CSAF-0.25/0000755000175000017500000000000014755634264011200 5ustar peppepeppeCSAF-0.25/t/0000755000175000017500000000000014755634263011442 5ustar peppepeppeCSAF-0.25/t/40-type.t0000644000175000017500000000126614615200470013016 0ustar peppepeppe#!perl use strict; use warnings; use Test::More; use CSAF::Type; my $TYPES = CSAF::Type::TYPE_CLASSES(); foreach my $name (sort keys %{$TYPES}) { subtest "'$name' type" => sub { SKIP: { eval { my $class = CSAF::Type->new(name => $name, value => {}); isa_ok($class, $TYPES->{$name}, "'$name' type using CSAF::Type->new"); }; skip "$name: $@", 1 if $@; eval { my $class = CSAF::Type->name($name, {}); isa_ok($class, $TYPES->{$name}, "'$name' type using CSAF::Type->name"); }; skip "$name: $@", 1 if $@; } }; } done_testing(); CSAF-0.25/t/10-mandatory-6.1.27.03.t0000644000175000017500000000224314704316755015013 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.3 Vulnerabilities # It MUST be tested that the element /vulnerabilities does not exist. # The relevant value for /document/category is: # csaf_informational_advisory # The relevant path for this test is: # /vulnerabilities # Fail test: # "vulnerabilities": [ # { # "title": "A vulnerability item that SHALL NOT exist" # } # ] my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.3'); $csaf->document->category('csaf_informational_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(title => 'A vulnerability item that SHALL NOT exist'); exec_validator_mandatory_test($csaf, '6.1.27.3'); done_testing; CSAF-0.25/t/10-mandatory-6.1.27.04.t0000644000175000017500000000230014704316755015006 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.4 Product Tree # It MUST be tested that the element /product_tree exists. # The relevant values for /document/category are: # csaf_security_advisory # csaf_vex # The relevant path for this test is: # /product_tree # Fail test: # { # "document": { # // ... # }, # "vulnerabilities": [ # // ... # ] # } my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.5'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(title => 'CSAF without product_tree'); foreach my $category (qw(csaf_security_advisory csaf_vex)) { $csaf->document->category($category); exec_validator_mandatory_test($csaf, '6.1.27.4'); } done_testing; CSAF-0.25/t/10-mandatory-6.1.28.t0000644000175000017500000000221314572605165014567 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.28 Translation # It MUST be tested that the given source language and document language are not the same. # The relevant path for this test is: # /document/lang # /document/source_lang # Fail test: # "document": { # // ... # "lang": "en-US", # // ... # "source_lang": "en-US", # // ... # } my $csaf = CSAF->new; $csaf->document->title('Mandatory test: Translator (failing example 1)'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher( category => 'translator', name => 'CSAF TC Translator', namespace => 'https://csaf.io/translator' ); $csaf->document->lang('en-US'); $csaf->document->source_lang('en-US'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); exec_validator_mandatory_test($csaf, '6.1.28'); done_testing; CSAF-0.25/t/10-mandatory-6.1.26.t0000644000175000017500000000422614572605165014573 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.26 Prohibited Document Category Name # It MUST be tested that the document category is not equal to the (case insensitive) name (without the prefix csaf_) or value of any other profile than "CSAF Base". Any occurrences of dash, whitespace, and underscore characters are removed from the values on both sides before the match. Also the value MUST NOT start with the reserved prefix csaf_ except if the value is csaf_base. # This test does only apply for CSAF documents with the profile "CSAF Base". Therefore, it MUST be skipped if the document category matches one of the values defined for the profile other than "CSAF Base". # For CSAF 2.0, the test must be skipped for the following values in /document/category: # csaf_base # csaf_security_incident_response # csaf_informational_advisory # csaf_security_advisory # csaf_vex # This is the only mandatory test related to the profile "CSAF Base" as the required fields SHALL be checked by validating the JSON schema. # The relevant path for this test is: # /document/category # Currently prohibited values: # Csaf_a # Informational Advisory # security-incident-response # Security Advisory # veX # V_eX # Fail test: # "category": "Security_Incident_Response" my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.26'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); my @categories = ( 'Security_Incident_Response', 'Csaf_a', 'Informational Advisory', 'security-incident-response', 'Security Advisory', 'veX', 'V_eX' ); foreach my $category (@categories) { $csaf->document->category($category); exec_validator_mandatory_test($csaf, '6.1.26'); } done_testing; CSAF-0.25/t/10-mandatory-6.1.09.t0000644000175000017500000000335014704316755014572 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); use CSAF::Validator::MandatoryTests; # 6.1.9 Invalid CVSS computation # It MUST be tested that the given CVSS object has the values computed correctly according to the definition. # The vectorString SHOULD take precedence. # The relevant paths for this test are: # /vulnerabilities[]/scores[]/cvss_v2/baseScore # /vulnerabilities[]/scores[]/cvss_v2/temporalScore # /vulnerabilities[]/scores[]/cvss_v2/environmentalScore # /vulnerabilities[]/scores[]/cvss_v3/baseScore # /vulnerabilities[]/scores[]/cvss_v3/baseSeverity # /vulnerabilities[]/scores[]/cvss_v3/temporalScore # /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity # /vulnerabilities[]/scores[]/cvss_v3/environmentalScore # /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity # Fail test: # "cvss_v3": { # "version": "3.1", # "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", # "baseScore": 10.0, # "baseSeverity": "LOW" # } my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->scores->add( products => ['CSAFPID-9080700'], cvss_v3 => {baseScore => 10.0, baseSeverity => 'LOW', vectorString => 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'} ); $vuln->scores->add( products => ['CSAFPID-9080700'], cvss_v2 => {baseScore => 10.0, vectorString => 'AV:N/AC:L/Au:N/C:C/I:C/A:C'} ); exec_validator_mandatory_test($csaf, '6.1.9'); done_testing; CSAF-0.25/t/10-optional-6.2.03.t0000644000175000017500000000252314704316755014415 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_optional_test); # 6.2.3 Missing Score # For each Product ID (type /$defs/product_id_t) in the Product Status groups Affected it MUST be tested that a score object exists which # covers this product. # The relevant paths for this test are: # /vulnerabilities[]/product_status/first_affected[] # /vulnerabilities[]/product_status/known_affected[] # /vulnerabilities[]/product_status/last_affected[] # Fail test: # "product_tree": { # "full_product_names": [ # { # "product_id": "CSAFPID-9080700", # "name": "Product A" # } # ] # }, # "vulnerabilities": [ # { # "product_status": { # "first_affected": [ # "CSAFPID-9080700" # ] # } # } # ] my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); $csaf->product_tree->full_product_names->add(name => 'Product B', product_id => 'CSAFPID-9080701'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->product_status->first_affected(['CSAFPID-9080700']); exec_validator_optional_test($csaf, '6.2.3'); done_testing; CSAF-0.25/t/30-list.t0000644000175000017500000000155114615202156013007 0ustar peppepeppe#!perl use strict; use warnings; use Test::More; use CSAF::Util::List; my $collection = CSAF::Util::List->new(1, 2); subtest 'size' => sub { is($collection->size, 2, 'Test size #1'); $collection->add(3); is($collection->size, 3, 'Size #2'); }; is($collection->first, 1, 'Test first'); is($collection->last, 3, 'Test last'); subtest 'join' => sub { is($collection->join, '123', 'Test join #1'); is($collection->join(','), '1,2,3', 'Test join #2'); }; subtest 'to_array' => sub { isa_ok($collection->to_array, 'ARRAY', 'Test to_array #1'); isa_ok(\@{$collection}, 'ARRAY', 'Test to_array #2'); }; subtest 'each' => sub { is_deeply [$collection->each], [1, 2, 3], 'Test each #1'; my @test = (); $collection->each(sub { push @test, $_[0] }); is_deeply \@test, [1, 2, 3], 'Test each #2'; }; done_testing(); CSAF-0.25/t/10-mandatory-6.1.17.t0000644000175000017500000000200614572605165014565 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.17 Document Status Draft # It MUST be tested that document status is draft if the document version is 0 or 0.y.z or contains the pre-release part. # The relevant path for this test is: # /document/tracking/status # Fail test: # "tracking": { # // ... # "status": "final", # "version": "0.9.5" # } my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '0.9.5', initial_release_date => 'now', current_release_date => 'now' ); exec_validator_mandatory_test($csaf, '6.1.17'); done_testing; CSAF-0.25/t/10-mandatory-6.1.19.t0000644000175000017500000000300614572605166014571 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.19 Revision History Entries for Pre-release Versions # It MUST be tested that no item of the revision history has a number which includes pre-release information. # The relevant path for this test is: # /document/tracking/revision_history[]/number # Fail test: # "revision_history": [ # { # "date": "2021-04-22T10:00:00.000Z", # "number": "1.0.0-rc", # "summary": "Release Candidate for initial version." # }, # { # "date": "2021-04-23T10:00:00.000Z", # "number": "1.0.0", # "summary": "Initial version." # } # ] my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add( date => 'now', summary => 'Release Candidate for initial version.', number => '1.0.0-rc' ); $tracking->revision_history->add(date => 'now', summary => 'Initial version.', number => '1.0.0'); exec_validator_mandatory_test($csaf, '6.1.19'); done_testing; CSAF-0.25/t/10-mandatory-6.1.23.t0000644000175000017500000000147714572605166014576 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); # 6.1.23 Multiple Use of Same CVE # It MUST be tested that a CVE is not used in multiple vulnerability items. # The relevant path for this test is: # /vulnerabilities[]/cve # Fail test: # "vulnerabilities": [ # { # "cve": "CVE-2017-0145" # }, # { # "cve": "CVE-2017-0145" # } # ] my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; $vulns->add(cve => 'CVE-2017-0145'); $vulns->add(cve => 'CVE-2017-0145'); exec_validator_mandatory_test($csaf, '6.1.23'); done_testing; CSAF-0.25/t/lib/0000755000175000017500000000000014755634263012210 5ustar peppepeppeCSAF-0.25/t/lib/Test/0000755000175000017500000000000014755634263013127 5ustar peppepeppeCSAF-0.25/t/lib/Test/CSAF.pm0000644000175000017500000000317414572605165014202 0ustar peppepeppepackage Test::CSAF; use 5.010001; use strict; use warnings; use Exporter 'import'; use CSAF; use CSAF::Validator::MandatoryTests; use CSAF::Validator::OptionalTests; use Test::More; our @EXPORT_OK = qw(base_csaf_security_advisory exec_validator_mandatory_test exec_validator_optional_test); sub base_csaf_security_advisory { my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add(date => 'now', summary => 'First release', number => '1'); return $csaf; } sub exec_validator_optional_test { my ($csaf, $test_id) = @_; my $v = CSAF::Validator::OptionalTests->new($csaf); $v->exec_test($test_id); foreach my $message (@{$v->messages}) { is($message->code, $test_id, "Message code: $test_id"); isa_ok($message, 'CSAF::Validator::Message'); diag($message); } } sub exec_validator_mandatory_test { my ($csaf, $test_id) = @_; my $v = CSAF::Validator::MandatoryTests->new($csaf); $v->exec_test($test_id); foreach my $message (@{$v->messages}) { is($message->code, $test_id, "Message code: $test_id"); isa_ok($message, 'CSAF::Validator::Message'); diag($message); } } 1; CSAF-0.25/t/10-mandatory-6.1.27.08.t0000644000175000017500000000230414704316755015016 