Closed (tschmidtb51 closed this 6 months ago)
Hi @tschmidtb51, that's a good idea, thank you for that. A lot of information is already in SecObserve, but some would still be missing:

- `document` section, which might be configured statically.
- `product_tree` section should be not too bad, a `product_id` is missing and I have to check the relationships.
- `vulnerabilities` will need some work. First to be able to fulfil the meaning of all attributes of the CSAF specification and second an editorial function, maybe an entity decides not to disclose all observations.

I will put the CSAF VEX in the backlog, but it might need some time.
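As an added illustration of the three sections listed above (not SecObserve's code, and not an implementation of the project's later export), the Python below maps constructed manual-assessment rows onto a minimal CSAF 2.0 VEX document: the `document` block is static, `product_tree` gets a derived `product_id`, `vulnerabilities` is grouped per CVE, and rows flagged as not to be disclosed are dropped as the editorial step. Product names, versions and CVE ids are constructed placeholders, and `known_not_affected` entries are required to carry one of the CSAF justification flags.

```python
from datetime import datetime, timezone

# Constructed sample assessments (not SecObserve data). "disclose" models the
# editorial decision of whether an observation is published in the VEX at all.
ASSESSMENTS = [
    {"product": "shop-backend", "version": "1.4.2", "cve": "CVE-2023-0001",
     "status": "known_not_affected", "justification": "vulnerable_code_not_present", "disclose": True},
    {"product": "shop-backend", "version": "1.4.2", "cve": "CVE-2023-0002",
     "status": "known_affected", "justification": None, "disclose": True},
    {"product": "shop-frontend", "version": "2.0.0", "cve": "CVE-2023-0001",
     "status": "under_investigation", "justification": None, "disclose": False},
]

# Labels CSAF 2.0 permits in vulnerabilities[].flags[].label for a VEX justification.
VEX_JUSTIFICATIONS = {"component_not_present", "inline_mitigations_already_exist",
                      "vulnerable_code_cannot_be_controlled_by_adversary",
                      "vulnerable_code_not_in_execute_path", "vulnerable_code_not_present"}

def product_id(row):
    # Derived identifier; a real export would reuse a stable id from the product database.
    return f"{row['product']}-{row['version']}".replace(" ", "_")

def build_csaf_vex(assessments, publisher_name, namespace, doc_id):
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = [r for r in assessments if r["disclose"]]          # editorial filter
    products = {product_id(r): f"{r['product']} {r['version']}" for r in rows}
    vulns = {}
    for r in rows:
        v = vulns.setdefault(r["cve"], {"cve": r["cve"], "product_status": {}, "flags": []})
        v["product_status"].setdefault(r["status"], []).append(product_id(r))
        if r["status"] == "known_not_affected":
            # A "not affected" claim without a machine-readable justification is not a valid VEX statement.
            if r["justification"] not in VEX_JUSTIFICATIONS:
                raise ValueError(f"{r['cve']}/{product_id(r)}: known_not_affected needs a justification")
            v["flags"].append({"label": r["justification"], "product_ids": [product_id(r)]})
    for v in vulns.values():
        if not v["flags"]:
            del v["flags"]                                     # empty arrays are not allowed
    return {
        "document": {
            "category": "csaf_vex", "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": publisher_name, "namespace": namespace},
            "title": f"VEX for {publisher_name}",
            "tracking": {"id": doc_id, "status": "final", "version": "1",
                         "initial_release_date": now, "current_release_date": now,
                         "revision_history": [{"date": now, "number": "1", "summary": "Initial release"}]},
        },
        "product_tree": {"full_product_names": [{"name": n, "product_id": p} for p, n in products.items()]},
        "vulnerabilities": list(vulns.values()),
    }
```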
Do you by any chance know if the EU Cyber Resilience Act defines how vendors have to report vulnerabilities? Will it be CSAF based?
@StefanFl If you need more input: BSI is offering a series of CSAF workshops: https://www.allianz-fuer-cybersicherheit.de/Webs/ACS/DE/Netzwerk-Formate/Veranstaltungen-und-Austausch/CSAFversum/CSAF_english.html
> Do you by any chance know if the EU Cyber Resilience Act defines how vendors have to report vulnerabilities? Will it be CSAF based?
BSI is not directly involved in writing the CRA. Based on my knowledge, the CRA will not call out specific standards as this will be done through harmonized norms. IMHO, CSAF seems to be the obvious choice given that you have to provide information on the vulnerability and its remediation (=> security advisory).
Design and implementation have started:
But it will be a long way.
An experimental implementation for CSAF and OpenVex will be part of the next release.
The README says:
As we already have the information from manual assessments, what about creating CSAF VEX from them?