Editor revision for TC meeting 2024-03-27

.github/workflows/csaf_2.1_cpe.yml

@@ -19,4 +19,6 @@ jobs:
       with:
         node-version: '20'
     - name: Perform CPE Dictionary Test
-      run: ./csaf_2.1/test/cpe/run_tests.sh
+      run: ./csaf_2.1/test/cpe/run_dictionary_tests.sh
+    - name: Perform CPE local examples Test
+      run: ./csaf_2.1/test/cpe/run_local_tests.sh

csaf_2.1/json_schema/csaf_json_schema.json

@@ -159,7 +159,7 @@
               "title": "Common Platform Enumeration representation",
               "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
               "type": "string",
-              "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$",
+              "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
               "minLength": 5
             },
             "hashes": {
@@ -251,7 +251,7 @@
               "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
               "type": "string",
               "format": "uri",
-              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+",
+              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
               "minLength": 7
             },
             "sbom_urls": {
@@ -1350,6 +1350,9 @@
                     }
                   ]
                 },
+                "cvss_v4": {
+                  "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+                },
                 "products": {
                   "$ref": "#/$defs/products_t"
                 }

csaf_2.1/prose/edit/etc/example-global-to-local.json

@@ -123,24 +123,25 @@
   "121": "branch-categories-eg-1",
   "122": "usage-of-product-version-range-eg-1",
   "123": "usage-of-v-as-version-indicator-eg-1",
-  "124": "requirement-7-provider-metadata-json-eg-1",
-  "125": "requirement-8-security-txt-eg-1",
-  "126": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
-  "127": "requirement-11-one-folder-per-year-eg-1",
-  "128": "requirement-12-index-txt-eg-1",
-  "129": "requirement-13-changes-csv-eg-1",
-  "130": "requirement-15-rolie-feed-eg-1",
-  "131": "requirement-16-rolie-service-document-eg-1",
-  "132": "requirement-17-rolie-category-document-eg-1",
-  "133": "requirement-17-rolie-category-document-eg-2",
-  "134": "requirement-17-rolie-category-document-eg-3",
-  "135": "requirement-18-integrity-eg-1",
-  "136": "requirement-18-integrity-eg-2",
-  "137": "requirement-19-signatures-eg-1",
-  "138": "requirement-21-list-of-csaf-providers-eg-1",
-  "139": "requirement-23-mirror-eg-1",
-  "140": "conformance-clause-5-cvrf-csaf-converter-eg-1",
-  "141": "conformance-clause-5-cvrf-csaf-converter-eg-2",
-  "142": "conformance-clause-5-cvrf-csaf-converter-eg-3",
-  "143": "conformance-clause-5-cvrf-csaf-converter-eg-4"
+  "124": "missing-cvss-v4-0-eg-1",
+  "126": "requirement-7-provider-metadata-json-eg-1",
+  "127": "requirement-8-security-txt-eg-1",
+  "128": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
+  "129": "requirement-11-one-folder-per-year-eg-1",
+  "120": "requirement-12-index-txt-eg-1",
+  "130": "requirement-13-changes-csv-eg-1",
+  "131": "requirement-15-rolie-feed-eg-1",
+  "132": "requirement-16-rolie-service-document-eg-1",
+  "133": "requirement-17-rolie-category-document-eg-1",
+  "134": "requirement-17-rolie-category-document-eg-2",
+  "135": "requirement-17-rolie-category-document-eg-3",
+  "136": "requirement-18-integrity-eg-1",
+  "137": "requirement-18-integrity-eg-2",
+  "138": "requirement-19-signatures-eg-1",
+  "139": "requirement-21-list-of-csaf-providers-eg-1",
+  "140": "requirement-23-mirror-eg-1",
+  "141": "conformance-clause-5-cvrf-csaf-converter-eg-1",
+  "142": "conformance-clause-5-cvrf-csaf-converter-eg-2",
+  "143": "conformance-clause-5-cvrf-csaf-converter-eg-3",
+  "144": "conformance-clause-5-cvrf-csaf-converter-eg-4"
 }

