gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

datetime parsing not fully ISO 8601 compatible #69

Closed bernhardreiter closed 2 years ago

bernhardreiter commented 2 years ago

Here is a checker run, which encountered a ROLIE document with

{
"updated" : "2022-02-22T00:00Z"
}

which is a valid ISO 8601 format (see second paragraph in https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations for an example) and returned a Loading ROLIE feed failed: parsing time "2022-02-22T00:00Z" as "2006-01-02T15:04:05Z07:00": cannot parse "Z" as ":".

Expectation: this format is accepted.

s-l-teichmann commented 2 years ago

@bernhardreiter: Where did you get the information from that it should fulfill all ISO 8601 profiles?

From ROLIE RFC

https://datatracker.ietf.org/doc/html/rfc8322#section-6.1.3 does not say it explicitly.

https://datatracker.ietf.org/doc/html/rfc8322#section-7.4 mentions it explicitly:

urn:ietf:params:rolie:property:content-updated-date
      The "value" attribute of this property is a text representation
      indicating the date that the content, referenced by the "src"
      attribute of the Entry's "atom:content" element, was last updated.
      This date may differ from the updated date of the ROLIE Entry
      because updates made to the content and to the ROLIE Entry are
      different events.  The date MUST be formatted as specified in
      [[RFC3339](https://datatracker.ietf.org/doc/html/rfc3339)].

But RFC3339 is a normative reference; we believe it must be [RFC3339], which the code enforces.

sthagen commented 2 years ago

Well, https://datatracker.ietf.org/doc/html/rfc3339#section-5.6 provides z and Z … as that simplified profile of ISO-8601 modern RFCs should use :wink:

bernhardreiter commented 2 years ago

@bernhardreiter: Where did you get the information from that it should fulfill all ISO 8601 profiles?

Good catch, I've checked the CSAF-2.0 documentation, which does not explicitly refer to datetime standards, so I'd assumed that in absence of mentioning it, ISO 8601 would be a real-world expectation as it is a normative reference. I've made the mistake of not checking the ROLIE standards! Thanks for pointing it out.

@sthagen the problem is not the Z, but the missing ":" time-second, which is mandatory in

partial-time    = time-hour ":" time-minute ":" time-second

@s-l-teichmann we could improve that checker message, I think, but this is worth handling elsewhere.

Invalid, ROLIE datetimes MUST adhere to RFC3339
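For reference, an added example (not code from gocsaf/csaf) of what a strict RFC 3339 check for the "updated" value looks like in Go, with a checker message that names the actual problem from this issue: ISO 8601 permits dropping the seconds, RFC 3339 does not. The function name ParseRolieUpdated is hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// RFC 3339 section 5.6 grammar, spelled out as regular expressions:
//   date-time   = full-date "T" time-hour ":" time-minute ":" time-second
//                 [time-secfrac] time-offset
//   time-offset = "Z" / ("+" / "-") time-hour ":" time-minute
var (
	strictRFC3339 = regexp.MustCompile(
		`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$`)
	// Same shape with the mandatory ":ss" missing, i.e. the ISO 8601
	// reduced-precision form seen in the issue ("2022-02-22T00:00Z").
	missingSeconds = regexp.MustCompile(
		`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$`)
)

// ParseRolieUpdated (hypothetical helper, added example) validates an Atom/ROLIE
// "updated" value strictly against RFC 3339 and reports why it failed instead of
// Go's generic `cannot parse "Z" as ":"`.
func ParseRolieUpdated(s string) (time.Time, error) {
	// RFC 3339 allows lower-case "t" and "z"; Go's layout does not, so normalise.
	u := strings.ToUpper(s)
	switch {
	case missingSeconds.MatchString(u):
		return time.Time{}, fmt.Errorf("%q: time-second is mandatory in RFC 3339 "+
			"(hh:mm:ss); ISO 8601 reduced precision is not allowed", s)
	case !strictRFC3339.MatchString(u):
		return time.Time{}, fmt.Errorf("%q is not an RFC 3339 date-time", s)
	}
	// Grammar matched; time.Parse still rejects impossible calendar values
	// (month 13, hour 25, ...) and accepts the optional fractional seconds.
	t, err := time.Parse(time.RFC3339, u)
	if err != nil {
		return time.Time{}, fmt.Errorf("%q: %w", s, err)
	}
	return t, nil
}

func main() {
	for _, v := range []string{"2022-02-22T00:00Z", "2022-02-22T00:00:00Z",
		"2022-02-22t00:00:00.5+01:00", "2022-13-01T00:00:00Z"} {
		if t, err := ParseRolieUpdated(v); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", t.UTC().Format(time.RFC3339Nano))
		}
	}
}
```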

bernhardreiter commented 2 years ago

To be more precise the ROLIE specification lists RFC3339 as normative reference, which we interpret in the sense that all datetime values MUST use that format. (Even if it is only mentioned explicitly in section https://datatracker.ietf.org/doc/html/rfc8322#section-7.4 for The "rolie:property" Extension Point. (I've edited @s-l-teichmann comment above accordingly.))

bernhardreiter commented 2 years ago

As a followup I've suggested that CSAF moves to RFC3339 with UTC only in https://github.com/oasis-tcs/csaf/issues/469