Merge remote-tracking branch 'upstream/editor-revision-2025-02-26' in…

…to disclosure_date
oasis-tcs · Feb 27, 2025 · a77be1e · a77be1e
2 parents f66606e + 97f8f01
commit a77be1e
Show file tree

Hide file tree

Showing 20 changed files with 634 additions and 11 deletions.
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -855,7 +855,7 @@
             },
             "initial_release_date": {
               "title": "Initial release date",
-              "description": "The date when this document was first published.",
+              "description": "The date when this document was first released to the specified target group.",
               "type": "string",
               "format": "date-time"
             },

diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
@@ -73,6 +73,8 @@ tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
 tests-01-mndtr-40-invalid-sharing-group-name.md
 tests-01-mndtr-41-missing-sharing-group-name.md
 tests-01-mndtr-42-purl-qualifiers.md
+tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md
+tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
@@ -257,6 +257,8 @@ A CSAF content management system satisfies the "CSAF content management system"
     the configuration (default: 3 weeks)
   * suggest to publish a new version of the CSAF document with the document status `final` if the document status was
     `interim` and no new release has be done during the given threshold in the configuration (default: 6 weeks)
+    > Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of
+      whether the specified target group is the public or a closed group.
   * support the following workflows:
 
     * "New Advisory": create a new advisory, request a review, provide review comments or approve it, resolve review comments;
@@ -373,6 +375,8 @@ The resulting translated document:
   It SHOULD NOT use the original `/document/tracking/id` as a suffix.
   If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of
   the original `/document/tracking/id` and translated `/document/lang` as a `/document/tracking/id` for the translated document.
+  > Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public
+    or a closed group.
 * provides the `/document/lang` property with a value matching the language of the translation.
 * provides the `/document/source_lang` to contain the language of the original document (and SHOULD only be set by CSAF translators).
 * has the value `translator` set in `/document/publisher/category`
@@ -539,8 +543,38 @@ Secondly, the program fulfills the following for all items of:
 
 * type `/$defs/full_product_name_t/product_identification_helper/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the
   invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.
+* type `/$defs/full_product_name_t/model_number`:
+  * If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a
+    warning that a partial model number was detected and a star has been added.
+    Such a warning MUST include the model number.
+  * If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character.
+  * If the model number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and
+    output a warning that a model number with multiple stars was detected and removed.
+    Such a warning MUST include the model number.
+
+  > A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars.
+
+  > A tool MAY provide a non-default option to interpret the `?` in all model numbers as part of the model number itself and therefore escape it.
+
+  > A tool MAY provide a non-default option to interpret the `*` in all model numbers as part of the model number itself and therefore escape it.
+
 * type `/$defs/full_product_name_t/product_identification_helper/purls`: If a `/$defs/full_product_name_t/product_identification_helper/purl` is given,
   the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding `purls` array.
+* type `/$defs/full_product_name_t/serial_number`:
+  * If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a
+    warning that a partial serial number was detected and a star has been added.
+    Such a warning MUST include the serial number.
+  * If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character.
+  * If the serial number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and
+    output a warning that a serial number with multiple stars was detected and removed.
+    Such a warning MUST include the serial number.
+
+  > A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars.
+
+  > A tool MAY provide a non-default option to interpret the `?` in all serial numbers as part of the serial number itself and therefore escape it.
+
+  > A tool MAY provide a non-default option to interpret the `*` in all serial numbers as part of the serial number itself and therefore escape it.
+
 * `/$schema`: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema.
 * `/document/csaf_version`: The CSAF 2.0 to CSAF 2.1 converter MUST update the value to `2.1`.
 * `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below:

diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
@@ -236,13 +236,19 @@ the component to identify.
 > Often it is abbreviated as "MN", M/N" or "model no.".
 
 If a part of a model number of the component to identify is given,
-it SHOULD begin with the first character of the model number and stop at any point.
-Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters).  
-Two `*` MUST NOT follow each other.
+it MUST begin at the first and end at the last character position of the string representing the targeted component.
+The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching.
+This applies also to the first character.
+An unescaped `*` MUST be the only `*` wildcard in the string.
+As part of the model number, the special characters `?`, `*` and `\` MUST be escaped with `\`.
+
+> Note: A backslash MUST be escaped itself in a JSON string.
 
