https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative)
https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html
https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.pdf
N/A
https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.md (Authoritative)
https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html
https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.pdf
OASIS Common Security Advisory Framework (CSAF) TC
Justin Murphy (justin.murphy@mail.cisa.dhs.gov), DHS Cybersecurity and Infrastructure Security Agency (CISA)
Omar Santos (osantos@cisco.com), Cisco Systems
Stefan Hagen (stefan@hagen.link), Individual
Stefan Hagen (stefan@hagen.link), Individual
Thomas Schmidt (thomas.schmidt@bsi.bund.de), Federal Office for Information Security (BSI) Germany
This prose specification is one component of a Work Product that also includes:
This specification replaces or supersedes:
The Common Security Advisory Framework (CSAF) Version 2.1 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
This document was last revised or approved by the membership of OASIS on the above date. The level of approval is also listed above. Check the “Latest stage” location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical.
TC members should send comments on this specification to the TC’s email list. Others should send comments to the TC’s public comment list, after subscribing to it by following the instructions at the “Send A Comment” button on the TC’s web page at https://www.oasis-open.org/committees/csaf/.
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC’s web page (https://www.oasis-open.org/committees/csaf/ipr.php).
Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product’s prose narrative document(s), the content in the separate plain text file prevails.
When referencing this specification the following citation format should be used:
[csaf-v2.1]
Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 28 May 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
Copyright © OASIS Open 2022. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the “OASIS IPR Policy”). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
As stated in the OASIS IPR Policy, the following three paragraphs in brackets apply to OASIS Standards Final Deliverable documents (Committee Specification, Candidate OASIS Standard, OASIS Standard, or Approved Errata).
[OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Standards Final Deliverable, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this deliverable.]
[OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this OASIS Standards Final Deliverable by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this OASIS Standards Final Deliverable. OASIS may include such claims on its website, but disclaims any obligation to do so.]
[OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this OASIS Standards Final Deliverable or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS’ procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Standards Final Deliverable, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.]
The name “OASIS” is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark/ for above guidance.
Appendix A. Acknowledgments Appendix B. Revision History Appendix C. Guidance on the Size of CSAF Documents Appendix C. File Size Appendix C. Array Length Appendix C. String Length C.6 Date C.5 Enum C.5 URI Length C.5 UUID Length
This specification is provided under the Non-Assertion Mode of
the OASIS IPR Policy, the mode chosen when the Technical Committee was established.
For information on whether any patents have been disclosed that may be
essential to implementing this specification,
and any offers of patent licensing terms, please refer to the
Intellectual Property Rights section of the TC’s web page (https://www.oasis-open.org/committees/csaf/ipr.php).
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] and [RFC8174] when, and only when, they appear in all capitals, as shown here.
For purposes of this document, the following terms and definitions apply:
[ECMA-262] ECMAScript® 2024 Language Specification, ECMA-262, 15th edition, June 2024, https://262.ecma-international.org/15.0/
[ISO8601-1] Date and time — Representations for information interchangePart 1: Basic rules, International Standard, ISO 8601-1:2019(E), February 25, 2019, https://www.iso.org/standard/70907.html.
[JSON-Schema-Core] JSON Schema: A Media Type for Describing JSON Documents, draft-bhutton-json-schema-00, December 2020, https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00.
[JSON-Schema-Validation] JSON Schema Validation: A Vocabulary for Structural Validation of JSON, draft-bhutton-json-schema-validation-00, December 2020, https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00.
[JSON-Hyper-Schema] JSON Hyper-Schema: A Vocabulary for Hypermedia Annotation of JSON, draft-handrews-json-schema-hyperschema-02, September 2019, https://json-schema.org/draft/2019-09/json-schema-hypermedia.html.
[Relative-JSON-Pointers] Relative JSON Pointers, draft-bhutton-relative-json-pointer-00, December 2020, https://datatracker.ietf.org/doc/html/draft-bhutton-relative-json-pointer-00.
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, https://www.rfc-editor.org/info/rfc2119.
[RFC3339] Klyne, G. and C. Newman, “Date and Time on the Internet: Timestamps”, RFC 3339, DOI 10.17487/RFC3339, July 2002, https://www.rfc-editor.org/info/rfc3339.
[RFC4180] Shafranovich, Y., “Common Format and MIME Type for Comma-Separated Values (CSV) Files”, RFC 4180, DOI 10.17487/RFC4180, October 2005, https://www.rfc-editor.org/info/rfc4180.
[RFC7230] Roy T. Fielding and Julian Reschke, “Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing”, RFC 7230, DOI 10.17487/RFC7230, June 2014, https://www.rfc-editor.org/info/rfc7230.
[RFC7464] Williams, N., “JavaScript Object Notation (JSON) Text Sequences”, RFC 7464, DOI 10.17487/RFC7464, February 2015, https://www.rfc-editor.org/info/rfc7464.
[RFC8174] Leiba, B., “Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words”, BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, https://www.rfc-editor.org/info/rfc8174.
[RFC8259] T. Bray, Ed., “The JavaScript Object Notation (JSON) Data Interchange Format”, RFC 8259, DOI 10.17487/RFC8259, December 2017, https://www.rfc-editor.org/info/rfc8259.
[RFC9562] Davis, K., Peabody, B., and P. Leach, “Universally Unique IDentifiers (UUIDs)”, RFC 9562, DOI 10.17487/RFC9562, May 2024, https://www.rfc-editor.org/info/rfc9562.
[SPDX301] The System Package Data Exchange® (SPDX®) Specification Version 3.0.1, Linux Foundation and its Contributors, 2024, https://spdx.github.io/spdx-spec/.
[CPE23-A] Common Platform Enumeration: Applicability Language Specification Version 2.3 (NISTIR 7698), D. Waltermire, P. Cichonski, K. Scarfone, Editors, NIST Interagency Report 7698, August 2011, https://dx.doi.org/10.6028/NIST.IR.7698.
[CPE23-D] Common Platform Enumeration: Dictionary Specification Version 2.3, P. Cichonski, D. Waltermire, K. Scarfone, Editors, NIST Interagency Report 7697, August 2011, https://dx.doi.org/10.6028/NIST.IR.7697.
[CPE23-M] Common Platform Enumeration: Naming Matching Specification Version 2.3, M. Parmelee, H. Booth, D. Waltermire, K. Scarfone, Editors, NIST Interagency Report 7696, August 2011, https://dx.doi.org/10.6028/NIST.IR.7696.
[CPE23-N] Common Platform Enumeration: Naming Specification Version 2.3, B. Cheikes, D. Waltermire, K. Scarfone, Editors, NIST Interagency Report 7695, August 2011, https://dx.doi.org/10.6028/NIST.IR.7695.
[CSAF-v2.0] Common Security Advisory Framework Version 2.0. Edited by Langley Rock, Stefan Hagen, and Thomas Schmidt. 18 November 2022. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html.
[CVE] Common Vulnerability and Exposures (CVE) – The Standard for Information Security Vulnerability Names, MITRE, 1999, Revised Feb. 2016, https://cve.mitre.org/docs/cve-intro-handout.pdf.
[CVE-NF] Common Vulnerability and Exposures (CVE) – The Standard for Information Security Vulnerability Names - CVE ID Syntax Change, MITRE, January 01, 2014, https://cve.mitre.org/cve/identifiers/syntaxchange.html.
[CVRF-1-1] The Common Vulnerability Reporting Framework (CVRF) Version 1.1, M. Schiffman, Editor, May 2012, Internet Consortium for Advancement of Security on the Internet (ICASI), https://www.icasi.org/the-common-vulnerability-reporting-framework-cvrf-v1-1/.
[CVRF-v1.2] CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2. Edited by Stefan Hagen. 13 September 2017. OASIS Committee Specification 01. https://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html. Latest version: https://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.html.
[CVSS2] A Complete Guide to the Common Vulnerability Scoring System Version 2.0, P. Mell, K. Scarfone, S. Romanosky, Editors, First.org, Inc., June 2007, https://www.first.org/cvss/v2/cvss-v2-guide.pdf.
[CVSS30] Common Vulnerability Scoring System v3.0: Specification Document, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3.0/cvss-v30-specification_v1.9.pdf.
[CVSS31] Common Vulnerability Scoring System v3.1: Specification Document, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.
[CVSS40] Common Vulnerability Scoring System v4.0: Specification Document, FIRST.Org, Inc., November 9, 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf.
[CWE] Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types, MITRE, 2006, http://cwe.mitre.org/about/.
[CYCLONEDX161] CycloneDX Software Bill-of-Material Specification JSON schema version 1.6.1, cyclonedx.org, November 7, 2024, https://github.com/CycloneDX/specification/blob/1.6.1/schema/bom-1.6.schema.json.
[EPSS] Exploit Prediction Scoring System (EPSS), FIRST.Org, Inc., https://www.first.org/epss/
[FETCH] Fetch: Living Standard, https://fetch.spec.whatwg.org.
[GFMCMARK] GitHub’s fork of cmark, a CommonMark parsing and rendering library and program in C, https://github.com/github/cmark.
[GFMENG] GitHub Engineering: A formal spec for GitHub Flavored Markdown, https://githubengineering.com/a-formal-spec-for-github-markdown/.
[ISO19770-2] Information technology — IT asset management — Part 2: Software identification tag, International Standard, ISO 19770-2:2015, September 30, 2015, https://www.iso.org/standard/65666.html.
[ISO29147] Information technology — Security techniques — Vulnerability disclosure, International Standard, ISO/IEC 29147:2018, October 23, 2018, https://www.iso.org/standard/72311.html.
[OPENSSL] GTLS/SSL and crypto library, OpenSSL Software Foundation, https://www.openssl.org/.
[PURL] Package URL (purl), GitHub Project, https://github.com/package-url/purl-spec.
[RFC3552] Rescorla, E. and B. Korver, “Guidelines for Writing RFC Text on Security Considerations”, BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, https://www.rfc-editor.org/info/rfc3552.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax”, STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, https://www.rfc-editor.org/info/rfc3986.
[RFC4122] Leach, P., Mealling, M., and R. Salz, “A Universally Unique IDentifier (UUID) URN Namespace”, RFC 4122, DOI 10.17487/RFC4122, July 2005, https://www.rfc-editor.org/info/rfc4122.
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, “OpenPGP Message Format”, RFC 4880, DOI 10.17487/RFC4880, November 2007, https://www.rfc-editor.org/info/rfc4880.
[RFC7231] Fielding, R., Ed., and J. Reschke, Ed., “Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content”, RFC 7231, DOI 10.17487/RFC7231, June 2014, https://www.rfc-editor.org/info/rfc7231.
[RFC8322] Field, J., Banghart, S., and D. Waltermire, “Resource-Oriented Lightweight Information Exchange (ROLIE)”, RFC 8322, DOI 10.17487/RFC8322, February 2018, https://www.rfc-editor.org/info/rfc8322.
[RFC8615] Nottingham, M., “Well-Known Uniform Resource Identifiers (URIs)”, RFC 8615, DOI 10.17487/RFC8615, May 2019, https://www.rfc-editor.org/info/rfc8615.
[RFC9116] Foudil, E. and Y. Shafranovich, “A File Format to Aid in Security Vulnerability Disclosure”, RFC 9116, DOI 10.17487/RFC9116, April 2022, https://www.rfc-editor.org/info/rfc9116.
[SCAP12] The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2, D. Waltermire, S. Quinn, K. Scarfone, A. Halbardier, Editors, NIST Spec. Publ. 800‑126 rev. 2, September 2011, https://dx.doi.org/10.6028/NIST.SP.800-126r2.
[SECURITY-TXT] Foudil, E. and Shafranovich, Y., Security.txt Project, https://securitytxt.org/.
[SemVer] Semantic Versioning 2.0.0, T. Preston-Werner, June 2013, https://semver.org/.
[SSVC] SSVC: Stakeholder-Specific Vulnerability Categorization, CERT/CC, https://certcc.github.io/SSVC/reference/
[VERS] vers: a mostly universal version range specifier, Part of the purl GitHub Project, https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst.
[VEX] Vulnerability-Exploitability eXchange (VEX) - An Overview, VEX sub-group of the Framing Working Group in the NTIA SBOM initiative, 27 September 2021, https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf.
[VEX-Justification] Vulnerability Exploitability eXchange (VEX) - Status Justifications, VEX sub-group of the Framing Working Group in the CISA SBOM initiative, June 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.
[XML] Extensible Markup Language (XML) 1.0 (Fifth Edition), T. Bray, J. Paoli, M. Sperberg-McQueen, E. Maler, F. Yergeau, Editors, W3C Recommendation, November 26, 2008, https://www.w3.org/TR/2008/REC-xml-20081126/. Latest version available at https://www.w3.org/TR/xml.
[XML-Schema-1] W3C XML Schema Definition Language (XSD) 1.1 Part 1: Structures, S. Gao, M. Sperberg-McQueen, H. Thompson, N. Mendelsohn, D. Beech, M. Maloney, Editors, W3C Recommendation, April 5, 2012, https://www.w3.org/TR/2012/REC-xmlschema11-1-20120405/. Latest version available at https://www.w3.org/TR/xmlschema11-1/.
[XML-Schema-2] W3C XML Schema Definition Language (XSD) 1.1 Part 2: Datatypes W3C XML Schema Definition Language (XSD) 1.1 Part 2: Datatypes, D. Peterson, S. Gao, A. Malhotra, M. Sperberg-McQueen, H. Thompson, Paul V. Biron, Editors, W3C Recommendation, April 5, 2012, https://www.w3.org/TR/2012/REC-xmlschema11-2-20120405/. Latest version available at https://www.w3.org/TR/xmlschema11-2/.
Keywords defined by this specification use this
monospaced font.
Normative source code uses this paragraph style.Some sections of this specification are illustrated with non-normative examples introduced with “Example” or “Examples” like so:
Informative examples also use this paragraph style but preceded by the text "Example(s)".All examples in this document are informative only.
All other text is normative unless otherwise labeled e.g. like the following informative comment:
This is a pure informative comment that may be present, because the information conveyed is deemed useful advice or common pitfalls learned from implementer or operator experience and often given including the rationale.
The Common Security Advisory Framework (CSAF) is a language to exchange Security Advisories formulated in JSON.
The term Security Advisory as used in this document describes any notification of security issues in products of and by providers. Anyone providing a product is considered in this document as a vendor, i.e. developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners. A security issue is not necessarily constrained to a problem statement, the focus of the term is on the security aspect impacting (or not impacting) specific product-platform-version combinations. Information on presence or absence of workarounds is also considered part of the security issue. This document is the definitive reference for the language elements of CSAF version 2.1. The encompassing JSON schema file noted in the Additional Artifacts section of the title page SHALL be taken as normative in the case a gap or an inconsistency in this explanatory document becomes evident. The following presentation in this section is grouped by topical area, and is not simply derivative documentation from the schema document itself. The information contained aims to be more descriptive and complete. Where applicable, common conventions are stated and known common issues in usage are pointed out informatively to support implementers of document producers and consumers alike.
This minimal required information set does not provide any useful information on products, vulnerabilities, or security advisories. Thus, any real-world Security Advisory will carry additional information as specified in section 3 Schema elements.
Care has been taken, to design the containers for product and vulnerability information to support fine-grained mapping of security advisories onto product and vulnerability and minimize data duplication through referencing. The display of the elements representing Product Tree and Vulnerability information has been placed in the sections named accordingly.
A Security Advisory defined as a CSAF document is the result of complex orchestration of many players and distinct and partially difficult to play schemas.
The format chosen is [JSONSchema] which allows validation and delegation to sub schema providers. The latter aligns well with separation of concerns and shares the format family of information interchange utilized by the providers of product and vulnerability information which migrated from XML to JSON since the creation of CSAF CVRF version 1.2, the pre-predecessor of this specification.
The acronym CSAF, “Common Security Advisory Framework”, stands for the target of concerted mitigation and remediation accomplishment.
Technically, the use of JSON schema allows validation and proof of model conformance (through established schema based validation) of the declared information inside CSAF documents.
The CSAF schema structures its derived documents into three main classes of the information conveyed:
Wherever possible repetition of data has been replaced by linkage through ID elements. Consistency on the content level thus is in the responsibility of the producer of such documents, to link e.g. vulnerability information to the matching product.
A dictionary like presentation of all defined schema elements is given in the section 3. Any expected relations to other elements (linkage) is described there. This linking relies on setting attribute values accordingly (mostly guided by industry best practice and conventions) and thus implies, that any deep validation on a semantic level (e.g. does the CWE match the described vulnerability) is to be ensured by the producer and consumer of CSAF documents. It is out of scope for this specification.
Proven and intended usage patterns from practice are given where possible.
Delegation to industry best practices technologies is used in referencing schemas for:
Even though not all - especially the referenced - JSON schemas prohibit specifically additional properties and custom keywords, it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC’s GitHub. The JSON schemas defined in this standard do not allow the use of additional properties and custom keywords.
The standardized fields allow for scalability across different issuing parties and dramatically reduce the human effort and need for dedicated parsers as well as other tools on the side of the consuming parties.
Section 4 defined profiles that are used to ensure a common understanding of which fields are required in a given use case. Additional conventions are stated in section 5. The tests given in section 6 support CSAF producers and consumers to verify rules from the specification which can not be tested by the schema. Section 7 states how to distribute and where to find CSAF documents. Safety, Security and Data Protection are considered in section 8. Finally, a set of conformance targets describes tools in the ecosystem.
The JSON schema 2020-12 dialect per default uses the
format keyword just as annotation.
To be able to ensure that the format constraints are validated as
intended, the following metaschema is defined.
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/meta.json",
"$dynamicAnchor": "meta",
"$vocabulary": {
"https://json-schema.org/draft/2020-12/vocab/core": true,
"https://json-schema.org/draft/2020-12/vocab/format-assertion": true
},
"allOf": [
{ "$ref": "https://json-schema.org/draft/2020-12/meta/core" },
{ "$ref": "https://json-schema.org/draft/2020-12/meta/format-assertion" }
]
}It is then consequently used in all JSON schemas defined in this standard and replaces the reference to the JSON schema 2020-12.
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/meta.json",
// ...
}The format validation is enforced by setting the corresponding vocabulary as required.
If a library used to parse, modify or create CSAF content is unable to deal with this meta schema, it could reach the objective by interpreting the schema as JSON schema 2020-12 dialect and enforcing the format validation via its implementation.
This standard uses the date-time format as defined in
JSON Schema Draft 2020-12 Section 7.3.1.
In accordance with [RFC3339] and [ISO8601-1], the following rules apply:
T separating the date and time SHALL be
upper case.T.Z indicating the timezone UTC SHALL be upper
case..) as separator.The CSAF schema describes how to represent security advisory information as a JSON document.
The CSAF schema Version 2.1 builds on the JSON Schema draft 2020-12 rules extended by the format validation enforcement (see 2.2).
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/meta.json"The schema identifier is:
"$id": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json"The further documentation of the schema is organized via Definitions and Properties.
Types and properties together provide the vocabulary for the domain specific language supporting security advisories.
The two mandatory properties are $schema and
document.
The optional two additional properties are product_tree and
vulnerabilities.
The definitions ($defs) introduce the following domain
specific types into the CSAF language:
Acknowledgments (acknowledgments_t), Branches
(branches_t), Full Product Name
(full_product_name_t), Language (lang_t),
Notes (notes_t),
Product Group ID (product_group_id_t), Product Groups
(product_groups_t), Product ID (product_id_t),
Products (products_t),
References (references_t), and Version
(version_t).
"$defs": {
"acknowledgments_t": {
// ...
},
"branches_t": {
// ...
},
"full_product_name_t": {
// ...
},
"lang_t": {
// ...
},
"notes_t": {
// ...
},
"product_group_id_t": {
// ...
},
"product_groups_t": {
// ...
},
"product_id_t": {
// ...
},
"products_t": {
// ...
},
"references_t": {
// ...
},
"version_t": {
// ...
}
},List of Acknowledgments (acknowledgments_t) type
instances of value type array with 1 or more elements
contain
a list of Acknowledgment elements.
"acknowledgments_t": {
// ...
"items": {
// ...
}
},The value type of Acknowledgment is object with at least
1 and at most 4 properties. Every such element acknowledges
contributions by
describing those that contributed.
The properties are: names, organization,
summary, and urls.
"properties": {
"names": {
// ...
},
"organization": {
// ...
},
"summary": {
// ...
},
"urls": {
// ...
}
}List of acknowledged names (names) has value type
array with 1 or more items holds the names of contributors
being recognized.
Every such item of value type string with 1 or more
characters represents the name of the contributor and contains the name
of
a single contributor being recognized.
Albert Einstein
Johann Sebastian BachThe contributing organization (organization) has value
type string with 1 or more characters and holds the name
of
the contributing organization being recognized.
CISA
Google Project Zero
TalosSummary of the acknowledgment (summary) of value type
string with 1 or more characters SHOULD represent any
contextual details
the document producers wish to make known about the acknowledgment or
acknowledged parties.
First analysis of Coordinated Multi-Stream Attack (CMSA)List of URLs (urls) of acknowledgment is a container
(value type array) for 1 or more string of
type URL that specifies
a list of URLs or location of the reference to be acknowledged.
Any URL of acknowledgment contains the URL or location of the reference
to be acknowledged.
Value type is string with format URI (uri).
"acknowledgments": [
{
"names": [
"Johann Sebastian Bach",
"Georg Philipp Telemann",
"Georg Friedrich Händel"
],
"organization": "Baroque composers",
"summary": "wonderful music"
},
{
"organization": "CISA",
"summary": "coordination efforts",
"urls": [
"https://cisa.gov"
]
},
{
"organization": "BSI",
"summary": "assistance in coordination"
},
{
"names": [
"Antonio Vivaldi"
],
"summary": "influencing other composers"
}
],The example [1] above SHOULD lead to the following outcome in a human-readable advisory:
We thank the following parties for their efforts:
- Johann Sebastian Bach, Georg Philipp Telemann, Georg Friedrich Händel from Baroque composers for wonderful music
- CISA for coordination efforts (see: https://cisa.gov)
- BSI for assistance in coordination
- Antonio Vivaldi for influencing other composers
List of branches (branches_t) with value type
array contains 1 or more branch elements as children of the
current element.
"branches_t": {
//...
"items": {
// ...
}
},Every Branch holds exactly 3 properties and is a part of the
hierarchical structure of the product tree.
The properties name and category are
mandatory. In addition, the object contains either a
branches or a product property.
"properties": {
"branches": {
// ...
},
"category": {
// ...
},
"name": {
// ...
},
"product": {
// ...
}
}
branches_tsupports building a hierarchical structure of products that allows to indicate the relationship of products to each other and enables grouping for simpler referencing. As an example, the structure MAY use the following levels:vendor->product_family->product_name->product_version. It is recommended to use the hierarchical structure ofvendor->product_name->product_versionwhenever possible to support the identification and matching of products on the consumer side.
List of branches (branches) has the value type
branches_t.
Category of the branch (category) of value type
string and enum describes the characteristics
of the labeled branch.
Valid enum values are:
architecture
host_name
language
legacy
patch_level
platform
product_family
product_name
product_version
product_version_range
service_pack
specification
vendorThe value architecture indicates the architecture for
which the product is intended.
The value host_name indicates the host name of a
system/service.
The value language indicates the language of the
product.
The value legacy indicates an entry that has reached its
end of life.
The value patch_level indicates the patch level of the
product.
The value platform indicates the (CPU) platform for
which the product is intended.
The value product_family indicates the product family
that the product falls into.
The value product_name indicates the name of the
product.
The value product_version indicates exactly a single
version of the product.
The value of the adjacent name property can be numeric or
some other descriptor.
However, it MUST NOT contain version ranges of any kind.
It is recommended to enumerate versions wherever possible. Nevertheless, the TC understands that this is sometimes impossible. To reflect that in the specification and aid in automatic processing of CSAF documents the value
product_version_rangewas introduced. See next section for details.
The value product_version_range indicates a range of
versions for the product.
The value of the adjacent name property SHOULD NOT be used
to convey a single version.
The value service_pack indicates the service pack of the
product.
The value specification indicates the specification such
as a standard, best common practice, etc.
The value vendor indicates the name of the vendor or
manufacturer that makes the product.
Name of the branch (name) of value type
string with 1 or more characters contains the canonical
descriptor or ‘friendly name’ of the branch.
10
365
Microsoft
Office
PCS 7
SIMATIC
Siemens
WindowsA leading v or V in the value of
name SHOULD only exist for the categories
product_version or product_version_range if it
is
part of the product version as given by the vendor.
If adjacent property category has the value
product_version, the value of name MUST NOT
contain version ranges of any kind.
Examples 1 (for name when using
product_version):
10
17.4
v3The
product_versionis the easiest way for users to determine whether their version is meant (provided that the given ancestors in the product tree matched): If both version strings are the same, it is a match - otherwise not. Therefore, it is always recommended to enumerate product versions instead of providing version ranges.
Examples 2 (for name when using
product_version which are
invalid):
8.0.0 - 8.0.1
8.1.5 and later
<= 2
prior to 4.2
All versions < V3.0.29
V3.0, V4.0, V4.1, V4.2All the examples above contain some kind of a version range and are therefore invalid under the category
product_version.
If adjacent property category has the value
product_version_range, the value of name MUST
contain version ranges.
The value of MUST obey to exactly one of the following options:
Version Range Specifier (vers)
vers is an ongoing community effort to address the problem of version ranges. Its draft specification is available at [VERS].
vers MUST be used in its canonical form. To convey the term “all
versions” the special string vers:all/* MUST be used.
Examples 1 (for name when using
product_version_range with
vers):
vers:gem/>=2.2.0|!=2.2.1|<2.3.0
vers:npm/1.2.3|>=2.0.0|<5.0.0
vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1
vers:tomee/>=8.0.0-M1|<=8.0.1Through the definitions of the vers specification a user can compute whether a given version is in a given range.
Vers-like Specifier (vls)
This option uses only the <version-constraint>
part from the vers specification. It MUST NOT have an URI nor the
<versioning-scheme> part.
It is a fallback option and SHOULD NOT be used unless really
necessary.
The reason for that is, that it is nearly impossible for tools to reliable determine whether a given version is in the range or not.
Tools MAY support this on best effort basis.
Examples 2 (for name when using
product_version_range with
vls):
<=2
<4.2
<V3.0.29
>=8.1.5
>10.9a|!=10.9c|!=10.9f|<=10.9k
<2024-4-pabc0019|>2024-10-pefd0010|<2024-12-pjkl2010|>2024-12-pjkl5010|<=2025-1-pghi1001Product (product) has the value type Full Product Name
(full_product_name_t).
Full Product Name (full_product_name_t) with value type
object specifies information about the product and assigns
the product ID.
The properties name and product_id are
required. The property product_identification_helper is
optional.
"full_product_name_t": {
// ...
"properties": {
"name": {
// ...
},
"product_id": {
// ...
},
"product_identification_helper": {
// ...
}
}
},Textual description of the product (name) has value type
string with 1 or more characters.
The value SHOULD be the product’s full canonical name, including version
number and other attributes,
as it would be used in a human-friendly document.
Cisco AnyConnect Secure Mobility Client 2.3.185
Microsoft Host Integration Server 2006 Service Pack 1Product ID (product_id) holds a value of type Product ID
(product_id_t).
Helper to identify the product
(product_identification_helper) of value type
object provides in its properties at least
one method which aids in identifying the product in an asset
database.
Of the given eight properties cpe, hashes,
model_numbers, purls, sbom_urls,
serial_numbers, skus,
and x_generic_uris, one is mandatory.
"product_identification_helper": {
// ...
"properties": {
"cpe": {
// ...
},
"hashes": {
// ...
},
"model_numbers": {
// ...
},
"purls": {
// ...
},
"sbom_urls": {
// ...
},
"serial_numbers": {
// ...
},
"skus": {
// ...
},
"x_generic_uris": {
// ...
}
}
}A helper to identify the product SHALL identify the product described
by the name in its entirety.
A matching algorithm has to be able to rely on the
product_identification_helper information during the
matching without having to
check e.g. the branches hierarchy leading to the product.
Therefore, it is, for example, prohibited to omit the version from the CPE if a
product_versionwas given in branches hierarchy leading to the product.
Common Platform Enumeration representation (cpe) of
value type string of 5 or more characters with
pattern (regular expression):
^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification. See [CPE23-N] for details.
Both, CPE 2.2 and CPE 2.3, are supported in CSAF.
List of hashes (hashes) of value type array
holding at least one item contains a list of cryptographic hashes usable
to identify files.
"hashes": {
// ...
"items": {
// ...
}
},Cryptographic hashes of value type object contains all
information to identify a file based on its cryptographic hash
values.
Any cryptographic hashes object has the 2 mandatory properties
file_hashes and filename.
"properties": {
"file_hashes": {
// ...
},
"filename": {
// ...
}
}List of file hashes (file_hashes) of value type
array holding at least one item contains a list of
cryptographic hashes for this file.
"file_hashes": {
// ...
"items": {
// ...
}
},Each File hash of value type object contains one hash
value and algorithm of the file to be identified.
Any File hash object has the 2 mandatory properties
algorithm and value.
"properties": {
"algorithm": {
// ...
},
"value": {
// ...
}
}The algorithm of the cryptographic hash representation
(algorithm) of value type string with one or
more characters contains
the name of the cryptographic hash algorithm used to calculate the
value.
The default value for algorithm is sha256.
blake2b512
sha256
sha3-512
sha384
sha512These values are derived from the currently supported digests OpenSSL [OPENSSL]. Leading dashes were removed.
The command
openssl dgst -list(Version 3.4.0 from 2024-10-22) outputs the following:Supported digests: -blake2b512 -blake2s256 -md4 -md5 -md5-sha1 -mdc2 -ripemd -ripemd160 -rmd160 -sha1 -sha224 -sha256 -sha3-224 -sha3-256 -sha3-384 -sha3-512 -sha384 -sha512 -sha512-224 -sha512-256 -shake128 -shake256 -sm3 -ssl3-md5 -ssl3-sha1 -whirlpool
The Value of the cryptographic hash representation
(value) of value type string of 32 or more
characters with pattern (regular expression):
^[0-9a-fA-F]{32,}$The Value of the cryptographic hash attribute contains the cryptographic hash value in hexadecimal representation.
37df33cb7464da5c7f077f4d56a32bc84987ec1d85b234537c1c1a4d4fc8d09dc29e2e762cb5203677bf849a2855a0283710f1f5fe1d6ce8d5ac85c645d0fcb3
4775203615d9534a8bfca96a93dc8b461a489f69124a130d786b42204f3341cc
9ea4c8200113d49d26505da0e02e2f49055dc078d1ad7a419b32e291c7afebbb84badfbd46dec42883bea0b2a1fa697cThe filename representation (filename) of value type
string with one or more characters contains the name
of
the file which is identified by the hash values.
WINWORD.EXE
msotadddin.dll
sudoers.soIf the value of the hash matches and the filename does not, a user SHOULD prefer the hash value. In such cases, the filename SHOULD be used as informational property.
The list of models (model_numbers) of value type
array with 1 or more unique items contains a list of model
numbers.
A list of models SHOULD only be used if a certain range of model numbers with its corresponding software version is affected, or the model numbers change during update.
This can also be used to identify hardware. If necessary, the software, or any other related part, SHALL be bind to that via a product relationship.
"model_numbers": {
//...
"items": {
//...
}
},Any given model number of value type string with at
least 1 character represents a model number of the component to identify
-
possibly with placeholders.
The terms “model”, “model number” and “model variant” are mostly used synonymously. Often it is abbreviated as “MN”, M/N” or “model no.”.
If a part of a model number of the component to identify is
given,
it MUST begin at the first and end at the last character position of the
string representing the targeted component.
The wildcard characters ? (for a single character) and
* (for zero or more characters) signal exclusion of
characters at these positions from matching.
This applies also to the first character.
An unescaped * MUST be the only * wildcard in
the string.
As part of the model number, the special characters ?,
* and \ MUST be escaped with
\.
Note: A backslash MUST be escaped itself in a JSON string.
*-G109A/EU?
2024-*
6RA8096-4MV62-0AA0
6RA801?-??V62-0AA0
IC25T060ATCS05-0List of purls (purls) of value type array
with 1 or more unique items contains a list of package URL (purl)
identifiers.
"purls": {
//...
"items": {
//...
}
},A package URL representation is a string of 7 or more
characters with pattern (regular expression):
^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+The given pattern does not completely evaluate whether a purl is valid according to the [PURL] specification. It provides a more generic approach and general guidance to enable forward compatibility. CSAF uses only the canonical form of purl to conform with section 3.3 of [RFC3986]. Therefore, URLs starting with
pkg://are considered invalid.
The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification. See [PURL] for details. Multiple purls can be specified to allow for identifiers to locate identical components in different locations.
If multiple purls are specified, they SHALL only differ in their qualifiers. Otherwise, separate product branches SHOULD be used to differentiate between the components.
The list of SBOM URLs (sbom_urls) of value type
array with 1 or more items contains
a list of URLs where SBOMs for this product can be retrieved.
The SBOMs might differ in format or depth of detail. Currently supported formats are SPDX, CycloneDX, and SWID.
"sbom_urls": {
//...
"items": {
//...
}
},Any given SBOM URL of value type string with format
uri contains a URL of one SBOM for this product.
https://raw.githubusercontent.com/CycloneDX/bom-examples/master/SBOM/keycloak-10.0.2/bom.json
https://swinslow.net/spdx-examples/example4/main-bin-v2The list of serial numbers (serial_numbers) of value
type array with 1 or more unique items contains
a list of serial numbers.
