diff --git a/.github/workflows/csaf_2.1_cpe.yml b/.github/workflows/csaf_2.1_cpe.yml
index c9fcf423..f5ca85f2 100644
--- a/.github/workflows/csaf_2.1_cpe.yml
+++ b/.github/workflows/csaf_2.1_cpe.yml
@@ -19,4 +19,6 @@ jobs:
with:
node-version: '20'
- name: Perform CPE Dictionary Test
- run: ./csaf_2.1/test/cpe/run_tests.sh
+ run: ./csaf_2.1/test/cpe/run_dictionary_tests.sh
+ - name: Perform CPE local examples Test
+ run: ./csaf_2.1/test/cpe/run_local_tests.sh
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index 1c42ccb5..b3888b31 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -159,7 +159,7 @@
"title": "Common Platform Enumeration representation",
"description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
"type": "string",
- "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$",
+ "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
"minLength": 5
},
"hashes": {
@@ -251,7 +251,7 @@
"description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
"type": "string",
"format": "uri",
- "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+",
+ "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
"minLength": 7
},
"sbom_urls": {
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
index 38d6e639..b5a9329e 100644
--- a/csaf_2.1/prose/edit/src/conformance.md
+++ b/csaf_2.1/prose/edit/src/conformance.md
@@ -473,7 +473,7 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
A switch to mark all SBOM component at once MAY be implemented.
* does not bring up a newer revision of a CSAF document as a new match if the remediation for the matched SBOM or SBOM component has not changed.
* detects the usage semantic version (as described in section [sec](#version-type-semantic-versioning)).
-* is able to trigger a run of the asset matching module:
+* is able to trigger a run of the SBOM matching module:
* manually:
* per CSAF document
* per list of CSAF documents
@@ -502,7 +502,12 @@ Firstly, the program:
Secondly, the program fulfills the following for all items of:
+* type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a
+ warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.
> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
+> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
+> of the rules above MAY be ignored to avoid data loss.
+
-------
diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md
index dd54682d..c3e5d861 100644
--- a/csaf_2.1/prose/edit/src/frontmatter.md
+++ b/csaf_2.1/prose/edit/src/frontmatter.md
@@ -7,7 +7,7 @@
## Committee Specification Draft 01
-## 28 February 2024
+## 27 March 2024
#### This stage:
https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -55,7 +55,7 @@ This specification replaces or supersedes:
#### Abstract:
-The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
+The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
#### Status:
This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical.
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
**[csaf-v2.1]**
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 March 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
-------
diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
index 3a450f3b..aba6bf6e 100644
--- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
+++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -65,7 +65,7 @@ OPENSSL
: _GTLS/SSL and crypto library_, OpenSSL Software Foundation, https://www.openssl.org/.
PURL
-: _Package URL (PURL)_, GitHub Project, https://github.com/package-url/purl-spec.
+: _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec.
RFC3339
: Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
@@ -118,7 +118,7 @@ SPDX22
https://spdx.github.io/spdx-spec/.
VERS
-: _vers: a mostly universal version range specifier_, Part of the PURL GitHub Project,
+: _vers: a mostly universal version range specifier_, Part of the purl GitHub Project,
https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst.
VEX
diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md
index 842479aa..f8ddef8e 100644
--- a/csaf_2.1/prose/edit/src/revision-history.md
+++ b/csaf_2.1/prose/edit/src/revision-history.md
@@ -12,4 +12,5 @@ toc:
|:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------|
| csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision |
| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+| csaf-v2.0-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
-------
diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
index 59690c97..fdb8ff3b 100644
--- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
+++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
@@ -80,7 +80,7 @@ and `x_generic_uris`, one is mandatory.
Common Platform Enumeration representation (`cpe`) of value type `string` of 5 or more characters with `pattern` (regular expression):
```
- ^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$
+ ^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$
```
The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.
@@ -238,20 +238,20 @@ Two `*` MUST NOT follow each other.
IC25T060ATCS05-0
```
-##### Full Product Name Type - Product Identification Helper - PURL
+##### Full Product Name Type - Product Identification Helper - purl
-The package URL (PURL) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):
+The package URL (purl) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):
```
- ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+
+ ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+
```
-> The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#PURL) specification.
+> The given pattern does not completely evaluate whether a purl is valid according to the [cite](#PURL) specification.
> It provides a more generic approach and general guidance to enable forward compatibility.
-> CSAF uses only the canonical form of PURL to conform with section 3.3 of [cite](#RFC3986).
+> CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986).
> Therefore, URLs starting with `pkg://` are considered invalid.
-This package URL (PURL) attribute refers to a method for reliably identifying and locating software packages external to this specification.
+This package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
See [cite](#PURL) for details.
##### Full Product Name Type - Product Identification Helper - SBOM URLs
diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
index 5cecf147..80e18f41 100644
--- a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
+++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
@@ -750,7 +750,8 @@ Valid values are:
The value `exploit_status` indicates that the `details` field contains a description of the degree to which an exploit for the vulnerability is known.
This knowledge can range from information privately held among a very small group to an issue that has been described to the public at
a major conference or is being widely exploited globally.
-For consistency and simplicity, this section can be a mirror image of the CVSS "Exploitability" metric.
