CSAF Should Support Modern RESTful APIs instead of just ROLIE or Directory Listing #637
Comments
@santosomar Thank you for bringing this up. I'm happy to work on that specification with you and the TC.
I totally agree. Nevertheless, we need to specify the API and the required features to make it interoperable.
A student wrote a RESTful API for CSAF: https://opus.hs-offenburg.de/frontdoor/index/index/start/0/rows/10/sortfield/score/sortorder/desc/searchtype/simple/query/csaf/docId/6011 We need to evaluate whether that fulfills all of our use cases or whether additional routes would need to be established.
Another student is currently writing his master thesis to challenge the REST-based approach with a GraphQL-based one. Based on that information, we can decide whether REST is the best approach or GraphQL should be used.
My suggestion to proceed would be:
I like this suggestion! Thank you @tschmidtb51 ! I will put this on the agenda for initial discussion at the next TC meeting. We should also try to collaborate with and/or evaluate some of the efforts discussed in https://dbom.io
This should be the initial collector ticket around API planning.
The master thesis that looked into GraphQL as an API base is now published: https://www.fernuni-hagen.de/pv/docs/wiegel-abschlussarbeit.pdf
Also the Code is online:
We should also consider the approaches OData and ActivityPub based on the use cases.
There are several ways to structure data transmission. CSAF currently suggests that providers use some traditional distribution methods: the directory listing of JSON files and ROLIE. Most modern security tools use Representational State Transfer (REST) APIs. Unfortunately, ROLIE is not widely adopted in the industry. Though both can serve as platforms for data exchange, they have differences in functionality, flexibility, and scalability, making REST APIs the preferred choice for many developers.
REST APIs operate based on a universal standard and are inherently consistent. They're typically developed around HTTP methods, such as GET, POST, PUT, and DELETE, making them intuitive to use. This simplifies the learning curve for developers and promotes consistency across diverse applications. This is similar in ROLIE.
In contrast, a directory of JSON files lacks these standards. The lack of an established protocol might lead to inconsistencies, making it hard to maintain, particularly for large-scale projects or teams with multiple developers.
REST APIs often include measures to protect data integrity and confidentiality. Features such as authentication, authorization, and encryption ensure that only authorized parties can access and modify the data.
On the other hand, a directory listing of JSON files might not inherently provide these security features. While you can implement security measures, doing so consistently and robustly could be challenging.
A REST API returns precisely the data requested, reducing the load on both the server and client side. Using pagination and other techniques, it allows a large dataset to be efficiently transmitted in smaller chunks. In contrast, directory listing of JSON files could entail downloading whole files, even when only a small portion of the data is required. This inefficiency may lead to increased network traffic and slower performance.
REST APIs are designed with scalability in mind, allowing easy expansion of services and functionalities. They allow for changes in underlying databases or systems without affecting the client-side application, offering a greater level of abstraction. For example, I can just make a query based on a CVE that I am interested in to get its status or disposition. With a directory listing of JSON files, modifications or expansions might require changes on the client-side, reducing flexibility and scalability.
REST APIs support real-time data transmission, which is essential in many modern applications. With technologies like WebSockets or Server-Sent Events, REST APIs can push updates to the client, enabling real-time interactivity. Directory listings of JSON files, by their static nature, cannot easily provide real-time data.
REST APIs usually include robust error handling mechanisms. When a request fails, the API can return a specific HTTP status code and message, making it easy to diagnose and fix issues. Directory listing of JSON files lacks such a built-in error handling mechanism. Recognizing and resolving issues might be more challenging and time-consuming.
The following table highlights the pros and cons of directory listing and REST APIs.
The following table compares ROLIE and REST APIs.
CSAF Must NOT penalize vendors that provide modern RESTful APIs vs ROLIE and Directory Listing. This will hinder the adoption of the standard.
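To make the data-volume and error-handling arguments in this issue concrete, here is an added example (written for this page; it is not code from the issue, from the CSAF specification, or from the student projects mentioned in this thread). It runs the same "which advisories mention this CVE, and with what product status?" lookup two ways over three constructed CSAF 2.0 documents: the way a directory-listing client must (fetch and parse every file in full), and through a hypothetical `GET /vulnerabilities?cve=...&page=N&per_page=M` handler that answers from a server-side index, paginates, and returns HTTP status codes for bad input. The route, parameter names, tracking IDs, CVE IDs, product IDs and advisory text are all assumptions; CSAF defines no such endpoint today.

```python
"""Added example: directory-listing lookup vs. a hypothetical CSAF query endpoint.

Route, parameter names, document contents and identifiers below are assumptions
made for illustration; none of them comes from the CSAF standard.
"""
import json
import re
from urllib.parse import parse_qs, urlparse


def _doc(tracking_id, title, vulns):
    """Build a minimal constructed CSAF 2.0 document (only the fields used here)."""
    return {
        "document": {
            "title": title,
            "tracking": {"id": tracking_id, "current_release_date": "2024-01-10T00:00:00Z"},
            "notes": [{"category": "summary",
                       "text": "Constructed advisory text; it only gives the document "
                               "a realistic size for the transfer-size comparison."}],
        },
        "vulnerabilities": [{"cve": cve, "product_status": status} for cve, status in vulns],
    }


# Constructed corpus standing in for a provider's advisory directory.
CSAF_DOCS = [
    _doc("EXAMPLE-2024-0001", "Example Product: fix for a memory-safety bug",
         [("CVE-2024-0001", {"fixed": ["CSAFPID-0001"], "known_affected": ["CSAFPID-0002"]})]),
    _doc("EXAMPLE-2024-0002", "Example Product: status for two CVEs",
         [("CVE-2024-0001", {"known_not_affected": ["CSAFPID-0003"]}),
          ("CVE-2024-0002", {"under_investigation": ["CSAFPID-0003"]})]),
    _doc("EXAMPLE-2024-0003", "Example Product: unrelated fix",
         [("CVE-2024-0003", {"fixed": ["CSAFPID-0004"]})]),
]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def serialize_listing(docs):
    """The JSON files a directory listing exposes, as the client would download them."""
    return [json.dumps(doc) for doc in docs]


def directory_listing_lookup(listing, cve):
    """Directory-listing client: every file is read and parsed in full before the
    client knows whether it mentions `cve`. Returns (hits, bytes_read)."""
    hits, bytes_read = [], 0
    for raw in listing:
        bytes_read += len(raw)
        doc = json.loads(raw)
        for vuln in doc.get("vulnerabilities", []):
            if vuln.get("cve") == cve:
                hits.append({"id": doc["document"]["tracking"]["id"],
                             "product_status": vuln.get("product_status", {})})
    return hits, bytes_read


def build_cve_index(docs):
    """Server-side index so the endpoint answers without rescanning documents."""
    index = {}
    for doc in docs:
        for vuln in doc.get("vulnerabilities", []):
            if "cve" in vuln:
                index.setdefault(vuln["cve"], []).append(
                    {"id": doc["document"]["tracking"]["id"],
                     "product_status": vuln.get("product_status", {})})
    return index


def handle_request(index, url):
    """Hypothetical GET /vulnerabilities?cve=...&page=N&per_page=M handler.
    Returns (http_status, body). Malformed input is rejected before any lookup."""
    parsed = urlparse(url)
    if parsed.path != "/vulnerabilities":
        return 404, {"error": "unknown route"}
    query = parse_qs(parsed.query)
    cve = query.get("cve", [""])[0]
    if not CVE_RE.match(cve):
        return 400, {"error": "query parameter 'cve' is missing or malformed"}
    try:
        page = int(query.get("page", ["1"])[0])
        per_page = int(query.get("per_page", ["10"])[0])
    except ValueError:
        return 400, {"error": "'page' and 'per_page' must be integers"}
    if page < 1 or not 1 <= per_page <= 100:   # bound what one request may demand
        return 400, {"error": "'page' must be >= 1 and 1 <= 'per_page' <= 100"}
    results = index.get(cve, [])
    if not results:
        return 404, {"error": f"no advisory references {cve}"}
    start = (page - 1) * per_page
    return 200, {"cve": cve, "page": page, "per_page": per_page,
                 "total": len(results), "results": results[start:start + per_page]}


def compare_transfer(cve):
    """Bytes a client must read for one CVE: whole listing vs. one endpoint response."""
    listing = serialize_listing(CSAF_DOCS)
    _, listing_bytes = directory_listing_lookup(listing, cve)
    _, body = handle_request(build_cve_index(CSAF_DOCS), f"/vulnerabilities?cve={cve}")
    return {"listing_bytes": listing_bytes, "api_bytes": len(json.dumps(body))}


if __name__ == "__main__":
    print(compare_transfer("CVE-2024-0001"))
```

Even with a single CVE of interest, the listing client reads every byte of every file, whereas the endpoint returns only the matching product-status entries and caps `per_page` so a client cannot ask for an unbounded response; a malformed `cve` gets a 400 and an unknown CVE a 404, which is the "specific status code and message" the issue describes. A real deployment would still need the authentication, rate limiting and transport security the issue mentions in front of such a handler.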