csaf_2.1/prose/edit/etc/example-local-to-global.json

@@ -13,10 +13,10 @@
   "branches-type-name-under-product-version-range-eg-2": "9",
   "build-metadata-in-revision-history-eg-1": "96",
   "circular-definition-of-product-id-eg-1": "51",
-  "conformance-clause-5-cvrf-csaf-converter-eg-1": "140",
-  "conformance-clause-5-cvrf-csaf-converter-eg-2": "141",
-  "conformance-clause-5-cvrf-csaf-converter-eg-3": "142",
-  "conformance-clause-5-cvrf-csaf-converter-eg-4": "143",
+  "conformance-clause-5-cvrf-csaf-converter-eg-1": "141",
+  "conformance-clause-5-cvrf-csaf-converter-eg-2": "142",
+  "conformance-clause-5-cvrf-csaf-converter-eg-3": "143",
+  "conformance-clause-5-cvrf-csaf-converter-eg-4": "144",
   "contradicting-product-status-eg-1": "54",
   "cve-in-field-ids-eg-1": "109",
   "cvss-for-fixed-products-eg-1": "111",
@@ -56,6 +56,7 @@
   "latest-document-version-eg-1": "64",
   "missing-canonical-url-eg-1": "103",
   "missing-cve-eg-1": "115",
+  "missing-cvss-v4-0-eg-1": "124",
   "missing-cwe-eg-1": "116",
   "missing-date-in-involvements-eg-1": "99",
   "missing-definition-of-product-group-id-eg-1": "52",
@@ -93,22 +94,22 @@
   "purl-eg-1": "61",
   "released-revision-history-eg-1": "66",
   "remediation-without-product-reference-eg-1": "88",
-  "requirement-11-one-folder-per-year-eg-1": "127",
-  "requirement-12-index-txt-eg-1": "128",
-  "requirement-13-changes-csv-eg-1": "129",
-  "requirement-15-rolie-feed-eg-1": "130",
-  "requirement-16-rolie-service-document-eg-1": "131",
-  "requirement-17-rolie-category-document-eg-1": "132",
-  "requirement-17-rolie-category-document-eg-2": "133",
-  "requirement-17-rolie-category-document-eg-3": "134",
-  "requirement-18-integrity-eg-1": "135",
-  "requirement-18-integrity-eg-2": "136",
-  "requirement-19-signatures-eg-1": "137",
-  "requirement-21-list-of-csaf-providers-eg-1": "138",
-  "requirement-23-mirror-eg-1": "139",
-  "requirement-7-provider-metadata-json-eg-1": "124",
-  "requirement-8-security-txt-eg-1": "125",
-  "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "126",
+  "requirement-11-one-folder-per-year-eg-1": "128",
+  "requirement-12-index-txt-eg-1": "129",
+  "requirement-13-changes-csv-eg-1": "130",
+  "requirement-15-rolie-feed-eg-1": "131",
+  "requirement-16-rolie-service-document-eg-1": "132",
+  "requirement-17-rolie-category-document-eg-1": "133",
+  "requirement-17-rolie-category-document-eg-2": "134",
+  "requirement-17-rolie-category-document-eg-3": "135",
+  "requirement-18-integrity-eg-1": "136",
+  "requirement-18-integrity-eg-2": "137",
+  "requirement-19-signatures-eg-1": "138",
+  "requirement-21-list-of-csaf-providers-eg-1": "139",
+  "requirement-23-mirror-eg-1": "140",
+  "requirement-7-provider-metadata-json-eg-1": "125",
+  "requirement-8-security-txt-eg-1": "126",
+  "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "127",
   "revision-history-entries-for-pre-release-versions-eg-1": "67",
   "sorted-revision-history-eg-1": "62",
   "spell-check-eg-1": "120",

