Merge pull request #720 from tschmidtb51/tlp

Mandatory TLP 2.0

csaf_2.1/examples/ROLIE/example-01-category.json

@@ -2,11 +2,11 @@
   "categories": {
     "category": [
       {
-          "term": "Example Company Product A"
+        "term": "Example Company Product A"
       },
       {
-          "term": "Example Company Product B"
+        "term": "Example Company Product B"
       }
     ]
   }
-}
+}

csaf_2.1/examples/ROLIE/example-01-feed-tlp-white.json

@@ -1,11 +1,11 @@
 {
   "feed": {
-    "id": "example-csaf-feed-tlp-white",
-    "title": "Example CSAF feed (TLP:WHITE)",
+    "id": "example-csaf-feed-tlp-clear",
+    "title": "Example CSAF feed (TLP:CLEAR)",
     "link": [
       {
         "rel": "self",
-        "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-white.json"
+        "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-clear.json"
       }
     ],
     "category": [
@@ -49,4 +49,4 @@
       }
     ]
   }
-}
+}

csaf_2.1/examples/ROLIE/example-01-service.json

@@ -5,8 +5,8 @@
         "title": "Public CSAF feed",
         "collection": [
           {
-            "title": "Example CSAF feed (TLP:WHITE)",
-            "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-white.json",
+            "title": "Example CSAF feed (TLP:CLEAR)",
+            "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-clear.json",
             "categories": {
               "category": [
                 {

csaf_2.1/examples/ROLIE/example-02-service.json

@@ -5,8 +5,8 @@
         "title": "Public CSAF feed",
         "collection": [
           {
-            "title": "Example CSAF feed (TLP:WHITE)",
-            "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-white.json",
+            "title": "Example CSAF feed (TLP:CLEAR)",
+            "href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-clear.json",
             "categories": {
               "category": [
                 {
@@ -57,4 +57,4 @@
       }
     ]
   }
-}
+}

csaf_2.1/examples/csaf/bsi-2022-0001.json

@@ -7,7 +7,7 @@
     "csaf_version": "2.1",
     "distribution": {
       "tlp": {
-        "label": "WHITE",
+        "label": "CLEAR",
         "url": "https://www.first.org/tlp/"
       }
     },

csaf_2.1/examples/csaf/cisco-sa-20180328-smi2.json

@@ -3,6 +3,11 @@
     "title": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability",
     "category": "Cisco Security Advisory",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "publisher": {
       "category": "vendor",
       "contact_details": "Emergency Support:\n+1 877 228 7302 (toll-free within North America)\n+1 408 525 6532 (International direct-dial)\nNon-emergency Support:\nEmail: [email protected]\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-a-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-f-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-na-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-ui-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-02-na-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-03-ms-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-04-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-05-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-06-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-07-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-08-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-09-001.json

@@ -2,6 +2,11 @@
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
     "notes": [
       {
         "category": "summary",

csaf_2.1/examples/csaf/csaf_vex/sec-vex-2022-0001.json

@@ -4,7 +4,7 @@
     "csaf_version": "2.1",
     "distribution": {
       "tlp": {
-        "label": "WHITE",
+        "label": "CLEAR",
         "url": "https://www.first.org/tlp/"
       }
     },

csaf_2.1/examples/csaf/rhsa-2019_1862.json

@@ -9,7 +9,7 @@
     "distribution": {
       "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.",
       "tlp": {
-        "label": "WHITE",
+        "label": "CLEAR",
         "url": "https://www.first.org/tlp/"
       }
     },

csaf_2.1/examples/csaf/rhsa-2021_5186.json

@@ -9,7 +9,7 @@
     "distribution": {
       "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.",
       "tlp": {
-        "label": "WHITE",
+        "label": "CLEAR",
         "url": "https://www.first.org/tlp/"
       }
     },

