Merge pull request oasis-tcs#714 from oasis-tcs/editor-revision-2024-…

…03-27

Editor revision for TC meeting 2024-03-27

.github/workflows/csaf_2.1_cpe.yml

@@ -19,4 +19,6 @@ jobs:
       with:
         node-version: '20'
     - name: Perform CPE Dictionary Test
-      run: ./csaf_2.1/test/cpe/run_tests.sh
+      run: ./csaf_2.1/test/cpe/run_dictionary_tests.sh
+    - name: Perform CPE local examples Test
+      run: ./csaf_2.1/test/cpe/run_local_tests.sh

csaf_2.1/json_schema/csaf_json_schema.json

@@ -159,7 +159,7 @@
               "title": "Common Platform Enumeration representation",
               "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
               "type": "string",
-              "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$",
+              "pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
               "minLength": 5
             },
             "hashes": {
@@ -251,7 +251,7 @@
               "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
               "type": "string",
               "format": "uri",
-              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+",
+              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
               "minLength": 7
             },
             "sbom_urls": {

csaf_2.1/prose/edit/src/conformance.md

@@ -473,7 +473,7 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
   A switch to mark all SBOM component at once MAY be implemented.
 * does not bring up a newer revision of a CSAF document as a new match if the remediation for the matched SBOM or SBOM component has not changed.
 * detects the usage semantic version (as described in section [sec](#version-type-semantic-versioning)).
-* is able to trigger a run of the asset matching module:
+* is able to trigger a run of the SBOM matching module:
   * manually:
     * per CSAF document
     * per list of CSAF documents
@@ -502,7 +502,12 @@ Firstly, the program:
 
 Secondly, the program fulfills the following for all items of:
 
+* type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a
+  warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.
 
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
 
+> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
+> of the rules above MAY be ignored to avoid data loss.
+
 -------

csaf_2.1/prose/edit/src/frontmatter.md

@@ -7,7 +7,7 @@
 
 ## Committee Specification Draft 01
 
-## 28 February 2024
+## 27 March 2024
 
 #### This stage:
 https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -55,7 +55,7 @@ This specification replaces or supersedes:
 
 
 #### Abstract:
-The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
+The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
 
 #### Status:
 This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical.
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
 
 **[csaf-v2.1]**
 
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 March 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
 
 
 -------

csaf_2.1/prose/edit/src/introduction-04-informative-references.md

@@ -65,7 +65,7 @@ OPENSSL
 :    _GTLS/SSL and crypto library_, OpenSSL Software Foundation, https://www.openssl.org/.
 
 PURL
-:    _Package URL (PURL)_, GitHub Project, https://github.com/package-url/purl-spec.
+:    _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec.
 
 RFC3339
 :    Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
@@ -118,7 +118,7 @@ SPDX22
 https://spdx.github.io/spdx-spec/.
 
 VERS
-:    _vers: a mostly universal version range specifier_, Part of the PURL GitHub Project,
+:    _vers: a mostly universal version range specifier_, Part of the purl GitHub Project,
 https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst.
 
 VEX

csaf_2.1/prose/edit/src/revision-history.md

@@ -12,4 +12,5 @@ toc:
 |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------|
 | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision |
 | csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+| csaf-v2.0-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 -------

csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md

@@ -80,7 +80,7 @@ and `x_generic_uris`, one is mandatory.
 Common Platform Enumeration representation (`cpe`) of value type `string` of 5 or more characters with `pattern` (regular expression):
 
 ```
-    ^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$
+    ^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$
 ```
 
 The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.
@@ -238,20 +238,20 @@ Two `*` MUST NOT follow each other.
     IC25T060ATCS05-0
 ```
 
-##### Full Product Name Type - Product Identification Helper - PURL
+##### Full Product Name Type - Product Identification Helper - purl
 
-The package URL (PURL) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):
+The package URL (purl) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):
 
