Conformance target CVRF CSAF converter #154

Closed
tschmidtb51 opened this issue Nov 25, 2020 · 2 comments

tschmidtb51 commented Nov 25, 2020

This issue is meant to tidy up the suggestion of the conformance target CVRF CSAF converter proposed in #140.

5.1 Conformance Targets

  • CVRF CSAF converter: A CSAF producer which takes a CVRF document as input and converts it into a valid CSAF document.

5.X Conformance Clause X-1: CVRF CSAF converter

A program satisfies the "CVRF CSAF converter" conformance profile if:

  • It satisfies the "CSAF producer" conformance profile.
  • It additionally satisfies those normative requirements in section 3 that are designated as applying to the conversion from CVRF to CSAF.
  • It takes only CVRF documents as input.

In section 3, we need to add the conversion rules: e.g. for

  • scores: If no product_id is given, the CVRF CSAF converter must append all product IDs which are listed under ../product_status/ in the arrays known_affected, first_affected, last_affected.
  • scores: If there are CVSS3.0 and CVSS3.1 Vectors available for the same product, the CVRF CSAF converter shall discard the CVSS3.0 information and provide in CSAF only the CVSS3.1 information.
  • product relationships: If more than one prod:FullProductName instance is given, the CVRF CSAF converter must convert the first one into full_product_name. It must also output a warning that information might be lost during conversion of product relationships.
@sthagen sthagen self-assigned this Nov 25, 2020
@sthagen sthagen added the csaf 2.0 csaf 2.0 work label Nov 25, 2020
@santosomar santosomar added the email To be sent via email to the TC label Nov 25, 2020
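
The three conversion rules proposed in the comment above, sketched in Python as an added example; it is not code from the issue, the CSAF specification, or any existing converter. The input shape (score sets as dicts with `vector` and `product_ids`), the function names, and the reading of "same product" as a per-product check are assumptions made for illustration.

```python
AFFECTED_ARRAYS = ("known_affected", "first_affected", "last_affected")

def cvss_version(vector):
    """Return '3.0' or '3.1' from a vector such as 'CVSS:3.1/AV:N/...'."""
    return vector.split("/", 1)[0].partition(":")[2]

def convert_scores(score_sets, product_status):
    """Apply the two proposed score rules; the input shape is an assumption."""
    # Rule 1: no product_id given -> use every ID from the affected arrays.
    fallback = []
    for name in AFFECTED_ARRAYS:
        for pid in product_status.get(name, []):
            if pid not in fallback:
                fallback.append(pid)
    resolved = [{"vector": s["vector"],
                 "product_ids": list(s.get("product_ids") or fallback)}
                for s in score_sets]
    # Rule 2: a product that has a CVSS 3.1 vector loses its CVSS 3.0 one.
    has_31 = {pid for s in resolved if cvss_version(s["vector"]) == "3.1"
              for pid in s["product_ids"]}
    converted = []
    for s in resolved:
        if cvss_version(s["vector"]) == "3.0":
            kept = [p for p in s["product_ids"] if p not in has_31]
            if s["product_ids"] and not kept:
                continue  # every product of this 3.0 set also has 3.1
            s["product_ids"] = kept
        converted.append(s)
    return converted

def convert_full_product_name(names, warnings):
    """Rule 3: keep the first prod:FullProductName, warn about the rest."""
    if len(names) > 1:
        warnings.append("product relationship: %d FullProductName instances, "
                        "kept the first; information might be lost" % len(names))
    return names[0] if names else None

# Constructed sample input (not taken from a real advisory).
SAMPLE_STATUS = {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"],
                 "fixed": ["CSAFPID-0003"],
                 "last_affected": ["CSAFPID-0002", "CSAFPID-0004"]}
SAMPLE_SCORES = [
    {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "product_ids": []},
    {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "product_ids": ["CSAFPID-0001"]},
]

if __name__ == "__main__":
    warnings = []
    print(convert_scores(SAMPLE_SCORES, SAMPLE_STATUS))
    print(convert_full_product_name(["Product A", "Product B"], warnings), warnings)
```

With the sample input, the CVSS 3.0 score set ends up covering only CSAFPID-0002 and CSAFPID-0004, because CSAFPID-0001 already carries a CVSS 3.1 vector and CSAFPID-0003 is listed only under `fixed`.
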

sthagen commented Feb 24, 2021

@santosomar, @tschmidtb51: In case we accept the proposal (which I second) I can add the text to the conformance section, amend section 3 as needed, and will at least add an entry into the terminology section.

@santosomar

This conformance clause was approved in the TC's monthly meeting of Feb 24, 2021

tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 25, 2024
- addresses parts of oasis-tcs#154
- state explicit how to handle CWE categories and views
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 25, 2024
- addresses parts of oasis-tcs#530, oasis-tcs#154
- adopt prose to reflect schema
- remove conversion rule for CVRF CSAF converter
- reorder CVRF CSAF converter rules regarding CWEs
- clarify warning regarding conversion of CWE category and view