Closed bernhardreiter closed 2 years ago
After the creation of this issue, the CSAF specification was updated, by https://github.com/oasis-tcs/csaf/pull/472/files in this point.
To specify the problem to my understanding: Aggregators can be of the categories "aggregator", which is a mirror, and "lister", which only lists the data.
https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html Example 138 shows a lister, example 139 an aggregator.
There need to be 2+ entries in the category aggregator, and 0+ entries in the category lister, for the distributing party to qualify as a "CSAF aggregator".
This means currently we're not checking whether we have 2+ aggregators but only whether we got 2+ providers, which would falsely allow one aggregator and one lister or two listers to wrongly satisfy the requirement when they should fail, which needs to be fixed.
@tschmidtb51 , if the aggregator.toml contains at least 2 providers, but less than 2 aggregators (mirrors), is the aggregator supposed to throw an error?
Yes, as this violates the third point:
lists a mirror for at least two disjoint issuing parties pointing to a domain under its own control.
CSAF Aggregators must at least do two mirrors, but can also have entries that are just listed, see https://github.com/oasis-tcs/csaf/issues/470
Technical consideration
A config option per provider could handle this.
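As an added illustration of that per-provider option (this is example code written here, not code from this issue's participants or from the project whose aggregator.toml is discussed), the Go snippet below models a hypothetical `category` setting on each provider entry and implements the check the issue asks for: the configuration passes only if at least two entries of category "aggregator" (mirrors) exist for disjoint issuing parties, while entries of category "lister" are allowed but do not count. The struct fields and function names are assumptions, not the real configuration schema.

```go
package main

import (
	"fmt"
)

// ProviderCategory mirrors the two categories named in the CSAF specification:
// "aggregator" (a mirror of the issuing party) and "lister" (listing only).
type ProviderCategory string

const (
	CategoryAggregator ProviderCategory = "aggregator"
	CategoryLister     ProviderCategory = "lister"
)

// ProviderConfig is a hypothetical per-provider entry of aggregator.toml.
// The field names are assumptions made for this example, not the real schema.
type ProviderConfig struct {
	Name     string           // name of the issuing party
	Domain   string           // domain of the issuing party
	Category ProviderCategory // "aggregator" (mirror) or "lister"
}

// CountMirroredParties returns the number of distinct issuing parties that
// are mirrored, i.e. that have at least one entry of category "aggregator".
// Listers are ignored; an unknown category is reported as an error.
func CountMirroredParties(providers []ProviderConfig) (int, error) {
	mirrored := map[string]bool{}
	for _, p := range providers {
		switch p.Category {
		case CategoryAggregator:
			mirrored[p.Name] = true
		case CategoryLister:
			// listed only: permitted, but does not count towards the requirement
		default:
			return 0, fmt.Errorf("provider %q: unknown category %q", p.Name, p.Category)
		}
	}
	return len(mirrored), nil
}

// CheckAggregatorRequirement returns nil only if the configuration mirrors at
// least two disjoint issuing parties, which is what the specification requires
// for the distributing party to qualify as a CSAF aggregator. Counting providers
// alone would wrongly accept one mirror plus one lister, or two listers.
func CheckAggregatorRequirement(providers []ProviderConfig) error {
	n, err := CountMirroredParties(providers)
	if err != nil {
		return err
	}
	if n < 2 {
		return fmt.Errorf("%d provider(s) configured but only %d mirrored issuing party/parties; at least 2 entries of category %q for disjoint issuing parties are required",
			len(providers), n, CategoryAggregator)
	}
	return nil
}

func main() {
	// Constructed sample configurations, not taken from any real aggregator.toml.
	cases := map[string][]ProviderConfig{
		"two listers": {
			{Name: "Vendor A", Domain: "a.example", Category: CategoryLister},
			{Name: "Vendor B", Domain: "b.example", Category: CategoryLister},
		},
		"one mirror, one lister": {
			{Name: "Vendor A", Domain: "a.example", Category: CategoryAggregator},
			{Name: "Vendor B", Domain: "b.example", Category: CategoryLister},
		},
		"two mirrors, one lister": {
			{Name: "Vendor A", Domain: "a.example", Category: CategoryAggregator},
			{Name: "Vendor B", Domain: "b.example", Category: CategoryAggregator},
			{Name: "Vendor C", Domain: "c.example", Category: CategoryLister},
		},
	}
	for name, providers := range cases {
		if err := CheckAggregatorRequirement(providers); err != nil {
			fmt.Printf("%-24s -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-24s -> accepted\n", name)
		}
	}
}
```

Two entries of category "aggregator" that point at the same issuing party still count as one mirrored party, which is why the check counts distinct names rather than entries; that is the "disjoint issuing parties" part of the requirement quoted above.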