diff --git a/csaf_2.1/examples/csaf/rhsa-2021_5186.json b/csaf_2.1/examples/csaf/rhsa-2021_5186.json
index a905de27a..6a62e888a 100644
--- a/csaf_2.1/examples/csaf/rhsa-2021_5186.json
+++ b/csaf_2.1/examples/csaf/rhsa-2021_5186.json
@@ -173,6 +173,7 @@
 "version": "4.6"
 }
 ],
+ "disclosure_date": "2021-12-10T00:00:00Z",
 "discovery_date": "2021-12-13T00:00:00Z",
 "ids": [
 {
@@ -228,7 +229,6 @@
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667"
 }
 ],
- "release_date": "2021-12-10T00:00:00Z",
 "remediations": [
 {
 "category": "vendor_fix",
@@ -252,6 +252,7 @@
 },
 {
 "cve": "CVE-2021-4125",
+ "disclosure_date": "2021-12-16T00:00:00Z",
 "discovery_date": "2021-12-16T00:00:00Z",
 "ids": [
 {
@@ -297,7 +298,6 @@
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121"
 }
 ],
- "release_date": "2021-12-16T00:00:00Z",
 "remediations": [
 {
 "category": "vendor_fix",
@@ -320,4 +320,4 @@
 "title": "CVE-2021-4125 kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/csaf_2.1/examples/csaf/rhsa-2021_5217.json b/csaf_2.1/examples/csaf/rhsa-2021_5217.json
index 26e7eb9e4..e1e49c8ab 100644
--- a/csaf_2.1/examples/csaf/rhsa-2021_5217.json
+++ b/csaf_2.1/examples/csaf/rhsa-2021_5217.json
@@ -124,6 +124,7 @@
 "version": "4.6"
 }
 ],
+ "disclosure_date": "2021-12-16T17:05:00Z",
 "discovery_date": "2021-12-17T00:00:00Z",
 "ids": [
 {
@@ -165,7 +166,6 @@
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"
 }
 ],
- "release_date": "2021-12-16T17:05:00Z",
 "remediations": [
 {
 "category": "vendor_fix",
@@ -186,4 +186,4 @@
 "title": "CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/csaf_2.1/examples/csaf/rhsa-2022_0011.json b/csaf_2.1/examples/csaf/rhsa-2022_0011.json
index e25209a91..35a361a3d 100644
--- a/csaf_2.1/examples/csaf/rhsa-2022_0011.json
+++ b/csaf_2.1/examples/csaf/rhsa-2022_0011.json
@@ -348,6 +348,7 @@
 "version": "4.6"
 }
 ],
+ "disclosure_date": "2020-02-28T00:00:00Z",
 "discovery_date": "2020-03-06T00:00:00Z",
 "ids": [
 {
@@ -393,7 +394,6 @@
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811673"
 }
 ],
- "release_date": "2020-02-28T00:00:00Z",
 "remediations": [
 {
 "category": "vendor_fix",
@@ -428,4 +428,4 @@
 "title": "CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index 67946f32d..ba16a93ec 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -855,7 +855,7 @@
 },
 "initial_release_date": {
 "title": "Initial release date",
- "description": "The date when this document was first published.",
+ "description": "The date when this document was first released to the specified target group.",
 "type": "string",
 "format": "date-time"
 },
@@ -1099,6 +1099,12 @@
 }
 }
 },
+ "disclosure_date": {
+ "title": "Disclosure date",
+ "description": "Holds the date and time the vulnerability was originally disclosed to the public.",
+ "type": "string",
+ "format": "date-time"
+ },
 "discovery_date": {
 "title": "Discovery date",
 "description": "Holds the date and time the vulnerability was originally discovered.",
@@ -1275,6 +1281,9 @@
 },
 "cvss_v4": {
 "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+ },
+ "ssvc_v1": {
+ "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"
 }
 }
 },
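Review bot: The new `disclosure_date` description in the 1099 hunk ("originally disclosed to the public") does not say what a producer puts here for a document that is not yet public, such as an embargoed TLP:AMBER or TLP:RED advisory, so it is unclear whether a planned future date is allowed or the property must be omitted until disclosure. The bind.txt hunk adds `tests-01-mndtr-45-inconsistent-disclosure-date.md`, which suggests a consistency rule exists elsewhere; the description should state that constraint, or at least point to it, so schema readers who never open the prose see it. The relation to `discovery_date` is also left open, and the updated rhsa-2021_5186.json example carries a `disclosure_date` (2021-12-10) earlier than its `discovery_date` (2021-12-13), which reads as disclosed before discovered unless `discovery_date` is meant as the date the publisher learned of the issue; a sentence in either description settling that would avoid consumers inferring an ordering the schema does not enforce.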
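Review bot: The `ssvc_v1` entry in the 1275 hunk pulls in `https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json` by remote `$ref`, so a validator that resolves references at run time fetches a third-party schema from a GitHub Pages host for every document carrying SSVC metrics; validation then fails when that host is unreachable and silently changes meaning if the hosted file is altered under the same URL. The same holds for the first.org CVSS refs on the lines above, but this adds a second external host to the trust set of every CSAF 2.1 validator. Ship a vendored copy of the referenced schema in the repository, have the reference validation tooling map the `$ref` URL to that local copy instead of fetching, and record in the commit which upstream revision the copy was taken from so it can be re-verified. Pinning to the versioned `1-0-1` file name is the right call; the vendored copy should carry that version in its file name as well.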
@@ -1348,12 +1357,6 @@
 "description": "Holds a list of references associated with this vulnerability item.",
 "$ref": "#/$defs/references_t"
 },
- "release_date": {
- "title": "Release date",
- "description": "Holds the date and time the vulnerability was originally released into the wild.",
- "type": "string",
- "format": "date-time"
- },
 "remediations": {
 "title": "List of remediations",
 "description": "Contains a list of remediations.",
diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
index 95390a140..6259e6084 100644
--- a/csaf_2.1/prose/edit/etc/bind.txt
+++ b/csaf_2.1/prose/edit/etc/bind.txt
@@ -73,6 +73,13 @@ tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
 tests-01-mndtr-40-invalid-sharing-group-name.md
 tests-01-mndtr-41-missing-sharing-group-name.md
 tests-01-mndtr-42-purl-qualifiers.md
+tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md
+tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
+tests-01-mndtr-45-inconsistent-disclosure-date.md
+tests-01-mndtr-46-invalid-ssvc.md
+tests-01-mndtr-47-inconsistent-ssvc-id.md
+tests-01-mndtr-48-ssvc-decision-points.md
+tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md
diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json
index cb2f311c0..566021755 100644
--- a/csaf_2.1/prose/edit/etc/example-global-to-local.json
+++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json
@@ -15,158 +15,171 @@ "13": "full-product-name-type-product-identification-helper-hashes-eg-3", "14": "full-product-name-type-product-identification-helper-model-numbers-eg-1", "15": "full-product-name-type-product-identification-helper-sbom-urls-eg-1", - "16": "full-product-name-type-product-identification-helper-generic-uris-eg-1", - "17": "full-product-name-type-product-identification-helper-generic-uris-eg-2", - "18": "language-type-eg-1", - "19": "notes-type-eg-1", - "20": "notes-type-eg-2", - "21": "product-group-id-type-eg-1", - "22": "product-id-type-eg-1", - "23": "version-type-eg-1", - "24": "version-type-semantic-versioning-eg-1", - "25": "version-type-semantic-versioning-eg-2", - "26": "version-type-semantic-versioning-eg-3", - "27": "version-type-semantic-versioning-eg-4", - "28": "version-type-semantic-versioning-eg-5", - "29": "version-type-semantic-versioning-eg-6", - "30": "document-property-aggregate-severity-eg-1", - "31": "document-property-category-eg-1", - "32": "document-property-distribution-eg-1", - "33": "document-property-distribution-text-eg-1", - "34": "document-property-distribution-tlp-eg-1", - "35": "document-property-publisher-contact-details-eg-1", - "36": "document-property-publisher-name-eg-1", - "37": "document-property-publisher-namespace-eg-1", - "38": "document-property-title-eg-1", - "39": "document-property-tracking-aliases-eg-1", - "40": "document-property-tracking-generator-eg-1", - "41": "document-property-tracking-generator-eg-2", - "42": "document-property-tracking-id-eg-1", - "43": "product-tree-property-product-groups-eg-1", - "44": "product-tree-property-relationships-eg-1", - "45": "vulnerabilities-property-cwes-eg-1", - "46": "vulnerabilities-property-cwes-eg-2", - "47": "vulnerabilities-property-cwes-eg-3", - "48": "vulnerabilities-property-ids-eg-1", - "49": "vulnerabilities-property-ids-eg-2", - "50": "filename-eg-1", - "51": "filename-eg-2", - "52": "hardware-and-software-within-the-product-tree-eg-1", - "53": 
"missing-definition-of-product-id-eg-1", - "54": "multiple-definition-of-product-id-eg-1", - "55": "circular-definition-of-product-id-eg-1", - "56": "missing-definition-of-product-group-id-eg-1", - "57": "multiple-definition-of-product-group-id-eg-1", - "58": "contradicting-product-status-eg-1", - "59": "multiple-scores-with-same-version-per-product-eg-1", - "60": "invalid-cvss-eg-1", - "61": "invalid-cvss-computation-eg-1", - "62": "inconsistent-cvss-eg-1", - "63": "cwe-eg-1", - "64": "language-eg-1", - "65": "purl-eg-1", - "66": "sorted-revision-history-eg-1", - "67": "translator-eg-1", - "68": "latest-document-version-eg-1", - "69": "document-status-draft-eg-1", - "70": "released-revision-history-eg-1", - "71": "revision-history-entries-for-pre-release-versions-eg-1", - "72": "non-draft-document-version-eg-1", - "73": "missing-item-in-revision-history-eg-1", - "74": "multiple-definition-in-revision-history-eg-1", - "75": "multiple-use-of-same-cve-eg-1", - "76": "multiple-definition-in-involvements-eg-1", - "77": "multiple-use-of-same-hash-algorithm-eg-1", - "78": "prohibited-document-category-name-eg-1", - "79": "prohibited-document-category-name-eg-2", - "80": "document-notes-eg-1", - "81": "document-references-eg-1", - "82": "vulnerabilities-for-informational-advisory-eg-1", - "83": "product-tree-eg-1", - "84": "vulnerability-notes-eg-1", - "85": "product-status-eg-1", - "86": "vex-product-status-eg-1", - "87": "vulnerability-id-eg-1", - "88": "impact-statement-eg-1", - "89": "action-statement-eg-1", - "90": "vulnerabilities-for-security-advisory-or-vex-eg-1", - "91": "translation-eg-1", - "92": "remediation-without-product-reference-eg-1", - "93": "mixed-integer-and-semantic-versioning-eg-1", - "94": "version-range-in-product-version-eg-1", - "95": "flag-without-product-reference-eg-1", - "96": "multiple-flags-with-vex-justification-codes-per-product-eg-1", - "97": "mandatory-tests--branches-recursion-depth-eg-1", - "98": "contradicting-remediations-eg-1", - 
"99": "contradicting-product-status-remediation-combination-eg-1", - "100": "mandatory-tests--date-and-time-eg-1", - "101": "non-public-sharing-group-with-max-uuid-eg-1", - "102": "public-sharing-group-with-no-max-uuid-eg-1", - "103": "invalid-sharing-group-name-eg-1", - "104": "missing-sharing-group-name-eg-1", - "105": "purl-qualifiers-eg-1", - "106": "unused-definition-of-product-id-eg-1", - "107": "missing-remediation-eg-1", - "108": "missing-metric-eg-1", - "109": "build-metadata-in-revision-history-eg-1", - "110": "older-initial-release-date-than-revision-history-eg-1", - "111": "older-current-release-date-than-revision-history-eg-1", - "112": "missing-date-in-involvements-eg-1", - "113": "use-of-md5-as-the-only-hash-algorithm-eg-1", - "114": "use-of-sha-1-as-the-only-hash-algorithm-eg-1", - "115": "missing-tlp-label-eg-1", - "116": "missing-canonical-url-eg-1", - "117": "missing-document-language-eg-1", - "118": "optional-tests--sorting-eg-1", - "119": "use-of-private-language-eg-1", - "120": "use-of-default-language-eg-1", - "121": "missing-product-identification-helper-eg-1", - "122": "cve-in-field-ids-eg-1", - "123": "product-version-range-without-vers-eg-1", - "124": "cvss-for-fixed-products-eg-1", - "125": "additional-properties-eg-1", - "126": "same-timestamps-in-revision-history-eg-1", - "127": "document-tracking-id-in-title-eg-1", - "128": "usage-of-deprecated-cwe-eg-1", - "129": "usage-of-non-latest-cwe-version-eg-1", - "130": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1", - "131": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1", - "132": "discouraged-product-status-remediation-combination-eg-1", - "133": "usage-of-max-uuid-eg-1", - "134": "usage-of-nil-uuid-eg-1", - "135": "usage-of-sharing-group-on-tlp-clear-eg-1", - "136": "hardware-and-software-eg-1", - "137": "use-of-same-product-identification-helper-for-different-products-eg-1", - "138": "use-of-cvss-v2-as-the-only-scoring-system-eg-1", - "139": 
"use-of-cvss-v3-0-eg-1", - "140": "missing-cve-eg-1", - "141": "missing-cwe-eg-1", - "142": "use-of-short-hash-eg-1", - "143": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1", - "144": "use-of-self-referencing-urls-failing-to-resolve-eg-1", - "145": "spell-check-eg-1", - "146": "branch-categories-eg-1", - "147": "usage-of-product-version-range-eg-1", - "148": "usage-of-v-as-version-indicator-eg-1", - "149": "missing-cvss-v4-0-eg-1", - "150": "requirement-7-provider-metadata-json-eg-1", - "151": "requirement-8-security-txt-eg-1", - "152": "requirement-9-well-known-url-for-provider-metadata-json-eg-1", - "153": "requirement-11-one-folder-per-year-eg-1", - "154": "requirement-12-index-txt-eg-1", - "155": "requirement-13-changes-csv-eg-1", - "156": "requirement-15-rolie-feed-eg-1", - "157": "requirement-16-rolie-service-document-eg-1", - "158": "requirement-17-rolie-category-document-eg-1", - "159": "requirement-17-rolie-category-document-eg-2", - "160": "requirement-17-rolie-category-document-eg-3", - "161": "requirement-18-integrity-eg-1", - "162": "requirement-18-integrity-eg-2", - "163": "requirement-19-signatures-eg-1", - "164": "requirement-21-list-of-csaf-providers-eg-1", - "165": "requirement-23-mirror-eg-1", - "166": "conformance-clause-5-cvrf-csaf-converter-eg-1", - "167": "conformance-clause-5-cvrf-csaf-converter-eg-2", - "168": "conformance-clause-5-cvrf-csaf-converter-eg-3", - "169": "conformance-clause-5-cvrf-csaf-converter-eg-4" + "16": "full-product-name-type-product-identification-helper-serial-numbers-eg-1", + "17": "full-product-name-type-product-identification-helper-skus-numbers-eg-1", + "18": "full-product-name-type-product-identification-helper-generic-uris-eg-1", + "19": "full-product-name-type-product-identification-helper-generic-uris-eg-2", + "20": "language-type-eg-1", + "21": "notes-type-eg-1", + "22": "notes-type-eg-2", + "23": "product-group-id-type-eg-1", + "24": "product-id-type-eg-1", + "25": "version-type-eg-1", + "26": 
"version-type-semantic-versioning-eg-1", + "27": "version-type-semantic-versioning-eg-2", + "28": "version-type-semantic-versioning-eg-3", + "29": "version-type-semantic-versioning-eg-4", + "30": "version-type-semantic-versioning-eg-5", + "31": "version-type-semantic-versioning-eg-6", + "32": "document-property-aggregate-severity-eg-1", + "33": "document-property-category-eg-1", + "34": "document-property-distribution-eg-1", + "35": "document-property-distribution-text-eg-1", + "36": "document-property-distribution-tlp-eg-1", + "37": "document-property-publisher-contact-details-eg-1", + "38": "document-property-publisher-name-eg-1", + "39": "document-property-publisher-namespace-eg-1", + "40": "document-property-title-eg-1", + "41": "document-property-tracking-aliases-eg-1", + "42": "document-property-tracking-generator-eg-1", + "43": "document-property-tracking-generator-eg-2", + "44": "document-property-tracking-id-eg-1", + "45": "product-tree-property-product-groups-eg-1", + "46": "product-tree-property-relationships-eg-1", + "47": "vulnerabilities-property-cwes-eg-1", + "48": "vulnerabilities-property-cwes-eg-2", + "49": "vulnerabilities-property-cwes-eg-3", + "50": "vulnerabilities-property-ids-eg-1", + "51": "vulnerabilities-property-ids-eg-2", + "52": "filename-eg-1", + "53": "filename-eg-2", + "54": "hardware-and-software-within-the-product-tree-eg-1", + "55": "missing-definition-of-product-id-eg-1", + "56": "multiple-definition-of-product-id-eg-1", + "57": "circular-definition-of-product-id-eg-1", + "58": "missing-definition-of-product-group-id-eg-1", + "59": "multiple-definition-of-product-group-id-eg-1", + "60": "contradicting-product-status-eg-1", + "61": "multiple-scores-with-same-version-per-product-eg-1", + "62": "invalid-cvss-eg-1", + "63": "invalid-cvss-computation-eg-1", + "64": "inconsistent-cvss-eg-1", + "65": "mandatory-tests--cwe-eg-1", + "66": "language-eg-1", + "67": "purl-eg-1", + "68": "sorted-revision-history-eg-1", + "69": 
"translator-eg-1", + "70": "latest-document-version-eg-1", + "71": "document-status-draft-eg-1", + "72": "released-revision-history-eg-1", + "73": "revision-history-entries-for-pre-release-versions-eg-1", + "74": "non-draft-document-version-eg-1", + "75": "missing-item-in-revision-history-eg-1", + "76": "multiple-definition-in-revision-history-eg-1", + "77": "multiple-use-of-same-cve-eg-1", + "78": "multiple-definition-in-involvements-eg-1", + "79": "multiple-use-of-same-hash-algorithm-eg-1", + "80": "prohibited-document-category-name-eg-1", + "81": "prohibited-document-category-name-eg-2", + "82": "document-notes-eg-1", + "83": "document-references-eg-1", + "84": "vulnerabilities-for-informational-advisory-eg-1", + "85": "product-tree-eg-1", + "86": "vulnerability-notes-eg-1", + "87": "product-status-eg-1", + "88": "vex-product-status-eg-1", + "89": "vulnerability-id-eg-1", + "90": "impact-statement-eg-1", + "91": "action-statement-eg-1", + "92": "vulnerabilities-for-security-advisory-or-vex-eg-1", + "93": "translation-eg-1", + "94": "remediation-without-product-reference-eg-1", + "95": "mixed-integer-and-semantic-versioning-eg-1", + "96": "version-range-in-product-version-eg-1", + "97": "flag-without-product-reference-eg-1", + "98": "multiple-flags-with-vex-justification-codes-per-product-eg-1", + "99": "mandatory-tests--branches-recursion-depth-eg-1", + "100": "contradicting-remediations-eg-1", + "101": "contradicting-product-status-remediation-combination-eg-1", + "102": "mandatory-tests--date-and-time-eg-1", + "103": "non-public-sharing-group-with-max-uuid-eg-1", + "104": "public-sharing-group-with-no-max-uuid-eg-1", + "105": "invalid-sharing-group-name-eg-1", + "106": "missing-sharing-group-name-eg-1", + "107": "purl-qualifiers-eg-1", + "108": "use-of-multiple-stars-in-model-number-eg-1", + "109": "use-of-multiple-stars-in-serial-number-eg-1", + "110": "inconsistent-disclosure-date-eg-1", + "111": "invalid-ssvc-eg-1", + "112": "inconsistent-ssvc-id-eg-1", + 
"113": "ssvc-decision-points-eg-1", + "114": "inconsistent-ssvc-timestamp-eg-1", + "115": "unused-definition-of-product-id-eg-1", + "116": "missing-remediation-eg-1", + "117": "missing-metric-eg-1", + "118": "build-metadata-in-revision-history-eg-1", + "119": "older-initial-release-date-than-revision-history-eg-1", + "120": "older-current-release-date-than-revision-history-eg-1", + "121": "missing-date-in-involvements-eg-1", + "122": "use-of-md5-as-the-only-hash-algorithm-eg-1", + "123": "use-of-sha-1-as-the-only-hash-algorithm-eg-1", + "124": "missing-tlp-label-eg-1", + "125": "missing-canonical-url-eg-1", + "126": "missing-document-language-eg-1", + "127": "optional-tests--sorting-eg-1", + "128": "use-of-private-language-eg-1", + "129": "use-of-default-language-eg-1", + "130": "missing-product-identification-helper-eg-1", + "131": "cve-in-field-ids-eg-1", + "132": "product-version-range-without-vers-eg-1", + "133": "cvss-for-fixed-products-eg-1", + "134": "additional-properties-eg-1", + "135": "same-timestamps-in-revision-history-eg-1", + "136": "document-tracking-id-in-title-eg-1", + "137": "usage-of-deprecated-cwe-eg-1", + "138": "usage-of-non-latest-cwe-version-eg-1", + "139": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1", + "140": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1", + "141": "discouraged-product-status-remediation-combination-eg-1", + "142": "usage-of-max-uuid-eg-1", + "143": "usage-of-nil-uuid-eg-1", + "144": "usage-of-sharing-group-on-tlp-clear-eg-1", + "145": "hardware-and-software-eg-1", + "146": "use-of-same-product-identification-helper-for-different-products-eg-1", + "147": "disclosure-date-newer-than-revision-history-eg-1", + "148": "usage-of-unknown-ssvc-decision-point-namespace-eg-1", + "149": "usage-of-unknown-ssvc-role-eg-1", + "150": "use-of-cvss-v2-as-the-only-scoring-system-eg-1", + "151": "use-of-cvss-v3-0-eg-1", + "152": "missing-cve-eg-1", + "153": "missing-cwe-eg-1", + "154": 
"use-of-short-hash-eg-1", + "155": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1", + "156": "use-of-self-referencing-urls-failing-to-resolve-eg-1", + "157": "spell-check-eg-1", + "158": "branch-categories-eg-1", + "159": "usage-of-product-version-range-eg-1", + "160": "usage-of-v-as-version-indicator-eg-1", + "161": "missing-cvss-v4-0-eg-1", + "162": "usage-of-non-latest-ssvc-decision-point-version-eg-1", + "163": "requirement-7-provider-metadata-json-eg-1", + "164": "requirement-8-security-txt-eg-1", + "165": "requirement-9-well-known-url-for-provider-metadata-json-eg-1", + "166": "requirement-11-one-folder-per-year-eg-1", + "167": "requirement-12-index-txt-eg-1", + "168": "requirement-13-changes-csv-eg-1", + "169": "requirement-15-rolie-feed-eg-1", + "170": "requirement-16-rolie-service-document-eg-1", + "171": "requirement-17-rolie-category-document-eg-1", + "172": "requirement-17-rolie-category-document-eg-2", + "173": "requirement-17-rolie-category-document-eg-3", + "174": "requirement-18-integrity-eg-1", + "175": "requirement-18-integrity-eg-2", + "176": "requirement-19-signatures-eg-1", + "177": "requirement-21-list-of-csaf-providers-eg-1", + "178": "requirement-23-mirror-eg-1", + "179": "conformance-clause-5-cvrf-csaf-converter-eg-1", + "180": "conformance-clause-5-cvrf-csaf-converter-eg-2", + "181": "conformance-clause-5-cvrf-csaf-converter-eg-3", + "182": "conformance-clause-5-cvrf-csaf-converter-eg-4" } diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json index 9fa83b3a7..715050616 100644 --- a/csaf_2.1/prose/edit/etc/example-local-to-global.json +++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json 
@@ -3,170 +3,183 @@ "acknowledgments-type-names-eg-1": "1", "acknowledgments-type-organization-eg-1": "2", "acknowledgments-type-summary-eg-1": "3", - "action-statement-eg-1": "89", - "additional-properties-eg-1": "125", - "branch-categories-eg-1": "146", + "action-statement-eg-1": "91", + "additional-properties-eg-1": "134", + "branch-categories-eg-1": "158", "branches-type-name-eg-1": "5", "branches-type-name-under-product-version-eg-1": "6", "branches-type-name-under-product-version-eg-2": "7", "branches-type-name-under-product-version-range-eg-1": "8", "branches-type-name-under-product-version-range-eg-2": "9", - "build-metadata-in-revision-history-eg-1": "109", - "circular-definition-of-product-id-eg-1": "55", - "conformance-clause-5-cvrf-csaf-converter-eg-1": "166", - "conformance-clause-5-cvrf-csaf-converter-eg-2": "167", - "conformance-clause-5-cvrf-csaf-converter-eg-3": "168", - "conformance-clause-5-cvrf-csaf-converter-eg-4": "169", - "contradicting-product-status-eg-1": "58", - "contradicting-product-status-remediation-combination-eg-1": "99", - "contradicting-remediations-eg-1": "98", - "cve-in-field-ids-eg-1": "122", - "cvss-for-fixed-products-eg-1": "124", - "cwe-eg-1": "63", - "discouraged-product-status-remediation-combination-eg-1": "132", - "document-notes-eg-1": "80", - "document-property-aggregate-severity-eg-1": "30", - "document-property-category-eg-1": "31", - "document-property-distribution-eg-1": "32", - "document-property-distribution-text-eg-1": "33", - "document-property-distribution-tlp-eg-1": "34", - "document-property-publisher-contact-details-eg-1": "35", - "document-property-publisher-name-eg-1": "36", - "document-property-publisher-namespace-eg-1": "37", - "document-property-title-eg-1": "38", - "document-property-tracking-aliases-eg-1": "39", - "document-property-tracking-generator-eg-1": "40", - "document-property-tracking-generator-eg-2": "41", - "document-property-tracking-id-eg-1": "42", - "document-references-eg-1": "81", - 
"document-status-draft-eg-1": "69", - "document-tracking-id-in-title-eg-1": "127", - "filename-eg-1": "50", - "filename-eg-2": "51", - "flag-without-product-reference-eg-1": "95", + "build-metadata-in-revision-history-eg-1": "118", + "circular-definition-of-product-id-eg-1": "57", + "conformance-clause-5-cvrf-csaf-converter-eg-1": "179", + "conformance-clause-5-cvrf-csaf-converter-eg-2": "180", + "conformance-clause-5-cvrf-csaf-converter-eg-3": "181", + "conformance-clause-5-cvrf-csaf-converter-eg-4": "182", + "contradicting-product-status-eg-1": "60", + "contradicting-product-status-remediation-combination-eg-1": "101", + "contradicting-remediations-eg-1": "100", + "cve-in-field-ids-eg-1": "131", + "cvss-for-fixed-products-eg-1": "133", + "disclosure-date-newer-than-revision-history-eg-1": "147", + "discouraged-product-status-remediation-combination-eg-1": "141", + "document-notes-eg-1": "82", + "document-property-aggregate-severity-eg-1": "32", + "document-property-category-eg-1": "33", + "document-property-distribution-eg-1": "34", + "document-property-distribution-text-eg-1": "35", + "document-property-distribution-tlp-eg-1": "36", + "document-property-publisher-contact-details-eg-1": "37", + "document-property-publisher-name-eg-1": "38", + "document-property-publisher-namespace-eg-1": "39", + "document-property-title-eg-1": "40", + "document-property-tracking-aliases-eg-1": "41", + "document-property-tracking-generator-eg-1": "42", + "document-property-tracking-generator-eg-2": "43", + "document-property-tracking-id-eg-1": "44", + "document-references-eg-1": "83", + "document-status-draft-eg-1": "71", + "document-tracking-id-in-title-eg-1": "136", + "filename-eg-1": "52", + "filename-eg-2": "53", + "flag-without-product-reference-eg-1": "97", "full-product-name-type-name-eg-1": "10", - "full-product-name-type-product-identification-helper-generic-uris-eg-1": "16", - "full-product-name-type-product-identification-helper-generic-uris-eg-2": "17", + 
"full-product-name-type-product-identification-helper-generic-uris-eg-1": "18", + "full-product-name-type-product-identification-helper-generic-uris-eg-2": "19", "full-product-name-type-product-identification-helper-hashes-eg-1": "11", "full-product-name-type-product-identification-helper-hashes-eg-2": "12", "full-product-name-type-product-identification-helper-hashes-eg-3": "13", "full-product-name-type-product-identification-helper-model-numbers-eg-1": "14", "full-product-name-type-product-identification-helper-sbom-urls-eg-1": "15", - "hardware-and-software-eg-1": "136", - "hardware-and-software-within-the-product-tree-eg-1": "52", - "impact-statement-eg-1": "88", - "inconsistent-cvss-eg-1": "62", - "invalid-cvss-computation-eg-1": "61", - "invalid-cvss-eg-1": "60", - "invalid-sharing-group-name-eg-1": "103", - "language-eg-1": "64", - "language-type-eg-1": "18", - "latest-document-version-eg-1": "68", - "mandatory-tests--branches-recursion-depth-eg-1": "97", - "mandatory-tests--date-and-time-eg-1": "100", - "missing-canonical-url-eg-1": "116", - "missing-cve-eg-1": "140", - "missing-cvss-v4-0-eg-1": "149", - "missing-cwe-eg-1": "141", - "missing-date-in-involvements-eg-1": "112", - "missing-definition-of-product-group-id-eg-1": "56", - "missing-definition-of-product-id-eg-1": "53", - "missing-document-language-eg-1": "117", - "missing-item-in-revision-history-eg-1": "73", - "missing-metric-eg-1": "108", - "missing-product-identification-helper-eg-1": "121", - "missing-remediation-eg-1": "107", - "missing-sharing-group-name-eg-1": "104", - "missing-tlp-label-eg-1": "115", - "mixed-integer-and-semantic-versioning-eg-1": "93", - "multiple-definition-in-involvements-eg-1": "76", - "multiple-definition-in-revision-history-eg-1": "74", - "multiple-definition-of-product-group-id-eg-1": "57", - "multiple-definition-of-product-id-eg-1": "54", - "multiple-flags-with-vex-justification-codes-per-product-eg-1": "96", - "multiple-scores-with-same-version-per-product-eg-1": 
"59", - "multiple-use-of-same-cve-eg-1": "75", - "multiple-use-of-same-hash-algorithm-eg-1": "77", - "non-draft-document-version-eg-1": "72", - "non-public-sharing-group-with-max-uuid-eg-1": "101", - "notes-type-eg-1": "19", - "notes-type-eg-2": "20", - "older-current-release-date-than-revision-history-eg-1": "111", - "older-initial-release-date-than-revision-history-eg-1": "110", - "optional-tests--sorting-eg-1": "118", - "product-group-id-type-eg-1": "21", - "product-id-type-eg-1": "22", - "product-status-eg-1": "85", - "product-tree-eg-1": "83", - "product-tree-property-product-groups-eg-1": "43", - "product-tree-property-relationships-eg-1": "44", - "product-version-range-without-vers-eg-1": "123", - "prohibited-document-category-name-eg-1": "78", - "prohibited-document-category-name-eg-2": "79", - "public-sharing-group-with-no-max-uuid-eg-1": "102", - "purl-eg-1": "65", - "purl-qualifiers-eg-1": "105", - "released-revision-history-eg-1": "70", - "remediation-without-product-reference-eg-1": "92", - "requirement-11-one-folder-per-year-eg-1": "153", - "requirement-12-index-txt-eg-1": "154", - "requirement-13-changes-csv-eg-1": "155", - "requirement-15-rolie-feed-eg-1": "156", - "requirement-16-rolie-service-document-eg-1": "157", - "requirement-17-rolie-category-document-eg-1": "158", - "requirement-17-rolie-category-document-eg-2": "159", - "requirement-17-rolie-category-document-eg-3": "160", - "requirement-18-integrity-eg-1": "161", - "requirement-18-integrity-eg-2": "162", - "requirement-19-signatures-eg-1": "163", - "requirement-21-list-of-csaf-providers-eg-1": "164", - "requirement-23-mirror-eg-1": "165", - "requirement-7-provider-metadata-json-eg-1": "150", - "requirement-8-security-txt-eg-1": "151", - "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "152", - "revision-history-entries-for-pre-release-versions-eg-1": "71", - "same-timestamps-in-revision-history-eg-1": "126", - "sorted-revision-history-eg-1": "66", - "spell-check-eg-1": 
"145", - "translation-eg-1": "91", - "translator-eg-1": "67", + "full-product-name-type-product-identification-helper-serial-numbers-eg-1": "16", + "full-product-name-type-product-identification-helper-skus-numbers-eg-1": "17", + "hardware-and-software-eg-1": "145", + "hardware-and-software-within-the-product-tree-eg-1": "54", + "impact-statement-eg-1": "90", + "inconsistent-cvss-eg-1": "64", + "inconsistent-disclosure-date-eg-1": "110", + "inconsistent-ssvc-id-eg-1": "112", + "inconsistent-ssvc-timestamp-eg-1": "114", + "invalid-cvss-computation-eg-1": "63", + "invalid-cvss-eg-1": "62", + "invalid-sharing-group-name-eg-1": "105", + "invalid-ssvc-eg-1": "111", + "language-eg-1": "66", + "language-type-eg-1": "20", + "latest-document-version-eg-1": "70", + "mandatory-tests--branches-recursion-depth-eg-1": "99", + "mandatory-tests--cwe-eg-1": "65", + "mandatory-tests--date-and-time-eg-1": "102", + "missing-canonical-url-eg-1": "125", + "missing-cve-eg-1": "152", + "missing-cvss-v4-0-eg-1": "161", + "missing-cwe-eg-1": "153", + "missing-date-in-involvements-eg-1": "121", + "missing-definition-of-product-group-id-eg-1": "58", + "missing-definition-of-product-id-eg-1": "55", + "missing-document-language-eg-1": "126", + "missing-item-in-revision-history-eg-1": "75", + "missing-metric-eg-1": "117", + "missing-product-identification-helper-eg-1": "130", + "missing-remediation-eg-1": "116", + "missing-sharing-group-name-eg-1": "106", + "missing-tlp-label-eg-1": "124", + "mixed-integer-and-semantic-versioning-eg-1": "95", + "multiple-definition-in-involvements-eg-1": "78", + "multiple-definition-in-revision-history-eg-1": "76", + "multiple-definition-of-product-group-id-eg-1": "59", + "multiple-definition-of-product-id-eg-1": "56", + "multiple-flags-with-vex-justification-codes-per-product-eg-1": "98", + "multiple-scores-with-same-version-per-product-eg-1": "61", + "multiple-use-of-same-cve-eg-1": "77", + "multiple-use-of-same-hash-algorithm-eg-1": "79", + 
"non-draft-document-version-eg-1": "74", + "non-public-sharing-group-with-max-uuid-eg-1": "103", + "notes-type-eg-1": "21", + "notes-type-eg-2": "22", + "older-current-release-date-than-revision-history-eg-1": "120", + "older-initial-release-date-than-revision-history-eg-1": "119", + "optional-tests--sorting-eg-1": "127", + "product-group-id-type-eg-1": "23", + "product-id-type-eg-1": "24", + "product-status-eg-1": "87", + "product-tree-eg-1": "85", + "product-tree-property-product-groups-eg-1": "45", + "product-tree-property-relationships-eg-1": "46", + "product-version-range-without-vers-eg-1": "132", + "prohibited-document-category-name-eg-1": "80", + "prohibited-document-category-name-eg-2": "81", + "public-sharing-group-with-no-max-uuid-eg-1": "104", + "purl-eg-1": "67", + "purl-qualifiers-eg-1": "107", + "released-revision-history-eg-1": "72", + "remediation-without-product-reference-eg-1": "94", + "requirement-11-one-folder-per-year-eg-1": "166", + "requirement-12-index-txt-eg-1": "167", + "requirement-13-changes-csv-eg-1": "168", + "requirement-15-rolie-feed-eg-1": "169", + "requirement-16-rolie-service-document-eg-1": "170", + "requirement-17-rolie-category-document-eg-1": "171", + "requirement-17-rolie-category-document-eg-2": "172", + "requirement-17-rolie-category-document-eg-3": "173", + "requirement-18-integrity-eg-1": "174", + "requirement-18-integrity-eg-2": "175", + "requirement-19-signatures-eg-1": "176", + "requirement-21-list-of-csaf-providers-eg-1": "177", + "requirement-23-mirror-eg-1": "178", + "requirement-7-provider-metadata-json-eg-1": "163", + "requirement-8-security-txt-eg-1": "164", + "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "165", + "revision-history-entries-for-pre-release-versions-eg-1": "73", + "same-timestamps-in-revision-history-eg-1": "135", + "sorted-revision-history-eg-1": "68", + "spell-check-eg-1": "157", + "ssvc-decision-points-eg-1": "113", + "translation-eg-1": "93", + "translator-eg-1": "69", 
"typographical-conventions-eg-1": "4321",
- "unused-definition-of-product-id-eg-1": "106",
- "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "131",
- "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "130",
- "usage-of-deprecated-cwe-eg-1": "128",
- "usage-of-max-uuid-eg-1": "133",
- "usage-of-nil-uuid-eg-1": "134",
- "usage-of-non-latest-cwe-version-eg-1": "129",
- "usage-of-product-version-range-eg-1": "147",
- "usage-of-sharing-group-on-tlp-clear-eg-1": "135",
- "usage-of-v-as-version-indicator-eg-1": "148",
- "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "138",
- "use-of-cvss-v3-0-eg-1": "139",
- "use-of-default-language-eg-1": "120",
- "use-of-md5-as-the-only-hash-algorithm-eg-1": "113",
- "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "143",
- "use-of-private-language-eg-1": "119",
- "use-of-same-product-identification-helper-for-different-products-eg-1": "137",
- "use-of-self-referencing-urls-failing-to-resolve-eg-1": "144",
- "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "114",
- "use-of-short-hash-eg-1": "142",
- "version-range-in-product-version-eg-1": "94",
- "version-type-eg-1": "23",
- "version-type-semantic-versioning-eg-1": "24",
- "version-type-semantic-versioning-eg-2": "25",
- "version-type-semantic-versioning-eg-3": "26",
- "version-type-semantic-versioning-eg-4": "27",
- "version-type-semantic-versioning-eg-5": "28",
- "version-type-semantic-versioning-eg-6": "29",
- "vex-product-status-eg-1": "86",
- "vulnerabilities-for-informational-advisory-eg-1": "82",
- "vulnerabilities-for-security-advisory-or-vex-eg-1": "90",
- "vulnerabilities-property-cwes-eg-1": "45",
- "vulnerabilities-property-cwes-eg-2": "46",
- "vulnerabilities-property-cwes-eg-3": "47",
- "vulnerabilities-property-ids-eg-1": "48",
- "vulnerabilities-property-ids-eg-2": "49",
- "vulnerability-id-eg-1": "87",
- "vulnerability-notes-eg-1": "84"
+ "unused-definition-of-product-id-eg-1": "115",
+ 
"usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "140",
+ "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "139",
+ "usage-of-deprecated-cwe-eg-1": "137",
+ "usage-of-max-uuid-eg-1": "142",
+ "usage-of-nil-uuid-eg-1": "143",
+ "usage-of-non-latest-cwe-version-eg-1": "138",
+ "usage-of-non-latest-ssvc-decision-point-version-eg-1": "162",
+ "usage-of-product-version-range-eg-1": "159",
+ "usage-of-sharing-group-on-tlp-clear-eg-1": "144",
+ "usage-of-unknown-ssvc-decision-point-namespace-eg-1": "148",
+ "usage-of-unknown-ssvc-role-eg-1": "149",
+ "usage-of-v-as-version-indicator-eg-1": "160",
+ "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "150",
+ "use-of-cvss-v3-0-eg-1": "151",
+ "use-of-default-language-eg-1": "129",
+ "use-of-md5-as-the-only-hash-algorithm-eg-1": "122",
+ "use-of-multiple-stars-in-model-number-eg-1": "108",
+ "use-of-multiple-stars-in-serial-number-eg-1": "109",
+ "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "155",
+ "use-of-private-language-eg-1": "128",
+ "use-of-same-product-identification-helper-for-different-products-eg-1": "146",
+ "use-of-self-referencing-urls-failing-to-resolve-eg-1": "156",
+ "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "123",
+ "use-of-short-hash-eg-1": "154",
+ "version-range-in-product-version-eg-1": "96",
+ "version-type-eg-1": "25",
+ "version-type-semantic-versioning-eg-1": "26",
+ "version-type-semantic-versioning-eg-2": "27",
+ "version-type-semantic-versioning-eg-3": "28",
+ "version-type-semantic-versioning-eg-4": "29",
+ "version-type-semantic-versioning-eg-5": "30",
+ "version-type-semantic-versioning-eg-6": "31",
+ "vex-product-status-eg-1": "88",
+ "vulnerabilities-for-informational-advisory-eg-1": "84",
+ "vulnerabilities-for-security-advisory-or-vex-eg-1": "92",
+ "vulnerabilities-property-cwes-eg-1": "47",
+ "vulnerabilities-property-cwes-eg-2": "48",
+ "vulnerabilities-property-cwes-eg-3": "49",
+ "vulnerabilities-property-ids-eg-1": "50",
+ 
"vulnerabilities-property-ids-eg-2": "51",
+ "vulnerability-id-eg-1": "89",
+ "vulnerability-notes-eg-1": "86"
 }
\ No newline at end of file
diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json
index 487adb326..9c806c9c8 100644
--- a/csaf_2.1/prose/edit/etc/section-display-to-label.json
+++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json
@@ -85,18 +85,18 @@
 "3.2.4.1": "vulnerabilities-property-acknowledgments",
 "3.2.4.2": "vulnerabilities-property-cve",
 "3.2.4.3": "vulnerabilities-property-cwes",
- "3.2.4.4": "vulnerabilities-property-discovery-date",
- "3.2.4.5": "vulnerabilities-property-flags",
- "3.2.4.6": "vulnerabilities-property-ids",
- "3.2.4.7": "vulnerabilities-property-involvements",
- "3.2.4.8": "vulnerabilities-property-metrics",
- "3.2.4.8.1": "vulnerabilities-property-metrics-content",
- "3.2.4.8.2": "vulnerabilities-property-metrics-products",
- "3.2.4.8.3": "vulnerabilities-property-metrics-source",
- "3.2.4.9": "vulnerabilities-property-notes",
- "3.2.4.10": "vulnerabilities-property-product-status",
- "3.2.4.11": "vulnerabilities-property-references",
- "3.2.4.12": "vulnerabilities-property-release-date",
+ "3.2.4.4": "vulnerabilities-property-discosure-date",
+ "3.2.4.5": "vulnerabilities-property-discovery-date",
+ "3.2.4.6": "vulnerabilities-property-flags",
+ "3.2.4.7": "vulnerabilities-property-ids",
+ "3.2.4.8": "vulnerabilities-property-involvements",
+ "3.2.4.9": "vulnerabilities-property-metrics",
+ "3.2.4.9.1": "vulnerabilities-property-metrics-content",
+ "3.2.4.9.2": "vulnerabilities-property-metrics-products",
+ "3.2.4.9.3": "vulnerabilities-property-metrics-source",
+ "3.2.4.10": "vulnerabilities-property-notes",
+ "3.2.4.11": "vulnerabilities-property-product-status",
+ "3.2.4.12": "vulnerabilities-property-references",
 "3.2.4.13": "vulnerabilities-property-remediations",
 "3.2.4.13.1": "vulnerabilities-property-remediations-category",
 "3.2.4.13.2": "vulnerabilities-property-remediations-date",
@@ -133,7 +133,7 @@
 "6.1.8": "invalid-cvss",
 "6.1.9": "invalid-cvss-computation",
 "6.1.10": "inconsistent-cvss",
- "6.1.11": "cwe",
+ "6.1.11": "mandatory-tests--cwe",
 "6.1.12": "language",
 "6.1.13": "purl",
 "6.1.14": "sorted-revision-history",
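Review bot: The new `3.2.4.4` entry is misspelled as `vulnerabilities-property-discosure-date`, while the inverse map in section-label-to-display.json in this same commit (hunk `@@ -266,18 +277,18 @@`) adds `vulnerabilities-property-disclosure-date`, so the two lookup tables no longer round-trip for that section and any tooling resolving the display number to its label will miss the new subsection. The line should read `"3.2.4.4": "vulnerabilities-property-disclosure-date",`. Since these two files appear to be maintained as mutual inverses, a build-time check that every value in one is a key of the other would catch this class of drift before it reaches the published prose.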
@@ -176,6 +176,13 @@
 "6.1.40": "invalid-sharing-group-name",
 "6.1.41": "missing-sharing-group-name",
 "6.1.42": "purl-qualifiers",
+ "6.1.43": "use-of-multiple-stars-in-model-number",
+ "6.1.44": "use-of-multiple-stars-in-serial-number",
+ "6.1.45": "inconsistent-disclosure-date",
+ "6.1.46": "invalid-ssvc",
+ "6.1.47": "inconsistent-ssvc-id",
+ "6.1.48": "ssvc-decision-points",
+ "6.1.49": "inconsistent-ssvc-timestamp",
 "6.2": "optional-tests",
 "6.2.1": "unused-definition-of-product-id",
 "6.2.2": "missing-remediation",
@@ -209,6 +216,9 @@
 "6.2.30": "usage-of-sharing-group-on-tlp-clear",
 "6.2.31": "hardware-and-software",
 "6.2.32": "use-of-same-product-identification-helper-for-different-products",
+ "6.2.33": "disclosure-date-newer-than-revision-history",
+ "6.2.34": "usage-of-unknown-ssvc-decision-point-namespace",
+ "6.2.35": "usage-of-unknown-ssvc-role",
 "6.3": "informative-test",
 "6.3.1": "use-of-cvss-v2-as-the-only-scoring-system",
 "6.3.2": "use-of-cvss-v3-0",
@@ -222,6 +232,7 @@
 "6.3.10": "usage-of-product-version-range",
 "6.3.11": "usage-of-v-as-version-indicator",
 "6.3.12": "missing-cvss-v4-0",
+ "6.3.13": "usage-of-non-latest-ssvc-decision-point-version",
 "7": "distributing-csaf-documents",
 "7.1": "requirements",
 "7.1.1": "requirement-1-valid-csaf-document",
diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json
index e5250d844..6617d5582 100644
--- a/csaf_2.1/prose/edit/etc/section-label-to-display.json
+++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json
@@ -1,4 +1,4 @@
-{
+{
 "acknowledgments": "Appendix A.",
 "acknowledgments-type": "3.1.1",
 "acknowledgments-type-example": "3.1.1.5",
@@ -54,11 +54,11 @@
 "contradicting-remediations": "6.1.35",
 "cve-in-field-ids": "6.2.17",
 "cvss-for-fixed-products": "6.2.19",
- "cwe": "6.1.11",
 "date": "C.4",
 "date-and-time": "2.2",
 "definitions": "3.1",
 "design-considerations": "2",
+ "disclosure-date-newer-than-revision-history": "6.2.33",
 "discouraged-product-status-remediation-combination": "6.2.27",
 "distributing-csaf-documents": "7",
 "document-notes": "6.1.27.1",
@@ -116,18 +116,23 @@
 "hardware-and-software-within-the-product-tree": "5.6",
 "impact-statement": "6.1.27.9",
 "inconsistent-cvss": "6.1.10",
+ "inconsistent-disclosure-date": "6.1.45",
+ "inconsistent-ssvc-id": "6.1.47",
+ "inconsistent-ssvc-timestamp": "6.1.49",
 "informative-references": "1.4",
 "informative-test": "6.3",
 "introduction": "1",
 "invalid-cvss": "6.1.8",
 "invalid-cvss-computation": "6.1.9",
 "invalid-sharing-group-name": "6.1.40",
+ "invalid-ssvc": "6.1.46",
 "ipr-policy": "1.1",
 "language": "6.1.12",
 "language-type": "3.1.4",
 "latest-document-version": "6.1.16",
 "mandatory-tests": "6.1",
 "mandatory-tests--branches-recursion-depth": "6.1.34",
+ "mandatory-tests--cwe": "6.1.11",
 "mandatory-tests--date-and-time": "6.1.37",
 "missing-canonical-url": "6.2.11",
 "missing-cve": "6.3.3",
@@ -227,6 +232,7 @@
 "separation-in-data-stream": "5.2",
 "sorted-revision-history": "6.1.14",
 "spell-check": "6.3.8",
+ "ssvc-decision-points": "6.1.48",
 "string-length": "C.3",
 "terminology": "1.2",
 "tests": "6",
@@ -242,14 +248,19 @@
 "usage-of-max-uuid": "6.2.28",
 "usage-of-nil-uuid": "6.2.29",
 "usage-of-non-latest-cwe-version": "6.2.24",
+ "usage-of-non-latest-ssvc-decision-point-version": "6.3.13",
 "usage-of-product-version-range": "6.3.10",
 "usage-of-sharing-group-on-tlp-clear": "6.2.30",
+ "usage-of-unknown-ssvc-decision-point-namespace": "6.2.34",
+ "usage-of-unknown-ssvc-role": "6.2.35",
 "usage-of-v-as-version-indicator": "6.3.11",
 "use-of-cvss-v2-as-the-only-scoring-system": "6.3.1",
 "use-of-cvss-v3-0": "6.3.2",
 "use-of-default-language": "6.2.15",
 "use-of-md5-as-the-only-hash-algorithm": "6.2.8",
 "use-of-non-self-referencing-urls-failing-to-resolve": "6.3.6",
+ "use-of-multiple-stars-in-model-number": "6.1.43",
+ "use-of-multiple-stars-in-serial-number": "6.1.44",
 "use-of-private-language": "6.2.14",
 "use-of-same-product-identification-helper-for-different-products": "6.2.32",
 "use-of-self-referencing-urls-failing-to-resolve": "6.3.7",
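Review bot: The two added `use-of-multiple-stars-*` entries are placed after `use-of-non-self-referencing-urls-failing-to-resolve`, which appears to break the alphabetical key order the rest of this file follows (`use-of-md5…` sorts before `use-of-multiple…`, which sorts before `use-of-non…`). Moving the two added lines up so they directly follow `"use-of-md5-as-the-only-hash-algorithm": "6.2.8",` keeps the file sorted, which is what makes this kind of generated-looking mapping easy to diff and merge.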
@@ -266,18 +277,18 @@
 "vulnerabilities-property-acknowledgments": "3.2.4.1",
 "vulnerabilities-property-cve": "3.2.4.2",
 "vulnerabilities-property-cwes": "3.2.4.3",
- "vulnerabilities-property-discovery-date": "3.2.4.4",
- "vulnerabilities-property-flags": "3.2.4.5",
- "vulnerabilities-property-ids": "3.2.4.6",
- "vulnerabilities-property-involvements": "3.2.4.7",
- "vulnerabilities-property-metrics": "3.2.4.8",
- "vulnerabilities-property-metrics-content": "3.2.4.8.1",
- "vulnerabilities-property-metrics-products": "3.2.4.8.2",
- "vulnerabilities-property-metrics-source": "3.2.4.8.3",
- "vulnerabilities-property-notes": "3.2.4.9",
- "vulnerabilities-property-product-status": "3.2.4.10",
- "vulnerabilities-property-references": "3.2.4.11",
- "vulnerabilities-property-release-date": "3.2.4.12",
+ "vulnerabilities-property-disclosure-date": "3.2.4.4",
+ "vulnerabilities-property-discovery-date": "3.2.4.5",
+ "vulnerabilities-property-flags": "3.2.4.6",
+ "vulnerabilities-property-ids": "3.2.4.7",
+ "vulnerabilities-property-involvements": "3.2.4.8",
+ "vulnerabilities-property-metrics": "3.2.4.9",
+ "vulnerabilities-property-metrics-content": "3.2.4.9.1",
+ "vulnerabilities-property-metrics-products": "3.2.4.9.2",
+ "vulnerabilities-property-metrics-source": "3.2.4.9.3",
+ "vulnerabilities-property-notes": "3.2.4.10",
+ "vulnerabilities-property-product-status": "3.2.4.11",
+ "vulnerabilities-property-references": "3.2.4.12",
 "vulnerabilities-property-remediations": "3.2.4.13",
 "vulnerabilities-property-remediations-category": "3.2.4.13.1",
 "vulnerabilities-property-remediations-date": "3.2.4.13.2",
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
index 6bf10e0f8..1cf36c510 100644
--- a/csaf_2.1/prose/edit/src/conformance.md
+++ b/csaf_2.1/prose/edit/src/conformance.md
@@ -146,6 +146,7 @@ Secondly, the program fulfills the following for all items of: been removed. * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a warning that this CWE has been removed as its usage is not allowed in vulnerability mappings. +* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date` element. * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array. * `/vulnerabilities[]/remediations[]`: * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under @@ -256,6 +257,8 @@ A CSAF content management system satisfies the "CSAF content management system" the configuration (default: 3 weeks) * suggest to publish a new version of the CSAF document with the document status `final` if the document status was `interim` and no new release has be done during the given threshold in the configuration (default: 6 weeks) + > Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of + whether the specified target group is the public or a closed group. * support the following workflows: * "New Advisory": create a new advisory, request a review, provide review comments or approve it, resolve review comments; 
@@ -372,6 +375,8 @@ The resulting translated document: It SHOULD NOT use the original `/document/tracking/id` as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original `/document/tracking/id` and translated `/document/lang` as a `/document/tracking/id` for the translated document. + > Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public + or a closed group. * provides the `/document/lang` property with a value matching the language of the translation. * provides the `/document/source_lang` to contain the language of the original document (and SHOULD only be set by CSAF translators). * has the value `translator` set in `/document/publisher/category` 
@@ -538,8 +543,38 @@ Secondly, the program fulfills the following for all items of: * type `/$defs/full_product_name_t/product_identification_helper/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. +* type `/$defs/full_product_name_t/model_number`: + * If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial model number was detected and a star has been added. + Such a warning MUST include the model number. + * If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the model number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a model number with multiple stars was detected and removed. + Such a warning MUST include the model number. + + > A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all model numbers as part of the model number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all model numbers as part of the model number itself and therefore escape it. + * type `/$defs/full_product_name_t/product_identification_helper/purls`: If a `/$defs/full_product_name_t/product_identification_helper/purl` is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding `purls` array. 
+* type `/$defs/full_product_name_t/serial_number`: + * If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial serial number was detected and a star has been added. + Such a warning MUST include the serial number. + * If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the serial number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a serial number with multiple stars was detected and removed. + Such a warning MUST include the serial number. + + > A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all serial numbers as part of the serial number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all serial numbers as part of the serial number itself and therefore escape it. + * `/$schema`: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema. * `/document/csaf_version`: The CSAF 2.0 to CSAF 2.1 converter MUST update the value to `2.1`. * `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below: 
@@ -571,6 +606,16 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. +* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert its value as value into the `disclosure_date` element. +* `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current + vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1` + object within the current vulnerability. + If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding `notes` item SHALL + be removed. + If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information given, the CSAF 2.0 to CSAF 2.1 converter SHALL + remove the invalid `ssvc_v1` object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data failed. + If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the `ssvc_v1` + object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data would lead to loosing information. * `/vulnerabilities[]/remediations[]`: * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. 
@@ -588,6 +633,7 @@ Secondly, the program fulfills the following for all items of: * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`. * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, including the products it was changed for. +* The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning. > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown. diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md index b4a7fa4d4..4cc4df915 100644 --- a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md +++ b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md 
@@ -34,23 +34,26 @@ Proven and intended usage patterns from practice are given where possible. Delegation to industry best practices technologies is used in referencing schemas for: -* Platform Data: +* Classification for Document Distribution + * Traffic Light Protocol (TLP) + * Default Definition: https://www.first.org/tlp/ +* Platform Data * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N) -* Vulnerability Scoring: +* Vulnerability Categorization + * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC) + * JSON Schema Reference: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json +* Vulnerability Classification + * Common Weakness Enumeration (CWE) [cite](#CWE) + * CWE List: http://cwe.mitre.org/data/index.html +* Vulnerability Scoring * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40) - * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v4.0.json * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31) - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.1.json * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30) - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.0.json * Common Vulnerability Scoring System (CVSS) Version 2.0 [cite](#CVSS2) - * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json -* Vulnerability Classification - * Common Weakness Enumeration (CWE) [cite](#CWE) - * CWE List: http://cwe.mitre.org/data/index.html -* Classification for Document Distribution - * Traffic Light Protocol (TLP) - * Default Definition: https://www.first.org/tlp/ + * JSON Schema Reference: https://www.first.org/cvss/cvss-v2.0.json Even though the JSON schema does not prohibit specifically additional properties 
and custom keywords, it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub. @@ -65,5 +68,3 @@ consumers to verify rules from the specification which can not be tested by the Section [sec](#distributing-csaf-documents) states how to distribute and where to find CSAF documents. Safety, Security and Data Protection are considered in section [sec](#safety-security-and-data-protection-considerations). Finally, a set of conformance targets describes tools in the ecosystem. - - diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index ab2b0f21c..6cf7c4191 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -162,8 +162,13 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details ### Requirement 10: DNS path -The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly -the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. +Assuming that the organization's main domain is `domain.tld`, the DNS record `csaf.data.security.domain.tld` SHALL resolve +to the IP address of a web server which serves directly the `provider-metadata.json` according to requirement 7. + +> The `domain.tld` is just a placeholder for the organization's main domain. +> For the organization with the main domain being `example.com`, the necessary DNS record is `csaf.data.security.example.com`. + +That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. ### Requirement 11: One folder per year diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index f04f6f257..cfc75f3fc 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md 
@@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 29 January 2025 +## 26 February 2025 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 26 February 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index e1b8e1855..140502312 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -80,6 +80,8 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/acknowledgments[]/urls` * `/vulnerabilities[]/cwes` * `/vulnerabilities[]/ids` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values` * `/vulnerabilities[]/remediations[]/entitlements` * 40 000 items for 
@@ -208,6 +210,12 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/metrics[]/content/cvss_v2/vectorString` * `/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString` * `/vulnerabilities[]/metrics[]/content/cvss_v4/vectorString` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/id` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/role` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version` * `/vulnerabilities[]/metrics[]/products[]` * `/vulnerabilities[]/notes[]/audience` * `/vulnerabilities[]/notes[]/title` @@ -263,10 +271,11 @@ The maximum length of strings representing a temporal value is given by the form * `/document/tracking/generator/date` * `/document/tracking/initial_release_date` * `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/disclosure_date` * `/vulnerabilities[]/discovery_date` * `/vulnerabilities[]/flags[]/date` * `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp` * `/vulnerabilities[]/remediations[]/date` * `/vulnerabilities[]/threats[]/date` @@ -284,6 +293,7 @@ It seems to be safe to assume that the length of this value is not greater than For all other values, it seems to be safe to assume that the length of each value is not greater than 50. This applies to: + * `/document/csaf_version` (3) * `/document/distribution/tlp/label` (12) * `/document/notes[]/category` (16) 
@@ -373,6 +383,7 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnConfidentialityImpact` (4) * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnerabilityResponseEffort` (11) * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact` (4) +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion` (5) * `/vulnerabilities[]/notes[]/category` (16) * `/vulnerabilities[]/references[]/category` (8) * `/vulnerabilities[]/remediations[]/category` (14) diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index f6038ccf9..0718143b8 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -102,6 +102,9 @@ SemVer SPDX301 : _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, . +SSVC +: _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, + VERS : _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, . diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 40e6dd26d..d6a721900 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -21,4 +21,5 @@ toc: | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20250129-dev | 2025-01-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20250226-dev | 2025-02-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 26d228393..73a9983fb 100644 
--- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -236,13 +236,19 @@ the component to identify. > Often it is abbreviated as "MN", M/N" or "model no.". If a part of a model number of the component to identify is given, -it SHOULD begin with the first character of the model number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). -Two `*` MUST NOT follow each other. +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. +This applies also to the first character. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the model number, the special characters `?`, `*` and `\` MUST be escaped with `\`. + +> Note: A backslash MUST be escaped itself in a JSON string. *Examples 1:* ``` + *-G109A/EU? + 2024-* 6RA8096-4MV62-0AA0 6RA801?-??V62-0AA0 IC25T060ATCS05-0 
@@ -325,9 +331,23 @@ Any given serial number of value type `string` with at least 1 character represe abbreviated (partial) serial number of the component to identify. If a part of a serial number of the component to identify is given, -it SHOULD begin with the first character of the serial number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). -Two `*` MUST NOT follow each other. +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. +This applies also to the first character. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. + +> Note: A backslash MUST be escaped itself in a JSON string. + +*Examples 1:* + +``` + *RF8R71YR??? + 11S45N0249Z1ZS9* + DSEP147100 + L15-VM-??? + L234.696.30.044.712 +``` ##### Full Product Name Type - Product Identification Helper - SKUs diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md index ba7b7197a..ff64ab20f 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md 
@@ -39,7 +39,7 @@ The following rules apply: Any modifications MUST be released as a new version. 2. Version zero (0) is for initial development before the `initial_release_date`. The document status MUST be `draft`. Anything MAY change at any time. The document SHOULD NOT be considered stable. -3. Version 1 defines the initial public release. +3. Version 1 defines the initial release to the specified target group. Each new version where `/document/tracking/status` is `final` has a version number incremented by one. 4. Pre-release versions (document status `draft`) MUST carry the new version number. Sole exception is before the initial release (see rule 2). @@ -70,7 +70,7 @@ This results in the following rules: tracked in this stage with (0.y.z) by incrementing the minor version y instead. Changes that would increment the minor or patch version according to rule 6 or 5 are both tracked in this stage with (0.y.z) by incrementing the patch version z instead. -4. Version 1.0.0 defines the initial public release. +4. Version 1.0.0 defines the initial release to the specified target group. The way in which the version number is incremented after this release is dependent on the content and structure of the document and how it changes. 5. Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced. diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index e8e3f8645..2b3108581 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
@@ -643,7 +643,14 @@ This value is also used to determine the filename for the CSAF document (cf. sec ##### Document Property - Tracking - Initial Release Date -Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first published. +Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the specified target group. + +> For `TLP:CLEAR` documents, this is usually the timestamp when the document was published. +> For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group. +> Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience. + +If the timestamp of the initial release date was set incorrectly, it MUST be corrected. +This change MUST be tracked with a new entry in the revision history. ##### Document Property - Tracking - Revision History diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index b2f288d2b..dea584434 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md 
@@ -15,8 +15,8 @@ properties represents a list of all relevant vulnerability information items. The Vulnerability item of value type `object` with 1 or more properties is a container for the aggregation of all fields that are related to a single vulnerability in the document. Any vulnerability MAY provide the optional properties Acknowledgments (`acknowledgments`), Common Vulnerabilities and Exposures (CVE) (`cve`), -Common Weakness Enumeration (CWE) (`cwes`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`), -Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Release Date (`release_date`), +Common Weakness Enumeration (CWE) (`cwes`), Disclosure Date (`disclosure_date`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), +Involvements (`involvements`), Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Remediations (`remediations`), Threats (`threats`), and Title (`title`). ``` @@ -30,6 +30,9 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "cwes": { // ... }, + "disclosure_date": { + // ... + }, "discovery_date": { // ... }, @@ -54,9 +57,6 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "references": { // ... }, - "release_date": { - // ... - }, "remediations": { // ... }, 
@@ -168,6 +168,15 @@ When creating or modifying a CSAF document, the latest published version of the "4.12" ``` +#### Vulnerabilities Property - Disclosure Date + +Disclosure date (`disclosure_date`) with value type `string` of format `date-time` holds the date and time +the vulnerability was originally disclosed to the public. + +For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability. +As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the +vulnerability was in fact disclosed to the public at that time or update the `disclosure_date` with the new intended date in the future. + #### Vulnerabilities Property - Discovery Date Discovery date (`discovery_date`) of value type `string` with format `date-time` holds the date and time the vulnerability was originally discovered. @@ -438,6 +447,9 @@ A Content object has at least 1 property. }, "cvss_v4": { // ... + }, + "ssvc_v1": { + // .... } } ``` @@ -452,6 +464,9 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json). +The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at +[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json). + ##### Vulnerabilities Property - Metrics - Products Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies. 
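Review bot: The new Disclosure Date section allows a future `disclosure_date` as the intended disclosure date, but the new mandatory test `Inconsistent Disclosure Date` fails any `TLP:CLEAR` document in status `final` or `interim` whose `disclosure_date` is newer than the latest `revision_history` date, and this section does not mention that restriction. Presumably a public document itself discloses the vulnerability; suggest adding after the second paragraph: `Documents labeled TLP:CLEAR in status final or interim MUST NOT contain a disclosure_date that is newer than the date of the newest revision_history item.` so producers see the constraint where the property is defined.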
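Review bot: The placeholder comment in the new `ssvc_v1` snippet has four dots (`// ....`) while every other placeholder in the same listing uses `// ...`. Change it to `// ...` so the listing stays consistent.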
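Review bot: The new sentence describes `ssvc_v1` as an `SSVC Decision Point Value Selection v1.x.y value`, but the only schema it references is pinned to `Decision_Point_Value_Selection-1-0-1`, and the `Invalid SSVC` test example uses `"schemaVersion": "1-0-1"`. Say whether objects with another 1.x.y `schemaVersion` are expected to validate against the 1-0-1 schema, e.g. `Values with a different schemaVersion are validated against the 1-0-1 schema until a newer one is referenced by this specification.`, or drop `v1.x.y` in favour of `1-0-1`.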
@@ -569,11 +584,6 @@ list of references associated with this vulnerability item. }, ``` -#### Vulnerabilities Property - Release Date - -Release date (`release_date`) with value type `string` of format `date-time` holds the date and time -the vulnerability was originally released into the wild. - #### Vulnerabilities Property - Remediations List of remediations (`remediations`) of value type `array` with 1 or more Remediation items of value type `object` contains a list of remediations. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md index 05d8fa167..ead1a0286 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md @@ -1,4 +1,4 @@ -### CWE +### CWE{#mandatory-tests--cwe} For each CWE it MUST be tested that the given CWE exists and is valid in the version provided. Any `id` that refers to a CWE Category or View MUST fail the test. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md index a56a13bf0..5824671e7 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md @@ -9,9 +9,9 @@ The relevant path for this test is: /document/tracking/generator/date /document/tracking/initial_release_date /document/tracking/revision_history[]/date + /vulnerabilities[]/disclosure_date /vulnerabilities[]/discovery_date /vulnerabilities[]/flags[]/date - /vulnerabilities[]/release_date /vulnerabilities[]/involvements[]/date /vulnerabilities[]/remediations[]/date /vulnerabilities[]/threats[]/date diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md new file mode 100644 index 000000000..77c98f11c --- /dev/null 
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md
@@ -0,0 +1,23 @@
+### Use of Multiple Stars in Model Number
+
+For each model number it MUST be tested that the it does not contain multiple unescaped stars.
+
+> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited.
+
+The relevant paths for this test are:
+
+```
+ /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[]
+ /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]
+ /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "model_numbers": [
+ "P*A*"
+ ]
+```
+
+> The model number contains two unescaped stars.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
new file mode 100644
index 000000000..d6d56129b
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
@@ -0,0 +1,23 @@
+### Use of Multiple Stars in Serial Number
+
+For each serial number it MUST be tested that the it does not contain multiple unescaped stars.
+
+> Multiple `*` that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited.
+
+The relevant paths for this test are:
+
+```
+ /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[]
+ /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[]
+ /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "serial_numbers": [
+ "P*A*"
+ ]
+```
+
+> The serial number contains two unescaped stars.
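Review bot: `it MUST be tested that the it does not contain` has a stray `the` in this test and in the serial-number test that follows it. Both tests also leave open when a `*` counts as escaped: the model-number rules make `\` escape itself, so in `\\*\\*` both stars are unescaped because each is preceded by an escaped backslash, and a naive "star preceded by backslash" check would pass it. Suggest adding to both tests `A * counts as escaped only if it is preceded by an odd number of consecutive \ characters.` so implementations agree.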
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md
new file mode 100644
index 000000000..3dbef9d58
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md
@@ -0,0 +1,44 @@
+### Inconsistent Disclosure Date
+
+For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history`
+if the document is labeled `TLP:CLEAR` and the document status is `final` or `interim`.
+As the timestamps might use different timezones, the sorting MUST take timezones into account.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/disclosure_date
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "document": {
+ // ...
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ // ...
+ "tracking": {
+ // ...
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ // ...
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-24T10:00:00.000Z"
+ }
+ ]
+```
+
+> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the `date` of newest item in the `revision_history`.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md
new file mode 100644
index 000000000..a8abc7060
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md
@@ -0,0 +1,23 @@
+### Invalid SSVC
+
+It MUST be tested that the given SSVC object is valid according to the referenced schema.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/metrics[]/content/ssvc_v1
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+```
+
+> The required element `selections` is missing.
+
+> A tool MAY add the missing property `id` based on the values given in `cve` respectively `ids[]/text` as quick fix.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md
new file mode 100644
index 000000000..6d0824702
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md
@@ -0,0 +1,44 @@
+### Inconsistent SSVC ID
+
+For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array.
+The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/metrics[]/content/ssvc_v1/id
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0002",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "None"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ // ...
+ }
+ ]
+ }
+ ]
+```
+
+> The SSVC ID does not match the CVE ID.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md
new file mode 100644
index 000000000..af6b624f9
--- /dev/null
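Review bot: The closing quick-fix note (`A tool MAY add the missing property id based on the values given in cve respectively ids[]/text as quick fix.`) does not relate to the example, which fails because `selections` is missing while `id` is present, so a reader cannot tell which failure the quick fix addresses. Either add a second example in which `id` is absent, or reword the note as general guidance, e.g. `If only the property id is missing, a tool MAY add it based on the value of cve or ids[]/text as a quick fix.`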
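Review bot: The second sentence (`The test MUST fail, if the id equals the /document/tracking/id and the CSAF document contains more than one vulnerability.`) implies that `/document/tracking/id` is an acceptable `id` for a single-vulnerability document, but the first sentence only allows the `cve` value or an `ids[]/text` value, so such a document fails the test either way. Either extend the first sentence, e.g. `or, if the document contains exactly one vulnerability, the /document/tracking/id`, or drop the second sentence.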
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md
@@ -0,0 +1,57 @@
+### SSVC Decision Points
+
+For each SSVC decision point given under `selections` with a registered `namespace`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly.
+
+> According to the SSVC project, the following values are currently registered:
+>
+> ```
+> cvss
+> nciss
+> ssvc
+> ```
+>
+> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points).
+> The items in `values` need to have the same order as in their definition.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Mission Impact",
+ "namespace": "ssvc",
+ "values": [
+ "None",
+ "Degraded"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ // ...
+ }
+ ]
+ }
+ ]
+```
+
+> The SSVC decision point `Mission Impact` doesn't have the value `Degraded` in version `1.0.0`.
+
+> If applicable, a tool MAY sort the items in `values` according to the order of their definition as a quick fix.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
new file mode 100644
index 000000000..fec69c751
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
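Review bot: `it MUST be tested that given decision point exists` is missing `the` before `given`. The list of registered namespaces lives only in a note here, while the optional test `Usage of Unknown SSVC Decision Point Namespace` depends on the same case-sensitive list without pointing back to it; a cross reference from that test to this note, or moving the list to the `ssvc_v1` metrics section, would keep the two from drifting apart. The note points to the SSVC repository for all decision points; if `cvss` and `nciss` decision points are maintained elsewhere, say where tools should look them up.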
@@ -0,0 +1,66 @@
+### Inconsistent SSVC Timestamp
+
+For each vulnerability, it MUST be tested that the SSVC `timestamp` is earlier or equal to the `date` of the newest item of the `revision_history`
+if the document status is `final` or `interim`.
+As the timestamps might use different timezones, the sorting MUST take timezones into account.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "document": {
+ // ...
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ // ...
+ "tracking": {
+ // ...
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ // ...
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Active"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-07-13T10:00:00.000Z"
+ }
+ },
+ // ...
+ }
+ ]
+ }
+ ]
+```
+
+> The document is in status `final` but the SSVC `timestamp` is newer than the `date` of newest item in the `revision_history`.
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index c6459f39a..8e7c92b70 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
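Review bot: The example carries a `distribution`/`tlp` block with `"label": "CLEAR"` although the test condition only depends on `status`, unlike the `Inconsistent Disclosure Date` test where `TLP:CLEAR` is part of the condition; readers comparing the two may infer a TLP condition that this text does not state. Either drop the `distribution` block from the example or make the scope explicit in the first sentence, e.g. `if the document status is final or interim, regardless of the TLP label.`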
@@ -1038,3 +1038,140 @@ The relevant paths for this test are: ``` > Both products are identified by the same serial number `143-D-354`. + +### Disclosure Date newer than Revision History + +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` +if the `disclosure_date` is in the past at the time of the test execution. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + // ... + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + // ... + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The `disclosure_date` is in the past but newer than the date of newest item in the `revision_history`. + +### Usage of Unknown SSVC Decision Point Namespace + +For each SSVC decision point given under `selections`, it MUST be tested the `namespace` is one of the case-sensitive registered namespaces. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... 
+ } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. + +### Usage of Unknown SSVC Role + +For each SSVC object, it MUST be tested the `role` is one of the case-sensitive registered roles. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/role +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md index 64a8f94f5..781ec53c0 100644 --- a/csaf_2.1/prose/edit/src/tests-03-informative.md +++ b/csaf_2.1/prose/edit/src/tests-03-informative.md 
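Review bot: The example for `Usage of Unknown SSVC Role` does not contain a `role` property, and its explanation (`The namespace an-yet-unknown-or-maybe-private-namespace is not a registered namespace.`) is copied from the previous test, so the example cannot fail the test it illustrates. Add a role to the `ssvc_v1` object, e.g. `"role": "an-unknown-role"` (constructed value), restore `"namespace": "ssvc"`, and reword the explanation to `The role an-unknown-role is not a registered role.` The test text also does not say where the registered roles are listed, unlike the namespaces in the `SSVC Decision Points` test, and `it MUST be tested the role is` is missing `that` (same in the namespace test above). Separately, `Disclosure Date newer than Revision History` depends on the time of test execution, so the same document can pass today and fail later; stating that this is intended would help tool authors.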
@@ -461,4 +461,51 @@ The relevant path for this test is: > There is no CVSS v4.0 score given for `CSAFPID-9080700`. +### Usage of Non-Latest SSVC Decision Point Version + +For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested the latest decision point `version` available at the time of the `timestamp` was used. +The test SHALL fail if a later `version` was used. + +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> At the timestamp `2024-01-24T10:00:00.000Z` version `2.0.0` of the SSVC decision point `Mission Impact` was already available. + ------- diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index 937d9e25a..5f1a97476 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -41,8 +41,8 @@
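Review bot: `The test SHALL fail if a later version was used.` reads as though using a newer decision point version fails, while the example fails for using `1.0.0` when `2.0.0` was already available, i.e. an older one. If the intent is to additionally reject versions that did not yet exist at the `timestamp`, suggest `The test SHALL also fail if a version was used that was not yet available at the time of the timestamp.`; otherwise drop the sentence. `it MUST be tested the latest decision point version` is also missing `that`.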

Committee Specification Draft 01

-

- 29 January 2025 +

+ 26 February 2025

This stage: @@ -163,7 +163,7 @@

[csaf-v2.1]

- Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 26 February 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


@@ -415,31 +415,31 @@

  • 3.2.4.3 Vulnerabilities Property - CWEs
  • -
  • 3.2.4.4 Vulnerabilities Property - Discovery Date +
  • 3.2.4.4 Vulnerabilities Property - Disclosure Date
  • -
  • 3.2.4.5 Vulnerabilities Property - Flags +
  • 3.2.4.5 Vulnerabilities Property - Discovery Date
  • -
  • 3.2.4.6 Vulnerabilities Property - IDs +
  • 3.2.4.6 Vulnerabilities Property - Flags
  • -
  • 3.2.4.7 Vulnerabilities Property - Involvements +
  • 3.2.4.7 Vulnerabilities Property - IDs
  • -
  • 3.2.4.8 Vulnerabilities Property - Metrics +
  • 3.2.4.8 Vulnerabilities Property - Involvements +
  • +
  • 3.2.4.9 Vulnerabilities Property - Metrics
  • -
  • 3.2.4.9 Vulnerabilities Property - Notes -
  • -
  • 3.2.4.10 Vulnerabilities Property - Product Status +
  • 3.2.4.10 Vulnerabilities Property - Notes
  • -
  • 3.2.4.11 Vulnerabilities Property - References +
  • 3.2.4.11 Vulnerabilities Property - Product Status
  • -
  • 3.2.4.12 Vulnerabilities Property - Release Date +
  • 3.2.4.12 Vulnerabilities Property - References
  • 3.2.4.13 Vulnerabilities Property - Remediations
  • 6.2 Optional Tests @@ -681,6 +695,12 @@

  • 6.2.32 Use of same Product Identification Helper for different Products
  • +
  • 6.2.33 Disclosure Date newer than Revision History +
  • +
  • 6.2.34 Usage of Unknown SSVC Decision Point Namespace +
  • +
  • 6.2.35 Usage of Unknown SSVC Role +
  • 6.3 Informative Test @@ -709,6 +729,8 @@

  • 6.3.12 Missing CVSS v4.0
  • +
  • 6.3.13 Usage of Non-Latest SSVC Decision Point Version +
  • @@ -1541,6 +1563,9 @@

    [SPDX301] The System Package Data Exchange® (SPDX®) Specification Version 3.0.1, Linux Foundation and its Contributors, 2024, https://spdx.github.io/spdx-spec/.

    +

    + [SSVC] SSVC: Stakeholder-Specific Vulnerability Categorization, CERT/CC, https://certcc.github.io/SSVC/reference/ +

    [VERS] vers: a mostly universal version range specifier, Part of the purl GitHub Project, https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst.

    @@ -1651,55 +1676,65 @@

    Delegation to industry best practices technologies is used in referencing schemas for:

      -
    • Platform Data: +
    • Classification for Document Distribution + +
    • +
    • Platform Data
      • Common Platform Enumeration (CPE) Version 2.3 [CPE23-N]
    • -
    • Vulnerability Scoring: +
    • Vulnerability Categorization +
    • +
    • Vulnerability Classification + +
    • +
    • Vulnerability Scoring + -
    • -
    • Vulnerability Classification - -
    • -
    • Classification for Document Distribution -
        -
      • Traffic Light Protocol (TLP) +
      • Common Vulnerability Scoring System (CVSS) Version 2.0 [CVSS2]
      • @@ -2372,13 +2407,20 @@
        @@ -2453,9 +2495,22 @@
        3.1.3.3.7 Full Product Name Type - Product Identification Helper - SKUs
        @@ -2523,7 +2578,7 @@

      - Examples 1: + Examples 1:

          https://csaf.io
           https://www.example.com
      @@ -3529,7 +3584,7 @@

      Title of this document (title) of value type string with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.

      - Examples 1: + Examples 1:

          Cisco IPv6 Crafted Packet Denial of Service Vulnerability
           Example Company Cross-Site-Scripting Vulnerability in Example Generator
      @@ -3585,7 +3640,7 @@

      Every such Alternate Name of value type string with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.

      - Example 1: + Example 1:

          CVE-2019-12345
      @@ -3634,7 +3689,7 @@
      Engine name (name) of value type string with 1 or more characters represents the name of the engine that generated the CSAF document.

      - Examples 1: + Examples 1:

          Red Hat rhsa-to-cvrf
           Secvisogram
      @@ -3648,7 +3703,7 @@ 

      - Examples 2: + Examples 2:

          0.6.0
           1.0.0-beta+exp.sha.a1c44f85
      @@ -3672,7 +3727,7 @@ 
      The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.

      - Examples 1: + Examples 1:

          Example Company - 2019-YH3234
           RHBA-2019:0024
      @@ -3689,7 +3744,16 @@ 
      3.2.2.12.5 Document Property - Tracking - Initial Release Date

      - Initial release date (initial_release_date) with value type string with format date-time holds the date when this document was first published. + Initial release date (initial_release_date) with value type string with format date-time holds the date when this document was first released to the specified target group. +

      +
      +

      + For TLP:CLEAR documents, this is usually the timestamp when the document was published. For TLP:GREEN and higher, this is the timestamp when it was first made available to the specific group. Note that the initial release date does not change after the initial release even if the document is later on released + to a broader audience. +

      +
      +

      + If the timestamp of the initial release date was set incorrectly, it MUST be corrected. This change MUST be tracked with a new entry in the revision history.

      3.2.2.12.6 Document Property - Tracking - Revision History @@ -3837,7 +3901,7 @@

      The summary of the product group (summary) of value type string with 1 or more characters gives a short, optional description of the group.

      - Examples 1: + Examples 1:

          Products supporting Modbus.
           The x64 versions of the operating system.
      @@ -3915,7 +3979,7 @@

      Relates to Product Reference (relates_to_product_reference) of value type Product ID (product_id_t) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.

      - Examples 1: + Examples 1:

        "product_tree": {
           "full_product_names": [
      @@ -3960,8 +4024,8 @@ 

      }

      The Vulnerability item of value type object with 1 or more properties is a container for the aggregation of all fields that are related to a single vulnerability in the document. Any vulnerability MAY provide the optional properties Acknowledgments (acknowledgments), Common Vulnerabilities and Exposures (CVE) - (cve), Common Weakness Enumeration (CWE) (cwes), Discovery Date (discovery_date), Flags (flags), IDs (ids), Involvements (involvements), Metrics (metrics), Notes (notes), Product Status (product_status), References - (references), Release Date (release_date), Remediations (remediations), Threats (threats), and Title (title). + (cve), Common Weakness Enumeration (CWE) (cwes), Disclosure Date (disclosure_date), Discovery Date (discovery_date), Flags (flags), IDs (ids), Involvements (involvements), Metrics (metrics), Notes (notes), Product Status + (product_status), References (references), Remediations (remediations), Threats (threats), and Title (title).

          "properties": {
             "acknowledgments": {
      @@ -3973,6 +4037,9 @@ 

      "cwes": { // ... }, + "disclosure_date": { + // ... + }, "discovery_date": { // ... }, @@ -3997,9 +4064,6 @@

      "references": { // ... }, - "release_date": { - // ... - }, "remediations": { // ... }, @@ -4068,7 +4132,7 @@

      It holds the ID for the weakness associated.

      - Examples 1: + Examples 1:

          CWE-22
           CWE-352
      @@ -4077,7 +4141,7 @@ 

      The Weakness name (name) has value type string with 1 or more characters and holds the full name of the weakness as given in the CWE specification.

      - Examples 2: + Examples 2:

          Cross-Site Request Forgery (CSRF)
           Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
      @@ -4090,21 +4154,31 @@ 

      It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.

      - Examples 3: + Examples 3:

          "1.0",
           "3.4.1",
           "4.0",
           "4.11",
           "4.12"
      -

      - 3.2.4.4 Vulnerabilities Property - Discovery Date +

      + 3.2.4.4 Vulnerabilities Property - Disclosure Date +

      +

      + Disclosure date (disclosure_date) with value type string of format date-time holds the date and time the vulnerability was originally disclosed to the public. +

      +

      + For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability. As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the vulnerability was in fact + disclosed to the public at that time or update the disclosure_date with the new intended date in the future. +

      +

      + 3.2.4.5 Vulnerabilities Property - Discovery Date

      Discovery date (discovery_date) of value type string with format date-time holds the date and time the vulnerability was originally discovered.

      -

      - 3.2.4.5 Vulnerabilities Property - Flags +

      + 3.2.4.6 Vulnerabilities Property - Flags

      List of flags (flags) of value type array with 1 or more unique items (a set) of value type object contains a list of machine readable flags. @@ -4188,8 +4262,8 @@

      Product IDs (product_ids) are of value type Products (products_t) and contain a list of Products the current flag item applies to.

      -

      - 3.2.4.6 Vulnerabilities Property - IDs +

      + 3.2.4.7 Vulnerabilities Property - IDs

      List of IDs (ids) of value type array with one or more unique ID items of value type object represents a list of unique labels or tracking IDs for the vulnerability (if such information exists). @@ -4215,7 +4289,7 @@

      System name (system_name) of value type string with 1 or more characters indicates the name of the vulnerability tracking or numbering system.

      - Examples 1: + Examples 1:

          Cisco Bug ID
           GitHub Issue
      @@ -4223,7 +4297,7 @@

      Text (text) of value type string with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).

      - Examples 2: + Examples 2:

          CSCso66472
           oasis-tcs/csaf#210
      @@ -4245,8 +4319,8 @@

      The ID MAY be a vendor-specific value but is not to be used to publish the CVE tracking numbers (MITRE standard Common Vulnerabilities and Exposures), as these are specified inside the dedicated CVE element.

      -

      - 3.2.4.7 Vulnerabilities Property - Involvements +

      + 3.2.4.8 Vulnerabilities Property - Involvements

      List of involvements (involvements) of value type array with 1 or more unique items (a set) of value type object contains a list of involvements. @@ -4330,8 +4404,8 @@

      Summary of involvement (summary) of value type string with 1 or more characters contains additional context regarding what is going on.

      -

      - 3.2.4.8 Vulnerabilities Property - Metrics +

      + 3.2.4.9 Vulnerabilities Property - Metrics

      List of metrics (metrics) of value type array with 1 or more unique items (a set) of value type object Contains metric objects for the current vulnerability. @@ -4356,8 +4430,8 @@

      // ... } }

      -

      - 3.2.4.8.1 Vulnerabilities Property - Metrics - Content +
      + 3.2.4.9.1 Vulnerabilities Property - Metrics - Content

      Content (content) of value type object with the optional properties CVSS v2 (cvss_v2), CVSS v3 (cvss_v3) and CVSS v4 (cvss_v4) specifies information about (at least one) metric or score for the given products regarding the current vulnerability. A Content object has at @@ -4374,6 +4448,9 @@

      }, "cvss_v4": { // ... + }, + "ssvc_v1": { + // .... } }

      @@ -4385,15 +4462,19 @@

      The property CVSS v4 (cvss_v4) holding a CVSS v4.0 value abiding by the schema at https://www.first.org/cvss/cvss-v4.0.json.

      -
      - 3.2.4.8.2 Vulnerabilities Property - Metrics - Products +

      + The property SSVC v1 (ssvc_v1) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json. +

      +
      + 3.2.4.9.2 Vulnerabilities Property - Metrics - Products

      Product IDs (products) of value type products_t with 1 or more items indicates for which products the given content applies. A metric object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; the known affected versions of that product can list the vulnerability score as it applies to them).

      -
      - 3.2.4.8.3 Vulnerabilities Property - Metrics - Source +
      + 3.2.4.9.3 Vulnerabilities Property - Metrics - Source

      Source (source) of value type string with format uri contains the URL of the source that originally determined the metric. If no source is given, then the metric was assigned by the document author. @@ -4403,8 +4484,8 @@

      For example, this could point to the vendor advisory, discoverer blog post, a multiplier's assessment or other sources that provide metric information.

      -

      - 3.2.4.9 Vulnerabilities Property - Notes +

      + 3.2.4.10 Vulnerabilities Property - Notes

      Vulnerability notes (notes) of value type Notes Type (notes_t) holds notes associated with this vulnerability item. @@ -4465,8 +4546,8 @@

      -

      - 3.2.4.10 Vulnerabilities Property - Product Status +

      + 3.2.4.11 Vulnerabilities Property - Product Status

      Product status (product_status) of value type object with 1 or more properties contains different lists of product_ids which provide details on the status of the referenced product related to the current vulnerability. The eight defined properties are First affected (first_affected), @@ -4536,8 +4617,8 @@

      Under investigation (under_investigation) of value type Products (products_t) represents that it is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.

      -

      - 3.2.4.11 Vulnerabilities Property - References +

      + 3.2.4.12 Vulnerabilities Property - References

      Vulnerability references (references) of value type References Type (references_t) holds a list of references associated with this vulnerability item. @@ -4545,12 +4626,6 @@

          "references": {
             // ...
           },
      -

      - 3.2.4.12 Vulnerabilities Property - Release Date -

      -

      - Release date (release_date) with value type string of format date-time holds the date and time the vulnerability was originally released into the wild. -

      3.2.4.13 Vulnerabilities Property - Remediations

      @@ -5554,7 +5629,7 @@

    • - Examples 1: + Examples 1:

        cisco-sa-20190513-secureboot.json
         example_company_-_2019-yh3234.json
      @@ -5565,7 +5640,7 @@ 

      - Examples 2: + Examples 2:

        cisco-sa-20190513-secureboot_invalid.json
         example_company_-_2019-yh3234_invalid.json
      @@ -5620,7 +5695,7 @@ 

      If a product consists of hardware and software, the hardware part MUST be presented as one product in the product tree and the software part as another one. To form the overall product, both parts MUST be combined through a relationship.

      - Examples 1: + Examples 1:

        "product_tree": {
           "branches": [
      @@ -5774,7 +5849,7 @@ 

      /vulnerabilities[]/remediations[]/product_ids[] /vulnerabilities[]/threats[]/product_ids[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "product_groups": [
      @@ -5805,7 +5880,7 @@ 

      /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -5841,7 +5916,7 @@ 

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -5880,7 +5955,7 @@ 

        /vulnerabilities[]/remediations[]/group_ids
         /vulnerabilities[]/threats[]/group_ids

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -5919,7 +5994,7 @@ 

          /product_tree/product_groups[]/group_id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6002,7 +6077,7 @@ 

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6045,7 +6120,7 @@ 

          /vulnerabilities[]/metrics[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6105,7 +6180,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.1",
      @@ -6152,7 +6227,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.1",
      @@ -6183,7 +6258,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.1",
      @@ -6210,7 +6285,7 @@ 

      - 6.1.11 CWE + 6.1.11 CWE

      For each CWE it MUST be tested that the given CWE exists and is valid in the version provided. Any id that refers to a CWE Category or View MUST fail the test. @@ -6220,7 +6295,7 @@

          /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "cwes": [
           {
      @@ -6246,7 +6321,7 @@ 

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "lang": "EZ"
      @@ -6272,7 +6347,7 @@

      /product_tree/full_product_names[]/product_identification_helper/purls[] /product_tree/relationships[]/full_product_name/product_identification_helper/purls[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6303,7 +6378,7 @@ 

          /document/tracking/revision_history

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
      @@ -6333,7 +6408,7 @@ 

          /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -6362,7 +6437,7 @@ 

          /document/tracking/version

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
      @@ -6397,7 +6472,7 @@ 

          /document/tracking/status

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -6420,7 +6495,7 @@ 

          /document/tracking/revision_history[]/number

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -6455,7 +6530,7 @@ 

          /document/tracking/revision_history[]/number

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "revision_history": [
             {
      @@ -6485,7 +6560,7 @@ 

          /document/tracking/version

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -6509,7 +6584,7 @@ 

          /document/tracking/revision_history

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "revision_history": [
             {
      @@ -6539,7 +6614,7 @@ 

          /document/tracking/revision_history

      - Example 1 (which fails the test): + Example 1 (which fails the test):

         "revision_history": [
             {
      @@ -6569,7 +6644,7 @@ 

          /vulnerabilities[]/cve

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6595,7 +6670,7 @@ 

          /vulnerabilities[]/involvements

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6632,7 +6707,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6692,7 +6767,7 @@ 

        /document/category

      - Examples 1 (for currently prohibited values): + Examples 1 (for currently prohibited values):

        Csaf_a
         Informational Advisory
      @@ -6701,7 +6776,7 @@ 

      veX V_eX

      - Example 2 (which fails the test): + Example 2 (which fails the test):

        "category": "Security_Incident_Response"
      @@ -6736,7 +6811,7 @@

        /document/notes

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "notes": [
           {
      @@ -6766,7 +6841,7 @@ 

        /document/references

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "references": [
           {
      @@ -6795,7 +6870,7 @@ 

        /vulnerabilities

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6828,7 +6903,7 @@ 

        /product_tree

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        {
           "document": {
      @@ -6859,7 +6934,7 @@ 

        /vulnerabilities[]/notes

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6886,7 +6961,7 @@ 

        /vulnerabilities[]/product_status

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6916,7 +6991,7 @@ 

      /vulnerabilities[]/product_status/known_not_affected /vulnerabilities[]/product_status/under_investigation

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_status": {
           "first_fixed": [
      @@ -6947,7 +7022,7 @@ 

        /vulnerabilities[]/cve
         /vulnerabilities[]/ids

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6975,7 +7050,7 @@ 

        /vulnerabilities[]/flags
         /vulnerabilities[]/threats

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7046,7 +7121,7 @@ 

        /vulnerabilities[]/remediations

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7119,7 +7194,7 @@ 

        /vulnerabilities

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        {
           "document": {
      @@ -7146,7 +7221,7 @@ 

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -7179,7 +7254,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "remediations": [
               {
      @@ -7209,7 +7284,7 @@ 

        /document/tracking/revision_history[]/number
         /document/tracking/version

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -7277,7 +7352,7 @@ 

        /product_tree/branches[](/branches[])*/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                  "branches": [
                     {
      @@ -7302,7 +7377,7 @@ 

        /vulnerabilities[]/flags[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "flags": [
               {
      @@ -7318,7 +7393,7 @@ 

      6.1.33 Multiple Flags with VEX Justification Codes per Product

      - For each item in /vulnerabilities[] it MUST be tested that a Product is not member of more than one Flag item with a VEX justification code (see section 3.2.4.5). This takes indirect relations through Product Groups into account. + For each item in /vulnerabilities[] it MUST be tested that a Product is not member of more than one Flag item with a VEX justification code (see section 3.2.4.6). This takes indirect relations through Product Groups into account.

      @@ -7330,7 +7405,7 @@

        /vulnerabilities[]/flags

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7395,7 +7470,7 @@ 

        /product_tree/branches[](/branches[])*/product

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "branches": [
      @@ -7605,7 +7680,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "remediations": [
               {
      @@ -7645,7 +7720,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "product_status": {
               "known_not_affected": [
      @@ -7679,14 +7754,14 @@ 

      /document/tracking/generator/date /document/tracking/initial_release_date /document/tracking/revision_history[]/date + /vulnerabilities[]/disclosure_date /vulnerabilities[]/discovery_date /vulnerabilities[]/flags[]/date - /vulnerabilities[]/release_date /vulnerabilities[]/involvements[]/date /vulnerabilities[]/remediations[]/date /vulnerabilities[]/threats[]/date

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "current_release_date": "2024-01-24 10:00:00.000Z",
      @@ -7705,7 +7780,7 @@

        /document/distribution/tlp/label

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7737,7 +7812,7 @@ 

        /document/distribution/sharing_group/id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7768,7 +7843,7 @@ 

        /document/distribution/sharing_group/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7798,7 +7873,7 @@ 

        /document/distribution/sharing_group/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7829,7 +7904,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/purls[] /product_tree/relationships[]/full_product_name/product_identification_helper/purls[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7850,6 +7925,310 @@ 

      The two purls differ in the name component.

      +

      + 6.1.43 Use of Multiple Stars in Model Number +

      +

      + For each model number it MUST be tested that the it does not contain multiple unescaped stars. +

      +
      +

      + Multiple * that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited. +

      +
      +

      + The relevant paths for this test are: +

      +
        /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[]
      +  /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]
      +  /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[]
      +

      + Example 1 (which fails the test): +

      +
                "model_numbers": [
      +            "P*A*"
      +          ]
      +
      +

      + The model number contains two unescaped stars. +

      +
      +

      + 6.1.44 Use of Multiple Stars in Serial Number +

      +

      + For each serial number it MUST be tested that the it does not contain multiple unescaped stars. +

      +
      +

      + Multiple * that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited. +

      +
      +

      + The relevant paths for this test are: +

      +
        /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[]
      +  /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[]
      +  /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[]
      +

      + Example 1 (which fails the test): +

      +
                "serial_numbers": [
      +            "P*A*"
      +          ]
      +
      +

      + The serial number contains two unescaped stars. +

      +
      +

      + 6.1.45 Inconsistent Disclosure Date +

      +

      + For each vulnerability, it MUST be tested that the disclosure_date is earlier or equal to the date of the newest item of the revision_history if the document is labeled TLP:CLEAR and the document status is final or interim. As the timestamps might use + different timezones, the sorting MUST take timezones into account. +

      +

      + The relevant path for this test is: +

      +
          /vulnerabilities[]/disclosure_date
      +

      + Example 1 (which fails the test): +

      +
        "document": {
      +    // ...
      +    "distribution": {
      +      "tlp": {
      +        "label": "CLEAR"
      +      }
      +    },
      +    // ...
      +    "tracking": {
      +      // ...
      +      "revision_history": [
      +        {
      +          "date": "2024-01-24T10:00:00.000Z",
      +          "number": "1",
      +          "summary": "Initial version."
      +        }
      +      ],
      +      "status": "final",
      +      // ...
      +    }
      +  },
      +  "vulnerabilities": [
      +    {
      +      "disclosure_date": "2024-02-24T10:00:00.000Z"
      +    }
      +  ]
      +
      +

      + The document is labeled TLP:CLEAR and in status final but the disclosure_date is newer than the date of newest item in the revision_history. +

      +
      +

      + 6.1.46 Invalid SSVC +

      +

      + It MUST be tested that the given SSVC object is valid according to the referenced schema. +

      +

      + The relevant path for this test is: +

      +
        /vulnerabilities[]/metrics[]/content/ssvc_v1
      +

      + Example 1 (which fails the test): +

      +
        "ssvc_v1": {
      +    "id": "CVE-1900-0001",
      +    "schemaVersion": "1-0-1",
      +    "timestamp": "2024-01-24T10:00:00.000Z"
      +  }
      +
      +

      + The required element selections is missing. +

      +
      +
      +

      + A tool MAY add the missing property id based on the values given in cve respectively ids[]/text as quick fix. +

      +
      +

      + 6.1.47 Inconsistent SSVC ID +

      +

      + For each ssvc_v1 object it MUST be tested that id is either the CVE of the vulnerability given in cve or the text of an item in the ids array. The test MUST fail, if the id equals the /document/tracking/id and the CSAF document contains more than + one vulnerability. +

      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/id
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0002",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Exploitation",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "None"
      +                  ],
      +                  "version": "1.1.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The SSVC ID does not match the CVE ID. +

      +
      +

      + 6.1.48 SSVC Decision Points +

      +

      + For each SSVC decision point given under selections with a registered namespace, it MUST be tested that given decision point exists, is valid and the items in values are ordered correctly. +

      +
      +

      + According to the SSVC project, the following values are currently registered: +

      +
        cvss
      +  nciss
      +  ssvc
      +

      + A list of all valid decision points including their values is available at the SSVC repository. The items in values need to have the same order as in their definition. +

      +
      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Mission Impact",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "None",
      +                    "Degraded"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The SSVC decision point Mission Impact doesn't have the value Degraded in version 1.0.0. +

      +
      +
      +

      + If applicable, a tool MAY sort the items in values according to the order of their definition as a quick fix. +

      +
      +

      + 6.1.49 Inconsistent SSVC Timestamp +

      +

      + For each vulnerability, it MUST be tested that the SSVC timestamp is earlier or equal to the date of the newest item of the revision_history if the document status is final or interim. As the timestamps might use different timezones, the sorting MUST take timezones into + account. +

      +

      + The relevant path for this test is: +

      +
          /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
      +

      + Example 1 (which fails the test): +

      +
        "document": {
      +    // ...
      +    "distribution": {
      +      "tlp": {
      +        "label": "CLEAR"
      +      }
      +    },
      +    // ...
      +    "tracking": {
      +      // ...
      +      "revision_history": [
      +        {
      +          "date": "2024-01-24T10:00:00.000Z",
      +          "number": "1",
      +          "summary": "Initial version."
      +        }
      +      ],
      +      "status": "final",
      +      // ...
      +    }
      +  },
      +  "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Exploitation",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "Active"
      +                  ],
      +                  "version": "1.1.0"
      +                }
      +              ],
      +              "timestamp": "2024-07-13T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The document is in status final but the SSVC timestamp is newer than the date of newest item in the revision_history. +

      +

      6.2 Optional Tests

      @@ -7872,7 +8251,7 @@

      /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7911,7 +8290,7 @@ 

      /vulnerabilities[]/product_status/last_affected[] /vulnerabilities[]/product_status/under_investigation[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7948,7 +8327,7 @@ 

      /vulnerabilities[]/product_status/known_affected[] /vulnerabilities[]/product_status/last_affected[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7983,7 +8362,7 @@ 

          /document/tracking/revision_history[]/number

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "revision_history": [
             {
      @@ -8008,7 +8387,7 @@ 

          /document/tracking/initial_release_date

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -8043,7 +8422,7 @@ 

          /document/tracking/current_release_date

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "tracking": {
             "current_release_date": "2023-09-06T10:00:00.000Z",
      @@ -8078,7 +8457,7 @@ 

          /vulnerabilities[]/involvements

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -8113,7 +8492,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -8159,7 +8538,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -8219,7 +8598,7 @@ 

        /document/references

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -8255,7 +8634,7 @@ 

        /document/lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           "category": "csaf_base",
      @@ -8286,7 +8665,7 @@ 

        /

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           "csaf_version": "2.1",
      @@ -8315,7 +8694,7 @@ 

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "lang": "qtx"
      @@ -8340,7 +8719,7 @@

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "lang": "i-default"
      @@ -8366,7 +8745,7 @@

      /product_tree/full_product_names[] /product_tree/relationships[]/full_product_name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "full_product_names": [
             {
      @@ -8395,7 +8774,7 @@ 

        /vulnerabilities[]/ids[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "ids": [
               {
      @@ -8430,7 +8809,7 @@ 

        /product_tree/branches[](/branches[])*/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                  "branches": [
                     {
      @@ -8457,7 +8836,7 @@ 

        /vulnerabilities[]/product_status/first_fixed[]
         /vulnerabilities[]/product_status/fixed[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -8517,7 +8896,7 @@ 

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           "category": "csaf_base",
      @@ -8546,7 +8925,7 @@ 

        /document/tracking/revision_history[]/date

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
      @@ -8576,7 +8955,7 @@ 

        /document/title

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
           "tracking": {
      @@ -8605,7 +8984,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

           "cwes": [
               {
      @@ -8635,7 +9014,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -8681,7 +9060,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "cwes": [
               {
      @@ -8711,7 +9090,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "cwes": [
               {
      @@ -8736,7 +9115,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "product_status": {
               "known_not_affected": [
      @@ -8768,7 +9147,7 @@ 

        /document/distribution/sharing_group/id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -8798,7 +9177,7 @@ 

        /document/distribution/sharing_group/id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -8828,7 +9207,7 @@ 

        /document/distribution/sharing_group

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -8868,7 +9247,7 @@ 

      /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "branches": [
      @@ -8922,7 +9301,7 @@ 

      /product_tree/full_product_names[]/product_id/product_identification_helper /product_tree/relationships[]/full_product_name/product_id/product_identification_helper

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "branches": [
      @@ -8971,6 +9350,143 @@ 

      Both products are identified by the same serial number 143-D-354.

      +

      + 6.2.33 Disclosure Date newer than Revision History +

      +

      + For each vulnerability, it MUST be tested that the disclosure_date is earlier or equal to the date of the newest item of the revision_history if the disclosure_date is in the past at the time of the test execution. As the timestamps might use different timezones, the sorting MUST take + timezones into account. +

      +

      + The relevant path for this test is: +

      +
          /vulnerabilities[]/disclosure_date
      +

      + Example 1 (which fails the test): +

      +
        "document": {
      +    // ...
      +    "distribution": {
      +      "tlp": {
      +        "label": "GREEN"
      +      }
      +    },
      +    // ...
      +    "tracking": {
      +      "current_release_date": "2024-01-24T10:00:00.000Z",
      +      // ...
      +      "initial_release_date": "2024-01-24T10:00:00.000Z",
      +      "revision_history": [
      +        {
      +          "date": "2024-01-24T10:00:00.000Z",
      +          "number": "1",
      +          "summary": "Initial version."
      +        }
      +      ],
      +      "status": "final",
      +      "version": "1"
      +    }
      +  },
      +  "vulnerabilities": [
      +    {
      +      "disclosure_date": "2024-02-24T10:00:00.000Z"
      +    }
      +  ]
      +
      +

      + The disclosure_date is in the past but newer than the date of newest item in the revision_history. +

      +
      +

      + 6.2.34 Usage of Unknown SSVC Decision Point Namespace +

      +

      + For each SSVC decision point given under selections, it MUST be tested the namespace is one of the case-sensitive registered namespaces. +

      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Technical Impact",
      +                  "namespace": "an-yet-unknown-or-maybe-private-namespace",
      +                  "values": [
      +                    "Total"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The namespace an-yet-unknown-or-maybe-private-namespace is not a registered namespace. Its decision point definitions might therefore not be known to the reader of the document. +

      +
      +

      + 6.2.35 Usage of Unknown SSVC Role +

      +

      + For each SSVC object, it MUST be tested the role is one of the case-sensitive registered roles. +

      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/role
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Technical Impact",
      +                  "namespace": "an-yet-unknown-or-maybe-private-namespace",
      +                  "values": [
      +                    "Total"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The namespace an-yet-unknown-or-maybe-private-namespace is not a registered namespace. Its decision point definitions might therefore not be known to the reader of the document. +

      +

      6.3 Informative Test
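Review bot: The failing example for 6.2.35 never sets a `role` inside the ssvc_v1 object, so it does not exercise the stated path `/vulnerabilities[]/metrics[]/content/ssvc_v1/role`; it is a verbatim copy of the 6.2.34 example, and the closing sentence after it still explains the unregistered namespace instead of an unregistered role. Add a line such as `"role": "an-yet-unknown-or-maybe-private-role",` (constructed value, in the style of the existing one) to the ssvc_v1 object, switch the selection to a registered namespace such as `"namespace": "ssvc",` so that the example fails only this test, and replace the explanation with `The role an-yet-unknown-or-maybe-private-role is not a registered role.`. Neither 6.2.34 nor 6.2.35 says where the "registered" namespaces and roles are listed, while 6.3.13 points to the SSVC repository; if that repository is the intended source, a sentence like `A list of all registered namespaces and roles is available at the SSVC repository.` would make both tests implementable.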

      @@ -8994,7 +9510,7 @@

          /vulnerabilities[]/metrics

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -9045,7 +9561,7 @@ 

        /vulnerabilities[]/metrics[]/content/cvss_v3/version
         /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.0",
      @@ -9081,7 +9597,7 @@ 

        /vulnerabilities[]/cve

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -9110,7 +9626,7 @@ 

        /vulnerabilities[]/cwe

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -9136,7 +9652,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -9199,7 +9715,7 @@ 

      /vulnerabilities[]/references[]/url /vulnerabilities[]/remediations[]/url

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "references": [
             {
      @@ -9229,7 +9745,7 @@ 

        /document/references[]/url
         /vulnerabilities[]/references[]/url

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "references": [
             {
      @@ -9290,7 +9806,7 @@ 

      /vulnerabilities[]/threats[]/details /vulnerabilities[]/title

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -9325,7 +9841,7 @@ 

        /product_tree/branches

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "branches": [
             {
      @@ -9370,7 +9886,7 @@ 

        /product_tree/branches[](/branches[])*/category

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                      "category": "product_version_range",
      @@ -9395,7 +9911,7 @@

        /product_tree/branches[](/branches[])*/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                  "branches": [
                     {
      @@ -9420,7 +9936,7 @@ 

          /vulnerabilities[]/metrics[]/content

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -9454,6 +9970,56 @@ 

      There is no CVSS v4.0 score given for CSAFPID-9080700.

      +

      + 6.3.13 Usage of Non-Latest SSVC Decision Point Version +

      +

      + For each SSVC decision point given under selections with the namespace of ssvc, it MUST be tested the latest decision point version available at the time of the timestamp was used. The test SHALL fail if a later version was used. +

      +
      +

      + A list of all valid decision points including their values is available at the SSVC repository. +

      +
      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Mission Impact",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "Non-Essential Degraded"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + At the timestamp 2024-01-24T10:00:00.000Z version 2.0.0 of the SSVC decision point Mission Impact was already available. +

      +

      7. Distributing CSAF documents @@ -9554,7 +10120,7 @@
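Review bot: The sentence `The test SHALL fail if a later version was used.` in 6.3.13 reads as the opposite of its own example, which fails because version 1.0.0 of Mission Impact was used although 2.0.0 was already available at the timestamp, i.e. an older version. If the intent is to additionally reject a version that did not yet exist at the timestamp, say so explicitly, e.g. `The test SHALL also fail if a version newer than the latest one available at the time of the timestamp was used.`; otherwise the sentence can be dropped, since the first sentence already defines the failure condition. The first sentence also lacks a conjunction: `it MUST be tested that the latest decision point version available at the time of the timestamp was used`.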

    - Example 1 (minimal with ROLIE document): + Example 1 (minimal with ROLIE document):

      {
         "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
    @@ -9613,7 +10179,7 @@ 

    - Examples 1: + Examples 1:

    CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
     CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
    @@ -9631,14 +10197,22 @@ 

    details.

    - Example 1: + Example 1:

      https://www.example.com/.well-known/csaf/provider-metadata.json

    7.1.10 Requirement 10: DNS path

    - The DNS record csaf.data.security.domain.tld SHALL resolve as a web server which serves directly the provider-metadata.json according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. + Assuming that the organization's main domain is domain.tld, the DNS record csaf.data.security.domain.tld SHALL resolve to the IP address of a web server which serves directly the provider-metadata.json according to requirement 7. +

    +
    +

    + The domain.tld is just a placeholder for the organization's main domain. For the organization with the main domain being example.com, the necessary DNS record is csaf.data.security.example.com. +

    +
    +

    + That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required.

    7.1.11 Requirement 11: One folder per year @@ -9647,7 +10221,7 @@

    The CSAF documents MUST be located within folders named <YYYY> where <YYYY> is the year given in the value of /document/tracking/initial_release_date.

    - Examples 1: + Examples 1:

    2024
     2023
    @@ -9658,7 +10232,7 @@

    The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.

    - Example 1: + Example 1:

    2023/esa-2023-09953.json
     2022/esa-2022-02723.json
    @@ -9682,7 +10256,7 @@ 

    - Example 1: + Example 1:

    2023/esa-2023-09953.json,2023-07-01T10:09:07Z
     2021/esa-2021-03676.json,2023-07-01T10:09:01Z
    @@ -9718,7 +10292,7 @@ 

    MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].

    - Example 1: + Example 1:

      {
         "feed": {
    @@ -9784,7 +10358,7 @@ 

    the filename service.json and reside next to the provider-metadata.json.

    - Example 1: + Example 1:

      {
         "service": {
    @@ -9851,7 +10425,7 @@ 

    type of product

    - Examples 1: + Examples 1:

      CPU
       Firewall
    @@ -9867,7 +10441,7 @@ 

    areas or sectors, the products are used in

    - Examples 2: + Examples 2:

      Chemical
       Commercial
    @@ -9885,7 +10459,7 @@ 

    - Example 3: + Example 3:

      {
         "categories": {
    @@ -9909,7 +10483,7 @@ 

    MD5 and SHA1 SHOULD NOT be used.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of SHA-256 hash file: esa-2022-02723.json.sha256
    @@ -9918,7 +10492,7 @@ 

    The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.

    - Example 2: + Example 2:

    ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json

    @@ -9931,7 +10505,7 @@

    All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See [RFC4880] for more details.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of signature file: esa-2022-02723.json.asc
    @@ -9997,7 +10571,7 @@

    The file aggregator.json SHOULD only list the latest version of the metadata of a CSAF provider.

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -10054,7 +10628,7 @@ 

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -10575,6 +11149,9 @@ 

    +
  • + /vulnerabilities[]/disclosure_date: If a vuln:ReleaseDate was given, the CVRF CSAF converter MUST convert its value into the disclosure_date element. +
  • /vulnerabilities[]/ids: If a vuln:ID element is given, the CVRF CSAF converter converts it into the first item of the ids array.
  • @@ -10621,7 +11198,7 @@

    Retrieve the CVSS version from the CVSS vector, if present.

    - Example 1: + Example 1:

      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
    @@ -10630,7 +11207,7 @@

    Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.

    - Example 2: + Example 2:

      xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
       <!-- -->
    @@ -10639,7 +11216,7 @@ 

    is handled the same as

    - Example 3: + Example 3:

      <ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
    @@ -10649,7 +11226,7 @@

    decision.

    - Example 4: + Example 4:

      xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
    @@ -10789,6 +11366,11 @@

    suggest to publish a new version of the CSAF document with the document status final if the document status was interim and no new release has be done during the given threshold in the configuration (default: 6 weeks)

    +
    +

    + Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of whether the specified target group is the public or a closed group. +

    +
  • @@ -11051,6 +11633,11 @@

  • does not use the same /document/tracking/id as the original document. The translated document can use a completely new /document/tracking/id or compute one by using the original /document/tracking/id as a prefix and adding an ID from the naming scheme of the issuer of the translated version. It SHOULD NOT use the original /document/tracking/id as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original /document/tracking/id and translated /document/lang as a /document/tracking/id for the translated document. +
    +

    + Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public or a closed group. +

    +
  • provides the /document/lang property with a value matching the language of the translation.
  • @@ -11367,11 +11954,67 @@

    type /$defs/full_product_name_t/product_identification_helper/cpe: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.

  • +
  • +

    + type /$defs/full_product_name_t/model_number: +

    +
      +
    • If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a * to the end and output a warning that a partial model number was detected and a star has been added. Such a warning MUST include the model number. +
    • +
    • If the model number contains a \, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional \ before the character. +
    • +
    • If the model number contains multiple unescaped * after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and output a warning that a model number with multiple stars was detected and removed. Such a warning MUST include the model number. +
    • +
    +
    +

    + A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the ? in all model numbers as part of the model number itself and therefore escape it. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the * in all model numbers as part of the model number itself and therefore escape it. +

    +
    +
  • type /$defs/full_product_name_t/product_identification_helper/purls: If a /$defs/full_product_name_t/product_identification_helper/purl is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding purls array.

  • +
  • +

    + type /$defs/full_product_name_t/serial_number: +

    +
      +
    • If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a * to the end and output a warning that a partial serial number was detected and a star has been added. Such a warning MUST include the serial number. +
    • +
    • If the serial number contains a \, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional \ before the character. +
    • +
    • If the serial number contains multiple unescaped * after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and output a warning that a serial number with multiple stars was detected and removed. Such a warning MUST include the serial number. +
    • +
    +
    +

    + A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the ? in all serial numbers as part of the serial number itself and therefore escape it. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the * in all serial numbers as part of the serial number itself and therefore escape it. +

    +
    +
  • /$schema: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema. @@ -11470,6 +12113,19 @@
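Review bot: The conversion steps for model_number, and identically for serial_number, interact in a way the text does not spell out: the first step appends a `*` to every value that does not already end with one, so a CSAF 2.0 value with a single interior wildcard (constructed example: `6RA80*-0AA0`) always ends up with two unescaped stars and is then removed by the third step, with no way to keep it other than the non-default "complete" option. If that outcome is intended, state it, e.g. `Note: A wildcard that is not at the end of the string cannot be expressed in CSAF 2.1; such values are therefore removed by the rules above.`; if not, the multiple-star check has to run before the star is appended. Minor wording in the same items: `does not end on a star` should be `does not end with a star`, and `therefore does not add any stars` should be `therefore not add any stars`.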

    The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.

  • +
  • +

    + /vulnerabilities[]/disclosure_date: If a release_date was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert its value as value into the disclosure_date element. +

    +
  • +
  • +

    + /vulnerabilities[]/metrics/ssvc_v1: If a SSVC vector or decision points of an SSVC vector are given in an item of notes of the current vulnerability using the title SSVC and the category other, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into + the ssvc_v1 object within the current vulnerability. If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding notes item SHALL be removed. If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information + given, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the invalid ssvc_v1 object, keep the original item of notes and output a warning that the automatic conversion of the SSVC data failed. If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 + converter SHALL remove the ssvc_v1 object, keep the original item of notes and output a warning that the automatic conversion of the SSVC data would lead to loosing information. +

    +
  • /vulnerabilities[]/remediations[]: @@ -11491,6 +12147,11 @@
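Review bot: The path `/vulnerabilities[]/metrics/ssvc_v1` in the new ssvc_v1 conversion rule does not match the path the rest of the document uses for this object, `/vulnerabilities[]/metrics[]/content/ssvc_v1` (as in tests 6.2.34 and 6.3.13); the `[]` and `content` segments are missing, which matters for a converter that implements these rules by JSON path. The disclosure_date rule just above it has a garbled phrase, `convert its value as value into the disclosure_date element`; `convert its value into the disclosure_date element` matches the wording of the CVRF rule earlier in this diff. `loosing` should be `losing` in all three places in the ssvc_v1 paragraph.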

  • +
  • +

    + The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning. +

    +
  • @@ -13057,6 +13718,20 @@

    Next Editor Revision + + + csaf-v2.0-wd20250226-dev + + + 2025-02-26 + + + Stefan Hagen and Thomas Schmidt + + + Next Editor Revision + +
    @@ -13189,6 +13864,12 @@

  • /vulnerabilities[]/ids
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values +
  • /vulnerabilities[]/remediations[]/entitlements
  • @@ -13574,6 +14255,24 @@

  • /vulnerabilities[]/metrics[]/content/cvss_v4/vectorString
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/id +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/role +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[] +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version +
  • /vulnerabilities[]/metrics[]/products[]
  • @@ -13737,6 +14436,9 @@

  • /document/tracking/revision_history[]/date
  • +
  • + /vulnerabilities[]/disclosure_date +
  • /vulnerabilities[]/discovery_date
  • @@ -13747,7 +14449,7 @@

    /vulnerabilities[]/involvements[]/date
  • - /vulnerabilities[]/release_date + /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
  • /vulnerabilities[]/remediations[]/date @@ -14046,6 +14748,9 @@

  • /vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact (4)
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion (5) +
  • /vulnerabilities[]/notes[]/category (16)
  • diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index c4bad9764..8ffd3be7e 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 29 January 2025 +## 26 February 2025 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 26 February 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- 
@@ -188,18 +188,18 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 3.2.4.1 [Vulnerabilities Property - Acknowledgments](#vulnerabilities-property-acknowledgments) 3.2.4.2 [Vulnerabilities Property - CVE](#vulnerabilities-property-cve) 3.2.4.3 [Vulnerabilities Property - CWEs](#vulnerabilities-property-cwes) - 3.2.4.4 [Vulnerabilities Property - Discovery Date](#vulnerabilities-property-discovery-date) - 3.2.4.5 [Vulnerabilities Property - Flags](#vulnerabilities-property-flags) - 3.2.4.6 [Vulnerabilities Property - IDs](#vulnerabilities-property-ids) - 3.2.4.7 [Vulnerabilities Property - Involvements](#vulnerabilities-property-involvements) - 3.2.4.8 [Vulnerabilities Property - Metrics](#vulnerabilities-property-metrics) - 3.2.4.8.1 [Vulnerabilities Property - Metrics - Content](#vulnerabilities-property-metrics-content) - 3.2.4.8.2 [Vulnerabilities Property - Metrics - Products](#vulnerabilities-property-metrics-products) - 3.2.4.8.3 [Vulnerabilities Property - Metrics - Source](#vulnerabilities-property-metrics-source) - 3.2.4.9 [Vulnerabilities Property - Notes](#vulnerabilities-property-notes) - 3.2.4.10 [Vulnerabilities Property - Product Status](#vulnerabilities-property-product-status) - 3.2.4.11 [Vulnerabilities Property - References](#vulnerabilities-property-references) - 3.2.4.12 [Vulnerabilities Property - Release Date](#vulnerabilities-property-release-date) + 3.2.4.4 [Vulnerabilities Property - Disclosure Date](#vulnerabilities-property-disclosure-date) + 3.2.4.5 [Vulnerabilities Property - Discovery Date](#vulnerabilities-property-discovery-date) + 3.2.4.6 [Vulnerabilities Property - Flags](#vulnerabilities-property-flags) + 3.2.4.7 [Vulnerabilities Property - IDs](#vulnerabilities-property-ids) + 3.2.4.8 [Vulnerabilities Property - Involvements](#vulnerabilities-property-involvements) + 3.2.4.9 [Vulnerabilities Property - Metrics](#vulnerabilities-property-metrics) + 3.2.4.9.1 [Vulnerabilities Property - Metrics - 
Content](#vulnerabilities-property-metrics-content) + 3.2.4.9.2 [Vulnerabilities Property - Metrics - Products](#vulnerabilities-property-metrics-products) + 3.2.4.9.3 [Vulnerabilities Property - Metrics - Source](#vulnerabilities-property-metrics-source) + 3.2.4.10 [Vulnerabilities Property - Notes](#vulnerabilities-property-notes) + 3.2.4.11 [Vulnerabilities Property - Product Status](#vulnerabilities-property-product-status) + 3.2.4.12 [Vulnerabilities Property - References](#vulnerabilities-property-references) 3.2.4.13 [Vulnerabilities Property - Remediations](#vulnerabilities-property-remediations) 3.2.4.13.1 [Vulnerabilities Property - Remediations - Category](#vulnerabilities-property-remediations-category) 3.2.4.13.2 [Vulnerabilities Property - Remediations - Date](#vulnerabilities-property-remediations-date) @@ -236,7 +236,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.1.8 [Invalid CVSS](#invalid-cvss) 6.1.9 [Invalid CVSS computation](#invalid-cvss-computation) 6.1.10 [Inconsistent CVSS](#inconsistent-cvss) - 6.1.11 [CWE](#cwe) + 6.1.11 [CWE](#mandatory-tests--cwe) 6.1.12 [Language](#language) 6.1.13 [PURL](#purl) 6.1.14 [Sorted Revision History](#sorted-revision-history) 
@@ -279,6 +279,13 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.1.40 [Invalid Sharing Group Name](#invalid-sharing-group-name) 6.1.41 [Missing Sharing Group Name](#missing-sharing-group-name) 6.1.42 [PURL Qualifiers](#purl-qualifiers) + 6.1.43 [Use of Multiple Stars in Model Number](#use-of-multiple-stars-in-model-number) + 6.1.44 [Use of Multiple Stars in Serial Number](#use-of-multiple-stars-in-serial-number) + 6.1.45 [Inconsistent Disclosure Date](#inconsistent-disclosure-date) + 6.1.46 [Invalid SSVC](#invalid-ssvc) + 6.1.47 [Inconsistent SSVC ID](#inconsistent-ssvc-id) + 6.1.48 [SSVC Decision Points](#ssvc-decision-points) + 6.1.49 [Inconsistent SSVC Timestamp](#inconsistent-ssvc-timestamp) 6.2 [Optional Tests](#optional-tests) 6.2.1 [Unused Definition of Product ID](#unused-definition-of-product-id) 6.2.2 [Missing Remediation](#missing-remediation) @@ -312,6 +319,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.2.30 [Usage of Sharing Group on TLP:CLEAR](#usage-of-sharing-group-on-tlp-clear) 6.2.31 [Hardware and Software](#hardware-and-software) 6.2.32 [Use of same Product Identification Helper for different Products](#use-of-same-product-identification-helper-for-different-products) + 6.2.33 [Disclosure Date newer than Revision History](#disclosure-date-newer-than-revision-history) + 6.2.34 [Usage of Unknown SSVC Decision Point Namespace](#usage-of-unknown-ssvc-decision-point-namespace) + 6.2.35 [Usage of Unknown SSVC Role](#usage-of-unknown-ssvc-role) 6.3 [Informative Test](#informative-test) 6.3.1 [Use of CVSS v2 as the only Scoring System](#use-of-cvss-v2-as-the-only-scoring-system) 6.3.2 [Use of CVSS v3.0](#use-of-cvss-v3-0) 
@@ -325,6 +335,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.3.10 [Usage of Product Version Range](#usage-of-product-version-range) 6.3.11 [Usage of V as Version Indicator](#usage-of-v-as-version-indicator) 6.3.12 [Missing CVSS v4.0](#missing-cvss-v4-0) + 6.3.13 [Usage of Non-Latest SSVC Decision Point Version](#usage-of-non-latest-ssvc-decision-point-version) 7. [Distributing CSAF documents](#distributing-csaf-documents) 7.1 [Requirements](#requirements) 7.1.1 [Requirement 1: Valid CSAF document](#requirement-1-valid-csaf-document) @@ -712,6 +723,8 @@ For purposes of this document, the following terms and definitions apply: **\[****SPDX301\]** _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, . +**\[****SSVC\]** _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, + **\[****VERS\]** _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, . **\[****VEX\]** _Vulnerability-Exploitability eXchange (VEX) - An Overview_, VEX sub-group of the Framing Working Group in the NTIA SBOM initiative, 27 September 2021, . 
@@ -811,23 +824,26 @@ Proven and intended usage patterns from practice are given where possible. Delegation to industry best practices technologies is used in referencing schemas for: -* Platform Data: +* Classification for Document Distribution + * Traffic Light Protocol (TLP) + * Default Definition: https://www.first.org/tlp/ +* Platform Data * Common Platform Enumeration (CPE) Version 2.3 \[[CPE23-N](#CPE23-N)\] -* Vulnerability Scoring: +* Vulnerability Categorization + * Stakeholder-Specific Vulnerability Categorization \[[SSVC](#SSVC)\] + * JSON Schema Reference: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json +* Vulnerability Classification + * Common Weakness Enumeration (CWE) \[[CWE](#CWE)\] + * CWE List: http://cwe.mitre.org/data/index.html +* Vulnerability Scoring * Common Vulnerability Scoring System (CVSS) Version 4.0 \[[CVSS40](#CVSS40)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v4.0.json * Common Vulnerability Scoring System (CVSS) Version 3.1 \[[CVSS31](#CVSS31)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.1.json * Common Vulnerability Scoring System (CVSS) Version 3.0 \[[CVSS30](#CVSS30)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.0.json * Common Vulnerability Scoring System (CVSS) Version 2.0 \[[CVSS2](#CVSS2)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json -* Vulnerability Classification - * Common Weakness Enumeration (CWE) \[[CWE](#CWE)\] - * CWE List: http://cwe.mitre.org/data/index.html -* Classification for Document Distribution - * Traffic Light Protocol (TLP) - * Default Definition: https://www.first.org/tlp/ + * JSON Schema Reference: https://www.first.org/cvss/cvss-v2.0.json Even though the JSON schema does not 
prohibit specifically additional properties and custom keywords, it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub. @@ -843,7 +859,6 @@ Section [7](#distributing-csaf-documents) states how to distribute and where to Safety, Security and Data Protection are considered in section [8](#safety-security-and-data-protection-considerations). Finally, a set of conformance targets describes tools in the ecosystem. - ## 2.2 Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. @@ -1481,13 +1496,19 @@ the component to identify. > Often it is abbreviated as "MN", M/N" or "model no.". If a part of a model number of the component to identify is given, -it SHOULD begin with the first character of the model number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). -Two `*` MUST NOT follow each other. +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. +This applies also to the first character. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the model number, the special characters `?`, `*` and `\` MUST be escaped with `\`. + +> Note: A backslash MUST be escaped itself in a JSON string. *Examples 1:* ``` + *-G109A/EU? + 2024-* 6RA8096-4MV62-0AA0 6RA801?-??V62-0AA0 IC25T060ATCS05-0 
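Review bot: The re-added `CWE List` bullet still references `http://cwe.mitre.org/data/index.html` over plain HTTP, whereas every other external definition in the same list (TLP, SSVC, the CVSS schemas) is given as HTTPS. A normative pointer to the catalogue that test 6.1.11 validates CWE identifiers against should not direct implementers to an unauthenticated channel; since the line is rewritten by this commit anyway, make it `  * CWE List: https://cwe.mitre.org/data/index.html`.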
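Review bot: The new escaping rule says `?`, `*` and `\` MUST be escaped with `\` inside a model number, but it does not say how a `\` followed by any other character is to be interpreted, so one consumer may treat it as a literal backslash and another as invalid — and a matching discrepancy here changes which products a consumer reports as affected. Suggest adding after the escaping rule: `A backslash that is not followed by one of these special characters is invalid.` (or, if the TC prefers leniency, that it matches a literal backslash). The identical paragraph is repeated for serial numbers in the hunk at `@@ -1570,9 +1591,23 @@` and should receive the same sentence. The phrase `signal exclusion of characters at these positions from matching` also reads as if those positions are skipped rather than matching anything; `match any single character` and `match any sequence of zero or more characters` would be unambiguous.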
@@ -1570,9 +1591,23 @@ Any given serial number of value type `string` with at least 1 character represe abbreviated (partial) serial number of the component to identify. If a part of a serial number of the component to identify is given, -it SHOULD begin with the first character of the serial number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). -Two `*` MUST NOT follow each other. +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. +This applies also to the first character. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. + +> Note: A backslash MUST be escaped itself in a JSON string. + +*Examples 1:* + +``` + *RF8R71YR??? + 11S45N0249Z1ZS9* + DSEP147100 + L15-VM-??? + L234.696.30.044.712 +``` ##### 3.1.3.3.7 Full Product Name Type - Product Identification Helper - SKUs @@ -1639,7 +1674,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier > These elements can be used to reference a specific component from an SBOM: -*Example 1 (linking a component from a CycloneDX SBOM using the bomlink mechanism):* +*Example 1 (linking a component from a CycloneDX SBOM using the bomlink mechanism):* ``` "x_generic_uris": [ @@ -1650,7 +1685,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier ] ``` -*Example 2 (linking a component from an SPDX SBOM):* +*Example 2 (linking a component from an SPDX SBOM):* ``` "x_generic_uris": [ 
@@ -1676,7 +1711,7 @@ See IETF language registry: Even though the private use language tags are supported they should not be used to ensure readability across the ecosystem. > It is recommended to follow the conventions for the capitalization of the subtags even though it is not mandatory as most users are used to that. -*Examples 1:* +*Examples 1:* ``` de @@ -1722,7 +1757,7 @@ A Note `object` MAY provide the optional properties `audience` and `title`. Audience of note (`audience`) of value type `string` with 1 or more characters indicates who is intended to read it. -*Examples 1:* +*Examples 1:* ``` all @@ -1769,7 +1804,7 @@ Content varies depending on type. Title of note (`title`) of value type `string` with 1 or more characters provides a concise description of what is contained in the text of the note. -*Examples 2:* +*Examples 2:* ``` Details @@ -1791,7 +1826,7 @@ a product group in the context of the current document. }, ``` -*Examples 1:* +*Examples 1:* ``` CSAFGID-0001 @@ -1829,7 +1864,7 @@ the current document. }, ``` -*Examples 1:* +*Examples 1:* ``` CSAFPID-0004 @@ -1922,7 +1957,7 @@ There are two options how it can be used: A CSAF document MUST use only one versioning system. -*Examples 1:* +*Examples 1:* ``` 1 @@ -1947,7 +1982,7 @@ The following rules apply: Any modifications MUST be released as a new version. 2. Version zero (0) is for initial development before the `initial_release_date`. The document status MUST be `draft`. Anything MAY change at any time. The document SHOULD NOT be considered stable. -3. Version 1 defines the initial public release. +3. Version 1 defines the initial release to the specified target group. Each new version where `/document/tracking/status` is `final` has a version number incremented by one. 4. Pre-release versions (document status `draft`) MUST carry the new version number. Sole exception is before the initial release (see rule 2). 
@@ -1978,7 +2013,7 @@ This results in the following rules: tracked in this stage with (0.y.z) by incrementing the minor version y instead. Changes that would increment the minor or patch version according to rule 6 or 5 are both tracked in this stage with (0.y.z) by incrementing the patch version z instead. -4. Version 1.0.0 defines the initial public release. +4. Version 1.0.0 defines the initial release to the specified target group. The way in which the version number is incremented after this release is dependent on the content and structure of the document and how it changes. 5. Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced. @@ -2012,7 +2047,7 @@ This results in the following rules: A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version. - *Examples 1:* + *Examples 1:* ``` 1.0.0-0.3.7 @@ -2028,7 +2063,7 @@ This results in the following rules: Identifiers MUST NOT be empty. Build metadata MUST be ignored when determining version precedence. Thus two versions that differ only in the build metadata, have the same precedence. - *Examples 2:* + *Examples 2:* ``` 1.0.0+20130313144700 @@ -2044,7 +2079,7 @@ This results in the following rules: 2. Precedence is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically. - *Example 3:* + *Example 3:* ``` 1.0.0 < 2.0.0 < 2.1.0 < 2.1.1 @@ -2052,7 +2087,7 @@ This results in the following rules: 3. When major, minor, and patch are equal, a pre-release version has lower precedence than a normal version: - *Example 4:* + *Example 4:* ``` 1.0.0-alpha < 1.0.0 
@@ -2066,7 +2101,7 @@ This results in the following rules: 3. Numeric identifiers always have lower precedence than non-numeric identifiers. 4. A larger set of pre-release fields has a higher precedence than a smaller set, if all of the preceding identifiers are equal. - *Example 5:* + *Example 5:* ``` 1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0 @@ -2074,7 +2109,7 @@ This results in the following rules: Note, that the following values do no conform the semantic versioning described above. -*Examples 6 (which are invalid):* +*Examples 6 (which are invalid):* ``` 1.16.13.14-Cor @@ -2192,7 +2227,7 @@ The Namespace of aggregate severity (`namespace`) of value type `string` with fo The Text of aggregate severity (`text`) of value type `string` with 1 or more characters provides a severity which is independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS). -*Examples 1:* +*Examples 1:* ``` Critical @@ -2218,7 +2253,7 @@ Document category defines a short canonical name, chosen by the document produce } ``` -*Examples 1:* +*Examples 1:* ``` csaf_base @@ -2262,7 +2297,7 @@ If multiple values are present, the TLP information SHOULD be preferred as this The Sharing Group SHALL be interpreted as specification to the TLP information. Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: -*Examples 1:* +*Examples 1:* ``` E-ISAC members-only @@ -2338,7 +2373,7 @@ However, the following values are reserved for the conditions below: The Textual description (`text`) of value type `string` with 1 or more characters provides a textual description of additional constraints. -*Examples 1:* +*Examples 1:* ``` Copyright 2024, Example Company, All Rights Reserved. 
@@ -2393,7 +2428,7 @@ The default value is the URL to the definition by FIRST: https://www.first.org/tlp/ ``` -*Examples 1:* +*Examples 1:* ``` https://www.us-cert.gov/tlp @@ -2502,7 +2537,7 @@ open source projects as well as product resellers and distributors, including au Contact details (`contact_details`) of value type `string` with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses. -*Example 1:* +*Example 1:* ``` Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact. @@ -2517,7 +2552,7 @@ the authority of the issuing party to release the document, in particular, the p The Name of publisher (`name`) of value type `string` with 1 or more characters contains the name of the issuing party. -*Example 1:* +*Example 1:* ``` BSI @@ -2544,7 +2579,7 @@ an incremented (patch) version which has no other changes than: * the updated item in `/document/references[]` which points to the new version of the CSAF document * an added item in `/document/references[]` which points to the previous version of the CSAF document (if the URL changed) -*Examples 1:* +*Examples 1:* ``` https://csaf.io @@ -2579,7 +2614,7 @@ The property SHALL NOT be present if the document was not translated. Title of this document (`title`) of value type `string` with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents. -*Examples 1:* +*Examples 1:* ``` Cisco IPv6 Crafted Packet Denial of Service Vulnerability @@ -2642,7 +2677,7 @@ list of alternate names for the same document. Every such Alternate Name of value type `string` with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document. -*Example 1:* +*Example 1:* ``` CVE-2019-12345 
@@ -2696,7 +2731,7 @@ optional property Engine version (`version`) contains information about the engi Engine name (`name`) of value type `string` with 1 or more characters represents the name of the engine that generated the CSAF document. -*Examples 1:* +*Examples 1:* ``` Red Hat rhsa-to-cvrf @@ -2709,7 +2744,7 @@ Engine version (`version`) of value type `string` with 1 or more characters cont > Although it is not formally required, the TC suggests to use a versioning which is compatible with Semantic Versioning as described in > the external specification [SemVer]. This could help the end user to identify when CSAF consumers have to be updated. -*Examples 2:* +*Examples 2:* ``` 0.6.0 @@ -2732,7 +2767,7 @@ Unique identifier for the document holds the Identifier. The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization. -*Examples 1:* +*Examples 1:* ``` Example Company - 2019-YH3234 
@@ -2746,7 +2781,14 @@ This value is also used to determine the filename for the CSAF document (cf. sec ##### 3.2.2.12.5 Document Property - Tracking - Initial Release Date -Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first published. +Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the specified target group. + +> For `TLP:CLEAR` documents, this is usually the timestamp when the document was published. +> For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group. +> Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience. + +If the timestamp of the initial release date was set incorrectly, it MUST be corrected. +This change MUST be tracked with a new entry in the revision history. ##### 3.2.2.12.6 Document Property - Tracking - Revision History @@ -2900,7 +2942,7 @@ the optional Summary (`summary`) property. The summary of the product group (`summary`) of value type `string` with 1 or more characters gives a short, optional description of the group. -*Examples 1:* +*Examples 1:* ``` Products supporting Modbus. @@ -2989,7 +3031,7 @@ which is referenced as the first element of the relationship. Relates to Product Reference (`relates_to_product_reference`) of value type Product ID (`product_id_t`) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship. -*Examples 1:* +*Examples 1:* ``` "product_tree": { 
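Review bot: `specified target group` is used here and in the matching schema description without saying where that group is specified; an implementer needs it tied to the document's distribution information (presumably `/document/distribution`, i.e. the TLP label and, if present, the sharing group) so the two notes on `TLP:CLEAR` and `TLP:GREEN and higher` have a concrete anchor. Suggest `... holds the date when this document was first released to the target group specified in /document/distribution.` The rule that the date does not move when the audience is later widened is sound, but it means a consumer of a TLP:CLEAR feed may see an `initial_release_date` long before the document became public; a sentence stating that the widening of the audience is documented in the revision history, not in `initial_release_date`, would prevent that misreading.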
@@ -3040,8 +3082,8 @@ properties represents a list of all relevant vulnerability information items. The Vulnerability item of value type `object` with 1 or more properties is a container for the aggregation of all fields that are related to a single vulnerability in the document. Any vulnerability MAY provide the optional properties Acknowledgments (`acknowledgments`), Common Vulnerabilities and Exposures (CVE) (`cve`), -Common Weakness Enumeration (CWE) (`cwes`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`), -Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Release Date (`release_date`), +Common Weakness Enumeration (CWE) (`cwes`), Disclosure Date (`disclosure_date`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), +Involvements (`involvements`), Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Remediations (`remediations`), Threats (`threats`), and Title (`title`). ``` @@ -3055,6 +3097,9 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "cwes": { // ... }, + "disclosure_date": { + // ... + }, "discovery_date": { // ... }, @@ -3079,9 +3124,6 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "references": { // ... }, - "release_date": { - // ... - }, "remediations": { // ... }, @@ -3155,7 +3197,7 @@ The Weakness ID (`id`) has value type `string` with `pattern` (regular expressio It holds the ID for the weakness associated. -*Examples 1:* +*Examples 1:* ``` CWE-22 @@ -3166,7 +3208,7 @@ It holds the ID for the weakness associated. The Weakness name (`name`) has value type `string` with 1 or more characters and holds the full name of the weakness as given in the CWE specification. -*Examples 2:* +*Examples 2:* ``` Cross-Site Request Forgery (CSRF) 
@@ -3183,7 +3225,7 @@ The CWE version (`version`) has value type `string` with `pattern` (regular expr It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used. -*Examples 3:* +*Examples 3:* ``` "1.0", @@ -3193,11 +3235,20 @@ When creating or modifying a CSAF document, the latest published version of the "4.12" ``` -#### 3.2.4.4 Vulnerabilities Property - Discovery Date +#### 3.2.4.4 Vulnerabilities Property - Disclosure Date + +Disclosure date (`disclosure_date`) with value type `string` of format `date-time` holds the date and time +the vulnerability was originally disclosed to the public. + +For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability. +As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the +vulnerability was in fact disclosed to the public at that time or update the `disclosure_date` with the new intended date in the future. + +#### 3.2.4.5 Vulnerabilities Property - Discovery Date Discovery date (`discovery_date`) of value type `string` with format `date-time` holds the date and time the vulnerability was originally discovered. -#### 3.2.4.5 Vulnerabilities Property - Flags +#### 3.2.4.6 Vulnerabilities Property - Flags List of flags (`flags`) of value type `array` with 1 or more unique items (a set) of value type `object` contains a list of machine readable flags. 
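Review bot: The new text permits a `disclosure_date` in the future as the intended disclosure date but does not say what that means in a document that is itself distributed as `TLP:CLEAR`; a consumer seeing a public document with a future date cannot tell whether the date is stale or a pre-announcement is intended. If the new test 6.1.45 (Inconsistent Disclosure Date) already covers this combination, a pointer to it belongs here; if not, the paragraph should state explicitly whether a future `disclosure_date` is allowed in `TLP:CLEAR` documents and how consumers should treat it. It would also help to state the opposite direction, e.g. `An absent disclosure_date carries no information about whether the vulnerability has been disclosed to the public.`, so consumers do not infer an embargo from its absence.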
@@ -3266,7 +3317,7 @@ The given values reflect the VEX not affected justifications. See [VEX-Justifica Product IDs (`product_ids`) are of value type Products (`products_t`) and contain a list of Products the current flag item applies to. -#### 3.2.4.6 Vulnerabilities Property - IDs +#### 3.2.4.7 Vulnerabilities Property - IDs List of IDs (`ids`) of value type `array` with one or more unique ID items of value type `object` represents a list of unique labels or tracking IDs for the vulnerability (if such information exists). @@ -3296,7 +3347,7 @@ tracking ID for the vulnerability. System name (`system_name`) of value type `string` with 1 or more characters indicates the name of the vulnerability tracking or numbering system. -*Examples 1:* +*Examples 1:* ``` Cisco Bug ID @@ -3305,7 +3356,7 @@ System name (`system_name`) of value type `string` with 1 or more characters ind Text (`text`) of value type `string` with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists). -*Examples 2:* +*Examples 2:* ``` CSCso66472 @@ -3322,7 +3373,7 @@ Text (`text`) of value type `string` with 1 or more characters is unique label o > The ID MAY be a vendor-specific value but is not to be used to publish the CVE tracking numbers > (MITRE standard Common Vulnerabilities and Exposures), as these are specified inside the dedicated CVE element. -#### 3.2.4.7 Vulnerabilities Property - Involvements +#### 3.2.4.8 Vulnerabilities Property - Involvements List of involvements (`involvements`) of value type `array` with 1 or more unique items (a set) of value type `object` contains a list of involvements. 
@@ -3417,7 +3468,7 @@ The use of this status by a vendor indicates that future updates from the vendor Summary of involvement (`summary`) of value type `string` with 1 or more characters contains additional context regarding what is going on. -#### 3.2.4.8 Vulnerabilities Property - Metrics +#### 3.2.4.9 Vulnerabilities Property - Metrics List of metrics (`metrics`) of value type `array` with 1 or more unique items (a set) of value type `object` Contains metric objects for the current vulnerability. @@ -3446,7 +3497,7 @@ Every Metric item of value type `object` with the mandatory properties `content` } ``` -##### 3.2.4.8.1 Vulnerabilities Property - Metrics - Content +##### 3.2.4.9.1 Vulnerabilities Property - Metrics - Content Content (`content`) of value type `object` with the optional properties CVSS v2 (`cvss_v2`), CVSS v3 (`cvss_v3`) and CVSS v4 (`cvss_v4`) specifies information about (at least one) metric or score for the given products regarding the current vulnerability. A Content object has at least 1 property. @@ -3463,6 +3514,9 @@ A Content object has at least 1 property. }, "cvss_v4": { // ... + }, + "ssvc_v1": { + // .... } } ``` 
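Review bot: The sentence introducing Content, kept as a context line under the renamed heading `3.2.4.9.1`, still lists only `cvss_v2`, `cvss_v3` and `cvss_v4` as the optional properties, while the JSON sample on the new side now adds `ssvc_v1`; readers of the prose will miss the new property. Change that line to `Content (content) of value type object with the optional properties CVSS v2 (cvss_v2), CVSS v3 (cvss_v3), CVSS v4 (cvss_v4) and SSVC v1 (ssvc_v1) specifies ...`. Minor: the new placeholder is `// ....` (four dots) where every other placeholder in the sample uses `// ...`.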
@@ -3477,21 +3531,24 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json). -##### 3.2.4.8.2 Vulnerabilities Property - Metrics - Products +The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at +[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json). + +##### 3.2.4.9.2 Vulnerabilities Property - Metrics - Products Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies. A metric object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; the known affected versions of that product can list the vulnerability score as it applies to them). -##### 3.2.4.8.3 Vulnerabilities Property - Metrics - Source +##### 3.2.4.9.3 Vulnerabilities Property - Metrics - Source Source (`source`) of value type `string` with format `uri` contains the URL of the source that originally determined the metric. If no source is given, then the metric was assigned by the document author. > For example, this could point to the vendor advisory, discoverer blog post, a multiplier's assessment or other sources that provide metric information. -#### 3.2.4.9 Vulnerabilities Property - Notes +#### 3.2.4.10 Vulnerabilities Property - Notes Vulnerability notes (`notes`) of value type Notes Type (`notes_t`) holds notes associated with this vulnerability item. 
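Review bot: The prose says `ssvc_v1` holds a `Decision Point Value Selection v1.x.y` value, but the only schema it cites — and the `$ref` this commit adds to `csaf_json_schema.json` — is pinned to `1-0-1`, so a document carrying a later 1.x selection could satisfy the prose and fail schema validation. State which governs: either drop `v1.x.y` and write `... holding an SSVC Decision Point Value Selection value abiding by the schema (version 1.0.1) at ...`, or state that later 1.x schema versions MUST remain compatible with the referenced one. Unless addressed elsewhere, it would also help to say whether conformant validators may use a bundled copy of the referenced schema, since the `$ref` is resolved by URL and otherwise validation of every document depends on the availability of that host.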
@@ -3509,7 +3566,7 @@ The following combinations of `category` and `title` have a special meaning and | `description` | Preconditions | Contains a description of the preconditions that have to be fulfilled to be able to exploit the vulnerability, e.g. user account or physical access. | | `summary` | Vulnerability Summary | Contains a summary of the vulnerability which is not the official CVE description. | -#### 3.2.4.10 Vulnerabilities Property - Product Status +#### 3.2.4.11 Vulnerabilities Property - Product Status Product status (`product_status`) of value type `object` with 1 or more properties contains different lists of `product_ids` which provide details on the status of the referenced product related to the current vulnerability. @@ -3583,7 +3640,7 @@ Under investigation (`under_investigation`) of value type Products (`products_t` are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document. -#### 3.2.4.11 Vulnerabilities Property - References +#### 3.2.4.12 Vulnerabilities Property - References Vulnerability references (`references`) of value type References Type (`references_t`) holds a list of references associated with this vulnerability item. @@ -3594,11 +3651,6 @@ list of references associated with this vulnerability item. }, ``` -#### 3.2.4.12 Vulnerabilities Property - Release Date - -Release date (`release_date`) with value type `string` of format `date-time` holds the date and time -the vulnerability was originally released into the wild. - #### 3.2.4.13 Vulnerabilities Property - Remediations List of remediations (`remediations`) of value type `array` with 1 or more Remediation items of value type `object` contains a list of remediations. 
@@ -4084,7 +4136,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > As a result, a `/document/tracking/id` with the value `2022_#01-A` is converted into `2022_01-a` instead of `2022__01-a`. 3. The file extension `.json` MUST be appended. -*Examples 1:* +*Examples 1:* ``` cisco-sa-20190513-secureboot.json @@ -4095,7 +4147,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > It is currently considered best practice to indicate that a CSAF document is invalid by > inserting `_invalid` into the filename in front of the file extension. -*Examples 2:* +*Examples 2:* ``` cisco-sa-20190513-secureboot_invalid.json @@ -4149,7 +4201,7 @@ The `/product_tree` uses a nested structure for `branches`. Along a single path If a product consists of hardware and software, the hardware part MUST be presented as one product in the product tree and the software part as another one. To form the overall product, both parts MUST be combined through a relationship. -*Examples 1:* +*Examples 1:* ``` "product_tree": { @@ -4307,7 +4359,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/product_ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4338,7 +4390,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4372,7 +4424,7 @@ The relevant path for this test is: > a Product ID defined in a relationship item is used as `product_reference` or `relates_to_product_reference`. > Only for those which fulfill this condition it is necessary to run the full check following the references. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -4411,7 +4463,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/group_ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4450,7 +4502,7 @@ The relevant path for this test is: /product_tree/product_groups[]/group_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4526,7 +4578,7 @@ Contradiction groups are: > Note: An issuer might recommend (`/vulnerabilities[]/product_status/recommended`) a product version from any group - also from the affected group, > i.e. if it was discovered that fixed versions introduce a more severe vulnerability. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4565,7 +4617,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4624,7 +4676,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4665,7 +4717,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4692,7 +4744,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4715,7 +4767,7 @@ The relevant paths for this test are: > A tool MAY overwrite contradicting values according to the `vectorString` as quick fix. -### 6.1.11 CWE +### 6.1.11 CWE For each CWE it MUST be tested that the given CWE exists and is valid in the version provided. Any `id` that refers to a CWE Category or View MUST fail the test. 
@@ -4726,7 +4778,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -4751,7 +4803,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "EZ" @@ -4773,7 +4825,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/purls[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4805,7 +4857,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4834,7 +4886,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -4865,7 +4917,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4899,7 +4951,7 @@ The relevant path for this test is: /document/tracking/status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4921,7 +4973,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4955,7 +5007,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4984,7 +5036,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { 
@@ -5010,7 +5062,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -5039,7 +5091,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -5068,7 +5120,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5093,7 +5145,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5129,7 +5181,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5189,7 +5241,7 @@ The relevant path for this test is: /document/category ``` -*Examples 1 (for currently prohibited values):* +*Examples 1 (for currently prohibited values):* ``` Csaf_a @@ -5200,7 +5252,7 @@ The relevant path for this test is: V_eX ``` -*Example 2 (which fails the test):* +*Example 2 (which fails the test):* ``` "category": "Security_Incident_Response" @@ -5234,7 +5286,7 @@ The relevant path for this test is: /document/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "notes": [ @@ -5265,7 +5317,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -5295,7 +5347,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
@@ -5326,7 +5378,7 @@ The relevant path for this test is: /product_tree ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5358,7 +5410,7 @@ The relevant path for this test is: /vulnerabilities[]/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5386,7 +5438,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5418,7 +5470,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { @@ -5450,7 +5502,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5481,7 +5533,7 @@ The relevant path for this test is: /vulnerabilities[]/threats ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5553,7 +5605,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5626,7 +5678,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5652,7 +5704,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -5680,7 +5732,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ 
@@ -5707,7 +5759,7 @@ The relevant paths for this test are: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -5768,7 +5820,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -5792,7 +5844,7 @@ The relevant path for this test is: /vulnerabilities[]/flags[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "flags": [ @@ -5807,7 +5859,7 @@ The relevant path for this test is: ### 6.1.33 Multiple Flags with VEX Justification Codes per Product For each item in `/vulnerabilities[]` it MUST be tested that a Product is not member of more than one Flag item with -a VEX justification code (see section [3.2.4.5](#vulnerabilities-property-flags)). +a VEX justification code (see section [3.2.4.6](#vulnerabilities-property-flags)). This takes indirect relations through Product Groups into account. > Additional flags with a different purpose might be provided in later versions of CSAF. @@ -5819,7 +5871,7 @@ The relevant path for this test is: /vulnerabilities[]/flags ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5884,7 +5936,7 @@ The relevant path for this test is: /product_tree/branches[](/branches[])*/product ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6094,7 +6146,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ @@ -6133,7 +6185,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { 
@@ -6165,15 +6217,15 @@ The relevant path for this test is: /document/tracking/generator/date /document/tracking/initial_release_date /document/tracking/revision_history[]/date + /vulnerabilities[]/disclosure_date /vulnerabilities[]/discovery_date /vulnerabilities[]/flags[]/date - /vulnerabilities[]/release_date /vulnerabilities[]/involvements[]/date /vulnerabilities[]/remediations[]/date /vulnerabilities[]/threats[]/date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "current_release_date": "2024-01-24 10:00:00.000Z", @@ -6191,7 +6243,7 @@ The relevant path for this test is: /document/distribution/tlp/label ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6220,7 +6272,7 @@ The relevant path for this test is: /document/distribution/sharing_group/id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6247,7 +6299,7 @@ The relevant path for this test is: /document/distribution/sharing_group/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6273,7 +6325,7 @@ The relevant path for this test is: /document/distribution/sharing_group/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6300,7 +6352,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/purls[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -6321,6 +6373,293 @@ The relevant paths for this test are: > The two purls differ in the name component. +### 6.1.43 Use of Multiple Stars in Model Number + +For each model number it MUST be tested that the it does not contain multiple unescaped stars. + +> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited. + +The relevant paths for this test are: + +``` + /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[] + /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[] + /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[] +``` + +*Example 1 (which fails the test):* + +``` + "model_numbers": [ + "P*A*" + ] +``` + +> The model number contains two unescaped stars. + +### 6.1.44 Use of Multiple Stars in Serial Number + +For each serial number it MUST be tested that the it does not contain multiple unescaped stars. + +> Multiple `*` that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited. + +The relevant paths for this test are: + +``` + /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[] + /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[] + /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[] +``` + +*Example 1 (which fails the test):* + +``` + "serial_numbers": [ + "P*A*" + ] +``` + +> The serial number contains two unescaped stars. + +### 6.1.45 Inconsistent Disclosure Date + +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` +if the document is labeled `TLP:CLEAR` and the document status is `final` or `interim`. 
+As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + // ... + "tracking": { + // ... + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + // ... + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the `date` of newest item in the `revision_history`. + +### 6.1.46 Invalid SSVC + +It MUST be tested that the given SSVC object is valid according to the referenced schema. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1 +``` + +*Example 1 (which fails the test):* + +``` + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "timestamp": "2024-01-24T10:00:00.000Z" + } +``` + +> The required element `selections` is missing. + +> A tool MAY add the missing property `id` based on the values given in `cve` respectively `ids[]/text` as quick fix. + +### 6.1.47 Inconsistent SSVC ID + +For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array. +The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability. 
+ +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/id +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0002", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC ID does not match the CVE ID. + +### 6.1.48 SSVC Decision Points + +For each SSVC decision point given under `selections` with a registered `namespace`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly. + +> According to the SSVC project, the following values are currently registered: +> +> ``` +> cvss +> nciss +> ssvc +> ``` +> +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). +> The items in `values` need to have the same order as in their definition. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None", + "Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC decision point `Mission Impact` doesn't have the value `Degraded` in version `1.0.0`. + +> If applicable, a tool MAY sort the items in `values` according to the order of their definition as a quick fix. 
+ +### 6.1.49 Inconsistent SSVC Timestamp + +For each vulnerability, it MUST be tested that the SSVC `timestamp` is earlier or equal to the `date` of the newest item of the `revision_history` +if the document status is `final` or `interim`. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + // ... + "tracking": { + // ... + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + // ... + } + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "Active" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-07-13T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The document is in status `final` but the SSVC `timestamp` is newer than the `date` of newest item in the `revision_history`. + ## 6.2 Optional Tests Optional tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid. @@ -6342,7 +6681,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6375,7 +6714,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
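Review bot: The relevant paths of the new tests 6.1.43 and 6.1.44 put `product_identification_helper` underneath `product_id` (`/product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]` and the matching `relationships[]/full_product_name/product_id/...` line), whereas every other path in this file reaches the helper directly from the full product name, e.g. `/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]`; since `product_id` is a plain identifier these two paths appear not to resolve and should read `/product_tree/full_product_names[]/product_identification_helper/model_numbers[]` and `/product_tree/relationships[]/full_product_name/product_identification_helper/model_numbers[]` (likewise for `serial_numbers[]`). Both tests also say "tested that the it does not contain multiple unescaped stars"; drop "the". In 6.1.47 the first sentence restricts `id` to `cve` or an `ids[]/text` value, but the second sentence implies that `/document/tracking/id` is acceptable when the document holds a single vulnerability; state that exception in the first sentence so the two do not contradict each other. In 6.1.48 "tested that given decision point exists" is missing "the".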
@@ -6412,7 +6751,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/last_affected[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6446,7 +6785,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -6471,7 +6810,7 @@ The relevant path for this test is: /document/tracking/initial_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6507,7 +6846,7 @@ The relevant path for this test is: /document/tracking/current_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6542,7 +6881,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6574,7 +6913,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6617,7 +6956,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6666,7 +7005,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6701,7 +7040,7 @@ The relevant path for this test is: /document/lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { 
@@ -6731,7 +7070,7 @@ The relevant path for this test is: / ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6756,7 +7095,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "qtx" @@ -6777,7 +7116,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "i-default" @@ -6799,7 +7138,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "full_product_names": [ @@ -6824,7 +7163,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "ids": [ @@ -6857,7 +7196,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -6885,7 +7224,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status/fixed[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6941,7 +7280,7 @@ The relevant path for this test is: > To implement this test it is deemed sufficient to validate the CSAF document against a "strict" version schema that > sets `additionalProperties` to `false` for every key of type `object`. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6967,7 +7306,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ 
@@ -6996,7 +7335,7 @@ The relevant path for this test is: /document/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)", @@ -7022,7 +7361,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7049,7 +7388,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -7089,7 +7428,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7116,7 +7455,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7142,7 +7481,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { @@ -7173,7 +7512,7 @@ The relevant path for this test is: /document/distribution/sharing_group/id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -7199,7 +7538,7 @@ The relevant path for this test is: /document/distribution/sharing_group/id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -7225,7 +7564,7 @@ The relevant path for this test is: /document/distribution/sharing_group ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -7260,7 +7599,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -7313,7 +7652,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id/product_identification_helper ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -7362,6 +7701,143 @@ The relevant paths for this test are: > Both products are identified by the same serial number `143-D-354`. +### 6.2.33 Disclosure Date newer than Revision History + +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` +if the `disclosure_date` is in the past at the time of the test execution. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + // ... + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + // ... + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The `disclosure_date` is in the past but newer than the date of newest item in the `revision_history`. + +### 6.2.34 Usage of Unknown SSVC Decision Point Namespace + +For each SSVC decision point given under `selections`, it MUST be tested the `namespace` is one of the case-sensitive registered namespaces. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... 
+ } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. + +### 6.2.35 Usage of Unknown SSVC Role + +For each SSVC object, it MUST be tested the `role` is one of the case-sensitive registered roles. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/role +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. + ## 6.3 Informative Test Informative tests provide insights in common mistakes and bad practices. @@ -7384,7 +7860,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -7432,7 +7908,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -7464,7 +7940,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -7492,7 +7968,7 @@ The relevant path for this test is: /vulnerabilities[]/cwe ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
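Review bot: The example for 6.2.35 does not exercise the test it belongs to: its `ssvc_v1` object carries no `role` property, and the two explanatory lines below it are copied from 6.2.34 and talk about an unregistered namespace instead of an unknown role. The example should contain a `role` with a non-registered value (a constructed sample such as `"role": "an-unknown-role"`) and the explanation should say that this role is not a registered role and that readers may therefore be unable to interpret the selection. The test sentence "it MUST be tested the `role` is one of" (and the same wording for `namespace` in 6.2.34) is missing "that". Neither section says where the registered roles and namespaces are maintained, unlike 6.1.48 which links the SSVC repository; a reference would make both tests implementable without guessing.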
@@ -7517,7 +7993,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -7578,7 +8054,7 @@ The relevant paths for this test are: /vulnerabilities[]/remediations[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -7607,7 +8083,7 @@ The relevant paths for this test are: /vulnerabilities[]/references[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -7668,7 +8144,7 @@ The relevant paths for this test are: /vulnerabilities[]/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -7700,7 +8176,7 @@ The relevant paths for this test are: /product_tree/branches ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7742,7 +8218,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/category ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "category": "product_version_range", @@ -7767,7 +8243,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7791,7 +8267,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[]/content ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -7825,6 +8301,53 @@ The relevant path for this test is: > There is no CVSS v4.0 score given for `CSAFPID-9080700`. +### 6.3.13 Usage of Non-Latest SSVC Decision Point Version + +For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested the latest decision point `version` available at the time of the `timestamp` was used. +The test SHALL fail if a later `version` was used. + +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> At the timestamp `2024-01-24T10:00:00.000Z` version `2.0.0` of the SSVC decision point `Mission Impact` was already available. + ------- # 7. Distributing CSAF documents @@ -7901,7 +8424,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA > * https://psirt.domain.tld/advisories/csaf/provider-metadata.json > * https://domain.tld/security/csaf/provider-metadata.json -*Example 1 (minimal with ROLIE document):* +*Example 1 (minimal with ROLIE document):* ``` { @@ -7963,7 +8486,7 @@ See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details. > The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. > The `CSAF` field was officially added through the IANA registry. -*Examples 1:* +*Examples 1:* ``` CSAF: https://domain.tld/security/data/csaf/provider-metadata.json 
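Review bot: The second sentence of 6.3.13, "The test SHALL fail if a later `version` was used.", is ambiguous next to the first, which requires the latest version available at the `timestamp`: "later" either means a version newer than the one available at that time, i.e. one that did not yet exist, or it contradicts the requirement to use the latest one. If the former is meant, say so, for example: "The test SHALL also fail if the `version` used was not yet published at the time of the `timestamp`." A selection whose `version` postdates its own `timestamp` is an internal inconsistency of the document rather than a bad practice, so it may fit better as a mandatory test next to 6.1.49 than in the informative section. The first sentence also reads "it MUST be tested the latest decision point" and is missing "that".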
@@ -7983,7 +8506,7 @@ The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details. -*Example 1:* +*Example 1:* ``` https://www.example.com/.well-known/csaf/provider-metadata.json @@ -7991,8 +8514,13 @@ The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more ### 7.1.10 Requirement 10: DNS path -The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly -the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. +Assuming that the organization's main domain is `domain.tld`, the DNS record `csaf.data.security.domain.tld` SHALL resolve +to the IP address of a web server which serves directly the `provider-metadata.json` according to requirement 7. + +> The `domain.tld` is just a placeholder for the organization's main domain. +> For the organization with the main domain being `example.com`, the necessary DNS record is `csaf.data.security.example.com`. + +That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. ### 7.1.11 Requirement 11: One folder per year @@ -8000,7 +8528,7 @@ The use of the scheme "HTTPS" is required. The CSAF documents MUST be located within folders named `` where `` is the year given in the value of `/document/tracking/initial_release_date`. -*Examples 1:* +*Examples 1:* ``` 2024 @@ -8011,7 +8539,7 @@ value of `/document/tracking/initial_release_date`. The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames. -*Example 1:* +*Example 1:* ``` 2023/esa-2023-09953.json 
@@ -8032,7 +8560,7 @@ The `changes.csv` SHALL be a valid comma separated values format as defined by \ > Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) > Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. -*Example 1:* +*Example 1:* ``` 2023/esa-2023-09953.json,2023-07-01T10:09:07Z @@ -8061,7 +8589,7 @@ At least one of the feeds MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\]. -*Example 1:* +*Example 1:* ``` { @@ -8130,7 +8658,7 @@ If it is used, each ROLIE service document MUST be a JSON file that conforms wit Additionally, it can also list the corresponding ROLIE category documents. The ROLIE service document SHOULD use the filename `service.json` and reside next to the `provider-metadata.json`. -*Example 1:* +*Example 1:* ``` { @@ -8174,7 +8702,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * `product_version` * type of product - *Examples 1:* + *Examples 1:* ``` CPU @@ -8189,7 +8717,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * areas or sectors, the products are used in - *Examples 2:* + *Examples 2:* ``` Chemical @@ -8204,7 +8732,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * any other categorization useful to the consumers -*Example 3:* +*Example 3:* ``` { @@ -8228,7 +8756,7 @@ to ensure their integrity. The filename is constructed by appending the file ext MD5 and SHA1 SHOULD NOT be used. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json 
@@ -8239,7 +8767,7 @@ File name of SHA-512 hash file: esa-2022-02723.json.sha512 The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space. -*Example 2:* +*Example 2:* ``` ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json @@ -8254,7 +8782,7 @@ extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See \[[RFC4880](#RFC4880)\] for more details. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -8300,7 +8828,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`. The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider. -*Example 1:* +*Example 1:* ``` { @@ -8356,7 +8884,7 @@ Each such folder MUST at least: * provide a `provider-metadata.json` for the current issuing party. * provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document. -*Example 1:* +*Example 1:* ``` { @@ -8749,6 +9277,7 @@ Secondly, the program fulfills the following for all items of: been removed. * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a warning that this CWE has been removed as its usage is not allowed in vulnerability mappings. +* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date` element. * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array. * `/vulnerabilities[]/remediations[]`: * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under 
@@ -8787,7 +9316,7 @@ Secondly, the program fulfills the following for all items of: the CVRF CSAF converter uses the following steps: 1. Retrieve the CVSS version from the CVSS vector, if present. - *Example 1:* + *Example 1:* ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1 @@ -8796,7 +9325,7 @@ Secondly, the program fulfills the following for all items of: 2. Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace. - *Example 2:* + *Example 2:* ``` xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd" @@ -8806,7 +9335,7 @@ Secondly, the program fulfills the following for all items of: is handled the same as - *Example 3:* + *Example 3:* ``` @@ -8817,7 +9346,7 @@ Secondly, the program fulfills the following for all items of: If more than one CVSS namespace is present and the element is not clearly defined via the namespace, this step MUST be skipped without a decision. - *Example 4:* + *Example 4:* ``` xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0 @@ -8859,6 +9388,8 @@ A CSAF content management system satisfies the "CSAF content management system" the configuration (default: 3 weeks) * suggest to publish a new version of the CSAF document with the document status `final` if the document status was `interim` and no new release has be done during the given threshold in the configuration (default: 6 weeks) + > Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of + whether the specified target group is the public or a closed group. * support the following workflows: * "New Advisory": create a new advisory, request a review, provide review comments or approve it, resolve review comments; 
@@ -8975,6 +9506,8 @@ The resulting translated document: It SHOULD NOT use the original `/document/tracking/id` as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original `/document/tracking/id` and translated `/document/lang` as a `/document/tracking/id` for the translated document. + > Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public + or a closed group. * provides the `/document/lang` property with a value matching the language of the translation. * provides the `/document/source_lang` to contain the language of the original document (and SHOULD only be set by CSAF translators). * has the value `translator` set in `/document/publisher/category` 
@@ -9141,8 +9674,38 @@ Secondly, the program fulfills the following for all items of: * type `/$defs/full_product_name_t/product_identification_helper/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. +* type `/$defs/full_product_name_t/model_number`: + * If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial model number was detected and a star has been added. + Such a warning MUST include the model number. + * If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the model number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a model number with multiple stars was detected and removed. + Such a warning MUST include the model number. + + > A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all model numbers as part of the model number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all model numbers as part of the model number itself and therefore escape it. + * type `/$defs/full_product_name_t/product_identification_helper/purls`: If a `/$defs/full_product_name_t/product_identification_helper/purl` is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding `purls` array. 
+* type `/$defs/full_product_name_t/serial_number`: + * If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial serial number was detected and a star has been added. + Such a warning MUST include the serial number. + * If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the serial number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a serial number with multiple stars was detected and removed. + Such a warning MUST include the serial number. + + > A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all serial numbers as part of the serial number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all serial numbers as part of the serial number itself and therefore escape it. + * `/$schema`: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema. * `/document/csaf_version`: The CSAF 2.0 to CSAF 2.1 converter MUST update the value to `2.1`. * `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below: 
@@ -9174,6 +9737,16 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. +* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert its value as value into the `disclosure_date` element. +* `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current + vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1` + object within the current vulnerability. + If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding `notes` item SHALL + be removed. + If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information given, the CSAF 2.0 to CSAF 2.1 converter SHALL + remove the invalid `ssvc_v1` object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data failed. + If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the `ssvc_v1` + object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data would lead to loosing information. * `/vulnerabilities[]/remediations[]`: * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. 
@@ -9191,6 +9764,7 @@ Secondly, the program fulfills the following for all items of: * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`. * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, including the products it was changed for. +* The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning. > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown. @@ -9423,6 +9997,7 @@ The following individuals were members of the OASIS CSAF Technical Committee dur | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20250129-dev | 2025-01-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20250226-dev | 2025-02-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- # Appendix C. Guidance on the Size of CSAF Documents @@ -9486,6 +10061,8 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/acknowledgments[]/urls` * `/vulnerabilities[]/cwes` * `/vulnerabilities[]/ids` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values` * `/vulnerabilities[]/remediations[]/entitlements` * 40 000 items for 
@@ -9614,6 +10191,12 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/metrics[]/content/cvss_v2/vectorString` * `/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString` * `/vulnerabilities[]/metrics[]/content/cvss_v4/vectorString` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/id` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/role` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version` * `/vulnerabilities[]/metrics[]/products[]` * `/vulnerabilities[]/notes[]/audience` * `/vulnerabilities[]/notes[]/title` @@ -9669,10 +10252,11 @@ The maximum length of strings representing a temporal value is given by the form * `/document/tracking/generator/date` * `/document/tracking/initial_release_date` * `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/disclosure_date` * `/vulnerabilities[]/discovery_date` * `/vulnerabilities[]/flags[]/date` * `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp` * `/vulnerabilities[]/remediations[]/date` * `/vulnerabilities[]/threats[]/date` @@ -9690,6 +10274,7 @@ It seems to be safe to assume that the length of this value is not greater than For all other values, it seems to be safe to assume that the length of each value is not greater than 50. This applies to: + * `/document/csaf_version` (3) * `/document/distribution/tlp/label` (12) * `/document/notes[]/category` (16) 
@@ -9779,6 +10364,7 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnConfidentialityImpact` (4) * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnerabilityResponseEffort` (11) * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact` (4) +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion` (5) * `/vulnerabilities[]/notes[]/category` (16) * `/vulnerabilities[]/references[]/category` (8) * `/vulnerabilities[]/remediations[]/category` (14) diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json new file mode 100644 index 000000000..e5e295446 --- /dev/null +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json 
@@ -0,0 +1,125 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "title": "Decision Point schema definition", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json", + "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.", + "$defs": { + "schemaVersion": { + "description": "Schema version used to represent this Decision Point.", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "decision_point_value": { + "type": "object", + "additionalProperties": false, + "properties": { + "key": { + "type": "string", + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.", + "minLength": 1, + "examples": [ + "P", + "Y" + ] + }, + "name": { + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] + }, + "description": { + "type": "string", + "description": "A full description of the Decision Point Value.", + "minLength": 1, + "examples": [ + "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.", + "Attackers can reliably automate steps 1-4 of the kill chain." + ] + } + }, + "required": [ + "key", + "name", + "description" + ] + }, + "decision_point": { + "type": "object", + "additionalProperties": false, + "properties": { + "schemaVersion": { + "$ref": "#/$defs/schemaVersion" + }, + "namespace": { + "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", + "examples": [ + "ssvc", + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" + ] + }, + "version": { + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] + }, + "key": { + "type": "string", + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point.", + "minLength": 1, + "examples": [ + "E", + "A" + ] + }, + "name": { + "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, + "examples": [ + "Exploitation", + "Automatable" + ] + }, + "description": { + "type": "string", + "description": "A full description of the Decision Point, explaining what it represents and how it is used in SSVC.", + "minLength": 1 + }, + "values": { + "description": "A set of possible answers for a given Decision Point", + "uniqueItems": true, + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/decision_point_value" + } + } + }, + "required": [ + "namespace", + "version", + "key", + "name", + "description", + "values", + "schemaVersion" + ] + } + }, + "$ref": "#/$defs/decision_point" +} \ No newline at end of file diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json new file mode 100644 index 000000000..ca4d43efe --- /dev/null +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json 
@@ -0,0 +1,94 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", + "$defs": { + "id": { + "type": "string", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-1900-1234", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ], + "minLength": 1 + }, + "role": { + "type": "string", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ], + "minLength": 1 + }, + "timestamp": { + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", + "type": "string", + "format": "date-time" + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", + "properties": { + "name": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" + }, + "namespace": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" + }, + "values": { + "description": "One or more Decision Point Values that were selected for this Decision Point. 
If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" + } + }, + "version": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": "#/$defs/id" + }, + "role": { + "$ref": "#/$defs/role" + }, + "schemaVersion": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" + }, + "timestamp": { + "$ref": "#/$defs/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false +} \ No newline at end of file diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh index fbaf761af..21b3ff0d9 100755 --- a/csaf_2.1/test/aggregator_schema/run_tests.sh +++ b/csaf_2.1/test/aggregator_schema/run_tests.sh 
@@ -8,6 +8,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py @@ -20,7 +22,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh index d24a9ed4f..1d5aeb18c 100755 --- a/csaf_2.1/test/csaf_schema/run_tests.sh +++ b/csaf_2.1/test/csaf_schema/run_tests.sh 
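Review bot: The rewritten `if python3 ${VALIDATOR} ${SCHEMA} $1 ...` line inside `validate()` still passes `$1` and all nine schema paths unquoted, so a fixture or schema path containing whitespace or a glob character would be word-split before it reaches validator.py; quote them, e.g. `if python3 "${VALIDATOR}" "${SCHEMA}" "$1" "${CSAF_STRICT_SCHEMA}" "${CVSS_20_STRICT_SCHEMA}" "${CVSS_30_STRICT_SCHEMA}" "${CVSS_31_STRICT_SCHEMA}" "${CVSS_40_STRICT_SCHEMA}" "${SSVC_101_DPVS_SCHEMA}" "${SSVC_101_DP_SCHEMA}" "${PROVIDER_STRICT_SCHEMA}"; then`. Supplying the local CERT/CC copies is the right way to keep the `$ref` to the certcc.github.io `$id` from being resolved over the network during tests, which keeps results deterministic and independent of the upstream host. Since the value-selection schema itself `$ref`s the decision-point schema, this presumably relies on validator.py registering each file under its `$id` rather than by argument position; worth confirming, as the DPVS file is listed before the DP file it depends on. `validate()` ends (`fi`, `}`) outside the hunk.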
@@ -7,6 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/examples/csaf/$1/*.json @@ -18,7 +20,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh index 0ec6b8648..24ff6181f 100755 --- a/csaf_2.1/test/provider_schema/run_tests.sh +++ b/csaf_2.1/test/provider_schema/run_tests.sh 
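Review bot: The two new `SSVC_101_*_SCHEMA` variables point at local copies of schemas whose canonical `$id` is a certcc.github.io URL, but nothing in the script records which upstream revision was copied, so drift between the vendored files under `referenced_schema/certcc/` and the URL the CSAF schema `$ref`s would go unnoticed. A one-line comment above them would make the provenance explicit, e.g. `# Local copies of https://certcc.github.io/SSVC/data/schema/v1/*-1-0-1.schema.json (keep in sync with upstream; passed so validation stays offline)`. Both files have to be supplied together because `Decision_Point_Value_Selection` `$ref`s `Decision_Point`, which the hunk does.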
@@ -7,6 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py @@ -19,7 +21,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json new file mode 100644 index 000000000..a38018fed --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Usage of Non-Latest SSVC Decision Point Version (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-13-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json new file mode 100644 index 000000000..1b3602959 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Usage of Non-Latest SSVC Decision Point Version (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-13-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Degraded" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json new file mode 100644 index 000000000..513dd0cd4 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json 
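Review bot: The "valid" outcome of this fixture depends on `"version": "2.0.0"` being the latest published version of the `ssvc` `Mission Impact` decision point at the time the validator runs, so the fixture will silently turn into a failing case as soon as CERT/CC publishes a newer version, and the paired failing example 1 (version `1.0.0`) only fails for the same external reason. Since the file is strict JSON there is nowhere to record that assumption inline; presumably the test description for 6.3.13 should state which decision-point registry snapshot the expectation is tied to, or the fixture should be regenerated with each CSAF release. Nothing in the hunk itself is malformed; `"Degraded"` is the correct 2.0.0 value name.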
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-02",
+ "initial_release_date": "2024-01-24T10:00:00.000z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000+00:10:21",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json
new file mode 100644
index 000000000..48e0045ee
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2017-01-01T02:59:60+04:00",
+ "discovery_date": "2014-13-31T00:00:00+01:00"
+ }
+ ]
+}
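Review bot: This failing fixture bundles three independent defects (`current_release_date` without a zone designator, a lowercase `z` in `initial_release_date`, and a seconds component in the `+00:10:21` offset of `revision_history[0].date`), so it cannot tell which of the three checks a validator actually implements — a validator that only catches the missing zone and the malformed offset would still pass. The lowercase `z` is the weakest of the three: RFC 3339 section 5.6 explicitly permits lowercase `t`/`z`, so it is only a failure if the CSAF 2.1 date-time profile restricts to uppercase, which I cannot confirm from this diff. Splitting the case into one fixture per defect (or at least moving the lowercase-`z` case into its own fixture) would make the expected failure unambiguous.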
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json new file mode 100644 index 000000000..e00b3731c --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json @@ -0,0 +1,38 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2023-04-31T00:00:00+01:00", + "discovery_date": "2023-02-30T00:00:00+01:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json new file mode 100644 index 000000000..01f0db67b --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json 
@@ -0,0 +1,38 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (failing example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-05", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2023-02-29T00:00:00+01:00", + "discovery_date": "1900-02-29T00:00:00+01:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json new file mode 100644 index 000000000..200a1e68e --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json 
@@ -0,0 +1,38 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2015-06-30T10:29:60-13:30", + "discovery_date": "2015-06-30T23:59:60+00:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json new file mode 100644 index 000000000..46994847d --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json 
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2016-12-31T00:00:60+23:59",
+ "discovery_date": "2015-07-01T06:59:60+07:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json
new file mode 100644
index 000000000..2178a28f6
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json
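Review bot: The `disclosure_date` value `"2016-12-31T00:00:60+23:59"` in this "valid" fixture does not denote a real leap second: under RFC 3339 semantics (UTC = local time minus offset, the convention that makes failing example 3's `02:59:60+04:00` invalid and valid example 4's `02:59:60+03:00` valid elsewhere in this series) it resolves to 2016-12-30T00:01:60Z, while the only leap second that month was 2016-12-31T23:59:60Z. The offset sign looks inverted; `"disclosure_date": "2016-12-31T00:00:60-23:59"` (or equivalently `"2017-01-01T23:58:60+23:59"`) maps to the actual leap second. As written, a validator that correctly checks `:60` against the UTC instant will reject this fixture and one that ignores the offset will accept it, which is the opposite of what a valid example should establish. The `discovery_date` value `"2015-07-01T06:59:60+07:00"` does resolve to 2015-06-30T23:59:60Z and is fine.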
@@ -0,0 +1,38 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2016-12-31T23:59:60+00:00", + "discovery_date": "2017-01-01T02:59:60+03:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json new file mode 100644 index 000000000..eed43f7e5 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json 
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 5)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-15",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2020-02-29T03:14:58+00:00",
+ "discovery_date": "2000-02-29T02:14:58+03:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json
new file mode 100644
index 000000000..7b84e48d5
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Model Number (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "model_numbers": [
+ "P*A*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json
new file mode 100644
index 000000000..f1d2bf894
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Model Number (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "model_numbers": [
+ "*P*\\*?*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json
new file mode 100644
index 000000000..d27289d90
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json
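Review bot: Neither failing fixture for model numbers exercises an escaped backslash followed by a real wildcard, e.g. `"P\\\\*A*"` (decoded value `P\\*A*`, which contains two unescaped stars). A validator that implements the rule as "a `*` not immediately preceded by `\`" would wrongly treat the first star as escaped and accept that value, and nothing in -43-01 or -43-02 catches it; -43-13 only covers the `\\\\?` sequence on the valid side. Suggest a third failing example with that model number so the escape grammar (`\\` escapes the backslash, not the following star) is pinned down.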
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "model_numbers": [
+ "PA*",
+ "P?A*",
+ "P??A*",
+ "P???A*",
+ "P????A*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json
new file mode 100644
index 000000000..d651d3a60
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "model_numbers": [
+ "*P\\*\\*?\\*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json
new file mode 100644
index 000000000..4db911207
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "model_numbers": [
+ "P\\*\\*\\\\?"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json
new file mode 100644
index 000000000..3a02f2d37
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "P*A*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json
new file mode 100644
index 000000000..6079b0212
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "*P*\\*?*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json
new file mode 100644
index 000000000..a2ca578c1
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json
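Review bot: As with the model-number suite, the two failing serial-number fixtures never put a real wildcard right after an escaped backslash, e.g. `"P\\\\*A*"` (decoded `P\\*A*`, two unescaped stars). A naive "star not preceded by backslash" check passes that value, and -44-01/-44-02 would not expose the bug; -44-13 covers `\\\\?` only as a valid case. A third failing example with that serial number would close the gap.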
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "PA*",
+ "P?A*",
+ "P??A*",
+ "P???A*",
+ "P????A*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json
new file mode 100644
index 000000000..0f56680d7
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "*P\\*\\*?\\*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json
new file mode 100644
index 000000000..16f384852
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "P\\*\\*\\\\?"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json
new file mode 100644
index 000000000..6f6e6954a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-24T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json
new file mode 100644
index 000000000..0b7df51c2
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json
@@ -0,0 +1,42 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2025-02-26T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json
new file mode 100644
index 000000000..b21be1b02
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-01-24T09:00:00.000-06:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json
new file mode 100644
index 000000000..b66dd4834
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-01-24T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json
new file mode 100644
index 000000000..1c0abf5ad
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json
@@ -0,0 +1,42 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-26T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json
new file mode 100644
index 000000000..7c76f9ab8
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json
@@ -0,0 +1,42 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "AMBER+STRICT"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2025-02-26T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json
new file mode 100644
index 000000000..fbee7b5e3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent Disclosure Date (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-01-24T09:00:00.000+06:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json
new file mode 100644
index 000000000..d7b15647a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid SSVC (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json
new file mode 100644
index 000000000..ce1c77daa
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json
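Review bot: Nothing in this fixture is malformed against the CSAF schema itself; the expected failure rests solely on the referenced SSVC schema (`Decision_Point_Value_Selection-1-0-1`) requiring `selections`, which the `ssvc_v1` object here omits. That makes the verdict of this test only as stable as the remote `$ref` target, so validators running the suite should bundle a pinned copy of that schema (matching `"schemaVersion": "1-0-1"`) rather than resolving it over the network at validation time, otherwise an upstream edit or a fetch failure silently flips the result. Presumably the TC keeps a vendored copy alongside the CSAF schema; if not, it is worth adding before this fixture is relied on.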
@@ -0,0 +1,67 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid SSVC (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Attack Complexity",
+ "namespace": "cvss",
+ "value": "Low",
+ "version": "3.0.1"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json
new file mode 100644
index 000000000..26240b953
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid SSVC (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Mission Impact",
+ "namespace": "ssvc",
+ "values": [
+ "None"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json
new file mode 100644
index 000000000..2854910c2
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid SSVC (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Attack Complexity",
+ "namespace": "cvss",
+ "values": [
+ "Low"
+ ],
+ "version": "3.0.1"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json
new file mode 100644
index 000000000..91a4ce2dd
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC ID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0002",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "None"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json
new file mode 100644
index 000000000..6e94e4b70
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC ID (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "ids": [
+ {
+ "system_name": "Example Companies Bugtracker",
+ "text": "Bug#2723"
+ }
+ ],
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "None"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json
new file mode 100644
index 000000000..67c1539ba
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json
@@ -0,0 +1,74 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "2723", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json new file mode 100644 index 000000000..712483f88 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json 
@@ -0,0 +1,101 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "Bug#2723", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + }, + { + "cve": "CVE-1900-0001", + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-04", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json new file mode 100644 index 000000000..931f5d9ce --- /dev/null 
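Review bot: The second vulnerability's SSVC `"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-04"` does not match its `cve` (CVE-1900-0001), its `ids[].text` (Bug#2723) or the document tracking id (…-47-04), so this fixture fails for two independent reasons rather than the cross-vulnerability mix-up it appears designed for (the first vulnerability carrying the other one's `Bug#2723`). The `43` looks like a leftover from an earlier numbering of this test; if the second vulnerability is meant to be the clean one, use `"id": "CVE-1900-0001"` there so the only failing condition is the first vulnerability. Note also that whether the first vulnerability fails at all depends on what 6.1.47 requires when neither `cve` nor `ids` is present (tracking-id fallback vs. no constraint) — worth stating in the test description so implementers reject the right thing: an SSVC decision attached to an identifier the advisory does not claim is exactly the prioritisation mix-up downstream consumers must not act on.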
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json @@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json new file mode 100644 index 000000000..16e531e47 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json 
@@ -0,0 +1,75 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json new file mode 100644 index 000000000..d7e4d8201 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json 
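Review bot: This valid fixture (cve plus ids, SSVC id equal to the CVE) pins the same combination as the second vulnerability of 47-14 and leaves an open question uncovered: whether `"id": "Bug#2723"` is accepted when a `cve` is also present. If 6.1.47 allows any of the vulnerability's identifiers, changing this fixture to `"id": "Bug#2723"` would pin that; if the CVE must win when present, a failing fixture with that value is missing instead. Either way the fixture set currently cannot distinguish the two readings, so validators may diverge on real advisories that carry both a CVE and a vendor bug id.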
@@ -0,0 +1,74 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "Bug#2723", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json new file mode 100644 index 000000000..8a29027ae --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json 
@@ -0,0 +1,107 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#3272" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "Bug#3272", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + }, + { + "cve": "CVE-1900-0001", + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json new file mode 100644 index 000000000..3167981b6 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json @@ -0,0 +1,68 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-15", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-15", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json new file mode 100644 index 000000000..8c55143ce --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json 
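Review bot: In valid example 5 the only vulnerability has neither `cve` nor `ids`, and its SSVC `"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-15"` differs from the document tracking id `OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-15`. If 6.1.47 falls back to the document tracking id when no vulnerability identifier exists, this "valid" fixture fails; if the fallback is unconstrained, the value is still misleading because it names a different document. The `43` appears to be a stale artefact of renumbering the test, so this should read `"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-15"`, which is correct under either reading of the rule.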
@@ -0,0 +1,70 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None", + "Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json new file mode 100644 index 000000000..ad7feff83 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impacts", + "namespace": "ssvc", + "values": [ + "Marginal", + "Critical", + "Catastrophic" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json new file mode 100644 index 000000000..eae682056 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json 
@@ -0,0 +1,72 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impact", + "namespace": "ssvc", + "values": [ + "Catastrophic", + "Critical", + "Marginal", + "Negligible" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json new file mode 100644 index 000000000..1236e8dc0 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impact", + "namespace": "ssvc", + "values": [ + "Marginal", + "Critical", + "Catastrophic" + ], + "version": "1.9.7" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json new file mode 100644 index 000000000..64c1d646d --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-05", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Attack Complexity", + "namespace": "cvss", + "values": [ + "Easy" + ], + "version": "3.0.1" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json new file mode 100644 index 000000000..c8d3cca5b --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 6)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-06", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploit Maturity", + "namespace": "cvss", + "values": [ + "Proof-of-Concept", + "Unreported", + "Not Defined" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json new file mode 100644 index 000000000..4d5845cb7 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None", + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json new file mode 100644 index 000000000..4e91e36ad --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impact", + "namespace": "ssvc", + "values": [ + "Marginal", + "Critical", + "Catastrophic" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json new file mode 100644 index 000000000..463d139f5 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json 
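Review bot: This valid fixture declares Safety Impact `"version": "1.0.0"` with the values `Marginal`, `Critical`, `Catastrophic`, yet 48-14 declares the identical value list as valid under `"version": "2.0.0"`, and 48-04 uses it again under the non-existent `1.9.7`. Both 1.0.0 and 2.0.0 can only be valid here if SSVC defines the same value set for both versions; as far as I recall SSVC's Safety Impact 1.0.0 uses the older None/Minor/Major/Hazardous/Catastrophic scale and the Negligible/Marginal/Critical/Catastrophic scale was introduced with 2.0.0 — please confirm against the published decision-point registry. If that is right, this fixture should either move to `"version": "2.0.0"` or, to keep a 1.0.0 case, use `"values": ["Minor", "Major", "Catastrophic"]`; a validator that implements the versioned value lists correctly would otherwise reject a fixture labelled valid.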
@@ -0,0 +1,72 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impact", + "namespace": "ssvc", + "values": [ + "Negligible", + "Marginal", + "Critical", + "Catastrophic" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json new file mode 100644 index 000000000..ee895468a --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json 
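Review bot: Same concern as for 48-12: the full list `Negligible`, `Marginal`, `Critical`, `Catastrophic` is attached to Safety Impact `"version": "1.0.0"`, while 48-14 treats these names as the 2.0.0 value set. If SSVC's 1.0.0 Safety Impact used a different scale (None/Minor/Major/Hazardous/Catastrophic, to be confirmed against the registry), this valid example would be rejected by a correctly versioned validator; switching it to `"version": "2.0.0"` keeps the intended purpose (all values, in order) without depending on that question.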
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impact", + "namespace": "ssvc", + "values": [ + "Marginal", + "Critical", + "Catastrophic" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json new file mode 100644 index 000000000..076e12c54 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-15", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Attack Complexity", + "namespace": "cvss", + "values": [ + "Low" + ], + "version": "3.0.1" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json new file mode 100644 index 000000000..9c641c611 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 6)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-16", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploit Maturity", + "namespace": "cvss", + "values": [ + "Unreported", + "Proof-of-Concept", + "Not Defined" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json new file mode 100644 index 000000000..501149c79 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "Active" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-07-13T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json new file mode 100644 index 000000000..e5608a9a1 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json 
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Public PoC"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-02-28T14:30:00.000-20:00"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json
new file mode 100644
index 000000000..e4d23c566
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json
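Review bot: The `timestamp` value `2024-02-28T14:30:00.000-20:00` carries a twenty-hour UTC offset, which the RFC 3339 grammar admits (hour 00–23) but which lies outside the range several widely used date-time libraries accept (java.time's ZoneOffset stops at ±18:00, .NET's DateTimeOffset at ±14:00), so a validator built on those will fail with a parse error rather than report the 6.1.49 inconsistency this fixture is meant to provoke. The same applies to the `-19:00` offset in the 6-1-49-12 fixture and the `-21:00` offset in the 6-2-33-02 fixture. If the point is only that the comparison with `current_release_date` must normalise to UTC first, an offset a real zone uses yields the same instant, e.g. `"timestamp": "2024-02-29T00:30:00.000-10:00"` here (still 2024-02-29T10:30Z, thirty minutes after the current release date). If exotic offsets are deliberately part of the test, stating that in the test's specification text would spare implementers a debugging round.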
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Public PoC"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-02-29T14:30:00.000+04:00"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json
new file mode 100644
index 000000000..93a69b7c4
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Active"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json
new file mode 100644
index 000000000..221133af9
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Public PoC"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-02-28T14:30:00.000-19:00"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json
new file mode 100644
index 000000000..204e93f41
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Public PoC"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-02-29T14:30:00.000+07:00"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json
new file mode 100644
index 000000000..7cef5b689
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Disclosure Date newer than Revision History (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-24T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json
new file mode 100644
index 000000000..3ef922ad0
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json
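Review bot: The `title` is prefixed `Informative test:` although this fixture lives under `optional/`, its id is `…-6-2-33-01`, and testcases.json registers 6.2.33 with `"group": "optional"`; the neighbouring 6.2.34 and 6.2.35 fixtures in this commit use the `Optional test:` prefix. A mismatched prefix is harmless to the validator but misleads anyone grepping fixtures by test class. Suggest `"title": "Optional test: Disclosure Date newer than Revision History (failing example 1)"`, and the same correction in the 6-2-33-02, -11, -12 and -13 fixtures.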
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Disclosure Date newer than Revision History (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-23T14:00:00.000-21:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json
new file mode 100644
index 000000000..ea59d8af1
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json
@@ -0,0 +1,42 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Disclosure Date newer than Revision History (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-02-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-24T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-24T10:00:00.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json
new file mode 100644
index 000000000..fb1f49535
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json
@@ -0,0 +1,42 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Disclosure Date newer than Revision History (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-02-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-24T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "9999-12-31T23:59:59.000Z"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json
new file mode 100644
index 000000000..fd61dd2b3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Disclosure Date newer than Revision History (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-24T14:00:00.000+07:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json
new file mode 100644
index 000000000..44e1bf321
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-34-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Technical Impact",
+ "namespace": "an-yet-unknown-or-maybe-private-namespace",
+ "values": [
+ "Total"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json
new file mode 100644
index 000000000..3c21bc401
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-34-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Technical Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Total"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json
new file mode 100644
index 000000000..6ce8ea49b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Unknown SSVC Role (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-35-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "role": "An unregistrable role",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Technical Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Total"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json
new file mode 100644
index 000000000..c9366b2f3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Unknown SSVC Role (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-35-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "role": "Coordinator",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Technical Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Total"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index a48be64ef..b1097f286 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1121,12 +1121,44 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json",
+ "valid": false
 }
 ],
 "valid": [
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json",
 "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json",
+ "valid": true
 }
 ]
 },
@@ -1286,6 +1318,254 @@
 }
 ]
 },
+ {
+ "id": "6.1.43",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.44",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.45",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.46",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.47",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.48",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.1.49",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.2.1",
 "group": "optional",
@@ -1302,6 +1582,7 @@
 }
 ]
 },
+
 {
 "id": "6.2.2",
 "group": "optional",
@@ -2012,6 +2293,66 @@
 }
 ]
 },
+ {
+ "id": "6.2.33",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.2.34",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json",
+ "valid": true
+ }
+ ]
+ },
+ {
+ "id": "6.2.35",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
@@ -2305,6 +2646,22 @@
 "valid": true
 }
 ]
+ },
+ {
+ "id": "6.3.13",
+ "group": "informative",
+ "failures": [
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json",
+ "valid": true
+ }
+ ]
 }
 ]
 }
diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
index 1c287c799..e75937c2b 100755
--- a/csaf_2.1/test/validator/run_tests.sh
+++ b/csaf_2.1/test/validator/run_tests.sh
@@ -7,10 +7,13 @@
 CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json
+SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
-EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
+EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
+EXCLUDE_LEAP='oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json'
 EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json
 FAIL=0
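Review bot: `EXCLUDE` and the new `EXCLUDE_LEAP` silently drop fixtures that testcases.json registers in this same commit as expected outcomes (6-1-37-02..05, 6-1-46-01/02 and 6-1-37-12..14), and nothing in the script says why, so a reader cannot tell whether a skipped file is one the reference validator cannot evaluate or a known gap in coverage. Since `EXCLUDE_LEAP` is applied in exactly the same two places as `EXCLUDE`, the separate variable only earns its keep if the reason is recorded; its name suggests leap-second timestamps, but that is inferred from the name alone. A one-line comment above each list would settle it, e.g. `# EXCLUDE_LEAP: fixtures the schema-level date-time check cannot evaluate correctly (leap seconds — confirm); skipped in both runs`. The single-line alternations are also becoming hard to review in a diff; one filename per line joined with `|` would keep future additions readable.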
@@ -20,7 +23,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then + if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED @@ -30,14 +33,14 @@ validate() { } test_all() { - for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}") + for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -Ev "${EXCLUDE_LEAP}") do validate $i done } test_all_strict() { - for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -v ${EXCLUDE_STRICT}) + for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -Ev "${EXCLUDE_LEAP}" | grep -v ${EXCLUDE_STRICT}) do validate $i done diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 5b29cc4fb..9ea0b7175 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-5])|(1\\.3[6-9])|(1\\.4[0-9]))$" }, "valid": { "title": "List of valid examples",