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.8 Vulnerability ID # For each item in /vulnerabilities it MUST be tested that at least one of the elements cve or ids is present. # The relevant value for /document/category is: # csaf_vex # The relevant paths for this test are: # /vulnerabilities[]/cve # /vulnerabilities[]/ids # Fail test: # "vulnerabilities": [ # { # "title": "A vulnerability item without a CVE or ID" # } # ] my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.8'); $csaf->document->category('csaf_vex'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(title => 'A vulnerability item without a CVE or ID'); exec_validator_mandatory_test($csaf, '6.1.27.8'); done_testing; CSAF-0.25/t/10-mandatory-6.1.15.t0000644000175000017500000000235714572605165014574 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.15 Translator # It MUST be tested that /document/source_lang is present and set if the value translator is used for /document/publisher/category. # The relevant path for this test is: # /document/source_lang # Fail test: # "document": { # // ... # "publisher": { # "category": "translator", # "name": "CSAF TC Translator", # "namespace": "https://csaf.io/translator" # }, # "title": "Mandatory test: Translator (failing example 1)", # // ... # } my $csaf = CSAF->new; $csaf->document->title('Mandatory test: Translator (failing example 1)'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher( category => 'translator', name => 'CSAF TC Translator', namespace => 'https://csaf.io/translator' ); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); exec_validator_mandatory_test($csaf, '6.1.15'); done_testing; CSAF-0.25/t/10-optional-6.2.02.t0000644000175000017500000000300614704316755014411 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_optional_test); use CSAF::Validator::OptionalTests; # 6.2.2 Missing Remediation # For each Product ID (type /$defs/product_id_t) in the Product Status groups Affected and Under investigation it MUST be tested that a # remediation exists. # The remediation might be of the category none_available or no_fix_planned . # The relevant paths for this test are: # /vulnerabilities[]/product_status/first_affected[] # /vulnerabilities[]/product_status/known_affected[] # /vulnerabilities[]/product_status/last_affected[] # /vulnerabilities[]/product_status/under_investigation[] # Fail test: # "product_tree": { # "full_product_names": [ # { # "product_id": "CSAFPID-9080700", # "name": "Product A" # } # ] # }, # "vulnerabilities": [ # { # "product_status": { # "last_affected": [ # "CSAFPID-9080700" # ] # } # } # ] my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); $csaf->product_tree->full_product_names->add(name => 'Product B', product_id => 'CSAFPID-9080701'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->product_status->last_affected(['CSAFPID-9080700']); exec_validator_optional_test($csaf, '6.2.2'); done_testing; CSAF-0.25/t/10-mandatory-6.1.07.t0000644000175000017500000000376714704316755014604 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); use CSAF::Validator::MandatoryTests; # 6.1.7 Multiple Scores with same Version per Product # For each item in /vulnerabilities it MUST be tested that the same Product ID is not member of more than one CVSS-Vectors with the same version. # The relevant path for this test is: # /vulnerabilities[]/scores[] # Fail test: # "product_tree": { # "full_product_names": [ # { # "product_id": "CSAFPID-9080700", # "name": "Product A" # } # ] # }, # "vulnerabilities": [ # { # "scores": [ # { # "products": [ # "CSAFPID-9080700" # ], # "cvss_v3": { # "version": "3.1", # "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", # "baseScore": 10, # "baseSeverity": "CRITICAL" # } # }, # { # "products": [ # "CSAFPID-9080700" # ], # "cvss_v3": { # "version": "3.1", # "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", # "baseScore": 6.5, # "baseSeverity": "MEDIUM" # } # } # ] # } # ] my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->scores->add( products => ['CSAFPID-9080700'], cvss_v3 => {baseSeverity => 'CRITICAL', baseScore => 10, vectorString => 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'} ); $vuln->scores->add( products => ['CSAFPID-9080700'], cvss_v3 => {baseSeverity => 'CRITICAL', baseScore => 10, vectorString => 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'} ); exec_validator_mandatory_test($csaf, '6.1.7'); done_testing; CSAF-0.25/t/10-mandatory-6.1.27.05.t0000644000175000017500000000236214704316755015017 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.5 Vulnerability Notes # For each item in /vulnerabilities it MUST be tested that the element notes exists. # The relevant values for /document/category are: # csaf_security_advisory # csaf_vex # The relevant path for this test is: # /vulnerabilities[]/notes # Fail test: # "vulnerabilities": [ # { # "title": "A vulnerability item without a note" # } # ] my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.5'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(title => 'A vulnerability item without a note'); foreach my $category (qw(csaf_security_advisory csaf_vex)) { $csaf->document->category($category); exec_validator_mandatory_test($csaf, '6.1.27.5'); } done_testing; CSAF-0.25/t/10-mandatory-6.1.31.t0000644000175000017500000000221414572605165014562 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); use CSAF::Validator::MandatoryTests; # 6.1.31 Version Range in Product Version # For each element of type /$defs/branches_t with category of product_version it MUST be tested that the value of name does not contain a version range. # To implement this test it is deemed sufficient that, when converted to lower case, the value of name does not contain any of the following strings: # < # <= # > # >= # after # all # before # earlier # later # prior # versions # The relevant paths for this test are: # /product_tree/branches[](/branches[])*/name # Fail test: # "branches": [ # { # "category": "product_version", # "name": "prior to 4.2", # // ... # } # ] my $csaf = base_csaf_security_advisory(); my $branches = $csaf->product_tree->branches; $branches->add(category => 'product_version', name => 'prior to 4.2'); exec_validator_mandatory_test($csaf, '6.1.31'); done_testing; CSAF-0.25/t/90-official-testcases.t0000644000175000017500000000477214707012673015627 0ustar peppepeppe#!perl use strict; use warnings; use FindBin '$RealBin'; use Test::More; use CSAF::Util qw(file_read); use CSAF::Parser; use List::Util qw(first); use Cpanel::JSON::XS; use constant DEBUG => $ENV{CSAF_TEST_DEBUG}; my $testcases = Cpanel::JSON::XS->new->decode(file_read("$RealBin/official-testcases/testcases.json")); my @SKIP_TESTCASES = ( '6.2.10', # Missing TLP label (CSAF::Type::TLP have a default label) '6.2.12', # Missing Document Language (CSAF::Document have "en" for default language) '6.2.13', # Sorting (CSAF::Document is object not hash) #'6.2.20', # Additional Properties (in CSAF::Document isn't possible add new properties) # TODO '6.2.1', # !? '6.2.19', # Always fail !? # Unimplemented tests '6.3.6', '6.3.7', '6.3.8' ); foreach my $testcase (@{$testcases->{tests}}) { my $testcase_id = $testcase->{id}; my $testcase_group = $testcase->{group}; if (defined $ENV{TESTCASE}) { next unless ($testcase_id eq $ENV{TESTCASE}); diag "Test only $ENV{TESTCASE} testcase"; } if (first { $testcase_id eq $_ } @SKIP_TESTCASES) { diag "Testcase $testcase_id skipped"; next; } my @valid_testcases = @{$testcase->{valid} || []}; my @failures_testcases = @{$testcase->{failures} || []}; my @all_testcases = (@valid_testcases, @failures_testcases); foreach my $test (@all_testcases) { my $test_name = $test->{name}; my $is_valid = $test->{valid}; my $parser = CSAF::Parser->new(file => "$RealBin/official-testcases/$test_name"); my $csaf = $parser->parse; my $doc_title = $csaf->document->title; if ($testcase_group =~ /(optional|informative)/ && $doc_title =~ /failing/) { $is_valid = 0; } DEBUG and diag("[$testcase_id - $testcase_group] Test file: $test_name [valid => $is_valid]"); DEBUG and diag("[$testcase_id - $testcase_group] $doc_title"); my @messages = $csaf->validate; my $n_errors = 0; foreach my $message (@messages) { next if ($message->code ne $testcase_id); DEBUG and diag($message); $n_errors++; } if ($is_valid) { is($n_errors, 0, "$testcase_id - $n_errors validation message(s) detected for '$doc_title'"); } else { isnt($n_errors, 0, "$testcase_id - $n_errors validation message(s) detected for '$doc_title'"); } } } done_testing(); CSAF-0.25/t/10-mandatory-6.1.30.t0000644000175000017500000000306314572605165014564 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.30 Latest Document Version # It MUST be tested that all elements of type /$defs/version_t follow either integer versioning or semantic versioning homogeneously within the same document. # The relevant paths for this test are: # /document/tracking/revision_history[]/number # /document/tracking/version # Fail test: # "tracking": { # // ... # "revision_history": [ # { # "date": "2021-07-21T09:00:00.000Z", # "number": "1.0.0", # "summary": "Initial version." # }, # { # "date": "2021-07-21T10:00:00.000Z", # "number": "2", # "summary": "Second version." # } # ], # // ... # "version": "2" # } my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '2', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add(date => 'now', summary => 'Initial version.', number => '1.0.0'); $tracking->revision_history->add(date => 'now', summary => 'Second version.', number => '2'); exec_validator_mandatory_test($csaf, '6.1.30'); done_testing; CSAF-0.25/t/kwalitee.t0000644000175000017500000000045014572605165013427 0ustar peppepeppe#!perl use strict; use warnings; use Test::More; unless ($ENV{RELEASE_TESTING}) { plan(skip_all => "these tests are for release candidate testing"); } eval "use Test::Kwalitee 'kwalitee_ok'"; plan skip_all => 'Test::Kwalitee required to test kwalitee' if $@; kwalitee_ok(); done_testing; CSAF-0.25/t/official-testcases/0000755000175000017500000000000014755634263015212 5ustar peppepeppeCSAF-0.25/t/official-testcases/oasis_csaf_tc-csaf_2_0-2021-TEMPLATE.json0000644000175000017500000000125114567604632024047 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Template for generating CSAF files for Validator examples", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-TEMPLATE", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/README.md0000644000175000017500000000011414567606314016462 0ustar peppepeppeOfficial test case from CSAF repository (https://github.com/oasis-tcs/csaf) CSAF-0.25/t/official-testcases/mandatory/0000755000175000017500000000000014755634263017210 5ustar peppepeppeCSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-07-01.json0000644000175000017500000000212714567604632026030 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: VEX Product Status (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-07-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" } ] }, "vulnerabilities": [ { "product_status": { "first_fixed": [ "CSAFPID-9080700" ], "recommended": [ "CSAFPID-9080701" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-18.json0000644000175000017500000000350214567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 8)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-18", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "3", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "4", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "5", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "6", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "7", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "8", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "9", "summary": "Ninth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "10", "summary": "Tenth version." } ], "status": "final", "version": "10" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-22-01.json0000644000175000017500000000150214567604632025573 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition in Revision History (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-22-01", "initial_release_date": "2021-07-20T10:00:00.000Z", "revision_history": [ { "date": "2021-07-20T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Some other changes." