From 28378c0b475379c8f1b6388e057e5d821df3cf96 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Feb 2024 11:23:08 +0100 Subject: [PATCH 1/6] Add CVRF disclaimer --- cvrf_1.2/README.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cvrf_1.2/README.md diff --git a/cvrf_1.2/README.md b/cvrf_1.2/README.md new file mode 100644 index 00000000..a806c9c5 --- /dev/null +++ b/cvrf_1.2/README.md @@ -0,0 +1,4 @@ +# CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2 + +This directory contains material which is related to CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2. As CSAF CVRF 1.2 was superseeded by CSAF 2.0, the files are not longer updated. +They may contain information that is not longer valid. They serve historic purposes. From 4af77ebf57de45763cfc1e5dc985cec1261e04d7 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Wed, 27 Mar 2024 05:31:43 -0400 Subject: [PATCH 2/6] Create 2024-02-28.md --- meeting_minutes/2024/2024-02-28.md | 125 +++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 meeting_minutes/2024/2024-02-28.md diff --git a/meeting_minutes/2024/2024-02-28.md b/meeting_minutes/2024/2024-02-28.md new file mode 100644 index 00000000..07401b15 --- /dev/null +++ b/meeting_minutes/2024/2024-02-28.md 
@@ -0,0 +1,125 @@ +![image](https://user-images.githubusercontent.com/1690898/139102180-5c1e2583-14f1-4f58-ab2b-9e3807ed529c.png) + +# Common Security Advisory Framework (CSAF) Technical Committee Working Meeting + +- Meeting Date: February 28, 2024 +- Time: 18:00 UTC (19:00 CET, 13:00 EDT, 10:00 PST) + +## Call to Order and Welcome + +Meeting called to order @ 18:04 UTC + +## Roll call + +Quorum was not reached due to inability to register attendees due to OASIS system upgrades. + +## Participants + +| Given Name | Family Name | Affiliation | Role | +|:-----------|:------------|:------------------------------------------------------------|:----------------------------| +| Stefan | Hagen | Individual | Voting Member, taking notes | +| Tobias | Limmer | Siemens AG | Voting Member | +| Martin | Prpic | Red Hat | Voting Member | +| Justin | Murphy | DHS Cybersecurity and Infrastructure Security Agency (CISA) | Voting Member | +| Christoph | Plutte | Ericsson | Member | +| Michael | Reeder | Dell | Voting Member | +| Thomas | Proell | Siemens AG | Voting Member | +| Thomas | Schaffer | Cisco Systems | Voting Member | +| Thomas | Schmidt | Federal Office for Information Security (BSI) | Voting Member | +| Dina | Truxius | Federal Office for Information Security (BSI) | Voting Member | +| Sonny | van Lingen | Huawei Technologies Co., Ltd. | Voting Member | +| Feng | Cao | Oracle | Voting Member | +| Omar | Santos | Cisco | Chair | +| Rhonda | Levy | Cisco | Voting Member | + + +### Observers present + +- Tyler Townes, Blackberry Limited + +Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab. + +## Agenda + +- Roll call cannot be done automatically due to the system migration. 
+- Once email is back online, we will put a motion to approve May Meeting Minutes of 2024-01-31 [https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2024/2024-01-31.md] +- Review GitHub Issues for TC Discussion: https://github.com/oasis-tcs/csaf/issues +- Discuss next steps. +- Adjourn + + +## Meeting Notes + +- [Pull Request 704](https://github.com/oasis-tcs/csaf/pull/704) + - Add CVRF disclaimer. + - In response to an ask whether the team would like to vote on this today or March or a following meeting, there were no comments from members. + - Since Thomas Schmidt is on parental leave will not send out email. + +- [Pull Request 699](https://github.com/oasis-tcs/csaf/pull/699) + - Stefan said that on the left-hand column – will look like how it will be published. We do not diminish reader experience. Would like members [to take a look at the draft](https://github.com/oasis-tcs/csaf/blob/editor-revision-2024-02-28/csaf_2.1/prose/share/csaf-v2.1-draft.md) + - Pull request will stay in draft until review to be completed in two weeks. + - Thomas Schmidt agrees. + - By second week of March two weeks from today March 13th, pull request 699 – action item owned by Omar. + +- [Pull Request 707](https://github.com/oasis-tcs/csaf/pull/707) + - Feng will take a look at this pull request. + - Merge into editor revision is ok with Feng and team. + - For this one editorial it is ok – Feng said it looks good. + - Omar to merge after the call. + + +- [Pull Request 693 ](https://github.com/oasis-tcs/csaf/pull/707) and [Pull Request 694](https://github.com/oasis-tcs/csaf/pull/694) in version 2.1. + - TC should fix in 2.1 or another version. + - For current implementations, a router may be needed. + - Not a feature. Change schema update and apply as basically a fix version of that. + - Any validators would have to be edited to change schema. + - Fix both errors is the recommendation. + - Not sure if qualifies as a non-material change? 
+ - If it is a material change, then it will affect the IOS for CSAF and potential hinder activity. + - If non-material it will do not do any harm. + - Who would make the judgement? Check with Oasis. Stefan is familiar with this. + - Thomas says it is a lower risk and can silently fix it. + - We could put a motion in email and close discussion. + - Any comments from TC – discuss at a later time 2.1. + - Thomas: Motion to address in CSAF 2.1 + - Second: Justin and Martin. + +- [Pull Request 665](https://github.com/oasis-tcs/csaf/pull/665) Vulnerabilities Property – Remediations. +- Thomas Proell + - Old ticket – solution outlined on Pull request notes. + - Will see if this makes sense and would like team to look through the information. + - New way of describing patches in a more precise way. + - Would like to discuss at the next meeting. + - Currently it is not defined at all and a big mess as every vendor does it differently. + - No clear definition, patch, workaround or mitigation. + - Feng suggested that we use something else. + - Code change or code fix from patch. + - Likely hood and impact – will look at those terms; and Thomas Propel will make changes and put in transition route. + - Thomas Sch would like team to put in changes for next meeting and discuss next time if there are any open questions. + - Discuss ticket 665 and propose changes for vulnerability properties. + +- Warning/Error for signature expirations #678 – Thomas Schimdt + - Done in Linux distributions and would have same process here are the expectations from documentations. + - Suggest adding to guidance to CSAF 2.0 and mandatory description in section 7 as a requirement in 2.1. + - Not voting and no objections from TC. + - Put for a minimum of at least 30 days. Not exact. No objections for CSAF recommendation guide. + - Thomas Sch to do in the next month or so? + - Omar to suggest wording when ready. Add comment in 2.0 and specification of 2.1. editors can work on that. 
+ - Review and comment on the suggestion to make signatures valid for a minimum of 30 days. + + +- Add “Preconditions” item from #706 + - Someone from Red Hat noticed an issue. + - Allows that you can prepending strings. + - TC agreed to look at this between meetings. + - Thomas prefers option 2 and less work but wants team to weigh in. + - Is this something that we need and adds value to advisories and customers. + - Please look at ticket 706 and make comments please. + + +## Adjourn + +- The meeting was adjourned. + +Note: All monthly meetings take place on the last Wednesday of each month at 18:00 UTC (19:00 CET, 13:00 EST, 10:00 PST). +The next meeting will be held on March 27, 2024. From fc1d790ba9fa0f2ee6be6a23f5b161ba57ad5da4 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:28:35 +0100 Subject: [PATCH 3/6] CPE tests - addresses parts of oasis-tcs/csaf#710 - backport of 61e78c8 - correct parsing of CPE 2.3 Dictionary (to also capture endings `">` instead of just `"/>`) --- csaf_2.0/test/cpe/run_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.0/test/cpe/run_tests.sh b/csaf_2.0/test/cpe/run_tests.sh index 83233ec1..cb6b0b4e 100755 --- a/csaf_2.0/test/cpe/run_tests.sh +++ b/csaf_2.0/test/cpe/run_tests.sh @@ -20,7 +20,7 @@ get_dictionary() { prepare_23_dictionary() { # Get CPE 2.3 fields # Correctly decode special characters - grep '$//' \ + grep '$//' \ | sed -e 's/\\&/\\\&/g' \ | sed -e 's/\\"/\\"/g' \ > "$CPE".txt From a17d11314c9db7c8d38032c977cc02d58eb57199 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 3 Apr 2024 18:40:58 +0200 Subject: [PATCH 4/6] Correct meeting minutes 2024-02-28 - try to unify format - add questions to unclear points - improve wording from memory --- meeting_minutes/2024/2024-02-28.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/meeting_minutes/2024/2024-02-28.md b/meeting_minutes/2024/2024-02-28.md index 07401b15..2604f85a 100644 --- a/meeting_minutes/2024/2024-02-28.md +++ b/meeting_minutes/2024/2024-02-28.md @@ -42,7 +42,7 @@ Note: Observers of this committee that are ready to become Members should follow ## Agenda - Roll call cannot be done automatically due to the system migration. -- Once email is back online, we will put a motion to approve May Meeting Minutes of 2024-01-31 [https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2024/2024-01-31.md] +- Once email is back online, we will put a motion to approve [Meeting Minutes of 2024-01-31](https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2024/2024-01-31.md) - Review GitHub Issues for TC Discussion: https://github.com/oasis-tcs/csaf/issues - Discuss next steps. - Adjourn 
@@ -68,23 +68,23 @@ Note: Observers of this committee that are ready to become Members should follow - Omar to merge after the call. -- [Pull Request 693 ](https://github.com/oasis-tcs/csaf/pull/707) and [Pull Request 694](https://github.com/oasis-tcs/csaf/pull/694) in version 2.1. +- [Issue 693 ](https://github.com/oasis-tcs/csaf/issues/693) and [Issue 694](https://github.com/oasis-tcs/csaf/issues/694) in version 2.1. - TC should fix in 2.1 or another version. - - For current implementations, a router may be needed. + - For current implementations, a router may be needed. - Not a feature. Change schema update and apply as basically a fix version of that. - Any validators would have to be edited to change schema. - Fix both errors is the recommendation. - Not sure if qualifies as a non-material change? - - If it is a material change, then it will affect the IOS for CSAF and potential hinder activity. + - If it is a material change, then it will affect the ISO for CSAF and potential hinder activity. - If non-material it will do not do any harm. - - Who would make the judgement? Check with Oasis. Stefan is familiar with this. - - Thomas says it is a lower risk and can silently fix it. + - Who would make the judgement? Check with OASIS. Stefan is familiar with this. + - Thomas says it is a lower risk and can silently fix it in CSAF 2.1. - We could put a motion in email and close discussion. - Any comments from TC – discuss at a later time 2.1. - Thomas: Motion to address in CSAF 2.1 - Second: Justin and Martin. -- [Pull Request 665](https://github.com/oasis-tcs/csaf/pull/665) Vulnerabilities Property – Remediations. +- [Issue 665](https://github.com/oasis-tcs/csaf/issues/665) Vulnerabilities Property – Remediations. - Thomas Proell - Old ticket – solution outlined on Pull request notes. - Will see if this makes sense and would like team to look through the information. 
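Review bot: In this hunk the link text `[Issue 693 ]` keeps the stray space before the closing bracket that the original `[Pull Request 693 ]` had; drop it so the rendered link does not carry a trailing space. The line `- For current implementations, a router may be needed.` is touched only by a whitespace change here, while PATCH 5/6 then rewrites the same line (`a router` to `errata`); fold that content fix into this commit so the line is not changed twice. Adding `in CSAF 2.1` to `Thomas says it is a lower risk and can silently fix it` changes the recorded statement, and the commit message says the wording was improved from memory; please have the speaker confirm the addition before these minutes are put to the approval motion.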
@@ -94,11 +94,11 @@ Note: Observers of this committee that are ready to become Members should follow - No clear definition, patch, workaround or mitigation. - Feng suggested that we use something else. - Code change or code fix from patch. - - Likely hood and impact – will look at those terms; and Thomas Propel will make changes and put in transition route. - - Thomas Sch would like team to put in changes for next meeting and discuss next time if there are any open questions. + - Likely hood and impact – will look at those terms; and Thomas Proell will make changes and put in transition route. + - Thomas Schmidt would like team to put in changes for next meeting and discuss next time if there are any open questions. - Discuss ticket 665 and propose changes for vulnerability properties. -- Warning/Error for signature expirations #678 – Thomas Schimdt +- [Issue 678](https://github.com/oasis-tcs/csaf/issues/678) Warning/Error for signature expirations – Thomas Schimdt - Done in Linux distributions and would have same process here are the expectations from documentations. - Suggest adding to guidance to CSAF 2.0 and mandatory description in section 7 as a requirement in 2.1. - Not voting and no objections from TC. @@ -108,8 +108,8 @@ Note: Observers of this committee that are ready to become Members should follow - Review and comment on the suggestion to make signatures valid for a minimum of 30 days. -- Add “Preconditions” item from #706 - - Someone from Red Hat noticed an issue. +- [Issue 706](https://github.com/oasis-tcs/csaf/issues/706) Add “Preconditions” item + - Someone from Bosch noticed an issue. - Allows that you can prepending strings. - TC agreed to look at this between meetings. - Thomas prefers option 2 and less work but wants team to weigh in. From 8b5f1fff0b7681d7c7462f59e0453880bd8e22d8 Mon Sep 17 00:00:00 2001 
From: Stefan Hagen Date: Wed, 3 Apr 2024 18:59:53 +0200 Subject: [PATCH 5/6] summarizing post work - excavator --- meeting_minutes/2024/2024-02-28.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meeting_minutes/2024/2024-02-28.md b/meeting_minutes/2024/2024-02-28.md index 2604f85a..48976c8b 100644 --- a/meeting_minutes/2024/2024-02-28.md +++ b/meeting_minutes/2024/2024-02-28.md @@ -70,7 +70,7 @@ Note: Observers of this committee that are ready to become Members should follow - [Issue 693 ](https://github.com/oasis-tcs/csaf/issues/693) and [Issue 694](https://github.com/oasis-tcs/csaf/issues/694) in version 2.1. - TC should fix in 2.1 or another version. - - For current implementations, a router may be needed. + - For current implementations, errata may be needed. - Not a feature. Change schema update and apply as basically a fix version of that. - Any validators would have to be edited to change schema. - Fix both errors is the recommendation. From 34ed035e64df06325fc5f2d7f4d3e2558a824409 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Wed, 24 Apr 2024 10:40:12 -0400 Subject: [PATCH 6/6] Meeting Minutes for 2023-03-27 OASIS CSAF TC Monthly Meeting Minutes for 2023-03-27 --- meeting_minutes/2024/2023-03-27.md | 123 +++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 meeting_minutes/2024/2023-03-27.md diff --git a/meeting_minutes/2024/2023-03-27.md b/meeting_minutes/2024/2023-03-27.md new file mode 100644 index 00000000..ac93a2ab --- /dev/null +++ b/meeting_minutes/2024/2023-03-27.md 
@@ -0,0 +1,123 @@ +![image](https://user-images.githubusercontent.com/1690898/139102180-5c1e2583-14f1-4f58-ab2b-9e3807ed529c.png) + +# Common Security Advisory Framework (CSAF) Technical Committee Working Meeting + +- Meeting Date: March 27, 2024 +- Time: 18:00 UTC (19:00 CET, 13:00 EDT, 10:00 PST) + +## Call to Order and Welcome + +Meeting called to order @ 18:05 UTC + +## Roll call + +Quorum was not reached due to inability to register attendees due to OASIS system upgrades. + +## Participants + +| Given Name | Family Name | Affiliation | Role | +|:-----------|:------------|:------------------------------------------------------------|:----------------------------| +| Stefan | Hagen | Individual | Voting Member, taking notes | +| Tobias | Limmer | Siemens AG | Voting Member | +| Martin | Prpic | Red Hat | Voting Member | +| Justin | Murphy | DHS Cybersecurity and Infrastructure Security Agency (CISA) | Voting Member | +| Christoph | Plutte | Ericsson | Member | +| Michael | Reeder | Dell | Voting Member | +| Thomas | Proell | Siemens AG | Voting Member | +| Thomas | Schaffer | Cisco Systems | Voting Member | +| Thomas | Schmidt | Federal Office for Information Security (BSI) | Voting Member | +| Dina | Truxius | Federal Office for Information Security (BSI) | Voting Member | +| Sonny | van Lingen | Huawei Technologies Co., Ltd. | Voting Member | +| Feng | Cao | Oracle | Voting Member | +| Omar | Santos | Cisco | Chair | +| Rhonda | Levy | Cisco | Voting Member | + + +### Observers present + +- Tyler Townes, Blackberry Limited + +Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab. + +### Presenters +Michelle DePalma and Marco Rizzi from RedHat. + +## Agenda + +- Roll call cannot be done automatically due to the system migration. 
+- Presentation by Marco Rizzi (along with Michelle DiPalma) from Red Hat on their CSAF implementation +- Review GitHub Issues for TC Discussion: https://github.com/oasis-tcs/csaf/issues +- Discuss next steps. +- Adjourn + + +## Meeting Notes + +- [Red Hat Trusted Profile Analyzer](https://developers.redhat.com/articles/2024/03/18/red-hat-trusted-profile-analyzer-now-tech-preview), part of Red Hat Trusted Software Supply Chain, was introduced as a tool to manage SBOMs, vendor VEX and CVE providing developers and devsecops with analysis of the organization’s risk profile. + - References: + - https://www.trustification.io/ + - https://developers.redhat.com/articles/2024/03/18/red-hat-trusted-profile-analyzer-now-tech-preview + - https://github.com/trustification/trustification/ + +- Thomas Schmidt – question regarding comparison/matching SBOM and CSAT. + - Support version ranges? + - No not yet. Talking about what VEX does and seeing what is in Quac graph. + - Any looking into SBOM/CSAT matching system? + - Have not yet but will look into it. + - Will investigate if it will be listed on CSAT tool site. +- Libraries in certifications built in rough draft, do you have them in separate libraries in ecosystem in tools? + - Works with content of TPA and part of architecture; it is compliant of what it is expected for this purpose and not available but will cover some basis in content of TPA. + - Not suggested to use as a tool for a library now. + - Things are moving fast with TPA. + - Working on version 2, things evolving so fast maybe sometime in 2024. +- Thomas Schmidt will the next CSAT version be integrated with them. + - It is one of the topics to have it integrated with other tools. + - Working on validation part and looking at it for next version integration. + - The More reliable the more able to keep the pace. csaf.io/tools +- Pull request #699 – two weeks to review changes or objections. 
+- Editor revision for TC meeting 2024-02-28 #699 +- Thomas Schmidt to do after the meeting. + - Motion to be sent via email. + - Changed from draft to ready to review – Omar stated. + - to merge only editorial. + - Motion to accept cannot be done due to inability to register and folks who are on call. + +- Thomas Schaffer – meeting minutes #706 Add Preconditions items – that are missing. Option number 2 Thomas Schmidt preferred. Wanted TC to bring up and discuss. + - Thomas Schmidt. Supports the change and feels confident about it. + - No objections or comments. + - Thomas will bring up via email as a motion. + +- TC discussion items: + - Pull requests: 699 already discussed and will write motion. + - 701 – minor thing corrects writing of PURL lower case correct in cloud. Reference 579. No vote required for change. Merge into next editor revision. + - Fix broken link – can’t accept request from non-members. + - 704 Add CVRF disclaimer. Instead of 703. Thomas Schmidt reviewed, and team is okay with it. + - If TC is ok will merge. + - Thomas okayed it Denny, said ok – Thomas to merge after meeting. + - Get a comment from Feng, wording for threat score – final comment and will put in next editorial revision. + - 707 CVSS 4.0 + - Looked at files and noticed text changed – had name change from different version. Missing confirmation from Feng if correct? + - Feng said sounds good. + - Thomas to update in next version.712 CPE test. + - Testing tools. + - No voting required. + - No objection Thomas to merge after call. + - Will put motion on email to look at #714 pull request. + - Editorial revision, take another 2 weeks to review and if no objections to merge changes. + - Michal Reeder wants an update on 662 – Add remediation category “fix_planned”– clarification of 665 includes 662 – suggest commenting on 665 request an update if integrated. + - Review 665 again and see if team is satisfied and if ok with options provided there. Flags should be applicable in our case. 
+ - Advises keeping them separate. + - Vulnerabilities Property – Remediation 665 + - Thomas Schimdt would like to look into this more/again. + - Michael Reeder - Use case – disclose 3rd party components CVEs info are not available to published yet. CSAF – CVEs not available yet and no information yet at that point. Go to Mitre instead of Mist. +From Martin: https://github.com/CVEProject/cvelistV5 +If in Mitre, then can use VEX. + + + +## Adjourn + +- The meeting was adjourned @ 19:05 UTC + +**Note**: All monthly meetings take place on the last Wednesday of each month at 18:00 UTC (19:00 CET, 13:00 EST, 10:00 PST). +The next meeting will be held on April 24, 2024.
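Review bot: In PATCH 1/6 (cvrf_1.2/README.md), the new disclaimer has spelling and grammar slips that every visitor to the directory will read: `superseeded` should be `superseded`, `not longer updated` and `not longer valid` should be `no longer updated` and `no longer valid`, and `They serve historic purposes.` reads better as `They are kept for historical purposes.` Consider also linking to the CSAF 2.0 material in this repository (the `csaf_2.0/` tree) so a reader who lands in the legacy directory knows where the current files live.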
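Review bot: In PATCH 2/6 (the new meeting_minutes/2024/2024-02-28.md), the entry `[Pull Request 693 ](https://github.com/oasis-tcs/csaf/pull/707)` links 693 to PR 707, and the agenda line `approve May Meeting Minutes of 2024-01-31` mislabels the January minutes; PATCH 4/6 in this series repairs both, so those fixes belong squashed into this commit rather than landing as a follow-up. Points that no later patch in the series addresses: the header gives the time as `18:00 UTC (19:00 CET, 13:00 EDT, 10:00 PST)` while the footer says `13:00 EST` (on 28 February 18:00 UTC is 13:00 EST, so the header is the one to fix); `Thomas Schimdt`, `Likely hood` and `displayed the OASIS Open Notices tab` (missing `on`) remain; and the lines `Thomas: Motion to address in CSAF 2.1` / `Second: Justin and Martin.` record a motion without recording its outcome, which matters here because the same file states that quorum was not reached, so a reader cannot tell whether it was carried or deferred to email.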
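Review bot: In PATCH 3/6 (csaf_2.0/test/cpe/run_tests.sh), the removed and added `grep` lines render identically here as `grep '$//' \`, so the regex change the commit message describes (matching dictionary entries that end in `">` as well as `"/>`) cannot be verified from the hunk; the angle-bracket characters appear to have been lost in rendering. Please spell the old and new pattern out in the commit message, and add a fixture with at least one entry of each ending so the test exercises both cases. Two smaller points in the surrounding context: `sed -e 's/\\"/\\"/g'` replaces `\"` with `\"` and is a no-op as written, and the comment `# Correctly decode special characters` would be clearer if it named the characters the two `sed` calls handle. Since this is a backport of 61e78c8, the same checks apply to the original commit.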
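Review bot: In PATCH 4/6, the hunk at `@@ -94,11 +94,11 @@` fixes `Thomas Propel` and expands `Thomas Sch`, but the line it rewrites still reads `Likely hood and impact` (should be `Likelihood`), and the new `[Issue 678](...) Warning/Error for signature expirations – Thomas Schimdt` line keeps `Schimdt` (should be `Schmidt`), so the typo survives on a line that was edited anyway. Fix both in the same commit.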
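Review bot: In PATCH 4/6, the hunk at `@@ -108,8 +108,8 @@` changes `Someone from Red Hat noticed an issue.` to `Someone from Bosch noticed an issue.`, which alters who is credited in the minutes; with the commit message stating the wording was improved from memory, this attribution should be checked against the reporter of issue 706 before merging, and the commit message should say which source settled it. The neighbouring line `Allows that you can prepending strings.` is left ungrammatical; `Allows prepending strings.` would do.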
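Review bot: In PATCH 5/6, the subject `summarizing post work - excavator` does not describe the change, which replaces `a router may be needed` with `errata may be needed` in the 693/694 discussion; a subject such as `Fix transcription error: errata, not router` would let `git log` readers find it. Because PATCH 4/6 already touches that line with a whitespace-only change, the two patches should be squashed so the line has a single history.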
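Review bot: In PATCH 6/6, the new file is `meeting_minutes/2024/2023-03-27.md` and the subject says `Meeting Minutes for 2023-03-27`, but the body records `Meeting Date: March 27, 2024` and the previous file in the series is `2024-02-28.md`; the file should be `meeting_minutes/2024/2024-03-27.md` with the subject corrected, otherwise it sorts out of order and will not be found by anyone looking for the March 2024 minutes. Other points in the hunk: the participant table and the `Quorum was not reached due to inability to register attendees due to OASIS system upgrades.` line are identical to the February file and should be confirmed as the actual March attendance; `CSAT` appears several times where `CSAF` is meant; the presenter is spelled both `Michelle DePalma` and `Michelle DiPalma`, and `RedHat` appears alongside `Red Hat`; `Thomas to update in next version.712 CPE test.` runs two items together and needs a line break before `712`; `Michal Reeder` and `Thomas Schimdt` repeat earlier typos; `Quac graph` and `Mist` (in `Go to Mitre instead of Mist`) look like mis-transcribed names and should be checked with the speakers. The footer again says `13:00 EST` while the header says `13:00 EDT`; on March 27 US daylight time is in effect, so 18:00 UTC is 14:00 EDT and 11:00 PDT, and both lines need correcting.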