A list of serial numbers SHOULD only be used if a certain range of serial numbers with its corresponding software version is affected, or the serial numbers change during update.
"serial_numbers": {
//...
"items": {
//...
}
},Any given serial number of value type string with at
least 1 character represents a serial number of the component to
identify -
possibly with placeholders.
If a part of a serial number of the component to identify is
given,
it MUST begin at the first and end at the last character position of the
string representing the targeted component.
The wildcard characters ? (for a single character) and
* (for zero or more characters) signal exclusion of
characters at these positions from matching.
This applies also to the first character.
An unescaped * MUST be the only * wildcard in
the string.
As part of the serial number, the special characters ?,
* and \ MUST be escaped with
\.
Note: A backslash MUST be escaped itself in a JSON string.
*RF8R71YR???
11S45N0249Z1ZS9*
DSEP147100
L15-VM-???
L234.696.30.044.712The list of stock keeping units (skus) of value type
array with 1 or more items contains a list of full or
abbreviated (partial) stock keeping units.
A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. In the latter case the remediations SHALL include the new stock keeping units or a description how it can be obtained.
The use of the list of relationships in the first case is important. Otherwise, the end user is unable to identify which version (the affected or the not affected / fixed one) is used.
"skus": {
//...
"items": {
//...
}
},Any given stock keeping unit of value type string with
at least 1 character represents a full or
abbreviated (partial) stock keeping unit (SKU) of the component to
identify.
Sometimes this is also called “item number”, “article number” or “product number”.
If a part of a stock keeping unit of the component to identify is
given, it SHOULD begin with the first character of
the stock keeping unit and stop at any point.
Characters which SHOULD NOT be matched MUST be replaced by either
? (for a single character) or * (for zero or
more characters).
Two * MUST NOT follow each other.
List of generic URIs (x_generic_uris) of value type
array with at least 1 item contains a list of identifiers
which are
either vendor-specific or derived from a standard not yet supported.
"x_generic_uris": {
// ...
"items": {
// ...
}
}Any such Generic URI item of value type object provides
the two mandatory properties Namespace (namespace) and URI
(uri).
"properties": {
"namespace": {
// ...
},
"uri": {
// ...
}
}The namespace of the generic URI (namespace) of value
type string with format uri refers to a URL
which provides
the name and knowledge about the specification used or is the namespace
in which these values are valid.
The URI (uri) of value type string with
format uri contains the identifier itself.
These elements can be used to reference a specific component from an SBOM:
Example 1 (linking a component from a CycloneDX SBOM using the bomlink mechanism):
"x_generic_uris": [
{
"namespace": "https://cyclonedx.org/capabilities/bomlink/",
"uri": "urn:cdx:411dafd2-c29f-491a-97d7-e97de5bc2289/1#pkg:maven/org.jboss.logging/jboss-logging@3.4.1.Final?type=jar"
}
]Example 2 (linking a component from an SPDX SBOM):
"x_generic_uris": [
{
"namespace": "https://spdx.github.io/spdx-spec/latest/document-creation-information/#65-spdx-document-namespace-field",
"uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc"
}
]Language type (lang_t) has value type
string with pattern (regular expression):
^(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?|[A-Za-z]{4,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3}))*(-[A-WY-Za-wy-z0-9](-[A-Za-z0-9]{2,8})+)*(-[Xx](-[A-Za-z0-9]{1,8})+)?|[Xx](-[A-Za-z0-9]{1,8})+|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Mm][Ii][Nn][Gg][Oo])$The value identifies a language, corresponding to IETF BCP 47 / RFC
5646. See IETF language registry: https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry
CSAF skips those grandfathered language tags that are deprecated at the time of writing the specification. Even though the private use language tags are supported they should not be used to ensure readability across the ecosystem. It is recommended to follow the conventions for the capitalization of the subtags even though it is not mandatory as most users are used to that.
de
en
fr
frc
jpList of notes (notes_t) of value type array
with 1 or more items of type Note contains notes which are
specific to the current context.
"notes_t": {
// ...
"items": {
// ...
}
},Value type of every such Note item is object with the
mandatory properties category and text
providing a place to put
all manner of text blobs related to the current context.
A Note object MAY provide the optional properties
audience, group_ids, product_ids
and title.
"properties": {
"audience": {
// ...
},
"category": {
// ...
},
"group_ids": {
// ...
},
"product_ids": {
// ...
}
"text": {
// ...
},
"title": {
// ...
}
}Audience of note (audience) of value type
string with 1 or more characters indicates who is intended
to read it.
all
executives
operational management and system administrators
safety engineersNote category (category) of value type
string and enum contains the information of
what kind of note this is.
Valid enum values are:
description
details
faq
general
legal_disclaimer
other
summaryThe value description indicates the note is a
description of something.
The optional sibling property title MAY have more
information in this case.
The value details indicates the note is a low-level
detailed discussion.
The optional sibling property title MAY have more
information in this case.
The value faq indicates the note is a list of frequently
asked questions.
The value general indicates the note is a general,
high-level note.
The optional sibling property title MAY have more
information in this case.
The value legal_disclaimer indicates the note represents
any possible legal discussion, including constraints, surrounding the
document.
The value other indicates the note is something that
doesn’t fit the other categories.
The optional sibling attribute title SHOULD have more
information to indicate clearly what kind of note to expect in this
case.
The value summary indicates the note is a summary of
something.
The optional sibling property title MAY have more
information in this case.
Group IDs (group_ids) are of value type Product Groups
(product_groups_t) and contain a list of Product Groups the
current note item applies to.
Product IDs (product_ids) are of value type Products
(products_t) and contain a list of Products the current
note item applies to.
Note content (text) of value type string
with 1 or more characters holds the content of the note.
Content varies depending on type.
Title of note (title) of value type string
with 1 or more characters provides a concise description of what
is contained in the text of the note.
Details
Executive summary
Technical summary
Impact on safety systemsThe Product Group ID Type (product_group_id_t) of value
type string with 1 or more characters is a reference token
for product group instances.
The value is a token required to identify a group of products so that it
can be referred to from other parts in the document.
There is no predefined or required format for the Product Group ID
(product_group_id) as long as it uniquely identifies
a product group in the context of the current document.
"product_group_id_t": {
// ...
}, CSAFGID-0001
CSAFGID-0002
CSAFGID-0020Even though the standard does not require a specific format it is recommended to use different prefixes for the Product ID and the Product Group ID to support reading and parsing the document.
List of Product Group ID (product_groups_t) of value
type array with 1 or more unique items (a set)
of type
Product Group ID (product_group_id_t) specifies a list of
product_group_ids to give context to the parent item.
"product_groups_t": {
// ...
"items": {
// ...
}
},The Product ID Type (product_id_t) of value type
string with 1 or more characters is a reference token for
product instances.
The value is a token required to identify a
full_product_name so that it can be referred to from other
parts in the document.
There is no predefined or required format for the Product ID
(product_id) as long as it uniquely identifies a product in
the context of
the current document.
"product_id_t": {
// ...
}, CSAFPID-0004
CSAFPID-0008Even though the standard does not require a specific format it is recommended to use different prefixes for the Product ID and the Product Group ID to support reading and parsing the document.
List of Product IDs (products_t) of value type
array with 1 or more unique items (a set) of
type
Product ID (product_id_t) specifies a list of
product_ids to give context to the parent item.
"products_t": {
// ...
"items": {
// ...
}
},List of references (references_t) of value type
array with 1 or more items of type Reference holds a list
of Reference objects.
"references_t": {
// ...
"items": {
// ...
}
},Value type of every such Reference item is object with
the mandatory properties url and summary
holding any reference to conferences,
papers, advisories, and other resources that are related and considered
related to either a surrounding part of or
the entire document and to be of value to the document consumer.
A reference object MAY provide the optional property
category.
"properties": {
"category": {
// ...
},
"summary": {
// ...
},
"url": {
// ...
}
}Category of reference (category) of value type
string and enum indicates whether the
reference points to the same document or
vulnerability in focus (depending on scope) or to an external
resource.
Valid enum values are:
external
selfThe default value for category is
external.
The value external indicates, that this document is an
external reference to a document or vulnerability in focus (depending on
scope).
The value self indicates, that this document is a
reference to this same document or vulnerability (also depending on
scope).
This includes links to documents with the same content but different file format (e.g. advisories as PDF or HTML).
Summary of the reference (summary) of value type
string with 1 or more characters indicates what this
reference refers to.
URL of reference (url) of value type string
with format uri provides the URL for the reference.
The Version (version_t) type has value type
string with pattern (regular expression):
^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$The version specifies a version string to denote clearly the evolution of the content of the document. There are two options how it can be used:
A CSAF document MUST use only one versioning system.
1
4
0.9.0
1.4.3
2.40.0+21AF26D3Integer versioning increments for each version where the
/document/tracking/status is final the version
number by one.
The regular expression for this type is:
^(0|[1-9][0-9]*)$The following rules apply:
initial_release_date.draft. Anything MAY change at
any time. The document SHOULD NOT be considered stable./document/tracking/status is
final has a version number incremented by one.draft) MUST carry
the new version number.draft and version 1 MAY
be used to indicate that the content is unlikely to change.Semantic versioning derived the rules from [SemVer]. The regular expression for this type is:
^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$The goal of this structure is to provide additional information to the end user whether a new comparison with the asset database is needed. The “public API” in regards to CSAF is the CSAF document with its structure and content. This results in the following rules:
A normal version number MUST take the form X.Y.Z where X, Y, and Z are non-negative integers, and MUST NOT contain leading zeroes. X is the major version, Y is the minor version, and Z is the patch version. Each element MUST increase numerically. For instance: 1.9.0 -> 1.10.0 -> 1.11.0.
Once a versioned document has been released, the contents of that version MUST NOT be modified. Any modifications MUST be released as a new version.
Major version zero (0.y.z) is for initial development before the
initial_release_date.
The document status MUST be draft. Anything MAY change at
any time.
The document SHOULD NOT be considered stable. Changes which would
increment the major version according to rule 7 are
tracked in this stage with (0.y.z) by incrementing the minor version y
instead.
Changes that would increment the minor or patch version according to
rule 6 or 5 are both tracked in this stage with
(0.y.z) by incrementing the patch version z instead.
Version 1.0.0 defines the initial release to the specified target group. The way in which the version number is incremented after this release is dependent on the content and structure of the document and how it changes.
Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced. A bug fix is defined as an internal change that fixes incorrect behavior.
In the context of the document this is the case e.g. for spelling mistakes.
Minor version Y (x.Y.z | x > 0) MUST be incremented if the content of an existing element changes except for those which are covert through rule 7. It MUST be incremented if substantial new information are introduced or new elements are provided. It MAY include patch level changes. Patch version MUST be reset to 0 when minor version is incremented.
Major version X (X.y.z | X > 0) MUST be incremented if a new comparison with the end user’s asset database is required. This includes:
/product_tree or elements which contain
/product_tree in their path/vulnerabilities/vulnerabilities[]/product_status/first_affected/vulnerabilities[]/product_status/known_affected/vulnerabilities[]/product_status/last_affected/vulnerabilities[]/product_status/first_fixed/vulnerabilities[]/product_status/fixed/vulnerabilities[]/product_status/known_not_affectedIt MAY also include minor and patch level changes. Patch and minor version MUST be reset to 0 when major version is incremented.
A pre-release version (document status draft) MAY be
denoted by appending a hyphen and a series of dot separated identifiers
immediately
following the patch version. Identifiers MUST comprise only ASCII
alphanumerics and hyphens [0-9A-Za-z-].
Identifiers MUST NOT be empty. Numeric identifiers MUST NOT include
leading zeroes.
Pre-release versions have a lower precedence than the associated normal
version.
A pre-release version indicates that the version is unstable and might
not satisfy the intended compatibility requirements as
denoted by its associated normal version.
1.0.0-0.3.7
1.0.0-alpha
1.0.0-alpha.1
1.0.0-x-y-z.--
1.0.0-x.7.z.92Pre-release MUST NOT be included if
/document/tracking/status is final.
Build metadata MAY be denoted by appending a plus sign and a series of dot separated identifiers immediately following the patch or pre-release version. Identifiers MUST comprise only ASCII alphanumerics and hyphens [0-9A-Za-z-]. Identifiers MUST NOT be empty. Build metadata MUST be ignored when determining version precedence. Thus two versions that differ only in the build metadata, have the same precedence.
1.0.0+20130313144700
1.0.0+21AF26D3----117B344092BD
1.0.0-alpha+001
1.0.0-beta+exp.sha.5114f85Precedence refers to how versions are compared to each other when ordered.
Precedence MUST be calculated by separating the version into major, minor, patch and pre-release identifiers in that order (Build metadata does not figure into precedence).
Precedence is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically.
1.0.0 < 2.0.0 < 2.1.0 < 2.1.1When major, minor, and patch are equal, a pre-release version has lower precedence than a normal version:
1.0.0-alpha < 1.0.0Precedence for two pre-release versions with the same major, minor, and patch version MUST be determined by comparing each dot separated identifier from left to right until a difference is found as follows:
1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0Note, that the following values do no conform the semantic versioning described above.
Examples 6 (which are invalid):
1.16.13.14-Cor
1.0.0-x-y-z.–
1.0.0+21AF26D3—-117B344092BD
2.5.20+3f93da6b+7cc
3.20.0-00These final four subsections document the four properties of a CSAF
document.
The two mandatory properties $schema and
document, as well as the optional properties
product_tree and vulnerabilities in that
order.
JSON schema ($schema) of value type string
and enum with format uri contains the URL of
the CSAF JSON schema which the document promises to be valid for.
The single valid value for this enum is:
https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.jsonThis value allows for tools to identify that a JSON document is meant to be valid against this schema. Tools can use that to support users by automatically checking whether the CSAF adheres to the JSON schema identified by this URL.
Document level meta-data (document) of value type
object with the 6 mandatory properties Category
(category),
CSAF Version (csaf_version), Distribution
(distribution), Publisher (publisher), Title
(title),
and Tracking (tracking) captures the meta-data about this
document describing a particular set of security advisories.
In addition, the document object MAY provide the 7 optional
properties Acknowledgments (acknowledgments),
Aggregate Severity (aggregate_severity), Language
(lang), License expression
(license_expression), Notes (notes),
References (references), and Source Language
(source_lang).
"document": {
// ...
"properties": {
"acknowledgments": {
// ...
},
"aggregate_severity" : {
// ...
},
"category": {
// ...
},
"csaf_version": {
// ...
},
"distribution": {
// ...
},
"lang": {
// ...
},
"license_expression": {
// ...
},
"notes": {
// ...
},
"publisher": {
// ...
},
"references": {
// ...
},
"source_lang": {
// ...
},
"title": {
// ...
},
"tracking": {
// ...
}
}
},Document acknowledgments (acknowledgments) of value type
Acknowledgments Type (acknowledgments_t) contains
a list of acknowledgment elements associated with the whole
document.
"acknowledgments": {
// ...
},Aggregate severity (aggregate_severity) of value type
object with the mandatory property text
and
the optional property namespace is a vehicle that is
provided by the document producer to convey the urgency and
criticality with which the one or more vulnerabilities reported should
be addressed.
It is a document-level metric and applied to the document as a whole —
not any specific vulnerability.
The range of values in this field is defined according to the document
producer’s policies and procedures.
"aggregate_severity": {
// ...
"properties": {
"namespace": {
// ...
},
"text": {
// ...
}
}
},The Namespace of aggregate severity (namespace) of value
type string with format uri points to the
namespace so referenced.
The Text of aggregate severity (text) of value type
string with 1 or more characters provides a severity which
is
independent of - and in addition to - any other standard metric for
determining the impact or severity of a given vulnerability (such as
CVSS).
Critical
Important
ModerateDocument category (category) with value type
string of 1 or more characters with pattern
(regular expression):
^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$Document category defines a short canonical name, chosen by the document producer, which will inform the end user as to the category of document.
It is directly related to the profiles defined in section 4.
"category": {
// ...
} csaf_base
csaf_security_advisory
csaf_vex
Example Company Security NoticeCSAF version (csaf_version) of value type
string and enum gives the version of the CSAF
specification which the document was generated for.
The single valid value for this enum is:
2.1Rules for sharing document (distribution) of value type
object with the mandatory property Traffic Light Protocol
(TLP) (tlp) and the
optional properties Sharing Group (Sharing Group) and Text
(text) describes any constraints on how this document might
be shared.
"distribution": {
// ...
"properties": {
"sharing_group": {
// ...
},
"text": {
// ...
},
"tlp": {
// ...
}
}
},If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. The Sharing Group SHALL be interpreted as specification to the TLP information. Therefore, the Sharing Group MAY also be used to convey special TLP restrictions:
E-ISAC members-only
Only releasable to European Energy sector
Releasable to NATO countriesNote that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation.
Sharing Group (sharing_group) of value type
object with the mandatory property Sharing Group ID
(id) and
the optional property Sharing Group Name (name) contains
information about the group this document is intended to be shared
with.
"sharing_group": {
// ...
"properties": {
"id": {
// ...
},
"name": {
// ...
}
}
},Sharing Group ID (id) of value type string
with format uuid and pattern (regular
expression):
^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$Sharing Group ID provides the unique ID for the sharing group. This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, e.g. during a Multi-Party Coordinated Vulnerability Disclosure case.
Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered.
The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. It MUST differ if a different sharing group is addressed.
It is assumed that the ID is globally unique, if constructed according to the specification for UUID Version 4.
The ID SHALL be valid according to [RFC9562]
and recorded in the 8-4-4-4-12 notation in lower case.
The ID SHALL be a UUID Version 4 for any closed sharing group,
i.e. TLP:GREEN and above.
The following ID values SHOULD NOT be used unless there are technical reasons for them. Therefore, they are reserved for implementation-specific situations:
TLP:CLEAR CSAF
documents.Note, that both values do not indicate a closed sharing group.
A CSAF document with TLP:CLEAR SHOULD NOT contain a
sharing group value and SHALL NOT contain any other value for the
Sharing Group ID than Max UUID
(ffffffff-ffff-ffff-ffff-ffffffffffff).
If an issuing party distributes multiple versions of a single CSAF
document to different sharing groups, the rules for CSAF modifier
(cf. section sec)
regarding the generation of the value of
/document/tracking/id SHALL be applied.
This implies that usually the sharing group ID is used as a prefix to
the original /document/tracking/id.
Sharing Group Name (name) of value type
string with one or more characters contains a
human-readable name for the sharing group.
The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. However, the following values are reserved for the conditions below:
name SHALL exist and be
Public.name SHALL exist and be
No sharing allowed.The Textual description (text) of value type
string with 1 or more characters provides a textual
description of additional constraints.
Copyright 2024, Example Company, All Rights Reserved.
Distribute freely.
Share only on a need-to-know-basis only.Traffic Light Protocol (TLP) (tlp) of value type
object with the mandatory property Label
(label) and
the optional property URL (url) provides details about the
TLP classification of the document.
"tlp": {
// ...
"properties": {
"label": {
// ...
},
"url": {
// ...
}
}
}The Label of TLP (label) with value type
string and enum provides the TLP label of the
document.
Valid values of the enum are:
AMBER
AMBER+STRICT
CLEAR
GREEN
REDNote: In the TLP specification there are only 4 labels. The part
+STRICTis an extension toTLP:AMBER. To simplify the JSON structure, avoid additional business level tests and aid in parsing, consumption and processing, it is provided as a label to be selected instead of having a separate field.
The default value for label is CLEAR.
Note: This provides the suggested default value for anyone writing CSAF documents as the majority of those are intended to be publicly available.
The URL of TLP version (url) with value type
string with format uri provides a URL where to
find
the textual description of the TLP version which is used in this
document.
The default value is the URL to the definition by FIRST:
https://www.first.org/tlp/ https://www.us-cert.gov/tlp
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdfDocument language (lang) of value type Language Type
(lang_t) identifies the language used by this
document,
corresponding to IETF BCP 47 / RFC 5646.
License expression (license_expression) of value type
string with 1 or more characters contains the SPDX license
expression for the CSAF document.
It MUST NOT contain a license text.
See annex B of [SPDX301] for details.
The DocumentRef part given in that ABNF MUST NOT be used in
CSAF.
Any SPDX license identifier not from the official SPDX license
identifier list MUST contain a prefix of the form
LicenseRef-<license-inventoring-entity>- where
<license-inventoring-entity> is replaced with a
unique name for the entity that provided the
database this license identifier was found in.
The unique name MAY be a domain name.
The same applies for AdditionRef- user defined
identifiers.
In addition, the following rules apply:
License identification:
The SPDX License List Version 3.26.0 or later MUST be consulted
to identify the appropriate SPDX license identifier or
construct an expression based on a SPDX license identifier.
Deprecated license identifiers SHOULD NOT be used.
SPDX license identifiers that were deprecated before the version listed
above MUST NOT be used. > The list is available at https://spdx.org/licenses/.
> It includes also the exceptions.
If the appropriate license identifier is not found in the SPDX
License List or expression been possible to constructed,
the license database AboutCode’s “ScanCode LicenseDB” MUST be consulted
as a next step.
License identifiers from this database MUST use the prefix
LicenseRef-scancode-.
The database is currently available at https://scancode-licensedb.aboutcode.org/.
The construction of a license expression with such an identifier is also allowed.
If the first two steps did not result in an appropriate license
identifier or expression and no extant identifier was found,
the issuing party SHALL create their own license identifier following
the rules above.
The license identifier SHOULD contain the version number of the
license.
The license text MUST be made available through exactly one document
note using the category
legal_disclaimer.
The title MUST be License for English or an
unspecified document language.
For any other language, it SHOULD be the language specific translation
of that term.
License similarity:
CC-BY-4.0
LicenseRef-www.example.org-Example-CSAF-License-3.0+
LicenseRef-scancode-public-domain
MIT OR any-OSIDocument notes (notes) of value type Notes Type
(notes_t) holds notes associated with the whole
document.
"notes": {
// ...
},The following combinations of category and
title have a special meaning and MUST be used as stated
below:
category |
title |
content of text |
|---|---|---|
description |
Product Description | Contains a description of a product given in the
product_tree in regards to field of application and core
functionality. This SHOULD be bound to the corresponding product or
product group. |
general |
General Security Recommendations | Contains general advise and security recommendations that are related, generic and might be independently applicable of the content of the CSAF document. |
legal_disclaimer |
License | Contains the only license text of the document license. |
summary |
Summary | Contains a short summary of the content of the advisory. |
If a note is specific to a product or product group it MUST be bound
via the group_ids respectively
product_ids.
Publisher (publisher) has value type object
with the mandatory properties Category (category), Name
(name) and
Namespace (namespace) and provides information on the
publishing entity.
The 2 other optional properties are: contact_details and
issuing_authority.
"publisher": {
// ...
"properties": {
"category": {
// ...
},
"contact_details": {
// ...
},
"issuing_authority": {
// ...
},
"name": {
// ...
}
"namespace": {
// ...
}
}
},The Category of publisher (category) of value type
string and enum provides information about the
category of
publisher releasing the document.
The valid values are:
coordinator
discoverer
multiplier
other
translator
user
vendorThe value coordinator indicates individuals or
organizations that
manage a single vendor’s response or multiple vendors’ responses to a
vulnerability, a security flaw, or an incident.
This includes all Computer Emergency/Incident Response Teams
(CERTs/CIRTs) or agents acting on the behalf of a researcher.
The value discoverer indicates individuals or
organizations that find vulnerabilities or security weaknesses.
This includes all manner of researchers.
The value multiplier indicates individuals or
organizations that use existing CSAF documents or information that
could
be represented in CSAF, and create their own CSAF documents for
distribution to a specific target audience.
A single multiplier might have target audiences.
For example, a National CSIRT might create different CSAF documents for the same vulnerability for critical infrastructure companies in different sectors, government agencies, non-critical industry, and the public based on information sharing agreements and threats to the target group.
The creation step can make use of a CSAF modifier that replaces metadata, e.g. the document publisher. Currently, this value includes multipliers, republishers, and forwarders.
The value translator indicates individuals or
organizations that translate CSAF documents.
This includes all manner of language translators, also those who work
for the party issuing the original advisory.
The value other indicates a catchall for everyone else.
Currently this includes editors, reviewers,
and miscellaneous contributors.
The value user indicates anyone using a vendor’s
product.
The value vendor indicates developers or maintainers of
information system products or services.
This includes all authoritative product vendors, product security
incident response teams (PSIRTs),
open source projects as well as product resellers and distributors,
including authoritative vendor partners.
Contact details (contact_details) of value type
string with 1 or more characters provides information on
how to contact the publisher,
possibly including details such as web sites, email addresses, phone
numbers, and postal mail addresses.
Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact.Issuing authority (issuing_authority) of value type
string with 1 or more characters Provides information
about
the authority of the issuing party to release the document, in
particular, the party’s constituency and responsibilities or other
obligations.
The Name of publisher (name) of value type
string with 1 or more characters contains the name of the
issuing party.
BSI
Cisco PSIRT
Siemens ProductCERTThe Namespace of publisher (namespace) of value type
string with format uri contains a URL
which
is under control of the issuing party and can be used as a globally
unique identifier for that issuing party.
The URL SHALL be normalized.
An issuing party can choose any URL which fulfills the requirements
state above.
The URL MAY be dereferenceable. If an issuing party has chosen a URL, it
SHOULD NOT change.
Tools can make use of the combination of
/document/publisher/namespace and
/document/tracking/id as it
identifies a CSAF document globally unique.
If an issuing party decides to change its Namespace it SHOULD reissue all CSAF documents with an incremented (patch) version which has no other changes than:
/document/references[] which points
to the new version of the CSAF document/document/references[] which points to
the previous version of the CSAF document (if the URL changed) https://csaf.io
https://www.example.comDocument references (references) of value type
References Type (references_t) holds a list of references
associated with the whole document.
"references": {
// ...
},Source language (source_lang) of value type Language
Type (lang_t) identifies if this copy of the document
is
a translation then the value of this property describes from which
language this document was translated.
The property MUST be present and set for any CSAF document with the
value translator in
/document/publisher/category.
The property SHALL NOT be present if the document was not
translated.
If an issuing party publishes a CSAF document with the same content in more than one language, one of these documents SHOULD be deemed the “original”, the other ones SHOULD be considered translations from the “original”. The issuing party can retain its original publisher information including the
category. However, other rules defined in the conformance clause “CSAF translator” SHOULD be applied.
Title of this document (title) of value type
string with 1 or more characters SHOULD be a canonical name
for the document,
and sufficiently unique to distinguish it from similar documents.
Cisco IPv6 Crafted Packet Denial of Service Vulnerability
Example Company Cross-Site-Scripting Vulnerability in Example GeneratorTracking (tracking) of value type object
with the six mandatory properties: Current Release Date
(current_release_date),
Identifier (id), Initial Release Date
(initial_release_date), Revision History
(revision_history), Status (status),
and Version (version) is a container designated to hold all
management attributes necessary to track a CSAF document as a
whole.
The two optional additional properties are Aliases
(aliases) and Generator (generator).
"tracking": {
// ...
"properties": {
"aliases": {
// ...
},
"current_release_date": {
// ...
},
"generator": {
// ...
},
"id": {
// ...
},
"initial_release_date": {
// ...
},
"revision_history": {
// ...
},
"status": {
// ...
},
"version": {
// ...
}
}
},Aliases (aliases) of value type array with
1 or more unique items (a set) representing Alternate Names
contains a
list of alternate names for the same document.
"aliases": {
// ...
"items": {
// ...
}
},Every such Alternate Name of value type string with 1 or
more characters specifies a non-empty string that represents a
distinct optional alternative ID used to refer to the document.
CVE-2019-12345Current release date (current_release_date) with value
type string with format date-time holds the
date when
the current revision of this document was released.
Document Generator (generator) of value type
object with mandatory property Engine (engine)
and
optional property Date (date) is a container to hold all
elements related to the generation of the document.
These items will reference when the document was actually created,
including the date it was generated and the entity that generated
it.
"generator": {
// ...
"properties": {
"date": {
// ...
},
"engine": {
// ...
}
}
},Date of document generation (date) of value type
string with format date-time SHOULD be the
current date that the document was generated.
Because documents are often generated internally by a document producer
and exist for a nonzero amount of time before being released,
this field MAY be different from the Initial Release Date and Current
Release Date.
Engine of document generation (engine) of value type
object with mandatory property Engine name
(name) and
optional property Engine version (version) contains
information about the engine that generated the CSAF document.
"engine": {
// ...
"properties": {
"name": {
// ...
},
"version": {
// ...
}
}
},Engine name (name) of value type string
with 1 or more characters represents the name of the engine that
generated the CSAF document.
Red Hat rhsa-to-cvrf
Secvisogram
TVCEEngine version (version) of value type
string with 1 or more characters contains the version of
the engine that generated the CSAF document.
Although it is not formally required, the TC suggests to use a versioning which is compatible with Semantic Versioning as described in the external specification [SemVer]. This could help the end user to identify when CSAF consumers have to be updated.
0.6.0
1.0.0-beta+exp.sha.a1c44f85
2Unique identifier for the document (id) of value type
string with 1 or more characters with pattern
(regular expression):
^[\\S](.*[\\S])?$Unique identifier for the document holds the Identifier. It SHALL NOT start or end with a white space and SHALL NOT contain a newline sequence.
The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.
Example Company - 2019-YH3234
RHBA-2019:0024
cisco-sa-20190513-securebootThe combination of
/document/publisher/namespaceand/document/tracking/ididentifies a CSAF document globally unique.
This value is also used to determine the filename for the CSAF document (cf. section 5.1).
Initial release date (initial_release_date) with value
type string with format date-time holds the
date when this document was first released to the specified target
group.
For
TLP:CLEARdocuments, this is usually the timestamp when the document was published. ForTLP:GREENand higher, this is the timestamp when it was first made available to the specific group. Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience.
If the timestamp of the initial release date was set incorrectly, it MUST be corrected. This change MUST be tracked with a new entry in the revision history.
The Revision History (revision_history) with value type
array of 1 or more Revision History Entries holds one
revision item for each version of
the CSAF document, including the initial one.
"revision_history": {
// ...
"items": {
// ...
}
},Each Revision contains all the information elements required to track
the evolution of a CSAF document.
Revision History Entry items are of value type object with
the three mandatory properties: Date (date), Number
(number),
and Summary (summary).
In addition, a Revision MAY expose the optional property
legacy_version.
"properties": {
"date": {
// ...
},
"legacy_version": {
// ...
},
"number": {
// ...
},
"summary": {
// ...
}
}The Date of the revision (date) of value type
string with format date-time states the date
of the revision entry.
Legacy version of the revision (legacy_version) of value
type string with 1 or more characters contains the version
string used
in an existing document with the same content.
This SHOULD be used to aid in the mapping between existing (human-readable) documents which might use a different version scheme and CSAF documents with the same content. It is recommended, to use the CSAF revision number to describe the revision history for any new human-readable equivalent.
The Number (number) has value type Version
(version_t).
The Summary of the revision (summary) of value type
string with 1 or more characters holds a single non-empty
string representing
a short description of the changes.
Each Revision item which has a number of 0
or 0.y.z MUST be removed from the document if the document
status is final.
Versions of the document which are pre-release SHALL NOT have its own
revision item.
All changes MUST be tracked in the item for the next release
version.
Build metadata SHOULD NOT be included in the number of any
revision item.
Document status (status) of value type
string and enum defines the draft status of
the document.
The value MUST be one of the following:
draft
final
interimThe value draft indicates, that this is a pre-release,
intended for issuing party’s internal use only,
or possibly used externally when the party is seeking feedback or
indicating its intentions regarding a specific issue.
The value final indicates, that the issuing party
asserts the content is unlikely to change.
“Final” status is an indication only, and does not preclude
updates.
This SHOULD be used if the issuing party expects no, slow or few
changes.
The value interim indicates, that the issuing party
expects rapid updates.
This SHOULD be used if the expected rate of release for this document is
significant higher than for other documents.
Once the rate slows down it MUST be changed to final. This
MAY be done in a patch version.
This is extremely useful for downstream vendors to constantly inform the end users about ongoing investigation. It can be used as an indication to pull the CSAF document more frequently.
Version has the value type Version (version_t).
Product Tree (product_tree) has value type
object with 1 or more properties is a container for all
fully qualified product names that
can be referenced elsewhere in the document.
The properties are Branches (branches), Full Product Names
(full_product_names), Product Groups
(product_groups),
and Relationships (relationships).
"product_tree": {
// ...
"properties": {
"branches": {
// ...
},
"full_product_names": {
// ...
},
"product_groups": {
// ...
},
"relationships": {
// ...
}
}
},List of branches (branches) has the value type
branches_t.
List of full product names (full_product_names) of value
type array with 1 or more items of type
full_product_name_t contains a
list of full product names.
List of product groups (product_groups) of value type
array with 1 or more items of value type
object contains a list of product groups.
"product_groups": {
// ...
"items": {
// ...
}
},The product group items are of value type object with
the 2 mandatory properties Group ID (group_id) and Product
IDs (product_ids) and
the optional Summary (summary) property.
"properties": {
"group_id": {
// ...
},
"product_ids": {
// ...
},
"summary": {
// ...
}
}The summary of the product group (summary) of value type
string with 1 or more characters gives a short, optional
description of the group.
Products supporting Modbus.
The x64 versions of the operating system.Group ID (group_id) has value type Product Group ID
(product_group_id_t).
