-
"product_id" defined in CSAF 2.0 is local within the document (the same as CVRF).
"product_id" defined in CSAF 2.0 can be unique and referenced outside CSAF document. This will help many stakeholder…
-
Version 1.2 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508771)
section 6.9
The words say:
> « The vuln:CWE element MUST be present zero or one time in an…
-
Currently, some publishing parties include the `/document/tracking/id` in the `/document/title`. We should add an optional test (and quick fix / conversion rule) that checks on this.
Reasoning:
Th…
-
CVSS 4.0 official publication is scheduled for Q4, 2023. CSAF 2.x schema needs to add the new
"cvss_v4": {
"$ref": "https://www.first.org/cvss/cvss-v4.0.json"
…
-
Currently ("version": "2.1.1-100-g540d02d"), the `csaf_checker` validates CSAF (trusted) providers even if the `distributions` array is missing in the PMD. However, in that case the requirements 1…
-
# 🐛 Summary #
At least 7 files have the wrong hash proof.
## To reproduce ##
1. run `git pull`
2. compute sha512 on each ICSA and ICSMA
3. compare each with content of `.sha512`
## Expect…
-
[The official conformance target](https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/prose/csaf-v2-editor-draft.md#915-conformance-clause-5-cvrf-csaf-converter) states the following requirements:
…
-
Currently, the `csaf_checker` does not report if one of the fields in a `changes.csv` is not quoted. Can we change that to report this violation?
-
The TC received a [comment via its mailing list](https://lists.oasis-open.org/archives/csaf-comment/202402/msg00004.html):
> When considering how to reference SBOMs within CSAF documents, the quest…