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-12.json0000644000175000017500000000236714567604632025607 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "after-eight", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A after-eight" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-11.json0000644000175000017500000000145414567604632025603 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 1)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-11", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-23T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-08.json0000644000175000017500000000237614567604632025614 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 8)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-08", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "4.2 and later", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 4.2 and later" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-04-01.json0000644000175000017500000000150314567604632026022 0ustar peppepeppe{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Product Tree (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-04-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "A vulnerability item that can't reference any product as the product_tree does not exist." } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-06.json0000644000175000017500000000350314567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "3", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "4", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "5", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "6", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "7", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "8", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "9", "summary": "Ninth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "10", "summary": "Tenth version." } ], "status": "final", "version": "9" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-02.json0000644000175000017500000000417614567604632026041 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "group_ids": [ "CSAFGID-0001" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-11.json0000644000175000017500000000132314567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "translator", "name": "OASIS CSAF TC Translator", "namespace": "https://csaf.io/translator" }, "source_lang": "de-DE", "title": "Mandatory test: Translator (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-15-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-17-01.json0000644000175000017500000000126714567604632025607 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Document Status Draft (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-17-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "0.9.5", "summary": "Initial draft version." } ], "status": "final", "version": "0.9.5" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-12.json0000644000175000017500000000147314567604632025603 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Item in Revision History (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-21-12", "initial_release_date": "2021-04-22T10:00:00.000Z", "revision_history": [ { "date": "2021-03-22T10:00:00.000Z", "number": "0", "summary": "Draft version." }, { "date": "2021-04-22T10:00:00.000Z", "number": "1", "summary": "Initial public release." } ], "status": "draft", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-15.json0000644000175000017500000000145414567604632025611 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-15", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-05-01.json0000644000175000017500000000247514567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition of Product Group ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-05-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ], "product_groups": [ { "group_id": "CSAFGID-1020300", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] }, { "group_id": "CSAFGID-1020300", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080702" ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-07.json0000644000175000017500000000377014567604632025615 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 7)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-07", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.1.0", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.2.0", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.3.0", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.4.0", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.5.0", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.6.0", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.7.0", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.8.0", "summary": "Ninth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.9.0", "summary": "Tenth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.10.0", "summary": "Eleventh version." } ], "status": "final", "version": "1.9.