search

CERTCC / VINCE

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.
https://kb.cert.org/vince/
Other
59 stars 24 forks source link

CSAF Compatability #24

Open iainDe opened 2 years ago

iainDe commented 2 years ago

Please expand the Common Security Advisory Framework (CSAF) format when generating notes and sharing the notes through the API

sei-vsarvepalli commented 2 years ago

Hello @iainDe

Have you seen this case - https://github.com/CERTCC/VINCE/pull/19 ?

Limited CSAF output via API is available, we are working with CSAF oasis group members @tschmidtb51 @santosomar to take this forward. The CSAF format is only available for the authenticated end points today with limited information as described in the ticket. You can use our demo site using your API Key to view it https://democert.org/vince/ and see how to get to it.

For e.g., The URL https://kb.cert.org/vince/comm/api/case/636397/csaf/ (using your API Key) will provide CSAF document for VU#636397 for example.

Currently we have some limitations as

  1. We don't collect product names and version in a compatible format from each vendor, so we can only use the Vendor Product and Version fields as specified by the researcher/reporter at the time of submitting a case.
  2. We have an update pending moving from generic_csaf will be renamed into csaf_base, still waiting on some review and some more small changes to match recent schema updates
sei-vsarvepalli commented 2 years ago

55 is a related recommendation and feedback we received from Oasis CSAF working group.

sei-vsarvepalli commented 1 year ago

Related issues #96 and #97 - more improvements needs to support CSAF properly.