Editor revision for TC meeting 2024-10-30

csaf_2.1/json_schema/csaf_json_schema.json

@@ -1335,9 +1335,11 @@
                   "description": "Specifies the category which this remediation belongs to.",
                   "type": "string",
                   "enum": [
+                    "fix_planned",
                     "mitigation",
                     "no_fix_planned",
                     "none_available",
+                    "optional_patch",
                     "vendor_fix",
                     "workaround"
                   ]

csaf_2.1/prose/edit/etc/bind.txt

@@ -8,6 +8,7 @@ introduction-04-informative-references.md
 introduction-05-typographical-conventions.md
 design-considerations-00.md
 design-considerations-01-construction-principles.md
+design-considerations-02-date-time.md
 schema-elements-00.md
 schema-elements-01-definitions.md
 schema-elements-01-defs-01-acknowledgements.md
@@ -63,6 +64,9 @@ tests-01-mndtr-30-mixed-integer-and-semantic-versioning.md
 tests-01-mndtr-31-version-range-in-product-version.md
 tests-01-mndtr-32-flag-without-product-reference.md
 tests-01-mndtr-33-multiple-flags-with-vex-justification-codes-per-product.md
+tests-01-mndtr-34-branches-recursion-depth.md
+tests-01-mndtr-35-contradicting-remediations.md
+tests-01-mndtr-36-contradicting-product-status-remediation-combination.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

csaf_2.1/prose/edit/src/conformance.md

@@ -27,6 +27,7 @@ This document defines requirements for the CSAF file format and for certain soft
 The entities ("conformance targets") for which this document defines requirements are:
 
 * **CSAF document**: A security advisory text document in the format defined by this document.
+* **CSAF downloader**: A program that retrieves CSAF documents in an automated fashion.
 * **CSAF producer**: A program which emits output in the CSAF format.
 * **CSAF direct producer**: An analysis tool which acts as a CSAF producer.
 * **CSAF converter**: A CSAF producer that transforms the output of an analysis tool from its native output format into the CSAF format.
@@ -60,6 +61,7 @@ The entities ("conformance targets") for which this document defines requirement
 
 A text file or data stream satisfies the "CSAF document" conformance profile if it:
 
+* conforms to the syntax and semantics defined in section [sec](#date-time)
 * conforms to the syntax and semantics defined in section [sec](#schema-elements).
 * satisfies at least one profile defined in section [sec](#profiles).
 * does not fail any mandatory test defined in section [sec](#mandatory-tests).
@@ -144,10 +146,26 @@ Secondly, the program fulfills the following for all items of:
   * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a
     warning that this CWE has been removed as its usage is not allowed in vulnerability mappings.
 * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array.
-* `/vulnerabilities[]/remediation[]`: If no `product_ids` or `group_ids` is given,
-  the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in the arrays `known_affected`,
-  `first_affected` and `last_affected` into `product_ids`.
-  If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
+* `/vulnerabilities[]/remediations[]`:
+  * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under
+    `../product_status` in the arrays `known_affected`, `first_affected` and `last_affected` into `product_ids`.
+    If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
+  * The CVRF CSAF converter MUST convert any remediation with the type `Vendor Fix` into the category `optional_patch` if the product in
+    question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
+    Otherwise, the category `vendor_fix` MUST be set.
+    If multiple products are associated with the remediation - either directly or through a product group - and the products belong to
+    different product status groups, the CVRF CSAF converter MUST duplicate the remediation, change the category in one instance
+    to `optional_patch` and distribute the products accordingly as stated by the conversion rule.
+  * The CVRF CSAF converter MUST convert any remediation with the type `None Available` into the category `fix_planned`
+    if the product in question is also listed in a remediation of the type `Vendor Fix` with a `Date` in the future or no `Date` at all.
+    Consequently, the product MUST be removed from the remediation of the category `vendor_fix`.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * The CVRF CSAF converter MUST remove any product from a remediation with the type `None Available`
+    if the product in question is also listed in a remediation of the type `Vendor Fix` with a `Date` in the past or to the exact same time.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * In any other case, the CVRF CSAF converter MUST preserve the product in the remediation of the category `none_available`.
+  * The CVRF CSAF converter MUST output a warning if a remediation was added, deleted or the value of the category was changed,
+    including the products it was changed for.
 * `/vulnerabilities[]/metrics[]`:
   * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
     the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.)
@@ -534,7 +552,7 @@ Secondly, the program fulfills the following for all items of:
   option to use this label instead. If the TLP label changes through such conversion in a way that is not reflected in the table above, the
   the CSAF 2.0 to CSAF 2.1 converter MUST output a warning that the TLP label was taken from the distribution text. Such a warning MUST include
   both values: the converted one based on the table and the one from the distribution text.
-  > This is a common case for CSAF 2.0 documents labeled as TLP:RED but actually intended to be TLP:AMBER+STRICT.
+  > This is a common case for CSAF 2.0 documents labeled as `TLP:RED` but actually intended to be `TLP:AMBER+STRICT`.
 
