One really cool thing about CSAF is the distribution and the discovery. We should add that somewhere. Maybe do a video to explain it?

There are some new videos available:

• https://www.youtube.com/watch?v=bn5AFza-b1w
• https://www.youtube.com/watch?v=rEdvCtWmfiI

Please add the CSAF lister to the website.

In version 1.2 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508771)
Section 6.11.1

It indicates that "Date" is an attribute, however in examples 61 and 62, date is added as an element.
(note also that on example 62, the opening element tag for "Date" uses a "/", which is incorrect)

Example 61: Exploit Status:

Example 62: Exploit Status without Product ID:

I'm not sure if this is incorrectly marked as being a date attribute and it should be an element, or if it's incorrectly exampled as being an element, but it should be one or the other.

This is a request to update the CSAF Documentation Website to make it more intuitive.

We already have some new tools available. They are still work in progress but already usable:

• CSAF trusted provider => csaf_provider + csaf_uploader
• Provider checker => csaf_checker
• CVRF CSAF converter

@santosomar Could you please add them to the list?

We had and have people encountering difficulties understanding that CSAF is the new CVRf.

So, we should add an entry into the FAQ section that swiftly explains that fact.

I think we should add some How-Tos, e.g.:

• How to deal with a Hotfix in the product_tree
• How to use product_status

I attached a file CSAF_TC_Example_Hotfix_2021_0001.json.txt which shows both. Maybe, we could develop the story behind that and connect these two (as I have done in the file - maybe even with the revision_history).

Thoughts?

We could have a section where we show the logos of companies which are supporting CSAF. Would that be possible (from a legal point of view)?

The current statement of purpose does not reflect our current charter. We should update that.

@sthagen provided via pypi paikalta the filename test for CSAF files. Please add that tool.

Update CSAF website with additional 2.0 resources (including links to tools, current prose, examples, etc.)

Update the navigation bar to be more intuitive and organized.

Add Trivy as new tool that can be used with CSAF

I came across a tool call trustification that supports CSAF. We should check what it does and whether we can display it on the tools page.

Maybe @mprpic can help here?

Create short videos (~ 2 minutes long) explaining the following:

• #31
• #32
• #33
• #34
• #35
• #36
• #37

It would be beneficial to add a FAQ section. Questions could be:

• What is CSAF?
• Which problem is addressed by CSAF?
• Can I use CSAF?
• Does vendor X issues CSAF documents?

The tool can display a CSAF file: https://github.com/csaf-poc/csaf_webview => https://csaf-poc.github.io/csaf_webview/

Use new FAQ document from TC: https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/guidance/faq.md

Input from Thomas:
Please add a link to the current prose (right next to the CSAF 2.0 Draft Schema) of CSAF 2.0.

The SecurityTXT project provides an online generator for their file format. We should have something similar for th provider-metadata.json. Maybe we could generate that with GH-Pages or as a standalone tool?

The link should always point to the latest specification: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html instead of a specific CS (currently CS02).

• https://youtu.be/gsrb1qrgA50

Date: 2022-06-07

Hi,

There are git conflict markers in the current master (3617676) version of examples/README.md, probably from a bad merge.

Please add a sections with news about CSAF (e.g. that it is currently in Public Review).

We should consider to remove currently unmaintained (or just CVRF supporting) software from the list of tools - or at least push them to the bottom. I guess that is the case for:

• CSAF Parser
• vulnrep

@santosomar: Thoughts?

Version 1.2 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508771)
section 6.9

The words say:

« The vuln:CWE element MUST be present zero or one time in any vuln:Vulnerability and if present it contains the MITRE standard Common Weakness Enumeration (CWE) and this value MUST match the pattern documented in section 2.2.13 Vulnerability CWE Type Model. » [CSAF-6.9-1]

The Type model says:

Vulnerability measures given as defined in the Common Weakness Enumeration (CWE) model are expected to be in a specific form to enhance interoperability.
« Any CWE value MUST be completely matched by the following regular expression:
CWE-[1-9]\d{0,5}

Which would indicate an element looking like:

CWE-601


However the examples (examples 57 and 58) show:
URL Redirection to Untrusted Site ('Open Redirect')


Which indicates that there is an ID Attribute that must match the type model, and the contents of the element is the name of the CWE.

I'm not sure which is correct, but it should be one or the other.

As we have the CSD in PR we should link to https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json instead https://github.com/oasis-tcs/csaf/tree/master/csaf_2.0/json_schema. We should also consider to add the other (aggregator and provider-metadata) schemas somewhere.

We should add links to the public accessible presentations / videos /slides /papers about CSAF 2.0. Currently, I'm aware of the following:

• Your critical system IS (NOT?) vulnerable: CSAF, VEX, SBOM and the future of advisories
• CSAF 2.0 - A New Sstart to Automate Advisories

in version 1.2 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508771)
section 5.1.3

This section indicates that the prod:Relationship element would contain ONE OR MORE prod:FullProductName elements

The prod:Relationship element MUST be present with cardinality [0, ∞] in prod:Tree and if given MUST contain one or more prod:FullProductName instances. » [CSAF-5.1.3-1]

My understanding of this element is that you are creating a new FullProductName object by relating multiple other elements. This makes sense,

However, I cant figure out an example where you would define MULTIPLE FullProductName objects from that relationship.

So, from the docs, this woudl be legal.

AD Dir Services product
another AD Dir Services product

Is that the intent or is the "ONE or MORE" incorrect? and if it is correct, can you post an example of when that might be useful?

Input from Thomas:
We should add a list which highlights the new features:

• Conformance targets: to be able to use COTS software
• semantic versioning: see when you need to do a new run against your asset database
• VEX as a profile
• easy generation with online tools: like Secvisogram
• enables automation through CSAF roles and requirements for distribution CSAF documents
• Suite of testfiles

In the models section, always include the regular expression where matching is required.
(sometimes you had "must be less than x characters long", sometimes you listed some of the items (like with the CVSS scores). It would be helpful to be able to simply copy the regex into systems instead of having to figure it out each time. (not a big deal, but if you are already there, it's a nice thing).

Add a video:

• https://youtu.be/fKlW9vOs7X4

Date: 2022-01-25

The repo https://github.com/csaf-poc/csaf_distribution also provides a CSAF Downloader.

https://www.youtube.com/watch?v=gX_IcyBsEfA