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-12.json0000644000175000017500000000135014567604632025600 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "translator", "name": "OASIS CSAF TC Translator", "namespace": "https://csaf.io/translator" }, "source_lang": "de-DE", "title": "Mandatory test: Translator (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-15-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-08.json0000644000175000017500000000146214567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 8)", "tracking": { "current_release_date": "2021-07-21T10:00:00.00010Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-08", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.00010Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-13.json0000644000175000017500000000411614567604632026035 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (valid example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-13", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-13-01.json0000644000175000017500000000160314567604632025575 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: PURL (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-13-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "purl": "pkg:maven/@1.3.4" } } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-30-01.json0000644000175000017500000000150014567604632025570 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Mixed Integer and Semantic Versioning (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-30-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-14.json0000644000175000017500000000145414567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 4)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-14", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-23T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-04-01.json0000644000175000017500000000212014567604632025570 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Definition of Product Group ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-04-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "threats": [ { "category": "exploit_status", "details": "Reliable exploits integrated in Metasploit.", "group_ids": [ "CSAFGID-1020301" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-02.json0000644000175000017500000000145614567604632025607 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-02.json0000644000175000017500000000147214567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Item in Revision History (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-21-02", "initial_release_date": "2021-04-22T10:00:00.000Z", "revision_history": [ { "date": "2021-04-22T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "3", "summary": "Some other changes." } ], "status": "final", "version": "3" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-09.json0000644000175000017500000000237414567604632025613 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 9)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-09", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "3.X versions", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 3.X versions" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-16.json0000644000175000017500000001120414567604632026034 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (valid example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-16", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0143", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] }, { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080701", "CSAFPID-9080702" ] } ] }, { "cve": "CVE-2017-0146", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-01.json0000644000175000017500000000427414567604632026037 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "group_ids": [ "CSAFGID-0001" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-05.json0000644000175000017500000000147214567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 5)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-05", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." }, { "date": "2021-07-23T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "2.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-33-11.json0000644000175000017500000000342614567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Flags with VEX Justification Codes per Product (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-33-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "component_not_present", "group_ids": [ "CSAFGID-0001" ] } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } }, { "cve": "CVE-2020-44228", "flags": [ { "label": "vulnerable_code_cannot_be_controlled_by_adversary", "product_ids": [ "CSAFPID-9080700" ] } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-10-01.json0000644000175000017500000000273214567604632025576 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Inconsistent CVSS (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-10-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW" } } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-19-02.json0000644000175000017500000000155714567604632025614 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Revision History Entries for Pre-release Versions (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-19-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-04-23T10:00:00.000Z", "number": "1.0.0-rc", "summary": "Release Candidate for initial version." }, { "date": "2021-04-23T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "1.0.0" } } } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-10-01.json0000644000175000017500000000322114567604632026016 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Action Statement (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-10-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ], "summary": "EOL products" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "product_status": { "known_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "remediations": [ { "category": "no_fix_planned", "details": "These products are end-of-life. Therefore, no fix will be provided.", "group_ids": [ "CSAFGID-0001" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-02-01.json0000644000175000017500000000163314567604632025576 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition of Product ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-02-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080700", "name": "Product B" } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-13.json0000644000175000017500000000201414567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (valid example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-13", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "known_affected": [ "CSAFPID-9080700" ], "last_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-01.json0000644000175000017500000000215114567604632025576 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition in Involvements (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-24-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "involvements": [ { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "completed" }, { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "in_progress", "summary": "The vendor has released a mitigation and is working to fully resolve the issue." } ] } ] } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-02-01.json0000644000175000017500000000162714567604632026027 0ustar peppepeppe{ "document": { "category": "csaf_informational_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "category": "self", "summary": "The canonical URL.", "url": "https://example.com/security/data/csaf/2021/OASIS_CSAF_TC-CSAF_2_0-2021-6-1-27-02-01.json" } ], "title": "Mandatory test: Document References (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-02-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-03.json0000644000175000017500000000235614567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "<=4.1", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A <= 4.1" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-02.json0000644000175000017500000000145614567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 2)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-02", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-23T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-29-12.json0000644000175000017500000000176114567604632025613 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Remediation without Product Reference (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-29-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "product_status": { "known_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-17.json0000644000175000017500000000147014567604632025611 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 7)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-17", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "2.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-11.json0000644000175000017500000000147114567604632025600 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Item in Revision History (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-21-11", "initial_release_date": "2021-04-22T10:00:00.000Z", "revision_history": [ { "date": "2021-04-22T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Some other changes." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-25-01.json0000644000175000017500000000255314567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Use of Same Hash Algorithm (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-25-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "hashes": [ { "file_hashes": [ { "algorithm": "sha256", "value": "026a37919b182ef7c63791e82c9645e2f897a3f0b73c7a6028c7febf62e93838" }, { "algorithm": "sha256", "value": "0a853ce2337f0608489ac596a308dc5b7b19d35a52b10bf31261586ac368b175" } ], "filename": "product_a.so" } ] } } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-13.json0000644000175000017500000000150714567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-13", "initial_release_date": "2021-07-21T09:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0+143D5", "summary": "Second version." } ], "status": "final", "version": "2.0.0+21AF26D3" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-19.json0000644000175000017500000000376714567604632025626 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 9)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-19", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.1.0", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.2.0", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.3.0", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.4.0", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.5.0", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.6.0", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.7.0", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.8.0", "summary": "Ninth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.9.0", "summary": "Tenth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.10.0", "summary": "Eleventh version." } ], "status": "final", "version": "1.10.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-06.json0000644000175000017500000000236314567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "all", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A all versions" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-05.json0000644000175000017500000000426714567604632026045 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080701" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-03.json0000644000175000017500000000145614567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 3)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-03", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-23T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-14.json0000644000175000017500000000402014567604632026030 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (valid example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-14", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-11.json0000644000175000017500000000236714567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version_range", "name": "<4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A prior to 4.