gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Allow for "listing only" entries in the CSAF Aggregator configuration #73

Closed bernhardreiter closed 2 years ago

bernhardreiter commented 2 years ago

CSAF aggregators must at least do two mirrors, but can also have entries that are just listed; see https://github.com/oasis-tcs/csaf/issues/470

technical consideration

A config option per provider could handle this.

bernhardreiter commented 2 years ago

After the creation of this issue, the CSAF specification was updated on this point by https://github.com/oasis-tcs/csaf/pull/472/files.

JanHoefelmeyer commented 2 years ago

To specify the problem to my understanding: Aggregators can be of the categories "aggregator", which is a mirror, and "lister", which only lists the data.

https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html Example 138 shows a lister, example 139 an aggregator.

There need to be 2+ entries in the category "aggregator" and 0+ entries in the category "lister" for the distributing party to qualify as a "CSAF aggregator".

This means that currently we're not checking whether we have 2+ aggregators, but only whether we have 2+ providers. That would falsely allow one aggregator and one lister, or two listers, to satisfy the requirement when they should fail, which needs to be fixed.

JanHoefelmeyer commented 2 years ago

@tschmidtb51 , if the aggregator.toml contains at least 2 providers, but less than 2 aggregators (mirrors), is the aggregator supposed to throw an error?

tschmidtb51 commented 2 years ago

Yes, as this violates the third point:

lists a mirror for at least two disjoint issuing parties pointing to a domain under its own control.
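The check the thread converges on (count only "aggregator" entries toward the 2+ minimum, as described in the earlier comment, and require that they mirror disjoint issuing parties, as quoted above), written out as an added example in Go. This is not code from the gocsaf/csaf project: the `Provider` struct, its field names, the per-provider `Category` option and the rule that an empty or unknown category is rejected are assumptions for this example, and the real aggregator.toml layout is not reproduced. The sample configurations in `main` are constructed.

```go
package main

import "fmt"

// Category is the per-provider config option the thread proposes:
// "aggregator" entries are mirrored, "lister" entries are only listed.
type Category string

const (
	CategoryAggregator Category = "aggregator"
	CategoryLister     Category = "lister"
)

// Provider is a hypothetical entry of an aggregator configuration.
// The field names are assumptions for this example; the real
// aggregator.toml layout of gocsaf/csaf is not reproduced here.
type Provider struct {
	Name     string   // issuing party
	Domain   string   // where its provider-metadata.json is fetched from
	Category Category // "aggregator" (mirror) or "lister"
}

// CheckAggregatorRequirement returns nil only if the configuration mirrors
// at least two disjoint issuing parties. Only "aggregator" entries count;
// listers are allowed in any number but never satisfy the minimum.
// Two mirror entries naming the same issuing party count once, so mirroring
// one party twice cannot stand in for two disjoint parties.
// Assumption: an empty or unknown category is a configuration error rather
// than being silently treated as a mirror.
func CheckAggregatorRequirement(providers []Provider) error {
	mirrored := make(map[string]struct{})
	for i, p := range providers {
		switch p.Category {
		case CategoryAggregator:
			mirrored[p.Name] = struct{}{}
		case CategoryLister:
			// listed only; does not count toward the minimum
		default:
			return fmt.Errorf("provider %d (%q): unknown category %q", i, p.Name, p.Category)
		}
	}
	if n := len(mirrored); n < 2 {
		return fmt.Errorf("only %d disjoint issuing parties mirrored, at least 2 required", n)
	}
	return nil
}

func main() {
	// Constructed sample configurations, not real providers.
	cases := []struct {
		name      string
		providers []Provider
	}{
		{"two mirrors", []Provider{
			{"Vendor A", "a.example", CategoryAggregator},
			{"Vendor B", "b.example", CategoryAggregator},
		}},
		{"one mirror, one lister", []Provider{
			{"Vendor A", "a.example", CategoryAggregator},
			{"Vendor B", "b.example", CategoryLister},
		}},
		{"two listers", []Provider{
			{"Vendor A", "a.example", CategoryLister},
			{"Vendor B", "b.example", CategoryLister},
		}},
		{"same party mirrored twice", []Provider{
			{"Vendor A", "a.example", CategoryAggregator},
			{"Vendor A", "a-mirror.example", CategoryAggregator},
		}},
	}
	for _, c := range cases {
		if err := CheckAggregatorRequirement(c.providers); err != nil {
			fmt.Printf("%-26s rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%-26s accepted\n", c.name)
		}
	}
}
```

Only the first sample passes; the mixed, lister-only and duplicate-party configurations are all rejected, which is the behaviour the thread asks for instead of the plain "2+ providers" count.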