List of Product IDs (product_ids) of value type
array with 2 or more unique items of value type Product ID
(product_id_t) lists
the product_ids of those products which known as one group in the
document.
List of relationships (relationships) of value type
array with 1 or more items contains a list of
relationships.
"relationships": {
// ...
"items": {
// ...
}
}The Relationship item is of value type object and has
four mandatory properties: Relationship category
(category),
Full Product Name (full_product_name), Product Reference
(product_reference), and Relates to Product Reference
(relates_to_product_reference).
The Relationship item establishes a link between two existing
full_product_name_t elements,
allowing the document producer to define a combination of two products
that form a new full_product_name entry.
"properties": {
"category": {
// ...
},
"full_product_name": {
// ...
},
"product_reference": {
// ...
},
"relates_to_product_reference": {
// ...
}
}The situation where a need for declaring a Relationship arises, is given when a product is e.g. vulnerable only when installed together with another, or to describe operating system components.
Relationship category (category) of value type
string and enum defines the category of
relationship for the referenced component.
The valid values are:
default_component_of
external_component_of
installed_on
installed_with
optional_component_ofThe value default_component_of indicates that the entity
labeled with one Product ID (e.g. CSAFPID-0001) is a default component
of
an entity with another Product ID (e.g. CSAFPID-0002).
These Product IDs SHOULD NOT be identical to provide minimal
redundancy.
The value external_component_of indicates that the
entity labeled with one Product ID (e.g. CSAFPID-0001) is an external
component of
an entity with another Product ID (e.g. CSAFPID-0002).
These Product IDs SHOULD NOT be identical to provide minimal
redundancy.
The value installed_on indicates that the entity labeled
with one Product ID (e.g. CSAFPID-0001) is installed on a platform
entity with
another Product ID (e.g. CSAFPID-0002).
These Product IDs SHOULD NOT be identical to provide minimal
redundancy.
The value installed_with indicates that the entity
labeled with one Product ID (e.g. CSAFPID-0001) is installed
alongside
an entity with another Product ID (e.g. CSAFPID-0002).
These Product IDs SHOULD NOT be identical to provide minimal
redundancy.
The value optional_component_of indicates that the
entity labeled with one Product ID (e.g. CSAFPID-0001) is an optional
component of
an entity with another Product ID (e.g. CSAFPID-0002).
These Product IDs SHOULD NOT be identical to provide minimal
redundancy.
Full Product Name (full_product_name) of value type Full
Product Name Type (full_product_name_t).
Product Reference (product_reference) of value type
Product ID (product_id_t) holds a Product ID that refers to
the Full Product Name element,
which is referenced as the first element of the relationship.
Relates to Product Reference
(relates_to_product_reference) of value type Product ID
(product_id_t) holds a Product ID that refers to
the Full Product Name element, which is referenced as the second element
of the relationship.
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-908070601",
"name": "Cisco AnyConnect Secure Mobility Client 4.9.04053"
},
{
"product_id": "CSAFPID-908070602",
"name": "Microsoft Windows"
}
],
"relationships": [
{
"product_reference": "CSAFPID-908070601",
"category": "installed_on",
"relates_to_product_reference": "CSAFPID-908070602",
"full_product_name": {
"product_id": "CSAFPID-908070603",
"name": "Cisco AnyConnect Secure Mobility Client 4.9.04053 installed on Microsoft Windows"
}
}
]
}The product
Cisco AnyConnect Secure Mobility Client 4.9.04053"(Product ID:CSAFPID-908070601) and the productMicrosoft Windows(Product ID:CSAFPID-908070602) form together a new product with the separate Product IDCSAFPID-908070603. The latter one can be used to refer to that combination in other parts of the CSAF document. In the preceding example 1, it might be the case thatCisco AnyConnect Secure Mobility Client 4.9.04053"is only vulnerable when installed onMicrosoft Windows.
Vulnerabilities (vulnerabilities) of value type
array with 1 or more objects representing vulnerabilities
and providing 1 or more
properties represents a list of all relevant vulnerability information
items.
"vulnerabilities": {
// ...
"items": {
// ...
}
}The Vulnerability item of value type object with 1 or
more properties is a container for the aggregation of all fields that
are related to
a single vulnerability in the document.
Any vulnerability MAY provide the optional properties Acknowledgments
(acknowledgments), Common Vulnerabilities and Exposures
(CVE) (cve),
Common Weakness Enumeration (CWE) (cwes), Disclosure Date
(disclosure_date), Discovery Date
(discovery_date),
List of first known exploitation dates
(first_known_exploitation_dates), Flags
(flags), IDs (ids), Involvements
(involvements),
Metrics (metrics), Notes (notes), Product
Status (product_status), References
(references), Remediations
(remediations),
Threats (threats), and Title (title).
"properties": {
"acknowledgments": {
// ...
},
"cve": {
// ...
},
"cwes": {
// ...
},
"disclosure_date": {
// ...
},
"discovery_date": {
// ...
},
"first_known_exploitation_dates": {
// ...
},
"flags": {
// ...
},
"ids": {
// ...
},
"involvements": {
// ...
},
"metrics": {
// ...
},
"notes": {
// ...
},
"product_status": {
// ...
},
"references": {
// ...
},
"remediations": {
// ...
},
"threats": {
// ...
},
"title": {
// ...
}
}Vulnerability acknowledgments (acknowledgments) of value
type Acknowledgments Type (acknowledgments_t) contains a
list of
acknowledgment elements associated with this vulnerability item.
"acknowledgments": {
// ...
},CVE (cve) of value type string with
pattern (regular expression):
^CVE-[0-9]{4}-[0-9]{4,}$holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.
List of CWEs (cwes) of value type array
with 1 or more unique items (a set) of value type object
contains a list of CWEs.
"cwes": {
// ...
"items": {
// ...
}
},It is expected that the list of CWEs is ordered from the most specific weakness ID to the least specific one.
Every CWE item of value type object with the 3 mandatory
properties Weakness ID (id), Weakness Name
(name), CWE version (version) holds the
MITRE standard Common Weakness Enumeration (CWE) for the weakness
associated. For more information cf. [CWE].
"properties": {
"id": {
// ...
},
"name": {
// ...
},
"version": {
// ...
}
}The Weakness ID (id) has value type string
with pattern (regular expression):
^CWE-[1-9]\\d{0,5}$It holds the ID for the weakness associated.
CWE-22
CWE-352
CWE-79The Weakness name (name) has value type
string of 1 or more characters with pattern
(regular expression):
^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$The Weakness name holds the full name of the weakness as given in the CWE specification.
Cross-Site Request Forgery (CSRF)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The CWE version (version) has value type
string with pattern (regular expression):
^[1-9]\\d*\\.([0-9]|([1-9]\\d+))(\\.\\d+)?$It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.
"1.0",
"3.4.1",
"4.0",
"4.11",
"4.12"Disclosure date (disclosure_date) of value type
string with format date-time holds the date
and time
the vulnerability was originally disclosed to the public.
For vulnerabilities not yet disclosed to the public, a disclosure
date in the future SHOULD indicate the
intended date for disclosure of the vulnerability.
This is also sometimes called embargo date.
As disclosure dates may change during a vulnerability disclosure
process, an issuing party SHOULD produce an updated CSAF document to
confirm that
the vulnerability was in fact disclosed to the public at that time or
update the disclosure_date with the new intended date in
the future.
Discovery date (discovery_date) of value type
string with format date-time holds the date
and time the vulnerability was originally discovered.
List of first known exploitation dates
(first_known_exploitation_dates) of value type
array with 1 or more unique items (a set) of value
type
object contains a list of dates of first known
exploitations.
"first_known_exploitation_dates": {
// ...
"items": {
// ...
}
},Every First known exploitation date item of value type
object with the 2 mandatory properties Date of the
information (date) and
Date of the exploitation (exploitation_date) holds at least
3 properties and contains information on when this vulnerability
was
first known to be exploited in the wild in the products specified.
At least one of the optional elements Group IDs (group_ids)
and Product IDs (product_ids) MUST be present to state for
which products or
product groups this date is applicable.
This information can be helpful to determine the risk of compromise. It can also be used to provide an indication for the time frame to be considered in a threat hunt for the exploitation this vulnerability.
"properties": {
"date": {
// ...
},
"exploitation_date": {
// ...
},
"group_ids": {
// ...
},
"product_ids": {
// ...
}
}Date of the information (date) of value type
string with format date-time contains the date
when the information was last updated.
Date of the exploitation (exploitation_date) of value
type string with format date-time contains the
date when the exploitation happened.
Different document issuers might have different knowledge about exploitations in the wild that happened. Therefore, the
exploitation_datecan differ.
Group IDs (group_ids) are of value type Product Groups
(product_groups_t) and contain a list of Product Groups the
current
first known exploitation date item applies to.
Product IDs (product_ids) are of value type Products
(products_t) and contain a list of Products the current
first known exploitation date item
applies to.
List of flags (flags) of value type array
with 1 or more unique items (a set) of value type object
contains a list of machine readable flags.
"flags": {
// ...
"items": {
// ...
}
},Every Flag item of value type object with the mandatory
property Label (label) contains product specific
information in regard to
this vulnerability as a single machine readable flag.
For example, this could be a machine readable justification code why a
product is not affected.
At least one of the optional elements Group IDs (group_ids)
and Product IDs (product_ids) MUST be present to state for
which products or
product groups this flag is applicable.
These flags enable the receiving party to automate the selection of actions to take.
In addition, any Flag item MAY provide the three optional properties
Date (date), Group IDs (group_ids) and Product
IDs (product_ids).
"properties": {
"date": {
// ...
},
"group_ids": {
// ...
},
"label": {
// ...
},
"product_ids": {
// ...
}
}Date of the flag (date) of value type
string with format date-time contains the date
when assessment was done or the flag was assigned.
Group IDs (group_ids) are of value type Product Groups
(product_groups_t) and contain a list of Product Groups the
current flag item applies to.
Label of the flag (label) of value type
string and enum specifies the machine readable
label. Valid enum values are:
component_not_present
inline_mitigations_already_exist
vulnerable_code_cannot_be_controlled_by_adversary
vulnerable_code_not_in_execute_path
vulnerable_code_not_presentThe given values reflect the VEX not affected justifications. See [VEX-Justification] for more details. The values MUST be used as follows:
component_not_present: The software is not affected
because the vulnerable component is not in the product.vulnerable_code_not_present: The product is not
affected because the code underlying the vulnerability is not present in
the product.component_not_present, the component in
question is present, but for whatever reason (e.g. compiler
options)vulnerable_code_cannot_be_controlled_by_adversary: The
vulnerable component is present, and the component contains the
vulnerable code.vulnerable_code_not_in_execute_path: The affected code
is not reachable through the execution of the code,inline_mitigations_already_exist: Built-in inline
controls or mitigations prevent an adversary from leveraging the
vulnerability.Product IDs (product_ids) are of value type Products
(products_t) and contain a list of Products the current
flag item applies to.
List of IDs (ids) of value type array with
one or more unique ID items of value type object represents
a list of unique labels or
tracking IDs for the vulnerability (if such information exists).
"ids": {
// ...
"items": {
// ...
}
},Every ID item of value type object with the two
mandatory properties System Name (system_name) and Text
(text) contains a single unique label or
tracking ID for the vulnerability.
"properties": {
"system_name": {
// ...
},
"text": {
// ...
}
}System name (system_name) of value type
string with 1 or more characters indicates the name of the
vulnerability tracking or numbering system.
Cisco Bug ID
GitHub IssueText (text) of value type string with 1 or
more characters is unique label or tracking ID for the vulnerability (if
such information exists).
CSCso66472
oasis-tcs/csaf#210General examples may include an identifier from a vulnerability tracking system that is available to customers, such as:
- a Cisco bug ID,
- a GitHub Issue number,
- an ID from a Bugzilla system, or
- an ID from a public vulnerability database such as the X-Force Database.
The ID MAY be a vendor-specific value but is not to be used to publish the CVE tracking numbers (MITRE standard Common Vulnerabilities and Exposures), as these are specified inside the dedicated CVE element.
List of involvements (involvements) of value type
array with 1 or more unique items (a set) of value type
object contains a list of involvements.
"involvements": {
// ...
"items": {
// ...
}
},Every Involvement item of value type object with the 2
mandatory properties Party (party), Status
(status) and
the 5 optional properties Party contact information
(contact), Date of involvement (date), Group
IDs (group_ids),
Product IDs (product_ids), and Summary
(summary) is a container that allows the document producers
to comment on the level of
involvement (or engagement) of themselves (or third parties) in the
vulnerability identification, scoping, and remediation process.
It can also be used to convey the disclosure timeline.
The ordered tuple of the values of party and
date (if present) SHALL be unique within
involvements.
"properties": {
"contact": {
// ...
},
"date": {
// ...
},
"group_ids" {
// ...
},
"party": {
// ...
},
"product_ids": {
// ...
},
"status": {
// ...
},
"summary": {
// ...
}
}Party contact information (contact) contains the contact
information of the party that was used in this state.
In many cases, that could be an email address.
Date of involvement (date) of value type
string with format date-time holds the date
and time of the involvement entry.
Group IDs (group_ids) are of value type Product Groups
(product_groups_t) and contain a list of Product Groups the
current
involvement item applies to.
Party category (party) of value type string
and enum defines the category of the involved party.
Valid values are:
coordinator
discoverer
other
user
vendorThese values follow the same definitions as given for the publisher category (cf. section 3.2.2.9.1).
Product IDs (product_ids) are of value type Products
(products_t) and contain a list of Products the
current
involvement item applies to.
Party status (status) of value type string
and enum defines contact status of the involved
party.
Valid values are:
completed
contact_attempted
disputed
in_progress
not_contacted
openEach status is mutually exclusive - only one status is valid for a
particular vulnerability at a particular time. As the vulnerability
ages,
a party’s involvement could move from state to state.
However, in many cases, a document producer may choose not to issue CSAF
documents at each state, or simply omit this element altogether.
It is recommended, however, that vendors that issue CSAF documents
indicating an open or in-progress involvement SHOULD eventually expect
to issue
a document containing one of the statuses disputed or
completed as the latest one.
The two vulnerability involvement status states,
contact_attemptedandnot_contactedare intended for use by document producers other than vendors (such as research or coordinating entities).
The value completed indicates that the party asserts
that investigation of the vulnerability is complete.
No additional information, fixes, or documentation from the party about
the vulnerability should be expected to be released.
The value contact_attempted indicates that the document
producer attempted to contact the party.
The value disputed indicates that the party disputes the
vulnerability report in its entirety.
This status SHOULD be used when the party believes that a vulnerability
report regarding a product is completely inaccurate
(that there is no real underlying security vulnerability) or that the
technical issue being reported has no security implications.
The value in_progress indicates that some hotfixes,
permanent fixes, mitigations, workarounds,
or patches may have been made available by the party, but more
information or fixes may be released in the future.
The use of this status by a vendor indicates that future information
from the vendor about the vulnerability is to be expected.
The value not_contacted indicates that the document
producer has not attempted to make contact with the party.
The value open is the default status.
It doesn’t indicate anything about the vulnerability remediation effort
other than the fact that the party has acknowledged awareness of
the vulnerability report.
The use of this status by a vendor indicates that future updates from
the vendor about the vulnerability are to be expected.
Summary of involvement (summary) of value type
string with 1 or more characters contains additional
context regarding what is going on.
List of metrics (metrics) of value type
array with 1 or more unique items (a set) of value type
object Contains metric objects for the current
vulnerability.
"metrics": {
// ...
"items": {
// ...
}
},Every Metric item of value type object with the
mandatory properties content and products and
the optional property source contains all metadata about
the metric including products it applies to and the source and the
content itself.
"properties": {
"content": {
// ...
},
"products": {
// ...
},
"source": {
// ...
}
}Content (content) of value type object with
the optional properties CVSS v2 (cvss_v2), CVSS v3
(cvss_v3), CVSS v4 (cvss_v4), EPSS
(epss), and SSVC v1 (ssvc_v1) specifies
information about (at least one) metric or score for the given products
regarding the current vulnerability.
A Content object has at least 1 property.
"properties": {
"cvss_v2": {
// ...
},
"cvss_v3": {
"oneOf": [
// ...
]
},
"cvss_v4": {
// ...
},
"epss": {
// ...
},
"ssvc_v1": {
// ....
}
}The property CVSS v2 (cvss_v2) holding a CVSS v2.0 value
abiding by the schema at https://www.first.org/cvss/cvss-v2.0.json.
The property CVSS v3 (cvss_v3) holding a CVSS v3.x value
abiding by one of the schemas at https://www.first.org/cvss/cvss-v3.0.json or
https://www.first.org/cvss/cvss-v3.1.json.
The property CVSS v4 (cvss_v4) holding a CVSS v4.0 value
abiding by the schema at https://www.first.org/cvss/cvss-v4.0.json.
The property SSVC v1 (ssvc_v1) holding an SSVC Decision
Point Value Selection v1.0.1 value abiding by the schema at https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json.
The property EPSS (epss) of value type
object with the 3 mandatory properties Percentile
(percentile), Probability (probability) and
EPSS timestamp (timestamp) contains the EPSS data.
"properties": {
"percentile": {
// ...
},
"probability": {
// ...
},
"timestamp": {
// ...
}
}Percentile (percentile) has value type
string with pattern (regular expression):
^(([0]\\.([0-9])+)|([1]\\.[0]+))$The value contains the rank ordering of probabilities from highest to lowest.
Probability (probability) with pattern
(regular expression):
^(([0]\\.([0-9])+)|([1]\\.[0]+))$The value contains the likelihood that any exploitation activity for this Vulnerability is being observed in the 30 days following the given timestamp.
EPSS timestamp (timestamp) of value type
string with format date-time holds the date
and time the EPSS value was recorded.
Product IDs (products) of value type
products_t with 1 or more items indicates for which
products the given content applies.
A metric object SHOULD reflect the associated product’s status (for
example,
a fixed product no longer contains a vulnerability and should have a
CVSS score of 0, or simply no score listed;
the known affected versions of that product can list the vulnerability
score as it applies to them).
Source (source) of value type string with
format uri contains the URL of the source that originally
determined the metric.
If no source is given, then the metric was assigned by the document
author.
For example, this could point to the vendor advisory, discoverer blog post, a multiplier’s assessment or other sources that provide metric information.
Vulnerability notes (notes) of value type Notes Type
(notes_t) holds notes associated with this vulnerability
item.
"notes": {
// ...
},The following combinations of category and
title have a special meaning and MUST be used as stated
below:
category |
title |
content of text |
|---|---|---|
description |
CVE Description | Contains the official and unchanged CVE description for this specific vulnerability. |
description |
Preconditions | Contains a description of the preconditions that have to be fulfilled to be able to exploit the vulnerability, e.g. user account or physical access. |
summary |
Vulnerability Summary | Contains a summary of the vulnerability which is not the official CVE description. |
If a note is specific to a product or product group it MUST be bound
via the group_ids respectively
product_ids.
Product status (product_status) of value type
object with 1 or more properties contains different lists
of product_ids which
provide details on the status of the referenced product related to the
current vulnerability.
The nine defined properties are First affected
(first_affected), First fixed (first_fixed),
Fixed (fixed), Known affected
(known_affected),
Known not affected (known_not_affected), Last affected
(last_affected), Recommended
(recommended),
Under investigation (under_investigation) and Unknown
(unknown) are all of value type Products
(products_t).
"product_status": {
// ...
"properties": {
"first_affected": {
// ...
},
"first_fixed": {
// ...
},
"fixed": {
// ...
},
"known_affected": {
// ...
},
"known_not_affected": {
// ...
},
"last_affected": {
// ...
},
"recommended": {
// ...
},
"under_investigation": {
// ...
},
"unknown": {
// ...
}
}
},First affected (first_affected) of value type Products
(products_t) represents that these are the first versions
of the releases known to be
affected by the vulnerability.
First fixed (first_fixed) of value type Products
(products_t) represents that these versions contain the
first fix for the vulnerability but
may not be the recommended fixed versions.
Fixed (fixed) of value type Products
(products_t) represents that these versions contain a fix
for the vulnerability but
may not be the recommended fixed versions.
Known affected (known_affected) of value type Products
(products_t) represents that these versions are known to be
affected by the vulnerability.
Actions are recommended to remediate or address this vulnerability.
This could include for instance learning more about the vulnerability and context, and/or making a risk-based decision to patch or apply defense-in-depth measures. See
/vulnerabilities[]/remediations,/vulnerabilities[]/notesand/vulnerabilities[]/threatsfor more details.
Known not affected (known_not_affected) of value type
Products (products_t) represents that these versions are
known not to be affected by
the vulnerability.
No remediation is required regarding this vulnerability.
This could for instance be because the code referenced in the vulnerability is not present, not exposed, compensating controls exist, or other factors. See
/vulnerabilities[]/flagsand/vulnerabilities[]/threatsin categoryimpactfor more details.
Last affected (last_affected) of value type Products
(products_t) represents that these are the last versions in
a release train known to be
affected by the vulnerability. Subsequently released versions would
contain a fix for the vulnerability.
Recommended (recommended) of value type Products
(products_t) represents that these versions have a fix for
the vulnerability and are
the vendor-recommended versions for fixing the vulnerability.
Under investigation (under_investigation) of value type
Products (products_t) represents that it is not known yet
whether these versions are or
are not affected by the vulnerability.
However, it is still under investigation - the result will be provided
in a later release of the document.
Unknown (unknown) of value type Products
(products_t) represents that it is not known whether these
versions are or are not affected by the
vulnerability.
There is also no investigation and therefore the status might never be
determined.
The individual properties form the following product status groups:
Affected:
/vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]Not affected:
/vulnerabilities[]/product_status/known_not_affected[]Fixed:
/vulnerabilities[]/product_status/first_fixed[]
/vulnerabilities[]/product_status/fixed[]Under investigation:
/vulnerabilities[]/product_status/under_investigation[]Unknown:
/vulnerabilities[]/product_status/unknown[]As the aforementioned product status groups contradict each other, the sets formed by the contradicting groups within one vulnerability item MUST be pairwise disjoint.
Note: An issuer might recommend (
/vulnerabilities[]/product_status/recommended) a product version from any group - also from the affected group, i.e. if it was discovered that fixed versions introduce a more severe vulnerability.
Vulnerability references (references) of value type
References Type (references_t) holds a
list of references associated with this vulnerability item.
"references": {
// ...
},List of remediations (remediations) of value type
array with 1 or more Remediation items of value type
object contains a list of remediations.
"remediations": {
// ...
"items": {
// ...
}
},Every Remediation item of value type object with the 2
mandatory properties Category (category) and
Details (details) specifies details on how to handle (and
presumably, fix) a vulnerability.
At least one of the optional elements Group IDs (group_ids)
and Product IDs (product_ids) MUST be present to state for
which
products or product groups this remediation is applicable.
In addition, any Remediation MAY expose the six optional properties
Date (date), Entitlements (entitlements),
Group IDs (group_ids),
Product IDs (product_ids), Restart required
(restart_required), and URL (url).
"properties": {
"category": {
// ...
},
"date": {
// ...
},
"details": {
// ...
},
"entitlements": {
// ...
},
"group_ids": {
// ...
},
"product_ids": {
// ...
},
"restart_required": {
// ...
},
"url": {
// ...
}
}Category of the remediation (category) of value type
string and enum specifies the category which
this remediation belongs to.
Valid values are:
fix_planned
mitigation
no_fix_planned
none_available
optional_patch
vendor_fix
workaroundThe value workaround indicates that the remediation
contains information about a configuration or specific deployment
scenario that
can be used to avoid exposure to the vulnerability. There MAY be none,
one, or more workarounds available.
This is typically the “first line of defense” against a new
vulnerability before a mitigation or vendor fix has been issued or even
discovered.
The value mitigation indicates that the remediation
contains information about a configuration or deployment scenario
that
helps to reduce the risk of the vulnerability but that does not resolve
the vulnerability on the affected product.
Mitigations MAY include using devices or access controls external to the
affected product.
Mitigations MAY or MAY NOT be issued by the original author of the
affected product,
and they MAY or MAY NOT be officially sanctioned by the document
producer.
The value vendor_fix indicates that the remediation
contains information about an official fix that
is issued by the original author of the affected product.
Unless otherwise noted, it is assumed that this fix fully resolves the
vulnerability.
The value optional_patch indicates that the remediation
contains information about an patch that
is issued by the original author of the affected product.
Its application is not necessary, but might be desired by the user,
e.g. to calm a security scanner by
updating a dependency to a fixed version even though the dependency in
the affected version was used
in the product in a way that the product itself was not affected.
Unless otherwise noted, it is assumed that this does not change the
state regarding the vulnerability.
This is sometimes also referred to as a “regulatory compliance patch”.
The value none_available indicates that there is
currently no fix or other remediation available.
The text in field details SHOULD contain details about why
there is no fix or other remediation.
The value fix_planned indicates that there is a fix for
the vulnerability planned but not yet ready.
An issuing party might choose to use this category to announce that a
fix is currently developed.
The text in field details SHOULD contain details including
a date when a customer can expect the fix to be ready and
distributed.
The value no_fix_planned indicates that there is no fix
for the vulnerability and it is not planned to provide one at any
time.
This is often the case when a product has been orphaned, declared
end-of-life, or otherwise deprecated.
The text in field details SHOULD contain details about why
there will be no fix issued.
Some category values contradict each other and thus are mutually exclusive per product. Therefore, such a combination MUST NOT be used in the list of remediations for the same product. This is independent from whether the product is referenced directly or indirectly through a product group. The following tables shows the allowed and prohibited combinations:
| category value | workaround |
mitigation |
vendor_fix |
optional_patch |
none_available |
fix_planned |
no_fix_planned |
|---|---|---|---|---|---|---|---|
workaround |
allowed | allowed | allowed | prohibited | prohibited | allowed | allowed |
mitigation |
allowed | allowed | allowed | prohibited | prohibited | allowed | allowed |
vendor_fix |
allowed | allowed | allowed | prohibited | prohibited | prohibited | prohibited |
optional_patch |
prohibited | prohibited | prohibited | allowed | prohibited | prohibited | prohibited |
none_available |
prohibited | prohibited | prohibited | prohibited | allowed | prohibited | prohibited |
fix_planned |
allowed | allowed | prohibited | prohibited | prohibited | allowed | prohibited |
no_fix_planned |
allowed | allowed | prohibited | prohibited | prohibited | prohibited | allowed |
Some category values contradict certain product status groups. Therefore, such a combination MUST NOT exist in a vulnerability item for the same product. This is independent from whether the product is referenced directly or indirectly through a product group. The following tables shows the allowed, discouraged and prohibited combinations:
| category value | Affected | Not Affected | Fixed | Under Investigation | Unknown | Recommended |
|---|---|---|---|---|---|---|
workaround |
allowed | prohibited | prohibited | discouraged | discouraged | allowed |
mitigation |
allowed | prohibited | prohibited | discouraged | discouraged | allowed |
vendor_fix |
allowed | prohibited | prohibited | discouraged | discouraged | allowed |
optional_patch |
prohibited | allowed | discouraged | allowed | allowed | allowed |
none_available |
allowed | prohibited | prohibited | allowed | allowed | allowed |
fix_planned |
allowed | discouraged | prohibited | discouraged | discouraged | allowed |
no_fix_planned |
allowed | discouraged | prohibited | allowed | allowed | allowed |
Date of the remediation (date) of value type
string with format date-time contains the date
from which the remediation is available.
Details of the remediation (details) of value type
string with 1 or more characters contains a thorough
human-readable discussion of the remediation.
List of entitlements (entitlements) of value type
array with 1 or more items of type Entitlement of the
remediation as string with
1 or more characters contains a list of entitlements.
"entitlements": {
// ....
"items": {
// ...
}
},Every Entitlement of the remediation contains any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.
Group IDs (group_ids) are of value type Product Groups
(product_groups_t) and contain a list of
Product Groups the current remediation item applies to.
Product IDs (product_ids) are of value type Products
(products_t) and contain a list of Products the current
remediation item applies to.
Restart required by remediation (restart_required) of
value type object with the 1 mandatory property Category
(category) and
the optional property Details (details) provides
information on category of restart is required by this remediation to
become effective.
"restart_required": {
// ...
"properties": {
"category": {
// ...
}
"details": {
// ...
}
}
},Category of restart (category) of value type
string and enum specifies what category of
restart is required by
this remediation to become effective.
Valid values are:
connected
dependencies
machine
none
parent
service
system
vulnerable_component
zoneThe values MUST be used as follows:
none: No restart required.vulnerable_component: Only the vulnerable component (as
given by the elements of product_ids or
group_ids in the current remediation item)service: The vulnerable component and the background
service used by the vulnerable component need to be restarted.parent: The vulnerable component and its parent process
need to be restarted. This could be the case if the parent process has
no build-in waydependencies: The vulnerable component and all
components which require the vulnerable component to work need to be
restarted.connected: The vulnerable component and all components
connected (via network or any type of inter-process communication)machine: The machine on which the vulnerable component
is installed on needs to be restarted.zone: The security zone in which the machine resides on
which the vulnerable component is installed needs to be restarted.system: The whole system which the machine resides on
which the vulnerable component is installed needs to be restarted.Additional restart information (details) of value type
string with 1 or more characters provides additional
information for the restart.
This can include details on procedures, scope or impact.
URL (url) of value type string with format
uri contains the URL where to obtain the remediation.
List of threats (threats) of value type
array with 1 or more items of value type
object contains
information about a vulnerability that can change with time.
"threats": {
// ...
"items": {
// ...
}
},Every Threat item of value type object with the two
mandatory properties Category (category) and Details
(details) contains
the vulnerability kinetic information.
This information can change as the vulnerability ages and new
information becomes available.
In addition, any Threat item MAY expose the three optional properties
Date (date), Group IDs (group_ids), and
Product IDs (product_ids).
"properties": {
"category": {
// ...
}
"date": {
// ...
},
"details": {
// ...
},
"group_ids": {
// ...
},
"product_ids": {
// ...
}
}Category of the threat (category) of value type
string and enum categorizes the threat
according to the rules of the specification.
Valid values are:
exploit_status
impact
target_setThe value exploit_status indicates that the
details field contains a description of the degree to which
an exploit for the vulnerability is known.
This knowledge can range from information privately held among a very
small group to an issue that has been described to the public at
a major conference or is being widely exploited globally.
For consistency and simplicity, this section can be a mirror image of
the CVSS exploitMaturity (v4.0),
respectively exploitCodeMaturity (v3.1 and v3.0) or
exploitability (v2.0) metric.
However, it can also contain a more contextual status, such as
“Weaponized” or “Functioning Code”.
The value impact indicates that the details
field contains an assessment of the impact on the user or the target set
if
the vulnerability is successfully exploited or a description why it
cannot be exploited.
If applicable, for consistency and simplicity, this section can be a
textual summary of the three CVSS impact metrics.
These metrics measure how a vulnerability detracts from the three core
security properties of an information system:
Confidentiality, Integrity, and Availability.
The value target_set indicates that the
details field contains a description of
the currently known victim population in whatever terms are
appropriate.
Such terms MAY include: operating system platform, types of products,
user segments, and geographic distribution.
Date of the threat (date) of value type
string with format date-time contains the date
when the assessment was done or the threat appeared.
Details of the threat (details) of value type
string with 1 or more characters represents a thorough
human-readable discussion of the threat.
Group IDs (group_ids) are of value type Product Groups
(product_groups_t) and contain a list of Product Groups the
current threat item applies to.
Product IDs (product_ids) are of value type Products
(products_t) and contain a list of Products the current
threat item applies to.
Title (title) has value type string with 1
or more characters and gives the document producer the ability to apply
a canonical name or
title to the vulnerability.
CSAF documents do not have many required fields as they can be used
for different purposes.
To ensure a common understanding of which fields are required in a given
use case the standard defines profiles.
Each subsection describes such a profile by describing necessary content
for that specific use case and providing insights into its
purpose.
The value of /document/category is used to identify a CSAF
document’s profile. The following rules apply:
/document/category starting with
csaf_ are reserved for existing, past, upcoming and future
profiles defined in the CSAF standard./document/category starting with
csaf_deprecated_ are used for official profiles that are
marked deprecated./document/category that do not match any of
the values defined in section 4 of this standard
SHALL be validated againstThis profile defines the default required fields for any CSAF document. Therefore, it is a “catch all” for CSAF documents that do not satisfy any other profile. Furthermore, it is the foundation all other profiles are build on.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “CSAF Base”:
/$schema/document/category/document/csaf_version/document/distribution/tlp/label/document/publisher/category/document/publisher/name/document/publisher/namespace/document/title/document/tracking/current_release_date/document/tracking/id/document/tracking/initial_release_date/document/tracking/revision_history[]/date/document/tracking/revision_history[]/number/document/tracking/revision_history[]/summary/document/tracking/status/document/tracking/version/document/category SHALL NOT be equal to
any value that is intended to only be used by another profile nor to
thecsaf_base SHOULD be used.Neither
CSAF Security Advisorynorcsaf security advisoryare valid values for/document/category.
An issuing party might choose to set
/document/publisher/name in front of a value that is
intended to only be used by another
profile to state that the CSAF document does not use the profile
associated with this value.
In this case, the (case insensitive) string “CSAF” MUST be removed from
the value.
This SHOULD be done if the issuing party is unable or unwilling to use
the value csaf_base, e.g. due to legal or cooperate
identity reasons.
