Merge branch 'editor-revision-2025-01-29' into hardware-software

oasis-tcs · Jan 23, 2025 · 58f5bb7 · 58f5bb7
2 parents d982990 + 9394660
commit 58f5bb7
Show file tree

Hide file tree

Showing 34 changed files with 552 additions and 72 deletions.
diff --git a/.github/workflows/csaf_2.0_cpe.yml b/.github/workflows/csaf_2.0_cpe.yml
@@ -1,6 +1,6 @@
 name: CPE Dictionary Test (CSAF 2.0)
 
-on: 
+on:
   push:
     paths:
       - 'csaf_2.0/**'
@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup Node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '20'
     - name: Perform CPE Dictionary Test

diff --git a/.github/workflows/csaf_2.0_filenames.yml b/.github/workflows/csaf_2.0_filenames.yml
@@ -1,6 +1,6 @@
 name: CSAF Filenames Test (CSAF 2.0)
 
-on: 
+on:
   push:
     paths:
       - 'csaf_2.0/**'
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup pip package "paikalta"
       run: pip install paikalta
     - name: Test filenames of CSAF filename test files in filenames/data/valid/*.json
@@ -22,11 +22,11 @@ jobs:
       run: ./csaf_2.0/test/filenames/run_invalid_tests.sh ./csaf_2.0/test/filenames/data/invalid/*.json
     - name: Test filenames of CSAF examples
       run: ./csaf_2.0/test/filenames/run_tests.sh ./csaf_2.0/examples/csaf/*.json
-    - name: Test filenames of CSAF examples - profile specific folders 
+    - name: Test filenames of CSAF examples - profile specific folders
       run: ./csaf_2.0/test/filenames/run_tests.sh ./csaf_2.0/examples/csaf/csaf_*/*.json
     - name: Test filenames of CSAF test files in validator/data/mandatory
       run: ./csaf_2.0/test/filenames/run_tests.sh ./csaf_2.0/test/validator/data/mandatory/*.json
-    - name: Test filenames of CSAF test files in validator/data/optional 
+    - name: Test filenames of CSAF test files in validator/data/optional
       run: ./csaf_2.0/test/filenames/run_tests.sh ./csaf_2.0/test/validator/data/optional/*.json
     - name: Test filenames of CSAF test files in validator/data/informative
       run: ./csaf_2.0/test/filenames/run_tests.sh ./csaf_2.0/test/validator/data/informative/*.json
diff --git a/.github/workflows/csaf_2.0_main.yml b/.github/workflows/csaf_2.0_main.yml
@@ -1,6 +1,6 @@
 name: JSON Schema Tests (CSAF 2.0)
 
-on: 
+on:
   push:
     paths:
       - 'csaf_2.0/**'
@@ -14,7 +14,7 @@ jobs:
     name: Test JSON schemas
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare environment
       run: |
         sudo apt-get remove python3-jsonschema
@@ -37,7 +37,7 @@ jobs:
     - name: Test examples against Aggregator schema
       run: ./csaf_2.0/test/aggregator_schema/run_tests.sh
     - name: Upload strict JSON schema artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: strict-schemas
         path: |

diff --git a/.github/workflows/csaf_2.0_mandatory-tests.yml b/.github/workflows/csaf_2.0_mandatory-tests.yml
@@ -1,6 +1,6 @@
 name: CSAF Mandatory Tests (CSAF 2.0)
 
-on: 
+on:
   push:
     paths:
       - 'csaf_2.0/**'
@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup Node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '20'
     - name: Setup csaf-validator-lib

diff --git a/.github/workflows/csaf_2.0_validator.yml b/.github/workflows/csaf_2.0_validator.yml
@@ -1,6 +1,6 @@
 name: Validator Data Test (CSAF 2.0)
 
-on: 
+on:
   push:
     paths:
       - 'csaf_2.0/**'
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare environment
       run: |
         sudo apt-get remove python3-jsonschema
@@ -35,4 +35,4 @@ jobs:
       run: ./csaf_2.0/test/validator/run_tests.sh informative
 
