-
To facilitate more usage of CSAF, how would a Go library have to be constructed to be able to help implementors to access the contents of the advisories?
### potential use cases
* https://github.c…
-
### Current Behavior
Some commercial software vendors provide advisory information in CSAF 2.0 format. These include Red Hat and Oracle, among others. There isn't currently a good way to identify vu…
-
Currently ("version": "2.1.1-100-g540d02d"), the `csaf_checker` validates CSAF (trusted) providers even if the `distributions` array is missing in the PMD. However, in that case the requirements 1…
-
A central point of the distribution model of CSAF is the TLP label. We should make it mandatory for all CSAF documents.
-
The instrumentation is there -> https://oasis-open.github.io/csaf-documentation/tools.html which comes with a downloader: https://github.com/csaf-poc/csaf_distribution/blob/main/docs/csaf_downloader.m…
-
We came across [a situation](https://github.com/csaf-poc/csaf_distribution/issues/376) where a ~Web Application Firewall~ CDN blocked the automatic retrieval of the PMD and CSAF files. Given the reaso…
-
As discussed in today's TC meeting, we should define the vendor. Here is the definition of CSAF as a starting point:
_**vendor**: the community, individual, or organization that created or maintain…
-
Currently, we need to find a valid PMD to run the checks. However, that does not help the user if he made a mistake in creating the PMD. We should provide more insights (JSON parse, JSON schema valid…
-
Using csaf_distribution-v2.1.0-gnulinux-amd64: when downloading from redhat.com
the signatures do not verify.
```bash
curl -L -O https://github.com/csaf-poc/csaf_distribution/releases/download/v2…
```
-
# What happened?
I tried to test the `csaf_aggregator` by building and just running it without any parameter, in particular without a path to a config file. Then, of course, the aggregator was lookin…