 *Examples 1:*
 
 ```
+    *-G109A/EU?
+    2024-*
     6RA8096-4MV62-0AA0
     6RA801?-??V62-0AA0
     IC25T060ATCS05-0
@@ -325,9 +331,23 @@ Any given serial number of value type `string` with at least 1 character represe
 abbreviated (partial) serial number of the component to identify.
 
 If a part of a serial number of the component to identify is given,
-it SHOULD begin with the first character of the serial number and stop at any point.
-Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters).  
-Two `*` MUST NOT follow each other.
+it MUST begin at the first and end at the last character position of the string representing the targeted component.
+The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching.
+This applies also to the first character.
+An unescaped `*` MUST be the only `*` wildcard in the string.
+As part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`.
+
+> Note: A backslash MUST be escaped itself in a JSON string.
+
+*Examples 1:*
+
+```
+    *RF8R71YR???
+    11S45N0249Z1ZS9*
+    DSEP147100
+    L15-VM-???
+    L234.696.30.044.712
+```
 
 ##### Full Product Name Type - Product Identification Helper - SKUs
 

diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md
@@ -39,7 +39,7 @@ The following rules apply:
    Any modifications MUST be released as a new version.
 2. Version zero (0) is for initial development before the `initial_release_date`.
    The document status MUST be `draft`. Anything MAY change at any time. The document SHOULD NOT be considered stable.
-3. Version 1 defines the initial public release.
+3. Version 1 defines the initial release to the specified target group.
    Each new version where `/document/tracking/status` is `final` has a version number incremented by one.
 4. Pre-release versions (document status `draft`) MUST carry the new version number.
    Sole exception is before the initial release (see rule 2).
@@ -70,7 +70,7 @@ This results in the following rules:
    tracked in this stage with (0.y.z) by incrementing the minor version y instead.
    Changes that would increment the minor or patch version according to rule 6 or 5 are both tracked in this stage with
    (0.y.z) by incrementing the patch version z instead.
-4. Version 1.0.0 defines the initial public release.
+4. Version 1.0.0 defines the initial release to the specified target group.
    The way in which the version number is incremented after this release is dependent on the content and structure of
    the document and how it changes.
 5. Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced.

diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md
@@ -643,7 +643,14 @@ This value is also used to determine the filename for the CSAF document (cf. sec
 
 ##### Document Property - Tracking - Initial Release Date
 
-Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first published.
+Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the specified target group.
+
+> For `TLP:CLEAR` documents, this is usually the timestamp when the document was published.
+> For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group.
+> Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience.
+
+If the timestamp of the initial release date was set incorrectly, it MUST be corrected.
+This change MUST be tracked with a new entry in the revision history.
 
 ##### Document Property - Tracking - Revision History
 

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md
@@ -0,0 +1,23 @@
+### Use of Multiple Stars in Model Number
+
+For each model number it MUST be tested that the it does not contain multiple unescaped stars.
+
+> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited.
+
+The relevant paths for this test are:
+
+```
+  /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[]
+  /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]
+  /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+          "model_numbers": [
+            "P*A*"
+          ]
+```
+
+> The model number contains two unescaped stars.
diff --git a/..._2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md b/..._2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
@@ -0,0 +1,23 @@
+### Use of Multiple Stars in Serial Number
+
+For each serial number it MUST be tested that the it does not contain multiple unescaped stars.
+
+> Multiple `*` that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited.
+
+The relevant paths for this test are:
+
+```
+  /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[]
+  /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[]
+  /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+          "serial_numbers": [
+            "P*A*"
+          ]
+```
+
+> The serial number contains two unescaped stars.
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json
@@ -0,0 +1,45 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Mandatory test: Use of Multiple Stars in Model Number (failing example 1)",
+    "tracking": {
+      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-01",
+      "initial_release_date": "2024-01-24T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "full_product_names": [
+      {
+        "name": "Product A",
+        "product_id": "CSAFPID-9080700",
+        "product_identification_helper": {
+          "model_numbers": [
+            "P*A*"
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json
@@ -0,0 +1,45 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Mandatory test: Use of Multiple Stars in Model Number (failing example 2)",
+    "tracking": {
+      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-02",
+      "initial_release_date": "2024-01-24T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "full_product_names": [
+      {
+        "name": "Product A",
+        "product_id": "CSAFPID-9080700",
+        "product_identification_helper": {
+          "model_numbers": [
+            "*P*\\*?*"
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json
@@ -0,0 +1,49 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 1)",
+    "tracking": {
+      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-11",
+      "initial_release_date": "2024-01-24T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "full_product_names": [
+      {
+        "name": "Product A",
+        "product_id": "CSAFPID-9080700",
+        "product_identification_helper": {
+          "model_numbers": [
+            "PA*",
+            "P?A*",
+            "P??A*",
+            "P???A*",
+            "P????A*"
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json
@@ -0,0 +1,45 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 2)",
+    "tracking": {
+      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-12",
+      "initial_release_date": "2024-01-24T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "full_product_names": [
+      {
+        "name": "Product A",
+        "product_id": "CSAFPID-9080700",
+        "product_identification_helper": {
+          "model_numbers": [
+            "*P\\*\\*?\\*"
+          ]
+        }
+      }
+    ]
+  }
+}