Unable to download Microsoft CSAF #588

Rafiot · 2024-11-19T14:27:07Z

I'm not sure what the issue is, but fetching the CSAF entries from Microsoft fails in a weird way: downloader.log

{"time":"2024-11-19T15:19:47+01:00","level":"INFO","msg":"AdvisoryFileProcessor.Process: \"https://msrc.microsoft.com/csaf/changes.csv\" has an invalid time stamp in line 89: parsing time \"2024-11-12T08:00:00.0000000\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"Z07:00\""}

The call:

csaf_downloader -d csaf_microsoft https://msrc.microsoft.com/csaf/provider-metadata.json

Do you have any idea how to fix it?

The text was updated successfully, but these errors were encountered:

bernhardreiter · 2024-11-20T11:55:55Z

A line from https://msrc.microsoft.com/csaf/changes.csv:

2024/msrc_cve-2024-49060.json,2024-11-15T08:00:00.0000000

Checking the format, this seems to be missing a timezone, so it is an invalid file.

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#7113-requirement-13-changescsv has

lines MUST be sorted by the current_release_date timestamp

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#321122-document-property---tracking---current-release-date

(current_release_date) with value type string with format date-time

And date-time is defined in https://json-schema.org/understanding-json-schema/reference/string as

Dates and times are represented in RFC 3339, section 5.6.

"date-time": Date and time together, for example, 2018-11-13T20:20:39+00:00

https://datatracker.ietf.org/doc/html/rfc3339#section-5.6 then has an ABNF which has

time-offset = "Z" / time-numoffset
full-time = partial-time time-offset

The time-offset is missing in the file. Best would be if the provider could fix this on their end.

Rafiot · 2024-11-21T12:43:06Z

I'm reporting it to Microsoft, and pointing them to your details, thanks!

Rafiot · 2024-11-21T21:46:59Z

Update on that: the time issue is fixed, but now I get this error:

{"time":"2024-11-21T22:39:59+01:00","level":"WARN","msg":"Content type is not 'application/json'","url":"https://msrc.microsoft.com/csaf/2024/msrc_cve-2024-49028.json","content_type":"application/json; charset=utf-8"}

Their server returns application/json; charset=utf-8 when you expect application/json, but both should be valid (?).

I couldn't find it in the specs, but I'll drop them another mail if needed.

tschmidtb51 · 2024-11-21T23:02:22Z

Their server returns application/json; charset=utf-8 when you expect application/json, but both should be valid (?).

True. IMHO, both should be valid.
Flagging @bernhardreiter to suggest on how we want to deal with the situation in the checker in general.

Rafiot mentioned this issue Nov 19, 2024

Add Microsoft CSAF in the sources cve-search/vulnerability-lookup#84

Open

bernhardreiter self-assigned this Nov 20, 2024

bernhardreiter removed their assignment Nov 20, 2024

tschmidtb51 added the Not our bug something is not working, but it is due to a problem in the infrastructure beyond our control label Nov 20, 2024

bernhardreiter added the service+dev label Nov 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to download Microsoft CSAF #588

Unable to download Microsoft CSAF #588

Rafiot commented Nov 19, 2024

bernhardreiter commented Nov 20, 2024 •

edited

Loading

Rafiot commented Nov 21, 2024

Rafiot commented Nov 21, 2024

tschmidtb51 commented Nov 21, 2024

Unable to download Microsoft CSAF #588

Unable to download Microsoft CSAF #588

Comments

Rafiot commented Nov 19, 2024

bernhardreiter commented Nov 20, 2024 • edited Loading

Rafiot commented Nov 21, 2024

Rafiot commented Nov 21, 2024

tschmidtb51 commented Nov 21, 2024

bernhardreiter commented Nov 20, 2024 •

edited

Loading