Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge Master into Editor revision 2024-04-24 #727

Merged
merged 10 commits into from
Apr 24, 2024
2 changes: 1 addition & 1 deletion csaf_2.0/test/cpe/run_tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ get_dictionary() {
prepare_23_dictionary() {
# Get CPE 2.3 fields
# Correctly decode special characters
grep '<cpe-23:cpe23-item name=' "$CPE".xml | sed -e 's/^.*<cpe-23:cpe23-item name="//' -e 's/"\/>$//' \
grep '<cpe-23:cpe23-item name=' "$CPE".xml | sed -e 's/^.*<cpe-23:cpe23-item name="//' -e 's/"\/\?>$//' \
| sed -e 's/\\&amp;/\\\&/g' \
| sed -e 's/\\&quot;/\\"/g' \
> "$CPE".txt
Expand Down
4 changes: 4 additions & 0 deletions cvrf_1.2/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2

This directory contains material which is related to CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2. As CSAF CVRF 1.2 was superseeded by CSAF 2.0, the files are not longer updated.
They may contain information that is not longer valid. They serve historic purposes.
123 changes: 123 additions & 0 deletions meeting_minutes/2024/2023-03-27.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
![image](https://user-images.githubusercontent.com/1690898/139102180-5c1e2583-14f1-4f58-ab2b-9e3807ed529c.png)

# Common Security Advisory Framework (CSAF) Technical Committee Working Meeting

- Meeting Date: March 27, 2024
- Time: 18:00 UTC (19:00 CET, 13:00 EDT, 10:00 PST)

## Call to Order and Welcome

Meeting called to order @ 18:05 UTC

## Roll call

Quorum was not reached due to inability to register attendees due to OASIS system upgrades.

## Participants

| Given Name | Family Name | Affiliation | Role |
|:-----------|:------------|:------------------------------------------------------------|:----------------------------|
| Stefan | Hagen | Individual | Voting Member, taking notes |
| Tobias | Limmer | Siemens AG | Voting Member |
| Martin | Prpic | Red Hat | Voting Member |
| Justin | Murphy | DHS Cybersecurity and Infrastructure Security Agency (CISA) | Voting Member |
| Christoph | Plutte | Ericsson | Member |
| Michael | Reeder | Dell | Voting Member |
| Thomas | Proell | Siemens AG | Voting Member |
| Thomas | Schaffer | Cisco Systems | Voting Member |
| Thomas | Schmidt | Federal Office for Information Security (BSI) | Voting Member |
| Dina | Truxius | Federal Office for Information Security (BSI) | Voting Member |
| Sonny | van Lingen | Huawei Technologies Co., Ltd. | Voting Member |
| Feng | Cao | Oracle | Voting Member |
| Omar | Santos | Cisco | Chair |
| Rhonda | Levy | Cisco | Voting Member |


### Observers present

- Tyler Townes, Blackberry Limited

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab.

### Presenters
Michelle DePalma and Marco Rizzi from RedHat.

## Agenda

- Roll call cannot be done automatically due to the system migration.
- Presentation by Marco Rizzi (along with Michelle DiPalma) from Red Hat on their CSAF implementation
- Review GitHub Issues for TC Discussion: https://github.com/oasis-tcs/csaf/issues
- Discuss next steps.
- Adjourn


## Meeting Notes

- [Red Hat Trusted Profile Analyzer](https://developers.redhat.com/articles/2024/03/18/red-hat-trusted-profile-analyzer-now-tech-preview), part of Red Hat Trusted Software Supply Chain, was introduced as a tool to manage SBOMs, vendor VEX and CVE providing developers and devsecops with analysis of the organization’s risk profile.
- References:
- https://www.trustification.io/
- https://developers.redhat.com/articles/2024/03/18/red-hat-trusted-profile-analyzer-now-tech-preview
- https://github.com/trustification/trustification/

- Thomas Schmidt – question regarding comparison/matching SBOM and CSAT.
- Support version ranges?
- No not yet. Talking about what VEX does and seeing what is in Quac graph.
- Any looking into SBOM/CSAT matching system?
- Have not yet but will look into it.
- Will investigate if it will be listed on CSAT tool site.
- Libraries in certifications built in rough draft, do you have them in separate libraries in ecosystem in tools?
- Works with content of TPA and part of architecture; it is compliant of what it is expected for this purpose and not available but will cover some basis in content of TPA.
- Not suggested to use as a tool for a library now.
- Things are moving fast with TPA.
- Working on version 2, things evolving so fast maybe sometime in 2024.
- Thomas Schmidt will the next CSAT version be integrated with them.
- It is one of the topics to have it integrated with other tools.
- Working on validation part and looking at it for next version integration.
- The More reliable the more able to keep the pace. csaf.io/tools
- Pull request #699 – two weeks to review changes or objections.
- Editor revision for TC meeting 2024-02-28 #699
- Thomas Schmidt to do after the meeting.
- Motion to be sent via email.
- Changed from draft to ready to review – Omar stated.
- to merge only editorial.
- Motion to accept cannot be done due to inability to register and folks who are on call.

