From c813a563b68ec5c796cfb1222ae79548d77aca19 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:03:31 +0100
Subject: [PATCH 01/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652
- add CVSS v4 to JSON schema
---
 csaf_2.1/json_schema/csaf_json_schema.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index 1c518685..1c42ccb5 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1350,6 +1350,9 @@
 }
 ]
 },
+ "cvss_v4": {
+ "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+ },
 "products": {
 "$ref": "#/$defs/products_t"
 }
From 75669a815dfbb162b02dc9651c58cc1308e254e3 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:35:10 +0100
Subject: [PATCH 02/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652
- add CVSS v4.0 to referenced schemas
- add strict version of schema
---
 .../referenced_schema/first/cvss-v4.0.json | 387 ++++++++++++
 .../first/cvss-v4.0_strict.json | 566 ++++++++++++++++++
 2 files changed, 953 insertions(+)
 create mode 100644 csaf_2.1/referenced_schema/first/cvss-v4.0.json
 create mode 100644 csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
diff --git a/csaf_2.1/referenced_schema/first/cvss-v4.0.json b/csaf_2.1/referenced_schema/first/cvss-v4.0.json
new file mode 100644
index 00000000..695ad9e5
--- /dev/null
+++ b/csaf_2.1/referenced_schema/first/cvss-v4.0.json
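Review bot: The new `cvss_v4` entry references `https://www.first.org/cvss/cvss-v4.0.json`, while the copy vendored in PATCH 02 declares `"$id": "https://www.first.org/cvss/cvss-v4.0.json?20231011"`; whether the validator matches this `$ref` to that file by `$id` or by the order of schema paths on its command line is not visible here, so confirm that the local copy is what gets resolved and that no consumer falls back to fetching the URL over the network at validation time. The `cvss_v3` sibling is a `oneOf` over two schema revisions (per the prose in PATCH 05), so a single `$ref` is a reasonable shape for a version with one published schema, but the vendored copy and this `$ref` then have to be bumped together whenever FIRST revises the 4.0 schema. The enclosing score-item `properties` object starts and ends outside the hunk.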
@@ -0,0 +1,387 @@ +{ + "license": [ + "Copyright (c) 2023, FIRST.ORG, INC.", + "All rights reserved.", + "", + "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", + "following conditions are met:", + "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", + " disclaimer.", + "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", + " following disclaimer in the documentation and/or other materials provided with the distribution.", + "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", + " products derived from this software without specific prior written permission.", + "", + "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", + "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", + "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", + "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", + "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", + "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", + "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
+ ], + + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "$id": "https://www.first.org/cvss/cvss-v4.0.json?20231011", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT", "LOCAL", "PHYSICAL" ] + }, + "modifiedAttackVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT", "LOCAL", "PHYSICAL", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "attackComplexityType": { + "type": "string", + "enum": [ "HIGH", "LOW" ] + }, + "modifiedAttackComplexityType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "attackRequirementsType": { + "type": "string", + "enum": [ "NONE", "PRESENT" ] + }, + "modifiedAttackRequirementsType": { + "type": "string", + "enum": [ "NONE", "PRESENT", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "privilegesRequiredType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NONE" ] + }, + "modifiedPrivilegesRequiredType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "userInteractionType": { + "type": "string", + "enum": [ "NONE", "PASSIVE", "ACTIVE" ] + }, + "modifiedUserInteractionType": { + "type": "string", + "enum": [ "NONE", "PASSIVE", "ACTIVE", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "vulnCiaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH" ] + }, + "modifiedVulnCiaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "subCiaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH" ] + }, + "modifiedSubCType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "modifiedSubIaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH", "SAFETY", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "exploitMaturityType": { 
+ "type": "string", + "enum": [ "UNREPORTED", "PROOF_OF_CONCEPT", "ATTACKED", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "ciaRequirementType": { + "type": "string", + "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "safetyType": { + "type": "string", + "enum": [ "NEGLIGIBLE", "PRESENT", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "automatableType": { + "type": "string", + "enum": [ "NO", "YES", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "recoveryType": { + "type": "string", + "enum": [ "AUTOMATIC", "USER", "IRRECOVERABLE", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "valueDensityType": { + "type": "string", + "enum": [ "DIFFUSE", "CONCENTRATED", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "vulnerabilityResponseEffortType": { + "type": "string", + "enum": [ "LOW", "MODERATE", "HIGH", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "providerUrgencyType": { + "type": "string", + "enum": [ "CLEAR", "GREEN", "AMBER", "RED", "NOT_DEFINED" ], + "default": "NOT_DEFINED" + }, + "noneScoreType": { + "type": "number", + "minimum": 0.0, + "maximum": 0.0 + }, + "lowScoreType": { + "type": "number", + "minimum": 0.1, + "maximum": 3.9, + "multipleOf": 0.1 + }, + "mediumScoreType": { + "type": "number", + "minimum": 4.0, + "maximum": 6.9, + "multipleOf": 0.1 + }, + "highScoreType": { + "type": "number", + "minimum": 7.0, + "maximum": 8.9, + "multipleOf": 0.1 + }, + "criticalScoreType": { + "type": "number", + "minimum": 9.0, + "maximum": 10, + "multipleOf": 0.1 + }, + "noneSeverityType": { + "const": "NONE" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "highSeverityType": { + "const": "HIGH" + }, + "criticalSeverityType": { + "const": "CRITICAL" + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ "4.0" ] + }, + "vectorString": { + "type": "string", + "pattern": 
"^CVSS:4[.]0\/AV:[NALP]\/AC:[LH]\/AT:[NP]\/PR:[NLH]\/UI:[NPA]\/VC:[HLN]\/VI:[HLN]\/VA:[HLN]\/SC:[HLN]\/SI:[HLN]\/SA:[HLN](\/E:[XAPU])?(\/CR:[XHML])?(\/IR:[XHML])?(\/AR:[XHML])?(\/MAV:[XNALP])?(\/MAC:[XLH])?(\/MAT:[XNP])?(\/MPR:[XNLH])?(\/MUI:[XNPA])?(\/MVC:[XNLH])?(\/MVI:[XNLH])?(\/MVA:[XNLH])?(\/MSC:[XNLH])?(\/MSI:[XNLHS])?(\/MSA:[XNLHS])?(\/S:[XNP])?(\/AU:[XNY])?(\/R:[XAUI])?(\/V:[XDC])?(\/RE:[XLMH])?(\/U:(X|Clear|Green|Amber|Red))?$" + }, + "attackVector": { "$ref": "#/definitions/attackVectorType" }, + "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, + "attackRequirements": { "$ref": "#/definitions/attackRequirementsType" }, + "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, + "userInteraction": { "$ref": "#/definitions/userInteractionType" }, + "vulnConfidentialityImpact": { "$ref": "#/definitions/vulnCiaType" }, + "vulnIntegrityImpact": { "$ref": "#/definitions/vulnCiaType" }, + "vulnAvailabilityImpact": { "$ref": "#/definitions/vulnCiaType" }, + "subConfidentialityImpact": { "$ref": "#/definitions/subCiaType" }, + "subIntegrityImpact": { "$ref": "#/definitions/subCiaType" }, + "subAvailabilityImpact": { "$ref": "#/definitions/subCiaType" }, + "exploitMaturity": { "$ref": "#/definitions/exploitMaturityType" }, + "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, + "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, + "modifiedAttackRequirements": { "$ref": "#/definitions/modifiedAttackRequirementsType" }, + "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, + "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, + "modifiedVulnConfidentialityImpact": { "$ref": 
"#/definitions/modifiedVulnCiaType" }, + "modifiedVulnIntegrityImpact": { "$ref": "#/definitions/modifiedVulnCiaType" }, + "modifiedVulnAvailabilityImpact": { "$ref": "#/definitions/modifiedVulnCiaType" }, + "modifiedSubConfidentialityImpact": { "$ref": "#/definitions/modifiedSubCType" }, + "modifiedSubIntegrityImpact": { "$ref": "#/definitions/modifiedSubIaType" }, + "modifiedSubAvailabilityImpact": { "$ref": "#/definitions/modifiedSubIaType" }, + "Safety": { "$ref": "#/definitions/safetyType" }, + "Automatable": { "$ref": "#/definitions/automatableType" }, + "Recovery": { "$ref": "#/definitions/recoveryType" }, + "valueDensity": { "$ref": "#/definitions/valueDensityType" }, + "vulnerabilityResponseEffort": { "$ref": "#/definitions/vulnerabilityResponseEffortType" }, + "providerUrgency": { "$ref": "#/definitions/providerUrgencyType" } + }, + "allOf": [ + { + "anyOf": [{ + "properties": { + "baseScore" : { + "$ref": "#/definitions/noneScoreType" + }, + "baseSeverity" : { + "$ref": "#/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore" : { + "$ref": "#/definitions/lowScoreType" + }, + "baseSeverity" : { + "$ref": "#/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore" : { + "$ref": "#/definitions/mediumScoreType" + }, + "baseSeverity" : { + "$ref": "#/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore" : { + "$ref": "#/definitions/highScoreType" + }, + "baseSeverity" : { + "$ref": "#/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore" : { + "$ref": "#/definitions/criticalScoreType" + }, + "baseSeverity" : { + "$ref": "#/definitions/criticalSeverityType" + } + } + }] + }, + { + "anyOf": [{ + "properties": { + "threatScore" : { + "$ref": "#/definitions/noneScoreType" + }, + "threatSeverity" : { + "$ref": "#/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore" : { + "$ref": "#/definitions/lowScoreType" + }, + "threatSeverity" : { + 
"$ref": "#/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "threatScore" : { + "$ref": "#/definitions/mediumScoreType" + }, + "threatSeverity" : { + "$ref": "#/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "threatScore" : { + "$ref": "#/definitions/highScoreType" + }, + "threatSeverity" : { + "$ref": "#/definitions/highSeverityType" + } + } + }, + { + "properties": { + "threatScore" : { + "$ref": "#/definitions/criticalScoreType" + }, + "threatSeverity" : { + "$ref": "#/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "environmentalScore" : { + "$ref": "#/definitions/noneScoreType" + }, + "environmentalSeverity" : { + "$ref": "#/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore" : { + "$ref": "#/definitions/lowScoreType" + }, + "environmentalSeverity" : { + "$ref": "#/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "environmentalScore" : { + "$ref": "#/definitions/mediumScoreType" + }, + "environmentalSeverity" : { + "$ref": "#/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "environmentalScore" : { + "$ref": "#/definitions/highScoreType" + }, + "environmentalSeverity" : { + "$ref": "#/definitions/highSeverityType" + } + } + }, + { + "properties": { + "environmentalScore" : { + "$ref": "#/definitions/criticalScoreType" + }, + "environmentalSeverity" : { + "$ref": "#/definitions/criticalSeverityType" + } + } + } + ] + } + ], + "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] +} diff --git a/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json b/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json new file mode 100644 index 00000000..42d86d93 --- /dev/null +++ b/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json 
@@ -0,0 +1,566 @@ +{ + "$id": "https://www.first.org/cvss/cvss-v4.0.json?20231011", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "threatScore": { + "$ref": "#/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/lowScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/mediumScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/highScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/highSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/criticalScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/noneScoreType" + }, + 
"environmentalSeverity": { + "$ref": "#/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/lowScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/mediumScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/highScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/highSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/criticalScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/criticalSeverityType" + } + } + } + ] + } + ], + "definitions": { + "attackComplexityType": { + "enum": [ + "HIGH", + "LOW" + ], + "type": "string" + }, + "attackRequirementsType": { + "enum": [ + "NONE", + "PRESENT" + ], + "type": "string" + }, + "attackVectorType": { + "enum": [ + "NETWORK", + "ADJACENT", + "LOCAL", + "PHYSICAL" + ], + "type": "string" + }, + "automatableType": { + "default": "NOT_DEFINED", + "enum": [ + "NO", + "YES", + "NOT_DEFINED" + ], + "type": "string" + }, + "ciaRequirementType": { + "default": "NOT_DEFINED", + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "criticalScoreType": { + "maximum": 10, + "minimum": 9.0, + "multipleOf": 0.1, + "type": "number" + }, + "criticalSeverityType": { + "const": "CRITICAL" + }, + "exploitMaturityType": { + "default": "NOT_DEFINED", + "enum": [ + "UNREPORTED", + "PROOF_OF_CONCEPT", + "ATTACKED", + "NOT_DEFINED" + ], + "type": "string" + }, + "highScoreType": { + "maximum": 8.9, + "minimum": 7.0, + "multipleOf": 0.1, + "type": "number" + }, + "highSeverityType": { + "const": "HIGH" + }, + "lowScoreType": { + "maximum": 3.9, + "minimum": 0.1, + "multipleOf": 0.1, + "type": "number" + }, + "lowSeverityType": { + 
"const": "LOW" + }, + "mediumScoreType": { + "maximum": 6.9, + "minimum": 4.0, + "multipleOf": 0.1, + "type": "number" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "modifiedAttackComplexityType": { + "default": "NOT_DEFINED", + "enum": [ + "HIGH", + "LOW", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedAttackRequirementsType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "PRESENT", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedAttackVectorType": { + "default": "NOT_DEFINED", + "enum": [ + "NETWORK", + "ADJACENT", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "default": "NOT_DEFINED", + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedSubCType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedSubIaType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "LOW", + "HIGH", + "SAFETY", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedUserInteractionType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "PASSIVE", + "ACTIVE", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedVulnCiaType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "noneScoreType": { + "maximum": 0.0, + "minimum": 0.0, + "type": "number" + }, + "noneSeverityType": { + "const": "NONE" + }, + "privilegesRequiredType": { + "enum": [ + "HIGH", + "LOW", + "NONE" + ], + "type": "string" + }, + "providerUrgencyType": { + "default": "NOT_DEFINED", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "RED", + "NOT_DEFINED" + ], + "type": "string" + }, + "recoveryType": { + "default": "NOT_DEFINED", + "enum": [ + "AUTOMATIC", + "USER", + "IRRECOVERABLE", + "NOT_DEFINED" + ], + "type": "string" + }, + "safetyType": { + "default": "NOT_DEFINED", + "enum": [ + "NEGLIGIBLE", + "PRESENT", + "NOT_DEFINED" 
+ ], + "type": "string" + }, + "subCiaType": { + "enum": [ + "NONE", + "LOW", + "HIGH" + ], + "type": "string" + }, + "userInteractionType": { + "enum": [ + "NONE", + "PASSIVE", + "ACTIVE" + ], + "type": "string" + }, + "valueDensityType": { + "default": "NOT_DEFINED", + "enum": [ + "DIFFUSE", + "CONCENTRATED", + "NOT_DEFINED" + ], + "type": "string" + }, + "vulnCiaType": { + "enum": [ + "NONE", + "LOW", + "HIGH" + ], + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "default": "NOT_DEFINED", + "enum": [ + "LOW", + "MODERATE", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + } + }, + "license": [ + "Copyright (c) 2023, FIRST.ORG, INC.", + "All rights reserved.", + "", + "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", + "following conditions are met:", + "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", + " disclaimer.", + "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", + " following disclaimer in the documentation and/or other materials provided with the distribution.", + "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", + " products derived from this software without specific prior written permission.", + "", + "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", + "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", + "DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", + "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", + "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", + "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", + "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + ], + "properties": { + "Automatable": { + "$ref": "#/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/ciaRequirementType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/modifiedUserInteractionType" + 
}, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/valueDensityType" + }, + "vectorString": { + "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$", + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" +} From 6ba76ff41352e06b5435c392454473004e22534d Mon Sep 17 00:00:00 2001 
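Review bot: `baseScore` and `baseSeverity` are listed in `required` but absent from the top-level `properties`, and the file sets `"additionalProperties": false`; under the draft-07 semantics the `$schema` declares, `additionalProperties` only considers the sibling `properties`/`patternProperties`, not the `properties` nested inside the `allOf`/`anyOf` branches, so any instance carrying the required `baseScore` is rejected as having an additional property (the same applies to `threatScore`, `threatSeverity`, `environmentalScore` and `environmentalSeverity`). Unless the validator used by the test scripts departs from draft-07 here, no CSAF document with a `cvss_v4` score can pass this strict schema. Declaring the six score/severity keys loosely in the top-level `properties` (in the file's sorted key order) lets `additionalProperties` accept them while the existing `anyOf` blocks keep enforcing the pairing of score range and severity label.
```json
"baseScore": { "type": "number" },
"baseSeverity": { "type": "string" },
"environmentalScore": { "type": "number" },
"environmentalSeverity": { "type": "string" },
"threatScore": { "type": "number" },
"threatSeverity": { "type": "string" },
```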
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:40:41 +0100
Subject: [PATCH 03/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652
- adopt test scripts to include CVSS 4.0
---
 csaf_2.1/test/aggregator_schema/run_tests.sh | 3 ++-
 csaf_2.1/test/csaf_schema/run_tests.sh | 3 ++-
 csaf_2.1/test/provider_schema/run_tests.sh | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh
index cd370bd0..fbaf761a 100755
--- a/csaf_2.1/test/aggregator_schema/run_tests.sh
+++ b/csaf_2.1/test/aggregator_schema/run_tests.sh
@@ -7,6 +7,7 @@ CSAF_STRICT_SCHEMA=${STRICT_BUILD}/csaf_strict_schema.json
 CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
+CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -19,7 +20,7 @@ cd `dirname $0`/../../..
 validate() {
 printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
- if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
+ if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
 printf "%s\n" SUCCESS
 else
 printf "%s\n" FAILED
diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh
index 1f7517ae..d24a9ed4 100755
--- a/csaf_2.1/test/csaf_schema/run_tests.sh
+++ b/csaf_2.1/test/csaf_schema/run_tests.sh
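Review bot: The rewritten `if python3 …` line in `validate()` still passes `$1` and every `${…}` schema path unquoted, so a test file name containing whitespace or glob characters is word-split before it reaches the validator; since the line is being touched anyway, quoting `"$1"` and `"${CVSS_40_STRICT_SCHEMA}"` (and the neighbouring expansions) would fit in the same change. The same pattern is repeated in the corresponding hunks of `csaf_2.1/test/csaf_schema/run_tests.sh` and `csaf_2.1/test/provider_schema/run_tests.sh`. Nothing checks that the newly assigned `CVSS_40_STRICT_SCHEMA` file exists before it is handed to the validator, so a missing or misnamed copy would surface as a validator error on every test rather than one message at the top of the script; `validate()` continues past the end of the hunk.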
@@ -6,6 +6,7 @@ CSAF_STRICT_SCHEMA=${STRICT_BUILD}/csaf_strict_schema.json
 CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
+CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/examples/csaf/$1/*.json
@@ -17,7 +18,7 @@ cd `dirname $0`/../../..
 validate() {
 printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
- if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA}; then
+ if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then
 printf "%s\n" SUCCESS
 else
 printf "%s\n" FAILED
diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh
index 59372cc1..0ec6b864 100755
--- a/csaf_2.1/test/provider_schema/run_tests.sh
+++ b/csaf_2.1/test/provider_schema/run_tests.sh
@@ -6,6 +6,7 @@ CSAF_STRICT_SCHEMA=${STRICT_BUILD}/csaf_strict_schema.json
 CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
+CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -18,7 +19,7 @@ cd `dirname $0`/../../..
 validate() {
 printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
- if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA}; then
+ if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then
 printf "%s\n" SUCCESS
 else
 printf "%s\n" FAILED
From 5117d27d25da8c4835b9a43111f4a062c5c344f1 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:44:27 +0100
Subject: [PATCH 04/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652
- add CVSS 4.0 to informative references
- add CVSS 4.0 to construction principles
---
 .../src/design-considerations-01-construction-principles.md | 2 ++
 .../prose/edit/src/introduction-04-informative-references.md | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md
index bdf6c051..71edbb65 100644
--- a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md
+++ b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md
@@ -37,6 +37,8 @@ Delegation to industry best practices technologies is used in referencing schema
 * Platform Data:
 * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
 * Vulnerability Scoring:
+ * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40)
+ * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
 * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31)
 * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json
 * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30)
diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
index 5fb3bb5a..90a4c1b2 100644
--- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
+++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -36,6 +36,9 @@ CVSS30
 CVSS31
 : _Common Vulnerability Scoring System v3.1: Specification Document_, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.
+CVSS40
+: _Common Vulnerability Scoring System v4.0: Specification Document_, FIRST.Org, Inc., 09 November 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf.
+
 CWE
 : _Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types_, MITRE, 2005, http://cwe.mitre.org/about/.
From d28236857a0f40fa30b363139d1993a1e991a568 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:48:14 +0100
Subject: [PATCH 05/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652
- add CVSS 4.0 to `/vulnerabilities[]/scores[]`
---
 .../schema-elements-02-props-03-vulnerabilities.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
index ee0889a7..5cecf147 100644
--- a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
+++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
@@ -662,8 +662,8 @@ List of scores (`scores`) of value type `array` with 1 or more items of type sco }, ``` -Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2` and -`cvss_v3` specifies information about (at least one) score of the vulnerability and for which products the given value applies. +Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2`, +`cvss_v3` and `cvss_v4` specifies information about (at least one) score of the vulnerability and for which products the given value applies. Each Score item has at least 2 properties. ``` @@ -675,7 +675,10 @@ Each Score item has at least 2 properties. "oneOf": [ // ... ] - } + }, + "cvss_v4": { + // ... + }, "products": { // ... } @@ -689,6 +692,8 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the [https://www.first.org/cvss/cvss-v3.0.json](https://www.first.org/cvss/cvss-v3.0.json) or [https://www.first.org/cvss/cvss-v3.1.json](https://www.first.org/cvss/cvss-v3.1.json). +The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json). + Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given scores apply. A score object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; From 16530f990ac9e06716318b2ff2d6ad3a4f212794 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:12:29 +0100 Subject: [PATCH 06/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341 - add invalid example for 6.1.7 - add valid examples for 6.1.7 --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json | 62 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json | 66 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json | 62 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 12 ++++ 4 files changed, 202 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json new file mode 100644 index 00000000..1fa627be --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json 
@@ -0,0 +1,62 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + }, + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json new file mode 100644 index 00000000..615aa4af --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json 
@@ -0,0 +1,66 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-15", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json new file mode 100644 index 00000000..bf5021dd --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json 
@@ -0,0 +1,62 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 6)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-16", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", + "baseScore": 5.5 + }, + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 7443b698..0c9bc6e6 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -107,6 +107,10 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-01.json", "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json", + "valid": false } ], "valid": [ 
@@ -117,6 +121,14 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-12.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json", + "valid": true } ] }, From 69532cdf98bc1c073c01fb2e32a25ab156047cbd Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:59:21 +0100 Subject: [PATCH 07/44] Tests - addresses parts of oasis-tcs/csaf#341 - add invalid examples for 6.1.7 - add valid examples for 6.1.7 --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-02.json | 62 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-03.json | 60 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-13.json | 66 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-14.json | 64 ++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 +++++ 5 files changed, 268 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-13.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-14.json diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-02.json new file mode 100644 index 00000000..f2541e2f --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-02.json 
@@ -0,0 +1,62 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + }, + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", + "baseScore": 6.5, + "baseSeverity": "MEDIUM" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-03.json new file mode 100644 index 00000000..cc16c168 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-03.json 
@@ -0,0 +1,60 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", + "baseScore": 5.5 + } + }, + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "baseScore": 10 + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-13.json new file mode 100644 index 00000000..5917c5e9 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-13.json 
@@ -0,0 +1,66 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", + "baseScore": 6.5, + "baseSeverity": "MEDIUM" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-14.json new file mode 100644 index 00000000..eae8df65 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-14.json 
@@ -0,0 +1,64 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", + "baseScore": 5.5 + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "baseScore": 10 + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 0c9bc6e6..c8341ba6 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -108,6 +108,14 @@ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-01.json", "valid": false }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-02.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-03.json", + "valid": false + }, { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json", "valid": false 
@@ -122,6 +130,14 @@ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-12.json", "valid": true }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-13.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-14.json", + "valid": true + }, { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-15.json", "valid": true From 02acf2328f8e90367d9c6d0d102f888447e636b4 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:05:46 +0100 Subject: [PATCH 08/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341 - add missing CVSS 4.0 reference in validator test script --- csaf_2.1/test/validator/run_tests.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh index 073e7995..c7930cba 100755 --- a/csaf_2.1/test/validator/run_tests.sh +++ b/csaf_2.1/test/validator/run_tests.sh @@ -6,6 +6,7 @@ CSAF_STRICT_SCHEMA=${STRICT_BUILD}/csaf_strict_schema.json CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json +CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/test/validator/data/$1/*.json @@ -19,7 +20,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA}; then + if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED 
From 6d35d3da6ea64f14c6cc1b766c6cb33c39125b60 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 31 Jan 2024 01:00:35 +0100 Subject: [PATCH 09/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - update the strict version to use `unevaluatedProperties` instead of `additionalProperties` which fails with `allOf` --- csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json b/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
index 42d86d93..be82d6a4 100644
--- a/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+++ b/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
@@ -1,7 +1,7 @@
 {
 "$id": "https://www.first.org/cvss/cvss-v4.0.json?20231011",
 "$schema": "http://json-schema.org/draft-07/schema#",
- "additionalProperties": false,
+ "unevaluatedProperties": false,
 "allOf": [
 {
 "anyOf": [
From 2e36a29841d8835a6a415908961c3b00cfa35efa Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 31 Jan 2024 01:33:02 +0100 Subject: [PATCH 10/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - use different vector to avoid `multiple` issue --- .../data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json | 4 ++-- .../data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json
index 1fa627be..d8ae29dd 100644
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-04.json
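Review bot: `unevaluatedProperties` is a draft 2019-09 keyword, but the file keeps `"$schema": "http://json-schema.org/draft-07/schema#"` two lines above it; a validator that honours `$schema` when it resolves this resource treats the keyword as unknown and ignores it, so the strict schema would silently accept unknown properties again — the opposite of what the commit intends, and the tests would not notice because nothing gets rejected. Either raise the dialect with `"$schema": "https://json-schema.org/draft/2020-12/schema",` or confirm that validator.py evaluates referenced resources under 2020-12 regardless of their own `$schema`. A negative fixture with an unknown property inside `cvss_v4`, listed with `"valid": false`, would pin the intended strictness down. The surrounding `allOf` structure continues outside the hunk.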
@@ -51,8 +51,8 @@ ], "cvss_v4": { "version": "4.0", - "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", - "baseScore": 5.4, + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N", + "baseScore": 4.9, "baseSeverity": "MEDIUM" } } diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json index bf5021dd..3b5fc310 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json @@ -51,8 +51,8 @@ }, "cvss_v4": { "version": "4.0", - "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", - "baseScore": 5.3, + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N", + "baseScore": 4.9, "baseSeverity": "MEDIUM" } } From 7c64cab5436d89925771d7d509476e93f0b3bf27 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:04:37 +0100 Subject: [PATCH 11/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - address `multipleOf` issue by parsing floats as Decimal - add valid example to show correctness --- csaf_2.1/test/validator.py | 7 ++- ...oasis_csaf_tc-csaf_2_1-2024-6-1-07-17.json | 62 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 4 ++ 3 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-17.json diff --git a/csaf_2.1/test/validator.py b/csaf_2.1/test/validator.py index 8a441cc6..4fbcea50 100644 --- a/csaf_2.1/test/validator.py +++ b/csaf_2.1/test/validator.py @@ -1,3 +1,4 @@ +import decimal import jsonschema from jsonschema.validators import Draft202012Validator from referencing import Registry, Resource 
@@ -15,20 +16,20 @@ with open(json_schema, 'r') as f:
 schema_data = f.read()
- schema = json.loads(schema_data)
+ schema = json.loads(schema_data, parse_float=decimal.Decimal)
 resource = Resource.from_contents(schema)
 registry = Registry().with_resource(resource.id(), resource)
 with open(json_input, 'r') as f:
 input_data = f.read()
- input_obj = json.loads(input_data)
+ input_obj = json.loads(input_data, parse_float=decimal.Decimal)
 if len(json_referenced_schemas) > 0:
 for i in json_referenced_schemas:
 with open(i, 'r') as f:
 current_ref_schema_data = f.read()
- current_ref_schema = json.loads(current_ref_schema_data)
+ current_ref_schema = json.loads(current_ref_schema_data, parse_float=decimal.Decimal)
 current_resource = Resource.from_contents(current_ref_schema)
 registry = registry.combine(Registry().with_resource(current_resource.id().split('?')[0], current_resource))
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-17.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-17.json
new file mode 100644
index 00000000..01001257
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-17.json
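Review bot: The three new `json.loads(..., parse_float=decimal.Decimal)` calls repeat the same read-then-parse sequence at three sites, and each sits under an `open(..., 'r')` that relies on the platform default encoding, so a UTF-8 fixture or schema can fail to parse on a non-UTF-8 locale. A small helper used by all three sites would dedupe the call and pin `encoding='utf-8'` in one place; it also keeps schema and instance parsed the same way, which is what makes the `multipleOf` comparison exact. The first `with open(json_schema, 'r')` that the helper would replace is just above the hunk, and the hunk is top-level script code whose surrounding statements start and end outside it.
```python
def _load_json(path):
    """Read a JSON file with floats parsed as Decimal so schema multipleOf checks stay exact."""
    with open(path, 'r', encoding='utf-8') as f:
        return json.loads(f.read(), parse_float=decimal.Decimal)

schema = _load_json(json_schema)
# … unchanged: resource / registry construction …
input_obj = _load_json(json_input)
# … unchanged: loop over json_referenced_schemas …
current_ref_schema = _load_json(i)
```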
@@ -0,0 +1,62 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 7)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-07-17", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", + "baseScore": 5.5 + }, + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index c8341ba6..c0b41043 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -145,6 +145,10 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-16.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-07-17.json", + "valid": true } ] }, From 4140ce95373e41c0c6ebc24750678be96fbfdd74 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 31 Jan 2024 18:20:44 +0100 Subject: [PATCH 12/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - add CVSS 4.0 to Appendix C regarding size --- csaf_2.1/prose/edit/src/guidance-on-size.md | 37 +++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index f654fb3a..8fadca4f 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -211,6 +211,7 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/remediations[]/product_ids[]` * `/vulnerabilities[]/scores[]/cvss_v2/vectorString` * `/vulnerabilities[]/scores[]/cvss_v3/vectorString` + * `/vulnerabilities[]/scores[]/cvss_v4/vectorString` * `/vulnerabilities[]/scores[]/products[]` * `/vulnerabilities[]/threats[]/group_ids[]` * `/vulnerabilities[]/threats[]/product_ids[]` 
@@ -337,6 +338,42 @@ It seems to be safe to assume that the length of each value is not greater than * `/vulnerabilities[]/scores[]/cvss_v3/modifiedIntegrityImpact` (11) * `/vulnerabilities[]/scores[]/cvss_v3/modifiedAvailabilityImpact` (11) * `/vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity` (8) +* `/vulnerabilities[]/scores[]/cvss_v4/version` (3) +* `/vulnerabilities[]/scores[]/cvss_v4/attackVector` (8) +* `/vulnerabilities[]/scores[]/cvss_v4/attackComplexity` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/attackRequirements` (7) +* `/vulnerabilities[]/scores[]/cvss_v4/privilegesRequired` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/userInteraction` (7) +* `/vulnerabilities[]/scores[]/cvss_v4/vulnConfidentialityImpact` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/vulnIntegrityImpact` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/vulnAvailabilityImpact` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/subConfidentialityImpact` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/subIntegrityImpact` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/subAvailabilityImpact` (4) +* `/vulnerabilities[]/scores[]/cvss_v4/exploitMaturity` (16) +* `/vulnerabilities[]/scores[]/cvss_v4/confidentialityRequirement` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/integrityRequirement` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/availabilityRequirement` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackVector` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackComplexity` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackRequirements` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedPrivilegesRequired` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedUserInteraction` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnConfidentialityImpact` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnIntegrityImpact` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnAvailabilityImpact` (11) +* 
`/vulnerabilities[]/scores[]/cvss_v4/modifiedSubConfidentialityImpact` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubIntegrityImpact` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubAvailabilityImpact` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/Safety` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/Automatable` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/Recovery` (13) +* `/vulnerabilities[]/scores[]/cvss_v4/valueDensity` (12) +* `/vulnerabilities[]/scores[]/cvss_v4/vulnerabilityResponseEffort` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/providerUrgency` (11) +* `/vulnerabilities[]/scores[]/cvss_v4/baseSeverity` (8) +* `/vulnerabilities[]/scores[]/cvss_v4/threatSeverity` (8) +* `/vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity` (8) * `/vulnerabilities[]/threats[]/category` (14) ## Date From 35278f61c703bd24fd29bf078988c56138baac22 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 31 Jan 2024 18:31:36 +0100 Subject: [PATCH 13/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - add CVRF-CSAF-conversion rule --- csaf_2.1/prose/edit/src/conformance.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 98f77c34..6825a5c9 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -135,6 +135,8 @@ Secondly, the program fulfills the following for all items of: `first_affected` and `last_affected` into `product_ids`. If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element. * `/vulnerabilities[]/scores[]`: + * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to + the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.) * For any CVSS v3 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to the rules of the applicable CVSS standard. * If no `product_id` is given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in @@ -145,7 +147,8 @@ Secondly, the program fulfills the following for all items of: A CVRF CSAF converter MAY offer a configuration option to delete such elements. * If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information. - * To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps: + * To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element, + the CVRF CSAF converter uses the following steps: 1. Retrieve the CVSS version from the CVSS vector, if present. *Example 1:* From efba9aee8efd1bcf6be8160cbd36d00def939112 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 16 Feb 2024 09:43:54 +0100 Subject: [PATCH 14/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341 - add invalid example for 6.1.8 - add valid examples for 6.1.8 - update test 6.1.8 --- .../src/tests-01-mndtr-08-invalid-cvss.md | 1 + ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json | 50 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json | 49 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json | 50 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-11.json | 51 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-12.json | 51 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-13.json | 50 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-08-14.json | 51 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 30 +++++++++++ csaf_2.1/test/validator/run_tests.sh | 6 +-- 10 files changed, 386 insertions(+), 3 deletions(-) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-13.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-14.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-08-invalid-cvss.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-08-invalid-cvss.md index 9551190b..e5751ec7 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-08-invalid-cvss.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-08-invalid-cvss.md 
@@ -7,6 +7,7 @@ The relevant paths for this test are:
 ```
 /vulnerabilities[]/scores[]/cvss_v2
 /vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v4
 ```
 *Example 1 (which fails the test):*
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json
new file mode 100644
index 00000000..9b4ac1ad
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json
@@ -0,0 +1,50 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "baseScore": 6.5
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json
new file mode 100644
index 00000000..d88c5941
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json
@@ -0,0 +1,49 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "vectorString": "AV:L/AC:L/Au:M/C:C/I:C/A:C",
+ "baseScore": 6.5
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json
new file mode 100644
index 00000000..ecb44285
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json
@@ -0,0 +1,50 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
+ "baseScore": 5.4
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-11.json
new file mode 100644
index 00000000..2dd374cf
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-11.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-12.json
new file mode 100644
index 00000000..78d1dcb5
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-12.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-13.json
new file mode 100644
index 00000000..cf3318a0
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-13.json
@@ -0,0 +1,50 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:L/AC:L/Au:M/C:C/I:C/A:C",
+ "baseScore": 6.5
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-14.json
new file mode 100644
index 00000000..306eab72
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-14.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-08-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
+ "baseScore": 5.4,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index c0b41043..dd852da3 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -159,6 +159,36 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-08-14.json",
+ "valid": true
 }
 ]
 },
diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
index c7930cba..1d39d46c 100755
--- a/csaf_2.1/test/validator/run_tests.sh
+++ b/csaf_2.1/test/validator/run_tests.sh
@@ -10,7 +10,7 @@ CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
-EXCLUDE=oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json
+EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json'
 EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json
 FAIL=0
@@ -30,14 +30,14 @@ validate() {
 }
 test_all() {
- for i in $(ls -1 ${TESTPATH} | grep -v $EXCLUDE)
+ for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}")
 do
 validate $i
 done
 }
 test_all_strict() {
- for i in $(ls -1 ${TESTPATH} | grep -v $EXCLUDE | grep -v ${EXCLUDE_STRICT})
+ for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -v ${EXCLUDE_STRICT})
 do
 validate $i
 done
From 740aa8f95d7e6bd5bfccac5d4117ff9b98f85d2d Mon Sep 17 00:00:00 2001
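Review bot: `EXCLUDE` is now an ERE alternation passed quoted to `grep -Ev`, but the second filter in `test_all_strict` still runs `grep -v ${EXCLUDE_STRICT}` unquoted and without `-E`, so the two exclusion variables are treated differently and the second one would silently stop matching if it ever grows a `|` the way `EXCLUDE` did here. Both patterns are also unanchored with unescaped `.`, so they drop any path that merely contains one of the names; anchoring on the end of the `ls` line makes the intent explicit: `grep -Ev "(${EXCLUDE})$" | grep -Ev "(${EXCLUDE_STRICT})$"`. The `for i in $(ls -1 …)` word-splitting is pre-existing and not introduced by this change. Both loops are complete within the hunk; `validate()` itself starts before it.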
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 16 Feb 2024 10:12:22 +0100
Subject: [PATCH 15/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341
- add invalid example for 6.1.9
- add valid examples for 6.1.9
- update test description 6.1.9
---
 ...ts-01-mndtr-09-invalid-cvss-computation.md | 6 +++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-02.json | 51 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-03.json | 50 +++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-04.json | 51 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json | 53 +++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-11.json | 51 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-12.json | 51 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-13.json | 50 +++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-14.json | 51 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json | 53 +++++++++++++++++++
 csaf_2.1/test/validator/data/testcases.json | 38 +++++++++++++
 csaf_2.1/test/validator/run_tests.sh | 2 +-
 12 files changed, 506 insertions(+), 1 deletion(-)
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-02.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-03.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-04.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-11.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-12.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-13.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-14.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-09-invalid-cvss-computation.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-09-invalid-cvss-computation.md
index 3b4a5d05..4b2b7254 100644
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-09-invalid-cvss-computation.md
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-09-invalid-cvss-computation.md
@@ -16,6 +16,12 @@ The relevant paths for this test are:
 /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity
 /vulnerabilities[]/scores[]/cvss_v3/environmentalScore
 /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity
+ /vulnerabilities[]/scores[]/cvss_v4/baseScore
+ /vulnerabilities[]/scores[]/cvss_v4/baseSeverity
+ /vulnerabilities[]/scores[]/cvss_v4/threatScore
+ /vulnerabilities[]/scores[]/cvss_v4/threatSeverity
+ /vulnerabilities[]/scores[]/cvss_v4/environmentalScore
+ /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity
 ```
 *Example 1 (which fails the test):*
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-02.json
new file mode 100644
index 00000000..f086512e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-02.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "HIGH"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-03.json
new file mode 100644
index 00000000..a91adfcb
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-03.json
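Review bot: This failing example is wrong in two independent ways, so it does not isolate which check of 6.1.9 a validator must implement: `baseScore` 10 does not match the `CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H` vector (08-12 in this series carries the same vector with 6.5), and `baseSeverity` `HIGH` is not the severity of a score of 10 either. Keeping a single mismatch, e.g. `"baseScore": 6.5,` together with `"baseSeverity": "HIGH"`, pins the score-to-severity check, and a separate file can pin the vector-to-score check. 09-05 appears to have the same doubled mismatch in its threat values, given that 09-15 lists 9.3 rather than 9.9 for the identical vector.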
@@ -0,0 +1,50 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+ "baseScore": 6.5
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-04.json
new file mode 100644
index 00000000..4cf48fc2
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-04.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "baseScore": 9.3,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json
new file mode 100644
index 00000000..fb5a9ef4
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json
@@ -0,0 +1,53 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (failing example 5)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-05",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
+ "baseScore": 10.0,
+ "baseSeverity": "CRITICAL",
+ "threatScore": 9.9,
+ "threatSeverity": "HIGH"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-11.json
new file mode 100644
index 00000000..37acd246
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-11.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-12.json
new file mode 100644
index 00000000..5be233d3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-12.json
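Review bot: This file is registered as a valid example for 6.1.9, yet its `baseScore` 10 / `baseSeverity` `CRITICAL` do not belong to the `CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H` vector: 08-11 in this same series gives 6.5 / `MEDIUM` for the identical vector and is also registered as valid, so a validator that actually recomputes the score from the vector must reject one of the two. 09-12 has the same problem with the `CVSS:3.0` variant (compare 08-12). Either reuse the 08-11 values here, `"baseScore": 6.5,` and `"baseSeverity": "MEDIUM"`, or switch to a vector that genuinely scores 10.0.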
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-13.json
new file mode 100644
index 00000000..8377632e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-13.json
@@ -0,0 +1,50 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+ "baseScore": 10.0
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-14.json
new file mode 100644
index 00000000..30b1e90a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-14.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "baseScore": 10.0,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json
new file mode 100644
index 00000000..ac4dff9b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json
@@ -0,0 +1,53 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (valid example 5)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-15",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
+ "baseScore": 10.0,
+ "baseSeverity": "CRITICAL",
+ "threatScore": 9.3,
+ "threatSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index dd852da3..f0c686b3 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -199,6 +199,44 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-01.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-04.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-14.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json",
+ "valid": true
 }
 ]
 },
diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
index 1d39d46c..cefb49e9 100755
--- a/csaf_2.1/test/validator/run_tests.sh
+++ b/csaf_2.1/test/validator/run_tests.sh
@@ -10,7 +10,7 @@ CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
-EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json'
+EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json'
 EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json
 FAIL=0
From 303252871f004bdb3e62d05df526687d1305822f Mon Sep 17 00:00:00 2001
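Review bot: The extended `EXCLUDE` list now also keeps `oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json` out of schema validation without saying why; unlike the 08-0x files, which omit properties such as `baseSeverity` or `version`, 09-05 only carries threat values that disagree with each other, so the reason it cannot pass the schema is not apparent from the script. A comment above the assignment would keep the list maintainable, e.g. `# documents that deliberately fail the CVSS JSON schema; exercised only through the validator test cases`, ideally naming the reason for 09-05 specifically. The single-line alternation is also getting long enough that one name per line, joined with `|`, would read better in future diffs.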
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 16 Feb 2024 10:52:23 +0100
Subject: [PATCH 16/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341
- add invalid examples for 6.1.10
- add valid examples for 6.1.10
- update test description 6.1.10
---
 .../tests-01-mndtr-10-inconsistent-cvss.md | 1 +
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-02.json | 59 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-03.json | 57 +++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-04.json | 62 +++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-11.json | 59 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-12.json | 59 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-13.json | 57 +++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-10-14.json | 62 +++++++++++++++++++
 csaf_2.1/test/validator/data/testcases.json | 30 +++++++++
 9 files changed, 446 insertions(+)
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-02.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-03.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-04.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-11.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-12.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-13.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-14.json
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-10-inconsistent-cvss.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-10-inconsistent-cvss.md
index cb9b16d6..c3882610 100644
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-10-inconsistent-cvss.md
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-10-inconsistent-cvss.md
@@ -7,6 +7,7 @@ The relevant paths for this test are:
 ```
 /vulnerabilities[]/scores[]/cvss_v2
 /vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v4
 ```
 *Example 1 (which fails the test):*
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-02.json
new file mode 100644
index 00000000..0055db47
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-02.json
@@ -0,0 +1,59 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "privilegesRequired": "HIGH",
+ "userInteraction": "REQUIRED",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "HIGH"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-03.json
new file mode 100644
index 00000000..7ec9611f
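Review bot: Failing example 2 contradicts its `vectorString` in four properties at once (`attackComplexity`, `privilegesRequired`, `userInteraction`, `confidentialityImpact`), so an implementation that compares only one of them still reports the expected failure and the test cannot tell which comparison is missing. Failing example 3 (`accessComplexity`, `authentication`, all three impacts, `exploitability`) and failing example 4 (nearly every v4 metric) have the same shape. Keeping these as broad cases is fine, but one additional failing example per CVSS version that deviates in exactly one property, say `"attackComplexity": "HIGH"` against `AC:L` with everything else matching, would make each comparison individually testable. The failing and valid examples otherwise pair up well, including the `3.0`/`3.1` split.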
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-03.json
@@ -0,0 +1,57 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC",
+ "baseScore": 9.0,
+ "accessVector": "NETWORK",
+ "accessComplexity": "HIGH",
+ "authentication": "MULTIPLE",
+ "confidentialityImpact": "PARTIAL",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "COMPLETE",
+ "exploitability": "FUNCTIONAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-04.json
new file mode 100644
index 00000000..2b6f38ec
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-04.json
@@ -0,0 +1,62 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "baseScore": 10.0,
+ "baseSeverity": "CRITICAL",
+ "attackVector": "LOCAL",
+ "attackComplexity": "HIGH",
+ "attackRequirements": "PRESENT",
+ "privilegesRequired": "NONE",
+ "userInteraction": "PASSIVE",
+ "vulnConfidentialityImpact": "LOW",
+ "vulnIntegrityImpact": "NONE",
+ "vulnAvailabilityImpact": "HIGH",
+ "subConfidentialityImpact": "LOW",
+ "subIntegrityImpact": "HIGH",
+ "subAvailabilityImpact": "NONE"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-11.json
new file mode 100644
index 00000000..f834e0b9
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-11.json
@@ -0,0 +1,59 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "HIGH"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-12.json
new file mode 100644
index 00000000..16a8e4e8
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-12.json
@@ -0,0 +1,59 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "HIGH"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-13.json
new file mode 100644
index 00000000..efc09b66
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-13.json
@@ -0,0 +1,57 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC",
+ "baseScore": 9.0,
+ "accessVector": "NETWORK",
+ "accessComplexity": "LOW",
+ "authentication": "NONE",
+ "confidentialityImpact": "COMPLETE",
+ "integrityImpact": "COMPLETE",
+ "availabilityImpact": "COMPLETE",
+ "exploitability": "PROOF_OF_CONCEPT"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-14.json
new file mode 100644
index 00000000..8bc7d618
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-14.json
@@ -0,0 +1,62 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent CVSS (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-10-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "baseScore": 10.0,
+ "baseSeverity": "CRITICAL",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "attackRequirements": "NONE",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "vulnConfidentialityImpact": "HIGH",
+ "vulnIntegrityImpact": "HIGH",
+ "vulnAvailabilityImpact": "HIGH",
+ "subConfidentialityImpact": "HIGH",
+ "subIntegrityImpact": "HIGH",
+ "subAvailabilityImpact": "HIGH"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index f0c686b3..42b06096 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -247,6 +247,36 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-01.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-04.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-10-14.json",
+ "valid": true
 }
 ]
 },
From 7506cd1a5a0af40a824218b5157ca25079b6f02f Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 16 Feb 2024 11:18:45 +0100 Subject: [PATCH 17/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341 - add invalid examples for 6.2.19 - add valid examples for 6.2.19 - update test description 6.2.19 --- csaf_2.1/prose/edit/src/tests-02-optional.md | 4 +- ...oasis_csaf_tc-csaf_2_1-2024-6-2-19-07.json | 56 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json | 61 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-19-18.json | 56 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json | 62 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 +++++ 6 files changed, 253 insertions(+), 2 deletions(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-07.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-18.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json
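Review bot: `10-02`, `10-03` and `10-04` are registered with `"valid": false` but, unlike `09-05` in the previous commit of this series, are not added to `EXCLUDE` in run_tests.sh, so the schema-driven run is apparently expected to reject a document whose CVSS properties merely contradict its `vectorString`. To my knowledge the referenced FIRST schemas check each property's enum and the vector pattern independently, and nothing visible here cross-checks one against the other, so these three would presumably surface as unexpected passes unless the generated strict schema adds that cross-check. Either extend `EXCLUDE` with the three names or note, next to these entries, which schema constraint rejects them.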
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 24d9ac66..90ae847e 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -610,8 +610,8 @@ The relevant path for this test is:
 > Neither the `environmentalScore` nor the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` nor
 > the corresponding attributes in the `vectorString` have been set.
-> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` accordingly and
-> compute the `environmentalScore` as quick fix.
+> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` (respectively their
+> equivalents according to the CVSS version used) accordingly and compute the `environmentalScore` as quick fix.
 ### Additional Properties
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-07.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-07.json
new file mode 100644
index 00000000..f1b0f2c8
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-07.json
@@ -0,0 +1,56 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: CVSS for Fixed Products (failing example 7)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-19-07",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "first_fixed": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "scores": [
+ {
+ "cvss_v4": {
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "version": "4.0"
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json
new file mode 100644
index 00000000..2becc467
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json
@@ -0,0 +1,61 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: CVSS for Fixed Products (failing example 8)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-19-08",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "first_fixed": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "scores": [
+ {
+ "cvss_v4": {
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "modifiedVulnConfidentialityImpact": "NONE",
+ "modifiedVulnIntegrityImpact": "NONE",
+ "modifiedVulnAvailabilityImpact": "NONE",
+ "modifiedSubConfidentialityImpact": "NONE",
+ "modifiedSubIntegrityImpact": "NONE",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "version": "4.0"
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-18.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-18.json
new file mode 100644
index 00000000..789c6d2c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-18.json
@@ -0,0 +1,56 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: CVSS for Fixed Products (valid example 8)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-19-18",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "first_fixed": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "scores": [
+ {
+ "cvss_v4": {
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:N/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N",
+ "version": "4.0"
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json
new file mode 100644
index 00000000..6350c321
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json
@@ -0,0 +1,62 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: CVSS for Fixed Products (valid example 9)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-19-19",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "first_fixed": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "scores": [
+ {
+ "cvss_v4": {
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "modifiedVulnConfidentialityImpact": "NONE",
+ "modifiedVulnIntegrityImpact": "NONE",
+ "modifiedVulnAvailabilityImpact": "NONE",
+ "modifiedSubConfidentialityImpact": "NONE",
+ "modifiedSubIntegrityImpact": "NONE",
+ "modifiedSubAvailabilityImpact": "NONE",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+ "version": "4.0"
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 42b06096..66897317 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1215,6 +1215,14 @@
 {
 "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-06.json",
 "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-07.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json",
+ "valid": true
 }
 ],
 "valid": [
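Review bot: Valid example 9 sets all six `modified*Impact` properties to `NONE` while its `vectorString` carries no `M*` metrics, whereas valid example 8 (19-18) encodes the very same fixed state only in the vector (`MVC:N/…/MSA:N`) and sets no properties. Whether a vector that omits the environmental metrics counts as contradicting properties set to `NONE` is decided by 6.1.10, which this series just extended to `cvss_v4`; if it does, 19-19 (and failing example 19-08, built the same way) would trip a mandatory test while being listed with `"valid": true` here. Appending `/MVC:N/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N` to the vector in 19-19, and the five matching metrics in 19-08, removes the ambiguity regardless of how 6.1.10 is read.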
@@ -1245,6 +1253,14 @@
 {
 "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-17.json",
 "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-18.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json",
+ "valid": true
 }
 ]
 },
From 2f216639939ed8a05e70953960f42c48aaf24147 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 16 Feb 2024 11:31:36 +0100 Subject: [PATCH 18/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341 - add invalid example for 6.3.1 - add valid example for 6.3.1 - update test description 6.3.1 --- .../prose/edit/src/tests-03-informative.md | 2 +- ...oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json | 104 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json | 122 ++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 8 ++ 4 files changed, 235 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json
diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md
index d5f9c1a5..99bc1fac 100644
--- a/csaf_2.1/prose/edit/src/tests-03-informative.md
+++ b/csaf_2.1/prose/edit/src/tests-03-informative.md
@@ -50,7 +50,7 @@ The relevant path for this test is:
 Recommendation:
-It is recommended to (also) use the CVSS v3.1.
+It is recommended to (also) use the CVSS v4.0.
 ### Use of CVSS v3.0
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json
new file mode 100644
index 00000000..7005f046
--- /dev/null
+++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json
@@ -0,0 +1,104 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Use of CVSS v2 as the only Scoring System (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
+ "baseScore": 5.5
+ }
+ }
+ ]
+ },
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+ "baseScore": 10
+ },
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ },
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:L/AC:L/Au:S/C:C/I:N/A:N",
+ "baseScore": 4.6
+ },
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
+ "baseScore": 5.7,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ },
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+ "baseScore": 4.3
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json
new file mode 100644
index 00000000..0b70b72c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json
@@ -0,0 +1,122 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Use of CVSS v2 as the only Scoring System (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
+ "baseScore": 5.5
+ },
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ },
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+ "baseScore": 10
+ },
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ },
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:L/AC:L/Au:S/C:C/I:N/A:N",
+ "baseScore": 4.6
+ },
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
+ "baseScore": 5.7,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ },
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v2": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+ "baseScore": 4.3
+ },
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
+ "baseScore": 3.1,
+ "baseSeverity": "LOW"
+ },
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
+ "baseScore": 2.1,
+ "baseSeverity": "LOW"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 66897317..2a1389b1 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1285,6 +1285,10 @@
 {
 "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-02.json",
 "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json",
+ "valid": true
 }
 ],
 "valid": [
@@ -1295,6 +1299,10 @@
 {
 "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-12.json",
 "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json",
+ "valid": true
 }
 ]
 },
From dfc79b60cef35c0598b470e6f68d9ddf69ef8a8d Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 16 Feb 2024 11:57:08 +0100 Subject: [PATCH 19/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - add test 6.3.12 - add invalid examples for 6.3.12 - add valid examples for 6.3.12 --- .../prose/edit/src/tests-03-informative.md | 42 +++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-01.json | 51 ++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-02.json | 51 ++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-03.json | 50 ++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json | 102 ++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-11.json | 57 +++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-12.json | 57 +++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-13.json | 56 +++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json | 114 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-12-15.json | 51 ++++++++ csaf_2.1/test/validator/data/testcases.json | 44 +++++++ .../test/validator/testcases_json_schema.json | 2 +- 12 files changed, 676 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-01.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-02.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-03.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-11.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-12.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-13.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-15.json 
diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md
index 99bc1fac..a9c49572 100644
--- a/csaf_2.1/prose/edit/src/tests-03-informative.md
+++ b/csaf_2.1/prose/edit/src/tests-03-informative.md
@@ -413,3 +413,45 @@ The relevant paths for this test are:
 > The product version starts with a `v`.
 -------
+
+### Missing CVSS v4.0
+
+For each item in the list of scores it MUST be tested that a `cvss_v4` object is present.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/scores
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+```
+
+> There is no CVSS v4.0 score given for `CSAFPID-9080700`.
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-01.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-01.json
new file mode 100644
index 00000000..6f12dd55
--- /dev/null
+++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-01.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Missing CVSS v4.0 (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-02.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-02.json
new file mode 100644
index 00000000..c60cb985
--- /dev/null
+++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-02.json
@@ -0,0 +1,51 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Missing CVSS v4.0 (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-03.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-03.json new file mode 100644 index 00000000..33724493 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-03.json 
@@ -0,0 +1,50 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Missing CVSS v4.0 (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "baseScore": 10 + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json new file mode 100644 index 00000000..731f4914 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json 
@@ -0,0 +1,102 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Informative test: Missing CVSS v4.0 (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", + "baseScore": 5.5 + }, + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "baseScore": 10 + }, + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "baseScore": 4.3 + }, + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "baseScore": 3.1, + "baseSeverity": "LOW" + } + } + ] + } + ] +} 
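Review bot: The `title` of this fixture reads `"Informative test: Informative test: Missing CVSS v4.0 (failing example 4)"`, with the prefix doubled, and the same doubled prefix appears in oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json later in this series. The tracking `id` is also `OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-04` while the file name and the sibling fixtures use `-6-3-12-`; PATCH 21/44 corrects the ids of both files but, as its context lines show, leaves the titles untouched. Suggest `"title": "Informative test: Missing CVSS v4.0 (failing example 4)"` here and the analogous line in the -14 fixture, so the titles match the other fixtures in this test group.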
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-11.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-11.json new file mode 100644 index 00000000..aa285c5c --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-11.json @@ -0,0 +1,57 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Missing CVSS v4.0 (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-12.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-12.json new file mode 100644 index 00000000..4eb00e5e --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-12.json 
@@ -0,0 +1,57 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Missing CVSS v4.0 (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-13.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-13.json new file mode 100644 index 00000000..04a9bc41 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-13.json 
@@ -0,0 +1,56 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Missing CVSS v4.0 (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "baseScore": 10 + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json new file mode 100644 index 00000000..d7f42162 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json 
@@ -0,0 +1,114 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Informative test: Missing CVSS v4.0 (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", + "baseScore": 5.5 + }, + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N", + "baseScore": 6.3, + "baseSeverity": "MEDIUM" + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "baseScore": 10 + }, + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + }, + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v2": { + "version": "2.0", + "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "baseScore": 4.3 + }, + "cvss_v3": { + "version": "3.1", + 
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "baseScore": 3.1, + "baseSeverity": "LOW" + }, + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", + "baseScore": 2.1, + "baseSeverity": "LOW" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-15.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-15.json new file mode 100644 index 00000000..f7b6ba25 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-15.json @@ -0,0 +1,51 @@ +{ + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Missing CVSS v4.0 (valid example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-15", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v4": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 2a1389b1..36f6f0d2 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1523,6 +1523,50 @@
 "valid": true
 }
 ]
+ },
+ {
+ "id": "6.3.12",
+ "group": "informative",
+ "failures": [
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-01.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-02.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-03.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-11.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-12.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-13.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json",
+ "valid": true
+ },
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-15.json",
+ "valid": true
+ }
+ ]
 }
 ]
 }
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 9d8f99e5..24b0d510 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[01])|([12]\\.20)|(1\\.2[1-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-3]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.20)|(1\\.2[1-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-3]))$"
 },
 "valid": {
 "title": "List of valid examples",
From ce28043114152cc020ff2610392549c9dc5e6dce Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 16 Feb 2024 12:00:17 +0100
Subject: [PATCH 20/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652, oasis-tcs/csaf#341
- add valid example for 6.1.9 to trigger `multipleOf` issue
---
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-09-16.json | 51 +++++++++++++++++++
 csaf_2.1/test/validator/data/testcases.json | 4 ++
 2 files changed, 55 insertions(+)
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-16.json
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-16.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-16.json
new file mode 100644
index 00000000..236a4726
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-16.json
@@ -0,0 +1,51 @@
+{
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid CVSS computation (valid example 6)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-09-16",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v4": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 36f6f0d2..6924b4b6 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -237,6 +237,10 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-15.json",
 "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-09-16.json",
+ "valid": true
 }
 ]
 },
From 1c810280aefeb4086affcb95fe0a1426d5d47d11 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 16 Feb 2024 12:06:59 +0100
Subject: [PATCH 21/44] CVSS 4.0
- addresses parts of oasis-tcs/csaf#652
- correct wrong `/document/tracking/id`
---
 .../data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json | 2 +-
 .../data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json
index 731f4914..8dda3429 100644
--- a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json
+++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-04.json
@@ -10,7 +10,7 @@
 "title": "Informative test: Informative test: Missing CVSS v4.0 (failing example 4)",
 "tracking": {
 "current_release_date": "2024-01-24T10:00:00.000Z",
- "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-04",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-04",
 "initial_release_date": "2024-01-24T10:00:00.000Z",
 "revision_history": [
 {
diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json
index d7f42162..cc2610ef 100644
--- a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json
+++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-12-14.json
@@ -10,7 +10,7 @@
 "title": "Informative test: Informative test: Missing CVSS v4.0 (valid example 4)",
 "tracking": {
 "current_release_date": "2024-01-24T10:00:00.000Z",
- "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-01-14",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-12-14",
 "initial_release_date": "2024-01-24T10:00:00.000Z",
 "revision_history": [
 {
From ea1d44996f206eccc358b8d09f2130874210a503 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Sat, 17 Feb 2024 00:20:10 +0100
Subject: [PATCH 22/44] References
- fixes oasis-tcs/csaf#684
- add RFC 8322 as informative reference
---
 .../prose/edit/src/introduction-04-informative-references.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
index 5fb3bb5a..4664d9fd 100644
--- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
+++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -88,6 +88,10 @@ RFC7464
 : N. Williams., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015,
 https://www.rfc-editor.org/info/rfc7464.
 
+RFC8322
+: Field, J., Banghart, S., and D. Waltermire, "Resource-Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018,
+https://www.rfc-editor.org/info/rfc8322.
+
 RFC8615
 : Nottingham, M., "Well-Known Uniform Resource Identifiers (URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019,
 https://www.rfc-editor.org/info/rfc8615.
From 1612c758b1d6f7982f31d131d5391bca12bdd87a Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Sat, 17 Feb 2024 00:25:53 +0100
Subject: [PATCH 23/44] BOM Link
- fixes oasis-tcs/csaf#687
- correct namespace
---
 .../edit/src/schema-elements-01-defs-03-full-product-name.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 3e105e97..7121d731 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -385,7 +385,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier ``` "x_generic_uris": [ { - "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field", + "namespace": "https://spdx.github.io/spdx-spec/latest/document-creation-information/#65-spdx-document-namespace-field", "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc" } ] From 942981339027099239921cbb3ee021f0928991da Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:29:36 +0100 Subject: [PATCH 24/44] Editorial - update date - update revision history - update citation format --- csaf_2.1/prose/edit/src/frontmatter.md | 4 ++-- csaf_2.1/prose/edit/src/revision-history.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index 710e19d6..dd54682d 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## ?? Month 2024 +## 28 February 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ 
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index c692ae69..842479aa 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -11,5 +11,5 @@ toc: | Revision | Date | Editor | Changes Made | |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------| | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision | - +| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- From 7aa5c24ebf6af232fb77e5dc7ff96f177a2ea64f Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:34:50 +0100 Subject: [PATCH 25/44] Size limit - addresses parts of oasis-tcs/csaf#626 - update size limit and unit --- csaf_2.1/prose/edit/src/guidance-on-size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index f654fb3a..a7183b96 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md 
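Review bot: The new revision-history row labels the 2024-02-28 editor revision `csaf-v2.0-wd20240228-dev`, although this is the CSAF 2.1 draft and the frontmatter hunk in the same commit cites `csaf-v2.1-csd01`. The existing row carries the same `csaf-v2.0-` prefix, so this may be a carried-over copy error rather than intended naming; if so, the row should read `| csaf-v2.1-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |`. The generated artifacts in PATCH 26/44 (csaf-v2.1-draft.html and csaf-v2.1-draft.md) repeat the label and would need regenerating after the source is corrected.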
@@ -36,7 +36,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits ## File size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, -e.g.: 15 MB. +e.g.: 50 MiB. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. From ae30854badc835ba147e036ab3b15a4eb2234947 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:50:17 +0100 Subject: [PATCH 26/44] Artifacts - generate artifacts for easier reading --- csaf_2.1/prose/share/csaf-v2.1-draft.html | 64 ++++++++++++++--------- csaf_2.1/prose/share/csaf-v2.1-draft.md | 12 +++-- 2 files changed, 47 insertions(+), 29 deletions(-) diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index 8c441bfa..04aee4d6 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -1,7 +1,7 @@ - + @@ -9,7 +9,7 @@ Common Security Advisory Framework Version 2.1 @@ -326,8 +326,8 @@
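Review bot: Raising the example limit from `15 MB` to `50 MiB` leaves the note directly below it, which says a widely used database rejects inserts once the BSON form exceeds 16 megabytes, without any explanation of why a figure roughly three times that size is now acceptable; read together, the sentence and the note contradict each other. PATCH 27/44 later prepends a bridging sentence about sizes varying in the wild but still does not reconcile the two numbers. Since this figure is also what consumers use to bound the memory and time a JSON parser must be prepared to spend on one document, the rationale matters; suggest stating it explicitly, e.g. `> The 50 MiB figure bounds what parsers are expected to handle; producers whose consumers rely on such storage are advised to stay below the 16 MB threshold.`, or dropping the BSON note if it no longer motivates the chosen value.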

Committee Specification Draft 01

-

- ?? Month 2024 +

+ 28 February 2024

This stage: @@ -448,7 +448,7 @@

[csaf-v2.1]

- Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


@@ -1360,6 +1360,9 @@

[https://www.rfc-editor.org/info/rfc7464.]

+

+ [https://www.rfc-editor.org/info/rfc8322.] +

[https://www.rfc-editor.org/info/rfc8615.]

@@ -2003,7 +2006,7 @@

    "product_identification_helper": {
       // ...
-      "properties": { 
+      "properties": {
         "cpe": {
           // ...
         },
@@ -2101,14 +2104,14 @@ 
The command openssl dgst -list (Version 1.1.1f from 2020-03-31) outputs the following:

 Supported digests:
- -blake2b512                -blake2s256                -md4                      
- -md5                       -md5-sha1                  -ripemd                   
- -ripemd160                 -rmd160                    -sha1                     
- -sha224                    -sha256                    -sha3-224                 
- -sha3-256                  -sha3-384                  -sha3-512                 
- -sha384                    -sha512                    -sha512-224               
- -sha512-256                -shake128                  -shake256                 
- -sm3                       -ssl3-md5                  -ssl3-sha1                
+ -blake2b512                -blake2s256                -md4
+ -md5                       -md5-sha1                  -ripemd
+ -ripemd160                 -rmd160                    -sha1
+ -sha224                    -sha256                    -sha3-224
+ -sha3-256                  -sha3-384                  -sha3-512
+ -sha384                    -sha512                    -sha512-224
+ -sha512-256                -shake128                  -shake256
+ -sm3                       -ssl3-md5                  -ssl3-sha1
  -whirlpool

@@ -2250,9 +2253,9 @@

    "skus": {
-        //...  
+        //...
       "items": {
-        //...  
+        //...
       }
     },

@@ -2315,7 +2318,7 @@

@@ -4883,7 +4886,7 @@

Affected:

-
/vulnerabilities[]/product_status/first_affected[]  
+        
/vulnerabilities[]/product_status/first_affected[]
 /vulnerabilities[]/product_status/known_affected[]
 /vulnerabilities[]/product_status/last_affected[]
@@ -6316,7 +6319,7 @@

The relevant paths for this test are:

-
  /vulnerabilities[]/product_status/first_affected[]  
+    
  /vulnerabilities[]/product_status/first_affected[]
   /vulnerabilities[]/product_status/known_affected[]
   /vulnerabilities[]/product_status/last_affected[]
   /vulnerabilities[]/product_status/under_investigation[]
@@ -6354,7 +6357,7 @@

The relevant paths for this test are:

-
  /vulnerabilities[]/product_status/first_affected[]  
+    
  /vulnerabilities[]/product_status/first_affected[]
   /vulnerabilities[]/product_status/known_affected[]
   /vulnerabilities[]/product_status/last_affected[]

@@ -10425,6 +10428,20 @@

Preparing initial Editor Revision + + + csaf-v2.0-wd20240228-dev + + + 2024-02-28 + + + Stefan Hagen and Thomas Schmidt + + + Next Editor Revision + +
@@ -10450,7 +10467,7 @@

C.1 File size

- A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 15 MB. + A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB.

@@ -11274,4 +11291,3 @@

  • /vulnerabilities[]/scores[]/cvss_v3/remediationLevel (13)
  • - \ No newline at end of file diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index 6ba8ae7c..e89aacce 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## ?? Month 2024 +## 28 February 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- @@ -635,6 +635,8 @@ For purposes of this document, the following terms and definitions apply: **\[****https://www.rfc-editor.org/info/rfc7464.\]** +**\[****https://www.rfc-editor.org/info/rfc8322.\]** + **\[****https://www.rfc-editor.org/info/rfc8615.\]** **\[****https://www.rfc-editor.org/info/rfc9116.\]** @@ -1546,7 +1548,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier ``` "x_generic_uris": [ { - "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field", + "namespace": "https://spdx.github.io/spdx-spec/latest/document-creation-information/#65-spdx-document-namespace-field", "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc" } ] 
@@ -7743,7 +7745,7 @@ The following individuals were members of the OASIS CSAF Technical Committee dur | Revision | Date | Editor | Changes Made | |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------| | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision | - +| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- # Appendix C. Guidance on the Size of CSAF Documents @@ -7763,7 +7765,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits ## C.1 File size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, -e.g.: 15 MB. +e.g.: 50 MiB. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. From 05db3f8f28135844e9bc53e0c0d38075762e91ea Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Sat, 17 Feb 2024 10:42:23 +0100 Subject: [PATCH 27/44] Added bridge in the note on the increased size --- csaf_2.1/prose/edit/src/guidance-on-size.md | 1 + 1 file changed, 1 insertion(+) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index a7183b96..b25612a9 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md 
@@ -38,6 +38,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. +> The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. > The BSON format optimizes for accessibility and not size. From f756a72cfd6e914973e983502425b3dfac1200e9 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:20:10 +0100 Subject: [PATCH 28/44] References - fixes oasis-tcs/csaf#684 - add RFC 8322 as informative reference --- .../prose/edit/src/introduction-04-informative-references.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index 90a4c1b2..e62b394c 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -91,6 +91,10 @@ RFC7464 : N. Williams., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, https://www.rfc-editor.org/info/rfc7464. +RFC8322 +: Field, J., Banghart, S., and D. Waltermire, "Resource-Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018, +https://www.rfc-editor.org/info/rfc8322. + RFC8615 : Nottingham, M., "Well-Known Uniform Resource Identifiers (URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019, https://www.rfc-editor.org/info/rfc8615. From 13ec5b7487108b9da607a844af8bb83f8df00f84 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:25:53 +0100 Subject: [PATCH 29/44] BOM Link - fixes oasis-tcs/csaf#687 - correct namespace --- .../edit/src/schema-elements-01-defs-03-full-product-name.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 3e105e97..7121d731 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -385,7 +385,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier ``` "x_generic_uris": [ { - "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field", + "namespace": "https://spdx.github.io/spdx-spec/latest/document-creation-information/#65-spdx-document-namespace-field", "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc" } ] From b34e2a113fcf1d533b98720d7ef31c81ca7caffa Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:29:36 +0100 Subject: [PATCH 30/44] Editorial - update date - update revision history - update citation format --- csaf_2.1/prose/edit/src/frontmatter.md | 4 ++-- csaf_2.1/prose/edit/src/revision-history.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index 710e19d6..dd54682d 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## ?? Month 2024 +## 28 February 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ 
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index c692ae69..842479aa 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -11,5 +11,5 @@ toc: | Revision | Date | Editor | Changes Made | |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------| | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision | - +| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- From 57b421eb3116a27f460a4c201352d3c15b904504 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:34:50 +0100 Subject: [PATCH 31/44] Size limit - addresses parts of oasis-tcs/csaf#626 - update size limit and unit --- csaf_2.1/prose/edit/src/guidance-on-size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index 8fadca4f..c8d42d61 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md 
@@ -36,7 +36,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits ## File size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, -e.g.: 15 MB. +e.g.: 50 MiB. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. From b30175ae6a0750d96434224538876b7a6fdb04a1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:50:17 +0100 Subject: [PATCH 32/44] Artifacts - generate artifacts for easier reading --- csaf_2.1/prose/share/csaf-v2.1-draft.html | 64 ++++++++++++++--------- csaf_2.1/prose/share/csaf-v2.1-draft.md | 12 +++-- 2 files changed, 47 insertions(+), 29 deletions(-) diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index 8c441bfa..04aee4d6 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -1,7 +1,7 @@ - + @@ -9,7 +9,7 @@ Common Security Advisory Framework Version 2.1 @@ -326,8 +326,8 @@

    Committee Specification Draft 01

    -

    - ?? Month 2024 +

    + 28 February 2024

    This stage: @@ -448,7 +448,7 @@

    [csaf-v2.1]

    - Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


    @@ -1360,6 +1360,9 @@

    [https://www.rfc-editor.org/info/rfc7464.]

    +

    + [https://www.rfc-editor.org/info/rfc8322.] +

    [https://www.rfc-editor.org/info/rfc8615.]

    @@ -2003,7 +2006,7 @@

        "product_identification_helper": {
           // ...
    -      "properties": { 
    +      "properties": {
             "cpe": {
               // ...
             },
    @@ -2101,14 +2104,14 @@ 
    The command openssl dgst -list (Version 1.1.1f from 2020-03-31) outputs the following:

     Supported digests:
    - -blake2b512                -blake2s256                -md4                      
    - -md5                       -md5-sha1                  -ripemd                   
    - -ripemd160                 -rmd160                    -sha1                     
    - -sha224                    -sha256                    -sha3-224                 
    - -sha3-256                  -sha3-384                  -sha3-512                 
    - -sha384                    -sha512                    -sha512-224               
    - -sha512-256                -shake128                  -shake256                 
    - -sm3                       -ssl3-md5                  -ssl3-sha1                
    + -blake2b512                -blake2s256                -md4
    + -md5                       -md5-sha1                  -ripemd
    + -ripemd160                 -rmd160                    -sha1
    + -sha224                    -sha256                    -sha3-224
    + -sha3-256                  -sha3-384                  -sha3-512
    + -sha384                    -sha512                    -sha512-224
    + -sha512-256                -shake128                  -shake256
    + -sm3                       -ssl3-md5                  -ssl3-sha1
      -whirlpool

    @@ -2250,9 +2253,9 @@

        "skus": {
    -        //...  
    +        //...
           "items": {
    -        //...  
    +        //...
           }
         },

    @@ -2315,7 +2318,7 @@

    @@ -4883,7 +4886,7 @@

    Affected:

    -
    /vulnerabilities[]/product_status/first_affected[]  
    +        
    /vulnerabilities[]/product_status/first_affected[]
     /vulnerabilities[]/product_status/known_affected[]
     /vulnerabilities[]/product_status/last_affected[]
    @@ -6316,7 +6319,7 @@

    The relevant paths for this test are:

    -
      /vulnerabilities[]/product_status/first_affected[]  
    +    
      /vulnerabilities[]/product_status/first_affected[]
       /vulnerabilities[]/product_status/known_affected[]
       /vulnerabilities[]/product_status/last_affected[]
       /vulnerabilities[]/product_status/under_investigation[]
    @@ -6354,7 +6357,7 @@

    The relevant paths for this test are:

    -
      /vulnerabilities[]/product_status/first_affected[]  
    +    
      /vulnerabilities[]/product_status/first_affected[]
       /vulnerabilities[]/product_status/known_affected[]
       /vulnerabilities[]/product_status/last_affected[]

    @@ -10425,6 +10428,20 @@

    Preparing initial Editor Revision + + + csaf-v2.0-wd20240228-dev + + + 2024-02-28 + + + Stefan Hagen and Thomas Schmidt + + + Next Editor Revision + +
    @@ -10450,7 +10467,7 @@

    C.1 File size

    - A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 15 MB. + A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB.

    @@ -11274,4 +11291,3 @@

  • /vulnerabilities[]/scores[]/cvss_v3/remediationLevel (13)
  • - \ No newline at end of file diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index 6ba8ae7c..e89aacce 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## ?? Month 2024 +## 28 February 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- @@ -635,6 +635,8 @@ For purposes of this document, the following terms and definitions apply: **\[****https://www.rfc-editor.org/info/rfc7464.\]** +**\[****https://www.rfc-editor.org/info/rfc8322.\]** + **\[****https://www.rfc-editor.org/info/rfc8615.\]** **\[****https://www.rfc-editor.org/info/rfc9116.\]** @@ -1546,7 +1548,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier ``` "x_generic_uris": [ { - "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field", + "namespace": "https://spdx.github.io/spdx-spec/latest/document-creation-information/#65-spdx-document-namespace-field", "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc" } ] 
@@ -7743,7 +7745,7 @@ The following individuals were members of the OASIS CSAF Technical Committee dur | Revision | Date | Editor | Changes Made | |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------| | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision | - +| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- # Appendix C. Guidance on the Size of CSAF Documents @@ -7763,7 +7765,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits ## C.1 File size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, -e.g.: 15 MB. +e.g.: 50 MiB. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. From 469fba27e5a342f37f3aa21ea8d0f307719fdd46 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Sat, 17 Feb 2024 10:42:23 +0100 Subject: [PATCH 33/44] Added bridge in the note on the increased size --- csaf_2.1/prose/edit/src/guidance-on-size.md | 1 + 1 file changed, 1 insertion(+) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index c8d42d61..4d8f2620 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md 
@@ -38,6 +38,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. +> The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. > The BSON format optimizes for accessibility and not size. From 150f42ec7a8645e6b9a7250841d9cf84a325d90a Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 17:16:22 +0100 Subject: [PATCH 34/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - update CVSS schema as FIRST corrected wrong keywords --- csaf_2.1/referenced_schema/first/cvss-v4.0.json | 6 +++--- csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/csaf_2.1/referenced_schema/first/cvss-v4.0.json b/csaf_2.1/referenced_schema/first/cvss-v4.0.json index 695ad9e5..6ffffd0e 100644 --- a/csaf_2.1/referenced_schema/first/cvss-v4.0.json +++ b/csaf_2.1/referenced_schema/first/cvss-v4.0.json @@ -23,7 +23,7 @@ "$schema": "http://json-schema.org/draft-07/schema#", "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", - "$id": "https://www.first.org/cvss/cvss-v4.0.json?20231011", + "$id": "https://www.first.org/cvss/cvss-v4.0.json?20240216", "type": "object", "definitions": { "attackVectorType": { 
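Review bot: The `$id` bump to `https://www.first.org/cvss/cvss-v4.0.json?20240216` in the `@@ -23,7 +23,7 @@` hunk changes the identifier under which a resolver keyed by `$id` registers this schema, so a `$ref` that names the bare URL without the query string will only resolve if the validator is given an explicit URI-to-file mapping; the same applies to the `$id` hunk of cvss-v4.0_strict.json. It would help to pin the expected `$id` in the validator's schema-loading code or test harness so that the next upstream bump is caught rather than silently falling back to a network fetch. Recording which FIRST revision this copy mirrors (the commit message says FIRST corrected keywords, but the file carries no such marker beyond the query string) would let reviewers confirm the enum edits in the following hunk are verbatim.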
@@ -86,12 +86,12 @@
 },
 "modifiedSubCType": {
 "type": "string",
- "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ],
+ "enum": [ "NEGLIGIBLE", "LOW", "HIGH", "NOT_DEFINED" ],
 "default": "NOT_DEFINED"
 },
 "modifiedSubIaType": {
 "type": "string",
- "enum": [ "NONE", "LOW", "HIGH", "SAFETY", "NOT_DEFINED" ],
+ "enum": [ "NEGLIGIBLE", "LOW", "HIGH", "SAFETY", "NOT_DEFINED" ],
 "default": "NOT_DEFINED"
 },
 "exploitMaturityType": {
diff --git a/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json b/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
index be82d6a4..e6a3eb6d 100644
--- a/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+++ b/csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
@@ -1,5 +1,5 @@
 {
- "$id": "https://www.first.org/cvss/cvss-v4.0.json?20231011",
+ "$id": "https://www.first.org/cvss/cvss-v4.0.json?20240216",
 "$schema": "http://json-schema.org/draft-07/schema#",
 "unevaluatedProperties": false,
 "allOf": [
@@ -297,7 +297,7 @@
 "modifiedSubCType": {
 "default": "NOT_DEFINED",
 "enum": [
- "NONE",
+ "NEGLIGIBLE",
 "LOW",
 "HIGH",
 "NOT_DEFINED"
@@ -307,7 +307,7 @@
 "modifiedSubIaType": {
 "default": "NOT_DEFINED",
 "enum": [
- "NONE",
+ "NEGLIGIBLE",
 "LOW",
 "HIGH",
 "SAFETY",
From 949834b395218903dd1ee1f67d799623a53abafe Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Sat, 24 Feb 2024 17:23:01 +0100
Subject: [PATCH 35/44] CVSS 4.0 - addresses parts of oasis-tcs/csaf#652 - adopt test files in 6.2.19 to reflect changes in FIRST CVSS schema
---
 .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json | 4 ++--
 .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json
index 2becc467..87f31ded 100644
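Review bot: cvss-v4.0_strict.json declares `"$schema": "http://json-schema.org/draft-07/schema#"` yet relies on `"unevaluatedProperties": false` for its strictness (both are context lines of the `@@ -1,5 +1,5 @@` hunk); `unevaluatedProperties` only exists from draft 2019-09 onward, so a validator that honours the declared dialect treats it as an unknown keyword and ignores it, leaving the "strict" variant no stricter than the base schema against unexpected properties. Unless the validators in the pipeline are run with 2019-09+ semantics regardless of `$schema` (I cannot tell from this hunk), either declare a dialect that defines the keyword, e.g. `"$schema": "https://json-schema.org/draft/2020-12/schema"`, or keep draft-07 and restructure the `allOf` composition so that `"additionalProperties": false` can be applied. A negative fixture that places an extra, unknown property inside a `cvss_v4` object would pin whichever behaviour is intended and would have caught this.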
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-08.json
@@ -46,8 +46,8 @@
 "modifiedVulnConfidentialityImpact": "NONE",
 "modifiedVulnIntegrityImpact": "NONE",
 "modifiedVulnAvailabilityImpact": "NONE",
- "modifiedSubConfidentialityImpact": "NONE",
- "modifiedSubIntegrityImpact": "NONE",
+ "modifiedSubConfidentialityImpact": "NEGLIGIBLE",
+ "modifiedSubIntegrityImpact": "NEGLIGIBLE",
 "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
 "version": "4.0"
 },
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json
index 6350c321..07098e88 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-19-19.json
@@ -46,9 +46,9 @@
 "modifiedVulnConfidentialityImpact": "NONE",
 "modifiedVulnIntegrityImpact": "NONE",
 "modifiedVulnAvailabilityImpact": "NONE",
- "modifiedSubConfidentialityImpact": "NONE",
- "modifiedSubIntegrityImpact": "NONE",
- "modifiedSubAvailabilityImpact": "NONE",
+ "modifiedSubConfidentialityImpact": "NEGLIGIBLE",
+ "modifiedSubIntegrityImpact": "NEGLIGIBLE",
+ "modifiedSubAvailabilityImpact": "NEGLIGIBLE",
 "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
 "version": "4.0"
 },
From 9a7cf537c182eefca95244a0ea10942b0aafbc99 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Sat, 24 Feb 2024 17:48:35 +0100
Subject: [PATCH 36/44] Correct Example 129 - resolves oasis-tcs/csaf#589 - make each file appear only once in changes.csv - update filenames to reflect suggested practice
---
 csaf_2.1/prose/edit/src/distributing.md | 31 +++++++++++++------------
 1 file changed, 16 insertions(+), 15 deletions(-)
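Review bot: After the rename both fixtures carry explicit environmental metrics (`"modifiedSub*Impact": "NEGLIGIBLE"` next to the existing `"modifiedVuln*Impact": "NONE"` lines) while `vectorString` is still the bare base vector `CVSS:4.0/AV:L/.../SA:H` with no MVC/MVI/MVA or MSC/MSI/MSA components, so the JSON metrics and the vector disagree in both the -08 and the -19 file. If these are meant to be otherwise valid inputs for test 6.2.19 rather than deliberately inconsistent documents, the vector should be extended to match, e.g. `"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/MVC:N/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N"`; a consistency test that compares the vector with the properties (if the CSAF one is extended to v4.0) would otherwise reject them for an unrelated reason. The -08 fixture also lacks a `modifiedSubAvailabilityImpact` line that -19 has; presumably intentional for that case, but worth confirming since the commit touches exactly these keys.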
diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 38d946a7..58a900a0 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -171,8 +171,8 @@ value of `/document/tracking/initial_release_date`. *Examples 1:* ``` -2021 -2020 +2024 +2023 ``` ### Requirement 12: index.txt @@ -182,9 +182,10 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents *Example 1:* ``` -2020/example_company_-_2020-yh4711.json -2019/example_company_-_2019-yh3234.json -2018/example_company_-_2018-yh2312.json +2023/esa-2023-09953.json +2022/esa-2022-02723.json +2021/esa-2021-31916.json +2021/esa-2021-03676.json ``` > This can be used to download all CSAF documents. @@ -197,10 +198,10 @@ CSAF document in the sub-directories without a heading; lines MUST be sorted by *Example 1:* ``` -"2020/example_company_-_2020-yh4711.json","2020-07-01T10:09:07Z" -"2018/example_company_-_2018-yh2312.json","2020-07-01T10:09:01Z" -"2019/example_company_-_2019-yh3234.json","2019-04-17T15:08:41Z" -"2018/example_company_-_2018-yh2312.json","2019-03-01T06:01:00Z" +"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" +"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" +"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" +"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" ``` ### Requirement 14: Directory listings @@ -388,9 +389,9 @@ MD5 and SHA1 SHOULD NOT be used. *Example 1:* ``` -File name of CSAF document: example_company_-_2019-yh3234.json -File name of SHA-256 hash file: example_company_-_2019-yh3234.json.sha256 -File name of SHA-512 hash file: example_company_-_2019-yh3234.json.sha512 +File name of CSAF document: esa-2022-02723.json +File name of SHA-256 hash file: esa-2022-02723.json.sha256 +File name of SHA-512 hash file: esa-2022-02723.json.sha512 ``` The file content SHALL start with the first byte of the hexadecimal hash value. 
@@ -399,7 +400,7 @@ Any subsequent data (like a filename) which is optional SHALL be separated by at *Example 2:* ``` -ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 example_company_-_2019-yh3234.json +ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json ``` If a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15. @@ -412,8 +413,8 @@ extended by the appropriate extension. See [cite](#RFC4880) for more details. *Example 1:* ``` -File name of CSAF document: example_company_-_2019-yh3234.json -File name of signature file: example_company_-_2019-yh3234.json.asc +File name of CSAF document: esa-2022-02723.json +File name of signature file: esa-2022-02723.json.asc ``` If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15. From c6e5a75a656c776ab3ee781de9127871ba6b2682 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 17:59:10 +0100 Subject: [PATCH 37/44] Markdown - addresses parts of oasis-tcs/csaf#629 - clearly state that GitHub-flavoured Markdown is allowed --- csaf_2.1/prose/edit/src/safety-security-and-data-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md b/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md index 31f1b15c..88f4f743 100644 --- a/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md +++ b/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md 
@@ -12,7 +12,7 @@ CSAF documents are based on JSON, thus the security considerations of [cite](#RF In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF. Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following: -* CSAF producers SHOULD NOT emit messages that contain HTML, even though all variants of Markdown permit it. +* CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permit. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option. * Deeply nested markup can cause a stack overflow in the Markdown processor [cite](#GFMENG). From 8bfb6266b445c1f8b59aa07bc21f3c93f44add0d Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 18:06:14 +0100 Subject: [PATCH 38/44] Markdown - addresses parts of oasis-tcs/csaf#629 - explicitly mention fields that may contain Markdown --- .../prose/edit/src/additional-conventions.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/csaf_2.1/prose/edit/src/additional-conventions.md b/csaf_2.1/prose/edit/src/additional-conventions.md index ce960de5..0eebf2f7 100644 --- a/csaf_2.1/prose/edit/src/additional-conventions.md +++ b/csaf_2.1/prose/edit/src/additional-conventions.md 
@@ -47,4 +47,28 @@ they MUST be separated by the Record Separator in accordance with [cite](#RFC746 The keys within a CSAF document SHOULD be sorted alphabetically. +## Usage of Markdown + +The use of GitHub-flavoured Markdown is permitted in the following fields: + +``` + /document/acknowledgments[]/summary + /document/distribution/text + /document/notes[]/text + /document/publisher/issuing_authority + /document/references[]/summary + /document/tracking/revision_history[]/summary + /product_tree/product_groups[]/summary + /vulnerabilities[]/acknowledgments[]/summary + /vulnerabilities[]/involvements[]/summary + /vulnerabilities[]/notes[]/text + /vulnerabilities[]/references[]/summary + /vulnerabilities[]/remediations[]/details + /vulnerabilities[]/remediations[]/entitlements[] + /vulnerabilities[]/remediations[]/restart_required/details + /vulnerabilities[]/threats[]/details +``` + +Other fields MUST NOT contain Markdown. + ------- From 877ddd1a35ce79bcd00fc5ba5adbb776b8819b05 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 18:57:37 +0100 Subject: [PATCH 39/44] Editorial - resolves oasis-tcs/csaf#634 - correct broken link --- csaf_2.1/prose/edit/src/schema-elements-02-props-01-document.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-01-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-01-document.md index ba00e4b0..60905522 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-01-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-01-document.md @@ -207,7 +207,7 @@ The default value is the URL to the definition by FIRST: ``` https://www.us-cert.gov/tlp - https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf + https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf ``` #### Document Property - Language 
From eb95b8d88c99ea228e24a38db183d0cf288c34fc Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 19:17:13 +0100 Subject: [PATCH 40/44] CSAF 2.0-2.1 converter - addresses parts of oasis-tcs/csaf#673 - add new conformance target CSAF 2.0 CSAF 2.1 converter --- csaf_2.1/prose/edit/src/conformance.md | 16 ++++++++++++++++ .../src/introduction-02-terminology-glossary.md | 3 +++ 2 files changed, 19 insertions(+) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 6825a5c9..38d6e639 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md @@ -50,6 +50,7 @@ The entities ("conformance targets") for which this document defines requirement * **CSAF full validator**: A CSAF extended validator that additionally performs informative tests. * **CSAF SBOM matching system**: A program that connects to or is an SBOM database and is able to manage CSAF documents as required by CSAF management system as well as matching them to SBOM components of the SBOM database. +* **CSAF 2.0 to CSAF 2.1 converter**: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document. ### Conformance Clause 1: CSAF document 
@@ -489,4 +490,19 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc * matching that CSAF document at all * marked with a given status +### Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter + +A program satisfies the "CSAF 2.0 to CSAF 2.1 converter" conformance profile if the program fulfills the following two groups of requirements: + +Firstly, the program: + +* satisfies the "CSAF producer" conformance profile. +* takes only CSAF 2.0 documents as input. +* additionally satisfies the normative requirements given below. + +Secondly, the program fulfills the following for all items of: + + +> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown. + ------- diff --git a/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md b/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md index 1e9a7e00..4c927419 100644 --- a/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md +++ b/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md @@ -20,6 +20,9 @@ _Examples_: A physical file in a file system such as a source file, an object fi a specific version of a file in a version control system; a database table accessed via an HTTP request; an arbitrary stream of bytes returned from an HTTP request, a product URL, a common product enumeration value. +CSAF 2.0 to CSAF 2.1 converter +: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document. + CSAF asset matching system : program that connects to or is an asset database and is able to manage CSAF documents as required by CSAF management system From 9c40e21dbe1b1d4e12a29a638e66b80f9a6ccba0 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 19:38:00 +0100 Subject: [PATCH 41/44] Editorial - resolves oasis-tcs/csaf#576 - add missing date in VEX-Justification reference --- .../prose/edit/src/introduction-04-informative-references.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index e62b394c..3a450f3b 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -127,7 +127,7 @@ VEX VEX-Justification : _Vulnerability Exploitability eXchange (VEX) - Status Justifications_, VEX sub-group of the Framing Working Group in the CISA SBOM initiative, -XX May 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf. +June 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf. XML : _Extensible Markup Language (XML) 1.0 (Fifth Edition)_, T. Bray, J. Paoli, M. Sperberg-McQueen, E. Maler, F. Yergeau, Editors, From 1ef57cb9040d0c9ac1a2a9975176ed9305c5b4b8 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 24 Feb 2024 19:43:07 +0100 Subject: [PATCH 42/44] Editorial - resolves oasis-tcs/csaf#578 - remove obsolete "is" --- .../edit/src/schema-elements-01-defs-03-full-product-name.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 7121d731..59690c97 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md 
@@ -311,7 +311,7 @@ abbreviated (partial) stock keeping units. A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. -In the latter case the remediations SHALL include the new stock keeping units is or a description how it can be obtained. +In the latter case the remediations SHALL include the new stock keeping units or a description how it can be obtained. > The use of the list of relationships in the first case is important. > Otherwise, the end user is unable to identify which version (the affected or the not affected / fixed one) is used. From c41b0f2441627c789478de25a5e926a4bf04e42f Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Sat, 24 Feb 2024 23:40:33 +0100 Subject: [PATCH 43/44] Nit --- csaf_2.1/prose/edit/src/safety-security-and-data-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md b/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md index 88f4f743..60d936d3 100644 --- a/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md +++ b/csaf_2.1/prose/edit/src/safety-security-and-data-protection.md 
@@ -12,7 +12,7 @@ CSAF documents are based on JSON, thus the security considerations of [cite](#RF In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF. Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following: -* CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permit. +* CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permitted. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option. * Deeply nested markup can cause a stack overflow in the Markdown processor [cite](#GFMENG). From 49ff91a9e04b87713aa049e2271bd9ae13c07ab8 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Tue, 27 Feb 2024 19:34:05 +0100 Subject: [PATCH 44/44] Rendered delivery items matching editor revision 2024-02-28 - amended the mapping helper files in etc to include the added section and example - executed the rendering pipeline - Note: the automated extraction of section and example counts for the mapping helpers was forgotten along the many changes during bootstrap TODO(sthagen) to restore this auto discovery Co-authored-by: Thomas Schmidt Signed-off-by: Stefan Hagen --- .../edit/etc/example-global-to-local.json | 41 +- .../edit/etc/example-local-to-global.json | 41 +- .../edit/etc/section-display-to-label.json | 1 + .../edit/etc/section-label-to-display.json | 1 + csaf_2.1/prose/share/csaf-v2.1-draft.html | 448 ++++++++++++++---- csaf_2.1/prose/share/csaf-v2.1-draft.md | 238 ++++++++-- 6 files changed, 604 insertions(+), 166 deletions(-) diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json index c9f4ed4f..0e1b3adf 100644 
--- a/csaf_2.1/prose/edit/etc/example-global-to-local.json
+++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json
@@ -123,24 +123,25 @@
 "121": "branch-categories-eg-1",
 "122": "usage-of-product-version-range-eg-1",
 "123": "usage-of-v-as-version-indicator-eg-1",
- "124": "requirement-7-provider-metadata-json-eg-1",
- "125": "requirement-8-security-txt-eg-1",
- "126": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
- "127": "requirement-11-one-folder-per-year-eg-1",
- "128": "requirement-12-index-txt-eg-1",
- "129": "requirement-13-changes-csv-eg-1",
- "130": "requirement-15-rolie-feed-eg-1",
- "131": "requirement-16-rolie-service-document-eg-1",
- "132": "requirement-17-rolie-category-document-eg-1",
- "133": "requirement-17-rolie-category-document-eg-2",
- "134": "requirement-17-rolie-category-document-eg-3",
- "135": "requirement-18-integrity-eg-1",
- "136": "requirement-18-integrity-eg-2",
- "137": "requirement-19-signatures-eg-1",
- "138": "requirement-21-list-of-csaf-providers-eg-1",
- "139": "requirement-23-mirror-eg-1",
- "140": "conformance-clause-5-cvrf-csaf-converter-eg-1",
- "141": "conformance-clause-5-cvrf-csaf-converter-eg-2",
- "142": "conformance-clause-5-cvrf-csaf-converter-eg-3",
- "143": "conformance-clause-5-cvrf-csaf-converter-eg-4"
+ "124": "missing-cvss-v4-0-eg-1",
+ "126": "requirement-7-provider-metadata-json-eg-1",
+ "127": "requirement-8-security-txt-eg-1",
+ "128": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
+ "129": "requirement-11-one-folder-per-year-eg-1",
+ "120": "requirement-12-index-txt-eg-1",
+ "130": "requirement-13-changes-csv-eg-1",
+ "131": "requirement-15-rolie-feed-eg-1",
+ "132": "requirement-16-rolie-service-document-eg-1",
+ "133": "requirement-17-rolie-category-document-eg-1",
+ "134": "requirement-17-rolie-category-document-eg-2",
+ "135": "requirement-17-rolie-category-document-eg-3",
+ "136": "requirement-18-integrity-eg-1",
+ "137": "requirement-18-integrity-eg-2",
+ "138": "requirement-19-signatures-eg-1",
+ "139": "requirement-21-list-of-csaf-providers-eg-1",
+ "140": "requirement-23-mirror-eg-1",
+ "141": "conformance-clause-5-cvrf-csaf-converter-eg-1",
+ "142": "conformance-clause-5-cvrf-csaf-converter-eg-2",
+ "143": "conformance-clause-5-cvrf-csaf-converter-eg-3",
+ "144": "conformance-clause-5-cvrf-csaf-converter-eg-4"
 }
diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json
index 4e958008..14a23850 100644
--- a/csaf_2.1/prose/edit/etc/example-local-to-global.json
+++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json
@@ -13,10 +13,10 @@
 "branches-type-name-under-product-version-range-eg-2": "9",
 "build-metadata-in-revision-history-eg-1": "96",
 "circular-definition-of-product-id-eg-1": "51",
- "conformance-clause-5-cvrf-csaf-converter-eg-1": "140",
- "conformance-clause-5-cvrf-csaf-converter-eg-2": "141",
- "conformance-clause-5-cvrf-csaf-converter-eg-3": "142",
- "conformance-clause-5-cvrf-csaf-converter-eg-4": "143",
+ "conformance-clause-5-cvrf-csaf-converter-eg-1": "141",
+ "conformance-clause-5-cvrf-csaf-converter-eg-2": "142",
+ "conformance-clause-5-cvrf-csaf-converter-eg-3": "143",
+ "conformance-clause-5-cvrf-csaf-converter-eg-4": "144",
 "contradicting-product-status-eg-1": "54",
 "cve-in-field-ids-eg-1": "109",
 "cvss-for-fixed-products-eg-1": "111",
@@ -56,6 +56,7 @@
 "latest-document-version-eg-1": "64",
 "missing-canonical-url-eg-1": "103",
 "missing-cve-eg-1": "115",
+ "missing-cvss-v4-0-eg-1": "124",
 "missing-cwe-eg-1": "116",
 "missing-date-in-involvements-eg-1": "99",
 "missing-definition-of-product-group-id-eg-1": "52",
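Review bot: The new entry `"120": "requirement-12-index-txt-eg-1"` in the example-global-to-local.json hunk breaks the mapping: the reverse file's third hunk assigns `"requirement-12-index-txt-eg-1": "129"` and still lists `"spell-check-eg-1": "120"`, so this file presumably ends up with two `"120"` keys, which a strict JSON parser rejects and most lenient parsers resolve by silently keeping whichever occurrence comes last. The same reverse hunk gives requirement-7 through requirement-11 the numbers 125–128 while this hunk uses 126–129, so those four keys are each one too high and `"125"` is never used. The commit message says the automated discovery for these helper files is currently disabled, which would explain the hand-edited drift; the lines below restore a one-to-one mapping with example-local-to-global.json. Entries "130" onward already agree with the reverse file and are left as they are.

```json
  "124": "missing-cvss-v4-0-eg-1",
  "125": "requirement-7-provider-metadata-json-eg-1",
  "126": "requirement-8-security-txt-eg-1",
  "127": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
  "128": "requirement-11-one-folder-per-year-eg-1",
  "129": "requirement-12-index-txt-eg-1",
  "130": "requirement-13-changes-csv-eg-1",
```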
@@ -93,22 +94,22 @@
 "purl-eg-1": "61",
 "released-revision-history-eg-1": "66",
 "remediation-without-product-reference-eg-1": "88",
- "requirement-11-one-folder-per-year-eg-1": "127",
- "requirement-12-index-txt-eg-1": "128",
- "requirement-13-changes-csv-eg-1": "129",
- "requirement-15-rolie-feed-eg-1": "130",
- "requirement-16-rolie-service-document-eg-1": "131",
- "requirement-17-rolie-category-document-eg-1": "132",
- "requirement-17-rolie-category-document-eg-2": "133",
- "requirement-17-rolie-category-document-eg-3": "134",
- "requirement-18-integrity-eg-1": "135",
- "requirement-18-integrity-eg-2": "136",
- "requirement-19-signatures-eg-1": "137",
- "requirement-21-list-of-csaf-providers-eg-1": "138",
- "requirement-23-mirror-eg-1": "139",
- "requirement-7-provider-metadata-json-eg-1": "124",
- "requirement-8-security-txt-eg-1": "125",
- "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "126",
+ "requirement-11-one-folder-per-year-eg-1": "128",
+ "requirement-12-index-txt-eg-1": "129",
+ "requirement-13-changes-csv-eg-1": "130",
+ "requirement-15-rolie-feed-eg-1": "131",
+ "requirement-16-rolie-service-document-eg-1": "132",
+ "requirement-17-rolie-category-document-eg-1": "133",
+ "requirement-17-rolie-category-document-eg-2": "134",
+ "requirement-17-rolie-category-document-eg-3": "135",
+ "requirement-18-integrity-eg-1": "136",
+ "requirement-18-integrity-eg-2": "137",
+ "requirement-19-signatures-eg-1": "138",
+ "requirement-21-list-of-csaf-providers-eg-1": "139",
+ "requirement-23-mirror-eg-1": "140",
+ "requirement-7-provider-metadata-json-eg-1": "125",
+ "requirement-8-security-txt-eg-1": "126",
+ "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "127",
 "revision-history-entries-for-pre-release-versions-eg-1": "67",
 "sorted-revision-history-eg-1": "62",
 "spell-check-eg-1": "120",
diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json
index d8de853d..5e77fc09 100644
--- a/csaf_2.1/prose/edit/etc/section-display-to-label.json
+++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json
@@ -191,6 +191,7 @@
 "6.3.9": "branch-categories",
 "6.3.10": "usage-of-product-version-range",
 "6.3.11": "usage-of-v-as-version-indicator",
+ "6.3.12": "missing-cvss-v4-0",
 "7": "distributing-csaf-documents",
 "7.1": "requirements",
 "7.1.1": "requirement-1-valid-csaf-document",
diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json
index 6b34e181..e4cad037 100644
--- a/csaf_2.1/prose/edit/etc/section-label-to-display.json
+++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json
@@ -112,6 +112,7 @@
 "mandatory-tests": "6.1",
 "missing-canonical-url": "6.2.11",
 "missing-cve": "6.3.3",
+ "missing-cvss-v4-0": "6.3.12",
 "missing-cwe": "6.3.4",
 "missing-date-in-involvements": "6.2.7",
 "missing-definition-of-product-group-id": "6.1.4",
diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html
index 04aee4d6..8baf0dec 100644
--- a/csaf_2.1/prose/share/csaf-v2.1-draft.html
+++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html
@@ -1,7 +1,7 @@ - + @@ -9,7 +9,7 @@ Common Security Advisory Framework Version 2.1 @@ -403,14 +403,11 @@

    Declared JSON namespaces:

    @@ -620,7 +617,8 @@

    Additional Conventions
    5.1 Filename
    5.2 Separation in Data Stream
    - 5.3 Sorting + 5.3 Sorting
    + 5.4 Usage of Markdown
  • Tests
    @@ -701,7 +699,8 @@

    6.3.8 Spell check
    6.3.9 Branch Categories
    6.3.10 Usage of Product Version Range
    - 6.3.11 Usage of V as Version Indicator + 6.3.11 Usage of V as Version Indicator
    + 6.3.12 Missing CVSS v4.0

  • Distributing CSAF documents
    @@ -761,7 +760,8 @@

    9.1.14 Conformance Clause 14: CSAF basic validator
    9.1.15 Conformance Clause 15: CSAF extended validator
    9.1.16 Conformance Clause 16: CSAF full validator
    - 9.1.17 Conformance Clause 17: CSAF SBOM matching system + 9.1.17 Conformance Clause 17: CSAF SBOM matching system
    + 9.1.18 Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter

  • @@ -783,7 +783,8 @@

    This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents - have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/csaf/ipr.php). + have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page ([https://www.oasis-open.org/committees/csaf/ipr.php](https://www.oasis-open.org/committees/csaf/ipr.php)).

    1.2 Terminology @@ -828,6 +829,12 @@

    sequence of bytes addressable via a URI. Examples: A physical file in a file system such as a source file, an object file, a configuration file or a data file; a specific version of a file in a version control system; a database table accessed via an HTTP request; an arbitrary stream of bytes returned from an HTTP request, a product URL, a common product enumeration value. +
    + CSAF 2.0 to CSAF 2.1 converter +
    +
    + A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document. +
    CSAF asset matching system
    @@ -1312,6 +1319,9 @@

    [CVSS31] Common Vulnerability Scoring System v3.1: Specification Document, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.

    +

    + [CVSS40] Common Vulnerability Scoring System v4.0: Specification Document, FIRST.Org, Inc., 09 November 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf. +

    [CWE] Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types, MITRE, 2005, http://cwe.mitre.org/about/.

    @@ -1390,7 +1400,7 @@

    [27 September 2021, https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf.]

    - [XX May 2022, [June 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.]

    @@ -1499,6 +1509,12 @@

  • Vulnerability Scoring:
      +
    • Common Vulnerability Scoring System (CVSS) Version 4.0 [CVSS40] + +
    • Common Vulnerability Scoring System (CVSS) Version 3.1 [CVSS31]
      • JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json @@ -2006,7 +2022,7 @@

            "product_identification_helper": {
               // ...
        -      "properties": {
        +      "properties": { 
                 "cpe": {
                   // ...
                 },
        @@ -2104,14 +2120,14 @@ 
        The command openssl dgst -list (Version 1.1.1f from 2020-03-31) outputs the following:

         Supported digests:
        - -blake2b512                -blake2s256                -md4
        - -md5                       -md5-sha1                  -ripemd
        - -ripemd160                 -rmd160                    -sha1
        - -sha224                    -sha256                    -sha3-224
        - -sha3-256                  -sha3-384                  -sha3-512
        - -sha384                    -sha512                    -sha512-224
        - -sha512-256                -shake128                  -shake256
        - -sm3                       -ssl3-md5                  -ssl3-sha1
        + -blake2b512                -blake2s256                -md4                      
        + -md5                       -md5-sha1                  -ripemd                   
        + -ripemd160                 -rmd160                    -sha1                     
        + -sha224                    -sha256                    -sha3-224                 
        + -sha3-256                  -sha3-384                  -sha3-512                 
        + -sha384                    -sha512                    -sha512-224               
        + -sha512-256                -shake128                  -shake256                 
        + -sm3                       -ssl3-md5                  -ssl3-sha1                
          -whirlpool

  • @@ -2245,7 +2261,7 @@

    The list of stock keeping units (skus) of value type array with 1 or more items contains a list of full or abbreviated (partial) stock keeping units.

    - A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. In the latter case the remediations SHALL include the new stock keeping units is or a description how it can be obtained. + A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. In the latter case the remediations SHALL include the new stock keeping units or a description how it can be obtained.

    @@ -2253,9 +2269,9 @@

        "skus": {
    -        //...
    +        //...  
           "items": {
    -        //...
    +        //...  
           }
         },

    @@ -2957,7 +2973,7 @@

    Examples 1:

        https://www.us-cert.gov/tlp
    -    https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf
    + https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf

    3.2.1.6 Document Property - Language

    @@ -4187,8 +4203,8 @@

    } },

    - Value type of every such Score item is object with the mandatory property products and the optional properties cvss_v2 and cvss_v3 specifies information about (at least one) score of the vulnerability and for which products the given value applies. Each Score item has at least 2 - properties. + Value type of every such Score item is object with the mandatory property products and the optional properties cvss_v2, cvss_v3 and cvss_v4 specifies information about (at least one) score of the vulnerability and for which products the given value applies. Each Score item + has at least 2 properties.

            "properties": {
               "cvss_v2": {
    @@ -4198,16 +4214,23 @@ 

    "oneOf": [ // ... ] - } + }, + "cvss_v4": { + // ... + }, "products": { // ... } }

    - The property CVSS v2 (cvss_v2) holding a CVSS v2.0 value abiding by the schema at https://www.first.org/cvss/cvss-v2.0.json. + The property CVSS v2 (cvss_v2) holding a CVSS v2.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v2.0.json](https://www.first.org/cvss/cvss-v2.0.json). +

    +

    + The property CVSS v3 (cvss_v3) holding a CVSS v3.x value abiding by one of the schemas at [https://www.first.org/cvss/cvss-v3.0.json](https://www.first.org/cvss/cvss-v3.0.json) or [https://www.first.org/cvss/cvss-v3.1.json](https://www.first.org/cvss/cvss-v3.1.json).

    - The property CVSS v3 (cvss_v3) holding a CVSS v3.x value abiding by one of the schemas at https://www.first.org/cvss/cvss-v3.0.json or https://www.first.org/cvss/cvss-v3.1.json. + The property CVSS v4 (cvss_v4) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).

    Product IDs (products) of value type products_t with 1 or more items indicates for which products the given scores apply. A score object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; @@ -4650,6 +4673,30 @@

    The keys within a CSAF document SHOULD be sorted alphabetically.

    +

    + 5.4 Usage of Markdown +

    +

    + The use of GitHub-flavoured Markdown is permitted in the following fields: +

    +
      /document/acknowledgments[]/summary
    +  /document/distribution/text
    +  /document/notes[]/text
    +  /document/publisher/issuing_authority
    +  /document/references[]/summary
    +  /document/tracking/revision_history[]/summary
    +  /product_tree/product_groups[]/summary
    +  /vulnerabilities[]/acknowledgments[]/summary
    +  /vulnerabilities[]/involvements[]/summary
    +  /vulnerabilities[]/notes[]/text
    +  /vulnerabilities[]/references[]/summary
    +  /vulnerabilities[]/remediations[]/details
    +  /vulnerabilities[]/remediations[]/entitlements[]
    +  /vulnerabilities[]/remediations[]/restart_required/details
    +  /vulnerabilities[]/threats[]/details
    +

    + Other fields MUST NOT contain Markdown. +


    6. Tests @@ -4886,7 +4933,7 @@

    Affected:

    -
    /vulnerabilities[]/product_status/first_affected[]
    +        
    /vulnerabilities[]/product_status/first_affected[]  
     /vulnerabilities[]/product_status/known_affected[]
     /vulnerabilities[]/product_status/last_affected[]
    @@ -5007,7 +5054,8 @@

    The relevant paths for this test are:

      /vulnerabilities[]/scores[]/cvss_v2
    -  /vulnerabilities[]/scores[]/cvss_v3
    + /vulnerabilities[]/scores[]/cvss_v3 + /vulnerabilities[]/scores[]/cvss_v4

    Example 1 (which fails the test):

    @@ -5048,7 +5096,13 @@

    /vulnerabilities[]/scores[]/cvss_v3/temporalScore /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity /vulnerabilities[]/scores[]/cvss_v3/environmentalScore - /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity

    + /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity + /vulnerabilities[]/scores[]/cvss_v4/baseScore + /vulnerabilities[]/scores[]/cvss_v4/baseSeverity + /vulnerabilities[]/scores[]/cvss_v4/threatScore + /vulnerabilities[]/scores[]/cvss_v4/threatSeverity + /vulnerabilities[]/scores[]/cvss_v4/environmentalScore + /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity

    Example 1 (which fails the test):

    @@ -5078,7 +5132,8 @@

    The relevant paths for this test are:

      /vulnerabilities[]/scores[]/cvss_v2
    -  /vulnerabilities[]/scores[]/cvss_v3
    + /vulnerabilities[]/scores[]/cvss_v3 + /vulnerabilities[]/scores[]/cvss_v4

    Example 1 (which fails the test):

    @@ -6319,7 +6374,7 @@

    The relevant paths for this test are:

    -
      /vulnerabilities[]/product_status/first_affected[]
    +    
      /vulnerabilities[]/product_status/first_affected[]  
       /vulnerabilities[]/product_status/known_affected[]
       /vulnerabilities[]/product_status/last_affected[]
       /vulnerabilities[]/product_status/under_investigation[]
    @@ -6357,7 +6412,7 @@

    The relevant paths for this test are:

    -
      /vulnerabilities[]/product_status/first_affected[]
    +    
      /vulnerabilities[]/product_status/first_affected[]  
       /vulnerabilities[]/product_status/known_affected[]
       /vulnerabilities[]/product_status/last_affected[]

    @@ -6922,7 +6977,7 @@

    - A tool MAY set the properties modifiedIntegrityImpact, modifiedAvailabilityImpact, modifiedConfidentialityImpact accordingly and compute the environmentalScore as quick fix. + A tool MAY set the properties modifiedIntegrityImpact, modifiedAvailabilityImpact, modifiedConfidentialityImpact (respectively their equivalents according to the CVSS version used) accordingly and compute the environmentalScore as quick fix.

    @@ -7012,7 +7067,7 @@

    Recommendation:

    - It is recommended to (also) use the CVSS v3.1. + It is recommended to (also) use the CVSS v4.0.

    6.3.2 Use of CVSS v3.0 @@ -7391,6 +7446,49 @@


    +

    + 6.3.12 Missing CVSS v4.0 +

    +

    + For each item in the list of scores it MUST be tested that a cvss_v4 object is present. +

    +

    + The relevant path for this test is: +

    +
        /vulnerabilities[]/scores
    +

    + Example 1 (which fails the test): +

    +
      "product_tree": {
    +    "full_product_names": [
    +      {
    +        "product_id": "CSAFPID-9080700",
    +        "name": "Product A"
    +      }
    +    ]
    +  },
    +  "vulnerabilities": [
    +    {
    +      "scores": [
    +        {
    +          "products": [
    +            "CSAFPID-9080700"
    +          ],
    +          "cvss_v3": {
    +            "version": "3.1",
    +            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    +            "baseScore": 10,
    +            "baseSeverity": "CRITICAL"
    +          }
    +        }
    +      ]
    +    }
    +  ]
    +
    +

    + There is no CVSS v4.0 score given for CSAFPID-9080700. +

    +

    7. Distributing CSAF documents

    @@ -7487,7 +7585,7 @@

    - Example 1 (minimal with ROLIE document): + Example 1 (minimal with ROLIE document):

      {
         "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
    @@ -7545,7 +7643,7 @@ 

    - Examples 1: + Examples 1:

    CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
     CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
    @@ -7562,7 +7660,7 @@ 

    The URL path /.well-known/csaf/provider-metadata.json under the main domain of the issuing authority serves directly the provider-metadata.json according to requirement 7. The use of the scheme "HTTPS" is required. See [RFC8615] for more details.

    - Example 1: + Example 1:

      https://www.example.com/.well-known/csaf/provider-metadata.json

    @@ -7578,10 +7676,10 @@

    The CSAF documents MUST be located within folders named <YYYY> where <YYYY> is the year given in the value of /document/tracking/initial_release_date.

    - Examples 1: + Examples 1:

    -
    2021
    -2020
    +
    2024
    +2023

    7.1.12 Requirement 12: index.txt

    @@ -7589,11 +7687,12 @@

    The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.

    - Example 1: + Example 1:

    -
    2020/example_company_-_2020-yh4711.json
    -2019/example_company_-_2019-yh3234.json
    -2018/example_company_-_2018-yh2312.json
    +
    2023/esa-2023-09953.json
    +2022/esa-2022-02723.json
    +2021/esa-2021-31916.json
    +2021/esa-2021-03676.json

    This can be used to download all CSAF documents. @@ -7606,12 +7705,12 @@

    The file changes.csv MUST contain the filename as well as the value of /document/tracking/current_release_date for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the current_release_date timestamp with the latest one first.

    - Example 1: + Example 1:

    -
    "2020/example_company_-_2020-yh4711.json","2020-07-01T10:09:07Z"
    -"2018/example_company_-_2018-yh2312.json","2020-07-01T10:09:01Z"
    -"2019/example_company_-_2019-yh3234.json","2019-04-17T15:08:41Z"
    -"2018/example_company_-_2018-yh2312.json","2019-03-01T06:01:00Z"
    +
    "2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
    +"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
    +"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
    +"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"

    7.1.14 Requirement 14: Directory listings

    @@ -7637,7 +7736,7 @@

    MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].

    - Example 1: + Example 1:

      {
         "feed": {
    @@ -7702,7 +7801,7 @@ 

    The use and therefore the existence of ROLIE service document is optional. If it is used, each ROLIE service document MUST be a JSON file that conforms with [RFC8322] and lists the ROLIE feed documents.

    - Example 1: + Example 1:

      {
         "service": {
    @@ -7768,7 +7867,7 @@ 

    type of product

    - Examples 1: + Examples 1:

      CPU
       Firewall
    @@ -7784,7 +7883,7 @@ 

    areas or sectors, the products are used in

    - Examples 2: + Examples 2:

      Chemical
       Commercial
    @@ -7802,7 +7901,7 @@ 

    - Example 3: + Example 3:

      {
         "categories": {
    @@ -7826,18 +7925,18 @@ 

    MD5 and SHA1 SHOULD NOT be used.

    - Example 1: + Example 1:

    -
    File name of CSAF document: example_company_-_2019-yh3234.json
    -File name of SHA-256 hash file: example_company_-_2019-yh3234.json.sha256
    -File name of SHA-512 hash file: example_company_-_2019-yh3234.json.sha512
    +
    File name of CSAF document: esa-2022-02723.json
    +File name of SHA-256 hash file: esa-2022-02723.json.sha256
    +File name of SHA-512 hash file: esa-2022-02723.json.sha512

    The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.

    - Example 2: + Example 2:

    -
    ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  example_company_-_2019-yh3234.json
    +
    ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json

    If a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15.

    @@ -7848,10 +7947,10 @@

    All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See [RFC4880] for more details.

    - Example 1: + Example 1:

    -
    File name of CSAF document: example_company_-_2019-yh3234.json
    -File name of signature file: example_company_-_2019-yh3234.json.asc
    +
    File name of CSAF document: esa-2022-02723.json
    +File name of signature file: esa-2022-02723.json.asc

    If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.

    @@ -7903,7 +8002,7 @@

    The file aggregator.json SHOULD only list the latest version of the metadata of a CSAF provider.

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -7960,7 +8059,7 @@ 

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -8208,7 +8307,7 @@ 

    In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF. Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following:

      -
    • CSAF producers SHOULD NOT emit messages that contain HTML, even though all variants of Markdown permit it. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option. +
    • CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permitted. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option.
    • Deeply nested markup can cause a stack overflow in the Markdown processor [GFMENG]. To reduce this risk, CSAF consumers SHALL use a Markdown processor that is hardened against such attacks. Note: One example is the GitHub fork of the cmark Markdown processor [GFMCMARK]. @@ -8312,6 +8411,9 @@

    • CSAF SBOM matching system: A program that connects to or is an SBOM database and is able to manage CSAF documents as required by CSAF management system as well as matching them to SBOM components of the SBOM database.
    • +
    • + CSAF 2.0 to CSAF 2.1 converter: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document. +

    9.1.1 Conformance Clause 1: CSAF document @@ -8425,6 +8527,8 @@

  • /vulnerabilities[]/scores[]:
      +
    • For any CVSS v4 element, the CVRF CSAF converter MUST compute the baseSeverity from the baseScore according to the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.) +
    • For any CVSS v3 element, the CVRF CSAF converter MUST compute the baseSeverity from the baseScore according to the rules of the applicable CVSS standard.
    • If no product_id is given, the CVRF CSAF converter appends all Product IDs which are listed under ../product_status in the arrays known_affected, first_affected and last_affected. If none of these arrays exist, the CVRF CSAF converter outputs an error that no @@ -8434,14 +8538,14 @@

    • If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information.
    • -
    • To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps: +
    • To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element, the CVRF CSAF converter uses the following steps:
      1. Retrieve the CVSS version from the CVSS vector, if present.

        - Example 1: + Example 1:

          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
      2. @@ -8450,7 +8554,7 @@

        Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.

        - Example 2: + Example 2:

          xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
           <!-- -->
        @@ -8459,7 +8563,7 @@ 

        is handled the same as

        - Example 3: + Example 3:

          <ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
        @@ -8469,7 +8573,7 @@

        decision.

        - Example 4: + Example 4:

          xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
        @@ -9154,6 +9258,31 @@

  • +

    + 9.1.18 Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter +

    +

    + A program satisfies the "CSAF 2.0 to CSAF 2.1 converter" conformance profile if the program fulfills the following two groups of requirements: +

    +

    + Firstly, the program: +

    +
      +
    • satisfies the "CSAF producer" conformance profile. +
    • +
    • takes only CSAF 2.0 documents as input. +
    • +
    • additionally satisfies the normative requirements given below. +
    • +
    +

    + Secondly, the program fulfills the following for all items of: +

    +
    +

    + A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown. +

    +

    Appendix A. Acknowledgments @@ -10471,8 +10600,8 @@

    - At least one database technology in wide use for storing CSAF documents rejects insert attempts when the transformed BSON size exceeds 16 megabytes. The BSON format optimizes for accessibility and not size. So, small integers and small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds - length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format. + The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve. At least one database technology in wide use for storing CSAF documents rejects insert attempts when the transformed BSON size exceeds 16 megabytes. The BSON format optimizes for accessibility and not size. So, small integers and + small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.

    @@ -10971,6 +11100,9 @@

  • /vulnerabilities[]/scores[]/cvss_v3/vectorString
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/vectorString +
  • /vulnerabilities[]/scores[]/products[]
  • @@ -11291,3 +11423,159 @@

  • /vulnerabilities[]/scores[]/cvss_v3/remediationLevel (13)
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/reportConfidence (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity (8) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/confidentialityRequirement (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/integrityRequirement (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/availabilityRequirement (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedAttackVector (16) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedAttackComplexity (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedPrivilegesRequired (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedUserInteraction (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedScope (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedConfidentialityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedIntegrityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/modifiedAvailabilityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity (8) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/version (3) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/attackVector (8) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/attackComplexity (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/attackRequirements (7) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/privilegesRequired (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/userInteraction (7) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/vulnConfidentialityImpact (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/vulnIntegrityImpact (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/vulnAvailabilityImpact (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/subConfidentialityImpact (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/subIntegrityImpact (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/subAvailabilityImpact (4) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/exploitMaturity (16) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/confidentialityRequirement (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/integrityRequirement (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/availabilityRequirement (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedAttackVector (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedAttackComplexity (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedAttackRequirements (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedPrivilegesRequired (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedUserInteraction (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedVulnConfidentialityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedVulnIntegrityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedVulnAvailabilityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedSubConfidentialityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedSubIntegrityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/modifiedSubAvailabilityImpact (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/Safety (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/Automatable (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/Recovery (13) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/valueDensity (12) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/vulnerabilityResponseEffort (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/providerUrgency (11) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/baseSeverity (8) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/threatSeverity (8) +
  • +
  • + /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity (8) +
  • +
  • + /vulnerabilities[]/threats[]/category (14) +
  • + +

    + C.6 Date \ No newline at end of file diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index e89aacce..9945448c 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -215,6 +215,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 5.1 [Filename](#filename) 5.2 [Separation in Data Stream](#separation-in-data-stream) 5.3 [Sorting](#additional-conventions--sorting) + 5.4 [Usage of Markdown](#usage-of-markdown) 6. [Tests](#tests) 6.1 [Mandatory Tests](#mandatory-tests) 6.1.1 [Missing Definition of Product ID](#missing-definition-of-product-id) @@ -294,6 +295,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.3.9 [Branch Categories](#branch-categories) 6.3.10 [Usage of Product Version Range](#usage-of-product-version-range) 6.3.11 [Usage of V as Version Indicator](#usage-of-v-as-version-indicator) + 6.3.12 [Missing CVSS v4.0](#missing-cvss-v4-0) 7. [Distributing CSAF documents](#distributing-csaf-documents) 7.1 [Requirements](#requirements) 7.1.1 [Requirement 1: Valid CSAF document](#requirement-1-valid-csaf-document) @@ -348,6 +350,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 9.1.15 [Conformance Clause 15: CSAF extended validator](#conformance-clause-15-csaf-extended-validator) 9.1.16 [Conformance Clause 16: CSAF full validator](#conformance-clause-16-csaf-full-validator) 9.1.17 [Conformance Clause 17: CSAF SBOM matching system](#conformance-clause-17-csaf-sbom-matching-system) + 9.1.18 [Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter](#conformance-clause-18-csaf-2-0-to-csaf-2-1-converter) Appendix A. [Acknowledgments](#acknowledgments) Appendix B. [Revision History](#revision-history) 
@@ -396,6 +399,8 @@ For purposes of this document, the following terms and definitions apply: Examples: A physical file in a file system such as a source file, an object file, a configuration file or a data file; a specific version of a file in a version control system; a database table accessed via an HTTP request; an arbitrary stream of bytes returned from an HTTP request, a product URL, a common product enumeration value. +
    CSAF 2.0 to CSAF 2.1 converter
    +
    A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document.
    CSAF asset matching system
    program that connects to or is an asset database and is able to manage CSAF documents as required by CSAF management system @@ -605,6 +610,8 @@ For purposes of this document, the following terms and definitions apply: **\[****CVSS31\]** _Common Vulnerability Scoring System v3.1: Specification Document_, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf. +**\[****CVSS40\]** _Common Vulnerability Scoring System v4.0: Specification Document_, FIRST.Org, Inc., 09 November 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf. + **\[****CWE\]** _Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types_, MITRE, 2005, http://cwe.mitre.org/about/. **\[****CYCLONEDX13\]** _CycloneDX Software Bill-of-Material Specification JSON schema version 1.3_, cyclonedx.org, May 2021, https://github.com/CycloneDX/specification/blob/1.3/schema/bom-1.3.schema.json. @@ -653,7 +660,7 @@ For purposes of this document, the following terms and definitions apply: **\[****27 September 2021, .\]** -**\[****XX May 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.\]** +**\[****June 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.\]** **\[****W3C Recommendation, November 26, 2008, https://www.w3.org/TR/2008/REC-xml-20081126/. Latest version available at .\]** 
@@ -751,6 +758,8 @@ Delegation to industry best practices technologies is used in referencing schema * Platform Data: * Common Platform Enumeration (CPE) Version 2.3 \[[CPE23-N](#CPE23-N)\] * Vulnerability Scoring: + * Common Vulnerability Scoring System (CVSS) Version 4.0 \[[CVSS40](#CVSS40)\] + * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json * Common Vulnerability Scoring System (CVSS) Version 3.1 \[[CVSS31](#CVSS31)\] * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json * Common Vulnerability Scoring System (CVSS) Version 3.0 \[[CVSS30](#CVSS30)\] @@ -1474,7 +1483,7 @@ abbreviated (partial) stock keeping units. A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. -In the latter case the remediations SHALL include the new stock keeping units is or a description how it can be obtained. +In the latter case the remediations SHALL include the new stock keeping units or a description how it can be obtained. > The use of the list of relationships in the first case is important. > Otherwise, the end user is unable to identify which version (the affected or the not affected / fixed one) is used. @@ -2179,7 +2188,7 @@ The default value is the URL to the definition by FIRST: ``` https://www.us-cert.gov/tlp - https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf + https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf ``` #### 3.2.1.6 Document Property - Language 
@@ -3450,8 +3459,8 @@ List of scores (`scores`) of value type `array` with 1 or more items of type sco }, ``` -Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2` and -`cvss_v3` specifies information about (at least one) score of the vulnerability and for which products the given value applies. +Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2`, +`cvss_v3` and `cvss_v4` specifies information about (at least one) score of the vulnerability and for which products the given value applies. Each Score item has at least 2 properties. ``` @@ -3463,7 +3472,10 @@ Each Score item has at least 2 properties. "oneOf": [ // ... ] - } + }, + "cvss_v4": { + // ... + }, "products": { // ... } @@ -3477,6 +3489,8 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the [https://www.first.org/cvss/cvss-v3.0.json](https://www.first.org/cvss/cvss-v3.0.json) or [https://www.first.org/cvss/cvss-v3.1.json](https://www.first.org/cvss/cvss-v3.1.json). +The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json). + Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given scores apply. A score object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; 
@@ -3765,6 +3779,30 @@ they MUST be separated by the Record Separator in accordance with \[[RFC7464](#R The keys within a CSAF document SHOULD be sorted alphabetically. +## 5.4 Usage of Markdown + +The use of GitHub-flavoured Markdown is permitted in the following fields: + +``` + /document/acknowledgments[]/summary + /document/distribution/text + /document/notes[]/text + /document/publisher/issuing_authority + /document/references[]/summary + /document/tracking/revision_history[]/summary + /product_tree/product_groups[]/summary + /vulnerabilities[]/acknowledgments[]/summary + /vulnerabilities[]/involvements[]/summary + /vulnerabilities[]/notes[]/text + /vulnerabilities[]/references[]/summary + /vulnerabilities[]/remediations[]/details + /vulnerabilities[]/remediations[]/entitlements[] + /vulnerabilities[]/remediations[]/restart_required/details + /vulnerabilities[]/threats[]/details +``` + +Other fields MUST NOT contain Markdown. + ------- # 6. Tests @@ -4109,6 +4147,7 @@ The relevant paths for this test are: ``` /vulnerabilities[]/scores[]/cvss_v2 /vulnerabilities[]/scores[]/cvss_v3 + /vulnerabilities[]/scores[]/cvss_v4 ``` *Example 1 (which fails the test):* @@ -4144,6 +4183,12 @@ The relevant paths for this test are: /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity /vulnerabilities[]/scores[]/cvss_v3/environmentalScore /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity + /vulnerabilities[]/scores[]/cvss_v4/baseScore + /vulnerabilities[]/scores[]/cvss_v4/baseSeverity + /vulnerabilities[]/scores[]/cvss_v4/threatScore + /vulnerabilities[]/scores[]/cvss_v4/threatSeverity + /vulnerabilities[]/scores[]/cvss_v4/environmentalScore + /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity ``` *Example 1 (which fails the test):* @@ -4170,6 +4215,7 @@ The relevant paths for this test are: ``` /vulnerabilities[]/scores[]/cvss_v2 /vulnerabilities[]/scores[]/cvss_v3 + /vulnerabilities[]/scores[]/cvss_v4 ``` *Example 1 (which fails the test):* 
@@ -5948,8 +5994,8 @@ The relevant path for this test is: > Neither the `environmentalScore` nor the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` nor > the corresponding attributes in the `vectorString` have been set. -> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` accordingly and -> compute the `environmentalScore` as quick fix. +> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` (respectively their +> equivalents according to the CVSS version used) accordingly and compute the `environmentalScore` as quick fix. ### 6.2.20 Additional Properties @@ -6031,7 +6077,7 @@ The relevant path for this test is: Recommendation: -It is recommended to (also) use the CVSS v3.1. +It is recommended to (also) use the CVSS v4.0. ### 6.3.2 Use of CVSS v3.0 @@ -6395,6 +6441,48 @@ The relevant paths for this test are: ------- +### 6.3.12 Missing CVSS v4.0 + +For each item in the list of scores it MUST be tested that a `cvss_v4` object is present. + +The relevant path for this test is: + +``` + /vulnerabilities[]/scores +``` + +*Example 1 (which fails the test):* + +``` + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "scores": [ + { + "products": [ + "CSAFPID-9080700" + ], + "cvss_v3": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ] + } + ] +``` + +> There is no CVSS v4.0 score given for `CSAFPID-9080700`. + # 7. Distributing CSAF documents This section lists requirements and roles defined for distributing CSAF documents. 
@@ -6467,7 +6555,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA > * https://psirt.domain.tld/advisories/csaf/provider-metadata.json > * https://domain.tld/security/csaf/provider-metadata.json -*Example 1 (minimal with ROLIE document):* +*Example 1 (minimal with ROLIE document):* ``` { @@ -6528,7 +6616,7 @@ See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details. > The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. At the time of this writing, > the `CSAF` field is in the process of being officially added. -*Examples 1:* +*Examples 1:* ``` CSAF: https://domain.tld/security/data/csaf/provider-metadata.json @@ -6548,7 +6636,7 @@ The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the `provider-metadata.json` according to requirement 7. The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details. -*Example 1:* +*Example 1:* ``` https://www.example.com/.well-known/csaf/provider-metadata.json @@ -6565,23 +6653,24 @@ The use of the scheme "HTTPS" is required. The CSAF documents MUST be located within folders named `` where `` is the year given in the value of `/document/tracking/initial_release_date`. -*Examples 1:* +*Examples 1:* ``` -2021 -2020 +2024 +2023 ``` ### 7.1.12 Requirement 12: index.txt The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames. -*Example 1:* +*Example 1:* ``` -2020/example_company_-_2020-yh4711.json -2019/example_company_-_2019-yh3234.json -2018/example_company_-_2018-yh2312.json +2023/esa-2023-09953.json +2022/esa-2022-02723.json +2021/esa-2021-31916.json +2021/esa-2021-03676.json ``` > This can be used to download all CSAF documents. 
@@ -6591,13 +6680,13 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first. -*Example 1:* +*Example 1:* ``` -"2020/example_company_-_2020-yh4711.json","2020-07-01T10:09:07Z" -"2018/example_company_-_2018-yh2312.json","2020-07-01T10:09:01Z" -"2019/example_company_-_2019-yh3234.json","2019-04-17T15:08:41Z" -"2018/example_company_-_2018-yh2312.json","2019-03-01T06:01:00Z" +"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" +"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" +"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" +"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" ``` ### 7.1.14 Requirement 14: Directory listings @@ -6618,7 +6707,7 @@ At least one of the feeds MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\]. -*Example 1:* +*Example 1:* ``` { @@ -6685,7 +6774,7 @@ having the `rel` value of `signature`. The use and therefore the existence of ROLIE service document is optional. If it is used, each ROLIE service document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\] and lists the ROLIE feed documents. -*Example 1:* +*Example 1:* ``` { @@ -6728,7 +6817,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * `product_version` * type of product - *Examples 1:* + *Examples 1:* ``` CPU @@ -6743,7 +6832,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * areas or sectors, the products are used in - *Examples 2:* + *Examples 2:* ``` Chemical @@ -6758,7 +6847,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * any other categorization useful to the consumers -*Example 3:* +*Example 3:* ``` { 
@@ -6782,21 +6871,21 @@ to ensure their integrity. The filename is constructed by appending the file ext MD5 and SHA1 SHOULD NOT be used. -*Example 1:* +*Example 1:* ``` -File name of CSAF document: example_company_-_2019-yh3234.json -File name of SHA-256 hash file: example_company_-_2019-yh3234.json.sha256 -File name of SHA-512 hash file: example_company_-_2019-yh3234.json.sha512 +File name of CSAF document: esa-2022-02723.json +File name of SHA-256 hash file: esa-2022-02723.json.sha256 +File name of SHA-512 hash file: esa-2022-02723.json.sha512 ``` The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space. -*Example 2:* +*Example 2:* ``` -ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 example_company_-_2019-yh3234.json +ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json ``` If a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15. @@ -6806,11 +6895,11 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See \[[RFC4880](#RFC4880)\] for more details. -*Example 1:* +*Example 1:* ``` -File name of CSAF document: example_company_-_2019-yh3234.json -File name of signature file: example_company_-_2019-yh3234.json.asc +File name of CSAF document: esa-2022-02723.json +File name of signature file: esa-2022-02723.json.asc ``` If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15. @@ -6841,7 +6930,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`. The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider. -*Example 1:* +*Example 1:* ``` { 
@@ -6897,7 +6986,7 @@ Each such folder MUST at least: * provide a `provider-metadata.json` for the current issuing party. * provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document. -*Example 1:* +*Example 1:* ``` { @@ -7106,7 +7195,7 @@ CSAF documents are based on JSON, thus the security considerations of \[[RFC8259 In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF. Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following: -* CSAF producers SHOULD NOT emit messages that contain HTML, even though all variants of Markdown permit it. +* CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permitted. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option. * Deeply nested markup can cause a stack overflow in the Markdown processor \[[GFMENG](#GFMENG)\]. @@ -7176,6 +7265,7 @@ The entities ("conformance targets") for which this document defines requirement * **CSAF full validator**: A CSAF extended validator that additionally performs informative tests. * **CSAF SBOM matching system**: A program that connects to or is an SBOM database and is able to manage CSAF documents as required by CSAF management system as well as matching them to SBOM components of the SBOM database. +* **CSAF 2.0 to CSAF 2.1 converter**: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document. ### 9.1.1 Conformance Clause 1: CSAF document 
@@ -7261,6 +7351,8 @@ Secondly, the program fulfills the following for all items of: `first_affected` and `last_affected` into `product_ids`. If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element. * `/vulnerabilities[]/scores[]`: + * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to + the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.) * For any CVSS v3 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to the rules of the applicable CVSS standard. * If no `product_id` is given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in @@ -7271,10 +7363,11 @@ Secondly, the program fulfills the following for all items of: A CVRF CSAF converter MAY offer a configuration option to delete such elements. * If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information. - * To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps: + * To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element, + the CVRF CSAF converter uses the following steps: 1. Retrieve the CVSS version from the CVSS vector, if present. - *Example 1:* + *Example 1:* ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1 @@ -7283,7 +7376,7 @@ Secondly, the program fulfills the following for all items of: 2. Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace. - *Example 2:* + *Example 2:* ``` xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd" 
@@ -7293,7 +7386,7 @@ Secondly, the program fulfills the following for all items of: is handled the same as - *Example 3:* + *Example 3:* ``` @@ -7304,7 +7397,7 @@ Secondly, the program fulfills the following for all items of: If more than one CVSS namespace is present and the element is not clearly defined via the namespace, this step MUST be skipped without a decision. - *Example 4:* + *Example 4:* ``` xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0 @@ -7612,6 +7705,21 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc * matching that CSAF document at all * marked with a given status +### 9.1.18 Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter + +A program satisfies the "CSAF 2.0 to CSAF 2.1 converter" conformance profile if the program fulfills the following two groups of requirements: + +Firstly, the program: + +* satisfies the "CSAF producer" conformance profile. +* takes only CSAF 2.0 documents as input. +* additionally satisfies the normative requirements given below. + +Secondly, the program fulfills the following for all items of: + + +> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown. + ------- # Appendix A. Acknowledgments @@ -7767,6 +7875,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. +> The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve. > At least one database technology in wide use for storing CSAF documents rejects insert attempts when > the transformed BSON size exceeds 16 megabytes. > The BSON format optimizes for accessibility and not size. 
@@ -7940,6 +8049,7 @@ A string SHOULD NOT have a length greater than:
 * `/vulnerabilities[]/remediations[]/product_ids[]`
 * `/vulnerabilities[]/scores[]/cvss_v2/vectorString`
 * `/vulnerabilities[]/scores[]/cvss_v3/vectorString`
+ * `/vulnerabilities[]/scores[]/cvss_v4/vectorString`
 * `/vulnerabilities[]/scores[]/products[]`
 * `/vulnerabilities[]/threats[]/group_ids[]`
 * `/vulnerabilities[]/threats[]/product_ids[]`
@@ -8066,6 +8176,42 @@ It seems to be safe to assume that the length of each value is not greater than
 * `/vulnerabilities[]/scores[]/cvss_v3/modifiedIntegrityImpact` (11)
 * `/vulnerabilities[]/scores[]/cvss_v3/modifiedAvailabilityImpact` (11)
 * `/vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/version` (3)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackVector` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackComplexity` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackRequirements` (7)
+* `/vulnerabilities[]/scores[]/cvss_v4/privilegesRequired` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/userInteraction` (7)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnConfidentialityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnIntegrityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnAvailabilityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subConfidentialityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subIntegrityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subAvailabilityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/exploitMaturity` (16)
+* `/vulnerabilities[]/scores[]/cvss_v4/confidentialityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/integrityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/availabilityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackVector` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackComplexity` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackRequirements` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedPrivilegesRequired` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedUserInteraction` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnConfidentialityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnIntegrityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnAvailabilityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubConfidentialityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubIntegrityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubAvailabilityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Safety` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Automatable` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Recovery` (13)
+* `/vulnerabilities[]/scores[]/cvss_v4/valueDensity` (12)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnerabilityResponseEffort` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/providerUrgency` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/baseSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/threatSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity` (8)
 * `/vulnerabilities[]/threats[]/category` (14)
 ## C.6 Date