-
During the CSAF workshop one task was to use `csaf_checker` to download and validate CSAF documents. As we had multiple (more than 10) "domains", I was using the command like `csaf_checker dns1 dns2 d…
ctron updated 9 months ago
-
The Common Security Advisory Framework Version 2.0 is now an approved specification in the industry. Details about the specification can be found at: https://csaf.io and https://docs.oasis-open.org/cs…
-
Currently, the time-interval-filtered downloads of advisories use the publish date.
This should be replaced by the last update time, as it is more recent and
better suited for delta do…
-
https://datatracker.ietf.org/doc/html/rfc9116#name-location-of-the-securitytxt has
> For legacy compatibility, a "security.txt" file might be placed at the top-level path or redirect (as per Sectio…
-
* An error remains if using the back button. Go to https://wid.cert-bund.de/.well-known/csaf/provider-metadata.json press on a GREEN link (without having access) and see the error message. Use "back"…
-
The [CSAF standard requires](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6213-sorting) that all "keys in a CSAF document are sorted alphabetically". It looks like the current imple…
-
Something seems wrong with the schema for CVSS 3.0.
In https://github.com/csaf-poc/csaf_distribution/blob/main/csaf/schema/cvss-v3.0.json the pattern for _vectorString_ is: `"^CVSS:3[.]0/((AV:[NALP…
-
The current version (might be v3.0.0-beta-39-g0905824) does not evaluate purls given in a `relationship` item.
-
A CDN provider suggested publishing a short article / best practice / guidance document on what CSAF providers need to think about when they use a CDN for distribution. Here are the suggestions:
- …
-
On a Debian Bullseye system:

```
csaf_distribution-v2.2.0-gnulinux-amd64
./bin-linux-amd64/csaf_downloader
./bin-linux-amd64/csaf_downloader: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not…
```