- Thomas Schaffer – meeting minutes #706 Add Preconditions items – that are missing. Option number 2 Thomas Schmidt preferred. Wanted TC to bring up and discuss.
- Thomas Schmidt. Supports the change and feels confident about it.
- No objections or comments.
- Thomas will bring up via email as a motion.

- TC discussion items:
- Pull requests: 699 already discussed and will write motion.
- 701 – minor thing corrects writing of PURL lower case correct in cloud. Reference 579. No vote required for change. Merge into next editor revision.
- Fix broken link – can’t accept request from non-members.
- 704 Add CVRF disclaimer. Instead of 703. Thomas Schmidt reviewed, and team is okay with it.
- If TC is ok will merge.
- Thomas okayed it Denny, said ok – Thomas to merge after meeting.
- Get a comment from Feng, wording for threat score – final comment and will put in next editorial revision.
- 707 CVSS 4.0
- Looked at files and noticed text changed – had name change from different version. Missing confirmation from Feng if correct?
- Feng said sounds good.
- Thomas to update in next version.712 CPE test.
- Testing tools.
- No voting required.
- No objection Thomas to merge after call.
- Will put motion on email to look at #714 pull request.
- Editorial revision, take another 2 weeks to review and if no objections to merge changes.
- Michal Reeder wants an update on 662 – Add remediation category “fix_planned”– clarification of 665 includes 662 – suggest commenting on 665 request an update if integrated.
- Review 665 again and see if team is satisfied and if ok with options provided there. Flags should be applicable in our case.
- Advises keeping them separate.
- Vulnerabilities Property – Remediation 665
- Thomas Schimdt would like to look into this more/again.
- Michael Reeder - Use case – disclose 3rd party components CVEs info are not available to published yet. CSAF – CVEs not available yet and no information yet at that point. Go to Mitre instead of Mist.
From Martin: https://github.com/CVEProject/cvelistV5
If in Mitre, then can use VEX.



## Adjourn

- The meeting was adjourned @ 19:05 UTC

**Note**: All monthly meetings take place on the last Wednesday of each month at 18:00 UTC (19:00 CET, 13:00 EST, 10:00 PST).
The next meeting will be held on April 24, 2024.
125 changes: 125 additions & 0 deletions meeting_minutes/2024/2024-02-28.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
![image](https://user-images.githubusercontent.com/1690898/139102180-5c1e2583-14f1-4f58-ab2b-9e3807ed529c.png)

# Common Security Advisory Framework (CSAF) Technical Committee Working Meeting

- Meeting Date: February 28, 2024
- Time: 18:00 UTC (19:00 CET, 13:00 EDT, 10:00 PST)

## Call to Order and Welcome

Meeting called to order @ 18:04 UTC

## Roll call

Quorum was not reached due to inability to register attendees due to OASIS system upgrades.

## Participants

| Given Name | Family Name | Affiliation | Role |
|:-----------|:------------|:------------------------------------------------------------|:----------------------------|
| Stefan | Hagen | Individual | Voting Member, taking notes |
| Tobias | Limmer | Siemens AG | Voting Member |
| Martin | Prpic | Red Hat | Voting Member |
| Justin | Murphy | DHS Cybersecurity and Infrastructure Security Agency (CISA) | Voting Member |
| Christoph | Plutte | Ericsson | Member |
| Michael | Reeder | Dell | Voting Member |
| Thomas | Proell | Siemens AG | Voting Member |
| Thomas | Schaffer | Cisco Systems | Voting Member |
| Thomas | Schmidt | Federal Office for Information Security (BSI) | Voting Member |
| Dina | Truxius | Federal Office for Information Security (BSI) | Voting Member |
| Sonny | van Lingen | Huawei Technologies Co., Ltd. | Voting Member |
| Feng | Cao | Oracle | Voting Member |
| Omar | Santos | Cisco | Chair |
| Rhonda | Levy | Cisco | Voting Member |


### Observers present

- Tyler Townes, Blackberry Limited

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab.

