gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Print provider-metadata.json files per domain #536

Closed immqu closed 7 months ago

immqu commented 7 months ago

This PR addresses #520. It adds an enumerate method to the providermetaloader.go which loads the PMDs from the well-known path, the security.txt, or the DNS URL (as defined in the spec in requirement 7.3.1).

The PR also includes usage of the new method in the csaf_downloader and its main method.

There is, however, still a doubt that I have about the issue: Why does the load method compare the PMD from the well-known path to the first one found in the security.txt? I couldn't find a respective requirement in the spec. It could be the case that a provider provides the PMD in the well-known path and only advertises additional PMDs in the security.txt, right?

Looking forward to your feedback!

bernhardreiter commented 7 months ago

Hi @immqu, thanks for your contribution!

We will review it in the next days. I've started the automatic checks. Note that I found a typo and the linter also found something (see check report).

immqu commented 7 months ago

Hi, I have fixed the typo and linting errors.

Also, I realized the doubt I described above about the Load method came from overlooking one sentence in the spec ("If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF entry in the security.txt"). Currently, the new Enumerate method lists all the PMDs including the duplicated one from the security.txt, but I think we could leave it like that, since this allows verifying that the PMDs are provided correctly.
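The enumeration described in the PR description and the first-entry rule quoted above, as an added example in Go that is not part of the gocsaf/csaf code base: it builds the candidate list from the three locations (well-known path, security.txt, DNS URL) and checks the quoted rule against a constructed security.txt. The URL shapes and the `CSAF:` field parsing are assumed from CSAF 2.0 requirements 8 to 10, and the names `Candidate`, `Enumerate` and `FirstEntryIsWellKnown` are this example's own, not the PR's.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Candidate is a place a provider-metadata.json (PMD) may live, tagged with
// the source that advertised it: well-known path, security.txt or DNS URL.
type Candidate struct{ Source, URL string }

// Fixed PMD locations of CSAF 2.0 requirements 9 (well-known) and 10 (DNS); assumed shapes.
func WellKnownURL(domain string) string {
	return "https://" + domain + "/.well-known/csaf/provider-metadata.json"
}
func DNSURL(domain string) string { return "https://csaf.data.security." + domain }

// CSAFEntries returns the values of all "CSAF:" fields of a security.txt
// (requirement 8) in file order; comment lines and other fields are skipped.
func CSAFEntries(securityTxt string) (urls []string) {
	sc := bufio.NewScanner(strings.NewReader(securityTxt))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && strings.EqualFold(strings.TrimSpace(parts[0]), "CSAF") {
			urls = append(urls, strings.TrimSpace(parts[1]))
		}
	}
	return urls
}

// Enumerate lists every candidate PMD in the order a downloader would try them.
// A URL advertised by several sources is kept on purpose, so the duplicate
// between the well-known path and the security.txt stays visible to the caller.
func Enumerate(domain, securityTxt string) []Candidate {
	cands := []Candidate{{"well-known", WellKnownURL(domain)}}
	for _, u := range CSAFEntries(securityTxt) {
		cands = append(cands, Candidate{"security.txt", u})
	}
	return append(cands, Candidate{"dns", DNSURL(domain)})
}

// FirstEntryIsWellKnown checks the quoted spec rule: when the well-known URL
// is served, it MUST be the first CSAF entry in the security.txt.
func FirstEntryIsWellKnown(domain, securityTxt string) bool {
	e := CSAFEntries(securityTxt)
	return len(e) > 0 && e[0] == WellKnownURL(domain)
}

// Constructed sample security.txt, not taken from any real provider.
const sampleSecurityTxt = "Contact: mailto:security@example.com\n# comment\n" +
	"CSAF: https://example.com/.well-known/csaf/provider-metadata.json\n" +
	"CSAF: https://psirt.example.com/provider-metadata.json\n"

func main() {
	for _, c := range Enumerate("example.com", sampleSecurityTxt) {
		fmt.Printf("%-12s %s\n", c.Source, c.URL)
	}
	fmt.Println("well-known PMD is first CSAF entry:", FirstEntryIsWellKnown("example.com", sampleSecurityTxt))
}
```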

bernhardreiter commented 7 months ago

@immqu thanks! Can you run the Integration Test action on your branch for an additional check? (Go to Actions and then run it manually on your branch.)

immqu commented 7 months ago

I have updated the fork with the new changes and successfully ran the integration tests!

bernhardreiter commented 7 months ago

docs/csaf_downloader.md needs an update for the new flag (it is done manually after running --help)