Skip to content

Commit

Permalink
Merge pull request #714 from oasis-tcs/editor-revision-2024-03-27
Browse files Browse the repository at this point in the history
Editor revision for TC meeting 2024-03-27
  • Loading branch information
santosomar authored May 12, 2024
2 parents e228c9d + 9e23323 commit 5ddc27e
Show file tree
Hide file tree
Showing 15 changed files with 78 additions and 24 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/csaf_2.1_cpe.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,4 +19,6 @@ jobs:
with:
node-version: '20'
- name: Perform CPE Dictionary Test
run: ./csaf_2.1/test/cpe/run_tests.sh
run: ./csaf_2.1/test/cpe/run_dictionary_tests.sh
- name: Perform CPE local examples Test
run: ./csaf_2.1/test/cpe/run_local_tests.sh
4 changes: 2 additions & 2 deletions csaf_2.1/json_schema/csaf_json_schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@
"title": "Common Platform Enumeration representation",
"description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
"type": "string",
"pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$",
"pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
"minLength": 5
},
"hashes": {
Expand Down Expand Up @@ -251,7 +251,7 @@
"description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
"type": "string",
"format": "uri",
"pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+",
"pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
"minLength": 7
},
"sbom_urls": {
Expand Down
7 changes: 6 additions & 1 deletion csaf_2.1/prose/edit/src/conformance.md
Original file line number Diff line number Diff line change
Expand Up @@ -473,7 +473,7 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
A switch to mark all SBOM component at once MAY be implemented.
* does not bring up a newer revision of a CSAF document as a new match if the remediation for the matched SBOM or SBOM component has not changed.
* detects the usage semantic version (as described in section [sec](#version-type-semantic-versioning)).
* is able to trigger a run of the asset matching module:
* is able to trigger a run of the SBOM matching module:
* manually:
* per CSAF document
* per list of CSAF documents
Expand Down Expand Up @@ -502,7 +502,12 @@ Firstly, the program:

Secondly, the program fulfills the following for all items of:

* type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a
warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.

> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
> of the rules above MAY be ignored to avoid data loss.
-------
6 changes: 3 additions & 3 deletions csaf_2.1/prose/edit/src/frontmatter.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

## Committee Specification Draft 01

## 28 February 2024
## 27 March 2024

#### This stage:
https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
Expand Down Expand Up @@ -55,7 +55,7 @@ This specification replaces or supersedes:


#### Abstract:
The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.

#### Status:
This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical.
Expand All @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used

**[csaf-v2.1]**

_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 March 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


-------
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ OPENSSL
: _GTLS/SSL and crypto library_, OpenSSL Software Foundation, https://www.openssl.org/.

PURL
: _Package URL (PURL)_, GitHub Project, https://github.com/package-url/purl-spec.
: _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec.

RFC3339
: Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
Expand Down Expand Up @@ -118,7 +118,7 @@ SPDX22
https://spdx.github.io/spdx-spec/.

VERS
: _vers: a mostly universal version range specifier_, Part of the PURL GitHub Project,
: _vers: a mostly universal version range specifier_, Part of the purl GitHub Project,
https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst.

VEX
Expand Down
1 change: 1 addition & 0 deletions csaf_2.1/prose/edit/src/revision-history.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,5 @@ toc:
|:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------|
| csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision |
| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.0-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
-------
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ and `x_generic_uris`, one is mandatory.
Common Platform Enumeration representation (`cpe`) of value type `string` of 5 or more characters with `pattern` (regular expression):

```
^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$
^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$
```

The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.
Expand Down Expand Up @@ -238,20 +238,20 @@ Two `*` MUST NOT follow each other.
IC25T060ATCS05-0
```

##### Full Product Name Type - Product Identification Helper - PURL
##### Full Product Name Type - Product Identification Helper - purl

The package URL (PURL) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):
The package URL (purl) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):