Both values
Example Company Security AdvisoryandExample Company security_advisoryin/document/categoryuse the profile “CSAF Base”. This is important to prepare forward compatibility as later versions of CSAF might add new profiles. Therefore, the values which can be used for the profile “CSAF Base” might change.
This profile SHOULD be used to provide a response to a security breach or incident. This MAY also be used to convey information about an incident that is unrelated to the issuing party’s own products or infrastructure.
Example Company might use a CSAF document satisfying this profile to respond to a security incident at ACME Inc. and the implications on its own products and infrastructure.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “Security incident response”:
/document/notes with at least one item which has a
category of description, details,
general or summary/document/references with at least one item which has a
category of external/document/category SHALL be
csaf_security_incident_response.This profile SHOULD be used to provide information which are not related to a vulnerability but e.g. a misconfiguration.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “Informational Advisory”:
/document/notes with at least one item which has a
category of description, details,
general or summary/document/references with at least one item which has a
category of external/document/category SHALL be
csaf_informational_advisory./vulnerabilities SHALL NOT exist./vulnerabilities the CSAF document SHOULD use another
profile,If the element /product_tree exists, a user MUST assume
that all products mentioned are affected.
This profile SHOULD be used to provide information which is related to vulnerabilities and corresponding remediations.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “Security Advisory”:
/product_tree which lists all products referenced later
on in the CSAF document regardless of their state./vulnerabilities which lists all vulnerabilities./vulnerabilities[]/notes/vulnerabilities[]/product_status/vulnerabilities[]/product_status/known_affected/vulnerabilities[]/product_status/fixed, the corresponding
affected version SHALL be given.branches element./document/category SHALL be
csaf_security_advisory./vulnerabilities[]/product_status/fixed/vulnerabilities[]/remediationsThis profile SHOULD be used to provide information of the “Vulnerability Exploitability eXchange”. The main purpose of the VEX format is to state that and why a certain product is, or is not, affected by a vulnerability. See [VEX] for details.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “VEX”:
/product_tree which lists all products referenced later
on in the CSAF document regardless of their state./vulnerabilities which lists all vulnerabilities./vulnerabilities[]/product_status/fixed/vulnerabilities[]/product_status/known_affected/vulnerabilities[]/product_status/known_not_affected/vulnerabilities[]/product_status/under_investigation/vulnerabilities[]/cve/vulnerabilities[]/ids/vulnerabilities[]/notes/vulnerabilities[]/product_status/known_not_affected an
impact statement SHALL exist as machine readable flag/vulnerabilities[]/flags or as human readable
justification in /vulnerabilities[]/threats.category value for such a statement
MUST be impact and the details field SHALL
contain/vulnerabilities[]/product_status/known_affected
additional product specific information SHALL be provided/vulnerabilities[]/remediations as an action
statement./vulnerabilities[]/notes and
/vulnerabilities[]/threats.no_fix_planned and
none_available for an action statement is permitted.remediations and threats
object.known_not_affected MUST have
anknown_affected MUST have additional product specific
information/document/category SHALL be
csaf_vex.This profile MAY be used to provide information which is related to vulnerabilities and corresponding remediations, e.g. when converting CSAF documents from older CSAF versions or a human-readable format. It SHOULD NOT be used for newly created documents. The profile “Security Advisory” from section [sec]{profiles-profile-4-security-advisory} SHOULD be used instead.
The definition of the profile “Deprecated Security Advisory” in CSAF 2.1 matches the definition of profile “Security Advisory” in CSAF 2.0.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “Deprecated Security Advisory”:
/product_tree which lists all products referenced later
on in the CSAF document regardless of their state./vulnerabilities which lists all vulnerabilities./vulnerabilities[]/notes/vulnerabilities[]/product_status/document/category SHALL be
csaf_deprecated_security_advisory.This profile MUST be used for any CSAF document that is withdrawn. It MUST NOT be used for any superseded document.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “Withdrawn”:
The following elements MUST exist and be valid:
all elements required by the profile “CSAF Base”.
/document[]/notes with exactly one item using the
category description
describing the original content and the reasons for the withdrawal
Other items, such as a legal disclaimer, may exist alongside the required one.
The title MUST be Reasoning for Withdrawal
for English or an unspecified document language.
For any other language, it SHOULD be the language specific translation
of that term.
/document/tracking/revision_history with at least 2
entries. Any previous items MUST NOT be removed.
> A CSAF document cannot be withdrawn during the initial release to
its specified target group.
> In such case, the CSAF document should not be released at
all.
> If it was shared previously in draft status, then the
/document/tracking/status is kept in
draft.
The value of /document/category SHALL be
csaf_withdrawn.
The elements /product_tree and
/vulnerabilities SHALL NOT exist.
The CSAF document MAY link to additional information through
/document/references.
This profile MUST be used for any CSAF document that is superseded. It MUST NOT be used for any withdrawn document.
A CSAF document SHALL fulfill the following requirements to satisfy the profile “Superseded”:
The following elements MUST exist and be valid:
all elements required by the profile “CSAF Base”.
/document[]/notes with exactly one item using the
category description
Other items, such as a legal disclaimer, may exist alongside the required one.
The title MUST be
Reasoning for Supersession for English or an unspecified
document language.
For any other language, it SHOULD be the language specific translation
of that term.
/document/tracking/revision_history with at least 2
entries. Any previous items MUST NOT be removed.
> A CSAF document cannot be superseded during the initial release to
its specified target group.
> In such case, the CSAF document should not be released at
all.
> If it was shared previously in draft status, then the
/document/tracking/status is kept in
draft.
/document/references containing at least one item
with category external
The summary MUST start with
Superseding Document for English or an unspecified document
language.
For any other language, it SHOULD be the language specific translation
of that term.
The value of /document/category SHALL be
csaf_superseded.
The elements /product_tree and
/vulnerabilities SHALL NOT exist.
This section provides additional rules for handling CSAF documents.
The following rules MUST be applied to determine the filename for the CSAF document:
/document/tracking/id is converted into lower
case._):
+ (0x2B), -
(0x2D)[^+\-a-z0-9]+ can be used to find a
character sequence which has to be replaced by an underscore._ (0x5F) is a valid
character in the filename it is replaced to avoid situations/document/tracking/id with the value
2022_#01-A is converted into 2022_01-a instead
of 2022__01-a..json MUST be appended. cisco-sa-20190513-secureboot.json
example_company_-_2019-yh3234.json
rhba-2019_0024.jsonIt is currently considered best practice to indicate that a CSAF document is invalid by inserting
_invalidinto the filename in front of the file extension.
cisco-sa-20190513-secureboot_invalid.json
example_company_-_2019-yh3234_invalid.json
rhba-2019_0024_invalid.jsonIf multiple CSAF documents are transported via a data stream in a sequence without requests inbetween, they MUST be separated by the Record Separator in accordance with [RFC7464].
The keys within a CSAF document SHOULD be sorted alphabetically.
The use of GitHub-flavoured Markdown is permitted in the following fields:
/document/acknowledgments[]/summary
/document/distribution/text
/document/notes[]/text
/document/publisher/issuing_authority
/document/references[]/summary
/document/tracking/revision_history[]/summary
/product_tree/product_groups[]/summary
/vulnerabilities[]/acknowledgments[]/summary
/vulnerabilities[]/involvements[]/summary
/vulnerabilities[]/notes[]/text
/vulnerabilities[]/references[]/summary
/vulnerabilities[]/remediations[]/details
/vulnerabilities[]/remediations[]/entitlements[]
/vulnerabilities[]/remediations[]/restart_required/details
/vulnerabilities[]/threats[]/detailsOther fields MUST NOT contain Markdown.
The /product_tree uses a nested structure for
branches. Along a single path to a leaf, the recursion of
branches is limited to 30 repetitions. Therefore, the
longest path to a leaf is:
/product_tree/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/productIf a product consists of hardware and software, the hardware part MUST be presented as one product in the product tree and the software part as another one. To form the overall product, both parts MUST be combined through a relationship.
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "Example Company Controller A 1.0",
"product_id": "CSAFPID-908070601",
"product_identification_helper": {
"serial_numbers": [
"143-D-354"
]
}
}
}
],
"category": "product_name",
"name": "Controller A"
},
{
"branches": [
{
"category": "product_version",
"name": "4.1",
"product": {
"name": "Example Company Controller A Firmware 4.1",
"product_id": "CSAFPID-908070602",
"product_identification_helper": {
"hashes": [
{
"file_hashes": [
{
"algorithm": "sha256",
"value": "3fb9d502d096b1dfbcdfe60eed80ddecd98c8771bf21a82bbe1752735c4dc9e2"
}
],
"filename": "a_4-1.bin"
}
]
}
}
},
{
"category": "product_version",
"name": "4.2",
"product": {
"name": "Example Company Controller A Firmware 4.2",
"product_id": "CSAFPID-908070603",
"product_identification_helper": {
"hashes": [
{
"file_hashes": [
{
"algorithm": "sha256",
"value": "0a853ce2337f0608489ac596a308dc5b7b19d35a52b10bf31261586ac368b175"
}
],
"filename": "a_4-2.bin"
}
]
}
}
}
],
"category": "product_name",
"name": "Controller A Firmware"
}
],
"category": "vendor",
"name": "Example Company"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Example Company Controller A Firmware 4.1 installed on Example Company Controller A 1.0",
"product_id": "CSAFPID-908070604"
},
"product_reference": "CSAFPID-908070602",
"relates_to_product_reference": "CSAFPID-908070601"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Example Company Controller A Firmware 4.2 installed on Example Company Controller A 1.0",
"product_id": "CSAFPID-908070605"
},
"product_reference": "CSAFPID-908070603",
"relates_to_product_reference": "CSAFPID-908070601"
}
]
}This requirement is important to allow for correct matching. The serial number
143-D-354identifies theExample Company Controller A 1.0which is in this example the hardware in its version 1.0. The hash3fb9d502d096b1dfbcdfe60eed80ddecd98c8771bf21a82bbe1752735c4dc9e2identifies the software in the version 4.1; the hash0a853ce2337f0608489ac596a308dc5b7b19d35a52b10bf31261586ac368b175identifies the software in the version 4.2. The relationships combine the software and hardware part and form new products. These are used e.g. to assign the product status in the vulnerability section.A matching tool searches in a first step for the product identification helper, e.g the serial number in an asset database to identify the asset that has this specific hardware and matches the software separately in a second step.
Representing the software version as a child element under elements representing hardware unsettles the consumer whether the version applies to the software or hardware. Also, this would violate the rule regarding the full identification of a product by the
product_identification_helperfrom section 3.1.3.3.Based on the CVE statistics up to and including the year 2024, in the majority of cases the vulnerabilities reside in software or are remediated via software. Having multiple products with the same
product_identification_helperin differentproduct_statusfor the same vulnerability would make it undecidable for machines what theproduct_statusactually is.
The first three subsections list a number of tests which all will have a short description and an excerpt of an example which fails the test. The forth subsection groups tests into preset.
Mandatory tests MUST NOT fail at a valid CSAF document. A program MUST handle a test failure as an error.
For each element of type /$defs/product_id_t which is
not inside a Full Product Name (type: full_product_name_t)
and
therefore reference an element within the product_tree it
MUST be tested that the Full Product Name element with the matching
product_id exists.
The same applies for all items of elements of type
/$defs/products_t.
The relevant paths for this test are:
/document/notes[]/product_ids[]
/product_tree/product_groups[]/product_ids[]
/product_tree/relationships[]/product_reference
/product_tree/relationships[]/relates_to_product_reference
/vulnerabilities[]/involvements[]/product_ids[]
/vulnerabilities[]/flags[]/product_ids[]
/vulnerabilities[]/metrics[]/products[]
/vulnerabilities[]/notes[]/product_ids[]
/vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/first_fixed[]
/vulnerabilities[]/product_status/fixed[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/known_not_affected[]
/vulnerabilities[]/product_status/last_affected[]
/vulnerabilities[]/product_status/recommended[]
/vulnerabilities[]/product_status/under_investigation[]
/vulnerabilities[]/remediations[]/product_ids[]
/vulnerabilities[]/threats[]/product_ids[]Example 1 (which fails the test):
"product_tree": {
"product_groups": [
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701"
]
}
]
}Neither
CSAFPID-9080700norCSAFPID-9080701were defined in theproduct_tree.
For each Product ID (type /$defs/product_id_t) in Full
Product Name elements (type: /$defs/full_product_name_t)
it
MUST be tested that the product_id was not already defined
within the same document.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_id
/product_tree/full_product_names[]/product_id
/product_tree/relationships[]/full_product_name/product_idExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080700",
"name": "Product B"
}
]
}
CSAFPID-9080700was defined twice.
For each new defined Product ID (type
/$defs/product_id_t) in items of relationships
(/product_tree/relationships) it
MUST be tested that the product_id does not end up in a
circle.
The relevant path for this test is:
/product_tree/relationships[]/full_product_name/product_idAs this can be quite complex a program for large CSAF documents, a program could check first whether a Product ID defined in a relationship item is used as
product_referenceorrelates_to_product_reference. Only for those which fulfill this condition it is necessary to run the full check following the references.
Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Product B",
"product_id": "CSAFPID-9080701"
},
"product_reference": "CSAFPID-9080700",
"relates_to_product_reference": "CSAFPID-9080701"
}
]
}
CSAFPID-9080701refers to itself - this is a circular definition.
For each element of type /$defs/product_group_id_t which
is not inside a Product Group
(/product_tree/product_groups[]) and
therefore reference an element within the product_tree it
MUST be tested that the Product Group element with the matching
group_id exists.
The same applies for all items of elements of type
/$defs/product_groups_t.
The relevant paths for this test are:
/document/notes[]/group_ids[]
/vulnerabilities[]/flags[]/group_ids[]
/vulnerabilities[]/involvements[]/group_ids[]
/vulnerabilities[]/notes[]/group_ids[]
/vulnerabilities[]/remediations[]/group_ids[]
/vulnerabilities[]/threats[]/group_ids[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"threats": [
{
"category": "exploit_status",
"details": "Reliable exploits integrated in Metasploit.",
"group_ids": [
"CSAFGID-1020301"
]
}
]
}
]
CSAFGID-1020301was not defined in the Product Tree.
For each Product Group ID (type
/$defs/product_group_id_t) Product Group elements
(/product_tree/product_groups[]) it
MUST be tested that the group_id was not already defined
within the same document.
The relevant path for this test is:
/product_tree/product_groups[]/group_idExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701"
]
},
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080702"
]
}
]
}
CSAFGID-1020300was defined twice.
For each item in /vulnerabilities it MUST be tested that
the same Product ID is not member of contradicting product status
groups.
The sets formed by the contradicting groups within one vulnerability
item MUST be pairwise disjoint.
The relevant path for this test is:
/vulnerabilities[]/product_statusExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700"
],
"known_not_affected": [
"CSAFPID-9080700"
]
}
}
]
CSAFPID-9080700is a member of the two contradicting groups “Affected” and “Not affected”.
For each item in /vulnerabilities it MUST be tested that
the same Product ID is not member of more than one CVSS-Vectors with the
same version and same source.
Different source might assign different scores for the same product.
The relevant path for this test is:
/vulnerabilities[]/metrics[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"metrics": [
{
"content": {
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10,
"baseSeverity": "CRITICAL"
}
}
"products": [
"CSAFPID-9080700"
]
},
{
"content": {
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
}
"products": [
"CSAFPID-9080700"
]
}
]
}
]Two CVSS v3.1 scores are given for
CSAFPID-9080700by the document author.
It MUST be tested that the given CVSS object is valid according to the referenced schema.
The relevant paths for this test are:
/vulnerabilities[]/metrics[]/content/cvss_v2
/vulnerabilities[]/metrics[]/content/cvss_v3
/vulnerabilities[]/metrics[]/content/cvss_v4Example 1 (which fails the test):
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 6.5
}The required element
baseSeverityis missing.
A tool MAY add one or more of the missing properties
version,baseScoreandbaseSeveritybased on the values given invectorStringas quick fix.
It MUST be tested that the given CVSS object has the values computed correctly according to the definition.
The
vectorStringSHOULD take precedence.
The relevant paths for this test are:
/vulnerabilities[]/metrics[]/content/cvss_v2/baseScore
/vulnerabilities[]/metrics[]/content/cvss_v2/temporalScore
/vulnerabilities[]/metrics[]/content/cvss_v2/environmentalScore
/vulnerabilities[]/metrics[]/content/cvss_v3/baseScore
/vulnerabilities[]/metrics[]/content/cvss_v3/baseSeverity
/vulnerabilities[]/metrics[]/content/cvss_v3/temporalScore
/vulnerabilities[]/metrics[]/content/cvss_v3/temporalSeverity
/vulnerabilities[]/metrics[]/content/cvss_v3/environmentalScore
/vulnerabilities[]/metrics[]/content/cvss_v3/environmentalSeverity
/vulnerabilities[]/metrics[]/content/cvss_v4/baseScore
/vulnerabilities[]/metrics[]/content/cvss_v4/baseSeverity
/vulnerabilities[]/metrics[]/content/cvss_v4/threatScore
/vulnerabilities[]/metrics[]/content/cvss_v4/threatSeverity
/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore
/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverityExample 1 (which fails the test):
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 10.0,
"baseSeverity": "LOW"
}Neither
baseScorenorbaseSeverityhas the correct value according to the specification.
A tool MAY set the correct values as computed according to the specification as quick fix.
It MUST be tested that the given CVSS properties do not contradict the CVSS vector.
The relevant paths for this test are:
/vulnerabilities[]/metrics[]/content/cvss_v2
/vulnerabilities[]/metrics[]/content/cvss_v3
/vulnerabilities[]/metrics[]/content/cvss_v4Example 1 (which fails the test):
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "LOW"
}The values in CVSS vector differs from values of the properties
attackVector,scopeandavailabilityImpact.
A tool MAY overwrite contradicting values according to the
vectorStringas quick fix.
For each CWE it MUST be tested that the given CWE exists and is valid
in the version provided.
Any id that refers to a CWE Category or View MUST fail the
test.
The relevant path for this test is:
/vulnerabilities[]/cwes[]Example 1 (which fails the test):
"cwes": [
{
"id": "CWE-79",
"name": "Improper Input Validation",
"version": "4.13"
}
]The
CWE-79exists. However, its name in version4.13isImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
For each element of type /$defs/lang_t it MUST be tested
that the language code is valid and exists.
The relevant paths for this test are:
/document/lang
/document/source_langExample 1 (which fails the test):
"lang": "EZ"
EZis not a valid language. It is the subtag for the region “Eurozone”.
For any deprecated subtag, a tool MAY replace it with its preferred value as a quick fix.
It MUST be tested that all given purls are valid.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/purls[]
/product_tree/full_product_names[]/product_identification_helper/purls[]
/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"name": "Product A",
"product_id": "CSAFPID-9080700",
"product_identification_helper": {
"purls": [
"pkg:maven/@1.3.4"
]
}
}
]
}Any valid purl has a name component.
It MUST be tested that the value of number of items of
the revision history are sorted ascending when the items are
sorted
ascending by date and as a second level criteria
number.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant path for this test is:
/document/tracking/revision_historyExample 1 (which fails the test):
"revision_history": [
{
"date": "2024-01-22T10:00:00.000Z",
"number": "2",
"summary": "Second version."
},
{
"date": "2024-01-23T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
]The first item has a higher version number than the second.
It MUST be tested that /document/source_lang is present
and set if the value translator is used for
/document/publisher/category.
The relevant path for this test is:
/document/source_langExample 1 (which fails the test):
"document": {
// ...
"publisher": {
"category": "translator",
"name": "CSAF TC Translator",
"namespace": "https://csaf.io/translator"
},
"title": "Mandatory test: Translator (failing example 1)",
// ...
}The required element
source_langis missing.
It MUST be tested that document version has the same value as the
number in the last item of the revision history when
it is sorted ascending by date and as a second level
criteria number.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
Build metadata is ignored in the comparison.
Any pre-release part is also ignored if the document status is
draft.
The relevant path for this test is:
/document/tracking/versionExample 1 (which fails the test):
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-21T09:00:00.000Z",
"number": "1",
"summary": "Initial version."
},
{
"date": "2024-01-21T10:00:00.000Z",
"number": "2",
"summary": "Second version."
}
],
// ...
"version": "1"
}The value of
numberof the last item after sorting is2. However, the document version is1.
It MUST be tested that document status is draft if the
document version is 0 or 0.y.z or contains the
pre-release part.
The relevant path for this test is:
/document/tracking/statusExample 1 (which fails the test):
"tracking": {
// ...
"status": "final",
"version": "0.9.5"
}The
/document/tracking/versionis0.9.5but the document status isfinal.
It MUST be tested that no item of the revision history has a
number of 0 or 0.y.z when the
document status is final or interim.
The relevant path for this test is:
/document/tracking/revision_history[]/numberExample 1 (which fails the test):
"tracking": {
// ...
"revision_history": [
{
"date": "2023-09-17T10:00:00.000Z",
"number": "0",
"summary": "First draft"
},
{
"date": "2024-01-21T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}The document status is
finalbut the revision history includes an item which has0as value fornumber.
It MUST be tested that no item of the revision history has a
number which includes pre-release information.
The relevant path for this test is:
/document/tracking/revision_history[]/numberExample 1 (which fails the test):
"revision_history": [
{
"date": "2023-08-22T10:00:00.000Z",
"number": "1.0.0-rc",
"summary": "Release Candidate for initial version."
},
{
"date": "2023-08-23T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial version."
}
]The revision history contains an item which has a
numberthat indicates that this is pre-release.
It MUST be tested that document version does not contain a
pre-release part if the document status is final or
interim.
The relevant path for this test is:
/document/tracking/versionExample 1 (which fails the test):
"tracking": {
// ...
"status": "interim",
"version": "1.0.0-alpha"
}The document status is
interimbut the document version contains the pre-release part-alpha.
It MUST be tested that items of the revision history do not omit a
version number when the items are sorted ascending by
date.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
In the case of semantic versioning, this applies only to the Major
version.
It MUST also be tested that the first item in such a sorted list has
either the version number 0 or 1 in the case of integer versioning
or
a Major version of 0 or 1 in the case of semantic versioning.
The relevant path for this test is:
/document/tracking/revision_historyExample 1 (which fails the test):
"revision_history": [
{
"date": "2023-08-22T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
},
{
"date": "2024-01-21T10:00:00.000Z",
"number": "3",
"summary": "Some other changes."
}
]The item for version
2is missing.
It MUST be tested that items of the revision history do not contain the same version number.
The relevant path for this test is:
/document/tracking/revision_historyExample 1 (which fails the test):
"revision_history": [
{
"date": "2024-01-20T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
},
{
"date": "2024-01-21T10:00:00.000Z",
"number": "1",
"summary": "Some other changes."
}
]The revision history contains two items with the version number
1.
It MUST be tested that a CVE is not used in multiple vulnerability items.
The relevant path for this test is:
/vulnerabilities[]/cveExample 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-2017-0145"
},
{
"cve": "CVE-2017-0145"
}
]The vulnerabilities array contains two items with the same CVE identifier
CVE-2017-0145.
It MUST be tested that items of the list of involvements do not
contain the same party regardless of its
status more than once at any date.
The relevant path for this test is:
/vulnerabilities[]/involvementsExample 1 (which fails the test):
"vulnerabilities": [
{
"involvements": [
{
"date": "2023-08-23T10:00:00.000Z",
"party": "vendor",
"status": "completed"
},
{
"date": "2023-08-23T10:00:00.000Z",
"party": "vendor",
"status": "in_progress",
"summary": "The vendor has released a mitigation and is working to fully resolve the issue."
}
]
}
]The list of involvements contains two items with the same tuple
partyanddate.
It MUST be tested that the same hash algorithm is not used multiple times in one item of hashes.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashesExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"name": "Product A",
"product_id": "CSAFPID-9080700",
"product_identification_helper": {
"hashes": [
{
"file_hashes": [
{
"algorithm": "sha256",
"value": "026a37919b182ef7c63791e82c9645e2f897a3f0b73c7a6028c7febf62e93838"
},
{
"algorithm": "sha256",
"value": "0a853ce2337f0608489ac596a308dc5b7b19d35a52b10bf31261586ac368b175"
}
],
"filename": "product_a.so"
}
]
}
}
]
}The hash algorithm
sha256is used two times in one item of hashes.
It MUST be tested that the document category is not equal to the
(case insensitive) name (without the prefix csaf_) or
value of any other profile than “CSAF Base”. Any occurrences of dash,
whitespace,
and underscore characters are removed from the values on both sides
before the match.
Also the value MUST NOT start with the reserved prefix
csaf_ except if the value is csaf_base.
This test does only apply for CSAF documents with the profile “CSAF Base”. Therefore, it MUST be skipped if the document category matches one of the values defined for the profile other than “CSAF Base”.
For CSAF 2.1, the test must be skipped for the following values in
/document/category:csaf_base csaf_security_incident_response csaf_informational_advisory csaf_security_advisory csaf_vex csaf_deprecated_security_advisory csaf_withdrawn csaf_superseded
This is the only mandatory test related to the profile “CSAF Base” as the required fields SHALL be checked by validating the JSON schema.
The relevant path for this test is:
/document/categoryExamples 1 (for currently prohibited values):
Csaf_a
Informational Advisory
security-incident-response
Security Advisory
veX
V_eX
Deprecated Security Advisory
withdrawn
SupersededExample 2 (which fails the test):
"category": "Security_Incident_Response"The value
Security_Incident_Responseis the name of a profile where the space was replaced with underscores.
This subsubsection structures the mandatory tests for the profiles. Not all tests apply for all profiles. Tests SHOULD be skipped if the document category does not match the one given in the test. Each of the following tests SHOULD be treated as they where listed similar to the other tests.
An application MAY group these tests by profiles when providing the additional function to only run one or more selected tests. This results in one virtual test per profile.
It MUST be tested that at least one item in
/document/notes exists which has a category of
description, details, general or
summary.
The relevant values for /document/category are:
csaf_informational_advisory
csaf_security_incident_responseThe relevant path for this test is:
/document/notesExample 1 (which fails the test):
"notes": [
{
"category": "legal_disclaimer",
"text": "The CSAF document is provided to You \"AS IS\" and \"AS AVAILABLE\" and with all faults and defects without warranty of any kind.",
"title": "Terms of Use"
}
]The document notes do not contain an item which has a
categoryofdescription,details,generalorsummary.
It MUST be tested that at least one item in
/document/references exists that has links to an
external source.
The relevant values for /document/category are:
csaf_informational_advisory
csaf_security_incident_responseThe relevant path for this test is:
/document/referencesExample 1 (which fails the test):
"references": [
{
"category": "self",
"summary": "The canonical URL.",
"url": "https://example.com/security/data/csaf/2024/oasis_csaf_tc-csaf_2_1-2024-6-1-27-02-01.json"
}
]The document references do not contain any item which has the category
external.
It MUST be tested that the element /vulnerabilities does
not exist.
The relevant values for /document/category are:
csaf_informational_advisory
csaf_withdrawn
csaf_supersededThe relevant path for this test is:
/vulnerabilitiesExample 1 (which fails the test):
"vulnerabilities": [
{
"title": "A vulnerability item that SHALL NOT exist"
}
]The element
/vulnerabilitiesexists.
A tool MAY change the
/document/categorytocsaf_baseas a quick fix.
It MUST be tested that the element /product_tree
exists.
The relevant values for /document/category are:
csaf_security_advisory
csaf_vex
csaf_deprecated_security_advisoryThe relevant path for this test is:
/product_treeExample 1 (which fails the test):
{
"document": {
// ...
},
"vulnerabilities": [
// ...
]
}The element
/product_treedoes not exist.
For each item in /vulnerabilities it MUST be tested that
the element notes exists.
The relevant values for /document/category are:
csaf_security_advisory
csaf_vex
csaf_deprecated_security_advisoryThe relevant path for this test is:
/vulnerabilities[]/notesExample 1 (which fails the test):
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700"
]
},
"title": "A vulnerability item without a note"
}
]The vulnerability item has no
noteselement.
For each item in /vulnerabilities it MUST be tested that
the element product_status exists.
The relevant values for /document/category are:
csaf_security_advisory
csaf_deprecated_security_advisoryThe relevant path for this test is:
/vulnerabilities[]/product_statusExample 1 (which fails the test):
"vulnerabilities": [
{
"title": "A vulnerability item without a product status"
}
]The vulnerability item has no
product_statuselement.
For each item in /vulnerabilities it MUST be tested that
at least one of the elements fixed,
known_affected, known_not_affected,
or under_investigation is present in
product_status.
The relevant value for /document/category is:
csaf_vexThe relevant paths for this test are:
/vulnerabilities[]/product_status/fixed
/vulnerabilities[]/product_status/known_affected
/vulnerabilities[]/product_status/known_not_affected
/vulnerabilities[]/product_status/under_investigationExample 1 (which fails the test):
"product_status": {
"first_fixed": [
// ...
],
"recommended": [
// ...
]
}None of the elements
fixed,known_affected,known_not_affected, orunder_investigationis present inproduct_status.
For each item in /vulnerabilities it MUST be tested that
at least one of the elements cve or ids is
present.
The relevant value for /document/category is:
csaf_vexThe relevant paths for this test are:
/vulnerabilities[]/cve
/vulnerabilities[]/idsExample 1 (which fails the test):
"vulnerabilities": [
{
"title": "A vulnerability item without a CVE or ID"
}
]None of the elements
cveoridsis present.
For each item in
/vulnerabilities[]/product_status/known_not_affected it
MUST be tested that
a corresponding impact statement exist in
/vulnerabilities[]/flags or
/vulnerabilities[]/threats.
For the latter one, the category value for such a statement
MUST be impact.
The relevant value for /document/category is:
csaf_vexThe relevant path for this test is:
/vulnerabilities[]/flags
/vulnerabilities[]/threatsExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701"
]
}
]
},
"vulnerabilities": [
{
// ...
"product_status": {
"known_not_affected": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
"threats": [
{
"category": "impact",
"details": "The vulnerable code is not present in these products.",
"group_ids": [
"CSAFGID-0001"
]
}
]
}
]There is no impact statement for
CSAFPID-9080702.Note: The impact statement for
CSAFPID-9080700andCSAFPID-9080701is given throughCSAFGID-0001.
For each item in
/vulnerabilities[]/product_status/known_affected it MUST be
tested that
a corresponding action statement exist in
/vulnerabilities[]/remediations.
The relevant value for /document/category is:
csaf_vexThe relevant path for this test is:
/vulnerabilities[]/remediationsExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701"
],
"summary": "EOL products"
}
]
},
"vulnerabilities": [
{
// ...
"product_status": {
"known_affected": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
"remediations": [
{
"category": "no_fix_planned",
"details": "These products are end-of-life. Therefore, no fix will be provided.",
"group_ids": [
"CSAFGID-0001"
]
}
]
}
]There is no action statement for
CSAFPID-9080702.Note: The action statement for
CSAFPID-9080700andCSAFPID-9080701is given throughCSAFGID-0001.
It MUST be tested that the element /vulnerabilities
exists.
The relevant values for /document/category are:
csaf_security_advisory
csaf_vex
csaf_deprecated_security_advisoryThe relevant path for this test is:
/vulnerabilitiesExample 1 (which fails the test):
{
"document": {
// ...
},
"product_tree": [
// ...
]
}The element
/vulnerabilitiesdoes not exist.
For each item in /vulnerabilities it MUST be tested that
the element product_status/known_affected exists.
The relevant value for /document/category is:
csaf_security_advisoryThe relevant path for this test is:
/vulnerabilities[]/product_status/known_affectedExample 1 (which fails the test):
"product_status": {
"under_investigation": [
"CSAFPID-9080700"
]
}The product status does not contain the
known_affectedelement.
For each product listed in the product status group fixed in any vulnerability, it MUST be tested that a corresponding version of the product is listed as affected in the same vulnerability.
For a relationship
installed_withthe product without any relationship is a corresponding product.
The relevant value for /document/category is:
csaf_security_advisoryThe relevant path for this test is:
/vulnerabilities[]/product_status/known_affectedExample 1 (which fails the test):
{
// ...
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "4.2",
"product": {
"name": "Example Company Product A 4.2",
"product_id": "CSAFPID-9080700"
}
}
],
"category": "product_name",
"name": "Product A"
}
],
"category": "vendor",
"name": "Example Company"
}
]
},
"vulnerabilities": [
{
// ...
"product_status": {
"fixed": [
"CSAFPID-9080700"
]
}
}
]
}The vulnerability just contains the fixed product but does not list corresponding affected products.
It MUST be tested that at least one item in
/document/notes exists which has a category of
description.
The relevant values for /document/category are:
csaf_withdrawn
csaf_supersededThe relevant path for this test is:
/document/notesExample 1 (which fails the test):
"notes": [
{
"category": "legal_disclaimer",
"text": "The CSAF document is provided to You \"AS IS\" and \"AS AVAILABLE\" and with all faults and defects without warranty of any kind.",
"title": "Terms of Use"
}
]The document notes do not contain an item which has a
categoryofdescription.
It MUST be tested that the element /product_tree does
not exist.
The relevant values for /document/category are:
csaf_withdrawn
csaf_supersededThe relevant path for this test is:
/product_treeExample 1 (which fails the test):
"product_tree": [
// ...
]The element
/product_treeexists.
It MUST be tested that the revision history contains at least two entries.
The relevant values for /document/category are:
csaf_withdrawn
csaf_supersededThe relevant path for this test is:
/document/tracking/revision_historyExample 1 (which fails the test):
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],The revision history contains only one entry.
