Remediation categories #807

tschmidtb51

- addresses parts of oasis-tcs#563
- add value "optional_patch"
- adapt prose
- addresses parts of oasis-tcs#563
- add conversion rule for CVRF
- add conversion rule from CSAF 2.0
- addresses parts of oasis-tcs#662
- add value `fix_planned` as remediation category
- adapt prose
- restructure mutually exclusive categories
- addresses parts of oasis-tcs#662
- add conversion rule from CVRF
- add conversion rule from CSAF 2.0
- fix format mistake
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- clarify that reference of products can be direct or indirect
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting remediations
- add invalid examples
- add valid examples
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- remove duplicate notes about mutually exclusive categories
- add table for contradicting product status group remediation category combinations
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting Product status remediations combinations
- add invalid examples
- add valid examples
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- fix spelling mistake
- improve wording
- clarify that this also applies to indirect relationships through product groups
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add optional test for discouraged product status remediation combinations
- add invalid examples
- add valid examples
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- correct example
- add valid example
- add invalid example
@tschmidtb51 tschmidtb51 added editor-revision already worked on in the editor revision csaf 2.1 csaf 2.1 work call_to_action a call to action has been send out labels Oct 25, 2024
@tschmidtb51 tschmidtb51 requested a review from sthagen October 25, 2024 19:02
@tschmidtb51 tschmidtb51 self-assigned this Oct 25, 2024
@tschmidtb51 tschmidtb51 marked this pull request as ready for review October 25, 2024 19:06
@tschmidtb51 tschmidtb51 marked this pull request as draft October 25, 2024 19:06
The following tables shows the allowed and prohibited combinations:

| category value | `workaround` | `mitigation` | `vendor_fix` | `optional_patch` | `none_available` | `fix_planned` | `no_fix_planned` |
|:----------------:|:------------:|:------------:|:------------:|:----------------:|:----------------:|:-------------:|:----------------:|
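Review bot: the sentence introducing this table has a number-agreement slip: "The following tables shows" should read "The following table shows"; the sentence before the second (product status) table has the same wording and should be fixed together with this one.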

What about left-aligning the cell values (instead of centering)?

@tschmidtb51 tschmidtb51 Oct 25, 2024

I guess that is a style thing - what do you prefer?

The following tables shows the allowed, discouraged and prohibited combinations:

| category value | Affected | Not Affected | Fixed | Under Investigation | Recommended |
|:----------------:|:----------:|:------------:|:-----------:|:-------------------:|:-----------:|
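Review bot: same wording slip as before the first table: "The following tables shows the allowed, discouraged and prohibited combinations" should read "The following table shows ...".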

What about left-aligning also here the cell values (instead of centering)?

> A tool MAY apply the conversion rules from the conformance target CSAF 2.0 to CSAF 2.1 converter if applicable or
> remove the product from the remediation with the lower priority.
> The priority MAY be defined as follows:
> `vendor_fix` > `mitigation` > `workaround` > `fix_planned` > `no_fix_planned` > `optional_patch` > `none_available`
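Review bot: the ordering is introduced with MAY, so two converters can resolve the same contradicting pair differently (one drops the product from the lower-priority remediation in this order, another applies a different order), which makes converted documents non-comparable. If interoperable output is wanted, consider SHOULD for the ordering, or state explicitly that the listed order is only an example.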

I am always tempted to write the escaped > for these relationships, but if a bare greater works 🆗

Contributor Author

vendor_fix > mitigation > workaround > fix_planned > no_fix_planned > optional_patch > none_available

Looks like it does...
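The priority rule quoted above, worked through in code. This is an added illustration, not code from the PR or from the CSAF project's own tooling. Because the PR's table of prohibited category combinations is not reproduced on this page, the block assumes one illustrative contradicting pair (`vendor_fix` / `none_available`); the product IDs, group IDs and remediation entries are constructed, and products referenced indirectly through product groups are handled as the commit messages describe.

```python
from copy import deepcopy

# Priority order quoted from the PR text, highest priority first.
PRIORITY = ["vendor_fix", "mitigation", "workaround", "fix_planned",
            "no_fix_planned", "optional_patch", "none_available"]
RANK = {cat: i for i, cat in enumerate(PRIORITY)}

# ASSUMPTION: the PR's table of prohibited combinations is not reproduced on this page,
# so this illustrative set treats only vendor_fix / none_available as contradicting.
CONTRADICTING = {frozenset({"vendor_fix", "none_available"})}


def products_of(remediation, product_groups):
    """Every product a remediation refers to: direct product_ids plus group members."""
    ids = set(remediation.get("product_ids", []))
    for gid in remediation.get("group_ids", []):
        ids.update(product_groups.get(gid, []))
    return ids


def resolve_contradictions(remediations, product_groups, contradicting=CONTRADICTING):
    """Drop each product shared by two contradicting remediations from the lower-priority one.

    A product that reaches the lower-priority remediation only through a group cannot be
    removed by editing product_ids, so it is reported for manual review instead.
    """
    rems = deepcopy(remediations)
    log = []
    for i, a in enumerate(rems):
        for b in rems[i + 1:]:
            if frozenset({a["category"], b["category"]}) not in contradicting:
                continue
            # The larger rank is the lower priority and loses the product.
            low, high = (a, b) if RANK[a["category"]] > RANK[b["category"]] else (b, a)
            shared = products_of(low, product_groups) & products_of(high, product_groups)
            for pid in sorted(shared):
                if pid in low.get("product_ids", []):
                    low["product_ids"].remove(pid)
                    log.append(f"removed {pid} from {low['category']} (kept {high['category']})")
                if pid in products_of(low, product_groups):  # still reachable via a group
                    log.append(f"{pid} reaches {low['category']} via group_ids; review manually")
    return rems, log


# Constructed sample: CSAFPID-0002 is in none_available only via product group CSAFGID-0001.
PRODUCT_GROUPS = {"CSAFGID-0001": ["CSAFPID-0002"]}
REMEDIATIONS = [
    {"category": "none_available", "product_ids": ["CSAFPID-0001", "CSAFPID-0003"],
     "group_ids": ["CSAFGID-0001"]},
    {"category": "vendor_fix", "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]},
    {"category": "workaround", "product_ids": ["CSAFPID-0001"]},
]
```

Calling `resolve_contradictions(REMEDIATIONS, PRODUCT_GROUPS)` removes CSAFPID-0001 from `none_available` (keeping it in `vendor_fix`) and flags CSAFPID-0002, which only reaches `none_available` through the group; the `workaround` entry is untouched because it is not in the assumed contradicting set.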


@sthagen sthagen left a comment


LGTM.

- addresses parts of oasis-tcs#541
- add missing files to bind.txt
- addresses review comments from oasis-tcs#807
- convert unnecessary upper case to lower case

@sthagen sthagen left a comment


SLGTM.

@jdstefaniak

LGTM @tschmidtb51. Thank You.

@tschmidtb51 tschmidtb51 marked this pull request as ready for review October 30, 2024 17:38
@santosomar

A motion was moved by Thomas to include the changes suggested in this pull request, during the CSAF TC monthly meeting on 2024-10-30. The motion was seconded by Omar. The motion passed.

@santosomar santosomar merged commit 1475f37 into oasis-tcs:editor-revision-2024-10-30 Oct 30, 2024
5 checks passed