## Agenda

- Roll call cannot be done automatically due to the system migration.
- Once email is back online, we will put a motion to approve [Meeting Minutes of 2024-01-31](https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2024/2024-01-31.md)
- Review GitHub Issues for TC Discussion: https://github.com/oasis-tcs/csaf/issues
- Discuss next steps.
- Adjourn


## Meeting Notes

- [Pull Request 704](https://github.com/oasis-tcs/csaf/pull/704)
- Add CVRF disclaimer.
- In response to an ask whether the team would like to vote on this today or March or a following meeting, there were no comments from members.
- Since Thomas Schmidt is on parental leave will not send out email.

- [Pull Request 699](https://github.com/oasis-tcs/csaf/pull/699)
- Stefan said that on the left-hand column – will look like how it will be published. We do not diminish reader experience. Would like members [to take a look at the draft](https://github.com/oasis-tcs/csaf/blob/editor-revision-2024-02-28/csaf_2.1/prose/share/csaf-v2.1-draft.md)
- Pull request will stay in draft until review to be completed in two weeks.
- Thomas Schmidt agrees.
- By second week of March two weeks from today March 13th, pull request 699 – action item owned by Omar.

- [Pull Request 707](https://github.com/oasis-tcs/csaf/pull/707)
- Feng will take a look at this pull request.
- Merge into editor revision is ok with Feng and team.
- For this one editorial it is ok – Feng said it looks good.
- Omar to merge after the call.


- [Issue 693 ](https://github.com/oasis-tcs/csaf/issues/693) and [Issue 694](https://github.com/oasis-tcs/csaf/issues/694) in version 2.1.
- TC should fix in 2.1 or another version.
- For current implementations, errata may be needed.
- Not a feature. Change schema update and apply as basically a fix version of that.
- Any validators would have to be edited to change schema.
- Fix both errors is the recommendation.
- Not sure if qualifies as a non-material change?
- If it is a material change, then it will affect the ISO for CSAF and potential hinder activity.
- If non-material it will do not do any harm.
- Who would make the judgement? Check with OASIS. Stefan is familiar with this.
- Thomas says it is a lower risk and can silently fix it in CSAF 2.1.
- We could put a motion in email and close discussion.
- Any comments from TC – discuss at a later time 2.1.
- Thomas: Motion to address in CSAF 2.1
- Second: Justin and Martin.

- [Issue 665](https://github.com/oasis-tcs/csaf/issues/665) Vulnerabilities Property – Remediations.
- Thomas Proell
- Old ticket – solution outlined on Pull request notes.
- Will see if this makes sense and would like team to look through the information.
- New way of describing patches in a more precise way.
- Would like to discuss at the next meeting.
- Currently it is not defined at all and a big mess as every vendor does it differently.
- No clear definition, patch, workaround or mitigation.
- Feng suggested that we use something else.
- Code change or code fix from patch.
- Likely hood and impact – will look at those terms; and Thomas Proell will make changes and put in transition route.
- Thomas Schmidt would like team to put in changes for next meeting and discuss next time if there are any open questions.
- Discuss ticket 665 and propose changes for vulnerability properties.

- [Issue 678](https://github.com/oasis-tcs/csaf/issues/678) Warning/Error for signature expirations – Thomas Schimdt
- Done in Linux distributions and would have same process here are the expectations from documentations.
- Suggest adding to guidance to CSAF 2.0 and mandatory description in section 7 as a requirement in 2.1.
- Not voting and no objections from TC.
- Put for a minimum of at least 30 days. Not exact. No objections for CSAF recommendation guide.
- Thomas Sch to do in the next month or so?
- Omar to suggest wording when ready. Add comment in 2.0 and specification of 2.1. editors can work on that.
- Review and comment on the suggestion to make signatures valid for a minimum of 30 days.


- [Issue 706](https://github.com/oasis-tcs/csaf/issues/706) Add “Preconditions” item
- Someone from Bosch noticed an issue.
- Allows that you can prepending strings.
- TC agreed to look at this between meetings.
- Thomas prefers option 2 and less work but wants team to weigh in.
- Is this something that we need and adds value to advisories and customers.
- Please look at ticket 706 and make comments please.


## Adjourn

- The meeting was adjourned.

Note: All monthly meetings take place on the last Wednesday of each month at 18:00 UTC (19:00 CET, 13:00 EST, 10:00 PST).
The next meeting will be held on March 27, 2024.
Loading