If the document language is English or unspecified, it MUST be tested
that exactly one item in document notes exists
that has the title Reasoning for Withdrawal.
The category of this item MUST be
description.
The relevant value for /document/category is:
csaf_withdrawnThe relevant path for this test is:
/document/notesExample 1 (which fails the test):
"notes": [
{
"category": "summary",
"text": "This CSAF document contained example data and was withdrawn to create test data.",
"title": "Reasoning for Withdrawal"
}
],The note has the correct title. However, it uses the wrong category.
If the document language is English or unspecified, it MUST be tested
that exactly one item in document notes exists
that has the title Reasoning for Supersession.
The category of this item MUST be
description.
The relevant value for /document/category is:
csaf_supersededThe relevant path for this test is:
/document/notesExample 1 (which fails the test):
"notes": [
{
"category": "details",
"text": "This CSAF document contained example data and was withdrawn to create test data.",
"title": "Reasoning for Supersession"
}
],The note has the correct title. However, it uses the wrong category.
If the document language is English or unspecified, it MUST be tested
that at least one item in document references exists
that has a summary starting with
Superseding Document.
The category of this item MUST be
external.
The relevant value for /document/category is:
csaf_supersededThe relevant path for this test is:
/document/referencesExample 1 (which fails the test):
"references": [
{
"category": "self",
"summary": "Superseding Document",
"url": "https://example.com/.well-known/csaf/clear/2024/esa-2024-1234.json"
}
],The reference summary starts correctly with the string “Superseding Document”. However, it uses the wrong category.
It MUST be tested that the given source language and document language are not the same.
The relevant path for this test is:
/document/lang
/document/source_langExample 1 (which fails the test):
"document": {
// ...
"lang": "en-US",
// ...
"source_lang": "en-US",
// ...
}The document language and the source language have the same value
en-US.Note: A translation from
en-UStoen-GBwould pass the test.
A tool MAY remove the source language as quick fix.
For each item in /vulnerabilities[]/remediations it MUST
be tested that it includes at least one of the elements
group_ids or product_ids.
The relevant path for this test is:
/vulnerabilities[]/remediations[]Example 1 (which fails the test):
"remediations": [
{
"category": "no_fix_planned",
"details": "These products are end-of-life. Therefore, no fix will be provided."
}
]The given remediation does not specify to which products it should be applied.
A tool MAY add all products of the affected group of this vulnerability to the remediation as quick fix.
It MUST be tested that all elements of type
/$defs/version_t follow either integer versioning or
semantic versioning homogeneously within the same document.
The relevant paths for this test are:
/document/tracking/revision_history[]/number
/document/tracking/versionExample 1 (which fails the test):
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-21T09:00:00.000Z",
"number": "1.0.0",
"summary": "Initial version."
},
{
"date": "2024-01-21T10:00:00.000Z",
"number": "2",
"summary": "Second version."
}
],
// ...
"version": "2"
}The document started with semantic versioning (
1.0.0) and switched to integer versioning (2).
A tool MAY assign all items their corresponding value according to integer versioning as a quick fix. In such case, the old
numberSHOULD be stored inlegacy_version.
For each element of type /$defs/branches_t with
category of product_version it MUST be tested
that
the value of name does not contain a version range.
To implement this test it is deemed sufficient that, when converted to lower case, the value of
namesatisfies the two requirements below:
It does not contain any of the following operators:
< <= > >=If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords:
after all before earlier later prior versions
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/nameExample 1 (which fails the test):
"branches": [
{
"category": "product_version",
"name": "prior to 4.2",
// ...
}
]The version range
prior to 4.2is given for the branch categoryproduct_version.
For each item in /vulnerabilities[]/flags it MUST be
tested that it includes at least one of the elements
group_ids or product_ids.
The relevant path for this test is:
/vulnerabilities[]/flags[]Example 1 (which fails the test):
"flags": [
{
"label": "component_not_present"
}
]The given flag does not specify to which products it should be applied.
For each item in /vulnerabilities[] it MUST be tested
that a Product is not member of more than one Flag item with
a VEX justification code (see section 3.2.4.7).
This takes indirect relations through Product Groups into account.
Additional flags with a different purpose might be provided in later versions of CSAF. Through the explicit reference of VEX justification codes the test is specified to be forward-compatible.
The relevant path for this test is:
/vulnerabilities[]/flagsExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701"
]
}
]
},
"vulnerabilities": [
{
// ...
"flags": [
{
"label": "component_not_present",
"group_ids": [
"CSAFGID-0001"
]
},
{
"label": "vulnerable_code_cannot_be_controlled_by_adversary",
"product_ids": [
"CSAFPID-9080700"
]
}
],
// ...
"product_status": {
"known_not_affected": [
"CSAFPID-9080700",
"CSAFPID-9080701"
]
}
}
]There are two flags given for
CSAFPID-9080700- one indirect throughCSAFGID-0001and one direct.
For each product defined under /product_tree/branches[]
it MUST be tested that the complete JSON path
does not contain more than 30 instances of branches.
The relevant path for this test is:
/product_tree/branches[](/branches[])*/productExample 1 (which fails the test):
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "branches",
"product": {
"name": "<<generate Product name>>",
"product_id": "CSAFPID-9080700"
}
}
],
"category": "product_family",
"name": "31"
}
],
"category": "product_family",
"name": "with"
}
],
"category": "product_family",
"name": "test"
}
],
"category": "product_family",
"name": "the"
}
],
"category": "product_family",
"name": "fail"
}
],
"category": "product_family",
"name": "and"
}
],
"category": "product_family",
"name": "limits"
}
],
"category": "product_family",
"name": "the"
}
],
"category": "product_family",
"name": "testing"
}
],
"category": "product_family",
"name": "are"
}
],
"category": "product_family",
"name": "they"
}
],
"category": "product_family",
"name": "but"
}
],
"category": "product_family",
"name": "unrealistic"
}
],
"category": "product_family",
"name": "less"
}
],
"category": "product_family",
"name": "or"
}
],
"category": "product_family",
"name": "more"
}
],
"category": "product_family",
"name": "and"
}
],
"category": "product_family",
"name": "unnecessary"
}
],
"category": "product_family",
"name": "seem"
}
],
"category": "product_family",
"name": "which"
}
],
"category": "product_family",
"name": "product"
}
],
"category": "product_family",
"name": "hypothetical"
}
],
"category": "product_family",
"name": "this"
}
],
"category": "product_family",
"name": "for"
}
],
"category": "product_family",
"name": "structure"
}
],
"category": "product_family",
"name": "nested"
}
],
"category": "product_family",
"name": "deeply"
}
],
"category": "product_family",
"name": "a"
}
],
"category": "product_family",
"name": "uses"
}
],
"category": "vendor",
"name": "Example Company"
}
]
}The complete JSON path contains 31 times
branches.
For each item in /vulnerabilities[]/remediations it MUST
be tested that a product is not member of contradicting remediation
categories.
This takes indirect relations through product groups into account.
The relevant path for this test is:
/vulnerabilities[]/remediations[]Example 1 (which fails the test):
"remediations": [
{
"category": "no_fix_planned",
"details": "The product is end-of-life. Therefore, no fix will be provided.",
"product_ids": [
"CSAFPID-9080700"
]
},
{
"category": "vendor_fix",
"details": "Update to version >=14.3 to fix the vulnerability.",
"product_ids": [
"CSAFPID-9080700"
]
}
]The two remediations given for the product with product ID
CSAFPID-908070contradict each other.
A tool MAY apply the conversion rules from the conformance target CSAF 2.0 to CSAF 2.1 converter if applicable or remove the product from the remediation with the lower priority. The priority MAY be defined as follows:
vendor_fix>mitigation>workaround>fix_planned>no_fix_planned>optional_patch>none_available
For each item in /vulnerabilities[]/remediations it MUST
be tested that a product is not member of a contradicting product status
group.
This takes indirect relations through product groups into account.
The relevant path for this test is:
/vulnerabilities[]/remediations[]Example 1 (which fails the test):
"product_status": {
"known_not_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to version >=14.3 to fix the vulnerability.",
"product_ids": [
"CSAFPID-9080700"
]
}
]For the product with product ID
CSAFPID-908070avendor_fixis given but the product was not affected at all.
For each item of type string and format
date-time it MUST be tested that it conforms to the rules
given in section sec.
The relevant path for this test is:
/document/tracking/current_release_date
/document/tracking/generator/date
/document/tracking/initial_release_date
/document/tracking/revision_history[]/date
/vulnerabilities[]/disclosure_date
/vulnerabilities[]/discovery_date
/vulnerabilities[]/first_known_exploitation_dates[]/date
/vulnerabilities[]/first_known_exploitation_dates[]/exploitation_date
/vulnerabilities[]/flags[]/date
/vulnerabilities[]/involvements[]/date
/vulnerabilities[]/remediations[]/date
/vulnerabilities[]/threats[]/dateExample 1 (which fails the test):
"current_release_date": "2024-01-24 10:00:00.000Z",The
current_release_dateuses a whitespace as separator instead the letterT.
It MUST be tested that a CSAF document using Max UUID as sharing
group ID has the TLP label CLEAR.
The relevant path for this test is:
/document/distribution/tlp/labelExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"name": "Public"
},
"tlp": {
"label": "RED"
}
},The sharing group uses the Max UUID but the CSAF document is labeled as
TLP:RED.
A tool MAY remove the property
sharing_groupas a quick fix.
It MUST be tested that a CSAF document with the TLP label
CLEAR use the Max UUID as sharing group ID if any.
The test SHALL pass if no sharing group is present or the Nil UUID is
used and the document status is draft.
The relevant path for this test is:
/document/distribution/sharing_group/idExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
},
"tlp": {
"label": "CLEAR"
}
},The sharing group is present for the
TLP:CLEARdocument but it differs from the Max UUID.
A tool MAY update the sharing group id as a quick fix.
It MUST be tested that the value of sharing group name does not equal the reserved values from section 3.2.2.5.1 if the precondition is not fulfilled.
The relevant path for this test is:
/document/distribution/sharing_group/nameExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
"name": "Public"
},
// ...
},The sharing group name is
Publicbut it does not use the Max UUID.
A tool MAY update the sharing group name as a quick fix.
It MUST be tested that the sharing group name exists and equals the predefined reserved value from section 3.2.2.5.1 if the precondition is fulfilled.
The relevant path for this test is:
/document/distribution/sharing_group/nameExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
},
// ...
},The Max UUID is used but the sharing group name does not exist.
A tool MAY add the corresponding sharing group name as a quick fix.
For each product_identification_helper object containing
multiple purls it MUST be tested that the purls only differ in their
qualifiers.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/purls[]
/product_tree/full_product_names[]/product_identification_helper/purls[]
/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"name": "Product A",
"product_id": "CSAFPID-9080700",
"product_identification_helper": {
"purls": [
"pkg:maven/com.example/logging@1.3.4",
"pkg:maven/com.example/audit@1.3.4"
]
}
}
]
}The two purls differ in the name component.
For each model number it MUST be tested that the it does not contain multiple unescaped stars.
Multiple
*that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[]
/product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]
/product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[]Example 1 (which fails the test):
"model_numbers": [
"P*A*"
]The model number contains two unescaped stars.
For each serial number it MUST be tested that the it does not contain multiple unescaped stars.
Multiple
*that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[]
/product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[]
/product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[]Example 1 (which fails the test):
"serial_numbers": [
"P*A*"
]The serial number contains two unescaped stars.
For each vulnerability, it MUST be tested that the
disclosure_date is earlier than or equal to the
date of the newest item of the
revision_history
if the document is labeled TLP:CLEAR and the document
status is final or interim.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant path for this test is:
/vulnerabilities[]/disclosure_dateExample 1 (which fails the test):
"document": {
// ...
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
// ...
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
// ...
}
},
"vulnerabilities": [
{
"disclosure_date": "2024-02-24T10:00:00.000Z"
}
]The document is labeled
TLP:CLEARand in statusfinalbut thedisclosure_dateis newer than thedateof newest item in therevision_history.
It MUST be tested that the given SSVC object is valid according to the referenced schema.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1Example 1 (which fails the test):
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"timestamp": "2024-01-24T10:00:00.000Z"
}The required element
selectionsis missing.
A tool MAY add the missing property
idbased on the values given incverespectivelyids[]/textas quick fix.
For each ssvc_v1 object it MUST be tested that
id is either the CVE of the vulnerability given in
cve or the text of an item in the
ids array.
The test MUST fail, if the id equals the
/document/tracking/id and the CSAF document contains more
than one vulnerability.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/idExample 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0002",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Exploitation",
"namespace": "ssvc",
"values": [
"None"
],
"version": "1.1.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]The SSVC ID does not match the CVE ID.
For each SSVC decision point given under selections with
a registered namespace, it MUST be tested that given
decision point exists,
is valid and the items in values are ordered
correctly.
The test SHALL pass, if a non-registered namespace is
used.
According to the SSVC project, the following values are currently registered:
cvss nciss ssvcA list of all valid decision points including their values is available at the SSVC repository.
The items invaluesneed to have the same order as in their definition.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]Example 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Mission Impact",
"namespace": "ssvc",
"values": [
"None",
"Degraded"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]The SSVC decision point
Mission Impactdoesn’t have the valueDegradedin version1.0.0.
If applicable, a tool MAY sort the items in
valuesaccording to the order of their definition as a quick fix.
For each vulnerability, it MUST be tested that the each SSVC
timestamp is earlier than or equal to the date
of the newest item of the
revision_history if the document status is
final or interim.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/timestampExample 1 (which fails the test):
"document": {
// ...
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
// ...
}
},
// ...
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Exploitation",
"namespace": "ssvc",
"values": [
"Active"
],
"version": "1.1.0"
}
],
"timestamp": "2024-07-13T10:00:00.000Z"
}
},
// ...
}
]
}
]The document is in status
finalbut the SSVCtimestampis newer than thedateof newest item in therevision_history.
For each element of type /$defs/branches_t with
category of product_version_range, it MUST be
tested that the value of name complies with
the rules given in section 3.1.2.3.2.
The relevant path for this test is:
/product_tree/branches[](/branches[])*/nameExample 1 (which fails the test):
{
"category": "product_version_range",
"name": "all versions < 4.2.0",
// ...
}The version range given does not comply with the rules given in section 3.1.2.3.2.
For each vulnerability, it MUST be tested that the each EPSS
timestamp is earlier than or equal to the date
of the newest item of the
revision_history if the document status is
final or interim.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/epss/timestampExample 1 (which fails the test):
"document": {
// ...
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
// ...
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
// ...
}
},
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"epss": {
"percentile": "0.999990000",
"probability": "0.975570000",
"timestamp": "2024-07-13T10:00:00.000Z"
}
},
"products": [
"CSAFPID-9080700"
]
}
]
}
]The document is in status
finalbut the EPSStimestampis newer than thedateof newest item in therevision_history.
For each First Known Exploitation Dates item, it MUST be tested that
the values of its date and exploitation_date
properties are both earlier than
or equal to the date of the newest item of the
revision_history if the document status is
final or interim.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant paths for this test are:
/vulnerabilities[]/first_known_exploitation_dates[]/date
/vulnerabilities[]/first_known_exploitation_dates[]/exploitation_dateExample 1 (which fails the test):
"document": {
// ...
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
// ...
}
},
// ...
"vulnerabilities": [
{
"first_known_exploitation_dates": [
{
"date": "2024-01-24T13:00:00.000Z",
"exploitation_date": "2024-01-24T12:34:56.789Z",
// ...
}
]
}
]The document is in status
finalbut the values of the propertiesdateandexploitation_dateof the First Known Exploitation Dates item are newer than thedateof newest item in therevision_history.
For each First Known Exploitation Dates item, it MUST be tested that
the value of exploitation_date is earlier than or equal to
value of the
sibling element date.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant paths for this test are:
/vulnerabilities[]/first_known_exploitation_dates[]/exploitation_dateExample 1 (which fails the test):
"document": {
// ...
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
// ...
}
},
// ...
"vulnerabilities": [
{
"first_known_exploitation_dates": [
{
"date": "2024-01-24T13:00:00.000Z",
"exploitation_date": "2024-01-24T12:34:56.789Z",
// ...
}
]
}
]The document is in status
finalbut the value ofexploitation_dateis newer than the value ofdatein the same item.
It MUST be tested that the license expression is valid.
To implement this test, it it deemed sufficient to check for the ABNF defined in annex B of [SPDX301] and the restriction on the
DocumentRefpart given in 3.2.2.7
The relevant path for this test is:
/document/license_expressionExample 1 (which fails the test):
"license_expression": "This is a license text that should not be here.",The license expression contains a license text instead of a SPDX license expression.
If the document language is English or unspecified,
and the license_expression contains license identifiers or
exceptions that are not listed in the SPDX license list or Aboutcode’s
“ScanCode LicenseDB”,
it MUST be tested that exactly one item in document notes exists that
has the title License.
The category of this item MUST be legal_disclaimer.
The relevant path for this test is:
/document/notesExample 1 (which fails the test):
"document": {
// ...
"license_expression": "LicenseRef-www.example.com-no-work-pd",
"notes": [
{
"category": "other",
"text": "This is not a work and therefore it can't be licensed. Use it as public domain.",
"title": "License"
}
],
// ...
}The note has the correct title. However, it uses the wrong category.
Recommended tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid. These tests may include information about features which are still supported but expected to be deprecated in a future version of CSAF. A program MUST handle a test failure as a warning.
For each Product ID (type /$defs/product_id_t) in Full
Product Name elements (type: /$defs/full_product_name_t) it
MUST be tested that
the product_id is referenced somewhere within the same
document.
This test SHALL be skipped for CSAF documents conforming the profile “Informational Advisory”.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_id
/product_tree/full_product_names[]/product_id
/product_tree/relationships[]/full_product_name/product_idExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
}
CSAFPID-9080700was defined but never used.
A tool MAY remove the unused definition as quick fix. However, such quick fix shall not be applied if the test was skipped.
For each Product ID (type /$defs/product_id_t) in the
Product Status groups Affected and Under investigation it MUST be tested
that
a remediation exists.
The remediation might be of the category
none_availableorno_fix_planned.
The relevant paths for this test are:
/vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]
/vulnerabilities[]/product_status/under_investigation[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"last_affected": [
"CSAFPID-9080700"
]
}
}
]
CSAFPID-9080700has in Product Statuslast_affectedbut there is no remediation object for this Product ID.
For each Product ID (type /$defs/product_id_t) in the
Product Status groups Affected it MUST be tested that
a metric object exists which covers this product.
The relevant paths for this test are:
/vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"first_affected": [
"CSAFPID-9080700"
]
}
}
]
CSAFPID-9080700has in Product Statusfirst_affectedbut there is no metric object which covers this Product ID.
For each item in revision history it MUST be tested that
number does not include build metadata.
The relevant path for this test is:
/document/tracking/revision_history[]/numberExample 1 (which fails the test):
"revision_history": [
{
"date": "2023-08-23T10:00:00.000Z",
"number": "1.0.0+exp.sha.ac00785",
"summary": "Initial version."
}
]The revision history contains an item which has a
numberthat includes the build metadata+exp.sha.ac00785.
It MUST be tested that the Initial Release Date is not older than the
date of the oldest item in Revision History.
As the timestamps might use different timezones, the sorting and
comparison MUST take timezones into account.
The relevant path for this test is:
/document/tracking/initial_release_dateExample 1 (which fails the test):
"tracking": {
// ...
"initial_release_date": "2023-08-22T10:00:00.000Z",
"revision_history": [
{
"date": "2023-09-06T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
},
{
"date": "2024-01-21T11:00:00.000Z",
"number": "2",
"summary": "Second version."
}
],
// ...
}The initial release date
2023-08-22T10:00:00.000Zis older than2023-09-06T10:00:00.000Zwhich is thedateof the oldest item in Revision History.
It MUST be tested that the Current Release Date is not older than the
date of the newest item in Revision History.
As the timestamps might use different timezones, the sorting and
comparison MUST take timezones into account.
The relevant path for this test is:
/document/tracking/current_release_dateExample 1 (which fails the test):
"tracking": {
"current_release_date": "2023-09-06T10:00:00.000Z",
// ...
"revision_history": [
{
"date": "2023-09-06T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
},
{
"date": "2024-01-21T11:00:00.000Z",
"number": "2",
"summary": "Second version."
}
],
// ...
}The current release date
2023-09-06T10:00:00.000Zis older than2023-09-23T1100:00.000Zwhich is thedateof the newest item in Revision History.
For each item in the list of involvements it MUST be tested that it
includes the property date.
The relevant path for this test is:
/vulnerabilities[]/involvementsExample 1 (which fails the test):
"vulnerabilities": [
{
"involvements": [
{
"party": "vendor",
"status": "in_progress"
}
]
}
]The list of involvements contains an item which does not contain the property
date.
It MUST be tested that the hash algorithm md5 is not the
only one present.
Since collision attacks exist for MD5 such value should be accompanied by a second cryptographically stronger hash. This will allow users to double check the results.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashesExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"name": "Product A",
"product_id": "CSAFPID-9080700",
"product_identification_helper": {
"hashes": [
{
"file_hashes": [
{
"algorithm": "md5",
"value": "6ae24620ea9656230f49234efd078935"
}
],
"filename": "product_a.so"
}
]
}
}
]
}The hash algorithm
md5is used in one item of hashes without being accompanied by a second hash algorithm.
It MUST be tested that the hash algorithm sha1 is not
the only one present.
Since collision attacks exist for SHA-1 such value should be accompanied by a second cryptographically stronger hash. This will allow users to double check the results.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashesExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"name": "Product A",
"product_id": "CSAFPID-9080700",
"product_identification_helper": {
"hashes": [
{
"file_hashes": [
{
"algorithm": "sha1",
"value": "e067035314dd8673fe1c9fc6b01414fe0950fdc4"
}
],
"filename": "product_a.so"
}
]
}
}
]
}The hash algorithm
sha1is used in one item of hashes without being accompanied by a second hash algorithm.
The TLP label is now required by the schema. Therefore, the recommended test is obsolete. This section is kept to document that change and keep the numbering of the remaining sections stable. The test is excluded from any preset and requirement to be executed.
It MUST be tested that the CSAF document has a canonical URL.
To implement this test it is deemed sufficient that one item in
/document/referencesfulfills all of the following:
- It has the category
self.- The
urlstarts withhttps://.- The
urlends with the valid filename for the CSAF document according to the rules in section 5.1.
The relevant path for this test is:
/document/referencesExample 1 (which fails the test):
"document": {
// ...
"references": [
{
"category": "self",
"summary": "A non-canonical URL.",
"url": "https://example.com/security/data/csaf/2024/oasis_csaf_tc-csaf_2.1-2024-6-2-11-01_1.json"
}
],
// ...
"tracking": {
// ...
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-11-01",
// ...
"version": "1"
},
// ...
}The only element where the
categoryisselfhas a URL that does not fulfill the requirement of a valid filename for a CSAF document.
It MUST be tested that the document language is present and set.
The relevant path for this test is:
/document/langExample 1 (which fails the test):
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
// ...
},
// ...
}The document language is not defined.
It MUST be tested that all keys in a CSAF document are sorted alphabetically.
The relevant path for this test is:
/Example 1 (which fails the test):
"document": {
"csaf_version": "2.1",
"category": "csaf_base",
// ...
}The key
csaf_versionis not at the right place.
A tool MAY sort the keys as a quick fix.
For each element of type /$defs/lang_t it MUST be tested
that the language code does not contain subtags reserved for private
use.
The relevant paths for this test are:
/document/lang
/document/source_langExample 1 (which fails the test):
"lang": "qtx"The language code
qtxis reserved for private use.
A tool MAY remove such subtag as a quick fix.
For each element of type /$defs/lang_t it MUST be tested
that the language code is not i-default.
The relevant paths for this test are:
/document/lang
/document/source_langExample 1 (which fails the test):
"lang": "i-default"The language code
i-defaultis used.
A tool MAY remove such element as a quick fix.
For each element of type /$defs/full_product_name_t it
MUST be tested that it includes the property
product_identification_helper.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product
/product_tree/full_product_names[]
/product_tree/relationships[]/full_product_nameExample 1 (which fails the test):
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]The product
CSAFPID-9080700does not provide any Product Identification Helper at all.
For each item in /vulnerabilities[]/ids it MUST be
tested that it is not a CVE ID.
It is sufficient to check, whether the property
textmatches the regex^CVE-[0-9]{4}-[0-9]{4,}$.
The relevant paths for this test are:
/vulnerabilities[]/ids[]Example 1 (which fails the test):
"ids": [
{
"system_name": "CVE Project",
"text": "CVE-2021-44228"
}
]The
CVE-2021-44228is listed in an item of theidsarray instead undercve.
A tool MAY set such element as value for the
cveproperty as a quick fix, if that didn’t exist before. Alternatively, it MAY remove such element as a quick fix.
For each element of type /$defs/branches_t with
category of product_version_range it MUST be
tested that
the value of name conforms the vers specification.
To implement this test it is deemed sufficient that the value of
namematches the following regex:^vers:[a-z\\.\\-\\+][a-z0-9\\.\\-\\+]*/.+
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/nameExample 1 (which fails the test):
"branches": [
{
"category": "product_version_range",
"name": ">4.2",
// ...
}
]The version range
>4.2is a valid vsl but not valid according to the vers specification.
For each item the fixed products group (first_fixed and
fixed) it MUST be tested that
a CVSS applying to this product has an environmental score of
0.
The test SHALL pass if none of the Product IDs listed within product
status fixed or
first_fixed is found in products of any item
of the metrics element.
The relevant path for this test is:
/vulnerabilities[]/product_status/first_fixed[]
/vulnerabilities[]/product_status/fixed[]Example 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"fixed": [
"CSAFPID-9080700"
]
},
"metrics": [
{
"content": {
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
} ,
"products": [
"CSAFPID-9080700"
]
}
]
}
]Neither the
environmentalScorenor the propertiesmodifiedAvailabilityImpact,modifiedConfidentialityImpact,modifiedIntegrityImpactnor the corresponding attributes in thevectorStringhave been set.
A tool MAY remove any Product IDs listed within product status
fixedorfirst_fixedfromproductsof all items of themetricselement.Alternatively, a tool MAY set those environmental properties according to the CVSS version used that reduce score to
0and compute theenvironmentalScoreas quick fix. The following environmental properties have been identified:
- CVSS v2:
targetDistributiontoNONE- CVSS v3: all of
modifiedAvailabilityImpact,modifiedConfidentialityImpact, andmodifiedIntegrityImpacttoNONE- CVSS v4: all of
modifiedVulnAvailabilityImpact,modifiedVulnConfidentialityImpact, andmodifiedVulnIntegrityImpacttoNONEandmodifiedSubAvailabilityImpact,modifiedSubConfidentialityImpact, andmodifiedSubIntegrityImpacttoNEGLIGIBLE
It MUST be tested that there is no additional property in the CSAF document that was not defined in the CSAF JSON schema. This also applies for referenced schemas.
The relevant path for this test is:
/To implement this test it is deemed sufficient to validate the CSAF document against a “strict” version schema that has all references integrated and sets
additionalPropertiesrespectivelyunevaluatedPropertiestofalseat all appropriate places to detect additional properties.
Example 1 (which fails the test):
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"custom_property": "any",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}The key
custom_propertyis not defined in the JSON schema.
A tool MAY remove such keys as a quick fix.
It MUST be tested that the timestamps of all items in the revision history are pairwise disjoint. As the timestamps might use different timezones, the comparison MUST take timezones into account.
The relevant path for this test is:
/document/tracking/revision_history[]/dateExample 1 (which fails the test):
"revision_history": [
{
"date": "2024-01-21T10:00:00.000Z",
"number": "2.0.0",
"summary": "Second version."
},
{
"date": "2024-01-21T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial version."
}
]The first and second revision have the same timestamp.
It MUST be tested that the /document/title does not
contain the /document/tracking/id.
The relevant path for this test is:
/document/titleExample 1 (which fails the test):
"title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Recommended test: Document Tracking ID in Title (failing example 1)",
"tracking": {
// ...
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01",
// ...
}The document title contains the document tracking id.
A tool MAY remove the document tracking id from the document title. It SHOULD also remove any separating characters including whitespace, colon, dash and brackets.
For each item in the CWE array it MUST be tested that the CWE is not deprecated in the given version.
The relevant path for this test is:
/vulnerabilities[]/cwes[]Example 1 (which fails the test):
"cwes": [
{
"id": "CWE-596",
"name": "DEPRECATED: Incorrect Semantic Object Comparison",
"version": "4.13"
}
]The
CWE-596is deprecated in version4.13.
A tool MAY suggest to replace the deprecated CWE with its replacement or closest equivalent.
For each item in the CWE array it MUST be tested that the latest CWE version available at the time of the last revision was used. The test SHALL fail if a later CWE version was used.
The relevant path for this test is:
/vulnerabilities[]/cwes[]Example 1 (which fails the test):
"document": {
// ...
"tracking": {
"current_release_date": "2024-01-21T10:00:00.000Z",
// ...
}
},
"vulnerabilities": [
{
"cwes": [
{
"id": "CWE-256",
"name": "Plaintext Storage of a Password",
"version": "4.12"
}
]
}
]The CWE version listed is
4.12. However, version4.13was most recent version when the document was released on2024-01-21T10:00:00.000Z.
A tool MAY suggest to use the latest version available at the time of the
current_release_date. This is most likely also the overall latest CWE version as modifications to a CSAF document lead to a newcurrent_release_date.
For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed.
Currently, this includes the two usage state
AllowedandAllowed-with-Review.
The relevant path for this test is:
/vulnerabilities[]/cwes[]Example 1 (which fails the test):
"cwes": [
{
"id": "CWE-20",
"name": "Improper Input Validation",
"version": "4.13"
}
]The usage of CWE-20 is discouraged as “is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available”. cite
For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed without review.
Reasoning: CWEs marked with a vulnerability mapping state of
Allowed-with-Reviewshould only be used if a thorough review was done. This test helps to flag such mappings which can be used to trigger processes that ensure the extra review, e.g. by a senior analyst.
The relevant path for this test is:
/vulnerabilities[]/cwes[]Example 1 (which fails the test):
"cwes": [
{
"id": "CWE-1023",
"name": "Incomplete Comparison with Missing Factors",
"version": "4.13"
}
]The usage of CWE-1023 is allowed with review as the “CWE entry is a Class and might have Base-level children that would be more appropriate”. cite
For each item in /vulnerabilities[]/remediations it MUST
be tested that a Product is not member of a discouraged product status
group
remediation category combination.
This takes indirect relations through Product Groups into account.
The relevant path for this test is:
/vulnerabilities[]/remediations[]Example 1 (which fails the test):
"product_status": {
"known_not_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "fix_planned",
"details": "The fix should be available in Q4 2024.",
"product_ids": [
"CSAFPID-9080700"
]
}
]For the product with product ID
CSAFPID-908070a fix is planned but the product was not affected at all.
It MUST be tested that the Max UUID is not used as sharing group id.
The relevant path for this test is:
/document/distribution/sharing_group/idExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"name": "Public"
},
// ...
},The sharing group id uses the Max UUID.
A tool MAY remove the property
sharing_groupas a quick fix.
It MUST be tested that the Nil UUID is not used as sharing group id.
The relevant path for this test is:
/document/distribution/sharing_group/idExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"name": "Public"
},
// ...
},The sharing group id uses the Nil UUID.
A tool MAY remove the property
sharing_groupas a quick fix.
It MUST be tested that no sharing group is used if the document is
TLP:CLEAR.
The relevant path for this test is:
/document/distribution/sharing_groupExample 1 (which fails the test):
"distribution": {
"sharing_group": {
"id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"name": "Public"
},
"tlp": {
"label": "CLEAR"
}
},The CSAF document is
TLP:CLEARbut a sharing group is given.
A tool MAY remove the property
sharing_groupas a quick fix.
For each product containing at least one of the Product
Identification Helpers serial_numbers or
model_numbers it MUST be tested that a relationship exists
referencing this product.
This tests detects a potential situation where hardware and software have been mixed in the
product_tree. Note: This test will fail if the CSAF document contains in itsproduct_treeonly hardware. However, this is expected and considered a good reason for the test to fail. This does not make the CSAF document invalid.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_id
/product_tree/full_product_names[]/product_id
/product_tree/relationships[]/full_product_name/product_idExample 1 (which fails the test):
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "4.1",
"product": {
"name": "Example Company Controller A Firmware 4.1",
"product_id": "CSAFPID-908070601",
"product_identification_helper": {
"serial_numbers": [
"143-D-354"
]
}
}
}
],
"category": "product_name",
"name": "Controller A"
}
],
"category": "vendor",
"name": "Example Company"
}
]
}The
product_treementions the hardware product Example Company Controller A and combines it with the Firmware version 4.1.
For each Product Identification Helper category it MUST be tested that the same value is not used for multiple products in this category.
This test detects a potentially incorrect constructed product tree. Note: This test will fail if the CSAF document contains in its
product_treethe old and new name of a product that was renamed. However, this is expected and considered a good reason for the test to fail. This does not make the CSAF document invalid.For the comparison, arrays need to be treated as unordered sets which need to be pairwise disjoint. When comparing two helper-objects’ array properties whose items are themselves JSON objects (e.g.
hashesorfile_hashes), the array needs to be treated as an unordered set, and each object is compared by deep-equality of its key/value pairs (ignoring key‐order).
