Document CSAF CVRF version 1.2 #72
Conversation
There was a problem hiding this comment.
It might be worth noting that the 2.0 version of the schema (which uses JSON schema instead of XML) is in development: https://github.com/oasis-tcs/csaf/tree/master/csaf_2.0/json_schema
Would it be useful to list more real-world examples of vendors publishing security advisories in the CVRF format? I know of at least these:
- ftp://ftp.suse.com/pub/projects/security/cvrf/
- https://tools.cisco.com/security/center/cvrfListing.x
- https://www.redhat.com/security/data/cvrf/ (obviously :-))
As for tools that parse CVRF, there are:
I don't know of any CVRF generator tools. I suspect none exist because generating a CVRF heavily depends on the way each vendor keeps track of security metadata internally. Though, I could imagine some tool that would take as input CVEs in the MITRE JSON schema, request some input interactively, and spit out a properly formatted CVRF file.
Great write-up, @esarafianou!
| 9. Acknowledgements | ||
| * Achnowledgement | ||
| * Name | ||
| * Organzation |
There was a problem hiding this comment.
| * Organzation | |
| * Organization |
docs/standards/CVRF-CSAF.md
Outdated
| 4. Product Groups | ||
| * Group | ||
| * [A] Group ID | ||
| * Decription |
There was a problem hiding this comment.
| * Decription | |
| * Description |
docs/standards/CVRF-CSAF.md
Outdated
|
|
||
| ## Example | ||
|
|
||
| ### RedHat real example |
There was a problem hiding this comment.
| ### RedHat real example | |
| ### Red Hat real example |
docs/standards/CVRF-CSAF.md
Outdated
| xmlns:sch="http://purl.oclc.org/dsdl/schematron" | ||
| xmlns:vuln="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf"> |
There was a problem hiding this comment.
These namespace specifications aren't really all that useful for this example. I would just omit them and note it down in the explanation to reduce noise a bit. Wdyt?
There was a problem hiding this comment.
Agreed, I'll remove them all
| 6. The source of the CSAF CVRF version 1.2 security advisory (XML) is offered at https://acme.example.com/sa/acme-2017-42-1-1.xml and an also fictitious variant (for now vendor private) in JSON at https://acme.example.com/sa/acme-2017-42-1-1.json. | ||
| 7. There are two revisions (in total). Maybe the initial release of the security advisory did not take into account, that the product when installed on the baz platform is unaffected, or there was given the wrong exploit byte value. Without access to the initial revision, and with no explanation in the release notes, we cannot know | ||
| 8. The acknowledgment was maybe chosen by the company lawyers to not list the real name of the external contributor where the below sample content states “Some One (not to be named explicitly)” – and no dummy Organization is added. | ||
| 9. The complexity of the Affected/Non-Affected mixture may have forced the publisher to not take the internal usual product IDs but instead append the interesting dimension in a simple serialization as: “-on-bar” and “-on-baz” respectively. In a real life advisory, these simple platform names might have become fully fledged product entries themselves with relationship link elements between them. |
There was a problem hiding this comment.
Note that the product ID is completely arbitrary and has meaning only in the context of the CVRF file. The ID can simply be 1, 2, and 3 for different product trees. The point of the ID is to refer to a product in various parts of the vulnerability element, so the "-on-bar" and "-on-baz" don't actually have any meaning here.
There was a problem hiding this comment.
I'll re-word this point to make it more clear, thank!
esarafianou
force-pushed
the
cvrf-csaf
branch
from
c1543c6 to
27fbcfd
Compare
|
@mprpic I updated the PR, I think I've included all your recommendations:
|
esarafianou
force-pushed
the
cvrf-csaf
branch
from
27fbcfd to
25d5cce
Compare
|
@esarafianou how well would those standards work in the OSS context? Are there any gaps that need to be addressed? |
|
@MarcinHoppe Here is my summary:
|
JSON is also not readable, in my opinion :-) But I don't think human readability should be the concern of different metadata formats. The point of these schemas is to represent the data in a standard format so it can be parsed and interpreted by w/e tooling uses the data (e.g. a website application or a vulnerability scanner).
Sharing CVRF generators is difficult because the data that you use to populate a CVRF file comes from different sources for every vendor or maintainer. The OpenSSL project may have a very different representation of CVEs internally from e.g. the Django project. It may be up to security advisory aggregators and package indexes to implement CVRF as an output format. I think it would be ideal to have a CVRF representation of the following pages:
I would love to hear from others in the community on this though. My view may be biased by the fact that Red Hat builds products built on top of open source components so we are naturally very interested in any vulnerability information published for all those components. But processing it is painful specifically because it often comes in the form of blog posts or plain text pages (I've even built a small lib to parse specific advisory plain text / HTML formats into a common representation: https://github.com/mprpic/advisory-parser/). |
|
I agree that a project to take a plain-text advisory and auto-generate CVRF would be very challenging. Perhaps what could help would be a webform-based CVRF "builder tool", something that makes it dead-simple for a maintainer to create an advisory without having to get a Ph.D in CVRF. |
Documents CSAF CVRF version 1.2 as part of #67