+For consistency and simplicity, this section can be a mirror image of the CVSS `exploitMaturity` (v4.0),
+respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric.
However, it can also contain a more contextual status, such as "Weaponized" or "Functioning Code".
The value `impact` indicates that the `details` field contains an assessment of the impact on the user or the target set if
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md
index 949d5cc4..79262fca 100644
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md
@@ -1,6 +1,6 @@
### PURL
-It MUST be tested that given PURL is valid.
+It MUST be tested that given purl is valid.
The relevant paths for this test are:
diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md
index a9c49572..91e6edc1 100644
--- a/csaf_2.1/prose/edit/src/tests-03-informative.md
+++ b/csaf_2.1/prose/edit/src/tests-03-informative.md
@@ -412,8 +412,6 @@ The relevant paths for this test are:
> The product version starts with a `v`.
--------
-
### Missing CVSS v4.0
For each item in the list of scores it MUST be tested that a `cvss_v4` object is present.
@@ -455,3 +453,5 @@ The relevant path for this test is:
```
> There is no CVSS v4.0 score given for `CSAFPID-9080700`.
+
+-------
diff --git a/csaf_2.1/test/cpe/data/invalid/cpe.txt b/csaf_2.1/test/cpe/data/invalid/cpe.txt
new file mode 100644
index 00000000..f48cc39a
--- /dev/null
+++ b/csaf_2.1/test/cpe/data/invalid/cpe.txt
@@ -0,0 +1,5 @@
+PREFIXcpe:/o:redhat:rhel_aus:7.6::server
+cpe:/o:redhat:rhel_aus:7.6::server::SUFFIX
+PREFIXcpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*"
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:**
diff --git a/csaf_2.1/test/cpe/data/valid/cpe.txt b/csaf_2.1/test/cpe/data/valid/cpe.txt
new file mode 100644
index 00000000..9a5d7be9
--- /dev/null
+++ b/csaf_2.1/test/cpe/data/valid/cpe.txt
@@ -0,0 +1,3 @@
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other*
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other????
+cpe:/o:redhat:rhel_aus:7.6::server
diff --git a/csaf_2.1/test/cpe/run_tests.sh b/csaf_2.1/test/cpe/run_dictionary_tests.sh
similarity index 96%
rename from csaf_2.1/test/cpe/run_tests.sh
rename to csaf_2.1/test/cpe/run_dictionary_tests.sh
index 8c6b7345..a8a84847 100755
--- a/csaf_2.1/test/cpe/run_tests.sh
+++ b/csaf_2.1/test/cpe/run_dictionary_tests.sh
@@ -20,7 +20,7 @@ get_dictionary() {
prepare_23_dictionary() {
# Get CPE 2.3 fields
# Correctly decode special characters
- grep '$//' \
+ grep '$//' \
| sed -e 's/\\&/\\\&/g' \
| sed -e 's/\\"/\\"/g' \
> "$CPE".txt
diff --git a/csaf_2.1/test/cpe/run_local_tests.sh b/csaf_2.1/test/cpe/run_local_tests.sh
new file mode 100755
index 00000000..38f22480
--- /dev/null
+++ b/csaf_2.1/test/cpe/run_local_tests.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+SCHEMA=csaf_2.1/json_schema/csaf_json_schema.json
+VALIDATOR=csaf_2.1/test/cpe/test-regex.js
+DATA_VALID=csaf_2.1/test/cpe/data/valid/cpe.txt
+DATA_INVALID=csaf_2.1/test/cpe/data/invalid/cpe.txt
+
+FAIL=0
+
+# go to root of git repository
+cd "$(dirname "$0")"/../../.. || exit
+
+
+validate() {
+ printf "Testing file %s against cpe regex from %s ... \n" "$1" "$SCHEMA"
+ if node "$VALIDATOR" "$SCHEMA" "$1" "$2"; then
+ printf "SUCCESS\n"
+ else
+ printf "FAILED\n"
+ FAIL=1
+ fi
+
+}
+
+echo -n "Test conforming (not necessary existing) CPEs... "
+DATA=$DATA_VALID
+validate $DATA true
+printf "done\n"
+
+echo -n "Test non-conforming CPEs... "
+DATA=$DATA_INVALID
+validate $DATA false
+printf "done\n"
+
+
+exit $FAIL
diff --git a/csaf_2.1/test/cpe/test-regex.js b/csaf_2.1/test/cpe/test-regex.js
index 567ba08e..98e4d2f9 100644
--- a/csaf_2.1/test/cpe/test-regex.js
+++ b/csaf_2.1/test/cpe/test-regex.js
@@ -10,15 +10,16 @@ const r = new RegExp(pattern)
console.log('Current regex to test:', '\n', pattern)
const cpeStr = fs.readFileSync(args[1], 'utf8').split('\n')
+const assertion = !((args[2] ?? true) === "false")
let failed = false
cpeStr.forEach(element => {
if (element.length > 0) {
const result = (r.exec(element) != null)
- failed = failed | !result
- if (!result) {
- console.log(result, '\t', element)
+ failed = failed | (result !== assertion)
+ if (result !== assertion) {
+ console.log(result,'but expected', assertion, '\t', element)
}
}
});