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper
/product_tree/full_product_names[]/product_id/product_identification_helper
/product_tree/relationships[]/full_product_name/product_id/product_identification_helperExample 1 (which fails the test):
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "Example Company Product A 1.0",
"product_id": "CSAFPID-908070601",
"product_identification_helper": {
"serial_numbers": [
"143-D-354"
]
}
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "Example Company Product A 2.0",
"product_id": "CSAFPID-908070602",
"product_identification_helper": {
"serial_numbers": [
"143-D-354"
]
}
}
}
],
"category": "product_name",
"name": "Product A"
}
],
"category": "vendor",
"name": "Example Company"
}
]
}Both products are identified by the same serial number
143-D-354.
For each vulnerability, it MUST be tested that the
disclosure_date is earlier or equal to the
date of the newest item of the
revision_history
if the disclosure_date is in the past at the time of the
test execution.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The result of the test is dependent upon the time of the execution of the test - it might change for a given CSAF document over time. However, the latest version of a CSAF document should always pass the test.
The relevant path for this test is:
/vulnerabilities[]/disclosure_dateExample 1 (which fails the test):
"document": {
// ...
"distribution": {
"tlp": {
"label": "GREEN"
}
},
// ...
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
// ...
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"vulnerabilities": [
{
"disclosure_date": "2024-02-24T10:00:00.000Z"
}
]The
disclosure_dateis in the past but newer than the date of newest item in therevision_history.
For each SSVC decision point given under selections, it
MUST be tested the namespace is one of the case-sensitive
registered namespaces.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespaceExample 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Technical Impact",
"namespace": "some-yet-unknown-or-maybe-private-namespace",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]The namespace
some-yet-unknown-or-maybe-private-namespaceis not a registered namespace. Its decision point definitions might therefore not be known to the reader of the document.
For each SSVC decision point given under selections, it
MUST be tested the namespace is not a private one if the
document is labeled TLP:CLEAR.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespaceExample 1 (which fails the test):
{
"document": {
// ...
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
// ...
}
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Technical Impact",
"namespace": "x_custom",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]
}The namespace
x_customis a private namespace. Its decision point definitions might therefore not be known to the reader of the document.
For each SSVC decision point given under selections, it
MUST be tested the namespace does not use an extension if
the document is labeled TLP:CLEAR.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespaceExample 1 (which fails the test):
{
"document": {
// ...
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
// ...
}
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Technical Impact",
"namespace": "ssvc/additional-technical-impacts",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]
}The namespace contains the extension
additional-technical-impacts. Its decision point definitions might therefore not be known to the reader of the document.
For each SSVC object, it MUST be tested the role is one
of the case-sensitive registered roles.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/roleExample 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"role": "An unregistered role",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Technical Impact",
"namespace": "ssvc",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]The role
An unregistered roleis not a registered role. Its structure might therefore not be known to the reader of the document.
It MUST be tested that the /document/category does not
start with csaf_deprecated_.
The relevant path for this test is:
/document/categoryExample 1 (which fails the test):
"category": "csaf_deprecated_security_advisory",
The document category starts with
csaf_deprecated_.
This subsubsection structures the recommended tests for the profiles. Not all tests apply for all profiles. Tests SHOULD be skipped if the document category does not match the one given in the test. Each of the following tests SHOULD be treated as they where listed similar to the other tests.
For each product listed in the product status group affected in any
vulnerability,
it MUST be tested that a corresponding version of the product is listed
as fixed in the same vulnerability.
The test MUST be skipped if there is a clear indication, that such a
version of the product does not exist.
Indicators include a remediation item with one of the categories
fix_planned, no_fix_planned or
none_available referring to the affected product.
The test MUST NOT be skipped, if there is an indication, that such a
version of the product might exist.
Indicators include an affected product version range with the comparator
< in the last version constraint and
a remediation item with the categories vendor_fix referring
to the affected product.
The relevant value for /document/category is:
csaf_security_advisoryThe relevant path for this test is:
/vulnerabilities[]/product_statusExample 1 (which fails the test):
"vulnerabilities": [
{
// ...
"product_status": {
"known_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to the latest version, at least version 4.2.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
}
]The fixed product is not listed in the advisory but there is a clear indication that such product exists as there is a remediation with category
vendor_fix.
A tool MAY create the missing fixed product based on the data available in the advisory as a quick fix.
If the document language is specified but not English, it MUST be
tested that exactly one item in document notes exists
that has the language specific translation of the term
Reasoning for Withdrawal as title.
The category of this item MUST be
description.
If no language specific translation has been recorded, the test MUST be
skipped and output an information to the user that no such translation
is known.
A list of the language specific translations is kept at the OASIS CSAF TC.
The relevant value for /document/category is:
csaf_withdrawnThe relevant path for this test is:
/document/notesExample 1 (which fails the test):
"notes": [
{
"category": "summary",
"text": "Das CSAF Document enthielt Beispieldaten und wurde zurückgezogen, um Testdaten zu erzeugen.",
"title": "Begründung für die Zurückziehung"
}
],The note has the correct title. However, it uses the wrong category.
If the document language is specified but not English, it MUST be
tested that exactly one item in document notes exists
that has the language specific translation of the term
Reasoning for Supersession as title.
The category of this item MUST be
description.
If no language specific translation has been recorded, the test MUST be
skipped and output an information to the user that no such translation
is known.
A list of the language specific translations is kept at the OASIS CSAF TC.
The relevant value for /document/category is:
csaf_supersededThe relevant path for this test is:
/document/notesExample 1 (which fails the test):
"notes": [
{
"category": "summary",
"text": "Das CSAF Dokument enthielt Beispieldaten und wurde ersetzt, um Testdaten zu erzeugen.",
"title": "Begründung für die Ersetzung"
}
],The note has the correct title. However, it uses the wrong category.
If the document language is specified but not English, it MUST be
tested that at least one item in document references exists
that starts with the language specific translation of the term
Superseding Document as summary.
The category of this item MUST be
external.
If no language specific translation has been recorded, the test MUST be
skipped and output an information to the user that no such translation
is known.
A list of the language specific translations is kept at the OASIS CSAF TC.
The relevant value for /document/category is:
csaf_supersededThe relevant path for this test is:
/document/referencesExample 1 (which fails the test):
"references": [
{
"category": "self",
"summary": "Ersetztes Dokument",
"url": "https://example.com/.well-known/csaf/clear/2024/esa-2024-1234.json"
}
],The note has the correct title. However, it uses the wrong category.
For each product description it MUST be tested that it includes at
least one of the elements group_ids or
product_ids.
If the document language is English or unspecified, the product description can be identified by checking for a note containing the corresponding
categoryandtitlecombination from sec. For other languages, the language specific translation is used.
If no language specific translation has been recorded, the test MUST be skipped and output an information to the user that no translation for product description is known.
The relevant path for this test is:
/document/notes[]Example 1 (which fails the test):
"notes": [
{
"category": "description",
"text": "Product A is a local time tracking tool. It is mainly used by software developers and can be connected with most modern time-tracking systems.",
"title": "Product Description"
}
],The given note item does not specify to which products it applies to.
For each vulnerability, it MUST be tested that the youngest EPSS
timestamp is not more than 15 days older than to the
date of the newest item of the
revision_history if the document status is
final or interim.
As the timestamps might use different timezones, the sorting MUST take
timezones into account.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/epss/timestampExample 1 (which fails the test):
"document": {
// ...
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
// ...
"tracking": {
// ...
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
// ...
}
},
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"epss": {
"percentile": "0.999990000",
"probability": "0.975570000",
"timestamp": "2024-07-13T10:00:00.000Z"
}
},
"products": [
"CSAFPID-9080700"
]
}
]
}
]The document is in status
finalbut the EPSStimestampis more than 15 days older than thedateof newest item in therevision_history.
For each product identification helper which resides in
branches, it MUST be tested that the product identification
helper contain at least
the same information as the categorized strings.
Information that cannot be represented in the specific product
identification helper MUST be omitted from the comparison.
To implement this test it is deemed sufficient to follow the process below. It is based on a static mapping of branch categories to the corresponding part of the product identification helpers. The latter one are referred to as counterparts.
- Determine counterpart in the specific product identification helper for all categories used along the path up to the product.
- Check whether the counterparts in the product identification helper are set.
- Check whether each set counterpart does not contain a wildcard unless the value of the categorized string would indicate that.
- Check whether the version part algins between the categorized strings and the product identification helper.
- For CPE only: Check whether extra information is included in the CPE that is not in the categorized string.
This might be a counterpart that is set but the corresponding categorized string is missing along th path.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/cpe
/product_tree/branches[](/branches[])*/product/product_identification_helper/purlExample 1 (which fails the test):
"product_tree": {
"branches": [
{
"category": "vendor",
"name": "Example Company",
"branches": [
{
"category": "product_name",
"name": "Product A",
"branches": [
{
"category": "product_version",
"name": "2.2.0",
"product": {
"product_id": "CSAFPID-9080700",
"name": "Example Company Product A 2.2.0",
"product_identification_helper": {
"cpe": "cpe:2.3:h:example:product_a:2.2.0:*:*:de:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "2.3.0",
"product": {
"product_id": "CSAFPID-9080701",
"name": "Example Company Product A 2.3.0",
"product_identification_helper": {
"cpe": "cpe:2.3:h:example:product_a:2.3.0:PL17:*:*:*:*:*:*"
}
}
}
]
}
]
}
]
}The CPE of the first product contains a language part that is not given through the categorized strings. The CPE of the second product contains an update part that is not given through the categorized strings.
It MUST be tested that the license expression is present and set.
The relevant path for this test is:
/document/license_expressionExample 1 (which fails the test):
"document": {
// ...
"lang": "en-US",
"publisher": {
// ...
},
// ...
}The license expression is not defined.
It MUST be tested that all license identifier and exceptions used are not deprecated. This SHALL be tested for the SPDX license list and Aboutcode’s “ScanCode LicenseDB”. The test MAY be skipped for other license inventoring entities.
The relevant path for this test is:
/document/license_expressionExample 1 (which fails the test):
"license_expression": "GFDL-1.1",The license identifier
GFDL-1.1was deprecated as of version 3.0.
It MUST be tested that all license identifier and exceptions used exist. This SHALL be tested for the SPDX license list and Aboutcode’s “ScanCode LicenseDB”. The test MAY be skipped for other license inventoring entities.
The relevant path for this test is:
/document/license_expressionExample 1 (which fails the test):
"license_expression": "A-License-Identifier-That-Does-Not-Exist",The license identifier does not exist in the SPDX license list.
If the document language is specified but not English,
and the license_expression contains license identifiers or
exceptions that are not listed in the SPDX license list or Aboutcode’s
“ScanCode LicenseDB”,
it MUST be tested that exactly one item in document notes exists that
has the language specific translation of the term License
as title.
The category of this item MUST be legal_disclaimer.
If no language specific translation has been recorded, the test MUST be
skipped and output an information to the user that no such translation
is known.
The relevant path for this test is:
/document/notesExample 1 (which fails the test):
"document": {
// ...
"lang": "de-DE",
"license_expression": "LicenseRef-www.example.com-no-work",
"notes": [
{
"category": "summary",
"text": "Es handelt sich nicht um ein urheberrechtliches Werk, da die Schöpfungshöhe nicht erreicht ist.",
"title": "Lizenz"
}
],
// ...
}The note has the correct title. However, it uses the wrong category.
Informative tests provide insights in common mistakes and bad practices. They MAY fail at a valid CSAF document. It is up to the issuing party to decide whether this was an intended behavior and can be ignore or should be treated. These tests MAY include information about recommended usage. A program MUST handle a test failure as a information.
For each item in the list of metrics which contains the
cvss_v2 object under content it MUST be tested
that is not the only scoring item present.
The test SHALL pass if a second scoring object is available regarding
the specific product.
One source might just provide CVSS v2. As long as at least one different source provides a different scoring system for the same products, the test passes.
The relevant path for this test is:
/vulnerabilities[]/metricsExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"metrics": [
{
"content": {
"cvss_v2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"baseScore": 10
}
},
"products": [
"CSAFPID-9080700"
]
}
]
}
]There is only a CVSS v2 score given for
CSAFPID-9080700.
Recommendation:
It is recommended to (also) use the CVSS v4.0.
For each item in the list of metrics which contains the
cvss_v3 object under content it MUST be tested
that CVSS v3.0 is not used.
The relevant paths for this test are:
/vulnerabilities[]/metrics[]/content/cvss_v3/version
/vulnerabilities[]/metrics[]/content/cvss_v3/vectorStringExample 1 (which fails the test):
"cvss_v3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}The CVSS v3.0 is used.
Recommendation:
It is recommended to upgrade to CVSS v3.1.
A tool MAY upgrade to CVSS v3.1 as quick fix. However, if such quick fix is supported the tool SHALL also recompute the
baseScoreandbaseSeverity. The same applies fortemporalScoreandtemporalSeverityrespectivelyenvironmentalScoreandenvironmentalSeverityif the necessary fields for computing their value are present and set.
It MUST be tested that the CVE number is given.
The relevant path for this test is:
/vulnerabilities[]/cveExample 1 (which fails the test):
"vulnerabilities": [
{
"title": "BlueKeep"
}
]The CVE number is not given.
Recommendation:
It is recommended to provide a CVE number to support the users efforts to find more details about a vulnerability and potentially track it through multiple advisories. If no CVE exists for that vulnerability, it is recommended to get one assigned.
It MUST be tested that at least one CWE is given.
The relevant path for this test is:
/vulnerabilities[]/cwesExample 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-2019-0708",
"title": "BlueKeep"
}
]No CWE number is given.
It MUST be tested that the length of the hash value is not shorter than 64 characters.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes[]/value
/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value
/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/valueExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"name": "Product A",
"product_id": "CSAFPID-9080700",
"product_identification_helper": {
"hashes": [
{
"file_hashes": [
{
"algorithm": "md4",
"value": "3202b50e2e5b2fcd75e284c3d9d5f8d6"
}
],
"filename": "product_a.so"
}
]
}
}
]
}The length of the hash value is only 32 characters long.
For each URL which is not in the category self it MUST
be tested that it resolves with a HTTP status code from
the 2xx (Successful) or 3xx (Redirection) class.
This test does not apply for any item in an array of type
references_twith the categoryself. For details about the HTTP status code classes see [RFC7231].
The relevant paths for this test are:
/document/acknowledgments[]/urls[]
/document/aggregate_severity/namespace
/document/distribution/tlp/url
/document/references[]/url
/document/publisher/namespace
/product_tree/branches[]/product/product_identification_helper/sbom_urls[]
/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace
/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri
/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]
/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace
/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri
/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]
/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace
/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri
/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]
/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace
/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri
/vulnerabilities[]/acknowledgments[]/urls[]
/vulnerabilities[]/references[]/url
/vulnerabilities[]/remediations[]/urlExample 1 (which fails the test):
"references": [
{
"summary": "A URL that does not resolve with HTTP status code in the interval between (including) 200 and (excluding) 400.",
"url": "https://example.invalid"
}
]The
categoryis not set and therefore treated as its default valueexternal. A request to that URL does not resolve with a status code from the 2xx (Successful) or 3xx (Redirection) class.
For each item in an array of type references_t with the
category self it MUST be tested that
the URL referenced resolves with a HTTP status code less than 400.
This test will most likely fail if the CSAF document is in a status before the initial release. For details about the HTTP status code classes see [RFC7231].
The relevant paths for this test are:
/document/references[]/url
/vulnerabilities[]/references[]/urlExample 1 (which fails the test):
"references": [
{
"category": "self",
"summary": "A URL that does not resolve with HTTP status code in the interval between (including) 200 and (excluding) 400.",
"url": "https://example.invalid"
}
]The
categoryisselfand a request to that URL does not resolve with a status code from the 2xx (Successful) or 3xx (Redirection) class.
If the document language is given it MUST be tested that a spell
check for the given language does not find any mistakes.
The test SHALL be skipped if the document language is not set.
It SHALL fail if the given language is not supported.
The value of /document/category SHOULD NOT be tested if the
CSAF document does not use the profile “CSAF Base”.
The relevant paths for this test are:
/document/acknowledgments[]/names[]
/document/acknowledgments[]/organization
/document/acknowledgments[]/summary
/document/aggregate_severity/text
/document/category
/document/distribution/text
/document/notes[]/audience
/document/notes[]/text
/document/notes[]/title
/document/publisher/issuing_authority
/document/publisher/name
/document/references[]/summary
/document/title
/document/tracking/aliases[]
/document/tracking/generator/engine/name
/document/tracking/revision_history[]/summary
/product_tree/branches[](/branches[])*/name
/product_tree/branches[](/branches[])*/product/name
/product_tree/branches[]/name
/product_tree/branches[]/product/name
/product_tree/full_product_names[]/name
/product_tree/product_groups[]/summary
/product_tree/relationships[]/full_product_name/name
/vulnerabilities[]/acknowledgments[]/names[]
/vulnerabilities[]/acknowledgments[]/organization
/vulnerabilities[]/acknowledgments[]/summary
/vulnerabilities[]/involvements[]/summary
/vulnerabilities[]/notes[]/audience
/vulnerabilities[]/notes[]/text
/vulnerabilities[]/notes[]/title
/vulnerabilities[]/references[]/summary
/vulnerabilities[]/remediations[]/details
/vulnerabilities[]/remediations[]/entitlements[]
/vulnerabilities[]/remediations[]/restart_required/details
/vulnerabilities[]/threats[]/details
/vulnerabilities[]/titleExample 1 (which fails the test):
"document": {
// ...
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Secruity researchers found multiple vulnerabilities in XYZ."
}
],
// ...
}There is a spelling mistake in
Secruity.
For each element of type /$defs/full_product_name_t in
/product_tree/branches it MUST be tested that
ancestor nodes along the path exist which use the following branch
categories vendor -> product_name ->
product_version in that
order starting with the Product tree node.
Other branch categories can be used before, after or between the aforementioned branch categories without making the test invalid.
The relevant paths for this test are:
/product_tree/branchesExample 1 (which fails the test):
"branches": [
{
"category": "vendor",
"name": "Example Company",
"branches": [
{
"category": "product_name",
"name": "Product A",
"branches": [
{
"category": "patch_level",
"name": "91",
"product": {
"product_id": "CSAFPID-0002",
"name": "Example Company Product A Update 91"
}
}
]
}
]
}
]The product
CSAFPID-9080700does not have any ancestor with the branch categoryproduct_version.
For each element of type /$defs/branches_t it MUST be
tested that the category is not
product_version_range.
It is usually hard decide for machines whether a product version matches a product version ranges. Therefore, it is recommended to avoid version ranges and enumerate versions wherever possible.
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/categoryExample 1 (which fails the test):
"category": "product_version_range",The category
product_version_rangewas used.
For each element of type /$defs/branches_t with
category of product_version it MUST be tested
that
the value of name does not start with v or
V before the version.
To implement this test it is deemed sufficient that the value of
namedoes not match the following regex:^[vV][0-9].*$
The relevant paths for this test are:
/product_tree/branches[](/branches[])*/nameExample 1 (which fails the test):
"branches": [
{
"category": "product_version",
"name": "v4.2",
// ...
}
]The product version starts with a
v.
For each item in the list of metrics it MUST be tested that a
cvss_v4 object is present.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/contentExample 1 (which fails the test):
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"metrics": [
{
"content": {
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10,
"baseSeverity": "CRITICAL"
}
},
"products": [
"CSAFPID-9080700"
]
}
]
}
]There is no CVSS v4.0 score given for
CSAFPID-9080700.
For each SSVC decision point given under selections with
the namespace of ssvc, it MUST be tested the
latest decision point version available at the time of the
timestamp was used.
The test SHALL fail if a later version was used.
A list of all valid decision points including their values is available at the SSVC repository.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]Example 1 (which fails the test):
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Mission Impact",
"namespace": "ssvc",
"values": [
"Non-Essential Degraded"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]At the timestamp
2024-01-24T10:00:00.000Zversion2.0.0of the SSVC decision pointMission Impactwas already available.
For each SSVC decision point given under selections, it
MUST be tested the namespace is not a private one if the
document is not labeled TLP:CLEAR.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespaceExample 1 (which fails the test):
{
"document": {
// ...
"distribution": {
"tlp": {
"label": "GREEN"
}
},
// ...
}
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Technical Impact",
"namespace": "x_custom",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]
}The namespace
x_customis a private namespace. Its decision point definitions might therefore not be known to the reader of the document.
For each SSVC decision point given under selections, it
MUST be tested the namespace does not use an
extension
if the document is not labeled TLP:CLEAR.
The relevant path for this test is:
/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespaceExample 1 (which fails the test):
{
"document": {
// ...
"distribution": {
"tlp": {
"label": "GREEN"
}
},
// ...
}
"vulnerabilities": [
{
"cve": "CVE-1900-0001",
"metrics": [
{
"content": {
"ssvc_v1": {
"id": "CVE-1900-0001",
"schemaVersion": "1-0-1",
"selections": [
{
"name": "Technical Impact",
"namespace": "ssvc/additional-technical-impacts",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "2024-01-24T10:00:00.000Z"
}
},
// ...
}
]
}
]
}The namespace contains the extension
additional-technical-impacts. Its decision point definitions might therefore not be known to the reader of the document.
If the document language is given it MUST be tested that a grammar check for the given language does not find any mistakes. The test SHALL be skipped if the document language is not set. It SHALL fail if the given language is not supported.
The relevant paths for this test are:
/document/acknowledgments[]/summary
/document/aggregate_severity/text
/document/distribution/text
/document/notes[]/audience
/document/notes[]/text
/document/notes[]/title
/document/publisher/issuing_authority
/document/references[]/summary
/document/title
/document/tracking/revision_history[]/summary
/product_tree/product_groups[]/summary
/vulnerabilities[]/acknowledgments[]/summary
/vulnerabilities[]/involvements[]/summary
/vulnerabilities[]/notes[]/audience
/vulnerabilities[]/notes[]/text
/vulnerabilities[]/notes[]/title
/vulnerabilities[]/references[]/summary
/vulnerabilities[]/remediations[]/details
/vulnerabilities[]/remediations[]/entitlements[]
/vulnerabilities[]/remediations[]/restart_required/details
/vulnerabilities[]/threats[]/details
/vulnerabilities[]/titleExample 1 (which fails the test):
"document": {
// ...
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The security hardening guide must followed for ensure secure operations of a products."
}
],
// ...
}Multiple grammar mistakes exist:
- a
beis missing betweenmustandfollowed- the
forneeds to be atoa productsis also incorrect asaindicates singular.
It MUST be tested that the all license identifiers and exceptions are listed either in the official SPDX license identifier list or AboutCode’s “ScanCode LicenseDB”.
The relevant path for this test is:
/document/license_expressionExample 1 (which fails the test):
"license_expression": "LicenseRef-www.example.com-no-work-pd",The
license_expressioncontains a license identifier that is neither listed in the official SPDX license identifier list nor AboutCode’s “ScanCode LicenseDB”.
A test preset is a predefined set of tests that was given a name. It MAY contain any number of tests. Two presets MAY overlap. The content of a preset MAY vary in different CSAF versions. A CSAF validator MUST support every official preset that solely include tests that are implemented by the CSAF validator. A CSAF validator MAY provide or support additional presets. A CSAF validator MUST implement all tests for any supported preset. Names of presets not defined in this CSAF standard SHALL have the following prefix before their name:
x_: for any CSAF validator specific preset.org_ followed by an organization identifier and an
underscore (_): for any preset specified by an organization
as a part of a public definition[0-9a-zA-Z-].csaf_: for any preset defined later on by the OASIS
CSAF TC.Official presets are defined in different parts of the standard.
The following presets are defined through subsections of the test section:
mandatory: all tests given in section 6.1recommended: all tests given in section 6.2informative: all tests given in section 6.3The following presets are defined through conformance targets:
schema: Check against the JSON schema (see section sec)basic: schema + mandatory
(see section sec)extended: basic + recommended
(see section sec)full: extended + informative
(see section sec)As presets are sets, the operator + MUST be interpreted
as the union operation.
Additional presets are defined as follows:
external-request-free:
full excluding tests 6.3.6consistent-revision-history:
consistent-date-times:
This section lists requirements and roles defined for distributing CSAF documents. The first subsection provides all requirements - the second one the roles. It is mandatory to fulfill the basic role “CSAF publisher”. The last section provides specific rules for the process of retrieving CSAF documents.
The requirements in this subsection are consecutively numbered to be able to refer to them directly. The order does not give any hint about the importance. Not all requirements have to be fulfilled to conform to this specification - the sets of requirements per conformance clause are defined in section 7.2.
The document is a valid CSAF document (cf. Conformance clause 1).
The CSAF document has a filename according to the rules in section 5.1.
The CSAF document is per default retrievable from a website which uses TLS for encryption and server authenticity. The CSAF document MUST NOT be downloadable from a location which does not encrypt the transport when crossing organizational boundaries to maintain the chain of custody.
If the CSAF document is labeled TLP:CLEAR, it MUST be freely accessible.
This does not exclude that such a document is also available in an access protected customer portal. However, there MUST be one copy of the document available for people without access to the portal.
Reasoning: If an advisory is already in the media, an end user should not be forced to collect the pieces of information from a press release but be able to retrieve the CSAF document.
CSAF documents labeled TLP:AMBER, TLP:AMBER+STRICT or TLP:RED MUST be access protected. If they are provided via a web server this SHALL be done under a different path than for TLP:CLEAR, TLP:GREEN and unlabeled CSAF documents. TLS client authentication, access tokens or any other automatable authentication method SHALL be used.
An issuing party MAY agree with the recipients to use any kind of secured drop at the recipients’ side to avoid putting them on their own website. However, it MUST be ensured that the documents are still access protected.
Redirects SHOULD NOT be used. If they are inevitable only HTTP Header redirects are allowed.
Reasoning: Clients should not parse the payload for navigation and some, as e.g.
curl, do not follow any other kind of redirects.
If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects.
The party MUST provide a valid provider-metadata.json
according to the schema CSAF provider metadata for its own metadata.
The publisher object SHOULD match the one used in the CSAF
documents of the issuing party but can be set to whatever value a
CSAF aggregator SHOULD display over any individual
publisher values in the CSAF documents themselves.
This information is used to collect the data for CSAF aggregators, listers and end users. The CSAF provider metadata schema ensures the consistency of the metadata for a CSAF provider across the ecosystem. Other approaches, like extracting the
publisherobject from CSAF documents, are likely to fail if the object differs between CSAF documents.It is suggested to put the file
provider-metadata.jsonadjacent to the ROLIE feed documents (requirement 15) or in the main directory adjacent to the year folders (requirement 14),changes.csv(requirement 13) and theindex.txt(requirement 12). Suggested locations to store theprovider-metadata.jsonare:
Example 1 (minimal with ROLIE document):
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/provider.json",
"canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
"distributions": [
{
"rolie": {
"feeds": [
{
"last_updated": "2024-01-24T20:20:56.169Z",
"summary": "All TLP:CLEAR advisories of Example Company.",
"tlp_label": "CLEAR",
"url": "https://www.example.com/.well-known/csaf/feed-tlp-clear.json"
}
]
}
}
],
"last_updated": "2024-01-24T20:20:56.169Z",
"list_on_CSAF_aggregators": true,
"metadata_version": "2.1",
"mirror_on_CSAF_aggregators": true,
"public_openpgp_keys": [
{
"fingerprint": "8F5F267907B2C4559DB360DB2294BA7D2B2298B1",
"url": "https://keys.example.net/vks/v1/by-fingerprint/8F5F267907B2C4559DB360DB2294BA7D2B2298B1"
}
],
"publisher": {
"category": "vendor",
"name": "Example Company ProductCERT",
"namespace": "https://psirt.example.com"
},
"role": "csaf_trusted_provider"
}The maintained_until and maintained_from
properties can be used to indicate that the distributions contained in
provider-metadata.json at
the given canonical_url are only guaranteed to be
maintained until or after the specified date and time.
This SHOULD be used to support a transition period between CSAF 2.0 and
CSAF 2.1 (cf. section sec).
CSAF downloaders (cf. section sec) and programs
retrieving or providing a provider-metadata.json
SHOULD evaluate this property and emit a warning if the current date is
less than 90 days away from maintained_until and an error
if the current
date exceeds maintained_until.
The programs MAY provide a non-default option to use the
provider-metadata.json anyway.
Furthermore, such programs SHOULD evaluate the
maintained_from property and output a warning if the
current date is still before the maintained_from
timestamp.
If a CSAF publisher (cf. section 7.2.1) does not provide the
provider-metadata.json,
an aggregator SHOULD contact the CSAF publisher in question to determine
the values for list_on_CSAF_aggregators and
mirror_on_CSAF_aggregators.
If that is impossible or if the CSAF publisher is unresponsive the
following values MUST be used:
"list_on_CSAF_aggregators": true,
"mirror_on_CSAF_aggregators": falseThis prevents that CSAF documents of a CSAF publisher which have been collected by one CSAF aggregator A are mirrored again on a second CSAF aggregator B. Such cascades are prone to outdated information. If the first aggregator A collects the CSAF documents on best effort and B copies the files from A and announces that this is done weekly, one might assume that B’s CSAF documents are more recent. However, that is not the case as B’s information depends on A.
In the security.txt there MUST be at least one field
CSAF which points to the
provider-metadata.json (requirement 7). If this field indicates a web URI, then it MUST begin with “https://” (as per section 2.7.2 of [RFC7230]).
See [SECURITY-TXT] for more details.
The security.txt was published as [RFC9116] in April 2022. The
CSAFfield was officially added through the IANA registry.
CSAF: https://www.example.com/.well-known/csaf/provider-metadata.json
CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
CSAF: https://domain.tld/security/csaf/provider-metadata.jsonIt is possible to advertise more than one
provider-metadata.json by adding multiple CSAF
fields,
e.g. in case of changes to the organizational structure through mergers
and acquisitions.
However, this SHOULD NOT be done and removed as soon as possible.
A valid use case for temporarily including multiple entries would be a
transition phase between different CSAF versions, in which
documents
and provider metadata of both versions are served simultaneously
(cf. section sec).
If one of the URLs fulfills requirement 9, it MUST be set as the first
CSAF entry in the security.txt.
The URL path /.well-known/csaf/provider-metadata.json
under the main domain of the issuing authority serves directly
the provider-metadata.json according to requirement 7. That
implies that redirects SHALL NOT be used.
The use of the scheme “HTTPS” is required. See [RFC8615] for more details.
https://www.example.com/.well-known/csaf/provider-metadata.jsonAs specified in sec, the value of
canonical_url MAY differ from the URL that was
requested as a part of this requirement.
Such state is intended and MUST NOT be reported as error.
Assuming that the organization’s main domain is
domain.tld, the DNS record
csaf.data.security.domain.tld SHALL resolve
to the IP address of a web server which serves directly the
provider-metadata.json according to requirement 7.
The
domain.tldis just a placeholder for the organization’s main domain. For the organization with the main domain beingexample.com, the necessary DNS record iscsaf.data.security.example.com.
That implies that redirects SHALL NOT be used. The use of the scheme “HTTPS” is required.
The CSAF documents MUST be located within folders named
<YYYY> where <YYYY> is the year
given in the
value of /document/tracking/initial_release_date.
2024
2023The file index.txt MUST contain the list of all filenames of CSAF documents which are located in the sub-directories with their filenames. Each entry SHALL be terminated by a newline sequence. The last entry MAY skip the newline sequence.
If different TLP labels are used, multiple index.txt exist. However, they are located in the corresponding folders and contain only the filenames of files for that TLP label.
2023/esa-2023-09953.json
2022/esa-2022-02723.json
2021/esa-2021-31916.json
2021/esa-2021-03676.jsonThis can be used to download all CSAF documents.
The file changes.csv contains a list of CSAF documents
in the current TLP level that were changed recently.
Therefore, it MUST contain the filename as well as the value of
/document/tracking/current_release_date for each
CSAF document in the sub-directories without a heading; lines MUST be
sorted by the current_release_date timestamp with the
latest one first.
The changes.csv SHALL be a valid comma separated values
format as defined by [RFC4180] without double
quotes.
Note: As a consequence of section sec Requirement 2 for filenames and section sec Requirement for directory names, there must not be any characters within the
changes.csvthat would require quoting.
2023/esa-2023-09953.json,2023-07-01T10:09:07Z
2021/esa-2021-03676.json,2023-07-01T10:09:01Z
2022/esa-2022-02723.json,2022-04-17T15:08:41Z
2021/esa-2021-31916.json,2022-03-01T06:01:00ZNote: As CSAF 2.0 requires quotes, an [RFC4180] parser can read both format revisions.
Server-side generated directory listing SHALL be enabled to support manual navigation.
As the content of the directory listing is more or less static, there is little to no benefit in using of client-side scripts. Moreover, client-side scripts, like JavaScript, are usually not evaluated in text-based browsers and are also hard to check programmatically.
Resource-Oriented Lightweight Information Exchange (ROLIE) is a standard to ease discovery of security content. ROLIE is built on top of the Atom Publishing Format and Protocol, with specific requirements that support publishing security content. All CSAF documents with the same TLP level MUST be listed in a single ROLIE feed (summary feed). Additional ROLIE feeds might exist that contain only a subset of the CSAF documents. The selection criteria SHOULD be described through the summary. At least one of the feeds
MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].
The ROLIE feed document MUST contain a feed category with the
registered ROLIE information type csaf.
The scheme for this category MUST be
urn:ietf:params:rolie:category:information-type.
