oasis-open / csaf-parser

OASIS TC Open Repository: CSAF Parser tool for parsing and checking the syntax of the Common Vulnerability Reporting Framework (CVRF) content
https://github.com/oasis-open/csaf-parser
MIT License
23 stars 12 forks source link

README

OASIS TC Open Repository: csaf-parser

This GitHub public repository ( https://github.com/oasis-open/csaf-parser ) was created at the request of the OASIS Common Security Advisory Framework (CSAF) TC as an OASIS TC Open Repository to support development of open source resources related to Technical Committee work.

**NOTE**: The current version of this parser only supports [CVRF 1.2 (XML-based specification)](http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html). It does not support the [CSAF 2.0 JSON schema](https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json). To obtain information about several tools to parse, create, and validate CSAF 2.0 content go to https://csaf.io.

While this TC Open Repository remains associated with the sponsor TC, its development priorities, leadership, intellectual property terms, participation rules, and other matters of governance are separate and distinct from the OASIS TC Process and related policies.

All contributions made to this TC Open Repository are subject to open source license terms expressed in the BSD-3-Clause License. That license was selected as the declared "Applicable License" when the TC Open Repository was created.

As documented in "Public Participation Invited", contributions to this OASIS TC Open Repository are invited from all parties, whether affiliated with OASIS or not. Participants must have a GitHub account, but no fees or OASIS membership obligations are required. Participation is expected to be consistent with the OASIS TC Open Repository Guidelines and Procedures, the open source LICENSE designated for this particular repository, and the requirement for an Individual Contributor License Agreement that governs intellectual property.

Statement of Purpose

Statement of Purpose for this OASIS TC Open Repository (csaf-parser) as proposed and approved [bis] by the TC:

The CSAF Parser (and validator) under development in this repository is a software tool for parsing and checking the syntax of the Common Vulnerability Reporting Framework (CVRF) machine readable security advisory content. The repository contains source code and associated documentation for the tool. The CSAF Parser can be used as a command-line tool or as a Python library which can be included in other applications.

[Earlier incarnations of the parser code included cvrf-util and Mike Schiffman's cvrfparse]

CVRF Parsing Examples

Common use-case command-line examples

One fairly common use-case would be to query a document and pull out the unique set of products with related fields from all vulnerabilities and save to excel file as shown below: `python cvrf_util.py --file examples/1.1/ms_cvrf.xml --schema schemata/cvrf/1.1/cvrf.xsd --cvrf-version 1.1 --output-format csv --output-file ms_cvrf.csv --vuln ProductID --include-related-product-elements --unique-products --related-product-tags all`

Where the following command line parameters were applied:
--file examples/1.1/ms_cvrf.xmlSpecify the document we are parsing
--schema schemata/cvrf/1.1/cvrf.xsdSpecify the schema
--cvrf-version 1.1Specify the CVRF version
--output-format csvSpecify output format to CVS
--output-file ms_cvrf.csvSpecify the output file
--vuln ProductIDSpecify elements to parse
--include-related-product-elementsTell output to include related product elements
--unique-productsSpecify that we want unique product rows per vulnerability
--related-product-tags allSpecify which related product element tags to include for each product row


Another common example is to query a document and parse out all of the elements in each vulnerability and save to html file as shown below:

`python cvrf_util.py --file examples/1.1/ms_cvrf.xml --cvrf-version 1.1 --output-format html --output-file ms_cvrf.html --vuln Vulnerability --cvrf all --prod all`

Where the following command line parameters were applied:
--file examples/1.1/ms_cvrf.xmlSpecify the document we are parsing
--cvrf-version 1.1Specify the CVRF version
--output-format htmlSpecify output format to HTML
--output-file ms_cvrf.htmlSpecify the output file
--vuln VulnerabilitySpecify elements to parse
--cvrf allSpecify elements to parse
--prod allSpecify elements to parse

Additions to Statement of Purpose

Repository Maintainers may include here any clarifications — any additional sections, subsections, and paragraphs that the Maintainer(s) wish to add as descriptive text, reflecting (sub-) project status, milestones, releases, modifications to statement of purpose, etc. The project Maintainers will create and maintain this content on behalf of the participants.

Maintainers

TC Open Repository Maintainers are responsible for oversight of this project's community development activities, including evaluation of GitHub pull requests and preserving open source principles of openness and fairness. Maintainers are recognized and trusted experts who serve to implement community goals and consensus design preferences.

Initially, the associated TC members have designated one or more persons to serve as Maintainer(s); subsequently, participating community members may select additional or substitute Maintainers, per consensus agreements.

Current Maintainers of this TC Open Repository

About OASIS TC Open Repositories

Feedback

Questions or comments about this TC Open Repository's activities should be composed as GitHub issues or comments. If use of an issue/comment is not possible or appropriate, questions may be directed by email to the Maintainer(s) listed above. Please send general questions about TC Open Repository participation to OASIS Staff at repository-admin@oasis-open.org and any specific CLA-related questions to repository-cla@oasis-open.org.