csaf_2.1/examples/csaf/rhsa-2021_5217.json

@@ -9,7 +9,7 @@
     "distribution": {
       "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.",
       "tlp": {
-        "label": "WHITE",
+        "label": "CLEAR",
         "url": "https://www.first.org/tlp/"
       }
     },

csaf_2.1/examples/csaf/rhsa-2022_0011.json

@@ -9,7 +9,7 @@
     "distribution": {
       "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.",
       "tlp": {
-        "label": "WHITE",
+        "label": "CLEAR",
         "url": "https://www.first.org/tlp/"
       }
     },

csaf_2.1/examples/provider-metadata/example-01-provider-metadata.json

@@ -5,9 +5,9 @@
       "rolie": {
         "feeds": [
           {
-            "summary": "All TLP:WHITE advisories of Example Company.",
-            "tlp_label": "WHITE",
-            "url": "https://www.example.com/.well-known/csaf/feed-tlp-white.json"
+            "summary": "All TLP:CLEAR advisories of Example Company.",
+            "tlp_label": "CLEAR",
+            "url": "https://www.example.com/.well-known/csaf/feed-tlp-clear.json"
           }
         ]
       }

csaf_2.1/json_schema/csaf_json_schema.json

@@ -503,6 +503,7 @@
       "required": [
         "category",
         "csaf_version",
+        "distribution",
         "publisher",
         "title",
         "tracking"
@@ -565,7 +566,9 @@
           "title": "Rules for sharing document",
           "description": "Describe any constraints on how this document might be shared.",
           "type": "object",
-          "minProperties": 1,
+          "required": [
+            "tlp"
+          ],
           "properties": {
             "text": {
               "title": "Textual description",
@@ -592,9 +595,10 @@
                   "type": "string",
                   "enum": [
                     "AMBER",
+                    "AMBER+STRICT",
+                    "CLEAR",
                     "GREEN",
-                    "RED",
-                    "WHITE"
+                    "RED"
                   ]
                 },
                 "url": {

csaf_2.1/json_schema/provider_json_schema.json

@@ -98,7 +98,7 @@
                       "description": "Contains a summary of the feed.",
                       "type": "string",
                       "examples": [
-                        "All TLP:WHITE advisories of Example Company."
+                        "All TLP:CLEAR advisories of Example Company."
                       ]
                     },
                     "tlp_label": {
@@ -107,9 +107,10 @@
                       "type": "string",
                       "enum": [
                         "UNLABELED",
-                        "WHITE",
+                        "CLEAR",
                         "GREEN",
                         "AMBER",
+                        "AMBER+STRICT",
                         "RED"
                       ]
                     },

csaf_2.1/prose/edit/src/conformance.md

@@ -504,6 +504,22 @@ Secondly, the program fulfills the following for all items of:
 
 * type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a
   warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.
+* `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below:
+
+  | CSAF 2.0 (using TLP v1.0) | CSAF 2.1 (using TLP v2.0) |
+  |---------------------------|---------------------------|
+  | `TLP:WHITE`               | `TLP:CLEAR`               |
+  | `TLP:GREEN`               | `TLP:GREEN`               |
+  | `TLP:AMBER`               | `TLP:AMBER`               |
+  | `TLP:RED`                 | `TLP:RED`                 |
+
+  If `/document/distribution/text` contains the string `TLP v2.0: TLP:<ValidTLPLabel>`, the CSAF 2.0 to CSAF 2.1 converter SHOULD provide an
+  option to use this label instead. If the TLP label changes through such conversion in a way that is not reflected in the table above, the
+  the CSAF 2.0 to CSAF 2.1 converter MUST output a warning that the TLP label was taken from the distribution text. Such a warning MUST include
+  both values: the converted one based on the table and the one from the distribution text.
+  > This is a common case for CSAF 2.0 documents labeled as TLP:RED but actually intended to be TLP:AMBER+STRICT.
+
+  If no TLP label was given, the CSAF 2.0 to CSAF 2.1 converter SHOULD assign `TLP:CLEAR` and output a warning that the default TLP has been set.
 
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.