{
"feed": {
"id": "example-csaf-feed-tlp-clear",
"title": "Example CSAF feed (TLP:CLEAR)",
"link": [
{
"rel": "self",
"href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-clear.json"
}
],
"category": [
{
"scheme": "urn:ietf:params:rolie:category:information-type",
"term": "csaf"
}
],
"updated": "2024-01-01T12:00:00.000Z",
"entry": [
{
"id": "ESA-2024-001",
"title": "Multiple vulnerabilities in ABC 0.0.2",
"link": [
{
"rel": "self",
"href": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json"
},
{
"rel": "hash",
"href": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json.sha512"
},
{
"rel": "signature",
"href": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json.asc"
}
],
"published": "2024-01-01T11:00:00.000Z",
"updated": "2024-01-01T12:00:00.000Z",
"summary": {
"content": "Multiple vulnerabilities were fixed in ABC 0.0.3"
},
"content": {
"type": "application/json",
"src": "https://psirt.domain.tld/advisories/csaf/2024/esa-2024-001.json"
},
"format": {
"schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json",
"version": "2.1"
}
}
]
}
}Any existing hash file (requirement 18) MUST be listed in the
corresponding entry of the ROLIE feed as an item of
the array link having the rel value of
hash.
Any existing signature file (requirement 19) MUST be listed in the
corresponding entry of the ROLIE feed as an item of the array
link
having the rel value of signature.
The use and therefore the existence of ROLIE service document is
optional.
If it is used, each ROLIE service document MUST be a JSON file that
conforms with [RFC8322] and lists the ROLIE feed
documents.
Additionally, it can also list the corresponding ROLIE category
documents.
The ROLIE service document SHOULD use the filename
service.json and reside next to the
provider-metadata.json.
{
"service": {
"workspace": [
{
"title": "Public CSAF feed",
"collection": [
{
"title": "Example CSAF feed (TLP:CLEAR)",
"href": "https://psirt.domain.tld/advisories/csaf/feed-tlp-clear.json",
"categories": {
"category": [
{
"scheme": "urn:ietf:params:rolie:category:information-type",
"term": "csaf"
}
]
}
}
]
}
]
}
}The use and therefore the existence of ROLIE category document is optional. If it is used, each ROLIE category document MUST be a JSON file that conforms with [RFC8322]. A ROLIE category document SHOULD reside next to the corresponding ROLIE feed. ROLIE categories SHOULD be used for to further dissect CSAF documents by one or more of the following criteria:
document category
document language
values of the branch category within the Product Tree including but not limited to
vendorproduct_familyproduct_nameproduct_versiontype of product
CPU
Firewall
Monitor
PLC
Printer
Router
Sensor
Serverareas or sectors, the products are used in
Chemical
Commercial
Communication
Critical Manufacturing
Dams
Energy
Healthcare
Waterany other categorization useful to the consumers
{
"categories": {
"category": [
{
"term": "Example Company Product A"
},
{
"term": "Example Company Product B"
}
]
}
}All CSAF documents SHALL have at least one hash file computed with a secure cryptographic hash algorithm (e.g. SHA-512 or SHA-3) to ensure their integrity. The filename is constructed by appending the file extension which is given by the algorithm.
MD5 and SHA1 SHOULD NOT be used.
File name of CSAF document: esa-2022-02723.json
File name of SHA-256 hash file: esa-2022-02723.json.sha256
File name of SHA-512 hash file: esa-2022-02723.json.sha512The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.
ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.jsonIf a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15.
All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See [RFC4880] for more details.
File name of CSAF document: esa-2022-02723.json
File name of signature file: esa-2022-02723.json.ascIf a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.
At all times, signatures MUST remain valid for a minimum of 30 days and ideally for at least 90 days. When executing CSAF document signatures, the signing party SHOULD adhere to or surpass the prevailing best practices and recommendations regarding key length. Tools SHOULD treat the violation of the rules given in the first sentence as:
The public part of the OpenPGP key used to sign the CSAF documents MUST be available. This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server.
For example, the public part of the OpenPGP key could be placed in a directory
openpgpadjacent to theprovider-metadata.json.
The OpenPGP key SHOULD have a strength that is considered secure.
Guidance on OpenPGP key strength can be retrieved from technical guidelines of competent authorities.
The file aggregator.json MUST be present and valid
according to the JSON schema CSAF aggregator.
It MUST NOT be stored adjacent to a
provider-metadata.json.
Suggested locations to store the
aggregator.jsonare:
The file aggregator.json SHOULD only list the latest
version of the metadata of a CSAF provider.
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/aggregator.json",
"aggregator": {
"category": "lister",
"contact_details": "Example CSAF Lister can be reached at contact_us@lister.example, or via our website at https://lister.example/security/csaf/aggregator/contact.",
"issuing_authority": "This service is provided as it is. It is free for everybody.",
"name": "Example CSAF Lister",
"namespace": "https://lister.example"
},
"aggregator_version": "2.1",
"canonical_url": "https://aggregator.example/.well-known/csaf-aggregator/aggregator.json",
"csaf_providers": [
{
"metadata": {
"last_updated": "2024-01-12T20:20:56.169Z",
"publisher": {
"category": "vendor",
"name": "Example Company ProductCERT",
"namespace": "https://psirt.example.com"
},
"role": "csaf_provider",
"url": "https://www.example.com/.well-known/csaf/provider-metadata.json"
}
},
{
"metadata": {
"last_updated": "2024-01-12T21:35:38.000Z",
"publisher": {
"category": "coordinator",
"name": "Example Coordinator CERT",
"namespace": "https://cert.example"
},
"role": "csaf_trusted_provider",
"url": "https://cert.example/advisories/csaf/provider-metadata.json"
}
}
],
"last_updated": "2024-01-24T22:35:38.978Z"
}The file aggregator.json (requirement 21) lists at least
two disjoint CSAF providers (including CSAF trusted providers)
or one CSAF publisher and one CSAF provider (including CSAF trusted
provider).
The CSAF documents for each issuing party that is mirrored MUST be in
a different folder.
The folder name SHOULD be retrieved from the name of the issuing
authority.
This folders MUST be adjacent to the aggregator.json
(requirement 21).
Each such folder MUST at least:
provider-metadata.json for the current
issuing party. {
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/aggregator.json",
"aggregator": {
"category": "aggregator",
"contact_details": "Example Aggregator can be reached at contact_us@aggregator.example, or via our website at https://aggregator.example/security/csaf/aggregator/contact.",
"issuing_authority": "This service is provided as it is. It is free for everybody.",
"name": "Example Aggregator",
"namespace": "https://aggregator.example"
},
"aggregator_version": "2.1",
"canonical_url": "https://aggregator.example/.well-known/csaf-aggregator/aggregator.json",
"csaf_providers": [
{
"metadata": {
"last_updated": "2024-01-12T20:20:56.169Z",
"publisher": {
"category": "vendor",
"name": "Example Company ProductCERT",
"namespace": "https://psirt.example.com"
},
"role": "csaf_provider",
"url": "https://www.example.com/.well-known/csaf/provider-metadata.json"
},
"mirrors": [
"https://aggregator.example/.well-known/csaf-aggregator/Example_Company_ProductCERT/provider-metadata.json"
]
},
{
"metadata": {
"last_updated": "2024-01-12T21:35:38.000Z",
"publisher": {
"category": "coordinator",
"name": "Example Coordinator CERT",
"namespace": "https://cert.example"
},
"role": "csaf_trusted_provider",
"url": "https://cert.example/advisories/csaf/provider-metadata.json"
},
"mirrors": [
"https://aggregator.example/.well-known/csaf-aggregator/Example_Coordinator_CERT/provider-metadata.json"
]
}
],
"last_updated": "2024-01-24T22:35:38.978Z"
}Access to the CSAF related files and directories provided, for both metadata and documents, MUST be allowed independent of the value of HTTP User-Agent.
Limit the value of HTTP User-Agents to a certain set would hinder adoption of tools retrieving the files.
The only exception is that the temporary blocking of certain HTTP User-Agents is allowed to mitigate an ongoing security incident (e.g. a DoS attack on the web server serving the CSAF files). However, a less severe measure with a similar effect SHOULD be used. CSAF related files and directories SHOULD be exempted from temporary blocking. The temporary blocking SHOULD be removed as soon as possible, at latest two weeks after the security incident process was completed.
Also confer to the TC’s guidance on content delivery networks and caching.
For any CSAF documents and related metadata, the web server SHOULD
set the HTTP header Access-Control-Allow-Origin: *.
The HTTP header enables users to access the CSAF data with web browser based clients.
The value of the HTTP header MAY be altered to allow just specified
domains.
In such case, the response SHOULD follow the recommendations of [FETCH] including but not limited to those about the
Vary header.
Such restriction may allow the allow-listed domains to send credentials.
This subsection groups the requirements from the previous subsection into named sets which target the roles with the same name. This allows end users to request their suppliers to fulfill a certain set of requirements. A supplier can use roles for advertising and marketing.
The roles “CSAF publisher”, “CSAF provider”, and “CSAF trusted provider” are intended directly for issuing parties and form the first group. The second group consists of the roles “CSAF lister” and “CSAF aggregator”. They collect data from the aforementioned issuing parties of the first group and provide them in a single place to aid in automation. Parties of the second group can also issue their own advisories. However, they MUST follow the rules for the first group for that.
Both, a CSAF lister and a CSAF aggregator, decide based on their own rules which issuing parties to list respectively to mirror. However, an issuing party MAY apply to be listed or mirrored.
Issuing parties MUST indicate through the value false in
list_on_CSAF_aggregators if they do not want to be
listed.
Issuing parties MUST indicate through the value false in
mirror_on_CSAF_aggregators if they do not want to be
mirrored.
The values are independent.
The combination of the value false in
list_on_CSAF_aggregators and true in
mirror_on_CSAF_aggregators implies that
the issuing party does not want to be listed without having the CSAF
documents mirrored.
Therefore, a CSAF aggregator can list that issuing party if it mirrors
the files.
A distributing party satisfies the “CSAF publisher” role if the party:
A CSAF publisher satisfies the “CSAF provider” role if the party fulfills the following three groups of requirements:
Firstly, the party:
Secondly, the party:
Thirdly, the party:
If the party uses the ROLIE-based distribution, it MUST also satisfy requirements 15 to 17. If it uses the directory-based distribution, it MUST also satisfy requirements 11 to 14.
A CSAF provider satisfies the “CSAF trusted provider” role if the party:
A distributing party satisfies the “CSAF lister” role if the party:
lister for
/aggregator/category.The purpose of this role is to provide a list of URLs where to find CSAF documents. It is not assumed that the list will be complete.
A distributing party satisfies the “CSAF aggregator” role if the party:
aggregator for
/aggregator/category.provider-metadata.json.Additionally, a CSAF aggregator MAY list one or more issuing parties that it does not mirror.
The purpose of this role is to provide a single point where CSAF documents can be retrieved. Multiple CSAF aggregators are expected to exist around the world. None of them is required to mirror all CSAF documents of all issuing parties. CSAF aggregators can be provided for free or as a paid service.
To aid in automation, CSAF aggregators MAY mirror CSAF documents from CSAF publishers. Regarding the terms of use they SHOULD consult with the issuing party. The purpose of this option is that a consumer can retrieve CSAF documents from a CSAF publisher as if this issuing party would be a CSAF trusted provider. To reach that goal, a CSAF aggregator collects the CSAF documents from the CSAF publisher and mirrors it. The collection process MAY be automated or manual. CSAF aggregators announce the collection interval through the field
update_intervalin the corresponding item of the CSAF publishers list (csaf_publishers) in theiraggregator.json. To minimize the implementation efforts and process overhead, a CSAF aggregator MAY upload the CSAF documents of a CSAF publisher into an internal instance of a CSAF provider software. Such construct is called “CSAF proxy provider” as it can be mirrored by the CSAF aggregator software. However, such a CSAF proxy provider MUST NOT be accessible from anyone else than the CSAF aggregator itself. Otherwise, that would violate the second rule of section 7.2.1. Therefore, it is recommended to expose the CSAF proxy provider only on localhost and allow the access only from the CSAF aggregator software.
The retrieving process executes in two phases: Finding the
provider-metadata.json (requirement 7 in section 7.1) and
retrieving CSAF documents.
A retrieving party SHOULD do the first phase every time. Based on the setup and use case of the retrieving party it MAY choose to do it less often, e.g. only when adding new or updating distributing parties. In that case, it SHOULD to check regularly whether new information is available.
Direct locating: The following process SHOULD be
used to determine the location of a
provider-metadata.json
(requirement 7 in section 7.1) based on the
main domain of the issuing party.
First, an ordered list of possible
provider-metadata.json candidates SHOULD be generated in
the following way:
Second, select one or more provider-metadata.json to use
from the list of valid candidates.
If the retrieving party is only able to process one
provider-metadata.json, the first one in the list SHOULD be
chosen.
The term “checking” used in the listing above SHOULD be understood as follows: Try to access the resource and test whether the response provides an expected result as defined in the requirement in section 7.1. If that is the case, the response is added to the list of candidates - otherwise not. If the resource yields more than one response, the responses are added to the list in the order they are returned from the resource.
Indirect locating: A retrieving party MAY choose to
determine the location of a provider-metadata.json by
retrieving
its location from an aggregator.json (requirement 21 in
section 7.1) of a CSAF lister or CSAF
aggregator.
Given a provider-metadata.json, the following process
SHOULD be used to retrieve CSAF documents:
provider-metadata.json to determine whether
the directory-based (requirements 11 to 14 in section 7.1)This subsection details the process that SHOULD be followed when transitioning the distribution of documents from CSAF 2.0 to CSAF 2.1. Different scenarios can be encountered:
provider-metadata.json to CSAF 2.1.In the last scenario, a temporary parallel distribution of CSAF 2.0 and CSAF 2.1 documents and provider metadata is RECOMMENDED. The provider SHOULD announce a transition period containing three points in time:
The announcement MAY contain also the following information:
provider-metadata.json.provider-metadata.json.The following process SHOULD be followed:
provider-metadata.json in conformance to CSAF 2.0
SHOULD be placed at
/.well-known/csaf/v2.0/provider-metadata.json.
canonical_url MUST be set to an URL corresponding
to the /.well-known/csaf/v2.0/provider-metadata.json
path.maintained_until was not defined in CSAF
2.0 and therefore cannot be used -provider-metadata.json in conformance to CSAF 2.1
SHOULD be placed at
/.well-known/csaf/v2.1/provider-metadata.json.
canonical_url MUST be set to an URL corresponding
to the /.well-known/csaf/v2.1/provider-metadata.json
path.maintained_from can be set to
an appropriate date in the future, if the service is not considered
stable yet.maintained_from as this is the point in timeprovider-metadata.json in conformance to CSAF 2.0 SHOULD be
placed at /.well-known/csaf/provider-metadata.json.
/.well-known/csaf/v2.0/provider-metadata.json.provider-metadata.json in
conformance to CSAF 2.1 SHOULD be placed at
/.well-known/csaf/provider-metadata.json.
/.well-known/csaf/v2.1/provider-metadata.json.provider-metadata.json SHOULD be removed from the
security.txt.
If a DNS path (cf. section sec) is used instead of the well-known URL, the same process SHOULD be followed taking the rules below into account:
provider-metadata.json is
always served according to the DNS path requirement (see section sec).provider-metadata.json is
served at the beginning andprovider-metadata.json at the
roll-over-date.v2.0 and
v2.1 to differentiate between the CSAF versions.The following rules apply for the archival of CSAF document from a previous version:
/.well-known/csaf/archive/ and use the file name
v2.0.tar.zst, v2.0.tar.bz2 or
v2.0.tar.xz.Similarly, to the transition process for a CSAF provider, the same process SHOULD be used for a CSAF aggregator. It is RECOMMENDED to use the following URLs during the process:
/.well-known/csaf-aggregator/aggregator.json for the
currently valid aggregator metadata./.well-known/csaf-aggregator/v2.0/aggregator.json for a
valid CSAF 2.0 aggregator.json/.well-known/csaf-aggregator/v2.1/aggregator.json for a
valid CSAF 2.1 aggregator.jsonA CSAF 2.1 aggregator MUST only sync and list CSAF 2.1 publishers and providers.
CSAF documents are based on JSON, thus the security considerations of [RFC8259] apply and are repeated here as service for the reader:
Generally, there are security issues with scripting languages. JSON is a subset of JavaScript but excludes assignment and invocation.
Since JSON’s syntax is borrowed from JavaScript, it is possible to use that language’s
eval()function to parse most JSON texts (but not all; certain characters such asU+2028 LINE SEPARATORandU+2029 PARAGRAPH SEPARATORare legal in JSON but not JavaScript). This generally constitutes an unacceptable security risk, since the text could contain executable code along with data declarations. The same consideration applies to the use of eval()-like functions in any other programming language in which JSON texts conform to that language’s syntax.
In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF. Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following:
cmark Markdown processor [GFMCMARK].data:image/svg+xml),--safe option in the cmark Markdown
processor)javascript: links),The distribution requirements of CSAF data allow to specify domains
as the value of the HTTP header
Access-Control-Allow-Origin.
While a wildcard (*) as header value usually prevents
implementing browsers from sending credentials during the CORS
request,
the restriction to specified domains often enables sending
credentials.
Allowing several specified domains results in using dynamics on the
server, which can widen the attack surface by using more code and
configuration.
Furthermore, this might reveal information about internal structures,
e.g. which domains are allowed to send credentials, or which tools are
used.
Given that credentials from a browser are a potent tool in the event of
an attack, restricting the origins seems to imply a higher risk
and
therefore less secure than allowing all domains without credentials.
As setting the Access-Control-Allow-Origin header
potentially allows for cross site request forgery,
it SHOULD only be served on files and directories containing CSAF
data.
For any restricted feeds, standard authentication methods SHOULD be used
that are not send by web browsers if the wildcard is used as header
value.
In the only subsection of this section, the conformance targets and clauses are listed. The clauses, matching the targets one to one, are listed in separate sub-subsections of the targets listing subsection.
Informative Comments:
The order in which targets, and their corresponding clauses appear is somewhat arbitrary as there is no natural order on such diverse roles participating in the document exchanging ecosystem.
Except for the target CSAF document, all other 24 targets span a taxonomy of the complex CSAF ecosystems existing in and between diverse security advisory generating, sharing, and consuming communities.
In any case, there are no capabilities organized in increasing quality levels for targets because the security advisory sharing communities follow the chain link model. Instead, a single minimum capability level for every target is given to maintain important goals of providing a common framework for security advisories:
- Fast production, sharing, and actionable consumption of security advisories
- Consistent end to end automation through collaborating actors
- Clear baseline across the communities per this specification
- Additional per-community cooperative extensions which may flow back into future updates of this specification
This document defines requirements for the CSAF file format and for certain software components that interact with it. The entities (“conformance targets”) for which this document defines requirements are:
A text file or data stream satisfies the “CSAF document” conformance profile if it:
A program satisfies the “CSAF producer” conformance profile if the program:
An analysis tool satisfies the “CSAF direct producer” conformance profile if the analysis tool:
A converter satisfies the “CSAF converter” conformance profile if the converter:
A program satisfies the “CVRF CSAF converter” conformance profile if the program fulfills the following two groups of requirements:
Firstly, the program:
Secondly, the program fulfills the following for all items of:
value type string with format
date-time: If the value contains a 60 in the
seconds place, the CVRF CSAF converter MUST replace the seconds
and their fractions with 59.999999.
In addition, the converter outputs a warning that leap seconds are now
prohibited in CSAF and the value has been replaced.
The CVRF CSAF converter SHOULD indicate in such warning message whether
the value was a valid leap second or not.
type /$defs/branches_t: If any
prod:Branch instance has the type Realm or
Resource,
the CVRF CSAF converter replaces those with the category
product_name.
In addition, the converter outputs a warning that those types do not
exist in CSAF and have been replaced with the category
product_name.
type /$defs/version_t: If any element doesn’t match
the semantic versioning,
replace the all elements of type /$defs/version_t with the
corresponding integer version.
For that, CVRF CSAF converter sorts the items of
/document/tracking/revision_history by number
ascending according to the rules of CVRF.
Then, it replaces the value of number with the index number
in the array (starting with 1).
The value of /document/tracking/version is replaced by
value of number of the corresponding revision item.
The match MUST be calculated by the original values used in the CVRF
document.
If this conversion was applied, for each Revision the original value of
cvrf:Number MUST be set as legacy_version in
the converted document.
/document/acknowledgments[]/organization and
/vulnerabilities[]/acknowledgments[]/organization:
If more than one cvrf:Organization instance is given, the
CVRF CSAF converter converts the first one into the
organization.
In addition, the converter outputs a warning that information might be
lost during conversion of document or vulnerability
acknowledgment.
/document/category:
If the cvrf:DocumentType is Security Advisory
(case-insensitive), the CVRF CSAF converter MUST try to convert the
data
into a valid CSAF document in this profile according to CSAF 2.1.
A tool MAY offer rules to create the missing fixed products from version ranges, if applicable.
If the CVRF CSAF converter is unable to create a valid CSAF 2.1
document according to the profile, it SHALL set the
category value to
csaf_deprecated_security_advisory.
If one or more CVRF elements containing an xml:lang
attribute exist and their value is English or
the document language of the CVRF document is unspecified,
the following rules apply:
cvrf:DocumentTitle starts with the string
Superseded or the cvrf:DocumentType starts
with Superseded (case-insensitive),cvrf:DocumentTitle starts with the string
Withdrawn or the cvrf:DocumentType starts with
Withdrawn (case-insensitive),A tool MAY support this detection for other languages.
If the CVRF CSAF converter is unable to create a valid CSAF 2.1
document according to the profile, it SHALL set the
category
according to the conversion rules and output a warning a potentially
withdrawn CSAF document was created which would result in an invalid
CSAF.
/document/lang: If one or more CVRF elements
containing an xml:lang attribute exist and contain the
exact same value,
the CVRF CSAF converter converts this value into
lang.
If the values of xml:lang attributes are not equal, the
CVRF CSAF converter outputs a warning that the language could not
be
determined and possibly a document with multiple languages was
produced.
In addition, it SHOULD also present all values of xml:lang
attributes as a set in the warning.
/document/license_expression: If any
cvrf:Note item with Type
Legal Disclaimer contains a valid SPDX license
expression,
the CVRF CSAF converter SHALL convert this value into
license_expression.
In addition, the converter outputs an information that license
expression was found and set as document license expression.
/document/notes: If any cvrf:Note item
contains one of the category and title
combinations specified in 3.2.2.8,
where the title is extended, the CVRF CSAF converter SHALL
try to identify whether that extension is a specific product name,
version or family.
In such case, the CVRF CSAF converter SHALL try to add the corresponding
products to the note item and output a warning that a potential
product
specific note has been discovered and products have been assigned to
it.
Such warning MUST also include the note and the assigned products.
If the CVRF CSAF converter is unable to create a valid object, it MUST
remove the reference to the products and output a warning that a
potential
product specific note has been discovered and no products could been
assigned to it.
/document/publisher/name and
/document/publisher/namespace:
Sets the value as given in the configuration of the program or the
corresponding argument the program was invoked with.
If values from both sources are present, the program SHOULD prefer the
latter one.
The program SHALL NOT use hard-coded values.
/document/tracking/id: If the element
cvrf:ID contains any newline sequence or leading or
trailing white space,
the CVRF CSAF converter removes those characters.
In addition, the converter outputs a warning that the ID was
changed.
/product_tree/relationships[]: If more than one
prod:FullProductName instance is given,
the CVRF CSAF converter converts the first one into the
full_product_name.
In addition, the converter outputs a warning that information might be
lost during conversion of product relationships.
/vulnerabilities[]/cwes[]:
The CVRF CSAF converter MUST remove all preceding and trailing
white space from the name.
The CVRF CSAF converter MUST determine the CWE specification
version the given CWE was selected from by
using the latest version that matches the id and
name exactly and was published prior to the value of
/document/tracking/current_release_date of the source
document.
If no such version exist, the first matching version published after the
value of /document/tracking/current_release_date
of the source document SHOULD be used.
This is done to create a deterministic conversion.
If the CWE does not match at all, the CVRF CSAF converter MUST omit this CWE and output a warning that an invalid CWE was found and has been removed.
If a vuln:CWE instance refers to a CWE category or
view, the CVRF CSAF converter MUST omit this instance and output a
warning that this CWE has been removed as its usage is not allowed in
vulnerability mappings.
/vulnerabilities[]/disclosure_date: If a
vuln:ReleaseDate was given, the CVRF CSAF converter MUST
convert its value into the disclosure_date
element.
/vulnerabilities[]/ids: If a vuln:ID
element is given, the CVRF CSAF converter converts it into the first
item of the ids array.
/vulnerabilities[]/metrics[]:
For any CVSS v4 element, the CVRF CSAF converter MUST compute the
baseSeverity from the baseScore according
to
the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS
v4.0.)
For any CVSS v3 element, the CVRF CSAF converter MUST compute the
baseSeverity from the baseScore according
to
the rules of the applicable CVSS standard.
If no product_id is given, the CVRF CSAF converter
appends all Product IDs which are listed under
../product_status in
the arrays known_affected, first_affected and
last_affected.
If none of these arrays exist, the CVRF CSAF converter outputs an error
that no matching Product ID was found for this score element.
If a vectorString is missing, the CVRF CSAF
converter outputs an error that the CVSS element could not be converted
as
the CVSS vector was missing.
A CVRF CSAF converter MAY offer a configuration option to delete such
elements.
If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information.
To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element, the CVRF CSAF converter uses the following steps:
Retrieve the CVSS version from the CVSS vector, if present.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1Retrieve the CVSS version from the CVSS element’s namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element’s namespace.
xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
<!-- -->
<cvssv31:ScoreSetV3>is handled the same as
<ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">Retrieve the CVSS version from the CVSS namespace given in the root element, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the global namespace. If more than one CVSS namespace is present and the element is not clearly defined via the namespace, this step MUST be skipped without a decision.
xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0Retrieve the CVSS version from a config value, which defaults to
3.0.
(As CSAF CVRF v1.2 predates CVSS v3.1.) The CVRF CSAF converter outputs
a warning that this value was taken from the config.
/vulnerabilities[]/metrics/cvss_v4: If an external
reference in the vulnerability linking to the official FIRST.org CVSS
v4.0 calculator exists,
the CVRF CSAF converter MUST convert the vector given in the fragment
into a cvss_v4 object linked to all affected products of
the vulnerability.
> A tool MAY implement an option to suppress this conversion.
> If the CVRF CSAF converter converter is unable to construct a valid
object with the information given, the CVRF CSAF converter converter
SHALL
> remove the invalid cvss_v4 object and output a warning
that the automatic conversion of the CVSS v4.0 reference failed.
> Such warning SHOULD include the specific error that
occurred.
/vulnerabilities[]/notes: If any
vuln:Note item contains one of the category
and title combinations specified in
3.2.4.11, where the
title is extended, the CVRF CSAF converter SHALL try to
identify whether that extension is
a specific product name, version or family.
In such case, the CVRF CSAF converter SHALL try to add the corresponding
products to the note item and output a warning that a potential
product
specific note has been discovered and products have been assigned to
it.
Such warning MUST also include the note and the assigned products.
If the CVRF CSAF converter is unable to create a valid object, it MUST
remove the reference to the products and output a warning that a
potential
product specific note has been discovered and no products could been
assigned to it.
/vulnerabilities[]/remediations[]:
product_ids nor group_ids are
given, the CVRF CSAF converter appends all Product IDs which are listed
under../product_status in the arrays
known_affected, first_affected and
last_affected into product_ids.Vendor Fix into the category optional_patch if
the product invendor_fix MUST be set.optional_patch and distribute the products accordingly
as stated by the conversion rule.None Available into the category
fix_plannedVendor Fix with a Date in the future or no
Date at all.vendor_fix.None AvailableVendor Fix with a Date in the past or to the
exact same time.none_available.The CVRF CSAF converter SHALL provide the JSON path where the warning occurred together with the warning.
A CSAF content management system satisfies the “CSAF content management system” conformance profile if the content management system:
satisfies the “CSAF producer” conformance profile.
satisfies the “CSAF viewer” conformance profile.
provides at least the following management functions:
create new CSAF documents
prefill CSAF documents based on values given in the configuration (see below)
create a new version of an existing CSAF document
checkout old versions of a CSAF document
show all differences between versions of a CSAF document
list all CSAF documents within the system
delete CSAF documents from the system
review CSAF documents in the system
approve CSAF documents
search for CSAF documents by values of required fields at
document-level or their children within the system
search for CSAF documents by values of cve within
the system
search for CSAF documents based on properties of
product_tree
filter on all properties which it is required to search for
export of CSAF documents
show an audit log for each CSAF document
identify the latest version of CSAF documents with the same
/document/tracking/id
suggest a /document/tracking/id based on the given
configuration.
track of the version of CSAF documents automatically and increment according to the versioning scheme (see also subsections of 3.1.11) selected in the configuration.
check that the document version is set correctly based on the changes in comparison to the previous version (see also subsections of 3.1.11).
suggest to use the document status interim if a CSAF
document is updated more frequent than the given threshold in
the configuration (default: 3 weeks)
suggest to publish a new version of the CSAF document with the
document status final if the document status was
interim and no new release has be done during the given
threshold in the configuration (default: 6 weeks)
> Note that the terms “publish”, “publication” and their derived
forms are used in this conformance profile independent of
> whether the specified target group is the public or a closed
group.
support the following workflows:
final (or
ìnterim based on the selection in approval or
configuration)final (or
ìnterim based on the selection in approval or
configuration)offers both: publication immediately or at a given date/time.
automates handling of date/time and version.
provides an API to retrieve all CSAF documents which are currently in the status published.
optionally provides an API to import or create new advisories from outside systems (e.g. bug tracker, CVD platform,…).
provides a user management and support at least the following roles:
may use groups to support client separation (multitenancy) and therefore restrict the roles to actions within their group. In this case, there MUST be a Group configurator which is able to change the values which are used to prefill fields in new advisories for that group. He might also do the user management for the group up to a configured level.
prefills the following fields in new CSAF documents with the values given below or based on the templates from configuration:
/$schema with the value prescribed by the schema/document/csaf_version with the value prescribed by the
schema/document/lang/document/notes
legal_disclaimer (Terms of use from the
configuration)general (General Security recommendations from the
configuration)/document/tracking/current_release_date with the
current date/document/tracking/generator and children/document/tracking/initial_release_date with the
current date/document/tracking/revision_history
date with the current datenumber (based on the templates according to the
versioning scheme configured)summary (based on the templates from configuration;
default: “Initial version.”)/document/tracking/status with draft/document/tracking/version with the value of
number the latest
/document/tracking/revision_history[] element/document/publisher and children/document/category (based on the templates from
configuration)When updating an existing CSAF document:
/document/tracking/revision_history[]/$schema with the value prescribed by the schema/document/csaf_version with the value prescribed by the
schema/document/lang/document/notes
legal_disclaimer (Terms of use from the
configuration)general (General Security recommendations from the
configuration)/document/tracking/current_release_date with the
current date/document/tracking/generator and children/document/tracking/revision_history[]
date with the current datenumber (based on the templates according to the
versioning scheme configured)/document/tracking/status with draft/document/tracking/version with the value of
number the latest
/document/tracking/revision_history[] element/document/publisher and childrenA CSAF post-processor satisfies the “CSAF post-processor” conformance profile if the post-processor:
A program satisfies the “CSAF modifier” conformance profile if the program fulfills the two following groups of requirements:
The program:
The resulting modified document:
/document/tracking/id as the
original document./document/tracking/id or compute one by appending the
original /document/tracking/id as/document/tracking/id as a
prefix./document/references[].A program satisfies the “CSAF translator” conformance profile if the program fulfills the two following groups of requirements:
The program:
The resulting translated document:
/document/tracking/id as the
original document./document/tracking/id or compute one by using the original
/document/tracking/id as/document/tracking/id as a
suffix./document/tracking/id and translated
/document/lang as a /document/tracking/id for
the translated document./document/lang property with a value
matching the language of the translation./document/source_lang to contain the
language of the original document (and SHOULD only be set by CSAF
translators).translator set in
/document/publisher/category/document/references[].references_t after the first element.A processor satisfies the “CSAF consumer” conformance profile if the processor:
A viewer satisfies the “CSAF viewer” conformance profile if the viewer fulfills the two following groups of requirements:
The viewer:
For each CVSS-Score in /vulnerabilities[]/metrics[] the
viewer:
vector if there is an
inconsistency between the vector and any other sibling
attribute.metrics[] for each
product_id which originates from the document author (and
therefore has no property source)product_id is listed in more than one item of
metrics[].A CSAF management system satisfies the “CSAF management system” conformance profile if the management system:
document-level or their children within the systemcve within the
system/product_tree/document/aggregate_severity/text/document/tracking/id./document/tracking/id.A CSAF asset matching system satisfies the “CSAF asset matching system” conformance profile if the asset matching system:
A program satisfies the “CSAF basic validator” conformance profile if the program:
mandatory as given in
section 6.4.1.A CSAF basic validator MAY provide one or more additional functions:
A CSAF basic validator satisfies the “CSAF extended validator” conformance profile if the CSAF basic validator:
recommended as given in section 6.4.1.A CSAF extended validator MAY provide an additional function to only run one or more selected recommended tests.
A CSAF extended validator satisfies the “CSAF full validator” conformance profile if the CSAF extended validator:
informative as given in section 6.4.1.A CSAF full validator MAY provide an additional function to only run one or more selected informative tests.
