oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf
142 stars, 39 forks

Fix multiple full_product_names in relationship #98

Closed tolim closed 3 years ago

tolim commented 4 years ago

It is not conclusive to me why we allow multiple full_product_names in product_tree/relationships. One relationship element links two products and may produce one new product name and identifier in full_product_name. In this context it does not make sense to allow multiple full_product_names.

Btw, this is explicitly allowed by CVRF 1.2:

The prod:Relationship element MUST be present with cardinality [0, ∞] in prod:Tree and if given MUST contain one or more prod:FullProductName instances. » [CSAF-5.1.3-1]

At the moment we do not require the property full_product_name within product_tree/relationships. This does not conform to CVRF 1.2, but I propose not to change this.
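As an added illustration of the cardinality point in this issue (this is example code, not part of the csaf repository or of any CSAF tooling), the function below walks `product_tree/relationships` in a constructed CSAF-style document and reports every relationship that does not carry exactly one `full_product_name` object: an array of several (the shape the issue argues against) or a missing property. The keys `product_tree`, `relationships` and `full_product_name` come from the issue text; `category`, `product_reference`, `relates_to_product_reference` and the `CSAFPID-*` identifiers are assumed here to sketch what a relationship entry looks like, and the sample document itself is constructed.

```python
import json
from typing import Any

# Constructed sample document with three relationship entries: one well-formed,
# one carrying an array of full_product_names, one with the property missing.
# The field names other than product_tree / relationships / full_product_name
# are assumptions made for this example.
SAMPLE_DOCUMENT: dict[str, Any] = json.loads("""
{
  "product_tree": {
    "relationships": [
      {
        "category": "default_component_of",
        "product_reference": "CSAFPID-0001",
        "relates_to_product_reference": "CSAFPID-0002",
        "full_product_name": {"name": "nginx 1.18 as shipped in container image X",
                              "product_id": "CSAFPID-0003"}
      },
      {
        "category": "installed_on",
        "product_reference": "CSAFPID-0001",
        "relates_to_product_reference": "CSAFPID-0004",
        "full_product_name": [
          {"name": "nginx 1.18 on OS A", "product_id": "CSAFPID-0005"},
          {"name": "nginx 1.18 on OS B", "product_id": "CSAFPID-0006"}
        ]
      },
      {
        "category": "installed_on",
        "product_reference": "CSAFPID-0001",
        "relates_to_product_reference": "CSAFPID-0007"
      }
    ]
  }
}
""")


def check_relationships(doc: dict[str, Any]) -> list[str]:
    """Return one finding per relationship lacking exactly one full_product_name object.

    A relationship links two products and yields one new product name and
    identifier, so full_product_name is expected to be a single object that
    carries a product_id. An array (several names) or a missing property is
    reported with its position in product_tree/relationships.
    """
    findings: list[str] = []
    relationships = doc.get("product_tree", {}).get("relationships", [])
    for index, rel in enumerate(relationships):
        where = f"product_tree/relationships[{index}]"
        fpn = rel.get("full_product_name")
        if fpn is None:
            findings.append(f"{where}: missing full_product_name")
        elif isinstance(fpn, list):
            findings.append(
                f"{where}: full_product_name is an array of {len(fpn)}; "
                "expected exactly one object"
            )
        elif not isinstance(fpn, dict) or "product_id" not in fpn:
            findings.append(f"{where}: full_product_name is not an object with a product_id")
    return findings


def minted_product_ids(doc: dict[str, Any]) -> list[str]:
    """Collect the product_id of each well-formed relationship (one per relationship)."""
    ids: list[str] = []
    for rel in doc.get("product_tree", {}).get("relationships", []):
        fpn = rel.get("full_product_name")
        if isinstance(fpn, dict) and "product_id" in fpn:
            ids.append(fpn["product_id"])
    return ids


if __name__ == "__main__":
    for finding in check_relationships(SAMPLE_DOCUMENT):
        print(finding)
    print("product ids minted by relationships:", minted_product_ids(SAMPLE_DOCUMENT))
```

Run against the sample, the check flags the second entry (an array of two names) and the third (no `full_product_name` at all), while only the first entry contributes a product identifier that later sections of an advisory could reference.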

sthagen commented 4 years ago

As stated in my review of the pull request I can easily imagine many components together constructing the insecure situation the advisory tries to mitigate: An nginx server running in a docker container with a specific hypervisor on a specific operating system when ipv6 is active and the application server is a so-and-so in a such-and-such configuration ...

santosomar commented 3 years ago

This was addressed in pull request #99