     - name: Test validator/data/testcases.json against testcase schema
-      run: ./csaf_2.0/test/validator/check_testcases.sh
+      run: ./csaf_2.0/test/validator/check_testcases.sh
diff --git a/.github/workflows/csaf_2.1_cpe.yml b/.github/workflows/csaf_2.1_cpe.yml
@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup Node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '20'
     - name: Perform CPE Dictionary Test

diff --git a/.github/workflows/csaf_2.1_filenames.yml b/.github/workflows/csaf_2.1_filenames.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup pip package "paikalta"
       run: pip install paikalta
     - name: Test filenames of CSAF filename test files in filenames/data/valid/*.json

diff --git a/.github/workflows/csaf_2.1_main.yml b/.github/workflows/csaf_2.1_main.yml
@@ -14,7 +14,7 @@ jobs:
     name: Test JSON schemas
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare environment
       run: |
         sudo apt-get remove python3-jsonschema
@@ -37,7 +37,7 @@ jobs:
     - name: Test examples against Aggregator schema
       run: ./csaf_2.1/test/aggregator_schema/run_tests.sh
     - name: Upload strict JSON schema artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: strict-schemas
         path: |

diff --git a/.github/workflows/csaf_2.1_mandatory-tests.yml b/.github/workflows/csaf_2.1_mandatory-tests.yml
@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup Node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '20'
     - name: Setup csaf-validator-lib

diff --git a/.github/workflows/csaf_2.1_validator.yml b/.github/workflows/csaf_2.1_validator.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare environment
       run: |
         sudo apt-get remove python3-jsonschema

diff --git a/csaf_2.1/examples/provider-metadata/example-01-provider-metadata.json b/csaf_2.1/examples/provider-metadata/example-01-provider-metadata.json
@@ -6,6 +6,7 @@
       "rolie": {
         "feeds": [
           {
+            "last_updated": "2024-01-24T20:20:56.169Z",
             "summary": "All TLP:CLEAR advisories of Example Company.",
             "tlp_label": "CLEAR",
             "url": "https://www.example.com/.well-known/csaf/feed-tlp-clear.json"

diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -247,13 +247,20 @@
                 "minLength": 1
               }
             },
-            "purl": {
-              "title": "package URL representation",
-              "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
-              "type": "string",
-              "format": "uri",
-              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
-              "minLength": 7
+            "purls": {
+              "title": "List of package URLs",
+              "description": "Contains a list of package URLs (purl).",
+              "type": "array",
+              "minItems": 1,
+              "uniqueItems": true,
+              "items": {
+                "title": "package URL representation",
+                "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
+                "type": "string",
+                "format": "uri",
+                "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
+                "minLength": 7
+              }
             },
             "sbom_urls": {
               "title": "List of SBOM URLs",

diff --git a/csaf_2.1/json_schema/provider_json_schema.json b/csaf_2.1/json_schema/provider_json_schema.json
@@ -115,10 +115,17 @@
                   "description": "Contains information about the ROLIE feed.",
                   "type": "object",
                   "required": [
+                    "last_updated",
                     "tlp_label",
                     "url"
                   ],
                   "properties": {
+                    "last_updated": {
+                      "title": "Last updated",
+                      "description": "Holds the date and time when the feed was last updated.",
+                      "type": "string",
+                      "format": "date-time"
+                    },
                     "summary": {
                       "title": "Summary of the feed",
                       "description": "Contains a summary of the feed.",

diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
@@ -72,6 +72,7 @@ tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md
 tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
 tests-01-mndtr-40-invalid-sharing-group-name.md
 tests-01-mndtr-41-missing-sharing-group-name.md
+tests-01-mndtr-42-purl-qualifiers.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json
@@ -30,7 +30,7 @@
   "3.1.3.3.1": "full-product-name-type-product-identification-helper-cpe",
   "3.1.3.3.2": "full-product-name-type-product-identification-helper-hashes",
   "3.1.3.3.3": "full-product-name-type-product-identification-helper-model-numbers",
-  "3.1.3.3.4": "full-product-name-type-product-identification-helper-purl",
+  "3.1.3.3.4": "full-product-name-type-product-identification-helper-purls",
   "3.1.3.3.5": "full-product-name-type-product-identification-helper-sbom-urls",
   "3.1.3.3.6": "full-product-name-type-product-identification-helper-serial-numbers",
   "3.1.3.3.7": "full-product-name-type-product-identification-helper-skus",

diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json
@@ -106,7 +106,7 @@
   "full-product-name-type-product-identification-helper-generic-uris": "3.1.3.3.8",
   "full-product-name-type-product-identification-helper-hashes": "3.1.3.3.2",
   "full-product-name-type-product-identification-helper-model-numbers": "3.1.3.3.3",
-  "full-product-name-type-product-identification-helper-purl": "3.1.3.3.4",
+  "full-product-name-type-product-identification-helper-purls": "3.1.3.3.4",
   "full-product-name-type-product-identification-helper-sbom-urls": "3.1.3.3.5",
   "full-product-name-type-product-identification-helper-serial-numbers": "3.1.3.3.6",
   "full-product-name-type-product-identification-helper-skus": "3.1.3.3.7",
@@ -265,9 +265,9 @@
   "vulnerabilities-property-ids": "3.2.4.6",
   "vulnerabilities-property-involvements": "3.2.4.7",
   "vulnerabilities-property-metrics": "3.2.4.8",
-  "vulnerabilities-property-metrics-content": "3.2.4.8.1", 
-  "vulnerabilities-property-metrics-products": "3.2.4.8.2", 
-  "vulnerabilities-property-metrics-source": "3.2.4.8.3", 
+  "vulnerabilities-property-metrics-content": "3.2.4.8.1",
+  "vulnerabilities-property-metrics-products": "3.2.4.8.2",
+  "vulnerabilities-property-metrics-source": "3.2.4.8.3",
   "vulnerabilities-property-notes": "3.2.4.9",
   "vulnerabilities-property-product-status": "3.2.4.10",
   "vulnerabilities-property-references": "3.2.4.11",

diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
@@ -82,6 +82,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA
         "rolie": {
           "feeds": [
             {
+              "last_updated": "2024-01-24T20:20:56.169Z",
               "summary": "All TLP:CLEAR advisories of Example Company.",
               "tlp_label": "CLEAR",
               "url": "https://www.example.com/.well-known/csaf/feed-tlp-clear.json"

diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md
@@ -7,7 +7,7 @@
 
 ## Committee Specification Draft 01
 
-## 27 November 2024
+## 29 January 2025
 
 #### This stage:
 https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
 
 **[csaf-v2.1]**
 
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
 
 
 -------

diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md
@@ -57,18 +57,22 @@ An array SHOULD NOT have more than:
   * `/document/tracking/aliases`
   * `/product_tree/branches[]/product/product_identification_helper/hashes`
   * `/product_tree/branches[]/product/product_identification_helper/hashes[]/file_hashes`
+  * `/product_tree/branches[]/product/product_identification_helper/purls`
   * `/product_tree/branches[]/product/product_identification_helper/sbom_urls`
   * `/product_tree/branches[]/product/product_identification_helper/x_generic_uris`
   * `/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes`
   * `/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes`
+  * `/product_tree/branches[](/branches[])*/product/product_identification_helper/purls`
   * `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls`
   * `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris`
   * `/product_tree/full_product_names[]/product_identification_helper/hashes`
   * `/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes`
+  * `/product_tree/full_product_names[]/product_identification_helper/purls`
   * `/product_tree/full_product_names[]/product_identification_helper/sbom_urls`
   * `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris`
   * `/product_tree/relationships[]/full_product_name/product_identification_helper/hashes`
   * `/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes`
+  * `/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]`
   * `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls`
   * `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris`
   * `/vulnerabilities[]/acknowledgments`
@@ -229,14 +233,14 @@ A string SHOULD NOT have a length greater than:
   * `/document/references[]/summary`
   * `/document/tracking/revision_history[]/summary`
   * `/product_tree/branches[]/product/product_identification_helper/cpe`
-  * `/product_tree/branches[]/product/product_identification_helper/purl`
+  * `/product_tree/branches[]/product/product_identification_helper/purls[]`
   * `/product_tree/branches[](/branches[])*/product/product_identification_helper/cpe`
-  * `/product_tree/branches[](/branches[])*/product/product_identification_helper/purl`
+  * `/product_tree/branches[](/branches[])*/product/product_identification_helper/purls[]`
   * `/product_tree/full_product_names[]/product_identification_helper/cpe`
-  * `/product_tree/full_product_names[]/product_identification_helper/purl`
+  * `/product_tree/full_product_names[]/product_identification_helper/purls[]`
   * `/product_tree/product_groups[]/summary`
   * `/product_tree/relationships[]/full_product_name/product_identification_helper/cpe`
-  * `/product_tree/relationships[]/full_product_name/product_identification_helper/purl`
+  * `/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]`
   * `/vulnerabilities[]/acknowledgments[]/summary`
   * `/vulnerabilities[]/involvements[]/summary`
   * `/vulnerabilities[]/references[]/summary`

diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md
@@ -20,5 +20,5 @@ toc:
 | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 | csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
-
+| csaf-v2.0-wd20250129-dev | 2025-01-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 -------