Implement test of requirement 15 (ROLIE feed)

[JanHoefelmeyer]

@tschmidtb51 The Standard reads:

All CSAF documents with the same TLP level MUST be listed in a single ROLIE feed. At least one of the feeds

    TLP:WHITE
    TLP:GREEN
    unlabeled

MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322]. 

As far as I can tell, the ROLIE feeds do not have any TLP level themselves (although their listed documents do).

Does this mean that there must be at least 1 feed that contains at least 1 document with one of the given TLP levels?

Also: Can ROLIE feed documents contain Csaf-Documents with differing TLP levels as long as all documents with that level are listed within the feed? The above phrasing suggests that each feed should be dedicated to a singular TLP level, but there is no requirement that prevents using a singular feed document for multiple TLP levels.

[tschmidtb51]

As far as I can tell, the ROLIE feeds do not have any TLP level themselves (although their listed documents do).

Correct.

Does this mean that there must be at least 1 feed that contains at least 1 document with one of the given TLP levels?

No. Also an empty ROLIE feed is valid :-) The requirements is a little bit more complex: The PMD must list at least one ROLIE feed of those TLP levels (Note: The feed itself might be empty.) if the ROLIE based distribution is used.

Also: Can ROLIE feed documents contain Csaf-Documents with differing TLP levels as long as all documents with that level are listed within the feed?

Part 1: Yes. Even: It must not contain all CSAF documents with that one TLP-Label.

The purpose of All CSAF documents with the same TLP level MUST be listed in a single ROLIE feed. is that one summary feed exists that lists all CSAF documents with that label.

E.g. another feed with TLP:AMBER might exist, that lists also a set of TLP:GREEN and TLP:WHITE files. Logically, a feed SHOULD NOT contain any information that has a higher label than announced by the PMD... TLP:WHITE<TLP:GREEN<TLP:AMBER<TLP:RED (This does not apply for feeds that are listed unlabeled...)

Does that clarify the statement?

[JanHoefelmeyer]

Two more clarifications: The single ROLIE feed containing all entries of a document does not necessarily need the documents TLP level, correct?

So, for example Requirement 15 is fullfilled if:

• There are WHITE, GREEN and AMBER ROLIE feeds, all of which are empty
• There is an accessible RED ROLIE feed that contains all entries

Should Req 15 issue a warning or error if a feed contains information of a higher level, or should that be ignored (for Req 15 specifically)?

[tschmidtb51]

I hope the following answers your questions:

The idea is that one summary feed per TLP level exists.

The example you gave is really interesting. One the one hand, I would expect that also the content of the TLP:RED feed is confidential as it contains data (e.g. title, date,...) from TLP:RED advisories. One the other hand, the client can not (or only with additional effort) distinguish whether a TLP:RED feed was retrieved with or without authentication.

Result: To enforce (or guide by checker :wink:) the intended procedure, I suggest to implement the following:

• A summary ROLIE feed (=> one that lists all advisories with that level) for each supported TLP level must exist. (For the unlabeled ones: If no separate TLP unlabeled feed exists, it is okay, if they are all (at least) listed in the TLP:WHITE one - otherwise (i.e. TLP unlabeled document in TLP:AMBER feed but not in TLP:WHITE and no TLP unlabeled feed exists) => error.)
• Documents with lower TLP level can show up in higher TLP level feeds. The report message differentiates: If this is determined the summary feed (for the higher TLP level): warning; if it is an ordinary feed: info.
• Documents with higher TLP level can't show up in lover TLP level feeds - otherwise error.

Does that answer the question?

[tschmidtb51]

I opened #368 to check whether the csaf_aggregator implementation does that correctly.

[JanHoefelmeyer]

@tschmidtb51 We decided to simplify the requirement checks a bit within https://github.com/csaf-poc/csaf_distribution/pull/369. The proposed way to handle unlabeled feeds would require a rather complex set of tests that aren't easily future-proofed. Before we implement something like this, we'd prefer if the Standard at least specifies exactly what unlabeled TLP are exactly and how they are to be handled (esp. in regards to requirement 15), which currently just is not documented at all (aside from an unlabeled feed sufficing for the requirement of existence of a low security feed). Otherwise it would require a lot of additional work should the Standard decide to implement unlabeled feeds in a currently unforeseen way.