   If no TLP label was given, the CSAF 2.0 to CSAF 2.1 converter SHOULD assign `TLP:CLEAR` and output a warning that the default TLP has been set.
 * `/document/publisher/category`: If the value is `other`, the CSAF 2.0 to CSAF 2.1 converter SHOULD output a warning that some parties have
@@ -550,6 +568,24 @@ Secondly, the program fulfills the following for all items of:
 
   The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
 
+* `/vulnerabilities[]/remediations[]`:
+  * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch`
+    if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
+    Otherwise, the category `vendor_fix` MUST stay the same.
+    If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different
+    product status groups, the CSAF 2.0 to CSAF 2.1 converter MUST duplicate the remediation, change the category in one instance to `optional_patch`
+    and distribute the products accordingly as stated by the conversion rule.
+  * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `none_available` into the category `fix_planned`
+    if the product in question is also listed in a remediation of the category `vendor_fix` with a `date` in the future or no `date` at all.
+    Consequently, the product MUST be removed from the remediation of the category `vendor_fix`.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * The CSAF 2.0 to CSAF 2.1 converter MUST remove any product from a remediation with the category `none_available`
+    if the product in question is also listed in a remediation of the category `vendor_fix` with a `date` in the past or to the exact same time.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`.
+  * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed,
+    including the products it was changed for.
+
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
 
 > A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
@@ -627,4 +663,14 @@ A CSAF library satisfies the "CSAF library with extended validation" conformance
 A CSAF library does not satisfies the "CSAF library with full validation" conformance profile if the CSAF library uses an external library or
 program for the "CSAF full validator" part and does not enforce its presence.
 
+### Conformance Clause 23: CSAF downloader
+
+A program satisfies the "CSAF downloader" conformance profile if the program:
+
+* conforms to the process defined in section [sec](#retrieving-rules) by executing all parts that are applicable to the given role.
+* supports directory-based and ROLIE-based retrieval.
+* is able to execute both steps from section [sec](#retrieving-rules) separately.
+* uses a program-specific HTTP User Agent, e.g. consisting of the name and version of the program.
+
+> A tool MAY implement an option to store CSAF documents that fail any of the steps in section [sec](#retrieving-csaf-documents)
 -------

csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md

@@ -66,4 +66,4 @@ Section [sec](#distributing-csaf-documents) states how to distribute and where t
 Safety, Security and Data Protection are considered in section [sec](#safety-security-and-data-protection-considerations).
 Finally, a set of conformance targets describes tools in the ecosystem.
 
--------
+

csaf_2.1/prose/edit/src/design-considerations-02-date-time.md

@@ -0,0 +1,13 @@
+## Date and Time
+
+This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1.
+In accordance with RFC 3339 and ISO 8601, the following rules apply:
+
+* The letter `T` separating the date and time SHALL be upper case.
+* The letter `Z` indicating the timezone UTC SHALL be upper case.
+* Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator.
+* Leap seconds are supported. However, they SHOULD be avoided if possible.
+* Empty timezones are prohibited.
+* The ABNF of RFC 3339, section 5.6 applies.
+
+-------

csaf_2.1/prose/edit/src/distributing.md

@@ -50,6 +50,8 @@ Redirects SHOULD NOT be used. If they are inevitable only HTTP Header redirects
 
 > Reasoning: Clients should not parse the payload for navigation and some, as e.g. `curl`, do not follow any other kind of redirects.
 
+If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects.
+
 ### Requirement 7: provider-metadata.json
 
 The party MUST provide a valid `provider-metadata.json` according to the schema
@@ -128,8 +130,8 @@ In the security.txt there MUST be at least one field `CSAF` which points to the
 If this field indicates a web URI, then it MUST begin with "https://" (as per section 2.7.2 of [cite](#RFC7230)).
 See [cite](#SECURITY-TXT) for more details.
 
-> The security.txt was published as [cite](#RFC9116) in April 2022. At the time of this writing,
-> the `CSAF` field is in the process of being officially added.
+> The security.txt was published as [cite](#RFC9116) in April 2022.
+> The `CSAF` field was officially added through the IANA registry.
 
 *Examples 1:*
 
@@ -148,7 +150,7 @@ If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF e
 ### Requirement 9: Well-known URL for provider-metadata.json
 
 The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the issuing authority serves directly
-the `provider-metadata.json` according to requirement 7.
+the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used.
 The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details.
 
 *Example 1:*
@@ -160,7 +162,7 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details
 ### Requirement 10: DNS path
 
 The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly
-the `provider-metadata.json` according to requirement 7.
+the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used.
 The use of the scheme "HTTPS" is required.
 
 ### Requirement 11: One folder per year

csaf_2.1/prose/edit/src/frontmatter.md

@@ -7,7 +7,7 @@
 
 ## Committee Specification Draft 01
 
-## 28 August 2024
+## 30 October 2024
 
 #### This stage:
 https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
 
 **[csaf-v2.1]**
 
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 August 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
 
 
 -------

csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md

@@ -47,6 +47,9 @@ CSAF direct producer
 CSAF document
 :    security advisory text document in the format defined by this document.
 
