Commit
Merge remote-tracking branch 'upstream/editor-revision-2024-05-29' into cwe
tschmidtb51 committed Jun 17, 2024
2 parents 5e3d2e9 + f86388e commit 06e1b0b
Showing 33 changed files with 1,517 additions and 15 deletions.
4 changes: 3 additions & 1 deletion csaf_2.1/json_schema/csaf_json_schema.json
@@ -160,7 +160,7 @@
"title": "Common Platform Enumeration representation",
"description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.",
"type": "string",
"pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
"pattern": "^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$",
"minLength": 5
},
"hashes": {
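Review bot: the only change here is escaping `/` as `\\/` in the second attribute group (`\\+,/:;` becomes `\\+,\\/:;`) so it matches the first group and the `cpe:\\/` tail; in the ECMA-262 dialect that JSON Schema patterns use, `/` needs no escaping, so the accepted language is unchanged and this is purely a consistency fix. Worth pairing with a handful of positive and negative CPE 2.3 formatted-string and CPE 2.2 URI test vectors in the schema tests, so that future edits to a pattern this long are checked by something other than eyeballing.
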
@@ -594,6 +594,7 @@
"title": "Label of TLP",
"description": "Provides the TLP label of the document.",
"type": "string",
"default": "CLEAR",
"enum": [
"AMBER",
"AMBER+STRICT",
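Review bot: `default` is an annotation in JSON Schema, not a constraint: a validator neither rejects a document that omits `label` nor fills in `CLEAR`, so nothing in this hunk makes the label actually default to `CLEAR`. The operative rule is the converter behaviour in conformance.md (assign `TLP:CLEAR` and emit a warning). Consider saying in the `description` that the default is advisory and that producing tools should set the label explicitly; `CLEAR` is the least restrictive label, and a silently applied default turns an advisory meant for a narrower audience into a public one.
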
@@ -644,6 +645,7 @@
"enum": [
"coordinator",
"discoverer",
"multiplier",
"other",
"translator",
"user",
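Review bot: the new value keeps the enum alphabetical and matches the value list added to the prose in this commit. Downstream tooling that switches on `/document/publisher/category` needs a branch for `multiplier` (or a deliberate fallthrough to its `other` handling); a one-line compatibility note next to the value in the prose would save consumers from discovering that on the first 2.1 document they parse.
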
8 changes: 8 additions & 0 deletions csaf_2.1/prose/edit/src/additional-conventions.md
@@ -71,4 +71,12 @@ The use of GitHub-flavoured Markdown is permitted in the following fields:

Other fields MUST NOT contain Markdown.

## Branch recursion

The `/product_tree` uses a nested structure for `branches`. Along a single path to a leaf, the recursion of `branches` is limited to 30 repetitions. Therefore, the longest path to a leaf is:

```
/product_tree/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/branches[]/product
```

-------
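Review bot: the depth limit exists only in prose, and JSON Schema cannot express a maximum recursion depth for a `$ref`-based structure, so a document nesting `branches` 31 deep still passes schema validation; if validators are expected to reject it, this needs a test in the conformance tests and RFC 2119 wording (`MUST NOT exceed 30` rather than `is limited to 30`) plus a statement of what a consumer does when the limit is exceeded. The example path is also easy to miscount: a short `(30 times)` after the path, or a test that counts the `branches[]` segments in this file, keeps an off-by-one from creeping in during later edits.
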
5 changes: 4 additions & 1 deletion csaf_2.1/prose/edit/src/conformance.md
@@ -529,6 +529,9 @@ Secondly, the program fulfills the following for all items of:
> This is a common case for CSAF 2.0 documents labeled as TLP:RED but actually intended to be TLP:AMBER+STRICT.
If no TLP label was given, the CSAF 2.0 to CSAF 2.1 converter SHOULD assign `TLP:CLEAR` and output a warning that the default TLP has been set.
* `/document/publisher/category`: If the value is `other`, the CSAF 2.0 to CSAF 2.1 converter SHOULD output a warning that some parties have
been regrouped into the new value `multiplier`. An option to suppress this warning MUST exist. In addition, an option SHOULD be provided to
set the value to `multiplier`.
* `/vulnerabilities[]/cwes[]`: The CSAF 2.0 to CSAF 2.1 converter MUST determine the CWE specification version the given CWE was selected from by
using the latest version that matches the `id` and `name` exactly and was published prior to the value of `/document/tracking/current_release_date`
of the source document. If no such version exist, the first matching version published after the value of `/document/tracking/current_release_date`
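Review bot: the `MUST` on an option to suppress the warning is stronger than the `SHOULD` on emitting the warning at all; if the warning is optional, a suppress option can hardly be mandatory. Align both (SHOULD/SHOULD, or MUST warn with a MUST suppress option). Also, `some parties have been regrouped` leaves the user guessing which; the document section in this same commit names them (republishers and forwarders moved from `other` to `multiplier`), and that is exactly what a user needs to decide whether to take the `multiplier` option, so say it in the warning text.
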
Expand All @@ -537,7 +540,7 @@ Secondly, the program fulfills the following for all items of:
The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
> A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
> A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
> of the rules above MAY be ignored to avoid data loss.
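Review bot: this harmonises the spelling to `GitHub-flavored`, but the context line of the additional-conventions.md hunk in this same commit still reads `The use of GitHub-flavoured Markdown is permitted`; a repository-wide search for `flavoured` would catch the remaining occurrences so the spec does not ship with both forms.
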
24 changes: 21 additions & 3 deletions csaf_2.1/prose/edit/src/distributing.md
@@ -288,6 +288,8 @@ having the `rel` value of `signature`.

The use and therefore the existence of ROLIE service document is optional.
If it is used, each ROLIE service document MUST be a JSON file that conforms with [cite](#RFC8322) and lists the ROLIE feed documents.
Additionally, it can also list the corresponding ROLIE category documents.
The ROLIE service document SHOULD use the filename `service.json` and reside next to the `provider-metadata.json`.

*Example 1:*

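Review bot: with only a SHOULD on the filename, a consumer cannot rely on finding the service document at `service.json` next to `provider-metadata.json`, and the text does not say how it is discovered otherwise; either state that discovery is via a link in `provider-metadata.json` (if that is the intent) or make the filename a MUST. Minor: `conforms with [cite](#RFC8322)` reads better as `conforms to`, in both the service and the category document sentences.
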
@@ -321,6 +323,7 @@ If it is used, each ROLIE service document MUST be a JSON file that conforms wit

The use and therefore the existence of ROLIE category document is optional.
If it is used, each ROLIE category document MUST be a JSON file that conforms with [cite](#RFC8322).
A ROLIE category document SHOULD reside next to the corresponding ROLIE feed.
ROLIE categories SHOULD be used for to further dissect CSAF documents by one or more of the following criteria:

* document category
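Review bot: the context line `ROLIE categories SHOULD be used for to further dissect CSAF documents` has a leftover `for`; since this hunk touches the paragraph, drop it here. `reside next to the corresponding ROLIE feed` should also say what `next to` means when the feed is referenced by URL rather than a file path (same directory as the feed document, presumably), mirroring the wording used for `service.json` next to `provider-metadata.json`.
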
@@ -558,6 +561,21 @@ Each such folder MUST at least:
}
```

### Requirement 24: HTTP User-Agent

Access to the CSAF related files and directories provided, for both metadata and documents, MUST be allowed independent of the
value of HTTP User-Agent.

> Limit the value of HTTP User-Agents to a certain set would hinder adoption of tools retrieving the files.
The only exception is that the temporary blocking of certain HTTP User-Agents is allowed to mitigate an ongoing security incident
(e.g. a DoS attack on the web server serving the CSAF files).
However, a less severe measure with a similar effect SHOULD be used.
CSAF related files and directories SHOULD be exempted from temporary blocking.
The temporary blocking SHOULD be removed as soon as possible, at latest two weeks after the security incident process was completed.

> Also confer to the TC's guidance on content delivery networks and caching.
## Roles

This subsection groups the requirements from the previous subsection into named sets which target the roles with the same name.
@@ -595,7 +613,7 @@ A CSAF publisher satisfies the "CSAF provider" role if the party fulfills the fo
Firstly, the party:

* satisfies the "CSAF publisher" role profile.
* additionally satisfies the requirements 5 to 7 in section [sec](#requirements).
* additionally satisfies the requirements 5 to 7 and 24 in section [sec](#requirements).

Secondly, the party:

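Review bot: requirement 24 is added to provider, lister and aggregator but, by construction, not to the `CSAF publisher` role profile that the provider role builds on; a publisher also serves CSAF files over HTTP, so blocking clients by User-Agent affects it just as much. If publishers are deliberately exempt, say so; otherwise add 24 to the publisher role as well.
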
Expand All @@ -619,7 +637,7 @@ A CSAF provider satisfies the "CSAF trusted provider" role if the party:

A distributing party satisfies the "CSAF lister" role if the party:

* satisfies the requirements 6, 21 and 22 in section [sec](#requirements).
* satisfies the requirements 6, 21, 22 and 24 in section [sec](#requirements).
* uses the value `lister` for `/aggregator/category`.
* does not list any mirror pointing to a domain under its own control.

Expand All @@ -630,7 +648,7 @@ A distributing party satisfies the "CSAF lister" role if the party:

A distributing party satisfies the "CSAF aggregator" role if the party:

* satisfies the requirements 1 to 6 and 21 to 23 in section [sec](#requirements).
* satisfies the requirements 1 to 6 and 21 to 24 in section [sec](#requirements).
* uses the value `aggregator` for `/aggregator/category`.
* lists a mirror for at least two disjoint issuing parties pointing to a domain under its own control.
* links the public part of the OpenPGP key used to sign CSAF documents for each mirrored issuing party in
4 changes: 2 additions & 2 deletions csaf_2.1/prose/edit/src/frontmatter.md
@@ -7,7 +7,7 @@

## Committee Specification Draft 01

## 24 April 2024
## 29 May 2024

#### This stage:
https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used

**[csaf-v2.1]**

_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 24 April 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 29 May 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


-------
1 change: 1 addition & 0 deletions csaf_2.1/prose/edit/src/revision-history.md
@@ -14,4 +14,5 @@ toc:
| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.0-wd20240327-dev | 2024-03-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.0-wd20240424-dev | 2024-04-24 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
| csaf-v2.0-wd20240529-dev | 2024-05-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
-------
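Review bot: the new row follows the existing pattern, but every identifier in this table is `csaf-v2.0-wd...-dev` while the document is the 2.1 draft (the frontmatter hunk in this commit cites `csaf-v2.1`); if the `v2.0` prefix is intentional, a note in the table would help, otherwise this and the earlier rows should read `csaf-v2.1-wd...-dev`.
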
@@ -80,7 +80,7 @@ and `x_generic_uris`, one is mandatory.
Common Platform Enumeration representation (`cpe`) of value type `string` of 5 or more characters with `pattern` (regular expression):

```
^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$
^((cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,\\/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:\\/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}))$
```

The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.
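Review bot: this copy reproduces the JSON-escaped form of the pattern (`\\.`, `\\/`, `\"`) rather than the regular expression itself, so a reader who pastes it into a regex tester gets doubled backslashes and a spurious `\"`; show the unescaped regex, or state that the quoted form is the JSON string literal. It also has to stay byte-identical to the schema: the `\\+,/:;` to `\\+,\\/:;` fix had to be applied in two places in this commit, which argues for generating this block from the schema or checking the two copies against each other in CI.
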
18 changes: 17 additions & 1 deletion csaf_2.1/prose/edit/src/schema-elements-02-props-01-document.md
@@ -200,6 +200,11 @@ Valid values of the `enum` are:
> To simplify the JSON structure, avoid additional business level tests and aid in parsing, consumption and
> processing, it is provided as a label to be selected instead of having a separate field.
The default value for `label` is `CLEAR`.

> Note: This provides the suggested default value for anyone writing CSAF documents as the majority of those
> are intended to be publicly available.
The URL of TLP version (`url`) with value type `string` with format `uri` provides a URL where to find
the textual description of the TLP version which is used in this document.
The default value is the URL to the definition by FIRST:
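Review bot: `The default value for `label` is `CLEAR`.` directly follows a `>` note line without a blank line, as does `The URL of TLP version ...` after the second note; in CommonMark a non-blank line after a blockquote paragraph is a lazy continuation, so both normative sentences render inside the notes. Insert blank lines. On substance, the note justifies the default by most documents being public; it should add that authoring and conversion tools must not apply it silently, consistent with the converter rule in conformance.md that warns when `TLP:CLEAR` is assigned, because defaulting an AMBER-intended document to CLEAR is a disclosure, not a validation error.
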
@@ -276,6 +281,7 @@ The valid values are:
```
coordinator
discoverer
multiplier
other
translator
user
Expand All @@ -289,10 +295,20 @@ This includes all Computer Emergency/Incident Response Teams (CERTs/CIRTs) or ag
The value `discoverer` indicates individuals or organizations that find vulnerabilities or security weaknesses.
This includes all manner of researchers.

The value `multiplier` indicates individuals or organizations that use existing CSAF documents or information that could
be represented in CSAF, and create their own CSAF documents for distribution to a specific target audience.
A single multiplier might have target audiences.
> For example, a National CSIRT might create different CSAF documents for the same vulnerability for critical
infrastructure companies in different sectors, government agencies, non-critical industry, and the public based on
information sharing agreements and threats to the target group.

The creation step can make use of a CSAF modifier that replaces metadata, e.g. the document publisher.
Currently, this value includes multipliers, republishers, and forwarders.

The value `translator` indicates individuals or organizations that translate CSAF documents.
This includes all manner of language translators, also those who work for the party issuing the original advisory.

The value `other` indicates a catchall for everyone else. Currently this includes editors, reviewers, forwarders, republishers,
The value `other` indicates a catchall for everyone else. Currently this includes editors, reviewers,
and miscellaneous contributors.

The value `user` indicates anyone using a vendor’s product.
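Review bot: `A single multiplier might have target audiences.` is missing a word, presumably `multiple` or `several`, which is what the CSIRT example illustrates. The example's continuation lines (`infrastructure companies ...`, `information sharing agreements ...`) lack the `>` prefix used for the other multi-line note in this file; they only stay inside the quote by lazy continuation and will fall out as soon as someone adds a blank line. The sentence `Currently, this value includes multipliers, republishers, and forwarders.` together with the removal of `forwarders, republishers` from `other` is the regrouping the converter warning in conformance.md refers to; cross-reference it here, since this is where a user will look to decide whether `other` should become `multiplier`.
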
@@ -299,7 +299,7 @@ Text (`text`) of value type `string` with 1 or more characters is unique label o
#### Vulnerabilities Property - Involvements

List of involvements (`involvements`) of value type `array` with 1 or more items of value type `object` contains a list of involvements.
List of involvements (`involvements`) of value type `array` with 1 or more unique items (a set) of value type `object` contains a list of involvements.

```
"involvements": {
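Review bot: describing the array as `unique items (a set)` promises a schema constraint, but the schema hunk in this commit does not show `uniqueItems: true` being added for `involvements`; verify it is there, otherwise prose and schema disagree. Note also that `uniqueItems` compares whole objects, so two involvements differing only in `summary` are distinct to the validator; the stronger rule in the context line, that the tuple of `party` and `date` SHALL be unique, remains enforceable only by a conformance test, and saying so here avoids implementers expecting the schema to catch it.
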
@@ -330,7 +330,7 @@ The ordered tuple of the values of `party` and `date` (if present) SHALL be uniq
},
"summary": {
// ...
},
}
}
```

@@ -1,6 +1,8 @@
### Sorted Revision History

It MUST be tested that the value of `number` of items of the revision history are sorted ascending when the items are sorted ascending by `date`.
It MUST be tested that the value of `number` of items of the revision history are sorted ascending when the items are sorted
ascending by `date` and as a second level criteria `number`.
As the timestamps might use different timezones, the sorting MUST take timezones into account.

The relevant path for this test is:

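Review bot: `as a second level criteria` should be `criterion`. With `number` as the secondary key, items sharing a `date` are in `number` order by construction, so the test only has teeth across distinct dates; fine, but worth stating, as is how `number` is ordered (integer comparison for integer versioning, semantic-version precedence rather than string order for semver, otherwise `1.10.0` sorts before `1.2.0`). `take timezones into account` should say that timestamps are compared as instants after applying the offset, not as strings: `2024-05-29T10:00:00+02:00` sorts after `2024-05-29T09:00:00Z` as a string but is the earlier instant (08:00Z).
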
@@ -1,7 +1,9 @@
### Latest Document Version

It MUST be tested that document version has the same value as the `number` in the last item of Revision History when
it is sorted ascending by `date`. Build metadata is ignored in the comparison.
It MUST be tested that document version has the same value as the `number` in the last item of the revision history when
it is sorted ascending by `date` and as a second level criteria `number`.
As the timestamps might use different timezones, the sorting MUST take timezones into account.
Build metadata is ignored in the comparison.
Any pre-release part is also ignored if the document status is `draft`.

The relevant path for this test is:
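Review bot: `criteria` should be `criterion` here too. This test and the sorting test now repeat the same three-part definition (sort by `date`, then `number`, timezone-aware); define "the sorted revision history" once and reference it from both tests so a future change cannot update one and miss the other.
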
@@ -1,6 +1,7 @@
### Missing Item in Revision History

It MUST be tested that items of the revision history do not omit a version number when the items are sorted ascending by `date`.
As the timestamps might use different timezones, the sorting MUST take timezones into account.
In the case of semantic versioning, this applies only to the Major version.
It MUST also be tested that the first item in such a sorted list has either the version number 0 or 1 in the case of integer versioning or
a Major version of 0 or 1 in the case of semantic versioning.
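Review bot: this test still sorts `by date` alone, while the two revision-history tests updated in this commit add `number` as a second-level key; with equal dates the order, and therefore which item counts as "first", is undefined here. Align the sort criteria with the other two tests.
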