csaf-poc / csaf_distribution

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Checker: Test for Requirements 11-14 or 15-17 #304

Closed h4b4n3r0 closed 1 year ago

h4b4n3r0 commented 1 year ago

Currently we have implemented CSAF as a trusted provider. The description for CSAF providers states: "satisfies the requirements 11 to 14 in section 7.1 or requirements 15 to 17 in section 7.1". We implemented requirements 15-17. However, the checker warns (12, 13) and errors (11, 14) about issues with requirements 11-14.

The checker itself should be able to determine which ruleset is followed.

tschmidtb51 commented 1 year ago

This is related to #284

JanHoefelmeyer commented 1 year ago

@tschmidtb51: Requirements 16 and 17 currently only define what the ROLIE service document and the ROLIE category document are, but the standard does not specify where these files should be located and is a bit unclear on the specific structure.

Our implementation assumes the ROLIE service document is located next to the provider-metadata.json, and the ROLIE category document is located next to its respective ROLIE feed document.

The tests are designed to work with documents structured like Examples 131 and 134, respectively.

It may be beneficial to amend the standard with this information.
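One way a checker can let the provider-metadata.json decide which ruleset applies (11-14 for a directory layout, 15-17 for ROLIE), and where it should then look for the ROLIE service and category documents under the layout described in this comment. This is an added Go example, not code from csaf_distribution: the struct tags are the provider-metadata field names the example assumes, the sample document is constructed, and the fallback file names service.json and category.json are this example's own assumptions, since the thread notes the standard does not fix them. Explicit services/categories entries in the rolie block, when present, take precedence over that fallback.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed subset of the provider-metadata.json schema: just enough to tell a
// directory-based distribution (requirements 11-14) from a ROLIE-based one (15-17).
// Fields not listed here (summary, tlp_label, ...) are ignored by the decoder.
type ProviderMetadata struct {
	CanonicalURL  string `json:"canonical_url"`
	Distributions []struct {
		DirectoryURL string `json:"directory_url"`
		Rolie        *struct {
			Feeds      []Link `json:"feeds"`
			Services   []Link `json:"services"`
			Categories []Link `json:"categories"`
		} `json:"rolie"`
	} `json:"distributions"`
}

// Link is a feed, service or category entry; only its URL matters here.
type Link struct {
	URL string `json:"url"`
}

func ParseProviderMetadata(data []byte) (*ProviderMetadata, error) {
	pm := new(ProviderMetadata)
	if err := json.Unmarshal(data, pm); err != nil {
		return nil, err
	}
	return pm, nil
}

// DetectRuleset derives the ruleset from what the provider advertises instead of
// assuming the directory layout: a rolie block with feeds selects 15-17, a
// directory_url selects 11-14, and a provider offering both is checked against both.
func DetectRuleset(pm *ProviderMetadata) (directory, rolie bool) {
	for _, d := range pm.Distributions {
		directory = directory || d.DirectoryURL != ""
		rolie = rolie || (d.Rolie != nil && len(d.Rolie.Feeds) > 0)
	}
	return directory, rolie
}

// sibling returns the URL of name in the same directory as ref.
func sibling(ref, name string) string {
	return ref[:strings.LastIndex(ref, "/")+1] + name
}

// ExpectedROLIEDocuments lists where the checker should look for the ROLIE service
// and category documents. Explicit services/categories entries win; otherwise the
// service document is expected next to provider-metadata.json and a category
// document next to each feed. The file names service.json and category.json used
// for that fallback are assumptions of this example, not fixed by the standard.
func ExpectedROLIEDocuments(pm *ProviderMetadata) (services, categories []string) {
	for _, d := range pm.Distributions {
		if d.Rolie == nil {
			continue
		}
		for _, s := range d.Rolie.Services {
			services = append(services, s.URL)
		}
		for _, c := range d.Rolie.Categories {
			categories = append(categories, c.URL)
		}
		if len(d.Rolie.Categories) == 0 {
			for _, f := range d.Rolie.Feeds {
				categories = append(categories, sibling(f.URL, "category.json"))
			}
		}
	}
	if _, rolie := DetectRuleset(pm); rolie && len(services) == 0 {
		services = append(services, sibling(pm.CanonicalURL, "service.json"))
	}
	return services, categories
}

// sampleProviderMetadata is a constructed ROLIE-only provider-metadata.json.
const sampleProviderMetadata = `{
  "canonical_url": "https://psirt.example.test/.well-known/csaf/provider-metadata.json",
  "distributions": [{"rolie": {"feeds": [{
    "url": "https://psirt.example.test/.well-known/csaf/white/csaf-feed-tlp-white.json",
    "summary": "TLP:WHITE advisories", "tlp_label": "WHITE"}]}}]
}`

func main() {
	pm, err := ParseProviderMetadata([]byte(sampleProviderMetadata))
	if err != nil {
		panic(err)
	}
	directory, rolie := DetectRuleset(pm)
	svc, cat := ExpectedROLIEDocuments(pm)
	fmt.Printf("check 11-14: %v, check 15-17: %v\nservice: %v\ncategory: %v\n", directory, rolie, svc, cat)
}
```

For the constructed sample this selects only requirements 15-17 and points the checker at `.../csaf/service.json` and `.../csaf/white/category.json`; a directory-only provider selects 11-14 and yields no ROLIE documents to fetch.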

JanHoefelmeyer commented 1 year ago

Solved by https://github.com/csaf-poc/csaf_distribution/pull/391