oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

[Exclude from changes list] Changes from previous version collector #838

Open sthagen opened 18 hours ago

sthagen commented 18 hours ago

As of 2024-12-01T09:00:00+00:00 the following closed and open issues carry the label "csaf 2.1". They are separated per state and sorted by title. The goal is to keep the lists aligned with processing state and use as a source for a human redacted list or table documenting the changes to CSAF v2.1 from CSAF v2.0 (content for section 1.1).

The basic proposal is to aggregate and order by impact / hardness, like:

  1. Changes to the schema files ordered by main csaf and then alphabetically others
  2. Changes to tests ordered by mandatory, optional, and informative (also in prose)
  3. Changes to normative prose "refining the JSON schema" and deprecations
  4. Clarifications of normative and informative prose (eventually with the detailed changes in that category delegated to the appendix revision history)
  5. Nits and fixes summary mention (eventually not even listing these in detail in the appendix revision history)

Cf. the proposal block in this issue.

Closed:

  1. 3.1.11.2 Version Type - Semantic versioning
  2. Add "Preconditions" item
  3. Add $schema to testcases_json_schema.json
  4. Add a new category "Platform" to the Product Branch
  5. Add a schema identifier to CSAF v2.1 and later data files
  6. Add comment on timezones for sorting timestamps
  7. Add conformance target "CSAF Downloader"
  8. Add conformance target "CSAF library"
  9. Add optional test: /document/tracking/id not in /document/title
  10. Add optional test: Suggest usage of latest version in CWE
  11. Add optional test: Warn if vulnerability mapping is not in state allowed
  12. Add optional test: Warn on usage of deprecated CWE
  13. Add reference to RFC8322
  14. Add remediation category "fix_planned"
  15. Add test for unwanted remediation combinations
  16. Add test: same timestamps in revision history
  17. Appendix C: Raise file size softlimit
  18. Clarify 6.1.14: same timestamps
  19. Clarify 6.1.16: same timestamps
  20. Clarify CPE version
  21. Clarify directly in section 7
  22. Clarify Markdown
  23. Clarify relation of search and filter
  24. Clarify Security consideration
  25. Clarify the maximum redirects
  26. Correct broken link in "Examples 32" under section 3.2.1.5.2
  27. Correct enforcing fingerprint
  28. Correct Example 129
  29. Correct namespace in example 17
  30. Feature request: Add source (reference) to CVSS
  31. handling the lack of CVSS string (CSAF specifications 6.1.8)
  32. Handling vulnerabilities with multiple CWEs
  33. Incorrect date in VEX-Justification reference entry
  34. Make TLP mandatory
  35. New value: "patch_for_not_affected" or similar in "remediation"
  36. Remove erroneous word "is" from 3.1.3.3.7 text
  37. Set TLP:CLEAR as default
  38. Specify recursion depth for branches
  39. Typographical error in section 3.1.11.1
  40. Update CSAF to use TLP 2.0
  41. v2.0 OS failed CPSR-coding in section 9.1.13 Conformance Clause 13: CSAF asset matching system bug
  42. Warning/Error for signature expirations
  43. Write purl instead of PURL

Open:

  1. Add conformance target "CSAF-2.0-CSAF-2.1 converter"
  2. Add mandatory test: CPE vs. product_version_range
  3. Add new profile: "Withdrawn"
  4. Add new profile: Superseded
  5. Add Sharing Groups
  6. Add test data for 6.1.7: duplicate items
  7. Add test: Consistent PIH
  8. Add version to CWE
  9. Allow detecting a ROLIE update efficiently
  10. Check code blocks for correct syntax
  11. Clarification on why test case 6-1-31-12 in CSAF2.0 is supposed to be valid
  12. Clarify csaf.data.security.domain.ltd in Requirement 10: DNS path
  13. Clarify Inclusion of Open Source
  14. Clarify quotes in changes.csv
  15. Clarify requirement 19: ASCII vs. Binary signature
  16. Clarify terminology of initial release of document version in 3.1.11.1 Version Type - Integer versioning
  17. Clarify the inclusion of open-source projects for the value vendor in 3.2.1.8.1 Document Property - Publisher - Category
  18. Clearly differentiate fixed vs known_not_affected
  19. Clearly state hardware/software separation in product_tree
  20. CPE pattern
  21. Enforce format validation
  22. Enforce use of affected in csaf_security_advisory
  23. Ensure VEX minimum requirements with CSAF
  24. Include support for SSVC
  25. Offer multiple documents of one advisory
  26. Provide an expected failure "code" or "message" in testcases.json
  27. Sharing groups
  28. Support CVSS 4.0 in CSAF 2.x
  29. Support for Multiple Notes, Products, and IDs
  30. Support multiple purl identifiers in product_identification_helper

sthagen commented 13 hours ago

Proposal Sketch

Changes from Earlier Versions

Changes from CSAF Version 2.0

Changes from the Version 2.0 Schema Files

...ordered by main CSAF JSON schema and then alphabetically others

Changes from the Version 2.0 Tests

...ordered by mandatory, optional, and informative (also in prose)

Changes from the Version 2.0 Normative Parts

Changes to prose "refining the JSON schema" and deprecations.

Clarifications of normative prose (eventually with the detailed changes in that category delegated to the appendix revision history).

Changes from the Version 2.0 Normative Parts

Clarifications of informative prose (eventually with the detailed changes in that category delegated to the appendix revision history)

Minor Editorial Fixes of the Version 2.0 Artifacts

Nits and fixes summary mention (eventually not even listing these in detail in the appendix revision history)