 ```
-    ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+
+    ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+
 ```
 
-> The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#PURL) specification.
+> The given pattern does not completely evaluate whether a purl is valid according to the [cite](#PURL) specification.
 > It provides a more generic approach and general guidance to enable forward compatibility.
-> CSAF uses only the canonical form of PURL to conform with section 3.3 of [cite](#RFC3986).
+> CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986).
 > Therefore, URLs starting with `pkg://` are considered invalid.
 
-This package URL (PURL) attribute refers to a method for reliably identifying and locating software packages external to this specification.
+This package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
 See [cite](#PURL) for details.
 
 ##### Full Product Name Type - Product Identification Helper - SBOM URLs

csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md

@@ -750,7 +750,8 @@ Valid values are:
 The value `exploit_status` indicates that the `details` field contains a description of the degree to which an exploit for the vulnerability is known.
 This knowledge can range from information privately held among a very small group to an issue that has been described to the public at
 a major conference or is being widely exploited globally.
-For consistency and simplicity, this section can be a mirror image of the CVSS "Exploitability" metric.
+For consistency and simplicity, this section can be a mirror image of the CVSS `exploitMaturity` (v4.0),
+respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric.
 However, it can also contain a more contextual status, such as "Weaponized" or "Functioning Code".
 
 The value `impact` indicates that the `details` field contains an assessment of the impact on the user or the target set if

csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md

@@ -1,6 +1,6 @@
 ### PURL
 
-It MUST be tested that given PURL is valid.
+It MUST be tested that given purl is valid.
 
 The relevant paths for this test are:
 

csaf_2.1/prose/edit/src/tests-03-informative.md

@@ -412,8 +412,6 @@ The relevant paths for this test are:
 
 > The product version starts with a `v`.
 
--------
-
 ### Missing CVSS v4.0
 
 For each item in the list of scores it MUST be tested that a `cvss_v4` object is present.
@@ -455,3 +453,5 @@ The relevant path for this test is:
 ```
 
 > There is no CVSS v4.0 score given for `CSAFPID-9080700`.
+
+-------

csaf_2.1/test/cpe/data/invalid/cpe.txt

@@ -0,0 +1,5 @@
+PREFIXcpe:/o:redhat:rhel_aus:7.6::server
+cpe:/o:redhat:rhel_aus:7.6::server::SUFFIX
+PREFIXcpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*"
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:**

csaf_2.1/test/cpe/data/valid/cpe.txt

@@ -0,0 +1,3 @@
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other*
+cpe:2.3:a:admin_management_xtended_project:admin_management_xtended:0.8:*:*:*:*:wordpress:*:*other????
+cpe:/o:redhat:rhel_aus:7.6::server

csaf_2.1/test/cpe/run_tests.sh → csaf_2.1/test/cpe/run_dictionary_tests.sh

@@ -20,7 +20,7 @@ get_dictionary() {
 prepare_23_dictionary() {
   # Get CPE 2.3 fields
   # Correctly decode special characters
-  grep '<cpe-23:cpe23-item name=' "$CPE".xml | sed -e 's/^.*<cpe-23:cpe23-item name="//' -e 's/"\/>$//' \
+  grep '<cpe-23:cpe23-item name=' "$CPE".xml | sed -e 's/^.*<cpe-23:cpe23-item name="//' -e 's/"\/\?>$//' \
     | sed -e 's/\\&amp;/\\\&/g' \
     | sed -e 's/\\&quot;/\\"/g' \
     > "$CPE".txt

csaf_2.1/test/cpe/run_local_tests.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+SCHEMA=csaf_2.1/json_schema/csaf_json_schema.json
+VALIDATOR=csaf_2.1/test/cpe/test-regex.js
+DATA_VALID=csaf_2.1/test/cpe/data/valid/cpe.txt
+DATA_INVALID=csaf_2.1/test/cpe/data/invalid/cpe.txt
+
+FAIL=0
+
+# go to root of git repository
+cd "$(dirname "$0")"/../../.. || exit
+
+
+validate() {
+  printf "Testing file %s against cpe regex from %s ... \n" "$1" "$SCHEMA"
+  if node "$VALIDATOR" "$SCHEMA" "$1" "$2"; then
+    printf "SUCCESS\n"
+  else
+    printf "FAILED\n"
+    FAIL=1
+  fi
+
+}
+
+echo -n "Test conforming (not necessary existing) CPEs... "
+DATA=$DATA_VALID
+validate $DATA true
+printf "done\n"
+
+echo -n "Test non-conforming CPEs... "
+DATA=$DATA_INVALID
+validate $DATA false
+printf "done\n"
+
+
+exit $FAIL

csaf_2.1/test/cpe/test-regex.js

@@ -10,15 +10,16 @@ const r = new RegExp(pattern)
 console.log('Current regex to test:', '\n', pattern)
 
 const cpeStr = fs.readFileSync(args[1], 'utf8').split('\n')
+const assertion = !((args[2] ?? true) === "false")
 
 let failed = false
 
 cpeStr.forEach(element => {
     if (element.length > 0) {
         const result = (r.exec(element) != null)
-        failed = failed | !result
-        if (!result) {
-            console.log(result, '\t', element)
+        failed = failed | (result !== assertion)
+        if (result !== assertion) {
+            console.log(result,'but expected', assertion, '\t', element)
         }
     }
 });