```
^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+
^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+
```

> The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#PURL) specification.
> The given pattern does not completely evaluate whether a purl is valid according to the [cite](#PURL) specification.
> It provides a more generic approach and general guidance to enable forward compatibility.
> CSAF uses only the canonical form of PURL to conform with section 3.3 of [cite](#RFC3986).
> CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986).
> Therefore, URLs starting with `pkg://` are considered invalid.
This package URL (PURL) attribute refers to a method for reliably identifying and locating software packages external to this specification.
This package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
See [cite](#PURL) for details.

##### Full Product Name Type - Product Identification Helper - SBOM URLs
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -750,7 +750,8 @@ Valid values are:
The value `exploit_status` indicates that the `details` field contains a description of the degree to which an exploit for the vulnerability is known.
This knowledge can range from information privately held among a very small group to an issue that has been described to the public at
a major conference or is being widely exploited globally.
For consistency and simplicity, this section can be a mirror image of the CVSS "Exploitability" metric.
For consistency and simplicity, this section can be a mirror image of the CVSS `exploitMaturity` (v4.0),
respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric.
However, it can also contain a more contextual status, such as "Weaponized" or "Functioning Code".

The value `impact` indicates that the `details` field contains an assessment of the impact on the user or the target set if
Expand Down
2 changes: 1 addition & 1 deletion csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
### PURL

It MUST be tested that given PURL is valid.
It MUST be tested that given purl is valid.

The relevant paths for this test are:

Expand Down
4 changes: 2 additions & 2 deletions csaf_2.1/prose/edit/src/tests-03-informative.md
Original file line number Diff line number Diff line change
Expand Up @@ -412,8 +412,6 @@ The relevant paths for this test are:

> The product version starts with a `v`.
-------

### Missing CVSS v4.0

For each item in the list of scores it MUST be tested that a `cvss_v4` object is present.
Expand Down Expand Up @@ -455,3 +453,5 @@ The relevant path for this test is:
```

> There is no CVSS v4.0 score given for `CSAFPID-9080700`.
-------
5 changes: 5 additions & 0 deletions csaf_2.1/test/cpe/data/invalid/cpe.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
PREFIXcpe:/o:redhat:rhel_aus:7.6::server
cpe:/o:redhat:rhel_aus:7.6::server::SUFFIX
PREFIXcpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*
cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*"
cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:**
3 changes: 3 additions & 0 deletions csaf_2.1/test/cpe/data/valid/cpe.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other*
cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other????
cpe:/o:redhat:rhel_aus:7.6::server
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ get_dictionary() {
prepare_23_dictionary() {
# Get CPE 2.3 fields
# Correctly decode special characters
grep '<cpe-23:cpe23-item name=' "$CPE".xml | sed -e 's/^.*<cpe-23:cpe23-item name="//' -e 's/"\/>$//' \
grep '<cpe-23:cpe23-item name=' "$CPE".xml | sed -e 's/^.*<cpe-23:cpe23-item name="//' -e 's/"\/\?>$//' \
| sed -e 's/\\&amp;/\\\&/g' \
| sed -e 's/\\&quot;/\\"/g' \
> "$CPE".txt
Expand Down
36 changes: 36 additions & 0 deletions csaf_2.1/test/cpe/run_local_tests.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
#!/bin/bash

SCHEMA=csaf_2.1/json_schema/csaf_json_schema.json
VALIDATOR=csaf_2.1/test/cpe/test-regex.js
DATA_VALID=csaf_2.1/test/cpe/data/valid/cpe.txt
DATA_INVALID=csaf_2.1/test/cpe/data/invalid/cpe.txt

FAIL=0

# go to root of git repository
cd "$(dirname "$0")"/../../.. || exit


validate() {
printf "Testing file %s against cpe regex from %s ... \n" "$1" "$SCHEMA"
if node "$VALIDATOR" "$SCHEMA" "$1" "$2"; then
printf "SUCCESS\n"
else
printf "FAILED\n"
FAIL=1
fi

}

echo -n "Test conforming (not necessary existing) CPEs... "
DATA=$DATA_VALID
validate $DATA true
printf "done\n"

echo -n "Test non-conforming CPEs... "
DATA=$DATA_INVALID
validate $DATA false
printf "done\n"


exit $FAIL
7 changes: 4 additions & 3 deletions csaf_2.1/test/cpe/test-regex.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,15 +10,16 @@ const r = new RegExp(pattern)
console.log('Current regex to test:', '\n', pattern)

const cpeStr = fs.readFileSync(args[1], 'utf8').split('\n')
const assertion = !((args[2] ?? true) === "false")

let failed = false

cpeStr.forEach(element => {
if (element.length > 0) {
const result = (r.exec(element) != null)
failed = failed | !result
if (!result) {
console.log(result, '\t', element)
failed = failed | (result !== assertion)
if (result !== assertion) {
console.log(result,'but expected', assertion, '\t', element)
}
}
});
Expand Down

0 comments on commit 5ddc27e

Please sign in to comment.