From 68e5ca0b3dce1db2e982a21424143617a842bbe8 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 16 Jan 2025 11:20:44 +0100 Subject: [PATCH 01/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add SSVC decision point value selection 1.0.1 to schema - add SSVC decision point value selection 1.0.1 file into referenced schemas - adapt test scripts --- csaf_2.1/json_schema/csaf_json_schema.json | 3 + ...on_Point_Value_Selection-1-0-1.schema.json | 98 +++++++++++++++++++ csaf_2.1/test/aggregator_schema/run_tests.sh | 3 +- csaf_2.1/test/csaf_schema/run_tests.sh | 3 +- csaf_2.1/test/provider_schema/run_tests.sh | 3 +- 5 files changed, 107 insertions(+), 3 deletions(-) create mode 100644 csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 1319a9039..6cdae8fc9 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -1268,6 +1268,9 @@ }, "cvss_v4": { "$ref": "https://www.first.org/cvss/cvss-v4.0.json" + }, + "ssvc_v1_0_1": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json" } } }, diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json new file mode 100644 index 000000000..48c9e562c --- /dev/null +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json 
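Review bot: The new `ssvc_v1_0_1` entry references the SSVC schema only by its remote `$id`, so a consumer that validates against the published CSAF schema with remote reference resolution enabled fetches `https://certcc.github.io/SSVC/...` at validation time, and any change at that URL silently changes what a CSAF document is checked against. The `run_tests.sh` changes in this commit hand the vendored copy under `csaf_2.1/referenced_schema/certcc/` to the validator, which covers the repository's own tests but not downstream validators. Since the sibling `cvss_v*` entries follow the same remote-`$ref` pattern, the cheapest improvement is a `$comment` beside the new `$ref` pointing at the vendored file, e.g. `"$comment": "Resolve from csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json; validators SHOULD NOT fetch at validation time"`, and keeping that vendored file byte-identical to upstream so drift is visible in review. The enclosing `content` object starts before the hunk.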
@@ -0,0 +1,98 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "definitions": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": ["Supplier","Deployer","Coordinator"] + }, + "timestamp" : { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": ["1-0-1"] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": ["Automatable", "Exploitation"] + }, + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": ["ssvc","cvvsv4"] + }, + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + 
"$ref": "#/definitions/id" + }, + "role": { + "$ref": "#/definitions/role" + }, + "schemaVersion": { + "$ref": "#/definitions/schemaVersion" + }, + "timestamp": { + "$ref": "#/definitions/timestamp" + }, + "selections": { + "description" : "An array of Decision Points and their Values that were down-selected or evaluated ", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false +} diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh index fbaf761af..3f8ef7660 100755 --- a/csaf_2.1/test/aggregator_schema/run_tests.sh +++ b/csaf_2.1/test/aggregator_schema/run_tests.sh @@ -8,6 +8,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py @@ -20,7 +21,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED 
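Review bot: `timestamp` relies on `"format": "date-time"`, but under the declared draft 2020-12 `$schema` the `format` keyword is an annotation unless the validator opts into format assertion, so a string that is not RFC 3339 would pass this schema as written; the commit passes the file to `csaf_2.1/test/validator.py`, and it is worth confirming that script enables format checking, otherwise the temporal-length guidance added later in this series for `.../ssvc_v1/timestamp` rests on an unenforced constraint. `id`, `role`, `name`, `namespace`, `version` and every entry of `values` are unbounded free strings with no `maxLength`, `pattern` or `enum` (`role` in particular is described as drawn from a fixed stakeholder list yet accepts anything), which matters because these values land inside advisories that downstream tooling renders; presumably the strict-schema generator referenced by the test scripts does not rewrite referenced schemas, so any tightening belongs upstream at CERT/CC rather than in this vendored copy. The hunk covers the whole new file.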
diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh index d24a9ed4f..e737c33e0 100755 --- a/csaf_2.1/test/csaf_schema/run_tests.sh +++ b/csaf_2.1/test/csaf_schema/run_tests.sh @@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/examples/csaf/$1/*.json @@ -18,7 +19,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh index 0ec6b8648..572d97af6 100755 --- a/csaf_2.1/test/provider_schema/run_tests.sh +++ b/csaf_2.1/test/provider_schema/run_tests.sh 
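Review bot: The rewritten `if python3 …` line keeps `$1` and every schema variable unquoted, so a test file path containing whitespace or glob characters is word-split before it reaches the validator; since the line is touched anyway, quoting it — `if python3 "${VALIDATOR}" "${SCHEMA}" "$1" "${CVSS_20_STRICT_SCHEMA}" "${CVSS_30_STRICT_SCHEMA}" "${CVSS_31_STRICT_SCHEMA}" "${CVSS_40_STRICT_SCHEMA}" "${SSVC_101_SCHEMA}"; then` — costs nothing. The same applies to the corresponding `validate()` hunks in `csaf_2.1/test/aggregator_schema/run_tests.sh` and `csaf_2.1/test/provider_schema/run_tests.sh`. Those two scripts insert `${SSVC_101_SCHEMA}` before `${PROVIDER_STRICT_SCHEMA}` while this one appends it last; presumably `validator.py` treats the trailing arguments as an unordered set of referenced schemas, but if it does not, the ordering should be made uniform. The body of `validate()` continues past the hunk.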
@@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py @@ -19,7 +20,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED From 4eecfc25b98f09eccd6e63ab2145df42e54870fc Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 16 Jan 2025 11:51:58 +0100 Subject: [PATCH 02/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add SSVC link in informative references - mention SSVC in design consideration principles - add SSVC to metrics section --- ...considerations-01-construction-principles.md | 17 +++++++++-------- .../introduction-04-informative-references.md | 3 +++ ...hema-elements-02-props-04-vulnerabilities.md | 6 ++++++ 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md index b4a7fa4d4..dc0516452 100644 --- a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md 
+++ b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md @@ -34,8 +34,17 @@ Proven and intended usage patterns from practice are given where possible. Delegation to industry best practices technologies is used in referencing schemas for: +* Classification for Document Distribution + * Traffic Light Protocol (TLP) + * Default Definition: https://www.first.org/tlp/ +* Vulnerability Classification + * Common Weakness Enumeration (CWE) [cite](#CWE) + * CWE List: http://cwe.mitre.org/data/index.html * Platform Data: * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N) +* Vulnerability Categorization: + * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC) + * JSON Schema Reference https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json * Vulnerability Scoring: * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40) * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json @@ -45,12 +54,6 @@ Delegation to industry best practices technologies is used in referencing schema * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json * Common Vulnerability Scoring System (CVSS) Version 2.0 [cite](#CVSS2) * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json -* Vulnerability Classification - * Common Weakness Enumeration (CWE) [cite](#CWE) - * CWE List: http://cwe.mitre.org/data/index.html -* Classification for Document Distribution - * Traffic Light Protocol (TLP) - * Default Definition: https://www.first.org/tlp/ Even though the JSON schema does not prohibit specifically additional properties and custom keywords, it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub. 
@@ -65,5 +68,3 @@ consumers to verify rules from the specification which can not be tested by the Section [sec](#distributing-csaf-documents) states how to distribute and where to find CSAF documents. Safety, Security and Data Protection are considered in section [sec](#safety-security-and-data-protection-considerations). Finally, a set of conformance targets describes tools in the ecosystem. - - diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index a13b34f08..0c34ec41f 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -102,6 +102,9 @@ SemVer SPDX22 : _The Software Package Data Exchange (SPDX®) Specification Version 2.2_, Linux Foundation and its Contributors, 2020, . +SSVC +: _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, + VERS : _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, . diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index b2f288d2b..2c9cebd7a 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -438,6 +438,9 @@ A Content object has at least 1 property. }, "cvss_v4": { // ... + }, + "ssvc_v1": { + // .... } } ``` 
@@ -452,6 +455,9 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json). +The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at +[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json). + ##### Vulnerabilities Property - Metrics - Products Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies. From a38b3946eec62c8eb903819162598f43f9cd9281 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 16 Jan 2025 11:53:37 +0100 Subject: [PATCH 03/69] SSVC - addresses parts of oasis-tcs/csaf#803 - update SSVC key in schema to align with CVSS --- csaf_2.1/json_schema/csaf_json_schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 6cdae8fc9..af6876040 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -1269,7 +1269,7 @@ "cvss_v4": { "$ref": "https://www.first.org/cvss/cvss-v4.0.json" }, - "ssvc_v1_0_1": { + "ssvc_v1": { "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json" } } From 789785c3a8f164b3b04481914a842379ff1e0ec8 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 16 Jan 2025 11:56:08 +0100 Subject: [PATCH 04/69] SSVC - addresses parts of oasis-tcs/csaf#803 - update referenced SSVC schema to reflect change from CERTCC/SSVC#654 - reformat JSON schema --- ...on_Point_Value_Selection-1-0-1.schema.json | 202 ++++++++++-------- 1 file changed, 109 insertions(+), 93 deletions(-) diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json index 48c9e562c..b096ac1fb 100644 --- a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json 
@@ -1,98 +1,114 @@ { - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", - "definitions": { - "id": { - "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"] - }, - "role": { - "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": ["Supplier","Deployer","Coordinator"] + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "$defs": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-2024-101010", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ] + }, + "timestamp": { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": [ + "Automatable", + "Exploitation" + ] }, - "timestamp" : { - "description": "Date and time in ISO format ISO 8601 format", - "type": "string", - "format": "date-time" - }, - 
"schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": ["1-0-1"] + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": [ + "ssvc", + "cvvsv4" + ] }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", - "properties": { - "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", - "type": "string", - "examples": ["Automatable", "Exploitation"] - }, - "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", - "type": "string", - "examples": ["ssvc","cvvsv4"] - }, - "values": { - "description": "Evaluated values of the Decision Point", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" - } - }, - "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": "#/$defs/id" + }, + 
"role": { + "$ref": "#/$defs/role" + }, + "schemaVersion": { + "$ref": "#/$defs/schemaVersion" + }, + "timestamp": { + "$ref": "#/$defs/timestamp" }, - "properties": { - "id": { - "$ref": "#/definitions/id" - }, - "role": { - "$ref": "#/definitions/role" - }, - "schemaVersion": { - "$ref": "#/definitions/schemaVersion" - }, - "timestamp": { - "$ref": "#/definitions/timestamp" - }, - "selections": { - "description" : "An array of Decision Points and their Values that were down-selected or evaluated ", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/definitions/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false + "selections": { + "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false } From 599b150ffea035e648b72c9c181d7c766c96d6ff Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 16 Jan 2025 21:34:23 +0100 Subject: [PATCH 05/69] SSVC - addresses parts of oasis-tcs/csaf#803 - update referenced SSVC schema --- .../certcc/Decision_Point_Value_Selection-1-0-1.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json index b096ac1fb..970bf8b41 100644 --- a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json 
@@ -50,7 +50,7 @@ "type": "string", "examples": [ "ssvc", - "cvvsv4" + "cvssv4" ] }, "values": { From 7ac9c47240737fdbb0a5ce1c0bf439c34607531d Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 16 Jan 2025 23:26:36 +0100 Subject: [PATCH 06/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add SSVC to guidance on size --- csaf_2.1/prose/edit/src/guidance-on-size.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index edd66eb22..4c9c927eb 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -76,6 +76,8 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/acknowledgments[]/urls` * `/vulnerabilities[]/cwes` * `/vulnerabilities[]/ids` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values` * `/vulnerabilities[]/remediations[]/entitlements` * 40 000 items for @@ -201,6 +203,12 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/flags[]/product_ids[]` * `/vulnerabilities[]/ids[]/system_name` * `/vulnerabilities[]/ids[]/text` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/id` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/role` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version` * `/vulnerabilities[]/notes[]/audience` * `/vulnerabilities[]/notes[]/title` * `/vulnerabilities[]/product_status/first_affected[]` 
@@ -263,6 +271,7 @@ The maximum length of strings representing a temporal value is given by the form * `/vulnerabilities[]/flags[]/date` * `/vulnerabilities[]/release_date` * `/vulnerabilities[]/involvements[]/date` +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp` * `/vulnerabilities[]/remediations[]/date` * `/vulnerabilities[]/threats[]/date` @@ -374,6 +383,7 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/baseSeverity` (8) * `/vulnerabilities[]/metrics[]/content/cvss_v4/threatSeverity` (8) * `/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity` (8) +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion` (5) * `/vulnerabilities[]/threats[]/category` (14) ## URI Length From 23556f3e29679bd7e2dd40cedcc36618d1f116cb Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 19 Feb 2025 22:45:48 +0100 Subject: [PATCH 07/69] Seed Editor revision 2025-02-26 - update dates - insert new revision for tracking --- csaf_2.1/prose/edit/src/frontmatter.md | 4 ++-- csaf_2.1/prose/edit/src/revision-history.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index f04f6f257..cfc75f3fc 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 29 January 2025 +## 26 February 2025 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ 
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 26 February 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 40e6dd26d..d6a721900 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -21,4 +21,5 @@ toc: | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20250129-dev | 2025-01-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20250226-dev | 2025-02-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- From a239382a813379603f2fc977f7689d7b7f490bce Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 19 Feb 2025 22:56:26 +0100 Subject: [PATCH 08/69] DNS Domain - resolves oasis-tcs/csaf#831 - clarify text - add informative explanation --- csaf_2.1/prose/edit/src/distributing.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index ab2b0f21c..9ae33dbaf 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
@@ -162,8 +162,13 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details ### Requirement 10: DNS path -The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly -the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. +Assuming that the organization's main domain is `domain.tld`, the DNS record `csaf.data.security.domain.tld` SHALL resolve +as a web server which serves directly the `provider-metadata.json` according to requirement 7. + +> The `domain.tld` is just a placeholder for the organization's main domain. +> For the organization with the main domain being `example.com`, the necessary DNS record is `csaf.data.security.example.com`. + +That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. ### Requirement 11: One folder per year From 7a9fae02692ae1c040083ee8c98e7ab3ec36b999 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 10:50:39 +0100 Subject: [PATCH 09/69] DNS Domain - addresses review comment from oasis-tcs/csaf#868 - clarify that DNS resolves to IP address which has the webserver Co-authored-by: Stefan Hagen --- csaf_2.1/prose/edit/src/distributing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 9ae33dbaf..6cf7c4191 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
@@ -163,7 +163,7 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details ### Requirement 10: DNS path Assuming that the organization's main domain is `domain.tld`, the DNS record `csaf.data.security.domain.tld` SHALL resolve -as a web server which serves directly the `provider-metadata.json` according to requirement 7. +to the IP address of a web server which serves directly the `provider-metadata.json` according to requirement 7. > The `domain.tld` is just a placeholder for the organization's main domain. > For the organization with the main domain being `example.com`, the necessary DNS record is `csaf.data.security.example.com`. From 4d2388669a2d70d12ebc0971a73f41b78effb255 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 11:07:58 +0100 Subject: [PATCH 10/69] SSVC - addresses parts of oasis-tcs/csaf#803 - update link as indicated by CERT/CC --- .../prose/edit/src/introduction-04-informative-references.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index c73158bd0..0718143b8 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -103,7 +103,7 @@ SPDX301 : _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, . SSVC -: _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, +: _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, VERS : _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, . From 4946309892113fa5e91ddb55ae3f5b489c35bda5 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 12:00:13 +0100 Subject: [PATCH 11/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add conversion rule --- csaf_2.1/prose/edit/src/conformance.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 6bf10e0f8..79f2df30c 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -571,6 +571,15 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. +* `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current + vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1` + object within the current vulnerability. + If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding `notes` item SHALL + be removed. + If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information given, the CSAF 2.0 to CSAF 2.1 converter SHALL + remove the invalid `ssvc_v1` object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data failed. + If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the `ssvc_v1` + object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data would lead to loosing information. * `/vulnerabilities[]/remediations[]`: * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. 
@@ -588,6 +597,7 @@ Secondly, the program fulfills the following for all items of: * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`. * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, including the products it was changed for. +* The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning. > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown. From 9762db12e7dc8bb31b5c8c6140cf621f754743f5 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 16:46:34 +0100 Subject: [PATCH 12/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add mandatory test 6.1.43 to detect inconsistent SSVC IDs - add invalid examples - add valid examples --- csaf_2.1/prose/edit/etc/bind.txt | 1 + .../tests-01-mndtr-43-inconsistent-ssvc-id.md | 44 +++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json | 69 +++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json | 74 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json | 74 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json | 101 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json | 69 +++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json | 75 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json | 74 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json | 107 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json | 68 +++++++++++ csaf_2.1/test/validator/data/testcases.json | 44 +++++++ .../test/validator/testcases_json_schema.json | 2 +- 13 files changed, 801 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json create mode 100644 
csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 95390a140..e99d6de6a 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt @@ -73,6 +73,7 @@ tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md tests-01-mndtr-40-invalid-sharing-group-name.md tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md +tests-01-mndtr-43-inconsistent-ssvc-id.md tests-02-optional.md tests-03-informative.md distributing.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md new file mode 100644 index 000000000..5e4a0d4f9 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md @@ -0,0 +1,44 @@ +### Inconsistent SSVC ID + +For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array. +The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability. + +The relevant paths for this test are: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/id +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0002", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC ID does not match the CVE ID. 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json new file mode 100644 index 000000000..c9a329d4d --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json @@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0002", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json new file mode 100644 index 000000000..00e7e5563 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json new file mode 100644 index 000000000..1ca4af109 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "2723", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json new file mode 100644 index 000000000..3bae9469c --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json 
@@ -0,0 +1,101 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "Bug#2723", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + }, + { + "cve": "CVE-1900-0001", + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-04", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json new file mode 100644 index 000000000..c76f762f0 --- /dev/null 
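Review bot: In failing example 4 the first vulnerability has neither `cve` nor `ids`, so its `ssvc_v1/id` of `Bug#2723` already fails the test on its own, and the document does not isolate the condition it appears meant to exercise — the second vulnerability's `id` being equal to `/document/tracking/id` in a document with more than one vulnerability. A fixture that fails for two independent reasons cannot tell a validator implementer which rule was actually caught. Suggest giving the first vulnerability its own `ids` entry (`"text": "Bug#2723"`) so that only the tracking-id condition trips, or splitting the two causes into separate failing examples.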
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json @@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json new file mode 100644 index 000000000..9c517e7c5 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json 
@@ -0,0 +1,75 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json new file mode 100644 index 000000000..8382ed28b --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "Bug#2723", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json new file mode 100644 index 000000000..a13be38a4 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json 
@@ -0,0 +1,107 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#3272" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "Bug#3272", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + }, + { + "cve": "CVE-1900-0001", + "ids": [ + { + "system_name": "Example Companies Bugtracker", + "text": "Bug#2723" + } + ], + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json new file mode 100644 index 000000000..03e30fa1d --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json @@ -0,0 +1,68 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent SSVC ID (valid example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-15", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-15", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index a48be64ef..0686b04a2 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
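Review bot: Valid example 5 sets `ssvc_v1/id` to the document's `/document/tracking/id` in a document with a single vulnerability and no `cve` or `ids`, but the test text added in this commit (tests-01-mndtr-43-inconsistent-ssvc-id.md) only states that `id` MUST be the `cve` or an `ids[].text`, and mentions the tracking id solely as a failure condition for documents with more than one vulnerability. A validator implementing the first sentence literally would reject this fixture although testcases.json lists it as valid. Suggest stating the exception positively in the test text, for example: "For each `ssvc_v1` object it MUST be tested that `id` is the CVE given in `cve`, the `text` of an item in `ids`, or — only if the document contains exactly one vulnerability — the `/document/tracking/id`."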
@@ -1286,6 +1286,50 @@ } ] }, + { + "id": "6.1.43", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 5b29cc4fb..1a38f4338 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-3]))$" }, "valid": { "title": "List of valid examples", From 1ec5b952f5f9217d7b943036e06744fdea469f3a Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 17:31:32 +0100 Subject: [PATCH 13/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add SSVC schema to testscript for test data --- csaf_2.1/test/validator/run_tests.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh index 1c287c799..bd156f52f 100755 --- a/csaf_2.1/test/validator/run_tests.sh +++ b/csaf_2.1/test/validator/run_tests.sh @@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json +SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/test/validator/data/$1/*.json @@ -20,7 +21,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then + if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED From 07cfab15964d8792c963ffc004211fd59c2cae86 Mon Sep 17 00:00:00 2001 
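Review bot: The new `SSVC_101_SCHEMA` is handed to the validator as the upstream schema file as-is, whereas the CVSS schemas on the same `validate()` line are the `_strict` variants produced by `STRICT_GENERATOR`. If the upstream SSVC schema is not closed with `additionalProperties: false` at every level (not visible in this commit), fixtures carrying stray keys inside `ssvc_v1` would pass this script silently, which is exactly what the strict variants exist to catch for CVSS. Consider deriving a strict variant the same way, or document the deliberate difference above the assignment, e.g. `# upstream SSVC schema is used as-is; no strict variant is generated for it`.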
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 19:02:22 +0100 Subject: [PATCH 14/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add mandatory test 6.1.44 for SSVC - add invalid examples - add valid examples --- csaf_2.1/prose/edit/etc/bind.txt | 1 + .../tests-01-mndtr-44-ssvc-decision-points.md | 49 +++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json | 70 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json | 71 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json | 72 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json | 71 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json | 70 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json | 71 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json | 72 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json | 71 ++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 40 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 12 files changed, 659 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json 
diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index e99d6de6a..c00cde7d4 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt @@ -74,6 +74,7 @@ tests-01-mndtr-40-invalid-sharing-group-name.md tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md tests-01-mndtr-43-inconsistent-ssvc-id.md +tests-01-mndtr-44-ssvc-decision-points.md tests-02-optional.md tests-03-informative.md distributing.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md new file mode 100644 index 000000000..af21bc930 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md 
@@ -0,0 +1,49 @@ +### SSVC Decision Points + +For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly. + +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). +> The items in `values` need to have the same order as in their definition. + +The relevant paths for this test are: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None", + "Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC decision point `Mission Impact` doesn't have the value `Degraded` in version `1.0.0`. + +> If applicable, a tool MAY sort the items in `values` according to the order of their definition as a quick fix. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json new file mode 100644 index 000000000..b6d15de2b --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None", + "Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json new file mode 100644 index 000000000..25bf39134 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impacts", + "namespace": "ssvc", + "values": [ + "Marginal", + "Critical", + "Catastrophic" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json new file mode 100644 index 000000000..8eee3e3ef --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json 
@@ -0,0 +1,72 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Safety Impact", + "namespace": "ssvc", + "values": [ + "Catastrophic", + "Critical", + "Marginal", + "Negligible" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json new file mode 100644 index 000000000..f7dcf7ad4 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json 
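Review bot: Failing example 3 is the fixture for the value-ordering check (the `Safety Impact` values run from `Catastrophic` down to `Negligible`), but it pairs those value names with `"version": "1.0.0"`. Whether `Negligible`, `Marginal` and `Critical` are defined in Safety Impact `1.0.0` needs confirming against the SSVC decision point definitions the test text references; if they were introduced in a later version, this fixture fails because of undefined values rather than wrong order, and the ordering rule is left without a dedicated failing example. Pin the intended failure cause by listing the values that belong to the stated version in reversed order, or by stating the version that actually defines these values.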
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: SSVC Decision Points (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Safety Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Marginal",
+ "Critical",
+ "Catastrophic"
+ ],
+ "version": "1.9.7"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json
new file mode 100644
index 000000000..47d5c1d6b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: SSVC Decision Points (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Mission Impact",
+ "namespace": "ssvc",
+ "values": [
+ "None",
+ "Non-Essential Degraded"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json
new file mode 100644
index 000000000..69e4d25f5
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: SSVC Decision Points (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Safety Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Marginal",
+ "Critical",
+ "Catastrophic"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json
new file mode 100644
index 000000000..c3fcc8e7d
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json
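Review bot: The `selections` entry of this valid example (44-12) claims version `1.0.0` of the `Safety Impact` decision point with the values `Marginal`, `Critical`, `Catastrophic`, while valid example 44-14 claims the identical value list under version `2.0.0` and 44-13 prepends `Negligible` under `1.0.0` again; all three are registered as passing in testcases.json, which can only be right if every referenced version defines exactly that value set in that order, and nothing in this series shows that check was made against the decision point definitions the validator is meant to use. Since test 6.1.44 is only as sound as the definitions it resolves against, I would cross-check these fixtures against the exact SSVC decision point JSON files the validator consumes and name that snapshot (repository path and revision) in the test case description, rather than leaving the outcome to whatever the upstream repository serves when the validator runs. If the validator fetches the definitions at run time, that fetch should be pinned and verified, or the definitions vendored, so a change upstream cannot silently flip a mandatory test result.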
@@ -0,0 +1,72 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: SSVC Decision Points (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Safety Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Negligible",
+ "Marginal",
+ "Critical",
+ "Catastrophic"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json
new file mode 100644
index 000000000..4eff00a0a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: SSVC Decision Points (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Safety Impact",
+ "namespace": "ssvc",
+ "values": [
+ "Marginal",
+ "Critical",
+ "Catastrophic"
+ ],
+ "version": "2.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 0686b04a2..f4520ed63 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1330,6 +1330,46 @@ } ] },
+ {
+ "id": "6.1.44",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json",
+ "valid": true
+ }
+ ]
+ },
 { "id": "6.2.1", "group": "optional",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 1a38f4338..1fd3d6811 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-3]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-4]))$"
 }, "valid": { "title": "List of valid examples",
From cd9aabf87b687aca540403fd18693fb340efe0ae Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 19:19:57 +0100 Subject: [PATCH 15/69] SSVC - addresses parts of oasis-tcs/csaf#803 - correct that 6.1.43 and 6.1.44 just have a single relevant path, not multiple --- .../prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md | 2 +- .../prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md index 5e4a0d4f9..6d0824702 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md @@ -3,7 +3,7 @@ For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array. The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability. -The relevant paths for this test are: +The relevant path for this test is: ``` /vulnerabilities[]/metrics[]/content/ssvc_v1/id diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md index af21bc930..81956965c 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md @@ -5,7 +5,7 @@ For each SSVC decision point given under `selections` with the `namespace` of `s > A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). > The items in `values` need to have the same order as in their definition. -The relevant paths for this test are: +The relevant path for this test is: ``` /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] 
From 52f5d9b66e70d38f749942d81dfc31b095b32f47 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 19:33:01 +0100 Subject: [PATCH 16/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add mandatory test 6.1.45 for SSVC Decision Point Namespace - add invalid examples - add valid examples --- csaf_2.1/prose/edit/etc/bind.txt | 1 + ...rohibited-ssvc-decision-point-namespace.md | 53 ++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json | 69 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json | 69 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json | 69 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json | 69 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 25 +++++++ .../test/validator/testcases_json_schema.json | 2 +- 8 files changed, 356 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index c00cde7d4..357098d47 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt @@ -75,6 +75,7 @@ tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md tests-01-mndtr-43-inconsistent-ssvc-id.md tests-01-mndtr-44-ssvc-decision-points.md +tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md tests-02-optional.md tests-03-informative.md distributing.md 
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md new file mode 100644 index 000000000..3035b9dbc --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md @@ -0,0 +1,53 @@ +### Prohibited SSVC Decision Point Namespace + +For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive reserved values, it MUST be tested that the +`namespace` it not equal to the case-insensitive reserved values. + +> The following values are reserved: +> +> ``` +> cvssv4 +> ssvc +> ``` + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "SSVC", + "values": [ + "None" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC decision point namespace uses the capitalized version of the reserved namespace `ssvc`. + +> A tool MAY convert the reserved namespace to lowercase as a quick fix. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json new file mode 100644 index 000000000..814397d5f --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json 
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Mission Impact",
+ "namespace": "SSVC",
+ "values": [
+ "None"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json
new file mode 100644
index 000000000..40a4349b8
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Attack Complexity",
+ "namespace": "CVSSv4",
+ "values": [
+ "Low"
+ ],
+ "version": "3.0.1"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json
new file mode 100644
index 000000000..1a64adf1b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Mission Impact",
+ "namespace": "ssvc",
+ "values": [
+ "None"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json
new file mode 100644
index 000000000..4eb290704
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Attack Complexity",
+ "namespace": "cvssv4",
+ "values": [
+ "Low"
+ ],
+ "version": "3.0.1"
+ }
+ ],
+ "timestamp": "2024-01-24T10:00:00.000Z"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index f4520ed63..3b4ca0f09 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1370,6 +1370,30 @@ } ] },
+ {
+ "id": "6.1.45",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json",
+ "valid": true
+ }
+ ]
+ },
 { "id": "6.2.1", "group": "optional",
@@ -1386,6 +1410,7 @@ } ] },
+
 { "id": "6.2.2", "group": "optional",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 1fd3d6811..3d64e3adc 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-4]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-5]))$"
 }, "valid": { "title": "List of valid examples",
From 50297558d13c6f3ea469e540bf8ccda372ba3d3a Mon Sep 17 00:00:00 2001
From: Stefan Hagen
Date: Thu, 20 Feb 2025 20:28:55 +0100
Subject: [PATCH 17/69] Fixed CWE link with multiple targets #870
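Review bot: The second testcases.json hunk (`@@ -1386,6 +1410,7 @@`) appears to add nothing but an empty line between the `6.2.1` and `6.2.2` entries; it is unrelated to test 6.1.45 and breaks the otherwise uniform one-object-per-block layout of the array, so it should be dropped before merge. The `6.1.45` entry itself is consistent with the four new fixtures and with the widened `id` pattern `(1\\.4[0-5])` in testcases_json_schema.json. Note that the existing schema pattern is the only guard against typos in test ids, so every new test number must be reflected there as this patch does.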
Signed-off-by: Stefan Hagen --- .../edit/etc/example-global-to-local.json | 2 +- .../edit/etc/example-local-to-global.json | 2 +- .../edit/etc/section-display-to-label.json | 2 +- .../edit/etc/section-label-to-display.json | 2 +- .../prose/edit/src/tests-01-mndtr-11-cwe.md | 2 +- csaf_2.1/prose/share/csaf-v2.1-draft.html | 36 +++++++++++++++---- csaf_2.1/prose/share/csaf-v2.1-draft.md | 20 +++++++---- 7 files changed, 47 insertions(+), 19 deletions(-) diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json index cb2f311c0..2cef7e779 100644 --- a/csaf_2.1/prose/edit/etc/example-global-to-local.json +++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json @@ -62,7 +62,7 @@ "60": "invalid-cvss-eg-1", "61": "invalid-cvss-computation-eg-1", "62": "inconsistent-cvss-eg-1", - "63": "cwe-eg-1", + "63": "mandatory-tests--cwe-eg-1", "64": "language-eg-1", "65": "purl-eg-1", "66": "sorted-revision-history-eg-1", diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json index 9fa83b3a7..387f5f1c6 100644 --- a/csaf_2.1/prose/edit/etc/example-local-to-global.json +++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json @@ -22,7 +22,6 @@ "contradicting-remediations-eg-1": "98", "cve-in-field-ids-eg-1": "122", "cvss-for-fixed-products-eg-1": "124", - "cwe-eg-1": "63", "discouraged-product-status-remediation-combination-eg-1": "132", "document-notes-eg-1": "80", "document-property-aggregate-severity-eg-1": "30", @@ -63,6 +62,7 @@ "language-type-eg-1": "18", "latest-document-version-eg-1": "68", "mandatory-tests--branches-recursion-depth-eg-1": "97", + "mandatory-tests--cwe-eg-1": "63", "mandatory-tests--date-and-time-eg-1": "100", "missing-canonical-url-eg-1": "116", "missing-cve-eg-1": "140", diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json index 487adb326..e5362adb2 100644 
--- a/csaf_2.1/prose/edit/etc/section-display-to-label.json +++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json @@ -133,7 +133,7 @@ "6.1.8": "invalid-cvss", "6.1.9": "invalid-cvss-computation", "6.1.10": "inconsistent-cvss", - "6.1.11": "cwe", + "6.1.11": "mandatory-tests--cwe", "6.1.12": "language", "6.1.13": "purl", "6.1.14": "sorted-revision-history", diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json index e5250d844..97d9f8eff 100644 --- a/csaf_2.1/prose/edit/etc/section-label-to-display.json +++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json @@ -54,7 +54,6 @@ "contradicting-remediations": "6.1.35", "cve-in-field-ids": "6.2.17", "cvss-for-fixed-products": "6.2.19", - "cwe": "6.1.11", "date": "C.4", "date-and-time": "2.2", "definitions": "3.1", @@ -128,6 +127,7 @@ "latest-document-version": "6.1.16", "mandatory-tests": "6.1", "mandatory-tests--branches-recursion-depth": "6.1.34", + "mandatory-tests--cwe": "6.1.11", "mandatory-tests--date-and-time": "6.1.37", "missing-canonical-url": "6.2.11", "missing-cve": "6.3.3", diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md index 05d8fa167..ead1a0286 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-11-cwe.md @@ -1,4 +1,4 @@ -### CWE +### CWE{#mandatory-tests--cwe} For each CWE it MUST be tested that the given CWE exists and is valid in the version provided. Any `id` that refers to a CWE Category or View MUST fail the test. diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index 937d9e25a..c35880b44 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -41,8 +41,8 @@

Committee Specification Draft 01

-

- 29 January 2025 +

+ 26 February 2025

This stage: @@ -163,7 +163,7 @@

[csaf-v2.1]

- Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 26 February 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


@@ -525,7 +525,7 @@

  • 6.1.10 Inconsistent CVSS
  • -
  • 6.1.11 CWE +
  • 6.1.11 CWE
  • 6.1.12 Language
  • @@ -6210,7 +6210,7 @@

    - 6.1.11 CWE + 6.1.11 CWE

    For each CWE it MUST be tested that the given CWE exists and is valid in the version provided. Any id that refers to a CWE Category or View MUST fail the test. @@ -6220,7 +6220,7 @@

        /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cwes": [
         {
    @@ -9638,7 +9638,15 @@ 

    7.1.10 Requirement 10: DNS path

    - The DNS record csaf.data.security.domain.tld SHALL resolve as a web server which serves directly the provider-metadata.json according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. + Assuming that the organization's main domain is domain.tld, the DNS record csaf.data.security.domain.tld SHALL resolve to the IP address of a web server which serves directly the provider-metadata.json according to requirement 7. +

    +
    +

    + The domain.tld is just a placeholder for the organization's main domain. For the organization with the main domain being example.com, the necessary DNS record is csaf.data.security.example.com. +

    +
    +

    + That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required.

    7.1.11 Requirement 11: One folder per year @@ -13057,6 +13065,20 @@

    Next Editor Revision + + + csaf-v2.0-wd20250226-dev + + + 2025-02-26 + + + Stefan Hagen and Thomas Schmidt + + + Next Editor Revision + +
    diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index c4bad9764..02b0f47b4 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 29 January 2025 +## 26 February 2025 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 29 January 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 26 February 2025. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- @@ -236,7 +236,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.1.8 [Invalid CVSS](#invalid-cvss) 6.1.9 [Invalid CVSS computation](#invalid-cvss-computation) 6.1.10 [Inconsistent CVSS](#inconsistent-cvss) - 6.1.11 [CWE](#cwe) + 6.1.11 [CWE](#mandatory-tests--cwe) 6.1.12 [Language](#language) 6.1.13 [PURL](#purl) 6.1.14 [Sorted Revision History](#sorted-revision-history) @@ -4715,7 +4715,7 @@ The relevant paths for this test are: > A tool MAY overwrite contradicting values according to the `vectorString` as quick fix. -### 6.1.11 CWE +### 6.1.11 CWE For each CWE it MUST be tested that the given CWE exists and is valid in the version provided. Any `id` that refers to a CWE Category or View MUST fail the test. 
@@ -4726,7 +4726,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7991,8 +7991,13 @@ The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more ### 7.1.10 Requirement 10: DNS path -The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly -the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. +Assuming that the organization's main domain is `domain.tld`, the DNS record `csaf.data.security.domain.tld` SHALL resolve +to the IP address of a web server which serves directly the `provider-metadata.json` according to requirement 7. + +> The `domain.tld` is just a placeholder for the organization's main domain. +> For the organization with the main domain being `example.com`, the necessary DNS record is `csaf.data.security.example.com`. + +That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. ### 7.1.11 Requirement 11: One folder per year @@ -9423,6 +9428,7 @@ The following individuals were members of the OASIS CSAF Technical Committee dur | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20250129-dev | 2025-01-29 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20250226-dev | 2025-02-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- # Appendix C. Guidance on the Size of CSAF Documents From 113612286b1869e0b3a5c453280ad53109de953d Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 22:10:25 +0100 Subject: [PATCH 18/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add informative test 6.3.13 for Non-Latest SSVC decision point version - add invalid example - add valid example --- .../prose/edit/src/tests-03-informative.md | 47 +++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json | 69 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json | 69 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 +++++ .../test/validator/testcases_json_schema.json | 2 +- 5 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json create mode 100644 csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md index 64a8f94f5..781ec53c0 100644 --- a/csaf_2.1/prose/edit/src/tests-03-informative.md +++ b/csaf_2.1/prose/edit/src/tests-03-informative.md 
@@ -461,4 +461,51 @@ The relevant path for this test is: > There is no CVSS v4.0 score given for `CSAFPID-9080700`. +### Usage of Non-Latest SSVC Decision Point Version + +For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested the latest decision point `version` available at the time of the `timestamp` was used. +The test SHALL fail if a later `version` was used. + +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> At the timestamp `2024-01-24T10:00:00.000Z` version `2.0.0` of the SSVC decision point `Mission Impact` was already available. + ------- diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json new file mode 100644 index 000000000..a38018fed --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json 
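Review bot: The two normative sentences of the new section contradict each other: the first requires that the latest `version` available at the `timestamp` was used, the second makes the test fail `if a later version was used`, which reads as failing the compliant case; suggest `it MUST be tested that the latest decision point version available at the time of the timestamp was used. The test SHALL fail if a version other than that one was used.` The test is also defined against a live repository tree without saying how a validator determines when a decision point version became available, so two validators working from different snapshots can disagree on the same document; naming the data source for that date and recommending a pinned copy of the decision point list rather than a fetch at validation time would make the result reproducible. The note that `2.0.0` was already available at `2024-01-24T10:00:00.000Z` is presumably taken from that list; I could not verify it from the patch.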
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Usage of Non-Latest SSVC Decision Point Version (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-13-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json new file mode 100644 index 000000000..1b3602959 --- /dev/null +++ b/csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Usage of Non-Latest SSVC Decision Point Version (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-3-13-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Degraded" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 3b4ca0f09..10d6b92c7 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -2414,6 +2414,22 @@ "valid": true } ] + }, + { + "id": "6.3.13", + "group": "informative", + "failures": [ + { + "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "informative/oasis_csaf_tc-csaf_2_1-2024-6-3-13-11.json", + "valid": true + } + ] } ] } 
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 3d64e3adc..782ab5389 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-5]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-5]))$"
 },
 "valid": {
 "title": "List of valid examples",
From 95cc1205798e64ddb6323046763d57a6db1cdaac Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Thu, 20 Feb 2025 22:29:27 +0100
Subject: [PATCH 19/69] SSVC

- addresses parts of oasis-tcs/csaf#803
- add optional test 6.2.33 for unknown SSVC namespaces
- add invalid example
- add valid example
---
 csaf_2.1/prose/edit/src/tests-02-optional.md | 45 ++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json | 69 +++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json | 69 +++++++++++++++++++
 csaf_2.1/test/validator/data/testcases.json | 16 +++++
 .../test/validator/testcases_json_schema.json | 2 +-
 5 files changed, 200 insertions(+), 1 deletion(-)
 create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json
 create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index c6459f39a..f1389a419 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
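Review bot: The bumped `pattern` keeps one numeric range split across hand-edited branches (`([12]\\.3[0-2])` next to `(1\\.3[3-9])`), which the two later hunks on the same file then have to re-balance again; grouping the alternation per test class makes each future bump a one-character change. An equivalent form is `^6\\.((1\\.([1-9]|1[0-9]|2[0-6]|2[89]|3[0-9]|4[0-5]))|(1\\.27\\.([1-9]|1[01]))|(2\\.([1-9]|1[1-9]|2[0-9]|3[0-2]))|(3\\.([1-9]|1[0-3])))$`, which preserves the gaps the current pattern has (no `6.2.10`, no bare `6.1.27`); I assume those gaps are intentional. Extending the `description` with a sentence such as `The pattern MUST be extended when a test is added.` would tell the next contributor why the schema changes with every new test.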
@@ -1038,3 +1038,48 @@ The relevant paths for this test are: ``` > Both products are identified by the same serial number `143-D-354`. + +### Usage of Unknown SSVC Decision Point Namespace + +For each SSVC decision point given under `selections`, it MUST be tested the `namespace` is one of the case-sensitive registered namespaces. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json new file mode 100644 index 000000000..2ae8db383 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json 
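Review bot: `it MUST be tested the namespace is one of the case-sensitive registered namespaces` is missing `that`, and the section never says where the registered list is defined, while the mandatory prohibited-namespace test carries that list inline; a cross-reference to that test or to the SSVC registry belongs here. Because the registered set changes over time — this very series replaces `cvssv4` with `cvss` in that list — the text should also state that a validator SHOULD evaluate against the registry current at validation time, otherwise documents using a newly registered namespace produce false warnings. Suggested wording: `For each SSVC decision point given under selections, it MUST be tested that the namespace is one of the case-sensitive namespaces registered with the SSVC project.`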
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json new file mode 100644 index 000000000..8f46eb43b --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "ssvc", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 10d6b92c7..9dfb47cd8 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -2121,6 +2121,22 @@ } ] }, + { + "id": "6.2.33", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", 
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 782ab5389..41fff8b46 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-5]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-3])|(1\\.3[4-9])|(1\\.4[0-5]))$"
 },
 "valid": {
 "title": "List of valid examples",
From 946d25e07b0970b4fa5f65ea4d6e527c074e3f75 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Thu, 20 Feb 2025 22:32:15 +0100
Subject: [PATCH 20/69] SSVC

- addresses parts of oasis-tcs/csaf#803
- improve wording by using registered namespaces instead of reserved
---
 ...-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
index 3035b9dbc..efa81867a 100644
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
@@ -1,9 +1,9 @@ ### Prohibited SSVC Decision Point Namespace -For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive reserved values, it MUST be tested that the -`namespace` it not equal to the case-insensitive reserved values. +For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive registered values, it MUST be tested that the +`namespace` it not equal to the case-insensitive registered values. -> The following values are reserved: +> According to the SSVC project, the following values are currently registered: > > ``` > cvssv4 From 7291d4909986fe1085d1fb7eb2cbe17edb86e7bc Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 20 Feb 2025 23:40:25 +0100 Subject: [PATCH 21/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add optional test 6.2.34 for unknown SSVC roles - add invalid example - add valid example --- csaf_2.1/prose/edit/src/tests-02-optional.md | 45 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json | 70 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json | 70 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 +++++ .../test/validator/testcases_json_schema.json | 2 +- 5 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index f1389a419..f4de7fbf5 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md 
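Review bot: The rewritten second line carries the typo over from the removed one — `namespace it not equal` should read `namespace is not equal`. The two-clause condition is also hard to parse (a namespace that is not an exact registered value must not equal a registered value case-insensitively); a single sentence such as `For each SSVC decision point given under selections whose namespace is not exactly one of the registered values, it MUST be tested that the namespace does not match any registered value case-insensitively.` states the same rule more directly.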
@@ -1083,3 +1083,48 @@ The relevant path for this test is: > The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. > Its decision point definitions might therefore not be known to the reader of the document. + +### Usage of Unknown SSVC Role + +For each SSVC object, it MUST be tested the `role` is one of the case-sensitive registered roles. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/role +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json new file mode 100644 index 000000000..a97f984ea --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json 
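Review bot: The example and its explanation in the new `Usage of Unknown SSVC Role` section are copied from the namespace test and do not exercise the role at all: the JSON has no `role` member, uses the unknown namespace `an-yet-unknown-or-maybe-private-namespace`, and the closing note talks about namespaces, although the stated path is `/vulnerabilities[]/metrics[]/content/ssvc_v1/role`. The example should add `"role": "An unregistrable role",` after the `id` line (matching the test file added in this commit), use `"namespace": "ssvc"`, and the note should read `The role An unregistrable role is not a registered SSVC role.` The section also does not say what happens when `role` is absent; if the property is optional in the SSVC schema, state that the test is skipped in that case. `it MUST be tested the role is` is missing `that`.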
@@ -0,0 +1,70 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of Unknown SSVC Role (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-34-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "role": "An unregistrable role", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "ssvc", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json new file mode 100644 index 000000000..e03302dea --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of Unknown SSVC Role (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-34-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "role": "Coordinator", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "ssvc", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 9dfb47cd8..b88c00a43 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -2137,6 +2137,22 @@ } ] }, + { + "id": "6.2.34", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", 
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 41fff8b46..7f18ae377 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-3])|(1\\.3[4-9])|(1\\.4[0-5]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-4])|(1\\.3[5-9])|(1\\.4[0-5]))$"
 },
 "valid": {
 "title": "List of valid examples",
From e7f49c83b70d093502cef103ca5ecffd89c99d56 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Thu, 20 Feb 2025 23:44:17 +0100
Subject: [PATCH 22/69] SSVC

- addresses parts of oasis-tcs/csaf#803
- update with latest developments from SSVC
---
 ...sts-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md | 3 ++-
 .../data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json | 2 +-
 .../data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
index efa81867a..355f45d5a 100644
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
@@ -6,7 +6,8 @@ For each SSVC decision point given under `selections` with a `namespace` other t > According to the SSVC project, the following values are currently registered: > > ``` -> cvssv4 +> cvss +> nciss > ssvc > ``` diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json index 40a4349b8..6da75207f 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json @@ -49,7 +49,7 @@ "selections": [ { "name": "Attack Complexity", - "namespace": "CVSSv4", + "namespace": "CVSS", "values": [ "Low" ], diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json index 4eb290704..983e84737 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json @@ -49,7 +49,7 @@ "selections": [ { "name": "Attack Complexity", - "namespace": "cvssv4", + "namespace": "cvss", "values": [ "Low" ], From 12e3f58e414353d44ed6afe9643e2699c3b3e5c1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 16:43:46 +0100 Subject: [PATCH 23/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - correct default open behavior of model and serial number --- .../schema-elements-01-defs-03-full-product-name.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 26d228393..c8eba27ba 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md 
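Review bot: The registered-namespace list that the mandatory test relies on is given without a source or date (`According to the SSVC project, the following values are currently registered:`), and this very commit shows it drifting (`cvssv4` becomes `cvss`, `nciss` appears), so validators built from different revisions of the specification will disagree on the same document. A link to the SSVC registry the values were taken from and a sentence such as `Validators SHOULD use the registered namespaces as published by the SSVC project at the time of validation.` would make the normative source explicit. The two test-file hunks in this commit (`CVSS` as failing, `cvss` as valid) are consistent with the updated list.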
+++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -236,8 +236,9 @@ the component to identify. > Often it is abbreviated as "MN", M/N" or "model no.". If a part of a model number of the component to identify is given, -it SHOULD begin with the first character of the model number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). +it MUST begin with the first character of the model number and end with the last character. +Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). +This applies also to the first character. Two `*` MUST NOT follow each other. *Examples 1:* @@ -325,8 +326,9 @@ Any given serial number of value type `string` with at least 1 character represe abbreviated (partial) serial number of the component to identify. If a part of a serial number of the component to identify is given, -it SHOULD begin with the first character of the serial number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). +it MUST begin with the first character of the serial number and end with the last character. +Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). +This applies also to the first character. Two `*` MUST NOT follow each other. ##### Full Product Name Type - Product Identification Helper - SKUs From 51b3efb1ca93784377ec9b8e8ac16d00ce39376d Mon Sep 17 00:00:00 2001 
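Review bot: `Characters which SHOULD NOT be matched MUST be replaced by either ? ... or *` and `This applies also to the first character.` are ambiguous in both the model-number and the serial-number hunk: it is unclear whether they cover characters that are unknown or characters the author deliberately does not want compared, and the second sentence does not say what applies. If the intent is that the first character may itself be a wildcard, suggest `Characters that are unknown or not to be matched literally MUST be replaced by either ? (for a single character) or * (for zero or more characters).` and `The first character MAY itself be replaced in this way.` Since the new text makes a full match the default, a one-line example showing that a prefix now needs a trailing `*` (e.g. `ABC*` instead of `ABC`) would help readers coming from the previous `stop at any point` rule; the examples block that follows is outside the hunk, so it may already cover this.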
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 16:49:50 +0100 Subject: [PATCH 24/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - clarify multiple `*` should be avoided - introduce escaping --- .../edit/src/schema-elements-01-defs-03-full-product-name.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index c8eba27ba..190574eaf 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -240,6 +240,8 @@ it MUST begin with the first character of the model number and end with the last Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). This applies also to the first character. Two `*` MUST NOT follow each other. +Multiple occurrences of `*` in a single string SHOULD be avoided. +When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. *Examples 1:* @@ -330,6 +332,8 @@ it MUST begin with the first character of the serial number and end with the las Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). This applies also to the first character. Two `*` MUST NOT follow each other. +Multiple occurrences of `*` in a single string SHOULD be avoided. +When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. ##### Full Product Name Type - Product Identification Helper - SKUs From 1421c2f05940b2a0504f20d318ac629e1e35f44c Mon Sep 17 00:00:00 2001 
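Review bot: The escape rule added to the model-number hunk says `When part of the serial number, the special characters ?, * and \ MUST be escaped with \` — copied from the serial-number hunk; it should read `model number` there. The rule should also define what a `\` followed by any other character means (suggest `A \ MUST only be followed by ?, * or \.`), otherwise matchers will diverge on malformed input. A reminder that the backslash is itself escaped at the JSON layer, so a literal `*` appears as `\\*` in the document text, would prevent a common implementation mistake in both sections.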
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 16:58:14 +0100 Subject: [PATCH 25/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - add conversion rules --- csaf_2.1/prose/edit/src/conformance.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 6bf10e0f8..8981893a9 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -538,8 +538,30 @@ Secondly, the program fulfills the following for all items of: * type `/$defs/full_product_name_t/product_identification_helper/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. +* type `/$defs/full_product_name_t/model_number`: If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD + add a `*` to the end and output a warning that a partial model number was detected and a star has been added. + Such a warning MUST include the model number. + If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + + > A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all model numbers as part of the model number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all model numbers as part of the model number itself and therefore escape it. + * type `/$defs/full_product_name_t/product_identification_helper/purls`: If a `/$defs/full_product_name_t/product_identification_helper/purl` is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding `purls` array. +* type `/$defs/full_product_name_t/serial_number`: If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD + add a `*` to the end and output a warning that a partial serial number was detected and a star has been added. + Such a warning MUST include the serial number. + If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. 
+ + > A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all serial numbers as part of the serial number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all serial numbers as part of the serial number itself and therefore escape it. + * `/$schema`: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema. * `/document/csaf_version`: The CSAF 2.0 to CSAF 2.1 converter MUST update the value to `2.1`. * `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below: From 674e64d4410482f6e12bf3d0b1140a14b05523f7 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 19:23:10 +0100 Subject: [PATCH 26/69] SSVC - addresses review comment from oasis-tcs/csaf#871 - unify formatting - sort list lexiographically --- ...nsiderations-01-construction-principles.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md index dc0516452..4cc4df915 100644 --- a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md +++ b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md 
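Review bot: The default conversion rewrites a 2.0 model or serial number without looking at any `?` or `*` it already contains, yet these characters gain wildcard meaning only in 2.1, so a literal `?` or `*` in the 2.0 value silently turns into a pattern and the advisory matches more products than the publisher stated; the non-default options acknowledge this but the default path emits no warning for it. The rule should add, for both fields, a line such as `If the model number contains an unescaped `?` or `*`, the CSAF 2.0 to CSAF 2.1 converter MUST output a warning that the character is now interpreted as a wildcard. Such a warning MUST include the model number.` The order of the steps also matters for the non-default options: the "escape `*`" option has to be applied before the trailing `*` is appended, otherwise the appended star is escaped as well; stating the order explicitly would remove that ambiguity.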
@@ -37,23 +37,23 @@ Delegation to industry best practices technologies is used in referencing schema * Classification for Document Distribution * Traffic Light Protocol (TLP) * Default Definition: https://www.first.org/tlp/ +* Platform Data + * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N) +* Vulnerability Categorization + * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC) + * JSON Schema Reference: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json * Vulnerability Classification * Common Weakness Enumeration (CWE) [cite](#CWE) * CWE List: http://cwe.mitre.org/data/index.html -* Platform Data: - * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N) -* Vulnerability Categorization: - * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC) - * JSON Schema Reference https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json -* Vulnerability Scoring: +* Vulnerability Scoring * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40) - * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v4.0.json * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31) - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.1.json * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30) - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.0.json * Common Vulnerability Scoring System (CVSS) Version 2.0 [cite](#CVSS2) - * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v2.0.json Even though the JSON schema does not prohibit specifically additional properties and custom keywords, it is strongly recommended not to use them. 
Suggestions for new fields SHOULD be made through issues in the TC's GitHub. From 4c11d5ee410fbca14f6af468a11e112ca3e330fb Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 19:50:32 +0100 Subject: [PATCH 27/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - tighten definition: prohibit multiple stars - adapt conversion rule --- csaf_2.1/prose/edit/src/conformance.md | 26 ++++++++++++------- ...a-elements-01-defs-03-full-product-name.md | 6 ++--- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 8981893a9..f1650dde4 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -538,11 +538,15 @@ Secondly, the program fulfills the following for all items of: * type `/$defs/full_product_name_t/product_identification_helper/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. -* type `/$defs/full_product_name_t/model_number`: If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD - add a `*` to the end and output a warning that a partial model number was detected and a star has been added. - Such a warning MUST include the model number. - If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. - +* type `/$defs/full_product_name_t/model_number`: + * If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial model number was detected and a star has been added. + Such a warning MUST include the model number. + * If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the model number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a model number with multiple stars was detected and removed. + Such a warning MUST include the model number. + > A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. > A tool MAY provide a non-default option to interpret the `?` in all model numbers as part of the model number itself and therefore escape it. 
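Review bot: The new third bullet removes a model number with multiple unescaped `*` but does not say what happens when it was the only entry; `model_numbers` would then be an empty array, which the schema presumably rejects (verify against `/$defs/full_product_name_t`), so the converted document fails validation for a reason the warning never mentions. Add a sentence along the lines of `If this leaves model_numbers empty, the converter MUST remove the model_numbers property as well.` and let the warning state that the product is no longer identified by a model number, so the publisher knows to supply a replacement identifier. The same gap applies to the serial-number bullet in the following hunk.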
@@ -551,10 +555,14 @@ Secondly, the program fulfills the following for all items of: * type `/$defs/full_product_name_t/product_identification_helper/purls`: If a `/$defs/full_product_name_t/product_identification_helper/purl` is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding `purls` array. -* type `/$defs/full_product_name_t/serial_number`: If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD - add a `*` to the end and output a warning that a partial serial number was detected and a star has been added. - Such a warning MUST include the serial number. - If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. +* type `/$defs/full_product_name_t/serial_number`: + * If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial serial number was detected and a star has been added. + Such a warning MUST include the serial number. + * If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the serial number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a serial number with multiple stars was detected and removed. + Such a warning MUST include the serial number. > A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 190574eaf..f875e8494 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md 
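Review bot: Because the check runs "after the conversion", the star appended by the first bullet always counts, so any 2.0 serial number that contains a single literal `*` anywhere is dropped in the default mode even though CSAF 2.0 gave `*` no wildcard meaning and the value was perfectly usable as an identifier. Escaping the pre-existing `*` (and `?`) before appending the trailing star would preserve the identifier instead of discarding it, and removal could be reserved for values that cannot be made unambiguous; if dropping is intended, the bullet should at least say that the removal is applied to the pre-existing stars and not the appended one. The model-number bullets in the previous hunk have the same behaviour.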
+++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -239,8 +239,7 @@ If a part of a model number of the component to identify is given, it MUST begin with the first character of the model number and end with the last character. Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). This applies also to the first character. -Two `*` MUST NOT follow each other. -Multiple occurrences of `*` in a single string SHOULD be avoided. +Multiple unescaped `*` MUST NOT occur in a single string. When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. *Examples 1:* @@ -331,8 +330,7 @@ If a part of a serial number of the component to identify is given, it MUST begin with the first character of the serial number and end with the last character. Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). This applies also to the first character. -Two `*` MUST NOT follow each other. -Multiple occurrences of `*` in a single string SHOULD be avoided. +Multiple unescaped `*` MUST NOT occur in a single string. When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. ##### Full Product Name Type - Product Identification Helper - SKUs From 23518a71b735680dbaab739d91da231b92463ff1 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 21 Feb 2025 19:58:19 +0100 Subject: [PATCH 28/69] Nit: Distribution of a sentence across two lines. --- ...ts-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md index 355f45d5a..f0ae0ccc8 100644 
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md @@ -1,7 +1,7 @@ ### Prohibited SSVC Decision Point Namespace -For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive registered values, it MUST be tested that the -`namespace` it not equal to the case-insensitive registered values. +For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive registered values, +it MUST be tested that the `namespace` it not equal to the case-insensitive registered values. > According to the SSVC project, the following values are currently registered: > From 87be6205c8e7200f24b844849b30926d5c0f74de Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 21:09:02 +0100 Subject: [PATCH 29/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - add comment that backslashes need to be escaped themselves in JSON strings --- .../edit/src/schema-elements-01-defs-03-full-product-name.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index f875e8494..2b81638f4 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -242,6 +242,8 @@ This applies also to the first character. Multiple unescaped `*` MUST NOT occur in a single string. When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. +> Note: A backslash MUST be escaped itself in a JSON string. + *Examples 1:* ``` 
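Review bot: The re-wrapped sentence keeps the typo "the `namespace` it not equal", which should be "the `namespace` is not equal"; since this is the normative sentence of a mandatory test, the wording is worth fixing while the line is being touched. Spelling out the intent in a second clause would also help implementers, e.g. "i.e. a namespace that differs from a registered value only in case MUST be rejected".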
@@ -333,6 +335,8 @@ This applies also to the first character. Multiple unescaped `*` MUST NOT occur in a single string. When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. +> Note: A backslash MUST be escaped itself in a JSON string. + ##### Full Product Name Type - Product Identification Helper - SKUs The list of stock keeping units (`skus`) of value type `array` with 1 or more items contains a list of full or From c581d40603715df7bc7be0f37b3155c169b65eea Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 21:18:46 +0100 Subject: [PATCH 30/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - add mandatory test 6.1.43 for stars in model numbers - add invalid examples - add vaild examples --- csaf_2.1/prose/edit/etc/bind.txt | 1 + ...3-use-of-multiple-stars-in-model-number.md | 23 +++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json | 45 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json | 45 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json | 49 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json | 45 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json | 45 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 28 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 95390a140..727f540a2 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt 
@@ -73,6 +73,7 @@ tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md tests-01-mndtr-40-invalid-sharing-group-name.md tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md +tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md tests-02-optional.md tests-03-informative.md distributing.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md new file mode 100644 index 000000000..771334694 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md @@ -0,0 +1,23 @@ +### Use of Multiple Stars in Model Number + +For each model number it MUST be tested that the it does not contain multiple unescaped stars. + +> Multiple `*` that match zero or multiple characters within a model number introduce an ambiguousness and is therefore prohibited. + +The relevant paths for this test are: + +``` + /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[] + /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[] + /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[] +``` + +*Example 1 (which fails the test):* + +``` + "model_numbers": [ + "P*A*" + ] +``` + +> The model number contains two unescaped stars. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json new file mode 100644 index 000000000..7b84e48d5 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json 
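Review bot: Two of the three relevant paths in the new test contain a `product_id/` segment, `/product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]` and `/product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[]`, but `product_id` is a string sibling of `product_identification_helper`, as the test document `oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json` in this same patch shows; a validator following the prose literally would never visit the field. They should read `/product_tree/full_product_names[]/product_identification_helper/model_numbers[]` and `/product_tree/relationships[]/full_product_name/product_identification_helper/model_numbers[]`. The test sentence also reads "that the it does not contain" (drop "the"), and the note "introduce an ambiguousness and is therefore prohibited" should be "introduce ambiguity and are therefore prohibited".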
@@ -0,0 +1,45 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Model Number (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "model_numbers": [ + "P*A*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json new file mode 100644 index 000000000..f1d2bf894 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json 
@@ -0,0 +1,45 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Model Number (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "model_numbers": [ + "*P*\\*?*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json new file mode 100644 index 000000000..d27289d90 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "model_numbers": [ + "PA*", + "P?A*", + "P??A*", + "P???A*", + "P????A*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json new file mode 100644 index 000000000..d651d3a60 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json 
@@ -0,0 +1,45 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "model_numbers": [ + "*P\\*\\*?\\*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json new file mode 100644 index 000000000..4db911207 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json 
@@ -0,0 +1,45 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Model Number (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "model_numbers": [ + "P\\*\\*\\\\?" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index a48be64ef..51a9607fe 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1286,6 +1286,34 @@ } ] }, + { + "id": "6.1.43", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 5b29cc4fb..1a38f4338 100644 
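Review bot: None of the five test documents exercises a star preceded by an escaped backslash, which is the case a naive implementation gets wrong: in `P\\*A*` (JSON `"P\\\\*A*"`) the backslash before the first star is itself escaped, so both stars are unescaped and the value must fail, yet a validator using a simple look-behind like `(?<!\\)\*` counts only one and accepts it. I would add that value as a third failing example and `"P\\\\?A*"` as a further valid one, and state in the test prose that escaping is resolved left to right. The 6.1.44 serial-number cases in the next patch would benefit from the same pair.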
--- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-3]))$" }, "valid": { "title": "List of valid examples", From f29dd52e2409acb9663b808cf2a2f92108d0366b Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 21:25:31 +0100 Subject: [PATCH 31/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - add mandatory test 6.1.44 for stars in serial numbers - add invalid examples - add vaild examples --- csaf_2.1/prose/edit/etc/bind.txt | 1 + ...-use-of-multiple-stars-in-serial-number.md | 23 +++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json | 45 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json | 45 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json | 49 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json | 45 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json | 45 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 28 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 727f540a2..9ad5c2749 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt 
@@ -74,6 +74,7 @@ tests-01-mndtr-40-invalid-sharing-group-name.md tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md +tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md tests-02-optional.md tests-03-informative.md distributing.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md new file mode 100644 index 000000000..f5c2ec8b7 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md @@ -0,0 +1,23 @@ +### Use of Multiple Stars in Serial Number + +For each serial number it MUST be tested that the it does not contain multiple unescaped stars. + +> Multiple `*` that match zero or multiple characters within a serial number introduce an ambiguousness and is therefore prohibited. + +The relevant paths for this test are: + +``` + /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[] + /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[] + /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[] +``` + +*Example 1 (which fails the test):* + +``` + "serial_numbers": [ + "P*A*" + ] +``` + +> The serial number contains two unescaped stars. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json new file mode 100644 index 000000000..3a02f2d37 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json 
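Review bot: As in test 6.1.43, the second and third paths include a `product_id/` segment (`/product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[]` and the relationships variant), but `product_id` is a string next to `product_identification_helper`, which the accompanying `oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json` shows; drop the segment so the paths become `/product_tree/full_product_names[]/product_identification_helper/serial_numbers[]` and `/product_tree/relationships[]/full_product_name/product_identification_helper/serial_numbers[]`. The same wording fixes apply here: "that the it does not contain" and "introduce an ambiguousness and is therefore prohibited".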
@@ -0,0 +1,45 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Serial Number (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "serial_numbers": [ + "P*A*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json new file mode 100644 index 000000000..6079b0212 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json 
@@ -0,0 +1,45 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Serial Number (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "serial_numbers": [ + "*P*\\*?*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json new file mode 100644 index 000000000..a2ca578c1 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Use of Multiple Stars in Serial Number (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "name": "Product A", + "product_id": "CSAFPID-9080700", + "product_identification_helper": { + "serial_numbers": [ + "PA*", + "P?A*", + "P??A*", + "P???A*", + "P????A*" + ] + } + } + ] + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json new file mode 100644 index 000000000..0f56680d7 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json 
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "*P\\*\\*?\\*"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json
new file mode 100644
index 000000000..16f384852
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Use of Multiple Stars in Serial Number (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "name": "Product A",
+ "product_id": "CSAFPID-9080700",
+ "product_identification_helper": {
+ "serial_numbers": [
+ "P\\*\\*\\\\?"
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 51a9607fe..abcae1510 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1314,6 +1314,34 @@
 }
 ]
 },
+ {
+ "id": "6.1.44",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.2.1",
 "group": "optional",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 1a38f4338..1fd3d6811 100644
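Review bot: The 6.1.44 fixtures never exercise an escaped backslash directly followed by a wildcard star (JSON `\\\\*`, i.e. `\\*` after decoding), which is the one case where a checker that pairs every `\*` as "escaped star" miscounts; valid example 3 only covers the `\\\\?` variant. A constructed failing fixture with `"serial_numbers": ["P\\\\*A\\\\*"]` (two unescaped stars, each preceded by an escaped backslash) would pin that parsing rule, unless 44-01, which is outside this view, already does. The five single-star patterns in 44-11 differ only in the number of `?`, so one of them could be swapped for such a case without losing coverage.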
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-3]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-4]))$"
 },
 "valid": {
 "title": "List of valid examples",
From e7f3dddd492135caf799edf905be027ff132f7e8 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Fri, 21 Feb 2025 21:39:23 +0100
Subject: [PATCH 32/69] Initial release date
- addresses parts of oasis-tcs/csaf#791
- rephrase initial release date to avoid confusion with a release to a closed target group
- adapt decription in schema
---
csaf_2.1/json_schema/csaf_json_schema.json | 2 +-
.../prose/edit/src/schema-elements-02-props-02-document.md | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index 67946f32d..906c43770 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -855,7 +855,7 @@
 },
 "initial_release_date": {
 "title": "Initial release date",
- "description": "The date when this document was first published.",
+ "description": "The date when this document was first released to the intended target group.",
 "type": "string",
 "format": "date-time"
 },
diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md
index e8e3f8645..610cb8e29 100644
--- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -643,7 +643,11 @@ This value is also used to determine the filename for the CSAF document (cf. sec ##### Document Property - Tracking - Initial Release Date -Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first published. +Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the intended target group. + +> For `TLP:CLEAR` documents, this is usually the timestamp when the document was published. +> For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group. +> Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience. ##### Document Property - Tracking - Revision History From 34b150f90d0f53607843cf1017db0b72a7347aa1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 21:45:33 +0100 Subject: [PATCH 33/69] Initial release date - addresses parts of oasis-tcs/csaf#791 - rephrase integer and semantic versioning to avoid confusion with a release to a closed target group --- csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md index ba7b7197a..53e5136f8 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md 
@@ -39,7 +39,7 @@ The following rules apply: Any modifications MUST be released as a new version. 2. Version zero (0) is for initial development before the `initial_release_date`. The document status MUST be `draft`. Anything MAY change at any time. The document SHOULD NOT be considered stable. -3. Version 1 defines the initial public release. +3. Version 1 defines the initial release to the intended target group. Each new version where `/document/tracking/status` is `final` has a version number incremented by one. 4. Pre-release versions (document status `draft`) MUST carry the new version number. Sole exception is before the initial release (see rule 2). @@ -70,7 +70,7 @@ This results in the following rules: tracked in this stage with (0.y.z) by incrementing the minor version y instead. Changes that would increment the minor or patch version according to rule 6 or 5 are both tracked in this stage with (0.y.z) by incrementing the patch version z instead. -4. Version 1.0.0 defines the initial public release. +4. Version 1.0.0 defines the initial release to the intended target group. The way in which the version number is incremented after this release is dependent on the content and structure of the document and how it changes. 5. Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced. From 1c9b84b173aa31e456a5c385f449a702dc24d414 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 21 Feb 2025 22:07:29 +0100 Subject: [PATCH 34/69] Initial release date - addresses parts of oasis-tcs/csaf#791 - clarify how to correct a wrong `initial_release_date` - add note to conformance targets that use the word "publish" and its derived forms --- csaf_2.1/prose/edit/src/conformance.md | 4 ++++ .../prose/edit/src/schema-elements-02-props-02-document.md | 3 +++ 2 files changed, 7 insertions(+) 
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 6bf10e0f8..050d1e0d3 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md @@ -256,6 +256,8 @@ A CSAF content management system satisfies the "CSAF content management system" the configuration (default: 3 weeks) * suggest to publish a new version of the CSAF document with the document status `final` if the document status was `interim` and no new release has be done during the given threshold in the configuration (default: 6 weeks) + > Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of + whether the intended target group is the public or a closed group. * support the following workflows: * "New Advisory": create a new advisory, request a review, provide review comments or approve it, resolve review comments; @@ -372,6 +374,8 @@ The resulting translated document: It SHOULD NOT use the original `/document/tracking/id` as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original `/document/tracking/id` and translated `/document/lang` as a `/document/tracking/id` for the translated document. + > Note that the term "publish" is used in this conformance profile independent of whether the intended target group is the public + or a closed group. * provides the `/document/lang` property with a value matching the language of the translation. * provides the `/document/source_lang` to contain the language of the original document (and SHOULD only be set by CSAF translators). * has the value `translator` set in `/document/publisher/category` diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 610cb8e29..8c6fb1435 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
+++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -649,6 +649,9 @@ Initial release date (`initial_release_date`) with value type `string` with form > For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group. > Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience. +If the timestamp of the initial release date was set incorrectly, it MUST be corrected. +This change MUST be tracked with a new entry in the revision history. + ##### Document Property - Tracking - Revision History The Revision History (`revision_history`) with value type `array` of 1 or more Revision History Entries holds one revision item for each version of From 1dcd3299488ee1e527ec098193cda877c19c3913 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Mon, 24 Feb 2025 18:22:53 +0100 Subject: [PATCH 35/69] simplify language --- .../tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md index 771334694..367658cff 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md @@ -2,7 +2,7 @@ For each model number it MUST be tested that the it does not contain multiple unescaped stars. -> Multiple `*` that match zero or multiple characters within a model number introduce an ambiguousness and is therefore prohibited. +> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and is therefore prohibited. The relevant paths for this test are: From f443bdbbae49185c13436bdd76591307eb289350 Mon Sep 17 00:00:00 2001 
From: Stefan Hagen Date: Mon, 24 Feb 2025 19:08:56 +0100 Subject: [PATCH 36/69] Simplify and match plurality --- .../tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md index f5c2ec8b7..d6d56129b 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md @@ -2,7 +2,7 @@ For each serial number it MUST be tested that the it does not contain multiple unescaped stars. -> Multiple `*` that match zero or multiple characters within a serial number introduce an ambiguousness and is therefore prohibited. +> Multiple `*` that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited. The relevant paths for this test are: From 0a7a9c74fec08e18dae00677d83e3a7c802418d2 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Mon, 24 Feb 2025 19:09:33 +0100 Subject: [PATCH 37/69] Adapt plurality --- .../tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md index 367658cff..77c98f11c 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md 
@@ -2,7 +2,7 @@ For each model number it MUST be tested that the it does not contain multiple unescaped stars. -> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and is therefore prohibited. +> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited. The relevant paths for this test are: From 8772a187a4a9b7f5f60367fbc59c05871c3d27b3 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Mon, 24 Feb 2025 19:33:35 +0100 Subject: [PATCH 38/69] Review feedback on matchin rules - The text was very similar across model and serial number matching and also exposed (in my reading) "conformance" bleeding (e.g. that SHOULD NO be matched is not necessarily a concern of the spec). - Fixed also some failed CPSR-coding where serial number term occurred in the model number description of rules. - Added an example, where the first part of the model number "Pattern" is replaced with an asterisk wildcard - Some semantic clarification of phrasing attempted Question still remains: Why not allow e.g. *-2024-*? I understand from our anchoring requirements (pattern describes the full string from the set of matching model/serial identifiers) that we would want to allow shell glob like matching on such texts from inventory management systems. Use case in point: In the past model numbers had the year identifier in the middle. Now in the present there is a problem with all components from models of the year 2024. Problem: We force the producer to list all such identifiers explicitly because we prohibit patterns like *-2024-* Signed-off-by: Stefan Hagen --- ...ema-elements-01-defs-03-full-product-name.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 2b81638f4..697e10f0c 100644 
--- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -236,17 +236,18 @@ the component to identify. > Often it is abbreviated as "MN", M/N" or "model no.". If a part of a model number of the component to identify is given, -it MUST begin with the first character of the model number and end with the last character. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. This applies also to the first character. -Multiple unescaped `*` MUST NOT occur in a single string. -When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the model number, the special characters `?`, `*` and `\` MUST be escaped with `\`. > Note: A backslash MUST be escaped itself in a JSON string. *Examples 1:* ``` + *-2024 6RA8096-4MV62-0AA0 6RA801?-??V62-0AA0 IC25T060ATCS05-0 
@@ -329,11 +330,11 @@ Any given serial number of value type `string` with at least 1 character represe abbreviated (partial) serial number of the component to identify. If a part of a serial number of the component to identify is given, -it MUST begin with the first character of the serial number and end with the last character. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. This applies also to the first character. -Multiple unescaped `*` MUST NOT occur in a single string. -When part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. > Note: A backslash MUST be escaped itself in a JSON string. From 39a992af59e2a47933a360e9724a3ff682af5e9c Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 24 Feb 2025 21:33:07 +0100 Subject: [PATCH 39/69] Initial release date - addresses review comment from oasis-tcs/csaf#873 - replace "intended" with "specified" --- csaf_2.1/json_schema/csaf_json_schema.json | 2 +- csaf_2.1/prose/edit/src/conformance.md | 4 ++-- .../prose/edit/src/schema-elements-02-props-02-document.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 906c43770..9da518720 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json 
@@ -855,7 +855,7 @@ }, "initial_release_date": { "title": "Initial release date", - "description": "The date when this document was first released to the intended target group.", + "description": "The date when this document was first released to the specified target group.", "type": "string", "format": "date-time" }, diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 050d1e0d3..db9d3fdee 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md @@ -257,7 +257,7 @@ A CSAF content management system satisfies the "CSAF content management system" * suggest to publish a new version of the CSAF document with the document status `final` if the document status was `interim` and no new release has be done during the given threshold in the configuration (default: 6 weeks) > Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of - whether the intended target group is the public or a closed group. + whether the specified target group is the public or a closed group. * support the following workflows: * "New Advisory": create a new advisory, request a review, provide review comments or approve it, resolve review comments; 
@@ -374,7 +374,7 @@ The resulting translated document: It SHOULD NOT use the original `/document/tracking/id` as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original `/document/tracking/id` and translated `/document/lang` as a `/document/tracking/id` for the translated document. - > Note that the term "publish" is used in this conformance profile independent of whether the intended target group is the public + > Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public or a closed group. * provides the `/document/lang` property with a value matching the language of the translation. * provides the `/document/source_lang` to contain the language of the original document (and SHOULD only be set by CSAF translators). diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 8c6fb1435..2b3108581 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -643,7 +643,7 @@ This value is also used to determine the filename for the CSAF document (cf. sec ##### Document Property - Tracking - Initial Release Date -Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the intended target group. +Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the specified target group. > For `TLP:CLEAR` documents, this is usually the timestamp when the document was published. > For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group. From f3f2cde8fe44e9111dfde7da64eca67246cca1a8 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 24 Feb 2025 21:38:01 +0100 Subject: [PATCH 40/69] Initial release date - addresses review comment from oasis-tcs/csaf#873 - replace "intended" with "specified" also in the definition of version --- csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md index 53e5136f8..ff64ab20f 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-11-version.md @@ -39,7 +39,7 @@ The following rules apply: Any modifications MUST be released as a new version. 2. Version zero (0) is for initial development before the `initial_release_date`. The document status MUST be `draft`. Anything MAY change at any time. The document SHOULD NOT be considered stable. -3. Version 1 defines the initial release to the intended target group. +3. Version 1 defines the initial release to the specified target group. Each new version where `/document/tracking/status` is `final` has a version number incremented by one. 4. Pre-release versions (document status `draft`) MUST carry the new version number. Sole exception is before the initial release (see rule 2). 
@@ -70,7 +70,7 @@ This results in the following rules: tracked in this stage with (0.y.z) by incrementing the minor version y instead. Changes that would increment the minor or patch version according to rule 6 or 5 are both tracked in this stage with (0.y.z) by incrementing the patch version z instead. -4. Version 1.0.0 defines the initial release to the intended target group. +4. Version 1.0.0 defines the initial release to the specified target group. The way in which the version number is incremented after this release is dependent on the content and structure of the document and how it changes. 5. Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced. From fca42fe483ab6c3e080bd6ead4075bfc7c394217 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 24 Feb 2025 21:56:41 +0100 Subject: [PATCH 41/69] Model and Serial Number - addresses parts of oasis-tcs/csaf#847 - add examples for serial numbers - improve examples for model numbers --- .../schema-elements-01-defs-03-full-product-name.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md index 697e10f0c..73a9983fb 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md +++ b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md @@ -247,7 +247,8 @@ As part of the model number, the special characters `?`, `*` and `\` MUST be esc *Examples 1:* ``` - *-2024 + *-G109A/EU? + 2024-* 6RA8096-4MV62-0AA0 6RA801?-??V62-0AA0 IC25T060ATCS05-0 
@@ -338,6 +339,16 @@ As part of the serial number, the special characters `?`, `*` and `\` MUST be es > Note: A backslash MUST be escaped itself in a JSON string. +*Examples 1:* + +``` + *RF8R71YR??? + 11S45N0249Z1ZS9* + DSEP147100 + L15-VM-??? + L234.696.30.044.712 +``` + ##### Full Product Name Type - Product Identification Helper - SKUs The list of stock keeping units (`skus`) of value type `array` with 1 or more items contains a list of full or From 4b694e3d2c1dbb68ed0990b28eca80856e65e22b Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 17:41:40 +0100 Subject: [PATCH 42/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - update name and description in JSON schema --- csaf_2.1/json_schema/csaf_json_schema.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 67946f32d..91a94d275 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -1099,6 +1099,12 @@ } } }, + "disclosure_date": { + "title": "Disclosure date", + "description": "Holds the date and time the vulnerability was originally disclosed to the public.", + "type": "string", + "format": "date-time" + }, "discovery_date": { "title": "Discovery date", "description": "Holds the date and time the vulnerability was originally discovered.", @@ -1348,12 +1354,6 @@ "description": "Holds a list of references associated with this vulnerability item.", "$ref": "#/$defs/references_t" }, - "release_date": { - "title": "Release date", - "description": "Holds the date and time the vulnerability was originally released into the wild.", - "type": "string", - "format": "date-time" - }, "remediations": { "title": "List of remediations", "description": "Contains a list of remediations.", From 6a0df71cc2ea4773919d3e88200626508b1b3595 Mon Sep 17 00:00:00 2001 
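Review bot: The description added for `disclosure_date` in the `@@ -1099,6 +1099,12 @@` hunk says the date is when the vulnerability "was originally disclosed to the public", which makes a timestamp in the future look like a data error even though a later patch in this series (the prose for the same field) assigns a future value the meaning of an intended disclosure date. The schema text is what most validators and editors surface, so it should carry that meaning too: `"description": "Holds the date and time the vulnerability was originally disclosed to the public. A date in the future indicates the intended date of disclosure."`. Note also that the removed `release_date` was described as "released into the wild", which is a different event from public disclosure, so the conversion rules that copy one into the other (later in this series) might warrant a sentence in the description saying that converted values may reflect the older meaning.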
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 17:51:25 +0100 Subject: [PATCH 43/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - adapt prose to match schema - add rule on `disclosure_date` in future --- .../schema-elements-02-props-04-vulnerabilities.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index b2f288d2b..41fd3adfd 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -168,6 +168,15 @@ When creating or modifying a CSAF document, the latest published version of the "4.12" ``` +#### Vulnerabilities Property - Disclosure Date + +Disclosure date (`disclosure_date`) with value type `string` of format `date-time` holds the date and time +the vulnerability was originally disclosed to the public. + +For vulnerabilities no yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date of disclosure of the vulnerability. +As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the +vulnerability was in fact disclosed to the public at that time or update the `disclosure_date` with the new intended date in the future. + #### Vulnerabilities Property - Discovery Date Discovery date (`discovery_date`) of value type `string` with format `date-time` holds the date and time the vulnerability was originally discovered. 
@@ -569,11 +578,6 @@ list of references associated with this vulnerability item. }, ``` -#### Vulnerabilities Property - Release Date - -Release date (`release_date`) with value type `string` of format `date-time` holds the date and time -the vulnerability was originally released into the wild. - #### Vulnerabilities Property - Remediations List of remediations (`remediations`) of value type `array` with 1 or more Remediation items of value type `object` contains a list of remediations. From 5d9002b1032af88524e415489274e5769435dce2 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 17:55:52 +0100 Subject: [PATCH 44/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - adapt guidance on size --- csaf_2.1/prose/edit/src/guidance-on-size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index e1b8e1855..35dc7ee00 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -263,10 +263,10 @@ The maximum length of strings representing a temporal value is given by the form * `/document/tracking/generator/date` * `/document/tracking/initial_release_date` * `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/disclosure_date` * `/vulnerabilities[]/discovery_date` * `/vulnerabilities[]/flags[]/date` * `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/release_date` * `/vulnerabilities[]/remediations[]/date` * `/vulnerabilities[]/threats[]/date` From bc9a183b5c8c216e11fe74fc54396da48077962e Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 18:09:15 +0100 Subject: [PATCH 45/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - add conversion rules --- csaf_2.1/prose/edit/src/conformance.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 6bf10e0f8..e86659a21 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md @@ -146,6 +146,7 @@ Secondly, the program fulfills the following for all items of: been removed. * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a warning that this CWE has been removed as its usage is not allowed in vulnerability mappings. +* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date`. * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array. * `/vulnerabilities[]/remediations[]`: * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under @@ -570,7 +571,7 @@ Secondly, the program fulfills the following for all items of: > This is done to create a deterministic conversion. The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. - +* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST set its value as `disclosure_date`. * `/vulnerabilities[]/remediations[]`: * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. From b0064614206baec4206cc5a017838985387afb5c Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 18:15:08 +0100 Subject: [PATCH 46/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - update path in test 6.1.37 --- csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md index a56a13bf0..5824671e7 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md @@ -9,9 +9,9 @@ The relevant path for this test is: /document/tracking/generator/date /document/tracking/initial_release_date /document/tracking/revision_history[]/date + /vulnerabilities[]/disclosure_date /vulnerabilities[]/discovery_date /vulnerabilities[]/flags[]/date - /vulnerabilities[]/release_date /vulnerabilities[]/involvements[]/date /vulnerabilities[]/remediations[]/date /vulnerabilities[]/threats[]/date From dcc987abfc6f6a72b92b981bc0c6fc0eb54d11f9 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 18:18:13 +0100 Subject: [PATCH 47/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - update overview in vulnerabilities section --- .../src/schema-elements-02-props-04-vulnerabilities.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index 41fd3adfd..2ee858941 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md 
@@ -15,8 +15,8 @@ properties represents a list of all relevant vulnerability information items. The Vulnerability item of value type `object` with 1 or more properties is a container for the aggregation of all fields that are related to a single vulnerability in the document. Any vulnerability MAY provide the optional properties Acknowledgments (`acknowledgments`), Common Vulnerabilities and Exposures (CVE) (`cve`), -Common Weakness Enumeration (CWE) (`cwes`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`), -Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Release Date (`release_date`), +Common Weakness Enumeration (CWE) (`cwes`), Disclosure Date (`disclosure_date`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), +Involvements (`involvements`), Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Remediations (`remediations`), Threats (`threats`), and Title (`title`). ``` @@ -30,6 +30,9 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "cwes": { // ... }, + "disclosure_date": { + // ... + }, "discovery_date": { // ... }, @@ -54,9 +57,6 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "references": { // ... }, - "release_date": { - // ... - }, "remediations": { // ... }, From f66606e15d76a759b36c04066e222811eeb73fd2 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 26 Feb 2025 18:24:48 +0100 Subject: [PATCH 48/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - adapt examples --- csaf_2.1/examples/csaf/rhsa-2021_5186.json | 6 +++--- csaf_2.1/examples/csaf/rhsa-2021_5217.json | 4 ++-- csaf_2.1/examples/csaf/rhsa-2022_0011.json | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/csaf_2.1/examples/csaf/rhsa-2021_5186.json b/csaf_2.1/examples/csaf/rhsa-2021_5186.json index a905de27a..6a62e888a 100644 --- a/csaf_2.1/examples/csaf/rhsa-2021_5186.json +++ b/csaf_2.1/examples/csaf/rhsa-2021_5186.json @@ -173,6 +173,7 @@ "version": "4.6" } ], + "disclosure_date": "2021-12-10T00:00:00Z", "discovery_date": "2021-12-13T00:00:00Z", "ids": [ { @@ -228,7 +229,6 @@ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], - "release_date": "2021-12-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", @@ -252,6 +252,7 @@ }, { "cve": "CVE-2021-4125", + "disclosure_date": "2021-12-16T00:00:00Z", "discovery_date": "2021-12-16T00:00:00Z", "ids": [ { @@ -297,7 +298,6 @@ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" } ], - "release_date": "2021-12-16T00:00:00Z", "remediations": [ { "category": "vendor_fix", @@ -320,4 +320,4 @@ "title": "CVE-2021-4125 kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] -} \ No newline at end of file +} diff --git a/csaf_2.1/examples/csaf/rhsa-2021_5217.json b/csaf_2.1/examples/csaf/rhsa-2021_5217.json index 26e7eb9e4..e1e49c8ab 100644 --- a/csaf_2.1/examples/csaf/rhsa-2021_5217.json +++ b/csaf_2.1/examples/csaf/rhsa-2021_5217.json @@ -124,6 +124,7 @@ "version": "4.6" } ], + "disclosure_date": "2021-12-16T17:05:00Z", "discovery_date": "2021-12-17T00:00:00Z", "ids": [ { @@ -165,7 +166,6 @@ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602" } ], - "release_date": "2021-12-16T17:05:00Z", "remediations": [ { "category": "vendor_fix", @@ -186,4 +186,4 @@ "title": "CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users" } ] -} \ No newline at end of file +} diff --git a/csaf_2.1/examples/csaf/rhsa-2022_0011.json b/csaf_2.1/examples/csaf/rhsa-2022_0011.json index e25209a91..35a361a3d 100644 --- a/csaf_2.1/examples/csaf/rhsa-2022_0011.json +++ b/csaf_2.1/examples/csaf/rhsa-2022_0011.json 
@@ -348,6 +348,7 @@ "version": "4.6" } ], + "disclosure_date": "2020-02-28T00:00:00Z", "discovery_date": "2020-03-06T00:00:00Z", "ids": [ { @@ -393,7 +394,6 @@ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811673" } ], - "release_date": "2020-02-28T00:00:00Z", "remediations": [ { "category": "vendor_fix", @@ -428,4 +428,4 @@ "title": "CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code" } ] -} \ No newline at end of file +} From 7d9d451c88282c114c52e78717c88f406e5bd37f Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 16:57:48 +0100 Subject: [PATCH 49/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - add mandatory test 6.1.45 for inconsistent disclosure date - add valid examples - add invalid examples --- ...1-mndtr-45-inconsistent-disclosure-date.md | 46 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json | 37 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json | 42 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json | 37 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json | 42 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json | 42 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 28 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 8 files changed, 275 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md new file mode 100644 index 000000000..de75ffbc4 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md 
@@ -0,0 +1,46 @@ +### Inconsistent Disclosure Date + +For each vulnerability, it MUST be tested that the `disclosure_date` is not newer than the `date` of the newest item of the `revision_history` +if the document is labeled `TLP:CLEAR` and the document status is `final` or `interim`. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + // ... + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + // ... + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the date of newest item in the `revision_history`. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json new file mode 100644 index 000000000..6f6e6954a --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json 
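Review bot: The new test text does not say why only `TLP:CLEAR` documents in status `final` or `interim` are checked, nor that equal timestamps pass, although valid example 6-1-45-11 in this series relies on equality being accepted. A one-line rationale after the example would make the intent clear to validator implementers, e.g. `> A TLP:CLEAR document in status final or interim has been published, so a disclosure_date later than its newest revision would claim the vulnerability was still undisclosed when the document was released.` I would also replace the sentence on timezones with `As the timestamps might use different timezones, all values MUST be converted to a common timezone (e.g. UTC) before comparison; a disclosure_date equal to the date of the newest revision_history item passes.` so the rule is defined as an instant comparison rather than a "sorting" of strings.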
@@ -0,0 +1,37 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json new file mode 100644 index 000000000..0b7df51c2 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json 
@@ -0,0 +1,42 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (failing example 2)", + "tracking": { + "current_release_date": "2024-02-29T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + }, + { + "date": "2024-02-29T10:00:00.000Z", + "number": "2", + "summary": "Second version." + } + ], + "status": "final", + "version": "2" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2025-02-26T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json new file mode 100644 index 000000000..b66dd4834 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json 
@@ -0,0 +1,37 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-01-24T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json new file mode 100644 index 000000000..1c0abf5ad --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json 
@@ -0,0 +1,42 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (valid example 2)", + "tracking": { + "current_release_date": "2024-02-29T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + }, + { + "date": "2024-02-29T10:00:00.000Z", + "number": "2", + "summary": "Second version." + } + ], + "status": "final", + "version": "2" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-26T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json new file mode 100644 index 000000000..7c76f9ab8 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json 
@@ -0,0 +1,42 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "AMBER+STRICT" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (valid example 3)", + "tracking": { + "current_release_date": "2024-02-29T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + }, + { + "date": "2024-02-29T10:00:00.000Z", + "number": "2", + "summary": "Second version." + } + ], + "status": "final", + "version": "2" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2025-02-26T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index abcae1510..c42533fa3 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1342,6 +1342,34 @@ } ] }, + { + "id": "6.1.45", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 1fd3d6811..3d64e3adc 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json 
+++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-4]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-5]))$" }, "valid": { "title": "List of valid examples", From b13b272480c3b34fbb969677961c2e468e925806 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 19:16:44 +0100 Subject: [PATCH 50/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - remove unnecessary lines from example --- .../src/tests-01-mndtr-45-inconsistent-disclosure-date.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md index de75ffbc4..e08ff3d8a 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md @@ -22,9 +22,7 @@ The relevant path for this test is: }, // ... "tracking": { - "current_release_date": "2024-01-24T10:00:00.000Z", // ... - "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { "date": "2024-01-24T10:00:00.000Z", @@ -33,7 +31,7 @@ The relevant path for this test is: } ], "status": "final", - "version": "1" + // ... } }, "vulnerabilities": [ From 07a6877ef380bc79a8803bd4d24d56f565993613 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 19:25:49 +0100 Subject: [PATCH 51/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - add optional test 6.2.33 for past disclosure date after release - add invalid example - add valid example --- csaf_2.1/prose/edit/src/tests-02-optional.md | 47 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json | 37 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json | 42 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json | 42 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 20 ++++++++ .../test/validator/testcases_json_schema.json | 2 +- 6 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index c6459f39a..680a59bba 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md 
@@ -1038,3 +1038,50 @@ The relevant paths for this test are: ``` > Both products are identified by the same serial number `143-D-354`. + +### Disclosure Date newer than Revision History + +For each vulnerability, it MUST be tested that the `disclosure_date` is not newer than the `date` of the newest item of the `revision_history` +if the `disclosure_date` is in the past at the time of the test execution. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + // ... + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + // ... + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The `disclosure_date` is in the past but newer than the date of newest item in the `revision_history`. diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json new file mode 100644 index 000000000..7cef5b689 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json 
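Review bot: The condition `if the disclosure_date is in the past at the time of the test execution` makes this optional test's outcome depend on the validator's wall clock, and the text does not require that clock to be reported, so two runs of the same validator on the same document can disagree without any trace of why. I would add `The validator SHOULD report the timestamp it used for this comparison alongside the test result.` after that sentence; fixtures such as 6-2-33-12 in this series sidestep the problem by using `9999-12-31`, which is sound but should be the documented convention. The prose should also state how this test relates to the mandatory test 6.1.45 added in this series, e.g. `> For documents labeled TLP:CLEAR in status final or interim this check is already mandatory (6.1.45); this optional test extends it to all other documents.`, otherwise a `TLP:CLEAR` final document with a past, too-new `disclosure_date` is reported twice.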
@@ -0,0 +1,37 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Disclosure Date newer than Revision History (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json new file mode 100644 index 000000000..ea59d8af1 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json 
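Review bot: The `title` of this fixture reads `Informative test: Disclosure Date newer than Revision History (failing example 1)` although the case is registered in testcases.json as id `6.2.33` in group `optional`, and the same prefix is used in the other 6-2-33 fixtures of this series. In this repository's numbering the informative tests are the 6.3.x series, so the titles point readers at the wrong section; I would change the prefix to `Optional test:` in all 6-2-33 fixtures. This is only a string in test data, but the fixtures double as documentation of what each test number means.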
@@ -0,0 +1,42 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Disclosure Date newer than Revision History (valid example 1)", + "tracking": { + "current_release_date": "2024-02-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + }, + { + "date": "2024-02-24T10:00:00.000Z", + "number": "2", + "summary": "Second version." + } + ], + "status": "final", + "version": "2" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json new file mode 100644 index 000000000..fb1f49535 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json 
@@ -0,0 +1,42 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Disclosure Date newer than Revision History (valid example 2)", + "tracking": { + "current_release_date": "2024-02-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + }, + { + "date": "2024-02-24T10:00:00.000Z", + "number": "2", + "summary": "Second version." + } + ], + "status": "final", + "version": "2" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "9999-12-31T23:59:59.000Z" + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index c42533fa3..5c78312a6 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -2096,6 +2096,26 @@ } ] }, + { + "id": "6.2.33", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json", + "valid": true + }, + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 3d64e3adc..0a592e73c 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json 
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-2])|(1\\.3[3-9])|(1\\.4[0-5]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-3])|(1\\.3[4-9])|(1\\.4[0-5]))$" }, "valid": { "title": "List of valid examples", From 62154b71c68077a734cc69e8a5dd6e190b2eb2b8 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 19:27:37 +0100 Subject: [PATCH 52/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - add 6.1.45 to bind.txt --- csaf_2.1/prose/edit/etc/bind.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 9ad5c2749..bd4ba57c7 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt @@ -75,6 +75,7 @@ tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md +tests-01-mndtr-45-inconsistent-disclosure-date.md tests-02-optional.md tests-03-informative.md distributing.md From 69eb92dde36d35eaaebd4d8adacb64ea6ffff4e2 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 19:40:35 +0100 Subject: [PATCH 53/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782 - add invalid timezone example for 6.1.45 - add valid timezone example for 6.1.45 - add invalid timezone example for 6.2.33 - add valid timezone example for 6.2.33 --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json | 37 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json | 37 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json | 37 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json | 37 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 ++++++++ 5 files changed, 164 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json new file mode 100644 index 000000000..b21be1b02 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json 
@@ -0,0 +1,37 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-01-24T09:00:00.000-06:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json new file mode 100644 index 000000000..fbee7b5e3 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json 
@@ -0,0 +1,37 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Inconsistent Disclosure Date (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-01-24T09:00:00.000+06:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json new file mode 100644 index 000000000..3ef922ad0 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json 
@@ -0,0 +1,37 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "RED" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Informative test: Disclosure Date newer than Revision History (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-23T14:00:00.000-21:00" + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json new file mode 100644 index 000000000..fd61dd2b3 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json 
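Review bot: The `disclosure_date` value `2024-02-23T14:00:00.000-21:00` uses a UTC offset of -21:00, which no real timezone has and which some date-time libraries reject outright (Java's `ZoneOffset`, for example, only accepts -18:00 to +18:00), so a validator built on such a library would fail this file in test 6.1.37 before ever reaching 6.2.33. The other timezone fixtures in this series stay within the real-world range (`-06:00`, `+06:00`, `+07:00`). I would use a realistic offset that still crosses the day boundary into the newer date, e.g. `"disclosure_date": "2024-02-23T23:00:00.000-12:00"`, which is the same instant (2024-02-24T11:00:00Z) and therefore still newer than the single `revision_history` entry.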
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Informative test: Disclosure Date newer than Revision History (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2024-02-24T14:00:00.000+07:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 5c78312a6..088a4fb0e 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1353,6 +1353,10 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-03.json",
+ "valid": false
 }
 ],
 "valid": [
@@ -1367,6 +1371,10 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-13.json",
 "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-14.json",
+ "valid": true
 }
 ]
 },
@@ -2103,6 +2111,10 @@
 {
 "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json",
 "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-02.json",
+ "valid": true
 }
 ],
 "valid": [
@@ -2113,6 +2125,10 @@
 {
 "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-12.json",
 "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-13.json",
+ "valid": true
 }
 ]
 },
From 24109fdb0b12ea7801d719b533dfae600dc6e39f Mon Sep 17 00:00:00 2001
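Review bot: Valid example 3 (6-2-33-13) does not satisfy the test it is labelled valid for: its `disclosure_date` `2024-02-24T14:00:00.000+07:00` is 2024-02-24T07:00:00Z, which is later than the newest `revision_history` `date` `2024-01-24T10:00:00.000Z` and already in the past at execution time, so under the 6.2.33 wording in PATCH 59 ("earlier or equal to the `date` of the newest item of the `revision_history` if the `disclosure_date` is in the past") a conforming validator would flag it. The pairing with failing example 2 in the previous hunk (`2024-02-23T14:00:00.000-21:00`, i.e. 2024-02-24T11:00:00Z) suggests both files were designed around a release date of 2024-02-24T10:00:00Z, with the 2024-01-24 values presumably carried over from the template. Setting `"current_release_date": "2024-02-24T10:00:00.000Z"`, `"initial_release_date": "2024-02-24T10:00:00.000Z"` and the revision `"date": "2024-02-24T10:00:00.000Z"` in both files would make example 2 fail and example 3 pass only when the comparison is timezone-aware, which is the behaviour the test is meant to exercise. Both titles also read "Informative test:" although 6.2.33 lives in tests-02-optional.md; presumably "Optional test:" was intended.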
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 20:01:11 +0100 Subject: [PATCH 54/69] Disclosure Date - addresses parts of oasis-tcs/csaf#782, oasis-tcs/csaf#469 - add invalid examples for 6.1.37 (leap second and year) - add valid examples for 6.1.37 (leap second and year) --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json | 32 ++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json | 38 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json | 38 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json | 38 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json | 38 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json | 38 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json | 38 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json | 38 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 32 ++++++++++++++++ 9 files changed, 330 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json
new file mode 100644
index 000000000..513dd0cd4
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-02",
+ "initial_release_date": "2024-01-24T10:00:00.000z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000+00:10:21",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json
new file mode 100644
index 000000000..48e0045ee
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json
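Review bot: Failing example 2 bundles three independent defects in one file — `current_release_date` has no timezone designator, `initial_release_date` ends in a lowercase `z`, and the revision `date` carries a seconds field in its offset (`+00:10:21`) — so a validator that rejects only the first of them passes this test without ever being checked on the other two. One file per defect would make each rejection individually observable, and the accompanying testcases.json entries would then document which malformation is covered. Note also that RFC 3339 §5.6 explicitly allows the `T` and `Z` to be lowercase, so a validator implementing the `date-time` format strictly by that RFC would accept `2024-01-24T10:00:00.000z`; if CSAF 2.1 intends to reject lowercase `z`, the 6.1.37 prose should state that restriction rather than leaving it implied by the example.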
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2017-01-01T02:59:60+04:00",
+ "discovery_date": "2014-13-31T00:00:00+01:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json
new file mode 100644
index 000000000..e00b3731c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2023-04-31T00:00:00+01:00",
+ "discovery_date": "2023-02-30T00:00:00+01:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json
new file mode 100644
index 000000000..01f0db67b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 5)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-05",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2023-02-29T00:00:00+01:00",
+ "discovery_date": "1900-02-29T00:00:00+01:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json
new file mode 100644
index 000000000..200a1e68e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2015-06-30T10:29:60-13:30",
+ "discovery_date": "2015-06-30T23:59:60+00:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json
new file mode 100644
index 000000000..46994847d
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2016-12-31T00:00:60+23:59",
+ "discovery_date": "2015-07-01T06:59:60+07:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json
new file mode 100644
index 000000000..2178a28f6
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json
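Review bot: The `disclosure_date` of valid example 3, `2016-12-31T00:00:60+23:59`, is not a leap second once the offset is applied: subtracting +23:59 gives 2016-12-30T00:01:60Z, whereas the leap second at the end of 2016 is 2016-12-31T23:59:60Z, so a validator that checks second=60 against the leap-second table would reject this "valid" file. The local time that maps to that instant at offset +23:59 is `"disclosure_date": "2017-01-01T23:58:60+23:59"`. The `discovery_date` in the same file (`2015-07-01T06:59:60+07:00` = 2015-06-30T23:59:60Z) is correct, as are the leap-second values in the neighbouring valid examples 2 and 4. Since PATCH 55 puts this file into `EXCLUDE_LEAP`, run_tests.sh will not surface the error, so it is worth fixing before the data is used as a reference.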
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2016-12-31T23:59:60+00:00",
+ "discovery_date": "2017-01-01T02:59:60+03:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json
new file mode 100644
index 000000000..b7790f42f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "disclosure_date": "2020-02-29T03:14:58+00:00",
+ "discovery_date": "2000-02-29T02:14:58+03:00"
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 088a4fb0e..90fb65b41 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1121,12 +1121,44 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json",
+ "valid": false
 }
 ],
 "valid": [
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json",
 "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json",
+ "valid": true
 }
 ]
 },
From c41d8f6e14f8a4ab4a2c21aa5163dc5d8575863b Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 28 Feb 2025 20:13:03 +0100 Subject: [PATCH 55/69] Daten and Time - addresses parts of oasis-tcs/csaf#469 - correct filename - exclude leap seconds files from testing - exclude invalid date-time format from testing --- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json | 4 ++-- csaf_2.1/test/validator/run_tests.sh | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json
index b7790f42f..eed43f7e5 100644
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-15.json
@@ -13,10 +13,10 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Mandatory test: Date and Time (valid example 4)",
+ "title": "Mandatory test: Date and Time (valid example 5)",
 "tracking": {
 "current_release_date": "2024-01-24T10:00:00.000Z",
- "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-14",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-15",
 "initial_release_date": "2024-01-24T10:00:00.000Z",
 "revision_history": [
 {
diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
index 1c287c799..7e3f13783 100755
--- a/csaf_2.1/test/validator/run_tests.sh
+++ b/csaf_2.1/test/validator/run_tests.sh
@@ -10,7 +10,8 @@ CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
-EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
+EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
+EXCLUDE_LEAP='oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json'
 EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json
 FAIL=0
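Review bot: The new `EXCLUDE_LEAP` list and the four files added to `EXCLUDE` (6-1-37-02 to 6-1-37-05) switch tests off without recording why, so nothing in the script tells a maintainer when they may be re-enabled; the commit message only says "exclude", and the reason is presumably that the validator's `date-time` format check cannot evaluate second=60 or the malformed offsets in those files — that should be confirmed and written down. I would put `# 6.1.37 leap-second examples (second=60): skipped until the validator can check them against the leap-second table` above `EXCLUDE_LEAP` and a matching one-line reason next to the 37-02..05 additions. Excluding the failing examples 02–05 also means the suite never verifies that those malformed timestamps are rejected, which is worth stating explicitly so the gap is not mistaken for coverage.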
@@ -30,14 +31,14 @@ validate() {
 }
 test_all() {
- for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}")
+ for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -Ev "${EXCLUDE_LEAP}")
 do
 validate $i
 done
 }
 test_all_strict() {
- for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -v ${EXCLUDE_STRICT})
+ for i in $(ls -1 ${TESTPATH} | grep -Ev "${EXCLUDE}" | grep -Ev "${EXCLUDE_LEAP}" | grep -v ${EXCLUDE_STRICT})
 do
 validate $i
 done
From db0cfa590c8a286b5426a528c5122675e646e950 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 28 Feb 2025 22:30:08 +0100 Subject: [PATCH 56/69] Nit: More direct, closer to the format terms --- csaf_2.1/prose/edit/src/conformance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
index 739282a24..672f51364 100644
--- a/csaf_2.1/prose/edit/src/conformance.md
+++ b/csaf_2.1/prose/edit/src/conformance.md
@@ -605,7 +605,7 @@ Secondly, the program fulfills the following for all items of: > This is done to create a deterministic conversion. The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
-* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST set its value as `disclosure_date`.
+* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as `disclosure_date`.
 * `/vulnerabilities[]/remediations[]`: * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
From c4a03aefc352c1ec546efd3d83ec224b19f5cc74 Mon Sep 17 00:00:00 2001
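Review bot: The exclusion pipeline is now duplicated in `test_all` and `test_all_strict` and mixes two quoting styles — `grep -Ev "${EXCLUDE}"` and `grep -Ev "${EXCLUDE_LEAP}"` are quoted extended patterns while the older `grep -v ${EXCLUDE_STRICT}` is unquoted and basic — so the next list added is likely to drift between the two loops. Folding the two lists into one quoted alternation, `grep -Ev "${EXCLUDE}|${EXCLUDE_LEAP}"`, keeps each loop at a single filter and makes `EXCLUDE_STRICT` the only difference between the functions. `for i in $(ls -1 ${TESTPATH} …)` also word-splits on whitespace, which is harmless for the current file names but worth a comment if the data set is ever renamed.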
From: Stefan Hagen Date: Fri, 28 Feb 2025 22:32:36 +0100 Subject: [PATCH 57/69] Nits: typo and varied speech --- .../edit/src/schema-elements-02-props-04-vulnerabilities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index 2ee858941..8a8eeda7d 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -173,7 +173,7 @@ When creating or modifying a CSAF document, the latest published version of the Disclosure date (`disclosure_date`) with value type `string` of format `date-time` holds the date and time the vulnerability was originally disclosed to the public. -For vulnerabilities no yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date of disclosure of the vulnerability. +For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability. As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the vulnerability was in fact disclosed to the public at that time or update the `disclosure_date` with the new intended date in the future. From c7a22c4a3b4eb257d8707d10ea426e6306c24480 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 28 Feb 2025 22:34:43 +0100 Subject: [PATCH 58/69] Nit: Replaced not newer with earlier or equal to --- .../edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md index e08ff3d8a..11c744782 100644 
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md @@ -1,6 +1,6 @@ ### Inconsistent Disclosure Date -For each vulnerability, it MUST be tested that the `disclosure_date` is not newer than the `date` of the newest item of the `revision_history` +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` if the document is labeled `TLP:CLEAR` and the document status is `final` or `interim`. As the timestamps might use different timezones, the sorting MUST take timezones into account. From 7e90404e979cbe68f9bbfbecfb89f9beb81e3454 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 28 Feb 2025 22:36:36 +0100 Subject: [PATCH 59/69] Nit: Replaced not newer with earlier or equal to --- csaf_2.1/prose/edit/src/tests-02-optional.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index 680a59bba..591688cdf 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -1041,7 +1041,7 @@ The relevant paths for this test are: ### Disclosure Date newer than Revision History -For each vulnerability, it MUST be tested that the `disclosure_date` is not newer than the `date` of the newest item of the `revision_history` +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` if the `disclosure_date` is in the past at the time of the test execution. As the timestamps might use different timezones, the sorting MUST take timezones into account. From 85aefd843a36028a94f8f212b954fd653ba7d4de Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 1 Mar 2025 11:19:02 +0100 Subject: [PATCH 60/69] SSVC - addresses parts of oasis-tcs/csaf#803 - prepare merge from editor-revision-2025-02-26 - rename tests - adapt test data --- csaf_2.1/prose/edit/etc/bind.txt | 6 +- ...tests-01-mndtr-47-inconsistent-ssvc-id.md} | 0 ...tests-01-mndtr-48-ssvc-decision-points.md} | 0 ...ohibited-ssvc-decision-point-namespace.md} | 0 ...asis_csaf_tc-csaf_2_1-2024-6-1-47-01.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-02.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-03.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-04.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-11.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-12.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-13.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-14.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-47-15.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-01.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-02.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-03.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-04.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-11.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-12.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-13.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-48-14.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-49-01.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-49-02.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-49-11.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-49-12.json} | 2 +- ...oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json | 5 +- ...oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json | 3 +- ...asis_csaf_tc-csaf_2_1-2024-6-2-35-01.json} | 7 ++- ...asis_csaf_tc-csaf_2_1-2024-6-2-35-11.json} | 5 +- csaf_2.1/test/validator/data/testcases.json | 60 +++++++++---------- .../test/validator/testcases_json_schema.json | 2 +- 31 files changed, 65 insertions(+), 65 deletions(-) rename 
csaf_2.1/prose/edit/src/{tests-01-mndtr-43-inconsistent-ssvc-id.md => tests-01-mndtr-47-inconsistent-ssvc-id.md} (100%) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-44-ssvc-decision-points.md => tests-01-mndtr-48-ssvc-decision-points.md} (100%) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md => tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md} (100%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json} (97%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json} (97%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json} (97%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json => oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json} (96%) rename 
csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json => oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json} (96%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json} (96%) rename csaf_2.1/test/validator/data/optional/{oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json => oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json} (86%) rename csaf_2.1/test/validator/data/optional/{oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json => oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json} (90%) diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 357098d47..3feaef46f 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt 
@@ -73,9 +73,9 @@ tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md tests-01-mndtr-40-invalid-sharing-group-name.md tests-01-mndtr-41-missing-sharing-group-name.md tests-01-mndtr-42-purl-qualifiers.md -tests-01-mndtr-43-inconsistent-ssvc-id.md -tests-01-mndtr-44-ssvc-decision-points.md -tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md +tests-01-mndtr-47-inconsistent-ssvc-id.md +tests-01-mndtr-48-ssvc-decision-points.md +tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md tests-02-optional.md tests-03-informative.md distributing.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json index c9a329d4d..91a4ce2dd 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json index 00e7e5563..6e94e4b70 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json index 1ca4af109..67c1539ba 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (failing example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-03", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-03", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json similarity index 97% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json index 3bae9469c..712483f88 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (failing example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-04", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-04", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json index c76f762f0..931f5d9ce 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json similarity index 97% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json index 9c517e7c5..16e531e47 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json index 8382ed28b..d7e4d8201 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (valid example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-13", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-13", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json similarity index 97% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json index a13be38a4..8a29027ae 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (valid example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-14", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-14", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json index 03e30fa1d..3167981b6 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Inconsistent SSVC ID (valid example 5)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-43-15", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-47-15", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json index b6d15de2b..8c55143ce 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json index 25bf39134..ad7feff83 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json index 8eee3e3ef..eae682056 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (failing example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-03", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-03", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json index f7dcf7ad4..1236e8dc0 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (failing example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-04", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-04", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json index 47d5c1d6b..4d5845cb7 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json index 69e4d25f5..4e91e36ad 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json index c3fcc8e7d..463d139f5 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (valid example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-13", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-13", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json index 4eff00a0a..ee895468a 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json @@ -16,7 +16,7 @@ "title": "Mandatory test: SSVC Decision Points (valid example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-44-14", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-14", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json index 814397d5f..769a2bb53 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json index 6da75207f..59d3682ba 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json index 1a64adf1b..e51c584ed 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json similarity index 96% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json index 983e84737..1a1a43c3f 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json @@ -16,7 +16,7 @@ "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-45-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json index a97f984ea..44e1bf321 100644 --- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json @@ -13,7 +13,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Optional test: Usage of Unknown SSVC Role (failing example 1)", + "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-34-01", @@ -45,12 +45,11 @@ "content": { "ssvc_v1": { "id": "CVE-1900-0001", - "role": "An unregistrable role", "schemaVersion": "1-0-1", "selections": [ { "name": "Technical Impact", - "namespace": "ssvc", + "namespace": "an-yet-unknown-or-maybe-private-namespace", "values": [ "Total" ], 
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json index e03302dea..3c21bc401 100644 --- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json @@ -13,7 +13,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Optional test: Usage of Unknown SSVC Role (valid example 1)", + "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-34-11", @@ -45,7 +45,6 @@ "content": { "ssvc_v1": { "id": "CVE-1900-0001", - "role": "Coordinator", "schemaVersion": "1-0-1", "selections": [ { diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json similarity index 86% rename from csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json rename to csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json index 2ae8db383..6ce8ea49b 100644 --- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json @@ -13,10 +13,10 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (failing example 1)", + "title": "Optional test: Usage of Unknown SSVC Role (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-35-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
@@ -45,11 +45,12 @@ "content": { "ssvc_v1": { "id": "CVE-1900-0001", + "role": "An unregistrable role", "schemaVersion": "1-0-1", "selections": [ { "name": "Technical Impact", - "namespace": "an-yet-unknown-or-maybe-private-namespace", + "namespace": "ssvc", "values": [ "Total" ], diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json similarity index 90% rename from csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json rename to csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json index 8f46eb43b..c9366b2f3 100644 --- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json @@ -13,10 +13,10 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Optional test: Usage of Unknown SSVC Decision Point Namespace (valid example 1)", + "title": "Optional test: Usage of Unknown SSVC Role (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-33-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-35-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { @@ -45,6 +45,7 @@ "content": { "ssvc_v1": { "id": "CVE-1900-0001", + "role": "Coordinator", "schemaVersion": "1-0-1", "selections": [ { diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index b88c00a43..904c48280 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1287,109 +1287,109 @@ ] }, { - "id": "6.1.43", + "id": "6.1.47", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-02.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-03.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-03.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-04.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-04.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-12.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-13.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-13.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-14.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-14.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-43-15.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-47-15.json", "valid": true } ] }, { - "id": "6.1.44", + "id": "6.1.48", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-02.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-03.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-03.json", 
"valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-04.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-12.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-13.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-13.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-44-14.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json", "valid": true } ] }, { - "id": "6.1.45", + "id": "6.1.49", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-45-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json", "valid": true } ] 
@@ -2122,33 +2122,33 @@ ] }, { - "id": "6.2.33", + "id": "6.2.34", "group": "optional", "failures": [ { - "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-01.json", + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json", "valid": true } ], "valid": [ { - "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-33-11.json", + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json", "valid": true } ] }, { - "id": "6.2.34", + "id": "6.2.35", "group": "optional", "failures": [ { - "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-01.json", + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-01.json", "valid": true } ], "valid": [ { - "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-34-11.json", + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-35-11.json", "valid": true } ] diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 7f18ae377..9ea0b7175 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-4])|(1\\.3[5-9])|(1\\.4[0-5]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-3])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|([12]\\.3[0-5])|(1\\.3[6-9])|(1\\.4[0-9]))$" }, "valid": { "title": "List of valid examples", From 4a421c3571521ec79b99ab267c1ba780e7df3169 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 1 Mar 2025 19:43:57 +0100 Subject: [PATCH 61/69] SSVC - addresses parts of oasis-tcs/csaf#803 - update referenced schemas for SSVC --- .../certcc/Decision_Point-1-0-1.schema.json | 125 ++++++++++++++++++ ...on_Point_Value_Selection-1-0-1.schema.json | 56 +++----- csaf_2.1/test/aggregator_schema/run_tests.sh | 5 +- csaf_2.1/test/csaf_schema/run_tests.sh | 5 +- csaf_2.1/test/provider_schema/run_tests.sh | 5 +- csaf_2.1/test/validator/run_tests.sh | 5 +- 6 files changed, 155 insertions(+), 46 deletions(-) create mode 100644 csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json new file mode 100644 index 000000000..e5e295446 --- /dev/null +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json 
@@ -0,0 +1,125 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "title": "Decision Point schema definition", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json", + "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.", + "$defs": { + "schemaVersion": { + "description": "Schema version used to represent this Decision Point.", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "decision_point_value": { + "type": "object", + "additionalProperties": false, + "properties": { + "key": { + "type": "string", + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.", + "minLength": 1, + "examples": [ + "P", + "Y" + ] + }, + "name": { + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] + }, + "description": { + "type": "string", + "description": "A full description of the Decision Point Value.", + "minLength": 1, + "examples": [ + "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.", + "Attackers can reliably automate steps 1-4 of the kill chain." + ] + } + }, + "required": [ + "key", + "name", + "description" + ] + }, + "decision_point": { + "type": "object", + "additionalProperties": false, + "properties": { + "schemaVersion": { + "$ref": "#/$defs/schemaVersion" + }, + "namespace": { + "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", + "examples": [ + "ssvc", + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" + ] + }, + "version": { + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] + }, + "key": { + "type": "string", + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point.", + "minLength": 1, + "examples": [ + "E", + "A" + ] + }, + "name": { + "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, + "examples": [ + "Exploitation", + "Automatable" + ] + }, + "description": { + "type": "string", + "description": "A full description of the Decision Point, explaining what it represents and how it is used in SSVC.", + "minLength": 1 + }, + "values": { + "description": "A set of possible answers for a given Decision Point", + "uniqueItems": true, + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/decision_point_value" + } + } + }, + "required": [ + "namespace", + "version", + "key", + "name", + "description", + "values", + "schemaVersion" + ] + } + }, + "$ref": "#/$defs/decision_point" +} \ No newline at end of file diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json index 970bf8b41..ca4d43efe 100644 --- a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +++ b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json 
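Review bot: `uniqueItems: true` on `values` compares whole objects, so two entries that share a `key` (or `name`) but differ in `description` still validate, although `key` is described as "a short, unique string"; because the Value Selection schema in this same commit references `decision_point_value/properties/name` for the selected values, a duplicate name inside one Decision Point would make the order check in test 6.1.48 ambiguous. As this file is a copy of the published CERT/CC schema, the clarification belongs upstream and should then be re-synced, e.g. `"description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value. Uniqueness across a Decision Point's values is not enforced by this schema."`. The `namespace` pattern `^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$` also accepts a bare `---` or a trailing `/`, which is presumably unintended. The file is added without a trailing newline (`\ No newline at end of file`); keep it only if the copy is meant to be byte-identical to the upstream artifact.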
@@ -1,73 +1,53 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": [ - "CVE-2024-101010", + "CVE-1900-1234", "VU#11111", "GHSA-11a1-22b2-33c3" - ] + ], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). 
See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", "examples": [ "Supplier", "Deployer", "Coordinator" - ] + ], + "minLength": 1 }, "timestamp": { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": [ - "1-0-1" - ] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", - "type": "string", - "examples": [ - "Automatable", - "Exploitation" - ] + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", - "type": "string", - "examples": [ - "ssvc", - "cvssv4" - ] + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. 
If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" } }, "type": "object", @@ -88,13 +68,13 @@ "$ref": "#/$defs/role" }, "schemaVersion": { - "$ref": "#/$defs/schemaVersion" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" }, "timestamp": { "$ref": "#/$defs/timestamp" }, "selections": { - "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, @@ -111,4 +91,4 @@ "schemaVersion" ], "additionalProperties": false -} +} \ No newline at end of file diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh index 3f8ef7660..21b3ff0d9 100755 --- a/csaf_2.1/test/aggregator_schema/run_tests.sh +++ b/csaf_2.1/test/aggregator_schema/run_tests.sh 
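Review bot: The new `id` description reads "the vulnerability that was evaluation"; it should be `"description": "Identifier for the vulnerability that was evaluated, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc."`, and the `SsvcdecisionpointselectionSchema` description now ends in "of a Vulnerability evaluation" after already saying "an evaluation", so one of the two should go. Since this file mirrors the published CERT/CC schema, both fixes should be made upstream and re-synced rather than patched locally. The `name`, `namespace`, `values`, `version` and `schemaVersion` properties now `$ref` the absolute `https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json` URI, so a validator that has not pre-registered the local copy under exactly that `$id` will either fail resolution or reach out to the network; the run_tests.sh changes in this commit cover the repository's own validator, but that expectation deserves a sentence in the referenced_schema documentation. The final hunk replaces the closing `}` with the same `}` marked `\ No newline at end of file`, dropping the trailing newline the file previously had.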
@@ -8,7 +8,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json -SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py @@ -21,7 +22,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh index e737c33e0..1d5aeb18c 100755 --- a/csaf_2.1/test/csaf_schema/run_tests.sh +++ b/csaf_2.1/test/csaf_schema/run_tests.sh 
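Review bot: The rewritten `if python3 ${VALIDATOR} ${SCHEMA} $1 ...` line still passes `$1` and every `${..._SCHEMA}` variable unquoted, so a path containing whitespace or glob characters is word-split or expanded before it reaches validator.py; since the line is being touched anyway, quote the arguments: `if python3 "${VALIDATOR}" "${SCHEMA}" "$1" "${CSAF_STRICT_SCHEMA}" "${CVSS_20_STRICT_SCHEMA}" "${CVSS_30_STRICT_SCHEMA}" "${CVSS_31_STRICT_SCHEMA}" "${CVSS_40_STRICT_SCHEMA}" "${SSVC_101_DPVS_SCHEMA}" "${SSVC_101_DP_SCHEMA}" "${PROVIDER_STRICT_SCHEMA}"; then`. The same applies to the equivalent lines in csaf_schema/run_tests.sh, provider_schema/run_tests.sh and validator/run_tests.sh in this commit. The Value Selection schema is listed before the Decision Point schema it references; if validator.py resolves `$ref`s eagerly at registration time that order would matter, so a one-line comment above the `SSVC_101_*` variables stating whether order is significant would save the next editor a guess.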
@@ -7,7 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json -SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/examples/csaf/$1/*.json @@ -19,7 +20,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh index 572d97af6..24ff6181f 100755 --- a/csaf_2.1/test/provider_schema/run_tests.sh +++ b/csaf_2.1/test/provider_schema/run_tests.sh 
@@ -7,7 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json -SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py @@ -20,7 +21,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then + if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh index 71f1b4aac..0e015ba24 100755 --- a/csaf_2.1/test/validator/run_tests.sh +++ b/csaf_2.1/test/validator/run_tests.sh 
@@ -7,7 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json -SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json +SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json +SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/test/validator/data/$1/*.json @@ -22,7 +23,7 @@ cd `dirname $0`/../../.. validate() { printf "%s" "Testing file $1 against schema ${SCHEMA} ... " - if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then + if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then printf "%s\n" SUCCESS else printf "%s\n" FAILED From 3d3ad6ed7b8c6531f9b67f999ae145236426f6a0 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 1 Mar 2025 21:18:04 +0100 Subject: [PATCH 62/69] SSVC - addresses parts of oasis-tcs/csaf#803 - adapt test 6.1.48 to reflect registered namespaces - add invalid examples for namespace `cvss` - add valid examples for namespace `cvss` --- .../tests-01-mndtr-48-ssvc-decision-points.md | 12 +++- ...oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json | 69 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json | 71 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json | 69 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json | 71 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 +++++ 6 files changed, 306 insertions(+), 2 deletions(-) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md index 81956965c..af6b624f9 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md 
@@ -1,7 +1,15 @@ ### SSVC Decision Points -For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly. - +For each SSVC decision point given under `selections` with a registered `namespace`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly. + +> According to the SSVC project, the following values are currently registered: +> +> ``` +> cvss +> nciss +> ssvc +> ``` +> > A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). > The items in `values` need to have the same order as in their definition. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json new file mode 100644 index 000000000..64c1d646d --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-05", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Attack Complexity", + "namespace": "cvss", + "values": [ + "Easy" + ], + "version": "3.0.1" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json new file mode 100644 index 000000000..c8d3cca5b --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (failing example 6)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-06", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploit Maturity", + "namespace": "cvss", + "values": [ + "Proof-of-Concept", + "Unreported", + "Not Defined" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json new file mode 100644 index 000000000..076e12c54 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 5)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-15", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Attack Complexity", + "namespace": "cvss", + "values": [ + "Low" + ], + "version": "3.0.1" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json new file mode 100644 index 000000000..9c641c611 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: SSVC Decision Points (valid example 6)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-48-16", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploit Maturity", + "namespace": "cvss", + "values": [ + "Unreported", + "Proof-of-Concept", + "Not Defined" + ], + "version": "2.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 125b2dc00..4f000a9fd 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1473,6 +1473,14 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-04.json", "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-05.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-06.json", + "valid": false } ], "valid": [ 
@@ -1491,6 +1499,14 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-14.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-15.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-48-16.json", + "valid": true } ] }, From 789e037b305d0c3e9f6d71559ca3384f090fe209 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 1 Mar 2025 21:34:25 +0100 Subject: [PATCH 63/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add test 6.1.46 for invalid ssvc - add invalid examples - add valid examples --- csaf_2.1/prose/edit/etc/bind.txt | 1 + .../src/tests-01-mndtr-46-invalid-ssvc.md | 23 +++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json | 59 ++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json | 67 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json | 69 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json | 69 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 24 +++++++ csaf_2.1/test/validator/run_tests.sh | 2 +- 8 files changed, 313 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index dfd58c756..52c67553e 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt 
@@ -76,6 +76,7 @@ tests-01-mndtr-42-purl-qualifiers.md tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md tests-01-mndtr-45-inconsistent-disclosure-date.md +tests-01-mndtr-46-invalid-ssvc.md tests-01-mndtr-47-inconsistent-ssvc-id.md tests-01-mndtr-48-ssvc-decision-points.md tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md new file mode 100644 index 000000000..a8abc7060 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md @@ -0,0 +1,23 @@ +### Invalid SSVC + +It MUST be tested that the given SSVC object is valid according to the referenced schema. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1 +``` + +*Example 1 (which fails the test):* + +``` + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "timestamp": "2024-01-24T10:00:00.000Z" + } +``` + +> The required element `selections` is missing. + +> A tool MAY add the missing property `id` based on the values given in `cve` respectively `ids[]/text` as quick fix. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json new file mode 100644 index 000000000..d7b15647a --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Invalid SSVC (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json new file mode 100644 index 000000000..ce1c77daa --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json 
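Review bot: This failing example omits only `selections`, and 46-02 in the next hunk uses `value` instead of `values`; none of the new 6.1.46 data exercises a document whose `ssvc_v1` object is missing `id`, which is the case the new test prose's closing remark about tools adding `id` from `cve` or `ids[]/text` describes. Consider a further failing example with `id` omitted so that the quick-fix guidance has a corresponding test file, or move that remark to a test where it applies. The `title` values "Invalid SSVC (failing example 1)" follow the existing convention and give no hint which rule is violated; a reader has to diff against the schema to find out, so naming the violated constraint in the prose examples would help.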
@@ -0,0 +1,67 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Invalid SSVC (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Attack Complexity", + "namespace": "cvss", + "value": "Low", + "version": "3.0.1" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json new file mode 100644 index 000000000..26240b953 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Invalid SSVC (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json new file mode 100644 index 000000000..2854910c2 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Invalid SSVC (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-46-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Attack Complexity", + "namespace": "cvss", + "values": [ + "Low" + ], + "version": "3.0.1" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + "products": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 4f000a9fd..0009d4b38 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1410,6 +1410,30 @@
 }
 ]
 },
+ {
+ "id": "6.1.46",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-46-12.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.1.47",
 "group": "mandatory",
diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
index 0e015ba24..e75937c2b 100755
--- a/csaf_2.1/test/validator/run_tests.sh
+++ b/csaf_2.1/test/validator/run_tests.sh
@@ -12,7 +12,7 @@ SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Sele
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
-EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
+EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json'
 EXCLUDE_LEAP='oasis_csaf_tc-csaf_2_1-2024-6-1-37-12.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-13.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-14.json'
 EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json
From 8e19dc4673a974f98c0c69b68b86d67715db7b09 Mon Sep 17 00:00:00 2001
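Review bot: The `EXCLUDE` assignment has grown into a single line of thirteen pipe-joined file names with no indication of why each group is excluded, and this hunk adds the two 6.1.46 failing examples without saying what check they must be kept away from (presumably a validation that would otherwise flag their deliberately invalid SSVC content, but the hunk does not show the consumer of `EXCLUDE`). Building the value from a one-entry-per-line array keeps future additions reviewable and gives each group a place for a comment; if `EXCLUDE` is consumed as an extended-regex alternation, the join below produces the same string. The script continues outside the hunk, so the consumer of `EXCLUDE` was not checked.
```shell
# excluded test documents, one per line; keep sorted by test number
EXCLUDE_FILES=(
  oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json
  # … unchanged: remaining 6-1-08, 6-1-09 and 6-1-37 entries …
  oasis_csaf_tc-csaf_2_1-2024-6-1-46-01.json
  oasis_csaf_tc-csaf_2_1-2024-6-1-46-02.json
  oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json
)
EXCLUDE=$(IFS='|'; printf '%s' "${EXCLUDE_FILES[*]}")
```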
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Sat, 1 Mar 2025 21:59:11 +0100
Subject: [PATCH 64/69] SSVC - addresses parts of oasis-tcs/csaf#803 - add test 6.1.49 for inconsistent SSVC timestamp - add invalid examples - add valid examples
---
 ...1-mndtr-45-inconsistent-disclosure-date.md | 2 +-
 ...01-mndtr-49-inconsistent-ssvc-timestamp.md | 66 +++++++++++++++++
 ...rohibited-ssvc-decision-point-namespace.md | 54 --------------
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json | 12 +--
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json | 21 ++++--
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json | 74 +++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json | 8 +-
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json | 21 ++++--
 ...oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json | 74 +++++++++++++++++++
 csaf_2.1/test/validator/data/testcases.json | 8 ++
 10 files changed, 259 insertions(+), 81 deletions(-)
 create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
 delete mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json
 create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md
index 11c744782..3dbef9d58 100644
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md
@@ -41,4 +41,4 @@ The relevant path for this test is:
 ]
 ```
 
-> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the date of newest item in the `revision_history`.
+> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the `date` of newest item in the `revision_history`.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
new file mode 100644
index 000000000..fec69c751
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
@@ -0,0 +1,66 @@
+### Inconsistent SSVC Timestamp
+
+For each vulnerability, it MUST be tested that the SSVC `timestamp` is earlier or equal to the `date` of the newest item of the `revision_history`
+if the document status is `final` or `interim`.
+As the timestamps might use different timezones, the sorting MUST take timezones into account.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "document": {
+ // ...
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ // ...
+ "tracking": {
+ // ...
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ // ...
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Active"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-07-13T10:00:00.000Z"
+ }
+ },
+ // ...
+ }
+ ]
+ }
+ ]
+```
+
+> The document is in status `final` but the SSVC `timestamp` is newer than the `date` of newest item in the `revision_history`.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md
deleted file mode 100644
index f0ae0ccc8..000000000
--- a/csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md
+++ /dev/null
@@ -1,54 +0,0 @@
-### Prohibited SSVC Decision Point Namespace
-
-For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive registered values,
-it MUST be tested that the `namespace` it not equal to the case-insensitive registered values.
-
-> According to the SSVC project, the following values are currently registered:
->
-> ```
-> cvss
-> nciss
-> ssvc
-> ```
-
-The relevant path for this test is:
-
-```
- /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace
-```
-
-*Example 1 (which fails the test):*
-
-```
- "vulnerabilities": [
- {
- "cve": "CVE-1900-0001",
- "metrics": [
- {
- "content": {
- "ssvc_v1": {
- "id": "CVE-1900-0001",
- "schemaVersion": "1-0-1",
- "selections": [
- {
- "name": "Mission Impact",
- "namespace": "SSVC",
- "values": [
- "None"
- ],
- "version": "1.0.0"
- }
- ],
- "timestamp": "2024-01-24T10:00:00.000Z"
- }
- },
- // ...
- }
- ]
- }
- ]
-```
-
-> The SSVC decision point namespace uses the capitalized version of the reserved namespace `ssvc`.
-
-> A tool MAY convert the reserved namespace to lowercase as a quick fix.
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json
index 769a2bb53..501149c79 100644
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 1)",
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 1)",
 "tracking": {
 "current_release_date": "2024-01-24T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-01",
@@ -48,15 +48,15 @@
 "schemaVersion": "1-0-1",
 "selections": [
 {
- "name": "Mission Impact",
- "namespace": "SSVC",
+ "name": "Exploitation",
+ "namespace": "ssvc",
 "values": [
- "None"
+ "Active"
 ],
- "version": "1.0.0"
+ "version": "1.1.0"
 }
 ],
- "timestamp": "2024-01-24T10:00:00.000Z"
+ "timestamp": "2024-07-13T10:00:00.000Z"
 }
 },
 "products": [
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json
index 59d3682ba..e5608a9a1 100644
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json
@@ -13,9 +13,9 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 2)",
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 2)",
 "tracking": {
- "current_release_date": "2024-01-24T10:00:00.000Z",
+ "current_release_date": "2024-02-29T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-02",
 "initial_release_date": "2024-01-24T10:00:00.000Z",
 "revision_history": [
@@ -23,10 +23,15 @@
 "date": "2024-01-24T10:00:00.000Z",
 "number": "1",
 "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
 }
 ],
 "status": "final",
- "version": "1"
+ "version": "2"
 }
 },
 "product_tree": {
@@ -48,15 +53,15 @@
 "schemaVersion": "1-0-1",
 "selections": [
 {
- "name": "Attack Complexity",
- "namespace": "CVSS",
+ "name": "Exploitation",
+ "namespace": "ssvc",
 "values": [
- "Low"
+ "Public PoC"
 ],
- "version": "3.0.1"
+ "version": "1.1.0"
 }
 ],
- "timestamp": "2024-01-24T10:00:00.000Z"
+ "timestamp": "2024-02-28T14:30:00.000-20:00"
 }
 },
 "products": [
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json
new file mode 100644
index 000000000..e4d23c566
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json
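Review bot: The new `timestamp` `2024-02-28T14:30:00.000-20:00` carries a UTC offset that no real time zone uses (real offsets lie between -12:00 and +14:00), and the `-19:00` introduced in the 49-12 hunk further down has the same problem. RFC 3339 syntax admits such offsets, but an implementation that checks offsets against the real-world range would reject these documents for a format reason rather than for the 6.1.49 comparison the fixtures are meant to exercise, so the test would no longer isolate the timestamp check. An offset of -11:00 keeps the local calendar date different from the UTC date while staying realistic; for example `"timestamp": "2024-02-28T23:30:00.000-11:00"` here (10:30Z, still newer than the 2024-02-29T10:00:00.000Z revision, so still failing) and `"timestamp": "2024-02-28T22:30:00.000-11:00"` in 49-12 (09:30Z, still older, so still valid). The JSON documents begin and end outside these hunks.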
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Public PoC"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-02-29T14:30:00.000+04:00"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json
index e51c584ed..93a69b7c4 100644
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 1)",
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 1)",
 "tracking": {
 "current_release_date": "2024-01-24T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-11",
@@ -48,12 +48,12 @@
 "schemaVersion": "1-0-1",
 "selections": [
 {
- "name": "Mission Impact",
+ "name": "Exploitation",
 "namespace": "ssvc",
 "values": [
- "None"
+ "Active"
 ],
- "version": "1.0.0"
+ "version": "1.1.0"
 }
 ],
 "timestamp": "2024-01-24T10:00:00.000Z"
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json
index 1a1a43c3f..221133af9 100644
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json
@@ -13,9 +13,9 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 2)",
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 2)",
 "tracking": {
- "current_release_date": "2024-01-24T10:00:00.000Z",
+ "current_release_date": "2024-02-29T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-12",
 "initial_release_date": "2024-01-24T10:00:00.000Z",
 "revision_history": [
@@ -23,10 +23,15 @@
 "date": "2024-01-24T10:00:00.000Z",
 "number": "1",
 "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
 }
 ],
 "status": "final",
- "version": "1"
+ "version": "2"
 }
 },
 "product_tree": {
@@ -48,15 +53,15 @@
 "schemaVersion": "1-0-1",
 "selections": [
 {
- "name": "Attack Complexity",
- "namespace": "cvss",
+ "name": "Exploitation",
+ "namespace": "ssvc",
 "values": [
- "Low"
+ "Public PoC"
 ],
- "version": "3.0.1"
+ "version": "1.1.0"
 }
 ],
- "timestamp": "2024-01-24T10:00:00.000Z"
+ "timestamp": "2024-02-28T14:30:00.000-19:00"
 }
 },
 "products": [
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json
new file mode 100644
index 000000000..204e93f41
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-02-29T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ },
+ {
+ "date": "2024-02-29T10:00:00.000Z",
+ "number": "2",
+ "summary": "Second version."
+ }
+ ],
+ "status": "final",
+ "version": "2"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-1900-0001",
+ "metrics": [
+ {
+ "content": {
+ "ssvc_v1": {
+ "id": "CVE-1900-0001",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "name": "Exploitation",
+ "namespace": "ssvc",
+ "values": [
+ "Public PoC"
+ ],
+ "version": "1.1.0"
+ }
+ ],
+ "timestamp": "2024-02-29T14:30:00.000+07:00"
+ }
+ },
+ "products": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 0009d4b38..b1097f286 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1545,6 +1545,10 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json",
 "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json",
+ "valid": false
 }
 ],
 "valid": [
@@ -1555,6 +1559,10 @@
 {
 "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-12.json",
 "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-13.json",
+ "valid": true
 }
 ]
 },
From 11333d6bbdcfd81f61e4a0f883721bea4f33bdc1 Mon Sep 17 00:00:00 2001
From: Stefan Hagen
Date: Tue, 4 Mar 2025 17:56:30 +0100
Subject: [PATCH 65/69] Suggested from review feedback / dsicussions Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
---
 csaf_2.1/prose/edit/src/conformance.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
index 9fe2040a1..cd76bc960 100644
--- a/csaf_2.1/prose/edit/src/conformance.md
+++ b/csaf_2.1/prose/edit/src/conformance.md
@@ -146,7 +146,7 @@ Secondly, the program fulfills the following for all items of:
 been removed. * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a warning that this CWE has been removed as its usage is not allowed in vulnerability mappings.
-* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date`.
+* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date` element.
 * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array.
 * `/vulnerabilities[]/remediations[]`:
 * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under
From 5858221ec036f65140d16a6dc440ca79267487b6 Mon Sep 17 00:00:00 2001
From: Stefan Hagen
Date: Tue, 4 Mar 2025 18:03:02 +0100
Subject: [PATCH 66/69] Fixed entry in the binder
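Review bot: Every 6.1.49 fixture registered here, including the 49-03 and 49-13 entries this commit adds, carries `"status": "final"`, so the status condition written into the test prose (the comparison applies only to `final` or `interim` documents) is never exercised by the suite. A `draft` document whose SSVC `timestamp` is newer than the newest `revision_history` `date`, listed under `valid`, would pin that the check is skipped for drafts, and an `interim` failing example would pin the other half of the condition. Equality and offset handling are already covered by 49-11 and the 49-02/49-03/49-12/49-13 pairs. The enclosing testcases array begins and ends outside the hunk.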
Signed-off-by: Stefan Hagen
---
 csaf_2.1/prose/edit/etc/bind.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
index 52c67553e..6259e6084 100644
--- a/csaf_2.1/prose/edit/etc/bind.txt
+++ b/csaf_2.1/prose/edit/etc/bind.txt
@@ -79,7 +79,7 @@ tests-01-mndtr-45-inconsistent-disclosure-date.md
 tests-01-mndtr-46-invalid-ssvc.md
 tests-01-mndtr-47-inconsistent-ssvc-id.md
 tests-01-mndtr-48-ssvc-decision-points.md
-tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md
+tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md
From 39939b9dc794fc925fa56c7eb926b4cd6a4cfcf2 Mon Sep 17 00:00:00 2001
From: Stefan Hagen
Date: Tue, 4 Mar 2025 20:30:03 +0100
Subject: [PATCH 67/69] Completed section and example mappings - completed section mappings - completed example mappings - generated user facing derlivery items Signed-off-by: Stefan Hagen
---
 .../edit/etc/example-global-to-local.json | 321 ++---
 .../edit/etc/example-local-to-global.json | 321 ++---
 .../edit/etc/section-display-to-label.json | 35 +-
 .../edit/etc/section-label-to-display.json | 37 +-
 csaf_2.1/prose/share/csaf-v2.1-draft.html | 1147 +++++++++++++----
 csaf_2.1/prose/share/csaf-v2.1-draft.md | 1002 +++++++++++---
 6 files changed, 2087 insertions(+), 776 deletions(-)
diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json
index 2cef7e779..566021755 100644
--- a/csaf_2.1/prose/edit/etc/example-global-to-local.json
+++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json
@@ -15,158 +15,171 @@ "13": "full-product-name-type-product-identification-helper-hashes-eg-3", "14": "full-product-name-type-product-identification-helper-model-numbers-eg-1", "15": "full-product-name-type-product-identification-helper-sbom-urls-eg-1", - "16": "full-product-name-type-product-identification-helper-generic-uris-eg-1", - "17": "full-product-name-type-product-identification-helper-generic-uris-eg-2", - "18": "language-type-eg-1", - "19": "notes-type-eg-1", - "20": "notes-type-eg-2", - "21": "product-group-id-type-eg-1", - "22": "product-id-type-eg-1", - "23": "version-type-eg-1", - "24": "version-type-semantic-versioning-eg-1", - "25": "version-type-semantic-versioning-eg-2", - "26": "version-type-semantic-versioning-eg-3", - "27": "version-type-semantic-versioning-eg-4", - "28": "version-type-semantic-versioning-eg-5", - "29": "version-type-semantic-versioning-eg-6", - "30": "document-property-aggregate-severity-eg-1", - "31": "document-property-category-eg-1", - "32": "document-property-distribution-eg-1", - "33": "document-property-distribution-text-eg-1", - "34": "document-property-distribution-tlp-eg-1", - "35": "document-property-publisher-contact-details-eg-1", - "36": "document-property-publisher-name-eg-1", - "37": "document-property-publisher-namespace-eg-1", - "38": "document-property-title-eg-1", - "39": "document-property-tracking-aliases-eg-1", - "40": "document-property-tracking-generator-eg-1", - "41": "document-property-tracking-generator-eg-2", - "42": "document-property-tracking-id-eg-1", - "43": "product-tree-property-product-groups-eg-1", - "44": "product-tree-property-relationships-eg-1", - "45": "vulnerabilities-property-cwes-eg-1", - "46": "vulnerabilities-property-cwes-eg-2", - "47": "vulnerabilities-property-cwes-eg-3", - "48": "vulnerabilities-property-ids-eg-1", - "49": "vulnerabilities-property-ids-eg-2", - "50": "filename-eg-1", - "51": "filename-eg-2", - "52": "hardware-and-software-within-the-product-tree-eg-1", - "53": 
"missing-definition-of-product-id-eg-1", - "54": "multiple-definition-of-product-id-eg-1", - "55": "circular-definition-of-product-id-eg-1", - "56": "missing-definition-of-product-group-id-eg-1", - "57": "multiple-definition-of-product-group-id-eg-1", - "58": "contradicting-product-status-eg-1", - "59": "multiple-scores-with-same-version-per-product-eg-1", - "60": "invalid-cvss-eg-1", - "61": "invalid-cvss-computation-eg-1", - "62": "inconsistent-cvss-eg-1", - "63": "mandatory-tests--cwe-eg-1", - "64": "language-eg-1", - "65": "purl-eg-1", - "66": "sorted-revision-history-eg-1", - "67": "translator-eg-1", - "68": "latest-document-version-eg-1", - "69": "document-status-draft-eg-1", - "70": "released-revision-history-eg-1", - "71": "revision-history-entries-for-pre-release-versions-eg-1", - "72": "non-draft-document-version-eg-1", - "73": "missing-item-in-revision-history-eg-1", - "74": "multiple-definition-in-revision-history-eg-1", - "75": "multiple-use-of-same-cve-eg-1", - "76": "multiple-definition-in-involvements-eg-1", - "77": "multiple-use-of-same-hash-algorithm-eg-1", - "78": "prohibited-document-category-name-eg-1", - "79": "prohibited-document-category-name-eg-2", - "80": "document-notes-eg-1", - "81": "document-references-eg-1", - "82": "vulnerabilities-for-informational-advisory-eg-1", - "83": "product-tree-eg-1", - "84": "vulnerability-notes-eg-1", - "85": "product-status-eg-1", - "86": "vex-product-status-eg-1", - "87": "vulnerability-id-eg-1", - "88": "impact-statement-eg-1", - "89": "action-statement-eg-1", - "90": "vulnerabilities-for-security-advisory-or-vex-eg-1", - "91": "translation-eg-1", - "92": "remediation-without-product-reference-eg-1", - "93": "mixed-integer-and-semantic-versioning-eg-1", - "94": "version-range-in-product-version-eg-1", - "95": "flag-without-product-reference-eg-1", - "96": "multiple-flags-with-vex-justification-codes-per-product-eg-1", - "97": "mandatory-tests--branches-recursion-depth-eg-1", - "98": 
"contradicting-remediations-eg-1", - "99": "contradicting-product-status-remediation-combination-eg-1", - "100": "mandatory-tests--date-and-time-eg-1", - "101": "non-public-sharing-group-with-max-uuid-eg-1", - "102": "public-sharing-group-with-no-max-uuid-eg-1", - "103": "invalid-sharing-group-name-eg-1", - "104": "missing-sharing-group-name-eg-1", - "105": "purl-qualifiers-eg-1", - "106": "unused-definition-of-product-id-eg-1", - "107": "missing-remediation-eg-1", - "108": "missing-metric-eg-1", - "109": "build-metadata-in-revision-history-eg-1", - "110": "older-initial-release-date-than-revision-history-eg-1", - "111": "older-current-release-date-than-revision-history-eg-1", - "112": "missing-date-in-involvements-eg-1", - "113": "use-of-md5-as-the-only-hash-algorithm-eg-1", - "114": "use-of-sha-1-as-the-only-hash-algorithm-eg-1", - "115": "missing-tlp-label-eg-1", - "116": "missing-canonical-url-eg-1", - "117": "missing-document-language-eg-1", - "118": "optional-tests--sorting-eg-1", - "119": "use-of-private-language-eg-1", - "120": "use-of-default-language-eg-1", - "121": "missing-product-identification-helper-eg-1", - "122": "cve-in-field-ids-eg-1", - "123": "product-version-range-without-vers-eg-1", - "124": "cvss-for-fixed-products-eg-1", - "125": "additional-properties-eg-1", - "126": "same-timestamps-in-revision-history-eg-1", - "127": "document-tracking-id-in-title-eg-1", - "128": "usage-of-deprecated-cwe-eg-1", - "129": "usage-of-non-latest-cwe-version-eg-1", - "130": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1", - "131": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1", - "132": "discouraged-product-status-remediation-combination-eg-1", - "133": "usage-of-max-uuid-eg-1", - "134": "usage-of-nil-uuid-eg-1", - "135": "usage-of-sharing-group-on-tlp-clear-eg-1", - "136": "hardware-and-software-eg-1", - "137": "use-of-same-product-identification-helper-for-different-products-eg-1", - "138": 
"use-of-cvss-v2-as-the-only-scoring-system-eg-1", - "139": "use-of-cvss-v3-0-eg-1", - "140": "missing-cve-eg-1", - "141": "missing-cwe-eg-1", - "142": "use-of-short-hash-eg-1", - "143": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1", - "144": "use-of-self-referencing-urls-failing-to-resolve-eg-1", - "145": "spell-check-eg-1", - "146": "branch-categories-eg-1", - "147": "usage-of-product-version-range-eg-1", - "148": "usage-of-v-as-version-indicator-eg-1", - "149": "missing-cvss-v4-0-eg-1", - "150": "requirement-7-provider-metadata-json-eg-1", - "151": "requirement-8-security-txt-eg-1", - "152": "requirement-9-well-known-url-for-provider-metadata-json-eg-1", - "153": "requirement-11-one-folder-per-year-eg-1", - "154": "requirement-12-index-txt-eg-1", - "155": "requirement-13-changes-csv-eg-1", - "156": "requirement-15-rolie-feed-eg-1", - "157": "requirement-16-rolie-service-document-eg-1", - "158": "requirement-17-rolie-category-document-eg-1", - "159": "requirement-17-rolie-category-document-eg-2", - "160": "requirement-17-rolie-category-document-eg-3", - "161": "requirement-18-integrity-eg-1", - "162": "requirement-18-integrity-eg-2", - "163": "requirement-19-signatures-eg-1", - "164": "requirement-21-list-of-csaf-providers-eg-1", - "165": "requirement-23-mirror-eg-1", - "166": "conformance-clause-5-cvrf-csaf-converter-eg-1", - "167": "conformance-clause-5-cvrf-csaf-converter-eg-2", - "168": "conformance-clause-5-cvrf-csaf-converter-eg-3", - "169": "conformance-clause-5-cvrf-csaf-converter-eg-4" + "16": "full-product-name-type-product-identification-helper-serial-numbers-eg-1", + "17": "full-product-name-type-product-identification-helper-skus-numbers-eg-1", + "18": "full-product-name-type-product-identification-helper-generic-uris-eg-1", + "19": "full-product-name-type-product-identification-helper-generic-uris-eg-2", + "20": "language-type-eg-1", + "21": "notes-type-eg-1", + "22": "notes-type-eg-2", + "23": "product-group-id-type-eg-1", + "24": 
"product-id-type-eg-1", + "25": "version-type-eg-1", + "26": "version-type-semantic-versioning-eg-1", + "27": "version-type-semantic-versioning-eg-2", + "28": "version-type-semantic-versioning-eg-3", + "29": "version-type-semantic-versioning-eg-4", + "30": "version-type-semantic-versioning-eg-5", + "31": "version-type-semantic-versioning-eg-6", + "32": "document-property-aggregate-severity-eg-1", + "33": "document-property-category-eg-1", + "34": "document-property-distribution-eg-1", + "35": "document-property-distribution-text-eg-1", + "36": "document-property-distribution-tlp-eg-1", + "37": "document-property-publisher-contact-details-eg-1", + "38": "document-property-publisher-name-eg-1", + "39": "document-property-publisher-namespace-eg-1", + "40": "document-property-title-eg-1", + "41": "document-property-tracking-aliases-eg-1", + "42": "document-property-tracking-generator-eg-1", + "43": "document-property-tracking-generator-eg-2", + "44": "document-property-tracking-id-eg-1", + "45": "product-tree-property-product-groups-eg-1", + "46": "product-tree-property-relationships-eg-1", + "47": "vulnerabilities-property-cwes-eg-1", + "48": "vulnerabilities-property-cwes-eg-2", + "49": "vulnerabilities-property-cwes-eg-3", + "50": "vulnerabilities-property-ids-eg-1", + "51": "vulnerabilities-property-ids-eg-2", + "52": "filename-eg-1", + "53": "filename-eg-2", + "54": "hardware-and-software-within-the-product-tree-eg-1", + "55": "missing-definition-of-product-id-eg-1", + "56": "multiple-definition-of-product-id-eg-1", + "57": "circular-definition-of-product-id-eg-1", + "58": "missing-definition-of-product-group-id-eg-1", + "59": "multiple-definition-of-product-group-id-eg-1", + "60": "contradicting-product-status-eg-1", + "61": "multiple-scores-with-same-version-per-product-eg-1", + "62": "invalid-cvss-eg-1", + "63": "invalid-cvss-computation-eg-1", + "64": "inconsistent-cvss-eg-1", + "65": "mandatory-tests--cwe-eg-1", + "66": "language-eg-1", + "67": "purl-eg-1", + 
"68": "sorted-revision-history-eg-1", + "69": "translator-eg-1", + "70": "latest-document-version-eg-1", + "71": "document-status-draft-eg-1", + "72": "released-revision-history-eg-1", + "73": "revision-history-entries-for-pre-release-versions-eg-1", + "74": "non-draft-document-version-eg-1", + "75": "missing-item-in-revision-history-eg-1", + "76": "multiple-definition-in-revision-history-eg-1", + "77": "multiple-use-of-same-cve-eg-1", + "78": "multiple-definition-in-involvements-eg-1", + "79": "multiple-use-of-same-hash-algorithm-eg-1", + "80": "prohibited-document-category-name-eg-1", + "81": "prohibited-document-category-name-eg-2", + "82": "document-notes-eg-1", + "83": "document-references-eg-1", + "84": "vulnerabilities-for-informational-advisory-eg-1", + "85": "product-tree-eg-1", + "86": "vulnerability-notes-eg-1", + "87": "product-status-eg-1", + "88": "vex-product-status-eg-1", + "89": "vulnerability-id-eg-1", + "90": "impact-statement-eg-1", + "91": "action-statement-eg-1", + "92": "vulnerabilities-for-security-advisory-or-vex-eg-1", + "93": "translation-eg-1", + "94": "remediation-without-product-reference-eg-1", + "95": "mixed-integer-and-semantic-versioning-eg-1", + "96": "version-range-in-product-version-eg-1", + "97": "flag-without-product-reference-eg-1", + "98": "multiple-flags-with-vex-justification-codes-per-product-eg-1", + "99": "mandatory-tests--branches-recursion-depth-eg-1", + "100": "contradicting-remediations-eg-1", + "101": "contradicting-product-status-remediation-combination-eg-1", + "102": "mandatory-tests--date-and-time-eg-1", + "103": "non-public-sharing-group-with-max-uuid-eg-1", + "104": "public-sharing-group-with-no-max-uuid-eg-1", + "105": "invalid-sharing-group-name-eg-1", + "106": "missing-sharing-group-name-eg-1", + "107": "purl-qualifiers-eg-1", + "108": "use-of-multiple-stars-in-model-number-eg-1", + "109": "use-of-multiple-stars-in-serial-number-eg-1", + "110": "inconsistent-disclosure-date-eg-1", + "111": 
"invalid-ssvc-eg-1", + "112": "inconsistent-ssvc-id-eg-1", + "113": "ssvc-decision-points-eg-1", + "114": "inconsistent-ssvc-timestamp-eg-1", + "115": "unused-definition-of-product-id-eg-1", + "116": "missing-remediation-eg-1", + "117": "missing-metric-eg-1", + "118": "build-metadata-in-revision-history-eg-1", + "119": "older-initial-release-date-than-revision-history-eg-1", + "120": "older-current-release-date-than-revision-history-eg-1", + "121": "missing-date-in-involvements-eg-1", + "122": "use-of-md5-as-the-only-hash-algorithm-eg-1", + "123": "use-of-sha-1-as-the-only-hash-algorithm-eg-1", + "124": "missing-tlp-label-eg-1", + "125": "missing-canonical-url-eg-1", + "126": "missing-document-language-eg-1", + "127": "optional-tests--sorting-eg-1", + "128": "use-of-private-language-eg-1", + "129": "use-of-default-language-eg-1", + "130": "missing-product-identification-helper-eg-1", + "131": "cve-in-field-ids-eg-1", + "132": "product-version-range-without-vers-eg-1", + "133": "cvss-for-fixed-products-eg-1", + "134": "additional-properties-eg-1", + "135": "same-timestamps-in-revision-history-eg-1", + "136": "document-tracking-id-in-title-eg-1", + "137": "usage-of-deprecated-cwe-eg-1", + "138": "usage-of-non-latest-cwe-version-eg-1", + "139": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1", + "140": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1", + "141": "discouraged-product-status-remediation-combination-eg-1", + "142": "usage-of-max-uuid-eg-1", + "143": "usage-of-nil-uuid-eg-1", + "144": "usage-of-sharing-group-on-tlp-clear-eg-1", + "145": "hardware-and-software-eg-1", + "146": "use-of-same-product-identification-helper-for-different-products-eg-1", + "147": "disclosure-date-newer-than-revision-history-eg-1", + "148": "usage-of-unknown-ssvc-decision-point-namespace-eg-1", + "149": "usage-of-unknown-ssvc-role-eg-1", + "150": "use-of-cvss-v2-as-the-only-scoring-system-eg-1", + "151": "use-of-cvss-v3-0-eg-1", + "152": "missing-cve-eg-1", 
+ "153": "missing-cwe-eg-1", + "154": "use-of-short-hash-eg-1", + "155": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1", + "156": "use-of-self-referencing-urls-failing-to-resolve-eg-1", + "157": "spell-check-eg-1", + "158": "branch-categories-eg-1", + "159": "usage-of-product-version-range-eg-1", + "160": "usage-of-v-as-version-indicator-eg-1", + "161": "missing-cvss-v4-0-eg-1", + "162": "usage-of-non-latest-ssvc-decision-point-version-eg-1", + "163": "requirement-7-provider-metadata-json-eg-1", + "164": "requirement-8-security-txt-eg-1", + "165": "requirement-9-well-known-url-for-provider-metadata-json-eg-1", + "166": "requirement-11-one-folder-per-year-eg-1", + "167": "requirement-12-index-txt-eg-1", + "168": "requirement-13-changes-csv-eg-1", + "169": "requirement-15-rolie-feed-eg-1", + "170": "requirement-16-rolie-service-document-eg-1", + "171": "requirement-17-rolie-category-document-eg-1", + "172": "requirement-17-rolie-category-document-eg-2", + "173": "requirement-17-rolie-category-document-eg-3", + "174": "requirement-18-integrity-eg-1", + "175": "requirement-18-integrity-eg-2", + "176": "requirement-19-signatures-eg-1", + "177": "requirement-21-list-of-csaf-providers-eg-1", + "178": "requirement-23-mirror-eg-1", + "179": "conformance-clause-5-cvrf-csaf-converter-eg-1", + "180": "conformance-clause-5-cvrf-csaf-converter-eg-2", + "181": "conformance-clause-5-cvrf-csaf-converter-eg-3", + "182": "conformance-clause-5-cvrf-csaf-converter-eg-4" } diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json index 387f5f1c6..715050616 100644 --- a/csaf_2.1/prose/edit/etc/example-local-to-global.json +++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json 
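Review bot: This map and the inverse map in `example-local-to-global.json` (the next file section) must remain exact inverses of each other, and because every example inserted in the middle shifts all later keys, a hand-maintained pair is where the two files drift apart. The shifts in this hunk look consistent (old keys 16 to 169 become 18 to 182, with the thirteen new anchors inserted at the expected positions), but nothing on the page shows that the second file is derived from the first. If it is not already generated, a build-time check that composing the two maps yields the identity on every key would catch a mismatch before it reaches the rendered specification.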
@@ -3,170 +3,183 @@ "acknowledgments-type-names-eg-1": "1", "acknowledgments-type-organization-eg-1": "2", "acknowledgments-type-summary-eg-1": "3", - "action-statement-eg-1": "89", - "additional-properties-eg-1": "125", - "branch-categories-eg-1": "146", + "action-statement-eg-1": "91", + "additional-properties-eg-1": "134", + "branch-categories-eg-1": "158", "branches-type-name-eg-1": "5", "branches-type-name-under-product-version-eg-1": "6", "branches-type-name-under-product-version-eg-2": "7", "branches-type-name-under-product-version-range-eg-1": "8", "branches-type-name-under-product-version-range-eg-2": "9", - "build-metadata-in-revision-history-eg-1": "109", - "circular-definition-of-product-id-eg-1": "55", - "conformance-clause-5-cvrf-csaf-converter-eg-1": "166", - "conformance-clause-5-cvrf-csaf-converter-eg-2": "167", - "conformance-clause-5-cvrf-csaf-converter-eg-3": "168", - "conformance-clause-5-cvrf-csaf-converter-eg-4": "169", - "contradicting-product-status-eg-1": "58", - "contradicting-product-status-remediation-combination-eg-1": "99", - "contradicting-remediations-eg-1": "98", - "cve-in-field-ids-eg-1": "122", - "cvss-for-fixed-products-eg-1": "124", - "discouraged-product-status-remediation-combination-eg-1": "132", - "document-notes-eg-1": "80", - "document-property-aggregate-severity-eg-1": "30", - "document-property-category-eg-1": "31", - "document-property-distribution-eg-1": "32", - "document-property-distribution-text-eg-1": "33", - "document-property-distribution-tlp-eg-1": "34", - "document-property-publisher-contact-details-eg-1": "35", - "document-property-publisher-name-eg-1": "36", - "document-property-publisher-namespace-eg-1": "37", - "document-property-title-eg-1": "38", - "document-property-tracking-aliases-eg-1": "39", - "document-property-tracking-generator-eg-1": "40", - "document-property-tracking-generator-eg-2": "41", - "document-property-tracking-id-eg-1": "42", - "document-references-eg-1": "81", - 
"document-status-draft-eg-1": "69", - "document-tracking-id-in-title-eg-1": "127", - "filename-eg-1": "50", - "filename-eg-2": "51", - "flag-without-product-reference-eg-1": "95", + "build-metadata-in-revision-history-eg-1": "118", + "circular-definition-of-product-id-eg-1": "57", + "conformance-clause-5-cvrf-csaf-converter-eg-1": "179", + "conformance-clause-5-cvrf-csaf-converter-eg-2": "180", + "conformance-clause-5-cvrf-csaf-converter-eg-3": "181", + "conformance-clause-5-cvrf-csaf-converter-eg-4": "182", + "contradicting-product-status-eg-1": "60", + "contradicting-product-status-remediation-combination-eg-1": "101", + "contradicting-remediations-eg-1": "100", + "cve-in-field-ids-eg-1": "131", + "cvss-for-fixed-products-eg-1": "133", + "disclosure-date-newer-than-revision-history-eg-1": "147", + "discouraged-product-status-remediation-combination-eg-1": "141", + "document-notes-eg-1": "82", + "document-property-aggregate-severity-eg-1": "32", + "document-property-category-eg-1": "33", + "document-property-distribution-eg-1": "34", + "document-property-distribution-text-eg-1": "35", + "document-property-distribution-tlp-eg-1": "36", + "document-property-publisher-contact-details-eg-1": "37", + "document-property-publisher-name-eg-1": "38", + "document-property-publisher-namespace-eg-1": "39", + "document-property-title-eg-1": "40", + "document-property-tracking-aliases-eg-1": "41", + "document-property-tracking-generator-eg-1": "42", + "document-property-tracking-generator-eg-2": "43", + "document-property-tracking-id-eg-1": "44", + "document-references-eg-1": "83", + "document-status-draft-eg-1": "71", + "document-tracking-id-in-title-eg-1": "136", + "filename-eg-1": "52", + "filename-eg-2": "53", + "flag-without-product-reference-eg-1": "97", "full-product-name-type-name-eg-1": "10", - "full-product-name-type-product-identification-helper-generic-uris-eg-1": "16", - "full-product-name-type-product-identification-helper-generic-uris-eg-2": "17", + 
"full-product-name-type-product-identification-helper-generic-uris-eg-1": "18", + "full-product-name-type-product-identification-helper-generic-uris-eg-2": "19", "full-product-name-type-product-identification-helper-hashes-eg-1": "11", "full-product-name-type-product-identification-helper-hashes-eg-2": "12", "full-product-name-type-product-identification-helper-hashes-eg-3": "13", "full-product-name-type-product-identification-helper-model-numbers-eg-1": "14", "full-product-name-type-product-identification-helper-sbom-urls-eg-1": "15", - "hardware-and-software-eg-1": "136", - "hardware-and-software-within-the-product-tree-eg-1": "52", - "impact-statement-eg-1": "88", - "inconsistent-cvss-eg-1": "62", - "invalid-cvss-computation-eg-1": "61", - "invalid-cvss-eg-1": "60", - "invalid-sharing-group-name-eg-1": "103", - "language-eg-1": "64", - "language-type-eg-1": "18", - "latest-document-version-eg-1": "68", - "mandatory-tests--branches-recursion-depth-eg-1": "97", - "mandatory-tests--cwe-eg-1": "63", - "mandatory-tests--date-and-time-eg-1": "100", - "missing-canonical-url-eg-1": "116", - "missing-cve-eg-1": "140", - "missing-cvss-v4-0-eg-1": "149", - "missing-cwe-eg-1": "141", - "missing-date-in-involvements-eg-1": "112", - "missing-definition-of-product-group-id-eg-1": "56", - "missing-definition-of-product-id-eg-1": "53", - "missing-document-language-eg-1": "117", - "missing-item-in-revision-history-eg-1": "73", - "missing-metric-eg-1": "108", - "missing-product-identification-helper-eg-1": "121", - "missing-remediation-eg-1": "107", - "missing-sharing-group-name-eg-1": "104", - "missing-tlp-label-eg-1": "115", - "mixed-integer-and-semantic-versioning-eg-1": "93", - "multiple-definition-in-involvements-eg-1": "76", - "multiple-definition-in-revision-history-eg-1": "74", - "multiple-definition-of-product-group-id-eg-1": "57", - "multiple-definition-of-product-id-eg-1": "54", - "multiple-flags-with-vex-justification-codes-per-product-eg-1": "96", - 
"multiple-scores-with-same-version-per-product-eg-1": "59", - "multiple-use-of-same-cve-eg-1": "75", - "multiple-use-of-same-hash-algorithm-eg-1": "77", - "non-draft-document-version-eg-1": "72", - "non-public-sharing-group-with-max-uuid-eg-1": "101", - "notes-type-eg-1": "19", - "notes-type-eg-2": "20", - "older-current-release-date-than-revision-history-eg-1": "111", - "older-initial-release-date-than-revision-history-eg-1": "110", - "optional-tests--sorting-eg-1": "118", - "product-group-id-type-eg-1": "21", - "product-id-type-eg-1": "22", - "product-status-eg-1": "85", - "product-tree-eg-1": "83", - "product-tree-property-product-groups-eg-1": "43", - "product-tree-property-relationships-eg-1": "44", - "product-version-range-without-vers-eg-1": "123", - "prohibited-document-category-name-eg-1": "78", - "prohibited-document-category-name-eg-2": "79", - "public-sharing-group-with-no-max-uuid-eg-1": "102", - "purl-eg-1": "65", - "purl-qualifiers-eg-1": "105", - "released-revision-history-eg-1": "70", - "remediation-without-product-reference-eg-1": "92", - "requirement-11-one-folder-per-year-eg-1": "153", - "requirement-12-index-txt-eg-1": "154", - "requirement-13-changes-csv-eg-1": "155", - "requirement-15-rolie-feed-eg-1": "156", - "requirement-16-rolie-service-document-eg-1": "157", - "requirement-17-rolie-category-document-eg-1": "158", - "requirement-17-rolie-category-document-eg-2": "159", - "requirement-17-rolie-category-document-eg-3": "160", - "requirement-18-integrity-eg-1": "161", - "requirement-18-integrity-eg-2": "162", - "requirement-19-signatures-eg-1": "163", - "requirement-21-list-of-csaf-providers-eg-1": "164", - "requirement-23-mirror-eg-1": "165", - "requirement-7-provider-metadata-json-eg-1": "150", - "requirement-8-security-txt-eg-1": "151", - "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "152", - "revision-history-entries-for-pre-release-versions-eg-1": "71", - "same-timestamps-in-revision-history-eg-1": "126", - 
"sorted-revision-history-eg-1": "66", - "spell-check-eg-1": "145", - "translation-eg-1": "91", - "translator-eg-1": "67", + "full-product-name-type-product-identification-helper-serial-numbers-eg-1": "16", + "full-product-name-type-product-identification-helper-skus-numbers-eg-1": "17", + "hardware-and-software-eg-1": "145", + "hardware-and-software-within-the-product-tree-eg-1": "54", + "impact-statement-eg-1": "90", + "inconsistent-cvss-eg-1": "64", + "inconsistent-disclosure-date-eg-1": "110", + "inconsistent-ssvc-id-eg-1": "112", + "inconsistent-ssvc-timestamp-eg-1": "114", + "invalid-cvss-computation-eg-1": "63", + "invalid-cvss-eg-1": "62", + "invalid-sharing-group-name-eg-1": "105", + "invalid-ssvc-eg-1": "111", + "language-eg-1": "66", + "language-type-eg-1": "20", + "latest-document-version-eg-1": "70", + "mandatory-tests--branches-recursion-depth-eg-1": "99", + "mandatory-tests--cwe-eg-1": "65", + "mandatory-tests--date-and-time-eg-1": "102", + "missing-canonical-url-eg-1": "125", + "missing-cve-eg-1": "152", + "missing-cvss-v4-0-eg-1": "161", + "missing-cwe-eg-1": "153", + "missing-date-in-involvements-eg-1": "121", + "missing-definition-of-product-group-id-eg-1": "58", + "missing-definition-of-product-id-eg-1": "55", + "missing-document-language-eg-1": "126", + "missing-item-in-revision-history-eg-1": "75", + "missing-metric-eg-1": "117", + "missing-product-identification-helper-eg-1": "130", + "missing-remediation-eg-1": "116", + "missing-sharing-group-name-eg-1": "106", + "missing-tlp-label-eg-1": "124", + "mixed-integer-and-semantic-versioning-eg-1": "95", + "multiple-definition-in-involvements-eg-1": "78", + "multiple-definition-in-revision-history-eg-1": "76", + "multiple-definition-of-product-group-id-eg-1": "59", + "multiple-definition-of-product-id-eg-1": "56", + "multiple-flags-with-vex-justification-codes-per-product-eg-1": "98", + "multiple-scores-with-same-version-per-product-eg-1": "61", + "multiple-use-of-same-cve-eg-1": "77", + 
"multiple-use-of-same-hash-algorithm-eg-1": "79", + "non-draft-document-version-eg-1": "74", + "non-public-sharing-group-with-max-uuid-eg-1": "103", + "notes-type-eg-1": "21", + "notes-type-eg-2": "22", + "older-current-release-date-than-revision-history-eg-1": "120", + "older-initial-release-date-than-revision-history-eg-1": "119", + "optional-tests--sorting-eg-1": "127", + "product-group-id-type-eg-1": "23", + "product-id-type-eg-1": "24", + "product-status-eg-1": "87", + "product-tree-eg-1": "85", + "product-tree-property-product-groups-eg-1": "45", + "product-tree-property-relationships-eg-1": "46", + "product-version-range-without-vers-eg-1": "132", + "prohibited-document-category-name-eg-1": "80", + "prohibited-document-category-name-eg-2": "81", + "public-sharing-group-with-no-max-uuid-eg-1": "104", + "purl-eg-1": "67", + "purl-qualifiers-eg-1": "107", + "released-revision-history-eg-1": "72", + "remediation-without-product-reference-eg-1": "94", + "requirement-11-one-folder-per-year-eg-1": "166", + "requirement-12-index-txt-eg-1": "167", + "requirement-13-changes-csv-eg-1": "168", + "requirement-15-rolie-feed-eg-1": "169", + "requirement-16-rolie-service-document-eg-1": "170", + "requirement-17-rolie-category-document-eg-1": "171", + "requirement-17-rolie-category-document-eg-2": "172", + "requirement-17-rolie-category-document-eg-3": "173", + "requirement-18-integrity-eg-1": "174", + "requirement-18-integrity-eg-2": "175", + "requirement-19-signatures-eg-1": "176", + "requirement-21-list-of-csaf-providers-eg-1": "177", + "requirement-23-mirror-eg-1": "178", + "requirement-7-provider-metadata-json-eg-1": "163", + "requirement-8-security-txt-eg-1": "164", + "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "165", + "revision-history-entries-for-pre-release-versions-eg-1": "73", + "same-timestamps-in-revision-history-eg-1": "135", + "sorted-revision-history-eg-1": "68", + "spell-check-eg-1": "157", + "ssvc-decision-points-eg-1": "113", + 
"translation-eg-1": "93", + "translator-eg-1": "69", "typographical-conventions-eg-1": "4321", - "unused-definition-of-product-id-eg-1": "106", - "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "131", - "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "130", - "usage-of-deprecated-cwe-eg-1": "128", - "usage-of-max-uuid-eg-1": "133", - "usage-of-nil-uuid-eg-1": "134", - "usage-of-non-latest-cwe-version-eg-1": "129", - "usage-of-product-version-range-eg-1": "147", - "usage-of-sharing-group-on-tlp-clear-eg-1": "135", - "usage-of-v-as-version-indicator-eg-1": "148", - "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "138", - "use-of-cvss-v3-0-eg-1": "139", - "use-of-default-language-eg-1": "120", - "use-of-md5-as-the-only-hash-algorithm-eg-1": "113", - "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "143", - "use-of-private-language-eg-1": "119", - "use-of-same-product-identification-helper-for-different-products-eg-1": "137", - "use-of-self-referencing-urls-failing-to-resolve-eg-1": "144", - "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "114", - "use-of-short-hash-eg-1": "142", - "version-range-in-product-version-eg-1": "94", - "version-type-eg-1": "23", - "version-type-semantic-versioning-eg-1": "24", - "version-type-semantic-versioning-eg-2": "25", - "version-type-semantic-versioning-eg-3": "26", - "version-type-semantic-versioning-eg-4": "27", - "version-type-semantic-versioning-eg-5": "28", - "version-type-semantic-versioning-eg-6": "29", - "vex-product-status-eg-1": "86", - "vulnerabilities-for-informational-advisory-eg-1": "82", - "vulnerabilities-for-security-advisory-or-vex-eg-1": "90", - "vulnerabilities-property-cwes-eg-1": "45", - "vulnerabilities-property-cwes-eg-2": "46", - "vulnerabilities-property-cwes-eg-3": "47", - "vulnerabilities-property-ids-eg-1": "48", - "vulnerabilities-property-ids-eg-2": "49", - "vulnerability-id-eg-1": "87", - "vulnerability-notes-eg-1": "84" + 
"unused-definition-of-product-id-eg-1": "115", + "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "140", + "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "139", + "usage-of-deprecated-cwe-eg-1": "137", + "usage-of-max-uuid-eg-1": "142", + "usage-of-nil-uuid-eg-1": "143", + "usage-of-non-latest-cwe-version-eg-1": "138", + "usage-of-non-latest-ssvc-decision-point-version-eg-1": "162", + "usage-of-product-version-range-eg-1": "159", + "usage-of-sharing-group-on-tlp-clear-eg-1": "144", + "usage-of-unknown-ssvc-decision-point-namespace-eg-1": "148", + "usage-of-unknown-ssvc-role-eg-1": "149", + "usage-of-v-as-version-indicator-eg-1": "160", + "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "150", + "use-of-cvss-v3-0-eg-1": "151", + "use-of-default-language-eg-1": "129", + "use-of-md5-as-the-only-hash-algorithm-eg-1": "122", + "use-of-multiple-stars-in-model-number-eg-1": "108", + "use-of-multiple-stars-in-serial-number-eg-1": "109", + "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "155", + "use-of-private-language-eg-1": "128", + "use-of-same-product-identification-helper-for-different-products-eg-1": "146", + "use-of-self-referencing-urls-failing-to-resolve-eg-1": "156", + "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "123", + "use-of-short-hash-eg-1": "154", + "version-range-in-product-version-eg-1": "96", + "version-type-eg-1": "25", + "version-type-semantic-versioning-eg-1": "26", + "version-type-semantic-versioning-eg-2": "27", + "version-type-semantic-versioning-eg-3": "28", + "version-type-semantic-versioning-eg-4": "29", + "version-type-semantic-versioning-eg-5": "30", + "version-type-semantic-versioning-eg-6": "31", + "vex-product-status-eg-1": "88", + "vulnerabilities-for-informational-advisory-eg-1": "84", + "vulnerabilities-for-security-advisory-or-vex-eg-1": "92", + "vulnerabilities-property-cwes-eg-1": "47", + "vulnerabilities-property-cwes-eg-2": "48", + "vulnerabilities-property-cwes-eg-3": "49", + 
"vulnerabilities-property-ids-eg-1": "50", + "vulnerabilities-property-ids-eg-2": "51", + "vulnerability-id-eg-1": "89", + "vulnerability-notes-eg-1": "86" } \ No newline at end of file diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json index e5362adb2..9c806c9c8 100644 --- a/csaf_2.1/prose/edit/etc/section-display-to-label.json +++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json 
@@ -85,18 +85,18 @@
 "3.2.4.1": "vulnerabilities-property-acknowledgments",
 "3.2.4.2": "vulnerabilities-property-cve",
 "3.2.4.3": "vulnerabilities-property-cwes",
- "3.2.4.4": "vulnerabilities-property-discovery-date",
- "3.2.4.5": "vulnerabilities-property-flags",
- "3.2.4.6": "vulnerabilities-property-ids",
- "3.2.4.7": "vulnerabilities-property-involvements",
- "3.2.4.8": "vulnerabilities-property-metrics",
- "3.2.4.8.1": "vulnerabilities-property-metrics-content",
- "3.2.4.8.2": "vulnerabilities-property-metrics-products",
- "3.2.4.8.3": "vulnerabilities-property-metrics-source",
- "3.2.4.9": "vulnerabilities-property-notes",
- "3.2.4.10": "vulnerabilities-property-product-status",
- "3.2.4.11": "vulnerabilities-property-references",
- "3.2.4.12": "vulnerabilities-property-release-date",
+ "3.2.4.4": "vulnerabilities-property-discosure-date",
+ "3.2.4.5": "vulnerabilities-property-discovery-date",
+ "3.2.4.6": "vulnerabilities-property-flags",
+ "3.2.4.7": "vulnerabilities-property-ids",
+ "3.2.4.8": "vulnerabilities-property-involvements",
+ "3.2.4.9": "vulnerabilities-property-metrics",
+ "3.2.4.9.1": "vulnerabilities-property-metrics-content",
+ "3.2.4.9.2": "vulnerabilities-property-metrics-products",
+ "3.2.4.9.3": "vulnerabilities-property-metrics-source",
+ "3.2.4.10": "vulnerabilities-property-notes",
+ "3.2.4.11": "vulnerabilities-property-product-status",
+ "3.2.4.12": "vulnerabilities-property-references",
 "3.2.4.13": "vulnerabilities-property-remediations",
 "3.2.4.13.1": "vulnerabilities-property-remediations-category",
 "3.2.4.13.2": "vulnerabilities-property-remediations-date",
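Review bot: The new label for section 3.2.4.4 is misspelled: `"3.2.4.4": "vulnerabilities-property-discosure-date"` drops the `l`, while the reverse table in section-label-to-display.json (hunk `@@ -266,18 +277,18 @@`) registers `"vulnerabilities-property-disclosure-date": "3.2.4.4"`. The two maps therefore no longer round-trip: the label derived from `3.2.4.4` matches neither the inverse entry nor any anchor built from the correct spelling. Change the line to `"3.2.4.4": "vulnerabilities-property-disclosure-date",`. If these tables are produced by a script rather than edited by hand, the typo presumably sits in the script's input and should be fixed there so the next regeneration does not reintroduce it.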
@@ -176,6 +176,13 @@
 "6.1.40": "invalid-sharing-group-name",
 "6.1.41": "missing-sharing-group-name",
 "6.1.42": "purl-qualifiers",
+ "6.1.43": "use-of-multiple-stars-in-model-number",
+ "6.1.44": "use-of-multiple-stars-in-serial-number",
+ "6.1.45": "inconsistent-disclosure-date",
+ "6.1.46": "invalid-ssvc",
+ "6.1.47": "inconsistent-ssvc-id",
+ "6.1.48": "ssvc-decision-points",
+ "6.1.49": "inconsistent-ssvc-timestamp",
 "6.2": "optional-tests",
 "6.2.1": "unused-definition-of-product-id",
 "6.2.2": "missing-remediation",
@@ -209,6 +216,9 @@
 "6.2.30": "usage-of-sharing-group-on-tlp-clear",
 "6.2.31": "hardware-and-software",
 "6.2.32": "use-of-same-product-identification-helper-for-different-products",
+ "6.2.33": "disclosure-date-newer-than-revision-history",
+ "6.2.34": "usage-of-unknown-ssvc-decision-point-namespace",
+ "6.2.35": "usage-of-unknown-ssvc-role",
 "6.3": "informative-test",
 "6.3.1": "use-of-cvss-v2-as-the-only-scoring-system",
 "6.3.2": "use-of-cvss-v3-0",
@@ -222,6 +232,7 @@
 "6.3.10": "usage-of-product-version-range",
 "6.3.11": "usage-of-v-as-version-indicator",
 "6.3.12": "missing-cvss-v4-0",
+ "6.3.13": "usage-of-non-latest-ssvc-decision-point-version",
 "7": "distributing-csaf-documents",
 "7.1": "requirements",
 "7.1.1": "requirement-1-valid-csaf-document",
diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json
index 97d9f8eff..6617d5582 100644
--- a/csaf_2.1/prose/edit/etc/section-label-to-display.json
+++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json
@@ -1,4 +1,4 @@
-{
+{
 "acknowledgments": "Appendix A.",
 "acknowledgments-type": "3.1.1",
 "acknowledgments-type-example": "3.1.1.5",
@@ -58,6 +58,7 @@
 "date-and-time": "2.2",
 "definitions": "3.1",
 "design-considerations": "2",
+ "disclosure-date-newer-than-revision-history": "6.2.33",
 "discouraged-product-status-remediation-combination": "6.2.27",
 "distributing-csaf-documents": "7",
 "document-notes": "6.1.27.1",
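Review bot: The first hunk of section-label-to-display.json (`@@ -1,4 +1,4 @@`) replaces the opening `{` with a visually identical `{`, so the real change lies in characters this rendering does not show — most likely a UTF-8 BOM, a carriage return, or trailing whitespace. It is worth confirming with a byte-level diff that the commit removes rather than introduces a BOM, since RFC 8259 §8.1 forbids one in interchange JSON and strict parsers reject such a file outright. The surrounding additions in this hunk group are consistent with the new 6.1.43–6.1.49, 6.2.33–6.2.35 and 6.3.13 entries in section-display-to-label.json.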
@@ -115,12 +116,16 @@
 "hardware-and-software-within-the-product-tree": "5.6",
 "impact-statement": "6.1.27.9",
 "inconsistent-cvss": "6.1.10",
+ "inconsistent-disclosure-date": "6.1.45",
+ "inconsistent-ssvc-id": "6.1.47",
+ "inconsistent-ssvc-timestamp": "6.1.49",
 "informative-references": "1.4",
 "informative-test": "6.3",
 "introduction": "1",
 "invalid-cvss": "6.1.8",
 "invalid-cvss-computation": "6.1.9",
 "invalid-sharing-group-name": "6.1.40",
+ "invalid-ssvc": "6.1.46",
 "ipr-policy": "1.1",
 "language": "6.1.12",
 "language-type": "3.1.4",
@@ -227,6 +232,7 @@
 "separation-in-data-stream": "5.2",
 "sorted-revision-history": "6.1.14",
 "spell-check": "6.3.8",
+ "ssvc-decision-points": "6.1.48",
 "string-length": "C.3",
 "terminology": "1.2",
 "tests": "6",
@@ -242,14 +248,19 @@
 "usage-of-max-uuid": "6.2.28",
 "usage-of-nil-uuid": "6.2.29",
 "usage-of-non-latest-cwe-version": "6.2.24",
+ "usage-of-non-latest-ssvc-decision-point-version": "6.3.13",
 "usage-of-product-version-range": "6.3.10",
 "usage-of-sharing-group-on-tlp-clear": "6.2.30",
+ "usage-of-unknown-ssvc-decision-point-namespace": "6.2.34",
+ "usage-of-unknown-ssvc-role": "6.2.35",
 "usage-of-v-as-version-indicator": "6.3.11",
 "use-of-cvss-v2-as-the-only-scoring-system": "6.3.1",
 "use-of-cvss-v3-0": "6.3.2",
 "use-of-default-language": "6.2.15",
 "use-of-md5-as-the-only-hash-algorithm": "6.2.8",
 "use-of-non-self-referencing-urls-failing-to-resolve": "6.3.6",
+ "use-of-multiple-stars-in-model-number": "6.1.43",
+ "use-of-multiple-stars-in-serial-number": "6.1.44",
 "use-of-private-language": "6.2.14",
 "use-of-same-product-identification-helper-for-different-products": "6.2.32",
 "use-of-self-referencing-urls-failing-to-resolve": "6.3.7",
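Review bot: In hunk `@@ -242,14 +248,19 @@` the two new keys `"use-of-multiple-stars-in-model-number": "6.1.43"` and `"use-of-multiple-stars-in-serial-number": "6.1.44"` are inserted after `use-of-non-self-referencing-urls-failing-to-resolve`, which breaks the alphabetical key order the rest of this file keeps (`use-of-m…` sorts before `use-of-n…`). Key order carries no meaning for a JSON parser, but the sorted layout is what keeps future diffs of this table reviewable, so move the two lines up to directly after `"use-of-md5-as-the-only-hash-algorithm": "6.2.8",`. The other additions in this file section are placed in the correct sorted position.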
@@ -266,18 +277,18 @@
 "vulnerabilities-property-acknowledgments": "3.2.4.1",
 "vulnerabilities-property-cve": "3.2.4.2",
 "vulnerabilities-property-cwes": "3.2.4.3",
- "vulnerabilities-property-discovery-date": "3.2.4.4",
- "vulnerabilities-property-flags": "3.2.4.5",
- "vulnerabilities-property-ids": "3.2.4.6",
- "vulnerabilities-property-involvements": "3.2.4.7",
- "vulnerabilities-property-metrics": "3.2.4.8",
- "vulnerabilities-property-metrics-content": "3.2.4.8.1",
- "vulnerabilities-property-metrics-products": "3.2.4.8.2",
- "vulnerabilities-property-metrics-source": "3.2.4.8.3",
- "vulnerabilities-property-notes": "3.2.4.9",
- "vulnerabilities-property-product-status": "3.2.4.10",
- "vulnerabilities-property-references": "3.2.4.11",
- "vulnerabilities-property-release-date": "3.2.4.12",
+ "vulnerabilities-property-disclosure-date": "3.2.4.4",
+ "vulnerabilities-property-discovery-date": "3.2.4.5",
+ "vulnerabilities-property-flags": "3.2.4.6",
+ "vulnerabilities-property-ids": "3.2.4.7",
+ "vulnerabilities-property-involvements": "3.2.4.8",
+ "vulnerabilities-property-metrics": "3.2.4.9",
+ "vulnerabilities-property-metrics-content": "3.2.4.9.1",
+ "vulnerabilities-property-metrics-products": "3.2.4.9.2",
+ "vulnerabilities-property-metrics-source": "3.2.4.9.3",
+ "vulnerabilities-property-notes": "3.2.4.10",
+ "vulnerabilities-property-product-status": "3.2.4.11",
+ "vulnerabilities-property-references": "3.2.4.12",
 "vulnerabilities-property-remediations": "3.2.4.13",
 "vulnerabilities-property-remediations-category": "3.2.4.13.1",
 "vulnerabilities-property-remediations-date": "3.2.4.13.2",
diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html
index c35880b44..cc5fe770e 100644
--- a/csaf_2.1/prose/share/csaf-v2.1-draft.html
+++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html
@@ -415,31 +415,31 @@

  • 3.2.4.3 Vulnerabilities Property - CWEs
  • -
  • 3.2.4.4 Vulnerabilities Property - Discovery Date +
  • 3.2.4.4 Vulnerabilities Property - Disclosure Date
  • -
  • 3.2.4.5 Vulnerabilities Property - Flags +
  • 3.2.4.5 Vulnerabilities Property - Discovery Date
  • -
  • 3.2.4.6 Vulnerabilities Property - IDs +
  • 3.2.4.6 Vulnerabilities Property - Flags
  • -
  • 3.2.4.7 Vulnerabilities Property - Involvements +
  • 3.2.4.7 Vulnerabilities Property - IDs
  • -
  • 3.2.4.8 Vulnerabilities Property - Metrics +
  • 3.2.4.8 Vulnerabilities Property - Involvements +
  • +
  • 3.2.4.9 Vulnerabilities Property - Metrics
  • -
  • 3.2.4.9 Vulnerabilities Property - Notes -
  • -
  • 3.2.4.10 Vulnerabilities Property - Product Status +
  • 3.2.4.10 Vulnerabilities Property - Notes
  • -
  • 3.2.4.11 Vulnerabilities Property - References +
  • 3.2.4.11 Vulnerabilities Property - Product Status
  • -
  • 3.2.4.12 Vulnerabilities Property - Release Date +
  • 3.2.4.12 Vulnerabilities Property - References
  • 3.2.4.13 Vulnerabilities Property - Remediations
  • 6.2 Optional Tests @@ -681,6 +695,12 @@

  • 6.2.32 Use of same Product Identification Helper for different Products
  • +
  • 6.2.33 Disclosure Date newer than Revision History +
  • +
  • 6.2.34 Usage of Unknown SSVC Decision Point Namespace +
  • +
  • 6.2.35 Usage of Unknown SSVC Role +
  • 6.3 Informative Test @@ -709,6 +729,8 @@

  • 6.3.12 Missing CVSS v4.0
  • +
  • 6.3.13 Usage of Non-Latest SSVC Decision Point Version +
  • @@ -1541,6 +1563,9 @@

    [SPDX301] The System Package Data Exchange® (SPDX®) Specification Version 3.0.1, Linux Foundation and its Contributors, 2024, https://spdx.github.io/spdx-spec/.

    +

    + [SSVC] SSVC: Stakeholder-Specific Vulnerability Categorization, CERT/CC, https://certcc.github.io/SSVC/reference/ +

    [VERS] vers: a mostly universal version range specifier, Part of the purl GitHub Project, https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst.

    @@ -1651,55 +1676,65 @@

    Delegation to industry best practices technologies is used in referencing schemas for:

      -
    • Platform Data: +
    • Classification for Document Distribution + +
    • +
    • Platform Data
      • Common Platform Enumeration (CPE) Version 2.3 [CPE23-N]
    • -
    • Vulnerability Scoring: +
    • Vulnerability Categorization +
    • +
    • Vulnerability Classification + +
    • +
    • Vulnerability Scoring + -
    • -
    • Vulnerability Classification - -
    • -
    • Classification for Document Distribution -
        -
      • Traffic Light Protocol (TLP) +
      • Common Vulnerability Scoring System (CVSS) Version 2.0 [CVSS2]
      • @@ -2372,13 +2407,20 @@
        @@ -2453,9 +2495,22 @@
        3.1.3.3.7 Full Product Name Type - Product Identification Helper - SKUs
        @@ -2523,7 +2578,7 @@

      - Examples 1: + Examples 1:

          https://csaf.io
           https://www.example.com
      @@ -3529,7 +3584,7 @@

      Title of this document (title) of value type string with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.

      - Examples 1: + Examples 1:

          Cisco IPv6 Crafted Packet Denial of Service Vulnerability
           Example Company Cross-Site-Scripting Vulnerability in Example Generator
      @@ -3585,7 +3640,7 @@

      Every such Alternate Name of value type string with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.

      - Example 1: + Example 1:

          CVE-2019-12345
      @@ -3634,7 +3689,7 @@
      Engine name (name) of value type string with 1 or more characters represents the name of the engine that generated the CSAF document.

      - Examples 1: + Examples 1:

          Red Hat rhsa-to-cvrf
           Secvisogram
      @@ -3648,7 +3703,7 @@ 

      - Examples 2: + Examples 2:

          0.6.0
           1.0.0-beta+exp.sha.a1c44f85
      @@ -3672,7 +3727,7 @@ 
      The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.

      - Examples 1: + Examples 1:

          Example Company - 2019-YH3234
           RHBA-2019:0024
      @@ -3689,7 +3744,16 @@ 
      3.2.2.12.5 Document Property - Tracking - Initial Release Date

      - Initial release date (initial_release_date) with value type string with format date-time holds the date when this document was first published. + Initial release date (initial_release_date) with value type string with format date-time holds the date when this document was first released to the specified target group. +

      +
      +

      + For TLP:CLEAR documents, this is usually the timestamp when the document was published. For TLP:GREEN and higher, this is the timestamp when it was first made available to the specific group. Note that the initial release date does not change after the initial release even if the document is later on released + to a broader audience. +

      +
      +

      + If the timestamp of the initial release date was set incorrectly, it MUST be corrected. This change MUST be tracked with a new entry in the revision history.

      3.2.2.12.6 Document Property - Tracking - Revision History @@ -3837,7 +3901,7 @@

      The summary of the product group (summary) of value type string with 1 or more characters gives a short, optional description of the group.

      - Examples 1: + Examples 1:

          Products supporting Modbus.
           The x64 versions of the operating system.
      @@ -3915,7 +3979,7 @@

      Relates to Product Reference (relates_to_product_reference) of value type Product ID (product_id_t) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.

      - Examples 1: + Examples 1:

        "product_tree": {
           "full_product_names": [
      @@ -3960,8 +4024,8 @@ 

      }

      The Vulnerability item of value type object with 1 or more properties is a container for the aggregation of all fields that are related to a single vulnerability in the document. Any vulnerability MAY provide the optional properties Acknowledgments (acknowledgments), Common Vulnerabilities and Exposures (CVE) - (cve), Common Weakness Enumeration (CWE) (cwes), Discovery Date (discovery_date), Flags (flags), IDs (ids), Involvements (involvements), Metrics (metrics), Notes (notes), Product Status (product_status), References - (references), Release Date (release_date), Remediations (remediations), Threats (threats), and Title (title). + (cve), Common Weakness Enumeration (CWE) (cwes), Disclosure Date (disclosure_date), Discovery Date (discovery_date), Flags (flags), IDs (ids), Involvements (involvements), Metrics (metrics), Notes (notes), Product Status + (product_status), References (references), Remediations (remediations), Threats (threats), and Title (title).

          "properties": {
             "acknowledgments": {
      @@ -3973,6 +4037,9 @@ 

      "cwes": { // ... }, + "disclosure_date": { + // ... + }, "discovery_date": { // ... }, @@ -3997,9 +4064,6 @@

      "references": { // ... }, - "release_date": { - // ... - }, "remediations": { // ... }, @@ -4068,7 +4132,7 @@

      It holds the ID for the weakness associated.

      - Examples 1: + Examples 1:

          CWE-22
           CWE-352
      @@ -4077,7 +4141,7 @@ 

      The Weakness name (name) has value type string with 1 or more characters and holds the full name of the weakness as given in the CWE specification.

      - Examples 2: + Examples 2:

          Cross-Site Request Forgery (CSRF)
           Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
      @@ -4090,21 +4154,31 @@ 

      It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.

      - Examples 3: + Examples 3:

          "1.0",
           "3.4.1",
           "4.0",
           "4.11",
           "4.12"
      -

      - 3.2.4.4 Vulnerabilities Property - Discovery Date +

      + 3.2.4.4 Vulnerabilities Property - Disclosure Date +

      +

      + Disclosure date (disclosure_date) with value type string of format date-time holds the date and time the vulnerability was originally disclosed to the public. +

      +

      + For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability. As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the vulnerability was in fact
+ disclosed to the public at that time or update the disclosure_date with the new intended date in the future.
+

      +

      + 3.2.4.5 Vulnerabilities Property - Discovery Date

      Discovery date (discovery_date) of value type string with format date-time holds the date and time the vulnerability was originally discovered.

      -

      - 3.2.4.5 Vulnerabilities Property - Flags
+

      + 3.2.4.6 Vulnerabilities Property - Flags

      List of flags (flags) of value type array with 1 or more unique items (a set) of value type object contains a list of machine readable flags.
@@ -4188,8 +4262,8 @@

      Product IDs (product_ids) are of value type Products (products_t) and contain a list of Products the current flag item applies to.

      -

      - 3.2.4.6 Vulnerabilities Property - IDs
+

      + 3.2.4.7 Vulnerabilities Property - IDs

      List of IDs (ids) of value type array with one or more unique ID items of value type object represents a list of unique labels or tracking IDs for the vulnerability (if such information exists).
@@ -4215,7 +4289,7 @@

      System name (system_name) of value type string with 1 or more characters indicates the name of the vulnerability tracking or numbering system.

      - Examples 1:
+ Examples 1:

          Cisco Bug ID
           GitHub Issue
      @@ -4223,7 +4297,7 @@

      Text (text) of value type string with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).

      - Examples 2:
+ Examples 2:

          CSCso66472
           oasis-tcs/csaf#210
      @@ -4245,8 +4319,8 @@

      The ID MAY be a vendor-specific value but is not to be used to publish the CVE tracking numbers (MITRE standard Common Vulnerabilities and Exposures), as these are specified inside the dedicated CVE element.

      -

      - 3.2.4.7 Vulnerabilities Property - Involvements
+

      + 3.2.4.8 Vulnerabilities Property - Involvements

      List of involvements (involvements) of value type array with 1 or more unique items (a set) of value type object contains a list of involvements.
@@ -4330,8 +4404,8 @@

      Summary of involvement (summary) of value type string with 1 or more characters contains additional context regarding what is going on.

      -

      - 3.2.4.8 Vulnerabilities Property - Metrics
+

      + 3.2.4.9 Vulnerabilities Property - Metrics

      List of metrics (metrics) of value type array with 1 or more unique items (a set) of value type object Contains metric objects for the current vulnerability.
@@ -4356,8 +4430,8 @@

      // ... } }

      -

      - 3.2.4.8.1 Vulnerabilities Property - Metrics - Content
+
      + 3.2.4.9.1 Vulnerabilities Property - Metrics - Content

      Content (content) of value type object with the optional properties CVSS v2 (cvss_v2), CVSS v3 (cvss_v3) and CVSS v4 (cvss_v4) specifies information about (at least one) metric or score for the given products regarding the current vulnerability. A Content object has at
@@ -4374,6 +4448,9 @@

      }, "cvss_v4": { // ... + }, + "ssvc_v1": { + // .... } }

      @@ -4385,15 +4462,19 @@

      The property CVSS v4 (cvss_v4) holding a CVSS v4.0 value abiding by the schema at https://www.first.org/cvss/cvss-v4.0.json.

      -
      - 3.2.4.8.2 Vulnerabilities Property - Metrics - Products
+

      + The property SSVC v1 (ssvc_v1) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json.
+

      +
      + 3.2.4.9.2 Vulnerabilities Property - Metrics - Products

      Product IDs (products) of value type products_t with 1 or more items indicates for which products the given content applies. A metric object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; the known affected versions of that product can list the vulnerability score as it applies to them).

      -
      - 3.2.4.8.3 Vulnerabilities Property - Metrics - Source
+
      + 3.2.4.9.3 Vulnerabilities Property - Metrics - Source

      Source (source) of value type string with format uri contains the URL of the source that originally determined the metric. If no source is given, then the metric was assigned by the document author.
@@ -4403,8 +4484,8 @@

      For example, this could point to the vendor advisory, discoverer blog post, a multiplier's assessment or other sources that provide metric information.

      -

      - 3.2.4.9 Vulnerabilities Property - Notes
+

      + 3.2.4.10 Vulnerabilities Property - Notes

      Vulnerability notes (notes) of value type Notes Type (notes_t) holds notes associated with this vulnerability item.
@@ -4465,8 +4546,8 @@

      -

      - 3.2.4.10 Vulnerabilities Property - Product Status
+

      + 3.2.4.11 Vulnerabilities Property - Product Status

      Product status (product_status) of value type object with 1 or more properties contains different lists of product_ids which provide details on the status of the referenced product related to the current vulnerability. The eight defined properties are First affected (first_affected),
@@ -4536,8 +4617,8 @@

      Under investigation (under_investigation) of value type Products (products_t) represents that it is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.

      -

      - 3.2.4.11 Vulnerabilities Property - References
+

      + 3.2.4.12 Vulnerabilities Property - References

      Vulnerability references (references) of value type References Type (references_t) holds a list of references associated with this vulnerability item.
@@ -4545,12 +4626,6 @@

          "references": {
             // ...
           },
      -

      - 3.2.4.12 Vulnerabilities Property - Release Date
-

      -

      - Release date (release_date) with value type string of format date-time holds the date and time the vulnerability was originally released into the wild.
-

      3.2.4.13 Vulnerabilities Property - Remediations

      @@ -5554,7 +5629,7 @@

    • - Examples 1: + Examples 1:

        cisco-sa-20190513-secureboot.json
         example_company_-_2019-yh3234.json
      @@ -5565,7 +5640,7 @@ 

      - Examples 2:
+ Examples 2:

        cisco-sa-20190513-secureboot_invalid.json
         example_company_-_2019-yh3234_invalid.json
      @@ -5620,7 +5695,7 @@ 

      If a product consists of hardware and software, the hardware part MUST be presented as one product in the product tree and the software part as another one. To form the overall product, both parts MUST be combined through a relationship.

      - Examples 1:
+ Examples 1:

        "product_tree": {
           "branches": [
      @@ -5774,7 +5849,7 @@ 

      /vulnerabilities[]/remediations[]/product_ids[] /vulnerabilities[]/threats[]/product_ids[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "product_groups": [
      @@ -5805,7 +5880,7 @@ 

      /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -5841,7 +5916,7 @@ 

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -5880,7 +5955,7 @@ 

        /vulnerabilities[]/remediations[]/group_ids
         /vulnerabilities[]/threats[]/group_ids

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -5919,7 +5994,7 @@ 

          /product_tree/product_groups[]/group_id

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6002,7 +6077,7 @@ 

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6045,7 +6120,7 @@ 

          /vulnerabilities[]/metrics[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6105,7 +6180,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.1",
      @@ -6152,7 +6227,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.1",
      @@ -6183,7 +6258,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.1",
      @@ -6220,7 +6295,7 @@ 

          /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "cwes": [
           {
      @@ -6246,7 +6321,7 @@ 

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "lang": "EZ"
      @@ -6272,7 +6347,7 @@

      /product_tree/full_product_names[]/product_identification_helper/purls[] /product_tree/relationships[]/full_product_name/product_identification_helper/purls[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6303,7 +6378,7 @@ 

          /document/tracking/revision_history

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "revision_history": [
           {
      @@ -6333,7 +6408,7 @@ 

          /document/source_lang

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "document": {
           // ...
      @@ -6362,7 +6437,7 @@ 

          /document/tracking/version

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "tracking": {
           // ...
      @@ -6397,7 +6472,7 @@ 

          /document/tracking/status

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -6420,7 +6495,7 @@ 

          /document/tracking/revision_history[]/number

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -6455,7 +6530,7 @@ 

          /document/tracking/revision_history[]/number

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "revision_history": [
             {
      @@ -6485,7 +6560,7 @@ 

          /document/tracking/version

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -6509,7 +6584,7 @@ 

          /document/tracking/revision_history

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "revision_history": [
             {
      @@ -6539,7 +6614,7 @@ 

          /document/tracking/revision_history

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

         "revision_history": [
             {
      @@ -6569,7 +6644,7 @@ 

          /vulnerabilities[]/cve

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6595,7 +6670,7 @@ 

          /vulnerabilities[]/involvements

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6632,7 +6707,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -6692,7 +6767,7 @@ 

        /document/category

      - Examples 1 (for currently prohibited values):
+ Examples 1 (for currently prohibited values):

        Csaf_a
         Informational Advisory
      @@ -6701,7 +6776,7 @@ 

      veX V_eX

      - Example 2 (which fails the test):
+ Example 2 (which fails the test):

        "category": "Security_Incident_Response"
      @@ -6736,7 +6811,7 @@

        /document/notes

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "notes": [
           {
      @@ -6766,7 +6841,7 @@ 

        /document/references

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "references": [
           {
      @@ -6795,7 +6870,7 @@ 

        /vulnerabilities

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6828,7 +6903,7 @@ 

        /product_tree

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        {
           "document": {
      @@ -6859,7 +6934,7 @@ 

        /vulnerabilities[]/notes

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6886,7 +6961,7 @@ 

        /vulnerabilities[]/product_status

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6916,7 +6991,7 @@ 

      /vulnerabilities[]/product_status/known_not_affected /vulnerabilities[]/product_status/under_investigation

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_status": {
           "first_fixed": [
      @@ -6947,7 +7022,7 @@ 

        /vulnerabilities[]/cve
         /vulnerabilities[]/ids

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -6975,7 +7050,7 @@ 

        /vulnerabilities[]/flags
         /vulnerabilities[]/threats

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7046,7 +7121,7 @@ 

        /vulnerabilities[]/remediations

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7119,7 +7194,7 @@ 

        /vulnerabilities

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        {
           "document": {
      @@ -7146,7 +7221,7 @@ 

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "document": {
           // ...
      @@ -7179,7 +7254,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

            "remediations": [
               {
      @@ -7209,7 +7284,7 @@ 

        /document/tracking/revision_history[]/number
         /document/tracking/version

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -7277,7 +7352,7 @@ 

        /product_tree/branches[](/branches[])*/name

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

                  "branches": [
                     {
      @@ -7302,7 +7377,7 @@ 

        /vulnerabilities[]/flags[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

            "flags": [
               {
      @@ -7318,7 +7393,7 @@ 

      6.1.33 Multiple Flags with VEX Justification Codes per Product

      - For each item in /vulnerabilities[] it MUST be tested that a Product is not member of more than one Flag item with a VEX justification code (see section 3.2.4.5). This takes indirect relations through Product Groups into account.
+ For each item in /vulnerabilities[] it MUST be tested that a Product is not member of more than one Flag item with a VEX justification code (see section 3.2.4.6). This takes indirect relations through Product Groups into account.

      @@ -7330,7 +7405,7 @@

        /vulnerabilities[]/flags

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7395,7 +7470,7 @@ 

        /product_tree/branches[](/branches[])*/product

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "branches": [
      @@ -7605,7 +7680,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

            "remediations": [
               {
      @@ -7645,7 +7720,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

            "product_status": {
               "known_not_affected": [
      @@ -7679,14 +7754,14 @@ 

      /document/tracking/generator/date
/document/tracking/initial_release_date
/document/tracking/revision_history[]/date
+ /vulnerabilities[]/disclosure_date
/vulnerabilities[]/discovery_date
/vulnerabilities[]/flags[]/date
- /vulnerabilities[]/release_date
/vulnerabilities[]/involvements[]/date
/vulnerabilities[]/remediations[]/date
/vulnerabilities[]/threats[]/date

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

            "current_release_date": "2024-01-24 10:00:00.000Z",
      @@ -7705,7 +7780,7 @@

        /document/distribution/tlp/label

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7737,7 +7812,7 @@ 

        /document/distribution/sharing_group/id

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7768,7 +7843,7 @@ 

        /document/distribution/sharing_group/name

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7798,7 +7873,7 @@ 

        /document/distribution/sharing_group/name

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -7829,7 +7904,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/purls[] /product_tree/relationships[]/full_product_name/product_identification_helper/purls[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7850,6 +7925,310 @@ 

      The two purls differ in the name component.

      +

      + 6.1.43 Use of Multiple Stars in Model Number
+

      +

      + For each model number it MUST be tested that the it does not contain multiple unescaped stars.
+

      +
      +

      + Multiple * that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited.
+

      +
      +

      + The relevant paths for this test are:
+

      +
        /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[]
      +  /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[]
      +  /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[]
      +

      + Example 1 (which fails the test):
+

      +
                "model_numbers": [
      +            "P*A*"
      +          ]
      +
      +

      + The model number contains two unescaped stars.
+

      +
      +

      + 6.1.44 Use of Multiple Stars in Serial Number
+

      +

      + For each serial number it MUST be tested that the it does not contain multiple unescaped stars.
+

      +
      +

      + Multiple * that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited.
+

      +
      +

      + The relevant paths for this test are:
+

      +
        /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[]
      +  /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[]
      +  /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[]
      +

      + Example 1 (which fails the test):
+

      +
                "serial_numbers": [
      +            "P*A*"
      +          ]
      +
      +

      + The serial number contains two unescaped stars.
+

      +
      +

      + 6.1.45 Inconsistent Disclosure Date
+

      +

      + For each vulnerability, it MUST be tested that the disclosure_date is earlier or equal to the date of the newest item of the revision_history if the document is labeled TLP:CLEAR and the document status is final or interim. As the timestamps might use
+ different timezones, the sorting MUST take timezones into account.
+

      +

      + The relevant path for this test is:
+

      +
          /vulnerabilities[]/disclosure_date
      +

      + Example 1 (which fails the test):
+

      +
        "document": {
      +    // ...
      +    "distribution": {
      +      "tlp": {
      +        "label": "CLEAR"
      +      }
      +    },
      +    // ...
      +    "tracking": {
      +      // ...
      +      "revision_history": [
      +        {
      +          "date": "2024-01-24T10:00:00.000Z",
      +          "number": "1",
      +          "summary": "Initial version."
      +        }
      +      ],
      +      "status": "final",
      +      // ...
      +    }
      +  },
      +  "vulnerabilities": [
      +    {
      +      "disclosure_date": "2024-02-24T10:00:00.000Z"
      +    }
      +  ]
      +
      +

      + The document is labeled TLP:CLEAR and in status final but the disclosure_date is newer than the date of newest item in the revision_history.
+

      +
      +

      + 6.1.46 Invalid SSVC
+

      +

      + It MUST be tested that the given SSVC object is valid according to the referenced schema.
+

      +

      + The relevant path for this test is:
+

      +
        /vulnerabilities[]/metrics[]/content/ssvc_v1
      +

      + Example 1 (which fails the test):
+

      +
        "ssvc_v1": {
      +    "id": "CVE-1900-0001",
      +    "schemaVersion": "1-0-1",
      +    "timestamp": "2024-01-24T10:00:00.000Z"
      +  }
      +
      +

      + The required element selections is missing.
+

      +
      +
      +

      + A tool MAY add the missing property id based on the values given in cve respectively ids[]/text as quick fix.
+

      +
      +

      + 6.1.47 Inconsistent SSVC ID
+

      +

      + For each ssvc_v1 object it MUST be tested that id is either the CVE of the vulnerability given in cve or the text of an item in the ids array. The test MUST fail, if the id equals the /document/tracking/id and the CSAF document contains more than
+ one vulnerability.
+

      +

      + The relevant path for this test is:
+

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/id
      +

      + Example 1 (which fails the test):
+

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0002",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Exploitation",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "None"
      +                  ],
      +                  "version": "1.1.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The SSVC ID does not match the CVE ID.
+

      +
      +

      + 6.1.48 SSVC Decision Points
+

      +

      + For each SSVC decision point given under selections with a registered namespace, it MUST be tested that given decision point exists, is valid and the items in values are ordered correctly.
+

      +
      +

      + According to the SSVC project, the following values are currently registered:
+

      +
        cvss
      +  nciss
      +  ssvc
      +

      + A list of all valid decision points including their values is available at the SSVC repository. The items in values need to have the same order as in their definition.
+

      +
      +

      + The relevant path for this test is:
+

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
      +

      + Example 1 (which fails the test):
+

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Mission Impact",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "None",
      +                    "Degraded"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The SSVC decision point Mission Impact doesn't have the value Degraded in version 1.0.0.
+

      +
      +
      +

      + If applicable, a tool MAY sort the items in values according to the order of their definition as a quick fix.
+

      +
      +

      + 6.1.49 Inconsistent SSVC Timestamp
+

      +

      + For each vulnerability, it MUST be tested that the SSVC timestamp is earlier or equal to the date of the newest item of the revision_history if the document status is final or interim. As the timestamps might use different timezones, the sorting MUST take timezones into
+ account.
+

      +

      + The relevant path for this test is:
+

      +
          /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
      +

      + Example 1 (which fails the test):
+

      +
        "document": {
      +    // ...
      +    "distribution": {
      +      "tlp": {
      +        "label": "CLEAR"
      +      }
      +    },
      +    // ...
      +    "tracking": {
      +      // ...
      +      "revision_history": [
      +        {
      +          "date": "2024-01-24T10:00:00.000Z",
      +          "number": "1",
      +          "summary": "Initial version."
      +        }
      +      ],
      +      "status": "final",
      +      // ...
      +    }
      +  },
      +  "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Exploitation",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "Active"
      +                  ],
      +                  "version": "1.1.0"
      +                }
      +              ],
      +              "timestamp": "2024-07-13T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The document is in status final but the SSVC timestamp is newer than the date of newest item in the revision_history.
+

      +

      6.2 Optional Tests

      @@ -7872,7 +8251,7 @@

      /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7911,7 +8290,7 @@ 

      /vulnerabilities[]/product_status/last_affected[] /vulnerabilities[]/product_status/under_investigation[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7948,7 +8327,7 @@ 

      /vulnerabilities[]/product_status/known_affected[] /vulnerabilities[]/product_status/last_affected[]

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -7983,7 +8362,7 @@ 

          /document/tracking/revision_history[]/number

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "revision_history": [
             {
      @@ -8008,7 +8387,7 @@ 

          /document/tracking/initial_release_date

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "tracking": {
             // ...
      @@ -8043,7 +8422,7 @@ 

          /document/tracking/current_release_date

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

          "tracking": {
             "current_release_date": "2023-09-06T10:00:00.000Z",
      @@ -8078,7 +8457,7 @@ 

          /vulnerabilities[]/involvements

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -8113,7 +8492,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -8159,7 +8538,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -8219,7 +8598,7 @@ 

        /document/references

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "document": {
           // ...
      @@ -8255,7 +8634,7 @@ 

        /document/lang

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "document": {
           "category": "csaf_base",
      @@ -8286,7 +8665,7 @@ 

        /

      - Example 1 (which fails the test):
+ Example 1 (which fails the test):

        "document": {
           "csaf_version": "2.1",
      @@ -8315,7 +8694,7 @@ 

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "lang": "qtx"
      @@ -8340,7 +8719,7 @@

        /document/lang
         /document/source_lang

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "lang": "i-default"
      @@ -8366,7 +8745,7 @@

      /product_tree/full_product_names[] /product_tree/relationships[]/full_product_name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "full_product_names": [
             {
      @@ -8395,7 +8774,7 @@ 

        /vulnerabilities[]/ids[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "ids": [
               {
      @@ -8430,7 +8809,7 @@ 

        /product_tree/branches[](/branches[])*/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                  "branches": [
                     {
      @@ -8457,7 +8836,7 @@ 

        /vulnerabilities[]/product_status/first_fixed[]
         /vulnerabilities[]/product_status/fixed[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -8517,7 +8896,7 @@ 

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           "category": "csaf_base",
      @@ -8546,7 +8925,7 @@ 

        /document/tracking/revision_history[]/date

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
      @@ -8576,7 +8955,7 @@ 

        /document/title

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
           "tracking": {
      @@ -8605,7 +8984,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

           "cwes": [
               {
      @@ -8635,7 +9014,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -8681,7 +9060,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "cwes": [
               {
      @@ -8711,7 +9090,7 @@ 

        /vulnerabilities[]/cwes[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "cwes": [
               {
      @@ -8736,7 +9115,7 @@ 

        /vulnerabilities[]/remediations[]

      - Example 1 (which fails the test): + Example 1 (which fails the test):

            "product_status": {
               "known_not_affected": [
      @@ -8768,7 +9147,7 @@ 

        /document/distribution/sharing_group/id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -8798,7 +9177,7 @@ 

        /document/distribution/sharing_group/id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -8828,7 +9207,7 @@ 

        /document/distribution/sharing_group

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "distribution": {
             "sharing_group": {
      @@ -8868,7 +9247,7 @@ 

      /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "branches": [
      @@ -8922,7 +9301,7 @@ 

      /product_tree/full_product_names[]/product_id/product_identification_helper /product_tree/relationships[]/full_product_name/product_id/product_identification_helper

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "branches": [
      @@ -8971,6 +9350,143 @@ 

      Both products are identified by the same serial number 143-D-354.

      +

      + 6.2.33 Disclosure Date newer than Revision History +

      +

      + For each vulnerability, it MUST be tested that the disclosure_date is earlier or equal to the date of the newest item of the revision_history if the disclosure_date is in the past at the time of the test execution. As the timestamps might use different timezones, the sorting MUST take + timezones into account. +

      +

      + The relevant path for this test is: +

      +
          /vulnerabilities[]/disclosure_date
      +

      + Example 1 (which fails the test): +

      +
        "document": {
      +    // ...
      +    "distribution": {
      +      "tlp": {
      +        "label": "GREEN"
      +      }
      +    },
      +    // ...
      +    "tracking": {
      +      "current_release_date": "2024-01-24T10:00:00.000Z",
      +      // ...
      +      "initial_release_date": "2024-01-24T10:00:00.000Z",
      +      "revision_history": [
      +        {
      +          "date": "2024-01-24T10:00:00.000Z",
      +          "number": "1",
      +          "summary": "Initial version."
      +        }
      +      ],
      +      "status": "final",
      +      "version": "1"
      +    }
      +  },
      +  "vulnerabilities": [
      +    {
      +      "disclosure_date": "2024-02-24T10:00:00.000Z"
      +    }
      +  ]
      +
      +

      + The disclosure_date is in the past but newer than the date of newest item in the revision_history. +

      +
      +

      + 6.2.34 Usage of Unknown SSVC Decision Point Namespace +

      +

      + For each SSVC decision point given under selections, it MUST be tested the namespace is one of the case-sensitive registered namespaces. +

      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Technical Impact",
      +                  "namespace": "an-yet-unknown-or-maybe-private-namespace",
      +                  "values": [
      +                    "Total"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The namespace an-yet-unknown-or-maybe-private-namespace is not a registered namespace. Its decision point definitions might therefore not be known to the reader of the document. +

      +
      +

      + 6.2.35 Usage of Unknown SSVC Role +

      +

      + For each SSVC object, it MUST be tested the role is one of the case-sensitive registered roles. +

      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/role
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Technical Impact",
      +                  "namespace": "an-yet-unknown-or-maybe-private-namespace",
      +                  "values": [
      +                    "Total"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + The namespace an-yet-unknown-or-maybe-private-namespace is not a registered namespace. Its decision point definitions might therefore not be known to the reader of the document. +

      +

      6.3 Informative Test
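Review bot: The example and the closing explanation of 6.2.35 (Usage of Unknown SSVC Role) are the ones from 6.2.34: the failing document under `"ssvc_v1"` contains no `role` property at all, only the unknown `namespace`, and the sentence after it again says "The namespace an-yet-unknown-or-maybe-private-namespace is not a registered namespace", so the example does not exercise the role test and would fail 6.2.34 instead. The example should carry an unregistered role next to `"id"`, e.g. `"role": "an-yet-unknown-or-maybe-private-role",` (constructed value), use a registered namespace so that only this test fails, and the explanation should read `The role an-yet-unknown-or-maybe-private-role is not a registered role.` Both 6.2.34 and 6.2.35 say "it MUST be tested the namespace/role is one of the case-sensitive registered ..." without naming where the registry of namespaces and roles lives; an implementer cannot build the check without that reference, so point to the SSVC source the way 6.3.13 points to the SSVC repository.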

      @@ -8994,7 +9510,7 @@

          /vulnerabilities[]/metrics

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -9045,7 +9561,7 @@ 

        /vulnerabilities[]/metrics[]/content/cvss_v3/version
         /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "cvss_v3": {
           "version": "3.0",
      @@ -9081,7 +9597,7 @@ 

        /vulnerabilities[]/cve

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -9110,7 +9626,7 @@ 

        /vulnerabilities[]/cwe

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "vulnerabilities": [
           {
      @@ -9136,7 +9652,7 @@ 

      /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -9199,7 +9715,7 @@ 

      /vulnerabilities[]/references[]/url /vulnerabilities[]/remediations[]/url

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "references": [
             {
      @@ -9229,7 +9745,7 @@ 

        /document/references[]/url
         /vulnerabilities[]/references[]/url

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "references": [
             {
      @@ -9290,7 +9806,7 @@ 

      /vulnerabilities[]/threats[]/details /vulnerabilities[]/title

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "document": {
           // ...
      @@ -9325,7 +9841,7 @@ 

        /product_tree/branches

      - Example 1 (which fails the test): + Example 1 (which fails the test):

          "branches": [
             {
      @@ -9370,7 +9886,7 @@ 

        /product_tree/branches[](/branches[])*/category

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                      "category": "product_version_range",
      @@ -9395,7 +9911,7 @@

        /product_tree/branches[](/branches[])*/name

      - Example 1 (which fails the test): + Example 1 (which fails the test):

                  "branches": [
                     {
      @@ -9420,7 +9936,7 @@ 

          /vulnerabilities[]/metrics[]/content

      - Example 1 (which fails the test): + Example 1 (which fails the test):

        "product_tree": {
           "full_product_names": [
      @@ -9454,6 +9970,56 @@ 

      There is no CVSS v4.0 score given for CSAFPID-9080700.

      +

      + 6.3.13 Usage of Non-Latest SSVC Decision Point Version +

      +

      + For each SSVC decision point given under selections with the namespace of ssvc, it MUST be tested the latest decision point version available at the time of the timestamp was used. The test SHALL fail if a later version was used. +

      +
      +

      + A list of all valid decision points including their values is available at the SSVC repository. +

      +
      +

      + The relevant path for this test is: +

      +
         /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
      +

      + Example 1 (which fails the test): +

      +
        "vulnerabilities": [
      +    {
      +      "cve": "CVE-1900-0001",
      +      "metrics": [
      +        {
      +          "content": {
      +            "ssvc_v1": {
      +              "id": "CVE-1900-0001",
      +              "schemaVersion": "1-0-1",
      +              "selections": [
      +                {
      +                  "name": "Mission Impact",
      +                  "namespace": "ssvc",
      +                  "values": [
      +                    "Non-Essential Degraded"
      +                  ],
      +                  "version": "1.0.0"
      +                }
      +              ],
      +              "timestamp": "2024-01-24T10:00:00.000Z"
      +            }
      +          },
      +          // ...
      +        }
      +      ]
      +    }
      +  ]
      +
      +

      + At the timestamp 2024-01-24T10:00:00.000Z version 2.0.0 of the SSVC decision point Mission Impact was already available. +

      +

      7. Distributing CSAF documents @@ -9554,7 +10120,7 @@
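Review bot: The normative sentence of 6.3.13 contradicts its own example: "The test SHALL fail if a later version was used" follows the requirement that "the latest decision point version available at the time of the timestamp was used", yet the example fails because an older version (1.0.0 while 2.0.0 was already available) was chosen. If the intent is to reject both stale versions and versions that did not yet exist at the timestamp, say so, e.g. `The test SHALL fail if the version used is not the latest one available at the time of the timestamp, including versions published after the timestamp.`; if only stale versions are meant, drop the sentence. "A list of all valid decision points including their values is available at the SSVC repository" appears without a link target in this diff; the markdown should carry the reference (the [SSVC] bibliography entry this commit adds) so implementers know which list is authoritative for "latest".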

    - Example 1 (minimal with ROLIE document): + Example 1 (minimal with ROLIE document):

      {
         "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
    @@ -9613,7 +10179,7 @@ 

    - Examples 1: + Examples 1:

    CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
     CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
    @@ -9631,7 +10197,7 @@ 

    details.

    - Example 1: + Example 1:

      https://www.example.com/.well-known/csaf/provider-metadata.json

    @@ -9655,7 +10221,7 @@

    The CSAF documents MUST be located within folders named <YYYY> where <YYYY> is the year given in the value of /document/tracking/initial_release_date.

    - Examples 1: + Examples 1:

    2024
     2023
    @@ -9666,7 +10232,7 @@

    The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.

    - Example 1: + Example 1:

    2023/esa-2023-09953.json
     2022/esa-2022-02723.json
    @@ -9690,7 +10256,7 @@ 

    - Example 1: + Example 1:

    2023/esa-2023-09953.json,2023-07-01T10:09:07Z
     2021/esa-2021-03676.json,2023-07-01T10:09:01Z
    @@ -9726,7 +10292,7 @@ 

    MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].

    - Example 1: + Example 1:

      {
         "feed": {
    @@ -9792,7 +10358,7 @@ 

    the filename service.json and reside next to the provider-metadata.json.

    - Example 1: + Example 1:

      {
         "service": {
    @@ -9859,7 +10425,7 @@ 

    type of product

    - Examples 1: + Examples 1:

      CPU
       Firewall
    @@ -9875,7 +10441,7 @@ 

    areas or sectors, the products are used in

    - Examples 2: + Examples 2:

      Chemical
       Commercial
    @@ -9893,7 +10459,7 @@ 

    - Example 3: + Example 3:

      {
         "categories": {
    @@ -9917,7 +10483,7 @@ 

    MD5 and SHA1 SHOULD NOT be used.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of SHA-256 hash file: esa-2022-02723.json.sha256
    @@ -9926,7 +10492,7 @@ 

    The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.

    - Example 2: + Example 2:

    ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json

    @@ -9939,7 +10505,7 @@

    All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See [RFC4880] for more details.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of signature file: esa-2022-02723.json.asc
    @@ -10005,7 +10571,7 @@

    The file aggregator.json SHOULD only list the latest version of the metadata of a CSAF provider.

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -10062,7 +10628,7 @@ 

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -10583,6 +11149,9 @@ 

    +
  • + /vulnerabilities[]/disclosure_date: If a vuln:ReleaseDate was given, the CVRF CSAF converter MUST convert its value into the disclosure_date element. +
  • /vulnerabilities[]/ids: If a vuln:ID element is given, the CVRF CSAF converter converts it into the first item of the ids array.
  • @@ -10629,7 +11198,7 @@

    Retrieve the CVSS version from the CVSS vector, if present.

    - Example 1: + Example 1:

      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
    @@ -10638,7 +11207,7 @@

    Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.

    - Example 2: + Example 2:

      xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
       <!-- -->
    @@ -10647,7 +11216,7 @@ 

    is handled the same as

    - Example 3: + Example 3:

      <ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
    @@ -10657,7 +11226,7 @@

    decision.

    - Example 4: + Example 4:

      xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
    @@ -10797,6 +11366,11 @@

    suggest to publish a new version of the CSAF document with the document status final if the document status was interim and no new release has be done during the given threshold in the configuration (default: 6 weeks)

    +
    +

    + Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of whether the specified target group is the public or a closed group. +

    +
  • @@ -11059,6 +11633,11 @@

  • does not use the same /document/tracking/id as the original document. The translated document can use a completely new /document/tracking/id or compute one by using the original /document/tracking/id as a prefix and adding an ID from the naming scheme of the issuer of the translated version. It SHOULD NOT use the original /document/tracking/id as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original /document/tracking/id and translated /document/lang as a /document/tracking/id for the translated document. +
    +

    + Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public or a closed group. +

    +
  • provides the /document/lang property with a value matching the language of the translation.
  • @@ -11375,11 +11954,67 @@

    type /$defs/full_product_name_t/product_identification_helper/cpe: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.

  • +
  • +

    + type /$defs/full_product_name_t/model_number: +

    +
      +
    • If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a * to the end and output a warning that a partial model number was detected and a star has been added. Such a warning MUST include the model number. +
    • +
    • If the model number contains a \, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional \ before the character. +
    • +
    • If the model number contains multiple unescaped * after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and output a warning that a model number with multiple stars was detected and removed. Such a warning MUST include the model number. +
    • +
    +
    +

    + A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the ? in all model numbers as part of the model number itself and therefore escape it. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the * in all model numbers as part of the model number itself and therefore escape it. +

    +
    +
  • type /$defs/full_product_name_t/product_identification_helper/purls: If a /$defs/full_product_name_t/product_identification_helper/purl is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding purls array.

  • +
  • +

    + type /$defs/full_product_name_t/serial_number: +

    +
      +
    • If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a * to the end and output a warning that a partial serial number was detected and a star has been added. Such a warning MUST include the serial number. +
    • +
    • If the serial number contains a \, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional \ before the character. +
    • +
    • If the serial number contains multiple unescaped * after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and output a warning that a serial number with multiple stars was detected and removed. Such a warning MUST include the serial number. +
    • +
    +
    +

    + A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the ? in all serial numbers as part of the serial number itself and therefore escape it. +

    +
    +
    +

    + A tool MAY provide a non-default option to interpret the * in all serial numbers as part of the serial number itself and therefore escape it. +

    +
    +
  • /$schema: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema. @@ -11478,6 +12113,19 @@

    The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.

  • +
  • +

    + /vulnerabilities[]/disclosure_date: If a release_date was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as disclosure_date. +

    +
  • +
  • +

    + /vulnerabilities[]/metrics/ssvc_v1: If a SSVC vector or decision points of an SSVC vector are given in an item of notes of the current vulnerability using the title SSVC and the category other, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into + the ssvc_v1 object within the current vulnerability. If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding notes item SHALL be removed. If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information + given, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the invalid ssvc_v1 object, keep the original item of notes and output a warning that the automatic conversion of the SSVC data failed. If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 + converter SHALL remove the ssvc_v1 object, keep the original item of notes and output a warning that the automatic conversion of the SSVC data would lead to loosing information. +

    +
  • /vulnerabilities[]/remediations[]: @@ -11499,6 +12147,11 @@
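Review bot: The new converter rule names its target as `/vulnerabilities[]/metrics/ssvc_v1`, while every other SSVC path added by this commit uses `/vulnerabilities[]/metrics[]/content/ssvc_v1`; since `metrics` is an array and `ssvc_v1` sits under `content`, the heading should be `/vulnerabilities[]/metrics[]/content/ssvc_v1`. The same paragraph misspells "losing" three times ("without loosing any information", "would loose information", "lead to loosing information"); "would loose" should become "would lose". The rule also says the converter "MUST convert that data" from a free-text notes item but only says a "valid object" must result; it would help implementers to state that validity means validating the constructed `ssvc_v1` object against the referenced SSVC schema before the notes item is removed.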

  • +
  • +

    + The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning. +

    +
  • @@ -13211,6 +13864,12 @@

  • /vulnerabilities[]/ids
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values +
  • /vulnerabilities[]/remediations[]/entitlements
  • @@ -13596,6 +14255,24 @@

  • /vulnerabilities[]/metrics[]/content/cvss_v4/vectorString
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/id +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/role +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[] +
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version +
  • /vulnerabilities[]/metrics[]/products[]
  • @@ -13759,6 +14436,9 @@

  • /document/tracking/revision_history[]/date
  • +
  • + /vulnerabilities[]/disclosure_date +
  • /vulnerabilities[]/discovery_date
  • @@ -13769,7 +14449,7 @@

    /vulnerabilities[]/involvements[]/date
  • - /vulnerabilities[]/release_date + /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
  • /vulnerabilities[]/remediations[]/date @@ -14068,6 +14748,9 @@

  • /vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact (4)
  • +
  • + /vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion (5) +
  • /vulnerabilities[]/notes[]/category (16)
  • diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index 02b0f47b4..d5f732463 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md 
@@ -188,18 +188,18 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 3.2.4.1 [Vulnerabilities Property - Acknowledgments](#vulnerabilities-property-acknowledgments) 3.2.4.2 [Vulnerabilities Property - CVE](#vulnerabilities-property-cve) 3.2.4.3 [Vulnerabilities Property - CWEs](#vulnerabilities-property-cwes) - 3.2.4.4 [Vulnerabilities Property - Discovery Date](#vulnerabilities-property-discovery-date) - 3.2.4.5 [Vulnerabilities Property - Flags](#vulnerabilities-property-flags) - 3.2.4.6 [Vulnerabilities Property - IDs](#vulnerabilities-property-ids) - 3.2.4.7 [Vulnerabilities Property - Involvements](#vulnerabilities-property-involvements) - 3.2.4.8 [Vulnerabilities Property - Metrics](#vulnerabilities-property-metrics) - 3.2.4.8.1 [Vulnerabilities Property - Metrics - Content](#vulnerabilities-property-metrics-content) - 3.2.4.8.2 [Vulnerabilities Property - Metrics - Products](#vulnerabilities-property-metrics-products) - 3.2.4.8.3 [Vulnerabilities Property - Metrics - Source](#vulnerabilities-property-metrics-source) - 3.2.4.9 [Vulnerabilities Property - Notes](#vulnerabilities-property-notes) - 3.2.4.10 [Vulnerabilities Property - Product Status](#vulnerabilities-property-product-status) - 3.2.4.11 [Vulnerabilities Property - References](#vulnerabilities-property-references) - 3.2.4.12 [Vulnerabilities Property - Release Date](#vulnerabilities-property-release-date) + 3.2.4.4 [Vulnerabilities Property - Disclosure Date](#vulnerabilities-property-disclosure-date) + 3.2.4.5 [Vulnerabilities Property - Discovery Date](#vulnerabilities-property-discovery-date) + 3.2.4.6 [Vulnerabilities Property - Flags](#vulnerabilities-property-flags) + 3.2.4.7 [Vulnerabilities Property - IDs](#vulnerabilities-property-ids) + 3.2.4.8 [Vulnerabilities Property - Involvements](#vulnerabilities-property-involvements) + 3.2.4.9 [Vulnerabilities Property - Metrics](#vulnerabilities-property-metrics) + 3.2.4.9.1 [Vulnerabilities Property - Metrics - 
Content](#vulnerabilities-property-metrics-content) + 3.2.4.9.2 [Vulnerabilities Property - Metrics - Products](#vulnerabilities-property-metrics-products) + 3.2.4.9.3 [Vulnerabilities Property - Metrics - Source](#vulnerabilities-property-metrics-source) + 3.2.4.10 [Vulnerabilities Property - Notes](#vulnerabilities-property-notes) + 3.2.4.11 [Vulnerabilities Property - Product Status](#vulnerabilities-property-product-status) + 3.2.4.12 [Vulnerabilities Property - References](#vulnerabilities-property-references) 3.2.4.13 [Vulnerabilities Property - Remediations](#vulnerabilities-property-remediations) 3.2.4.13.1 [Vulnerabilities Property - Remediations - Category](#vulnerabilities-property-remediations-category) 3.2.4.13.2 [Vulnerabilities Property - Remediations - Date](#vulnerabilities-property-remediations-date) @@ -279,6 +279,13 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.1.40 [Invalid Sharing Group Name](#invalid-sharing-group-name) 6.1.41 [Missing Sharing Group Name](#missing-sharing-group-name) 6.1.42 [PURL Qualifiers](#purl-qualifiers) + 6.1.43 [Use of Multiple Stars in Model Number](#use-of-multiple-stars-in-model-number) + 6.1.44 [Use of Multiple Stars in Serial Number](#use-of-multiple-stars-in-serial-number) + 6.1.45 [Inconsistent Disclosure Date](#inconsistent-disclosure-date) + 6.1.46 [Invalid SSVC](#invalid-ssvc) + 6.1.47 [Inconsistent SSVC ID](#inconsistent-ssvc-id) + 6.1.48 [SSVC Decision Points](#ssvc-decision-points) + 6.1.49 [Inconsistent SSVC Timestamp](#inconsistent-ssvc-timestamp) 6.2 [Optional Tests](#optional-tests) 6.2.1 [Unused Definition of Product ID](#unused-definition-of-product-id) 6.2.2 [Missing Remediation](#missing-remediation) 
@@ -312,6 +319,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.2.30 [Usage of Sharing Group on TLP:CLEAR](#usage-of-sharing-group-on-tlp-clear) 6.2.31 [Hardware and Software](#hardware-and-software) 6.2.32 [Use of same Product Identification Helper for different Products](#use-of-same-product-identification-helper-for-different-products) + 6.2.33 [Disclosure Date newer than Revision History](#disclosure-date-newer-than-revision-history) + 6.2.34 [Usage of Unknown SSVC Decision Point Namespace](#usage-of-unknown-ssvc-decision-point-namespace) + 6.2.35 [Usage of Unknown SSVC Role](#usage-of-unknown-ssvc-role) 6.3 [Informative Test](#informative-test) 6.3.1 [Use of CVSS v2 as the only Scoring System](#use-of-cvss-v2-as-the-only-scoring-system) 6.3.2 [Use of CVSS v3.0](#use-of-cvss-v3-0) @@ -325,6 +335,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.3.10 [Usage of Product Version Range](#usage-of-product-version-range) 6.3.11 [Usage of V as Version Indicator](#usage-of-v-as-version-indicator) 6.3.12 [Missing CVSS v4.0](#missing-cvss-v4-0) + 6.3.13 [Usage of Non-Latest SSVC Decision Point Version](#usage-of-non-latest-ssvc-decision-point-version) 7. [Distributing CSAF documents](#distributing-csaf-documents) 7.1 [Requirements](#requirements) 7.1.1 [Requirement 1: Valid CSAF document](#requirement-1-valid-csaf-document) 
@@ -712,6 +723,8 @@ For purposes of this document, the following terms and definitions apply: **\[****SPDX301\]** _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, . +**\[****SSVC\]** _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, + **\[****VERS\]** _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, . **\[****VEX\]** _Vulnerability-Exploitability eXchange (VEX) - An Overview_, VEX sub-group of the Framing Working Group in the NTIA SBOM initiative, 27 September 2021, . 
@@ -811,23 +824,26 @@ Proven and intended usage patterns from practice are given where possible. Delegation to industry best practices technologies is used in referencing schemas for: -* Platform Data: +* Classification for Document Distribution + * Traffic Light Protocol (TLP) + * Default Definition: https://www.first.org/tlp/ +* Platform Data * Common Platform Enumeration (CPE) Version 2.3 \[[CPE23-N](#CPE23-N)\] -* Vulnerability Scoring: +* Vulnerability Categorization + * Stakeholder-Specific Vulnerability Categorization \[[SSVC](#SSVC)\] + * JSON Schema Reference: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json +* Vulnerability Classification + * Common Weakness Enumeration (CWE) \[[CWE](#CWE)\] + * CWE List: http://cwe.mitre.org/data/index.html +* Vulnerability Scoring * Common Vulnerability Scoring System (CVSS) Version 4.0 \[[CVSS40](#CVSS40)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v4.0.json * Common Vulnerability Scoring System (CVSS) Version 3.1 \[[CVSS31](#CVSS31)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.1.json * Common Vulnerability Scoring System (CVSS) Version 3.0 \[[CVSS30](#CVSS30)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json + * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.0.json * Common Vulnerability Scoring System (CVSS) Version 2.0 \[[CVSS2](#CVSS2)\] - * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json -* Vulnerability Classification - * Common Weakness Enumeration (CWE) \[[CWE](#CWE)\] - * CWE List: http://cwe.mitre.org/data/index.html -* Classification for Document Distribution - * Traffic Light Protocol (TLP) - * Default Definition: https://www.first.org/tlp/ + * JSON Schema Reference: https://www.first.org/cvss/cvss-v2.0.json Even though the JSON schema does not 
prohibit specifically additional properties and custom keywords, it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub. @@ -843,7 +859,6 @@ Section [7](#distributing-csaf-documents) states how to distribute and where to Safety, Security and Data Protection are considered in section [8](#safety-security-and-data-protection-considerations). Finally, a set of conformance targets describes tools in the ecosystem. - ## 2.2 Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. @@ -1481,13 +1496,19 @@ the component to identify. > Often it is abbreviated as "MN", M/N" or "model no.". If a part of a model number of the component to identify is given, -it SHOULD begin with the first character of the model number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). -Two `*` MUST NOT follow each other. +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. +This applies also to the first character. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the model number, the special characters `?`, `*` and `\` MUST be escaped with `\`. + +> Note: A backslash MUST be escaped itself in a JSON string. *Examples 1:* ``` + *-G109A/EU? + 2024-* 6RA8096-4MV62-0AA0 6RA801?-??V62-0AA0 IC25T060ATCS05-0 
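Review bot: The new model-number rule "An unescaped `*` MUST be the only `*` wildcard in the string" is circular, because an escaped `*` is by definition not a wildcard, so the sentence never states how many unescaped `*` are allowed; I read the intent as `At most one unescaped * MAY appear in the string.` and would write it that way (the same wording is repeated for serial numbers in the next hunk). The escaping rule also leaves `\` followed by any character other than `?`, `*` or `\` undefined, so a consumer cannot tell whether `\x` is invalid or a literal; adding `A \ MUST be followed by one of ?, * or \.` closes that gap. Note that a value consisting solely of `*` satisfies every rule here yet matches every model number, so a consumer doing asset matching would flag all products; a mandatory or optional test rejecting a helper with no literal character seems warranted given that `?`/`*` may now also occupy the first position.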
@@ -1570,9 +1591,23 @@ Any given serial number of value type `string` with at least 1 character represe abbreviated (partial) serial number of the component to identify. If a part of a serial number of the component to identify is given, -it SHOULD begin with the first character of the serial number and stop at any point. -Characters which SHOULD NOT be matched MUST be replaced by either `?` (for a single character) or `*` (for zero or more characters). -Two `*` MUST NOT follow each other. +it MUST begin at the first and end at the last character position of the string representing the targeted component. +The wildcard characters `?` (for a single character) and `*` (for zero or more characters) signal exclusion of characters at these positions from matching. +This applies also to the first character. +An unescaped `*` MUST be the only `*` wildcard in the string. +As part of the serial number, the special characters `?`, `*` and `\` MUST be escaped with `\`. + +> Note: A backslash MUST be escaped itself in a JSON string. + +*Examples 1:* + +``` + *RF8R71YR??? + 11S45N0249Z1ZS9* + DSEP147100 + L15-VM-??? + L234.696.30.044.712 +``` ##### 3.1.3.3.7 Full Product Name Type - Product Identification Helper - SKUs @@ -1639,7 +1674,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier > These elements can be used to reference a specific component from an SBOM: -*Example 1 (linking a component from a CycloneDX SBOM using the bomlink mechanism):* +*Example 1 (linking a component from a CycloneDX SBOM using the bomlink mechanism):* ``` "x_generic_uris": [ @@ -1650,7 +1685,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier ] ``` -*Example 2 (linking a component from an SPDX SBOM):* +*Example 2 (linking a component from an SPDX SBOM):* ``` "x_generic_uris": [ 
@@ -1676,7 +1711,7 @@ See IETF language registry: Even though the private use language tags are supported they should not be used to ensure readability across the ecosystem. > It is recommended to follow the conventions for the capitalization of the subtags even though it is not mandatory as most users are used to that. -*Examples 1:* +*Examples 1:* ``` de @@ -1722,7 +1757,7 @@ A Note `object` MAY provide the optional properties `audience` and `title`. Audience of note (`audience`) of value type `string` with 1 or more characters indicates who is intended to read it. -*Examples 1:* +*Examples 1:* ``` all @@ -1769,7 +1804,7 @@ Content varies depending on type. Title of note (`title`) of value type `string` with 1 or more characters provides a concise description of what is contained in the text of the note. -*Examples 2:* +*Examples 2:* ``` Details @@ -1791,7 +1826,7 @@ a product group in the context of the current document. }, ``` -*Examples 1:* +*Examples 1:* ``` CSAFGID-0001 @@ -1829,7 +1864,7 @@ the current document. }, ``` -*Examples 1:* +*Examples 1:* ``` CSAFPID-0004 @@ -1922,7 +1957,7 @@ There are two options how it can be used: A CSAF document MUST use only one versioning system. -*Examples 1:* +*Examples 1:* ``` 1 @@ -1947,7 +1982,7 @@ The following rules apply: Any modifications MUST be released as a new version. 2. Version zero (0) is for initial development before the `initial_release_date`. The document status MUST be `draft`. Anything MAY change at any time. The document SHOULD NOT be considered stable. -3. Version 1 defines the initial public release. +3. Version 1 defines the initial release to the specified target group. Each new version where `/document/tracking/status` is `final` has a version number incremented by one. 4. Pre-release versions (document status `draft`) MUST carry the new version number. Sole exception is before the initial release (see rule 2). 
@@ -1978,7 +2013,7 @@ This results in the following rules: tracked in this stage with (0.y.z) by incrementing the minor version y instead. Changes that would increment the minor or patch version according to rule 6 or 5 are both tracked in this stage with (0.y.z) by incrementing the patch version z instead. -4. Version 1.0.0 defines the initial public release. +4. Version 1.0.0 defines the initial release to the specified target group. The way in which the version number is incremented after this release is dependent on the content and structure of the document and how it changes. 5. Patch version Z (x.y.Z | x > 0) MUST be incremented if only backwards compatible bug fixes are introduced. @@ -2012,7 +2047,7 @@ This results in the following rules: A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version. - *Examples 1:* + *Examples 1:* ``` 1.0.0-0.3.7 @@ -2028,7 +2063,7 @@ This results in the following rules: Identifiers MUST NOT be empty. Build metadata MUST be ignored when determining version precedence. Thus two versions that differ only in the build metadata, have the same precedence. - *Examples 2:* + *Examples 2:* ``` 1.0.0+20130313144700 @@ -2044,7 +2079,7 @@ This results in the following rules: 2. Precedence is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically. - *Example 3:* + *Example 3:* ``` 1.0.0 < 2.0.0 < 2.1.0 < 2.1.1 @@ -2052,7 +2087,7 @@ This results in the following rules: 3. When major, minor, and patch are equal, a pre-release version has lower precedence than a normal version: - *Example 4:* + *Example 4:* ``` 1.0.0-alpha < 1.0.0 
@@ -2066,7 +2101,7 @@ This results in the following rules: 3. Numeric identifiers always have lower precedence than non-numeric identifiers. 4. A larger set of pre-release fields has a higher precedence than a smaller set, if all of the preceding identifiers are equal. - *Example 5:* + *Example 5:* ``` 1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0 @@ -2074,7 +2109,7 @@ This results in the following rules: Note, that the following values do no conform the semantic versioning described above. -*Examples 6 (which are invalid):* +*Examples 6 (which are invalid):* ``` 1.16.13.14-Cor @@ -2192,7 +2227,7 @@ The Namespace of aggregate severity (`namespace`) of value type `string` with fo The Text of aggregate severity (`text`) of value type `string` with 1 or more characters provides a severity which is independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS). -*Examples 1:* +*Examples 1:* ``` Critical @@ -2218,7 +2253,7 @@ Document category defines a short canonical name, chosen by the document produce } ``` -*Examples 1:* +*Examples 1:* ``` csaf_base @@ -2262,7 +2297,7 @@ If multiple values are present, the TLP information SHOULD be preferred as this The Sharing Group SHALL be interpreted as specification to the TLP information. Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: -*Examples 1:* +*Examples 1:* ``` E-ISAC members-only @@ -2338,7 +2373,7 @@ However, the following values are reserved for the conditions below: The Textual description (`text`) of value type `string` with 1 or more characters provides a textual description of additional constraints. -*Examples 1:* +*Examples 1:* ``` Copyright 2024, Example Company, All Rights Reserved. 
@@ -2393,7 +2428,7 @@ The default value is the URL to the definition by FIRST: https://www.first.org/tlp/ ``` -*Examples 1:* +*Examples 1:* ``` https://www.us-cert.gov/tlp @@ -2502,7 +2537,7 @@ open source projects as well as product resellers and distributors, including au Contact details (`contact_details`) of value type `string` with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses. -*Example 1:* +*Example 1:* ``` Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact. @@ -2517,7 +2552,7 @@ the authority of the issuing party to release the document, in particular, the p The Name of publisher (`name`) of value type `string` with 1 or more characters contains the name of the issuing party. -*Example 1:* +*Example 1:* ``` BSI @@ -2544,7 +2579,7 @@ an incremented (patch) version which has no other changes than: * the updated item in `/document/references[]` which points to the new version of the CSAF document * an added item in `/document/references[]` which points to the previous version of the CSAF document (if the URL changed) -*Examples 1:* +*Examples 1:* ``` https://csaf.io @@ -2579,7 +2614,7 @@ The property SHALL NOT be present if the document was not translated. Title of this document (`title`) of value type `string` with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents. -*Examples 1:* +*Examples 1:* ``` Cisco IPv6 Crafted Packet Denial of Service Vulnerability @@ -2642,7 +2677,7 @@ list of alternate names for the same document. Every such Alternate Name of value type `string` with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document. -*Example 1:* +*Example 1:* ``` CVE-2019-12345 
@@ -2696,7 +2731,7 @@ optional property Engine version (`version`) contains information about the engi Engine name (`name`) of value type `string` with 1 or more characters represents the name of the engine that generated the CSAF document. -*Examples 1:* +*Examples 1:* ``` Red Hat rhsa-to-cvrf @@ -2709,7 +2744,7 @@ Engine version (`version`) of value type `string` with 1 or more characters cont > Although it is not formally required, the TC suggests to use a versioning which is compatible with Semantic Versioning as described in > the external specification [SemVer]. This could help the end user to identify when CSAF consumers have to be updated. -*Examples 2:* +*Examples 2:* ``` 0.6.0 @@ -2732,7 +2767,7 @@ Unique identifier for the document holds the Identifier. The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization. -*Examples 1:* +*Examples 1:* ``` Example Company - 2019-YH3234 
@@ -2746,7 +2781,14 @@ This value is also used to determine the filename for the CSAF document (cf. sec ##### 3.2.2.12.5 Document Property - Tracking - Initial Release Date -Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first published. +Initial release date (`initial_release_date`) with value type `string` with format `date-time` holds the date when this document was first released to the specified target group. + +> For `TLP:CLEAR` documents, this is usually the timestamp when the document was published. +> For `TLP:GREEN` and higher, this is the timestamp when it was first made available to the specific group. +> Note that the initial release date does not change after the initial release even if the document is later on released to a broader audience. + +If the timestamp of the initial release date was set incorrectly, it MUST be corrected. +This change MUST be tracked with a new entry in the revision history. ##### 3.2.2.12.6 Document Property - Tracking - Revision History @@ -2900,7 +2942,7 @@ the optional Summary (`summary`) property. The summary of the product group (`summary`) of value type `string` with 1 or more characters gives a short, optional description of the group. -*Examples 1:* +*Examples 1:* ``` Products supporting Modbus. @@ -2989,7 +3031,7 @@ which is referenced as the first element of the relationship. Relates to Product Reference (`relates_to_product_reference`) of value type Product ID (`product_id_t`) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship. -*Examples 1:* +*Examples 1:* ``` "product_tree": { 
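Review bot: The new `initial_release_date` definition refers to the "specified target group" without saying where that group is specified, and the note ranks labels as "TLP:GREEN and higher", an ordering TLP itself does not define; I would anchor both to existing fields, e.g. `…the date when this document was first released to the audience defined by /document/distribution (TLP label and, if present, sharing group).` and `For TLP labels more restrictive than TLP:CLEAR, this is the timestamp…`. The correction rule ("it MUST be corrected" plus a new revision history entry) is normative but, as far as the table of contents shows, has no counterpart test the way the disclosure date gets 6.2.33; if a machine check is feasible (e.g. the first revision history entry predating the initial release date), it should be listed, otherwise the text should say the requirement is not machine-testable.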
@@ -3040,8 +3082,8 @@ properties represents a list of all relevant vulnerability information items. The Vulnerability item of value type `object` with 1 or more properties is a container for the aggregation of all fields that are related to a single vulnerability in the document. Any vulnerability MAY provide the optional properties Acknowledgments (`acknowledgments`), Common Vulnerabilities and Exposures (CVE) (`cve`), -Common Weakness Enumeration (CWE) (`cwes`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`), -Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Release Date (`release_date`), +Common Weakness Enumeration (CWE) (`cwes`), Disclosure Date (`disclosure_date`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), +Involvements (`involvements`), Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Remediations (`remediations`), Threats (`threats`), and Title (`title`). ``` @@ -3055,6 +3097,9 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "cwes": { // ... }, + "disclosure_date": { + // ... + }, "discovery_date": { // ... }, @@ -3079,9 +3124,6 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`). "references": { // ... }, - "release_date": { - // ... - }, "remediations": { // ... }, @@ -3155,7 +3197,7 @@ The Weakness ID (`id`) has value type `string` with `pattern` (regular expressio It holds the ID for the weakness associated. -*Examples 1:* +*Examples 1:* ``` CWE-22 @@ -3166,7 +3208,7 @@ It holds the ID for the weakness associated. The Weakness name (`name`) has value type `string` with 1 or more characters and holds the full name of the weakness as given in the CWE specification. -*Examples 2:* +*Examples 2:* ``` Cross-Site Request Forgery (CSRF) 
@@ -3183,7 +3225,7 @@ The CWE version (`version`) has value type `string` with `pattern` (regular expr It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used. -*Examples 3:* +*Examples 3:* ``` "1.0", @@ -3193,11 +3235,20 @@ When creating or modifying a CSAF document, the latest published version of the "4.12" ``` -#### 3.2.4.4 Vulnerabilities Property - Discovery Date +#### 3.2.4.4 Vulnerabilities Property - Disclosure Date + +Disclosure date (`disclosure_date`) with value type `string` of format `date-time` holds the date and time +the vulnerability was originally disclosed to the public. + +For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability. +As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the +vulnerability was in fact disclosed to the public at that time or update the `disclosure_date` with the new intended date in the future. + +#### 3.2.4.5 Vulnerabilities Property - Discovery Date Discovery date (`discovery_date`) of value type `string` with format `date-time` holds the date and time the vulnerability was originally discovered. -#### 3.2.4.5 Vulnerabilities Property - Flags +#### 3.2.4.6 Vulnerabilities Property - Flags List of flags (`flags`) of value type `array` with 1 or more unique items (a set) of value type `object` contains a list of machine readable flags. 
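Review bot: The new `disclosure_date` text allows a future date as the intended disclosure date but gives a later reader no way to tell a disclosure that actually happened from a plan that was never confirmed, since the issuer only SHOULD publish an update; I would add `A disclosure_date in the past SHOULD only be present if the issuing party has confirmed that the disclosure took place; consumers SHOULD treat a date that has not been confirmed as an intention.` A future date for a still-undisclosed vulnerability is itself embargo information, so the section should state that a document carrying one MUST NOT be distributed beyond what the embargo allows (in particular not as TLP:CLEAR) or point to the considerations in section 8. The property this replaces described when a vulnerability was "released into the wild", which is not the same event as public disclosure; a one-sentence note for producers migrating from that field would prevent the two from being mapped onto each other.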
@@ -3266,7 +3317,7 @@ The given values reflect the VEX not affected justifications. See [VEX-Justifica Product IDs (`product_ids`) are of value type Products (`products_t`) and contain a list of Products the current flag item applies to. -#### 3.2.4.6 Vulnerabilities Property - IDs +#### 3.2.4.7 Vulnerabilities Property - IDs List of IDs (`ids`) of value type `array` with one or more unique ID items of value type `object` represents a list of unique labels or tracking IDs for the vulnerability (if such information exists). @@ -3296,7 +3347,7 @@ tracking ID for the vulnerability. System name (`system_name`) of value type `string` with 1 or more characters indicates the name of the vulnerability tracking or numbering system. -*Examples 1:* +*Examples 1:* ``` Cisco Bug ID @@ -3305,7 +3356,7 @@ System name (`system_name`) of value type `string` with 1 or more characters ind Text (`text`) of value type `string` with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists). -*Examples 2:* +*Examples 2:* ``` CSCso66472 @@ -3322,7 +3373,7 @@ Text (`text`) of value type `string` with 1 or more characters is unique label o > The ID MAY be a vendor-specific value but is not to be used to publish the CVE tracking numbers > (MITRE standard Common Vulnerabilities and Exposures), as these are specified inside the dedicated CVE element. -#### 3.2.4.7 Vulnerabilities Property - Involvements +#### 3.2.4.8 Vulnerabilities Property - Involvements List of involvements (`involvements`) of value type `array` with 1 or more unique items (a set) of value type `object` contains a list of involvements. 
@@ -3417,7 +3468,7 @@ The use of this status by a vendor indicates that future updates from the vendor Summary of involvement (`summary`) of value type `string` with 1 or more characters contains additional context regarding what is going on. -#### 3.2.4.8 Vulnerabilities Property - Metrics +#### 3.2.4.9 Vulnerabilities Property - Metrics List of metrics (`metrics`) of value type `array` with 1 or more unique items (a set) of value type `object` Contains metric objects for the current vulnerability. @@ -3446,7 +3497,7 @@ Every Metric item of value type `object` with the mandatory properties `content` } ``` -##### 3.2.4.8.1 Vulnerabilities Property - Metrics - Content +##### 3.2.4.9.1 Vulnerabilities Property - Metrics - Content Content (`content`) of value type `object` with the optional properties CVSS v2 (`cvss_v2`), CVSS v3 (`cvss_v3`) and CVSS v4 (`cvss_v4`) specifies information about (at least one) metric or score for the given products regarding the current vulnerability. A Content object has at least 1 property. @@ -3463,6 +3514,9 @@ A Content object has at least 1 property. }, "cvss_v4": { // ... + }, + "ssvc_v1": { + // .... } } ``` 
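Review bot: The prose enumeration of the optional `content` properties in the context of the preceding hunk ("CVSS v2 (`cvss_v2`), CVSS v3 (`cvss_v3`) and CVSS v4 (`cvss_v4`)") is left unchanged while `ssvc_v1` is added to the example listing here, so text and example now disagree on what `content` may hold; it should read `…CVSS v3 (cvss_v3), CVSS v4 (cvss_v4) and SSVC v1 (ssvc_v1) specifies…`. The placeholder for the new entry is `// ....` with four dots whereas every other entry in the listing uses `// ...`.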
@@ -3477,21 +3531,24 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json). -##### 3.2.4.8.2 Vulnerabilities Property - Metrics - Products +The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at +[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json). + +##### 3.2.4.9.2 Vulnerabilities Property - Metrics - Products Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies. A metric object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed; the known affected versions of that product can list the vulnerability score as it applies to them). -##### 3.2.4.8.3 Vulnerabilities Property - Metrics - Source +##### 3.2.4.9.3 Vulnerabilities Property - Metrics - Source Source (`source`) of value type `string` with format `uri` contains the URL of the source that originally determined the metric. If no source is given, then the metric was assigned by the document author. > For example, this could point to the vendor advisory, discoverer blog post, a multiplier's assessment or other sources that provide metric information. -#### 3.2.4.9 Vulnerabilities Property - Notes +#### 3.2.4.10 Vulnerabilities Property - Notes Vulnerability notes (`notes`) of value type Notes Type (`notes_t`) holds notes associated with this vulnerability item. 
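Review bot: The new paragraph says `ssvc_v1` holds a Decision Point Value Selection "v1.x.y" value, yet the only schema it points to is the version-pinned `Decision_Point_Value_Selection-1-0-1.schema.json`, so a 1.0.2 or 1.1.0 selection would have no schema to abide by and a validator has no basis to accept it; either pin the text to v1.0.1 or follow the `cvss_v3` pattern in the context line above ("abiding by one of the schemas") and list every accepted schema explicitly. I cannot see the JSON schema from here, so please confirm that the property name used in the schema is also `ssvc_v1`; a mismatch would make the example unvalidatable. Unlike a CVSS vector, an SSVC selection is only meaningful relative to its `namespace` and decision point `version`, and the tests added for unknown namespace (6.2.34) and non-latest version (6.3.13) are optional and informative respectively, so a sentence that consumers SHOULD NOT act on values whose namespace or version they do not know would be a useful caveat.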
@@ -3509,7 +3566,7 @@ The following combinations of `category` and `title` have a special meaning and | `description` | Preconditions | Contains a description of the preconditions that have to be fulfilled to be able to exploit the vulnerability, e.g. user account or physical access. | | `summary` | Vulnerability Summary | Contains a summary of the vulnerability which is not the official CVE description. | -#### 3.2.4.10 Vulnerabilities Property - Product Status +#### 3.2.4.11 Vulnerabilities Property - Product Status Product status (`product_status`) of value type `object` with 1 or more properties contains different lists of `product_ids` which provide details on the status of the referenced product related to the current vulnerability. @@ -3583,7 +3640,7 @@ Under investigation (`under_investigation`) of value type Products (`products_t` are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document. -#### 3.2.4.11 Vulnerabilities Property - References +#### 3.2.4.12 Vulnerabilities Property - References Vulnerability references (`references`) of value type References Type (`references_t`) holds a list of references associated with this vulnerability item. @@ -3594,11 +3651,6 @@ list of references associated with this vulnerability item. }, ``` -#### 3.2.4.12 Vulnerabilities Property - Release Date - -Release date (`release_date`) with value type `string` of format `date-time` holds the date and time -the vulnerability was originally released into the wild. - #### 3.2.4.13 Vulnerabilities Property - Remediations List of remediations (`remediations`) of value type `array` with 1 or more Remediation items of value type `object` contains a list of remediations. 
@@ -4084,7 +4136,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > As a result, a `/document/tracking/id` with the value `2022_#01-A` is converted into `2022_01-a` instead of `2022__01-a`. 3. The file extension `.json` MUST be appended. -*Examples 1:* +*Examples 1:* ``` cisco-sa-20190513-secureboot.json @@ -4095,7 +4147,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > It is currently considered best practice to indicate that a CSAF document is invalid by > inserting `_invalid` into the filename in front of the file extension. -*Examples 2:* +*Examples 2:* ``` cisco-sa-20190513-secureboot_invalid.json @@ -4149,7 +4201,7 @@ The `/product_tree` uses a nested structure for `branches`. Along a single path If a product consists of hardware and software, the hardware part MUST be presented as one product in the product tree and the software part as another one. To form the overall product, both parts MUST be combined through a relationship. -*Examples 1:* +*Examples 1:* ``` "product_tree": { @@ -4307,7 +4359,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/product_ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4338,7 +4390,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4372,7 +4424,7 @@ The relevant path for this test is: > a Product ID defined in a relationship item is used as `product_reference` or `relates_to_product_reference`. > Only for those which fulfill this condition it is necessary to run the full check following the references. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -4411,7 +4463,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/group_ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4450,7 +4502,7 @@ The relevant path for this test is: /product_tree/product_groups[]/group_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4526,7 +4578,7 @@ Contradiction groups are: > Note: An issuer might recommend (`/vulnerabilities[]/product_status/recommended`) a product version from any group - also from the affected group, > i.e. if it was discovered that fixed versions introduce a more severe vulnerability. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4565,7 +4617,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4624,7 +4676,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4665,7 +4717,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4692,7 +4744,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4726,7 +4778,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -4751,7 +4803,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "EZ" 
@@ -4773,7 +4825,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/purls[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4805,7 +4857,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4834,7 +4886,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -4865,7 +4917,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4899,7 +4951,7 @@ The relevant path for this test is: /document/tracking/status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4921,7 +4973,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4955,7 +5007,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4984,7 +5036,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -5010,7 +5062,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -5039,7 +5091,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ 
@@ -5068,7 +5120,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5093,7 +5145,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5129,7 +5181,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5189,7 +5241,7 @@ The relevant path for this test is: /document/category ``` -*Examples 1 (for currently prohibited values):* +*Examples 1 (for currently prohibited values):* ``` Csaf_a @@ -5200,7 +5252,7 @@ The relevant path for this test is: V_eX ``` -*Example 2 (which fails the test):* +*Example 2 (which fails the test):* ``` "category": "Security_Incident_Response" @@ -5234,7 +5286,7 @@ The relevant path for this test is: /document/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "notes": [ @@ -5265,7 +5317,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -5295,7 +5347,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5326,7 +5378,7 @@ The relevant path for this test is: /product_tree ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5358,7 +5410,7 @@ The relevant path for this test is: /vulnerabilities[]/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
@@ -5386,7 +5438,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5418,7 +5470,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { @@ -5450,7 +5502,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5481,7 +5533,7 @@ The relevant path for this test is: /vulnerabilities[]/threats ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5553,7 +5605,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5626,7 +5678,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5652,7 +5704,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -5680,7 +5732,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ @@ -5707,7 +5759,7 @@ The relevant paths for this test are: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -5768,7 +5820,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ 
@@ -5792,7 +5844,7 @@ The relevant path for this test is: /vulnerabilities[]/flags[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "flags": [ @@ -5807,7 +5859,7 @@ The relevant path for this test is: ### 6.1.33 Multiple Flags with VEX Justification Codes per Product For each item in `/vulnerabilities[]` it MUST be tested that a Product is not member of more than one Flag item with -a VEX justification code (see section [3.2.4.5](#vulnerabilities-property-flags)). +a VEX justification code (see section [3.2.4.6](#vulnerabilities-property-flags)). This takes indirect relations through Product Groups into account. > Additional flags with a different purpose might be provided in later versions of CSAF. @@ -5819,7 +5871,7 @@ The relevant path for this test is: /vulnerabilities[]/flags ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5884,7 +5936,7 @@ The relevant path for this test is: /product_tree/branches[](/branches[])*/product ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6094,7 +6146,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ @@ -6133,7 +6185,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { 
@@ -6165,15 +6217,15 @@ The relevant path for this test is: /document/tracking/generator/date /document/tracking/initial_release_date /document/tracking/revision_history[]/date + /vulnerabilities[]/disclosure_date /vulnerabilities[]/discovery_date /vulnerabilities[]/flags[]/date - /vulnerabilities[]/release_date /vulnerabilities[]/involvements[]/date /vulnerabilities[]/remediations[]/date /vulnerabilities[]/threats[]/date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "current_release_date": "2024-01-24 10:00:00.000Z", @@ -6191,7 +6243,7 @@ The relevant path for this test is: /document/distribution/tlp/label ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6220,7 +6272,7 @@ The relevant path for this test is: /document/distribution/sharing_group/id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6247,7 +6299,7 @@ The relevant path for this test is: /document/distribution/sharing_group/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6273,7 +6325,7 @@ The relevant path for this test is: /document/distribution/sharing_group/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -6300,7 +6352,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/purls[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -6321,6 +6373,293 @@ The relevant paths for this test are: > The two purls differ in the name component. +### 6.1.43 Use of Multiple Stars in Model Number + +For each model number it MUST be tested that the it does not contain multiple unescaped stars. + +> Multiple `*` that match zero or multiple characters within a model number introduce ambiguity and are therefore prohibited. + +The relevant paths for this test are: + +``` + /product_tree/branches[](/branches[])*/product/product_identification_helper/model_numbers[] + /product_tree/full_product_names[]/product_id/product_identification_helper/model_numbers[] + /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/model_numbers[] +``` + +*Example 1 (which fails the test):* + +``` + "model_numbers": [ + "P*A*" + ] +``` + +> The model number contains two unescaped stars. + +### 6.1.44 Use of Multiple Stars in Serial Number + +For each serial number it MUST be tested that the it does not contain multiple unescaped stars. + +> Multiple `*` that match zero or multiple characters within a serial number introduce ambiguity and are therefore prohibited. + +The relevant paths for this test are: + +``` + /product_tree/branches[](/branches[])*/product/product_identification_helper/serial_numbers[] + /product_tree/full_product_names[]/product_id/product_identification_helper/serial_numbers[] + /product_tree/relationships[]/full_product_name/product_id/product_identification_helper/serial_numbers[] +``` + +*Example 1 (which fails the test):* + +``` + "serial_numbers": [ + "P*A*" + ] +``` + +> The serial number contains two unescaped stars. + +### 6.1.45 Inconsistent Disclosure Date + +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` +if the document is labeled `TLP:CLEAR` and the document status is `final` or `interim`. 
+As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + // ... + "tracking": { + // ... + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + // ... + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the `date` of newest item in the `revision_history`. + +### 6.1.46 Invalid SSVC + +It MUST be tested that the given SSVC object is valid according to the referenced schema. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1 +``` + +*Example 1 (which fails the test):* + +``` + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "timestamp": "2024-01-24T10:00:00.000Z" + } +``` + +> The required element `selections` is missing. + +> A tool MAY add the missing property `id` based on the values given in `cve` respectively `ids[]/text` as quick fix. + +### 6.1.47 Inconsistent SSVC ID + +For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array. +The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability. 
+ +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/id +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0002", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "None" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC ID does not match the CVE ID. + +### 6.1.48 SSVC Decision Points + +For each SSVC decision point given under `selections` with a registered `namespace`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly. + +> According to the SSVC project, the following values are currently registered: +> +> ``` +> cvss +> nciss +> ssvc +> ``` +> +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). +> The items in `values` need to have the same order as in their definition. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "None", + "Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The SSVC decision point `Mission Impact` doesn't have the value `Degraded` in version `1.0.0`. + +> If applicable, a tool MAY sort the items in `values` according to the order of their definition as a quick fix. 
+ +### 6.1.49 Inconsistent SSVC Timestamp + +For each vulnerability, it MUST be tested that the SSVC `timestamp` is earlier or equal to the `date` of the newest item of the `revision_history` +if the document status is `final` or `interim`. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + // ... + "tracking": { + // ... + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + // ... + } + }, + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Exploitation", + "namespace": "ssvc", + "values": [ + "Active" + ], + "version": "1.1.0" + } + ], + "timestamp": "2024-07-13T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The document is in status `final` but the SSVC `timestamp` is newer than the `date` of newest item in the `revision_history`. + ## 6.2 Optional Tests Optional tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid. @@ -6342,7 +6681,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6375,7 +6714,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
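Review bot: The two sentences of 6.1.47 contradict each other: the first admits only the `cve` value or an `ids[]/text` value as `id`, while the second rejects `/document/tracking/id` only when the document has more than one vulnerability, which implies the tracking ID is acceptable for a single-vulnerability document. Merge them into one rule, e.g. ``For each `ssvc_v1` object it MUST be tested that `id` is the CVE given in `cve`, the `text` of an item in the `ids` array, or, only if the CSAF document contains exactly one vulnerability, the `/document/tracking/id`.``, so that a consumer cannot attach an SSVC decision to the wrong vulnerability. 6.1.45 should also say whether a vulnerability without a `disclosure_date` (presumably optional) passes or is skipped, and the example of 6.1.49 carries a `tlp` block copied from 6.1.45 although its condition depends on `status` only. Finally, 6.1.43 and 6.1.44 read "tested that the it does not contain"; drop the stray "the".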
@@ -6412,7 +6751,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/last_affected[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6446,7 +6785,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -6471,7 +6810,7 @@ The relevant path for this test is: /document/tracking/initial_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6507,7 +6846,7 @@ The relevant path for this test is: /document/tracking/current_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6542,7 +6881,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6574,7 +6913,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6617,7 +6956,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6666,7 +7005,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6701,7 +7040,7 @@ The relevant path for this test is: /document/lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { 
@@ -6731,7 +7070,7 @@ The relevant path for this test is: / ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6756,7 +7095,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "qtx" @@ -6777,7 +7116,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "i-default" @@ -6799,7 +7138,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "full_product_names": [ @@ -6824,7 +7163,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "ids": [ @@ -6857,7 +7196,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -6885,7 +7224,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status/fixed[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6941,7 +7280,7 @@ The relevant path for this test is: > To implement this test it is deemed sufficient to validate the CSAF document against a "strict" version schema that > sets `additionalProperties` to `false` for every key of type `object`. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6967,7 +7306,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ 
@@ -6996,7 +7335,7 @@ The relevant path for this test is: /document/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)", @@ -7022,7 +7361,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7049,7 +7388,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -7089,7 +7428,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7116,7 +7455,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -7142,7 +7481,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { @@ -7173,7 +7512,7 @@ The relevant path for this test is: /document/distribution/sharing_group/id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -7199,7 +7538,7 @@ The relevant path for this test is: /document/distribution/sharing_group/id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -7225,7 +7564,7 @@ The relevant path for this test is: /document/distribution/sharing_group ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "distribution": { @@ -7260,7 +7599,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -7313,7 +7652,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id/product_identification_helper ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -7362,6 +7701,143 @@ The relevant paths for this test are: > Both products are identified by the same serial number `143-D-354`. +### 6.2.33 Disclosure Date newer than Revision History + +For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history` +if the `disclosure_date` is in the past at the time of the test execution. +As the timestamps might use different timezones, the sorting MUST take timezones into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/disclosure_date +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "distribution": { + "tlp": { + "label": "GREEN" + } + }, + // ... + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + // ... + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "disclosure_date": "2024-02-24T10:00:00.000Z" + } + ] +``` + +> The `disclosure_date` is in the past but newer than the date of newest item in the `revision_history`. + +### 6.2.34 Usage of Unknown SSVC Decision Point Namespace + +For each SSVC decision point given under `selections`, it MUST be tested the `namespace` is one of the case-sensitive registered namespaces. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... 
+ } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. + +### 6.2.35 Usage of Unknown SSVC Role + +For each SSVC object, it MUST be tested the `role` is one of the case-sensitive registered roles. + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/role +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Technical Impact", + "namespace": "an-yet-unknown-or-maybe-private-namespace", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> The namespace `an-yet-unknown-or-maybe-private-namespace` is not a registered namespace. +> Its decision point definitions might therefore not be known to the reader of the document. + ## 6.3 Informative Test Informative tests provide insights in common mistakes and bad practices. @@ -7384,7 +7860,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -7432,7 +7908,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -7464,7 +7940,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -7492,7 +7968,7 @@ The relevant path for this test is: /vulnerabilities[]/cwe ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
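Review bot: The example in 6.2.35 is a verbatim copy of the one in 6.2.34: it contains no `role` property at all and the explanation beneath it again talks about the unregistered namespace, so it does not exercise the role test. Replace it with an `ssvc_v1` object carrying an unregistered role, e.g. ``"role": "an-yet-unknown-role"`` (constructed value), and change the note to ``> The role `an-yet-unknown-role` is not a registered role.``. Neither 6.2.34 nor 6.2.35 says where the registered namespaces and roles are listed; 6.2.34 should point to the list given in 6.1.48 and 6.2.35 should link the SSVC stakeholder role list the way 6.1.48 links the decision points. Both sections (and 6.3.13) read "it MUST be tested the `namespace`/`role` is"; insert "that" after "tested".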
@@ -7517,7 +7993,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -7578,7 +8054,7 @@ The relevant paths for this test are: /vulnerabilities[]/remediations[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -7607,7 +8083,7 @@ The relevant paths for this test are: /vulnerabilities[]/references[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -7668,7 +8144,7 @@ The relevant paths for this test are: /vulnerabilities[]/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -7700,7 +8176,7 @@ The relevant paths for this test are: /product_tree/branches ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7742,7 +8218,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/category ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "category": "product_version_range", @@ -7767,7 +8243,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7791,7 +8267,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[]/content ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -7825,6 +8301,53 @@ The relevant path for this test is: > There is no CVSS v4.0 score given for `CSAFPID-9080700`. +### 6.3.13 Usage of Non-Latest SSVC Decision Point Version + +For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested the latest decision point `version` available at the time of the `timestamp` was used. +The test SHALL fail if a later `version` was used. + +> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points). + +The relevant path for this test is: + +``` + /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[] +``` + +*Example 1 (which fails the test):* + +``` + "vulnerabilities": [ + { + "cve": "CVE-1900-0001", + "metrics": [ + { + "content": { + "ssvc_v1": { + "id": "CVE-1900-0001", + "schemaVersion": "1-0-1", + "selections": [ + { + "name": "Mission Impact", + "namespace": "ssvc", + "values": [ + "Non-Essential Degraded" + ], + "version": "1.0.0" + } + ], + "timestamp": "2024-01-24T10:00:00.000Z" + } + }, + // ... + } + ] + } + ] +``` + +> At the timestamp `2024-01-24T10:00:00.000Z` version `2.0.0` of the SSVC decision point `Mission Impact` was already available. + ------- # 7. Distributing CSAF documents @@ -7901,7 +8424,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA > * https://psirt.domain.tld/advisories/csaf/provider-metadata.json > * https://domain.tld/security/csaf/provider-metadata.json -*Example 1 (minimal with ROLIE document):* +*Example 1 (minimal with ROLIE document):* ``` { @@ -7963,7 +8486,7 @@ See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details. > The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. > The `CSAF` field was officially added through the IANA registry. -*Examples 1:* +*Examples 1:* ``` CSAF: https://domain.tld/security/data/csaf/provider-metadata.json 
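Review bot: The second sentence of 6.3.13, `The test SHALL fail if a later `version` was used.`, says the opposite of the title and of the example, which fails because an older version (`1.0.0`) was used when `2.0.0` was already available. If the intent is to flag both outdated versions and versions that did not yet exist at `timestamp`, say so explicitly, e.g. ``The test SHALL fail if a `version` other than the latest one available at the time of the `timestamp` was used.``. Determining "latest available at the time of the `timestamp`" also requires a release date per decision point version; if the linked repository does not record one, implementers have nothing to compare against, so the section should name the source of that date or a pinned snapshot to evaluate against.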
@@ -7983,7 +8506,7 @@ The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details. -*Example 1:* +*Example 1:* ``` https://www.example.com/.well-known/csaf/provider-metadata.json @@ -8005,7 +8528,7 @@ The use of the scheme "HTTPS" is required. The CSAF documents MUST be located within folders named `` where `` is the year given in the value of `/document/tracking/initial_release_date`. -*Examples 1:* +*Examples 1:* ``` 2024 @@ -8016,7 +8539,7 @@ value of `/document/tracking/initial_release_date`. The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames. -*Example 1:* +*Example 1:* ``` 2023/esa-2023-09953.json @@ -8037,7 +8560,7 @@ The `changes.csv` SHALL be a valid comma separated values format as defined by \ > Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) > Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. -*Example 1:* +*Example 1:* ``` 2023/esa-2023-09953.json,2023-07-01T10:09:07Z @@ -8066,7 +8589,7 @@ At least one of the feeds MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\]. -*Example 1:* +*Example 1:* ``` { @@ -8135,7 +8658,7 @@ If it is used, each ROLIE service document MUST be a JSON file that conforms wit Additionally, it can also list the corresponding ROLIE category documents. The ROLIE service document SHOULD use the filename `service.json` and reside next to the `provider-metadata.json`. -*Example 1:* +*Example 1:* ``` { 
@@ -8179,7 +8702,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * `product_version` * type of product - *Examples 1:* + *Examples 1:* ``` CPU @@ -8194,7 +8717,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * areas or sectors, the products are used in - *Examples 2:* + *Examples 2:* ``` Chemical @@ -8209,7 +8732,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * any other categorization useful to the consumers -*Example 3:* +*Example 3:* ``` { @@ -8233,7 +8756,7 @@ to ensure their integrity. The filename is constructed by appending the file ext MD5 and SHA1 SHOULD NOT be used. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -8244,7 +8767,7 @@ File name of SHA-512 hash file: esa-2022-02723.json.sha512 The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space. -*Example 2:* +*Example 2:* ``` ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json @@ -8259,7 +8782,7 @@ extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See \[[RFC4880](#RFC4880)\] for more details. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -8305,7 +8828,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`. The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider. -*Example 1:* +*Example 1:* ``` { @@ -8361,7 +8884,7 @@ Each such folder MUST at least: * provide a `provider-metadata.json` for the current issuing party. * provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document. -*Example 1:* +*Example 1:* ``` { 
@@ -8754,6 +9277,7 @@ Secondly, the program fulfills the following for all items of: been removed. * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a warning that this CWE has been removed as its usage is not allowed in vulnerability mappings. +* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date` element. * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array. * `/vulnerabilities[]/remediations[]`: * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under @@ -8792,7 +9316,7 @@ Secondly, the program fulfills the following for all items of: the CVRF CSAF converter uses the following steps: 1. Retrieve the CVSS version from the CVSS vector, if present. - *Example 1:* + *Example 1:* ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1 @@ -8801,7 +9325,7 @@ Secondly, the program fulfills the following for all items of: 2. Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace. - *Example 2:* + *Example 2:* ``` xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd" @@ -8811,7 +9335,7 @@ Secondly, the program fulfills the following for all items of: is handled the same as - *Example 3:* + *Example 3:* ``` @@ -8822,7 +9346,7 @@ Secondly, the program fulfills the following for all items of: If more than one CVSS namespace is present and the element is not clearly defined via the namespace, this step MUST be skipped without a decision. - *Example 4:* + *Example 4:* ``` xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0 
@@ -8864,6 +9388,8 @@ A CSAF content management system satisfies the "CSAF content management system" the configuration (default: 3 weeks) * suggest to publish a new version of the CSAF document with the document status `final` if the document status was `interim` and no new release has be done during the given threshold in the configuration (default: 6 weeks) + > Note that the terms "publish", "publication" and their derived forms are used in this conformance profile independent of + whether the specified target group is the public or a closed group. * support the following workflows: * "New Advisory": create a new advisory, request a review, provide review comments or approve it, resolve review comments; @@ -8980,6 +9506,8 @@ The resulting translated document: It SHOULD NOT use the original `/document/tracking/id` as a suffix. If an issuer uses a CSAF translator to publish his advisories in multiple languages they MAY use the combination of the original `/document/tracking/id` and translated `/document/lang` as a `/document/tracking/id` for the translated document. + > Note that the term "publish" is used in this conformance profile independent of whether the specified target group is the public + or a closed group. * provides the `/document/lang` property with a value matching the language of the translation. * provides the `/document/source_lang` to contain the language of the original document (and SHOULD only be set by CSAF translators). * has the value `translator` set in `/document/publisher/category` 
@@ -9146,8 +9674,38 @@ Secondly, the program fulfills the following for all items of: * type `/$defs/full_product_name_t/product_identification_helper/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE. +* type `/$defs/full_product_name_t/model_number`: + * If a model number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial model number was detected and a star has been added. + Such a warning MUST include the model number. + * If the model number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the model number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a model number with multiple stars was detected and removed. + Such a warning MUST include the model number. + + > A tool MAY provide a non-default option to interpret all model numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all model numbers as part of the model number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all model numbers as part of the model number itself and therefore escape it. + * type `/$defs/full_product_name_t/product_identification_helper/purls`: If a `/$defs/full_product_name_t/product_identification_helper/purl` is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it into the first item of the corresponding `purls` array. 
+* type `/$defs/full_product_name_t/serial_number`: + * If a serial number is given that does not end on a star, the CSAF 2.0 to CSAF 2.1 converter SHOULD add a `*` to the end and output a + warning that a partial serial number was detected and a star has been added. + Such a warning MUST include the serial number. + * If the serial number contains a `\`, the CSAF 2.0 to CSAF 2.1 converter MUST escape it by inserting an additional `\` before the character. + * If the serial number contains multiple unescaped `*` after the conversion, the CSAF 2.0 to CSAF 2.1 converter MUST remove the entry and + output a warning that a serial number with multiple stars was detected and removed. + Such a warning MUST include the serial number. + + > A tool MAY provide a non-default option to interpret all serial numbers as complete and therefore does not add any stars. + + > A tool MAY provide a non-default option to interpret the `?` in all serial numbers as part of the serial number itself and therefore escape it. + + > A tool MAY provide a non-default option to interpret the `*` in all serial numbers as part of the serial number itself and therefore escape it. + * `/$schema`: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema. * `/document/csaf_version`: The CSAF 2.0 to CSAF 2.1 converter MUST update the value to `2.1`. * `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below: 
@@ -9179,6 +9737,16 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. +* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as `disclosure_date`. +* `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current + vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1` + object within the current vulnerability. + If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding `notes` item SHALL + be removed. + If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information given, the CSAF 2.0 to CSAF 2.1 converter SHALL + remove the invalid `ssvc_v1` object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data failed. + If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the `ssvc_v1` + object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data would lead to loosing information. * `/vulnerabilities[]/remediations[]`: * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. 
@@ -9196,6 +9764,7 @@ Secondly, the program fulfills the following for all items of: * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`. * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, including the products it was changed for. +* The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning. > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown. @@ -9492,6 +10061,8 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/acknowledgments[]/urls` * `/vulnerabilities[]/cwes` * `/vulnerabilities[]/ids` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values` * `/vulnerabilities[]/remediations[]/entitlements` * 40 000 items for @@ -9620,6 +10191,12 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/metrics[]/content/cvss_v2/vectorString` * `/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString` * `/vulnerabilities[]/metrics[]/content/cvss_v4/vectorString` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/id` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/role` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]` + * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version` * `/vulnerabilities[]/metrics[]/products[]` * `/vulnerabilities[]/notes[]/audience` * `/vulnerabilities[]/notes[]/title` 
@@ -9675,10 +10252,11 @@ The maximum length of strings representing a temporal value is given by the form * `/document/tracking/generator/date` * `/document/tracking/initial_release_date` * `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/disclosure_date` * `/vulnerabilities[]/discovery_date` * `/vulnerabilities[]/flags[]/date` * `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp` * `/vulnerabilities[]/remediations[]/date` * `/vulnerabilities[]/threats[]/date` @@ -9696,6 +10274,7 @@ It seems to be safe to assume that the length of this value is not greater than For all other values, it seems to be safe to assume that the length of each value is not greater than 50. This applies to: + * `/document/csaf_version` (3) * `/document/distribution/tlp/label` (12) * `/document/notes[]/category` (16) @@ -9785,6 +10364,7 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnConfidentialityImpact` (4) * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnerabilityResponseEffort` (11) * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact` (4) +* `/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion` (5) * `/vulnerabilities[]/notes[]/category` (16) * `/vulnerabilities[]/references[]/category` (8) * `/vulnerabilities[]/remediations[]/category` (14) From f1d5bf35a9dd1f9c1804314d3bb12b9b8dfae269 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Tue, 4 Mar 2025 20:32:05 +0100 Subject: [PATCH 68/69] Further review discussion results Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> --- csaf_2.1/prose/edit/src/conformance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index cd76bc960..1cf36c510 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -606,7 +606,7 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. -* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as `disclosure_date`. +* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert its value as value into the `disclosure_date` element. * `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1` object within the current vulnerability. From 4d909c6a25053708d24deaaa6c4a54c23c31276a Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Tue, 4 Mar 2025 20:33:59 +0100 Subject: [PATCH 69/69] Updated user facing delivery items - included fix of a nit around key value semantics in json Signed-off-by: Stefan Hagen --- csaf_2.1/prose/share/csaf-v2.1-draft.html | 2 +- csaf_2.1/prose/share/csaf-v2.1-draft.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index cc5fe770e..5f1a97476 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -12115,7 +12115,7 @@

  • - /vulnerabilities[]/disclosure_date: If a release_date was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as disclosure_date. + /vulnerabilities[]/disclosure_date: If a release_date was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert its value as value into the disclosure_date element.

  • diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index d5f732463..8ffd3be7e 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -9737,7 +9737,7 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. -* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as `disclosure_date`. +* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert its value as value into the `disclosure_date` element. * `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1` object within the current vulnerability.