info to the customers, as their scanners might catch the third-party
components, and then they will ask support.)

Solution:

Add a new value, such as "patch_for_not_affected".

Thanks,

Feng Cao, PHD, CISSP, PMP
Oracle Security Alerts
@santosomar (Contributor, Author)

FYI only: A similar suggestion for "remediation" fields was proposed at #662

@santosomar (Contributor, Author)

santosomar commented Nov 29, 2023

Other suggestions from the TC about the naming for the field:

  • optional_patch
  • RegulatoryCompliancePatch
  • unnecessary_patch

@tschmidtb51 (Contributor)

This is related to #665

@tschmidtb51 (Contributor)

@santosomar Was there a motion regarding the addition? If so, please link it here and state the result.

@santosomar (Contributor, Author)

Yes, indeed.

https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2022/2022-06-29.md

Quote:

Feng Cao suggested the consideration of adding a new value under remediations for "patch_for_not_affected". The suggestion was sent via email.

  • Omar set a motion to include Feng's recommendations for 2.1 as an addition to CSAF in the current version.

  • Denny seconded the motion.

  • The motion to add the new remediation has passed. This is documented in issue #563.

@tschmidtb51 (Contributor)

@santosomar: Thank you - I read over the first sentence.

@tschmidtb51 tschmidtb51 added csaf 2.1 csaf 2.1 work motion_passed A motion has passed and removed csaf 2.x Maybe future labels Aug 27, 2024
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#563
- add value "optional_patch"
- adapt prose
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#563
- add conversion rule for CVRF
- add conversion rule from CSAF 2.0
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- clarify that reference of products can be direct or indirect
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting remediations
- add invalid examples
- add valid examples
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- remove duplicate notes about mutually exclusive categories
- add table for contradicting product status group remediation category combinations
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting Product status remediations combinations
- add invalid examples
- add valid examples
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- fix spelling mistake
- improve wording
- clarify that this also applies to indirect relationships through product groups
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- add optional test for discouraged product status remediation combinations
- add invalid examples
- add valid examples
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 24, 2024
- addresses parts of oasis-tcs#662, oasis-tcs#563
- correct example
- add valid example
- add invalid example
@tschmidtb51 (Contributor)

@fjscao: Please have a look at the suggestion in #804

tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- clarify that reference of products can be direct or indirect
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting remediations
- add invalid examples
- add valid examples
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- remove duplicate notes about mutually exclusive categories
- add table for contradicting product status group remediation category combinations
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting Product status remediations combinations
- add invalid examples
- add valid examples
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- fix spelling mistake
- improve wording
- clarify that this also applies to indirect relationships through product groups
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add optional test for discouraged product status remediation combinations
- add invalid examples
- add valid examples
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Oct 25, 2024
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- correct example
- add valid example
- add invalid example
@tschmidtb51 tschmidtb51 added the editor-revision already worked on in the editor revision label Oct 25, 2024
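As an added illustration (not code from the oasis-tcs/csaf project or from any participant in this thread), the Python checker below shows the kind of consistency test the commit messages above describe: it resolves each remediation's product_ids and group_ids against product_tree.product_groups and flags any remediation whose category contradicts the status of a product it covers, which is the gap Feng Cao's email points at for "known_not_affected". The product_status keys and the CSAF 2.0 remediation categories are CSAF's own; "optional_patch" is the value the commits in this thread add for 2.1; the contradiction matrix, the placeholder CVE id and the sample document are assumptions constructed for this example, not the specification's normative table.

```python
"""Flag product_status / remediation category combinations in a CSAF document
that contradict each other.

Added illustration for this issue thread, not code from the oasis-tcs/csaf
project. The contradiction matrix below is an assumption made for this example,
not the specification's normative table.
"""

# Map each CSAF product_status key to its status group (CSAF 2.0 keys).
STATUS_GROUP = {
    "first_affected": "affected",
    "known_affected": "affected",
    "last_affected": "affected",
    "known_not_affected": "not_affected",
    "first_fixed": "fixed",
    "fixed": "fixed",
    "under_investigation": "under_investigation",
    "recommended": "recommended",
}

# ASSUMPTION (illustrative only): which remediation categories contradict which
# status group. A product that is known not to be affected has nothing to fix,
# so every category except the new "optional_patch" contradicts it; a product
# that is already fixed cannot at the same time lack a fix.
CONTRADICTING = {
    "not_affected": {"vendor_fix", "workaround", "mitigation",
                     "none_available", "no_fix_planned"},
    "fixed": {"none_available", "no_fix_planned"},
}


def group_members(doc):
    """Return {group_id: [product_id, ...]} from product_tree.product_groups."""
    groups = doc.get("product_tree", {}).get("product_groups", [])
    return {g["group_id"]: list(g.get("product_ids", [])) for g in groups}


def products_of(remediation, groups):
    """Products a remediation applies to: direct product_ids plus resolved group_ids."""
    ids = set(remediation.get("product_ids", []))
    for gid in remediation.get("group_ids", []):
        ids.update(groups.get(gid, []))
    return ids


def find_contradictions(doc):
    """Return (cve, product_id, status_group, category) for every remediation
    whose category contradicts the status of a product it references, whether
    the reference is direct (product_ids) or indirect (group_ids)."""
    groups = group_members(doc)
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        status_of = {}  # product_id -> set of status groups
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                status_of.setdefault(pid, set()).add(STATUS_GROUP[status])
        for rem in vuln.get("remediations", []):
            category = rem["category"]
            for pid in sorted(products_of(rem, groups)):
                for grp in sorted(status_of.get(pid, ())):
                    if category in CONTRADICTING.get(grp, ()):
                        findings.append((vuln.get("cve"), pid, grp, category))
    return findings


# Constructed sample: a fragment of a CSAF document with placeholder identifiers.
SAMPLE_DOC = {
    "product_tree": {
        "product_groups": [
            {"group_id": "CSAFGID-0001",
             "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-0000-00000",  # placeholder, not a real CVE id
            "product_status": {
                "known_not_affected": ["CSAFPID-0001"],
                "known_affected": ["CSAFPID-0002"],
            },
            "remediations": [
                # Applied to the whole group, so it also covers the not-affected product.
                {"category": "vendor_fix", "details": "Apply the fix.",
                 "group_ids": ["CSAFGID-0001"]},
                # The category the thread asks for: a patch offered for a
                # product that is not affected, e.g. to satisfy scanners.
                {"category": "optional_patch", "details": "Patch offered to satisfy scanners.",
                 "product_ids": ["CSAFPID-0001"]},
            ],
        }
    ],
}

if __name__ == "__main__":
    for cve, pid, grp, cat in find_contradictions(SAMPLE_DOC):
        print(f"{cve}: {pid} is {grp} but remediation category is {cat}")
```

Running the module reports the "vendor_fix" remediation for CSAFPID-0001, because the group reference pulls a product that is known not to be affected under a fix category, while the "optional_patch" remediation on the same product passes. Resolving group_ids before checking is what makes the test catch the indirect case the commit messages mention.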