gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Validation: validate provided CSAF against requirements of specific CSAF profile #556

Open llugin opened 3 months ago

llugin commented 3 months ago

csaf.ValidateCSAF() doesn't validate against the mandatory additional fields for specific CSAF profiles other than csaf_base (as described in https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#4-profiles). Moreover, providing an invalid CSAF profile, e.g.

{
  "document": {
    "category": "csaf_invalid_category",
    // ...
  }
}

doesn't return a validation error.

tschmidtb51 commented 3 months ago

@llugin I guess, you used the csaf-validate function without the remote validator? The Go code currently just checks the JSON schema (strictly) - for the mandatory (and other business level) tests, a remote validator (e.g. csaf-validator-service) must be used. This is also implemented that way in the csaf_validator. I agree that our documentation on that could be clearer. Feel free to submit a PR.