A CSAF SBOM matching system satisfies the “CSAF SBOM matching system” conformance profile if the SBOM matching system:
A program satisfies the “CSAF 2.0 to CSAF 2.1 converter” conformance profile if the program fulfills the following two groups of requirements:
Firstly, the program:
Secondly, the program fulfills the following for all items of:
value type string with format
date-time: If the value contains a 60 in the
seconds place, the CSAF 2.0 to CSAF 2.1 converter MUST replace
the seconds and their fractions with 59.999999.
In addition, the converter outputs a warning that leap seconds are now
prohibited in CSAF and the value has been replaced.
The CSAF 2.0 to CSAF 2.1 converter SHOULD indicate in such warning
message whether the value was a valid leap second or not.
type
/$defs/full_product_name_t/product_identification_helper/cpe:
If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed
the
invalid value and output a warning that an invalid CPE was detected and
removed. Such a warning MUST include the invalid CPE.
type /$defs/full_product_name_t/model_number:
* to the end and output
a\, the CSAF 2.0 to CSAF
2.1 converter MUST escape it by inserting an additional \
before the character.* after
the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry
andA tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars.
A tool MAY provide a non-default option to interpret the
?in all model numbers as part of the model number itself and therefore escape it.
A tool MAY provide a non-default option to interpret the
*in all model numbers as part of the model number itself and therefore escape it.
type
/$defs/full_product_name_t/product_identification_helper/purls:
If a
/$defs/full_product_name_t/product_identification_helper/purl
is given,
the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item
of the corresponding purls array.
type /$defs/full_product_name_t/serial_number:
* to the end and
output a\, the CSAF 2.0 to CSAF
2.1 converter MUST escape it by inserting an additional \
before the character.*
after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the
entry andA tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars.
A tool MAY provide a non-default option to interpret the
?in all serial numbers as part of the serial number itself and therefore escape it.
A tool MAY provide a non-default option to interpret the
*in all serial numbers as part of the serial number itself and therefore escape it.
/$schema: The CSAF 2.0 to CSAF 2.1 converter MUST
set property with the value prescribed by the schema.
/document/category:
If the category equals
csaf_security_advisory, the CSAF 2.0 to CSAF 2.1 converter
MUST try to convert the data into a
valid CSAF document in this profile according to CSAF 2.1.
For any version range of affected products that uses the strict
<, i.e. not <=, as comparator of the
last version constraint, the CSAF 2.0
to CSAF 2.1 converter SHOULD add a new product with the version of the
last constraint and add that in the appropriate places as
fixed.
The CSAF 2.0 to CSAF 2.1 converter MUST output a warning that a product
was added to the product_tree and the corresponding
/vulnerabilities[].
Such warning MUST contain the full product name and its path as well as
the paths of the /vulnerabilities[] it was added to.
If the CSAF 2.0 to CSAF 2.1 converter is unable to create a valid CSAF
2.1 document according to the profile, it SHALL set the
category value to
csaf_deprecated_security_advisory.
If the /document/lang is English or unspecified, the
following rules apply:
/document/title starts with the string
Superseded or the /document/category has the
value Superseded (case-insensitive),/document/title starts with the string
Withdrawn or the /document/category has the
value Withdrawn (case-insensitive),A tool MAY support this detection for other languages.
If the CSAF 2.0 to CSAF 2.1 converter is unable to create a valid
CSAF 2.1 document according to the profile, it SHALL set the
category
of the original CSAF document and output a warning a potentially
withdrawn CSAF document was created which would result in an invalid
CSAF.
/document/csaf_version: The CSAF 2.0 to CSAF 2.1
converter MUST update the value to 2.1.
/document/distribution/tlp/label: If a TLP label is
given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to
the table below:
| CSAF 2.0 (using TLP v1.0) | CSAF 2.1 (using TLP v2.0) |
|---|---|
TLP:WHITE |
TLP:CLEAR |
TLP:GREEN |
TLP:GREEN |
TLP:AMBER |
TLP:AMBER |
TLP:RED |
TLP:RED |
If /document/distribution/text contains the string
TLP v2.0: TLP:<ValidTLPLabel>, the CSAF 2.0 to CSAF
2.1 converter SHOULD provide an
option to use this label instead. If the TLP label changes through such
conversion in a way that is not reflected in the table above, the
the CSAF 2.0 to CSAF 2.1 converter MUST output a warning that the TLP
label was taken from the distribution text. Such a warning MUST
include
both values: the converted one based on the table and the one from the
distribution text.
This is a common case for CSAF 2.0 documents labeled as
TLP:REDbut actually intended to beTLP:AMBER+STRICT.
If no TLP label was given, the CSAF 2.0 to CSAF 2.1 converter SHOULD
assign TLP:CLEAR and output a warning that the default TLP
has been set.
/document/license_expression: If any
/document/notes item in with category
legal_disclaimer contains a valid SPDX license
expression,license_expression./document/notes: If any /document/notes
item contains one of the category and title
combinations specified in
3.2.2.8, where the
title is extended, the CSAF 2.0 to CSAF 2.1 converter SHALL
try to identify whether that extension
is a specific product name, version or family.
In such case, the CSAF 2.0 to CSAF 2.1 SHALL try to add the
corresponding products to the note item and output a warning that a
potential product
specific note has been discovered and products have been assigned to
it.
Such warning MUST also include the note and the assigned products.
If the CSAF 2.0 to CSAF 2.1 is unable to create a valid object, it MUST
remove the reference to the products and output a warning that a
potential
product specific note has been discovered and no products could been
assigned to it.
/document/publisher/category: If the value is
other, the CSAF 2.0 to CSAF 2.1 converter SHOULD output a
warning that some parties have
been regrouped into the new value multiplier. An option to
suppress this warning MUST exist. In addition, an option SHOULD be
provided to
set the value to multiplier.
/document/title: If the value contains the
/document/tracking/id, the CSAF 2.0 to CSAF 2.1 converter
MUST remove the /document/tracking/id
from the /document/title. In addition, separating
characters including but not limited to whitespace, colon, dash and
brackets MUST be removed.
/vulnerabilities[]/cwes[]:
The CSAF 2.0 to CSAF 2.1 converter MUST remove all preceding and
trailing white space from the name.
The CSAF 2.0 to CSAF 2.1 converter MUST determine the CWE
specification version the given CWE was selected from by
using the latest version that matches the id and
name exactly and was published prior to the value of
/document/tracking/current_release_date of the source
document.
If no such version exist, the first matching version published after the
value of /document/tracking/current_release_date
of the source document SHOULD be used.
This is done to create a deterministic conversion.
The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
/vulnerabilities[]/disclosure_date: If a
release_date was given, the CSAF 2.0 to CSAF 2.1 converter
MUST convert its value as value
into the disclosure_date element.
/vulnerabilities[]/metrics/cvss_v4: If an external
reference in the vulnerability linking to the official FIRST.org CVSS
v4.0 calculator exists,
the CSAF 2.0 to CSAF 2.1 converter MUST convert the vector given in the
fragment into a cvss_v4 object linked to all affected
products of the vulnerability.
> A tool MAY implement an option to suppress this conversion.
> If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a
valid object with the information given, the CSAF 2.0 to CSAF 2.1
converter SHALL
> remove the invalid cvss_v4 object and output a warning
that the automatic conversion of the CVSS v4.0 reference failed.
> Such warning SHOULD include the specific error that
occurred.
/vulnerabilities[]/metrics/ssvc_v1: If a SSVC vector
or decision points of an SSVC vector are given in an item of
notes of the current
vulnerability using the title SSVC and the
category other, the CSAF 2.0 to CSAF 2.1
converter MUST convert that data into the ssvc_v1
object within the current vulnerability.
If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid
object without loosing any information, the corresponding
notes item SHALL
be removed.
If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid
object with the information given, the CSAF 2.0 to CSAF 2.1 converter
SHALL
remove the invalid ssvc_v1 object, keep the original item
of notes and output a warning that the automatic conversion
of the SSVC data failed.
If the CSAF 2.0 to CSAF 2.1 converter would loose information during the
conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the
ssvc_v1
object, keep the original item of notes and output a
warning that the automatic conversion of the SSVC data would lead to
loosing information.
/vulnerabilities[]/notes: If any
/vulnerabilities[]/notes item contains one of the
category and title combinations specified
in
3.2.4.11, where the
title is extended, the CSAF 2.0 to CSAF 2.1 converter SHALL
try to identify whether that
extension is a specific product name, version or family.
In such case, the CSAF 2.0 to CSAF 2.1 converter SHALL try to add the
corresponding products to the note item and output a warning that a
potential
product specific note has been discovered and products have been
assigned to it.
Such warning MUST also include the note and the assigned products.
If the CSAF 2.0 to CSAF 2.1 converter is unable to create a valid
object, it MUST remove the reference to the products and output a
warning that a
potential product specific note has been discovered and no products
could been assigned to it.
/vulnerabilities[]/remediations[]:
vendor_fix into the category
optional_patchvendor_fix MUST stay the
same.optional_patchnone_available into the category
fix_plannedvendor_fix with a date in the future
or no date at all.vendor_fix.none_availablevendor_fix with a date in the past or
to the exact same time.none_available.The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning.
A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any of the rules above MAY be ignored to avoid data loss.
A library satisfies the “CSAF library” conformance profile if the library:
product_id for each new element of type
full_product_name_t unless an ID is given during the
creation.group_id for each new element of type
product_group_id_t unless an ID is given during the
creation.product_id_t with its corresponding
full_product_name_t/name andfull_product_name_t/product_identification_helper.product_identification_helper and their mapping to elements
of type product_id_t.full_product_name_t/name with in branches
through concatenating the name values separated by
whitespaceThe library MAY implement an option to retrieve the keys unsorted.
A CSAF library satisfies the “CSAF library with basic validation” conformance profile if the CSAF library:
A CSAF library does not satisfies the “CSAF library with basic validation” conformance profile if the CSAF library uses an external library or program for the “CSAF basic validator” part and does not enforce its presence.
A CSAF library satisfies the “CSAF library with extended validation” conformance profile if the CSAF library:
A CSAF library does not satisfies the “CSAF library with extended validation” conformance profile if the CSAF library uses an external library or program for the “CSAF extended validator” part and does not enforce its presence.
A CSAF library satisfies the “CSAF library with extended validation” conformance profile if the CSAF library:
A CSAF library does not satisfies the “CSAF library with full validation” conformance profile if the CSAF library uses an external library or program for the “CSAF full validator” part and does not enforce its presence.
A program satisfies the “CSAF downloader” conformance profile if the program:
A tool MAY implement an option to store CSAF documents that fail any of the steps in section 7.3.2.
A program satisfies the “CSAF withdrawer” conformance profile if the program:
/document/tracking/id./product_tree./vulnerabilities.A tool MAY implement an option to additionally remove any element that would hinder the production of a valid CSAF.
A program satisfies the “CSAF superseder” conformance profile if the program:
/document/tracking/id./product_tree./vulnerabilities.A tool MAY implement an option to additionally remove any element that would hinder the production of a valid CSAF.
The following individuals were members of the OASIS CSAF Technical Committee during the creation of this specification and their contributions are gratefully acknowledged:
CSAF TC Members:
| First Name | Last Name | Company |
|---|---|---|
| Alexandre | Dulaunoy | CIRCL |
| Anthony | Berglas | Cryptsoft Pty Ltd. |
| Art | Manion | Carnegie Mellon University |
| Aukjan | van Belkum | EclecticIQ |
| Ben | Sooter | Electric Power Research Institute (EPRI) |
| Bernd | Grobauer | Siemens AG |
| Bruce | Rich | Cryptsoft Pty Ltd. |
| Chok | Poh | Oracle |
| Dan | West | Microsoft |
| David | Waltermire | NIST |
| Denny | Page | TIBCO Software Inc. |
| Duncan | Sparrell | sFractal Consulting LLC |
| Eric | Johnson | TIBCO Software Inc. |
| Ethan | Rahn | Arista Networks |
| Feng | Cao | Oracle |
| Greg | Scott | Cryptsoft Pty Ltd. |
| Harold | Booth | NIST |
| Jason | Masters | TELUS |
| Jennifer | Victor | Dell |
| Jessica | Fitzgerald-McKay | National Security Agency |
| Jonathan | Bitle | Kaiser Permanente |
| Justin | Corlett | Cryptsoft Pty Ltd. |
| Kazuo | Noguchi | Hitachi, Ltd. |
| Kent | Landfield | McAfee |
| Langley | Rock | Red Hat |
| Martin | Prpic | Red Hat |
| Masato | Terada | Hitachi, Ltd. |
| Mike | Gorski | Cisco Systems |
| Nicole | Parrish | Mitre Corporation |
| Omar | Santos | Cisco Systems |
| Patrick | Maroney | AT&T |
| Rhonda | Levy | Cisco Systems |
| Richard | Struse | Mitre Corporation |
| Ritwik | Ghoshal | Oracle |
| Robert | Coderre | Accenture |
| Robert | Keith | Accenture |
| Stefan | Hagen | Individual |
| Tania | Ward | Dell |
| Ted | Bedwell | Cisco Systems |
| Thomas | Proell | Siemens AG |
| Thomas | Schmidt | Federal Office for Information Security (BSI) Germany |
| Tim | Hudson | Cryptsoft Pty Ltd. |
| Tobias | Limmer | Siemens AG |
| Tony | Cox | Cryptsoft Pty Ltd. |
| Vincent | Danen | Red Hat |
| Will | Rideout | Arista Networks |
| Xiaoyu | Ge | Huawei Technologies Co., Ltd. |
The following individuals were members of the OASIS CSAF Technical Committee during the creation of the previous version (CVRF v1.2) of this specification and their contributions are gratefully acknowledged:
CSAF TC Members:
| First Name | Last Name | Company |
|---|---|---|
| Adam | Montville | CIS |
| Allan | Thomson | LookingGlass |
| Anthony | Berglas | Cryptsoft Pty Ltd. |
| Art | Manion | Carnegie Mellon University |
| Aukjan | van Belkum | EclecticIQ |
| Ben | Sooter | Electric Power Research Institute |
| Bernd | Grobauer | Siemens AG |
| Beth | Pumo | Kaiser Permanente |
| Bret | Jordan | Symantec Corp. |
| Bruce | Rich | Cryptsoft Pty Ltd. |
| Chet | Ensign | OASIS |
| Chok | Poh | Oracle |
| Chris | Rouland | Individual |
| David | Waltermire | NIST |
| Denny | Page | TIBCO Software Inc. |
| Doron | Shiloach | IBM |
| Duncan | Sparrell | sFractal Consulting LLC |
| Eric | Johnson | TIBCO Software Inc. |
| Feng | Cao | Oracle |
| Greg | Reaume | TELUS |
| Greg | Scott | Cryptsoft Pty Ltd. |
| Harold | Booth | NIST |
| Jamison | Day | LookingGlass |
| Jared | Semrau | “FireEye, Inc.” |
| Jason | Masters | TELUS |
| Jerome | Athias | Individual |
| Jessica | Fitzgerald-McKay | National Security Agency |
| Jonathan | Bitle | Kaiser Permanente |
| Justin | Corlett | Cryptsoft Pty Ltd. |
| Karen | Scarfone | Individual |
| Kazuo | Noguchi | “Hitachi, Ltd.” |
| Kent | Landfield | McAfee |
| Lothar | Braun | Siemens AG |
| Louis | Ronnau | Cisco Systems |
| Mark | Davidson | NC4 |
| Mark-David | McLaughlin | Cisco Systems |
| Masato | Terada | “Hitachi, Ltd.” |
| Masood | Nasir | TELUS |
| Nicole | Gong | Mitre Corporation |
| Omar | Santos | Cisco Systems |
| Patrick | Maroney | Wapack Labs LLC |
| Paul | Patrick | “FireEye, Inc.” |
| Peter | Allor | IBM |
| Phillip | Boles | “FireEye, Inc.” |
| Ravi | Balupari | Netskope |
| Rich | Reybok | ServiceNow |
| Richard | Struse | DHS Office of Cybersecurity and Communications (CS&C) |
| Ritwik | Ghoshal | Oracle |
| Robert | Coderre | VeriSign |
| Robin | Cover | OASIS |
| Rupert | Wimmer | Siemens AG |
| Sanjiv | Kalkar | Individual |
| Sean | Barnum | Mitre Corporation |
| Stefan | Hagen | Individual |
| Ted | Bedwell | Cisco Systems |
| Thomas | Schreck | Siemens AG |
| Tim | Hudson | Cryptsoft Pty Ltd. |
| Tony | Cox | Cryptsoft Pty Ltd. |
| Trey | Darley | “Kingfisher Operations, sprl” |
| Vincent | Danen | Red Hat |
| Zach | Turk | Microsoft |
| Revision | Date | Editor | Changes Made |
|---|---|---|---|
| csaf-v2.1-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision |
| csaf-v2.1-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20240424-dev | 2024-04-24 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20240529-dev | 2024-05-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20240626-dev | 2024-06-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20250129-dev | 2025-01-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20250226-dev | 2025-02-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20250326-dev | 2025-03-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20250430-dev | 2025-04-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.1-wd20250528-dev | 2025-05-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
This appendix provides informative guidance on the size of CSAF documents.
The TC carefully considered all known aspects to provide size limits for CSAF documents for this version of the specification with the result that hard limits SHOULD NOT be enforced. However, since there is the need for guidance to ensure interoperability in the ecosystem, the TC provides a set of soft limits. A CSAF document which exceeds those, can still be valid but it might not be processable for some parties.
All CSAF consumers SHOULD be able to process CSAF documents which comply with the limits below. All CSAF producers SHOULD NOT produce CSAF documents which exceed those limits.
If you come across a case where these limits are exceeded, please provide feedback to the TC.
A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB.
The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve. At least one database technology in wide use for storing CSAF documents rejects insert attempts when the transformed BSON size exceeds 16 megabytes. The BSON format optimizes for accessibility and not size. So, small integers and small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.
An array SHOULD NOT have more than:
10 000 items for
/document/acknowledgments/document/acknowledgments[]/names/document/acknowledgments[]/urls/document/tracking/aliases/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes/product_tree/branches[](/branches[])*/product/product_identification_helper/purls/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris/product_tree/branches[]/product/product_identification_helper/hashes/product_tree/branches[]/product/product_identification_helper/hashes[]/file_hashes/product_tree/branches[]/product/product_identification_helper/purls/product_tree/branches[]/product/product_identification_helper/sbom_urls/product_tree/branches[]/product/product_identification_helper/x_generic_uris/product_tree/full_product_names[]/product_identification_helper/hashes/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes/product_tree/full_product_names[]/product_identification_helper/purls/product_tree/full_product_names[]/product_identification_helper/sbom_urls/product_tree/full_product_names[]/product_identification_helper/x_generic_uris/product_tree/relationships[]/full_product_name/product_identification_helper/hashes/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes/product_tree/relationships[]/full_product_name/product_identification_helper/purls/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris/vulnerabilities[]/acknowledgments/vulnerabilities[]/acknowledgments[]/names/vulnerabilities[]/acknowledgments[]/urls/vulnerabilities[]/cwes/vulnerabilities[]/ids/vulnerabilities[]/metrics[]/content/ssvc_v1/selections/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values/vulnerabilities[]/remediations[]/entitlements40 000 items for
/document/notes/document/references/vulnerabilities[]/involvements/vulnerabilities[]/notes/vulnerabilities[]/references100 000 for
/document/tracking/revision_history/product_tree/branches/product_tree(/branches[])*/branches/product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers/product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers/product_tree/branches[](/branches[])*/product/product_identification_helper/skus/product_tree/branches[]/product/product_identification_helper/model_numbers/product_tree/branches[]/product/product_identification_helper/serial_numbers/product_tree/branches[]/product/product_identification_helper/skus/product_tree/full_product_names/product_tree/full_product_names[]/product_identification_helper/model_numbers/product_tree/full_product_names[]/product_identification_helper/serial_numbers/product_tree/full_product_names[]/product_identification_helper/skus/product_tree/product_groups[]/product_ids/product_tree/relationships[]/full_product_name/product_identification_helper/model_numbers/product_tree/relationships[]/full_product_name/product_identification_helper/serial_numbers/product_tree/relationships[]/full_product_name/product_identification_helper/skus/vulnerabilities10 000 000 for
/product_tree/product_groups/product_tree/relationships/vulnerabilities[]/remediations[]/group_ids100 000 000 for
/document/notes[]/group_ids/document/notes[]/product_ids/vulnerabilities[]/first_known_exploitation_dates/vulnerabilities[]/first_known_exploitation_dates[]/group_ids/vulnerabilities[]/first_known_exploitation_dates[]/product_ids/vulnerabilities[]/flags/vulnerabilities[]/flags[]/group_ids/vulnerabilities[]/flags[]/product_ids/vulnerabilities[]/involvements[]/group_ids/vulnerabilities[]/involvements[]/product_ids/vulnerabilities[]/metrics/vulnerabilities[]/metrics[]/products/vulnerabilities[]/notes[]/group_ids/vulnerabilities[]/notes[]/product_ids/vulnerabilities[]/product_status/first_affected/vulnerabilities[]/product_status/first_fixed/vulnerabilities[]/product_status/fixed/vulnerabilities[]/product_status/known_affected/vulnerabilities[]/product_status/known_not_affected/vulnerabilities[]/product_status/last_affected/vulnerabilities[]/product_status/recommended/vulnerabilities[]/product_status/under_investigation/vulnerabilities[]/product_status/unknown/vulnerabilities[]/remediations/vulnerabilities[]/remediations[]/product_ids/vulnerabilities[]/threats/vulnerabilities[]/threats[]/group_ids/vulnerabilities[]/threats[]/product_idsA string SHOULD NOT have a length greater than:
1000 for
/document/acknowledgments[]/names[]/document/acknowledgments[]/organization/document/aggregate_severity/text/document/category/document/distribution/sharing_group/name/document/lang/document/license_expression/document/notes[]/audience/document/notes[]/group_ids[]/document/notes[]/product_ids[]/document/notes[]/title/document/publisher/name/document/source_lang/document/title/document/tracking/aliases[]/document/tracking/generator/engine/name/document/tracking/generator/engine/version/document/tracking/id/document/tracking/revision_history[]/legacy_version/document/tracking/revision_history[]/number/document/tracking/version/product_tree/branches[](/branches[])*/name/product_tree/branches[](/branches[])*/product/name/product_tree/branches[](/branches[])*/product/product_id/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes[]/algorithm/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/file_hashes[]/value/product_tree/branches[](/branches[])*/product/product_identification_helper/hashes[]/filename/product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[]/product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[]/product_tree/branches[](/branches[])*/product/product_identification_helper/skus[]/product_tree/branches[]/name/product_tree/branches[]/product/name/product_tree/branches[]/product/product_id/product_tree/branches[]/product/product_identification_helper/hashes[]/file_hashes[]/algorithm/product_tree/branches[]/product/product_identification_helper/hashes[]/file_hashes[]/value/product_tree/branches[]/product/product_identification_helper/hashes[]/filename/product_tree/branches[]/product/product_identification_helper/model_numbers[]/product_tree/branches[]/product/product_identification_helper/serial_numbers[]/product_tree/branches[]/product/product_identification_helper/skus[]/product_tree/full_product_names[]/name/product_tree/full_product_names[]/product_id/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/algorithm/product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value/product_tree/full_product_names[]/product_identification_helper/hashes[]/filename/product_tree/full_product_names[]/product_identification_helper/model_numbers[]/product_tree/full_product_names[]/product_identification_helper/serial_numbers[]/product_tree/full_product_names[]/product_identification_helper/skus[]/product_tree/product_groups[]/group_id/product_tree/product_groups[]/product_ids[]/product_tree/relationships[]/full_product_name/name/product_tree/relationships[]/full_product_name/product_id/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/algorithm/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value/product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/filename/product_tree/relationships[]/full_product_name/product_identification_helper/model_numbers[]/product_tree/relationships[]/full_product_name/product_identification_helper/serial_numbers[]/product_tree/relationships[]/full_product_name/product_identification_helper/skus[]/product_tree/relationships[]/product_reference/product_tree/relationships[]/relates_to_product_reference/vulnerabilities[]/acknowledgments[]/names[]/vulnerabilities[]/acknowledgments[]/organization/vulnerabilities[]/cve/vulnerabilities[]/cwes[]/id/vulnerabilities[]/cwes[]/name/vulnerabilities[]/cwes[]/version/vulnerabilities[]/flags[]/group_ids[]/vulnerabilities[]/flags[]/product_ids[]/vulnerabilities[]/ids[]/system_name/vulnerabilities[]/ids[]/text/vulnerabilities[]/involvements[]/contact/vulnerabilities[]/metrics[]/content/cvss_v2/vectorString/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString/vulnerabilities[]/metrics[]/content/cvss_v4/vectorString/vulnerabilities[]/metrics[]/content/epss/percentile/vulnerabilities[]/metrics[]/content/epss/probability/vulnerabilities[]/metrics[]/content/ssvc_v1/id/vulnerabilities[]/metrics[]/content/ssvc_v1/role/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version/vulnerabilities[]/metrics[]/products[]/vulnerabilities[]/notes[]/audience/vulnerabilities[]/notes[]/group_ids[]/vulnerabilities[]/notes[]/product_ids[]/vulnerabilities[]/notes[]/title/vulnerabilities[]/product_status/first_affected[]/vulnerabilities[]/product_status/first_fixed[]/vulnerabilities[]/product_status/fixed[]/vulnerabilities[]/product_status/known_affected[]/vulnerabilities[]/product_status/known_not_affected[]/vulnerabilities[]/product_status/last_affected[]/vulnerabilities[]/product_status/recommended[]/vulnerabilities[]/product_status/under_investigation[]/vulnerabilities[]/remediations[]/group_ids[]/vulnerabilities[]/remediations[]/product_ids[]/vulnerabilities[]/threats[]/group_ids[]/vulnerabilities[]/threats[]/product_ids[]/vulnerabilities[]/title10 000 for
/document/acknowledgments[]/summary/document/distribution/text/document/publisher/contact_details/document/publisher/issuing_authority/document/references[]/summary/document/tracking/revision_history[]/summary/product_tree/branches[](/branches[])*/product/product_identification_helper/cpe/product_tree/branches[](/branches[])*/product/product_identification_helper/purls[]/product_tree/branches[]/product/product_identification_helper/cpe/product_tree/branches[]/product/product_identification_helper/purls[]/product_tree/full_product_names[]/product_identification_helper/cpe/product_tree/full_product_names[]/product_identification_helper/purls[]/product_tree/product_groups[]/summary/product_tree/relationships[]/full_product_name/product_identification_helper/cpe/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]/vulnerabilities[]/acknowledgments[]/summary/vulnerabilities[]/involvements[]/summary/vulnerabilities[]/references[]/summary/vulnerabilities[]/remediations[]/entitlements[]30 000 for
/document/notes[]/text/vulnerabilities[]/notes[]/text250 000 for
/vulnerabilities[]/remediations[]/details/vulnerabilities[]/remediations[]/restart_required/details/vulnerabilities[]/threats[]/detailsThe maximum length of strings representing a temporal value is given by the format specifier. This applies to:
/document/tracking/current_release_date/document/tracking/generator/date/document/tracking/initial_release_date/document/tracking/revision_history[]/date/vulnerabilities[]/disclosure_date/vulnerabilities[]/discovery_date/vulnerabilities[]/first_known_exploitation_dates[]/date/vulnerabilities[]/first_known_exploitation_dates[]/exploitation_date/vulnerabilities[]/flags[]/date/vulnerabilities[]/involvements[]/date/vulnerabilities[]/metrics[]/content/epss/timestamp/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp/vulnerabilities[]/remediations[]/date/vulnerabilities[]/threats[]/dateA string which is an enum has a fixed maximum length given by its longest value.
Later versions of CSAF might add, modify or delete possible value which could change the longest value. Therefore, this sizes should not be implemented as fixed limits if forward compatibility is desired.
The value of /$schema is a fixed URL, currently pointing
to the JSON schema location.
It seems to be safe to assume that the length of this value is not
greater than 150. This applies to:
/$schema (59)For all other values, it seems to be safe to assume that the length of each value is not greater than 50. This applies to:
/document/csaf_version (3)/document/distribution/tlp/label (12)/document/notes[]/category (16)/document/publisher/category (11)/document/references[]/category (8)/document/tracking/status (7)/product_tree/branches[](/branches[])*/category
(15)/product_tree/branches[]/category (15)/product_tree/relationships[]/category (21)/vulnerabilities[]/flags[]/label (49)/vulnerabilities[]/involvements[]/party (11)/vulnerabilities[]/involvements[]/status (17)/vulnerabilities[]/metrics[]/content/cvss_v2/accessComplexity
(6)/vulnerabilities[]/metrics[]/content/cvss_v2/accessVector
(16)/vulnerabilities[]/metrics[]/content/cvss_v2/authentication
(8)/vulnerabilities[]/metrics[]/content/cvss_v2/availabilityImpact
(8)/vulnerabilities[]/metrics[]/content/cvss_v2/availabilityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v2/collateralDamagePotential
(11)/vulnerabilities[]/metrics[]/content/cvss_v2/confidentialityImpact
(8)/vulnerabilities[]/metrics[]/content/cvss_v2/confidentialityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v2/exploitability
(16)/vulnerabilities[]/metrics[]/content/cvss_v2/integrityImpact
(8)/vulnerabilities[]/metrics[]/content/cvss_v2/integrityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v2/remediationLevel
(13)/vulnerabilities[]/metrics[]/content/cvss_v2/reportConfidence
(14)/vulnerabilities[]/metrics[]/content/cvss_v2/targetDistribution
(11)/vulnerabilities[]/metrics[]/content/cvss_v2/version
(3)/vulnerabilities[]/metrics[]/content/cvss_v3/attackComplexity
(4)/vulnerabilities[]/metrics[]/content/cvss_v3/attackVector
(16)/vulnerabilities[]/metrics[]/content/cvss_v3/availabilityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v3/availabilityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/baseSeverity
(8)/vulnerabilities[]/metrics[]/content/cvss_v3/confidentialityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v3/confidentialityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/environmentalSeverity
(8)/vulnerabilities[]/metrics[]/content/cvss_v3/exploitCodeMaturity
(16)/vulnerabilities[]/metrics[]/content/cvss_v3/integrityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v3/integrityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedAttackComplexity
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedAttackVector
(16)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedAvailabilityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedConfidentialityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedIntegrityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedPrivilegesRequired
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedScope
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/modifiedUserInteraction
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/privilegesRequired
(4)/vulnerabilities[]/metrics[]/content/cvss_v3/remediationLevel
(13)/vulnerabilities[]/metrics[]/content/cvss_v3/reportConfidence
(11)/vulnerabilities[]/metrics[]/content/cvss_v3/scope
(9)/vulnerabilities[]/metrics[]/content/cvss_v3/temporalSeverity
(8)/vulnerabilities[]/metrics[]/content/cvss_v3/userInteraction
(8)/vulnerabilities[]/metrics[]/content/cvss_v3/version
(3)/vulnerabilities[]/metrics[]/content/cvss_v4/attackComplexity
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/attackRequirements
(7)/vulnerabilities[]/metrics[]/content/cvss_v4/attackVector
(8)/vulnerabilities[]/metrics[]/content/cvss_v4/Automatable
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/availabilityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/baseSeverity
(8)/vulnerabilities[]/metrics[]/content/cvss_v4/confidentialityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity
(8)/vulnerabilities[]/metrics[]/content/cvss_v4/exploitMaturity
(16)/vulnerabilities[]/metrics[]/content/cvss_v4/integrityRequirement
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedAttackComplexity
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedAttackRequirements
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedAttackVector
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedPrivilegesRequired
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedSubAvailabilityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedSubConfidentialityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedSubIntegrityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedUserInteraction
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedVulnAvailabilityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedVulnConfidentialityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/modifiedVulnIntegrityImpact
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/privilegesRequired
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/providerUrgency
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/Recovery
(13)/vulnerabilities[]/metrics[]/content/cvss_v4/Safety
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/subAvailabilityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/subConfidentialityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/subIntegrityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/threatSeverity
(8)/vulnerabilities[]/metrics[]/content/cvss_v4/userInteraction
(7)/vulnerabilities[]/metrics[]/content/cvss_v4/valueDensity
(12)/vulnerabilities[]/metrics[]/content/cvss_v4/version
(3)/vulnerabilities[]/metrics[]/content/cvss_v4/vulnAvailabilityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/vulnConfidentialityImpact
(4)/vulnerabilities[]/metrics[]/content/cvss_v4/vulnerabilityResponseEffort
(11)/vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact
(4)/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion
(5)/vulnerabilities[]/notes[]/category (16)/vulnerabilities[]/references[]/category (8)/vulnerabilities[]/remediations[]/category (14)/vulnerabilities[]/remediations[]/restart_required/category
(20)/vulnerabilities[]/threats[]/category (14)A string with format uri SHOULD NOT have a length
greater than 20000. This applies to:
/document/acknowledgments[]/urls[]/document/aggregate_severity/namespace/document/distribution/tlp/url/document/publisher/namespace/document/references[]/url/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri/product_tree/branches[]/product/product_identification_helper/sbom_urls[]/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri/vulnerabilities[]/acknowledgments[]/urls[]/vulnerabilities[]/metrics[]/source/vulnerabilities[]/references[]/url/vulnerabilities[]/remediations[]/urlA string with format uuid SHOULD NOT have a length
greater than 50. This applies to:
/document/distribution/sharing_group/id (36)