+CSAF downloader
+:    A program that retrieves CSAF documents in an automated fashion.
+
 CSAF extended validator
 :    A CSAF basic validator that additionally performs optional tests.
 
@@ -137,6 +140,9 @@ externalized property
 false positive
 :    result which an end user decides does not actually represent a problem
 
+filter
+:    refine a list by selecting entries that match given criteria
+
 fingerprint
 :    stable value that can be used by a result management system to uniquely identify a result over time,
 even if a relevant artifact is modified
@@ -218,6 +224,9 @@ _Examples_: severity level, rank
 repository
 :    container for a related set of files in a version control system
 
+search
+:    compile a list of entries that match given criteria
+
 taxonomy
 :    classification of analysis results into a set of categories
 

csaf_2.1/prose/edit/src/introduction-03-normative-references.md

@@ -1,5 +1,8 @@
 ## Normative References
 
+ISO8601
+:    _Data elements and interchange formats — Information interchange — Representation of dates and times_, International Standard, ISO 8601:2004(E), December 1, 2004, https://www.iso.org/standard/40874.html.
+
 JSON-Schema-Core
 :    _JSON Schema: A Media Type for Describing JSON Documents_, draft-bhutton-json-schema-00, December 2020, <https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00>.
 
@@ -15,6 +18,9 @@ Relative-JSON-Pointers
 RFC2119
 :    Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
 
+RFC3339
+:    Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>.
+
 RFC7464
 :    Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, <https://www.rfc-editor.org/info/rfc7464>.
 

csaf_2.1/prose/edit/src/introduction-04-informative-references.md

@@ -51,9 +51,6 @@ GFMCMARK
 GFMENG
 :    _GitHub Engineering: A formal spec for GitHub Flavored Markdown_, https://githubengineering.com/a-formal-spec-for-github-markdown/.
 
-ISO8601
-:    _Data elements and interchange formats — Information interchange — Representation of dates and times_, International Standard, ISO 8601:2004(E), December 1, 2004, https://www.iso.org/standard/40874.html.
-
 ISO19770-2
 :    _Information technology — IT asset management — Part 2: Software identification tag_, International Standard, ISO 19770-2:2015, September 30, 2015, <https://www.iso.org/standard/65666.html>.
 
@@ -66,9 +63,6 @@ OPENSSL
 PURL
 :    _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec.
 
-RFC3339
-:    Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>.
-
 RFC3552
 :    Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <https://www.rfc-editor.org/info/rfc3552>.
 

csaf_2.1/prose/edit/src/revision-history.md

@@ -18,4 +18,6 @@ toc:
 | csaf-v2.0-wd20240626-dev | 2024-06-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+| csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+
 -------

csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md

@@ -51,29 +51,28 @@ and `x_generic_uris`, one is mandatory.
         "cpe": {
           // ...
         },
-        "hashes": [
+        "hashes": {
           // ...
-        ],
-        "model_numbers": [
+        },
+        "model_numbers": {
           // ...
-        ],
+        },
         "purl": {
           // ...
         },
-        "sbom_urls": [
+        "sbom_urls": {
           // ...
-        ],
-        "serial_numbers": [
+        },
+        "serial_numbers": {
           // ...
-        ],
-        "skus": [
+        },
+        "skus": {
           // ...
-        ],
-        "x_generic_uris": [
+        },
+        "x_generic_uris": {
           // ...
-        ]
+        }
       }
-    }
 ```
 
 ##### Full Product Name Type - Product Identification Helper - CPE
@@ -87,6 +86,8 @@ Common Platform Enumeration representation (`cpe`) of value type `string` of 5 o
 The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.
 See [CPE23-N] for details.
 
+> Both, CPE 2.2 and CPE 2.3, are supported in CSAF.
+
 ##### Full Product Name Type - Product Identification Helper - Hashes
 
 List of hashes (`hashes`) of value type `array` holding at least one item contains a list of cryptographic hashes usable to identify files.

csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md

@@ -110,7 +110,7 @@ This results in the following rules:
    1.0.0-0.3.7
    1.0.0-alpha
    1.0.0-alpha.1
-   1.0.0-x-y-z.–
+   1.0.0-x-y-z.--
    1.0.0-x.7.z.92
    ```
 
@@ -124,7 +124,7 @@ This results in the following rules:
 
     ```
     1.0.0+20130313144700
-    1.0.0+21AF26D3—-117B344092BD
+    1.0.0+21AF26D3----117B344092BD
     1.0.0-alpha+001
     1.0.0-beta+exp.sha.5114f85
     ```
@@ -163,3 +163,15 @@ This results in the following rules:
        ```
        1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0
        ```
+
+Note, that the following values do no conform the semantic versioning described above.
+
+*Examples 6 (which are invalid):*
+
+```
+  1.16.13.14-Cor
+  1.0.0-x-y-z.–
+  1.0.0+21AF26D3—-117B344092BD
+  2.5.20+3f93da6b+7cc
+  3.20.0-00
+```