csaf_2.1/prose/edit/etc/section-display-to-label.json

@@ -191,6 +191,7 @@
   "6.3.9": "branch-categories",
   "6.3.10": "usage-of-product-version-range",
   "6.3.11": "usage-of-v-as-version-indicator",
+  "6.3.12": "missing-cvss-v4-0",
   "7": "distributing-csaf-documents",
   "7.1": "requirements",
   "7.1.1": "requirement-1-valid-csaf-document",

csaf_2.1/prose/edit/etc/section-label-to-display.json

@@ -112,6 +112,7 @@
   "mandatory-tests": "6.1",
   "missing-canonical-url": "6.2.11",
   "missing-cve": "6.3.3",
+  "missing-cvss-v4-0": "6.3.12",
   "missing-cwe": "6.3.4",
   "missing-date-in-involvements": "6.2.7",
   "missing-definition-of-product-group-id": "6.1.4",

csaf_2.1/prose/edit/src/additional-conventions.md

@@ -47,4 +47,28 @@ they MUST be separated by the Record Separator in accordance with [cite](#RFC746
 
 The keys within a CSAF document SHOULD be sorted alphabetically.
 
+## Usage of Markdown
+
+The use of GitHub-flavoured Markdown is permitted in the following fields:
+
+```
+  /document/acknowledgments[]/summary
+  /document/distribution/text
+  /document/notes[]/text
+  /document/publisher/issuing_authority
+  /document/references[]/summary
+  /document/tracking/revision_history[]/summary
+  /product_tree/product_groups[]/summary
+  /vulnerabilities[]/acknowledgments[]/summary
+  /vulnerabilities[]/involvements[]/summary
+  /vulnerabilities[]/notes[]/text
+  /vulnerabilities[]/references[]/summary
+  /vulnerabilities[]/remediations[]/details
+  /vulnerabilities[]/remediations[]/entitlements[]
+  /vulnerabilities[]/remediations[]/restart_required/details
+  /vulnerabilities[]/threats[]/details
+```
+
+Other fields MUST NOT contain Markdown.
+
 -------

csaf_2.1/prose/edit/src/conformance.md

@@ -50,6 +50,7 @@ The entities ("conformance targets") for which this document defines requirement
 * **CSAF full validator**: A CSAF extended validator that additionally performs informative tests.
 * **CSAF SBOM matching system**: A program that connects to or is an SBOM database and is able to manage CSAF documents as required
   by CSAF management system as well as matching them to SBOM components of the SBOM database.
+* **CSAF 2.0 to CSAF 2.1 converter**: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document.
 
 ### Conformance Clause 1: CSAF document
 
@@ -135,6 +136,8 @@ Secondly, the program fulfills the following for all items of:
   `first_affected` and `last_affected` into `product_ids`.
   If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
 * `/vulnerabilities[]/scores[]`:
+  * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
+    the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.)
   * For any CVSS v3 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
     the rules of the applicable CVSS standard.
   * If no `product_id` is given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in
@@ -145,7 +148,8 @@ Secondly, the program fulfills the following for all items of:
     A CVRF CSAF converter MAY offer a configuration option to delete such elements.
   * If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards
     the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information.
-  * To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps:
+  * To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element,
+    the CVRF CSAF converter uses the following steps:
     1. Retrieve the CVSS version from the CVSS vector, if present.
 
         *Example 1:*
@@ -469,7 +473,7 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
   A switch to mark all SBOM component at once MAY be implemented.
 * does not bring up a newer revision of a CSAF document as a new match if the remediation for the matched SBOM or SBOM component has not changed.
 * detects the usage semantic version (as described in section [sec](#version-type-semantic-versioning)).
-* is able to trigger a run of the asset matching module:
+* is able to trigger a run of the SBOM matching module:
   * manually:
     * per CSAF document
     * per list of CSAF documents
@@ -486,4 +490,24 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
   * matching that CSAF document at all
   * marked with a given status
 
+### Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter
+
+A program satisfies the "CSAF 2.0 to CSAF 2.1 converter" conformance profile if the program fulfills the following two groups of requirements:
+
+Firstly, the program:
+
+* satisfies the "CSAF producer" conformance profile.
+* takes only CSAF 2.0 documents as input.
+* additionally satisfies the normative requirements given below.
+
+Secondly, the program fulfills the following for all items of:
+
+* type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a
+  warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.
+
+> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
+
+> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
+> of the rules above MAY be ignored to avoid data loss.
+
 -------

csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md

@@ -37,6 +37,8 @@ Delegation to industry best practices technologies is used in referencing schema
 * Platform Data:
   * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
 * Vulnerability Scoring:
+  * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40)
+    * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
   * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31)
     * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json
   * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30)

csaf_2.1/prose/edit/src/distributing.md

@@ -171,8 +171,8 @@ value of `/document/tracking/initial_release_date`.
 *Examples 1:*
 
 ```
-2021
-2020
+2024
+2023
 ```
 
 ### Requirement 12: index.txt
@@ -182,9 +182,10 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents
 *Example 1:*
 
 ```
-2020/example_company_-_2020-yh4711.json
-2019/example_company_-_2019-yh3234.json
-2018/example_company_-_2018-yh2312.json
+2023/esa-2023-09953.json
+2022/esa-2022-02723.json
+2021/esa-2021-31916.json
+2021/esa-2021-03676.json
 ```
 
 > This can be used to download all CSAF documents.
@@ -197,10 +198,10 @@ CSAF document in the sub-directories without a heading; lines MUST be sorted by
 *Example 1:*
 
 ```
-"2020/example_company_-_2020-yh4711.json","2020-07-01T10:09:07Z"
-"2018/example_company_-_2018-yh2312.json","2020-07-01T10:09:01Z"
-"2019/example_company_-_2019-yh3234.json","2019-04-17T15:08:41Z"
-"2018/example_company_-_2018-yh2312.json","2019-03-01T06:01:00Z"
+"2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
+"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
+"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
+"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"
 ```
 
 ### Requirement 14: Directory listings
@@ -388,9 +389,9 @@ MD5 and SHA1 SHOULD NOT be used.
 *Example 1:*
 
 ```
-File name of CSAF document: example_company_-_2019-yh3234.json
-File name of SHA-256 hash file: example_company_-_2019-yh3234.json.sha256
-File name of SHA-512 hash file: example_company_-_2019-yh3234.json.sha512
+File name of CSAF document: esa-2022-02723.json
+File name of SHA-256 hash file: esa-2022-02723.json.sha256
+File name of SHA-512 hash file: esa-2022-02723.json.sha512
 ```
 
 The file content SHALL start with the first byte of the hexadecimal hash value.
@@ -399,7 +400,7 @@ Any subsequent data (like a filename) which is optional SHALL be separated by at
 *Example 2:*
 
 ```
-ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  example_company_-_2019-yh3234.json
+ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json
 ```
 
 If a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15.
@@ -412,8 +413,8 @@ extended by the appropriate extension. See [cite](#RFC4880) for more details.
 *Example 1:*
 
 ```
-File name of CSAF document: example_company_-_2019-yh3234.json
-File name of signature file: example_company_-_2019-yh3234.json.asc
+File name of CSAF document: esa-2022-02723.json
+File name of signature file: esa-2022-02723.json.asc
 ```
 
 If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.

csaf_2.1/prose/edit/src/frontmatter.md

@@ -7,7 +7,7 @@
 
 ## Committee Specification Draft 01
 
-## ?? Month 2024
+## 27 March 2024
 
 #### This stage:
 https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -55,7 +55,7 @@ This specification replaces or supersedes:
 
 
 #### Abstract:
-The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
+The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
 
 #### Status:
 This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical.
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
 
 **[csaf-v2.1]**
 
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 March 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
 
 
 -------