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-14.json0000644000175000017500000000233714567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (valid example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-14", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" } ] }, "vulnerabilities": [ { "product_status": { "first_fixed": [ "CSAFPID-9080701" ], "fixed": [ "CSAFPID-9080701" ], "recommended": [ "CSAFPID-9080700" ], "under_investigation": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-16.json0000644000175000017500000000145414567604632025612 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-16", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-01.json0000644000175000017500000000145614567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-01", "initial_release_date": "2021-07-21T09:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-08-01.json0000644000175000017500000000141014567604632026023 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Vulnerability ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-08-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "A vulnerability item without a CVE or ID" } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-19.json0000644000175000017500000000146014567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 9)", "tracking": { "current_release_date": "2021-07-21T10:00:00.00010Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-19", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.00010Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-13.json0000644000175000017500000000145414567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 3)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-13", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-07-11.json0000644000175000017500000000300714567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-07-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" } } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-28-01.json0000644000175000017500000000132014567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "source_lang": "en-US", "title": "Mandatory test: Translation (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-28-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-03-01.json0000644000175000017500000000216414567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Circular Definition of Product ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-03-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ], "relationships": [ { "category": "installed_on", "full_product_name": { "name": "Product B", "product_id": "CSAFPID-9080701" }, "product_reference": "CSAFPID-9080700", "relates_to_product_reference": "CSAFPID-9080701" } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-01.json0000644000175000017500000000202314567604632025574 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "known_affected": [ "CSAFPID-9080700" ], "known_not_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-11.json0000644000175000017500000000147014567604632025603 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-11", "initial_release_date": "2021-07-21T09:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." } ], "status": "final", "version": "2.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-28-11.json0000644000175000017500000000131614567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "source_lang": "en-GB", "title": "Mandatory test: Translation (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-28-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-12.json0000644000175000017500000000145414567604632025604 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 2)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-12", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-06.json0000644000175000017500000000350314567604632025604 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 6)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "3", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "4", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "5", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "6", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "7", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "8", "summary": "Eighth version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "9", "summary": "Ninth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "10", "summary": "Tenth version." } ], "status": "final", "version": "9" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-01.json0000644000175000017500000000127114567604632025600 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "translator", "name": "OASIS CSAF TC Translator", "namespace": "https://csaf.io/translator" }, "title": "Mandatory test: Translator (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-15-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-29-11.json0000644000175000017500000000235714567604632025614 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Remediation without Product Reference (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-29-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "product_status": { "known_affected": [ "CSAFPID-9080700" ] }, "remediations": [ { "category": "no_fix_planned", "details": "These products are end-of-life. Therefore, no fix will be provided.", "product_ids": [ "CSAFPID-9080700" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-12-01.json0000644000175000017500000000125614567604632025600 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "EZ", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Language (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-12-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-05.json0000644000175000017500000000275114567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "product_status": { "first_affected": [ "CSAFPID-9080700" ], "first_fixed": [ "CSAFPID-9080702" ], "known_affected": [ "CSAFPID-9080700" ], "known_not_affected": [ "CSAFPID-9080701" ], "last_affected": [ "CSAFPID-9080702" ], "under_investigation": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-03-01.json0000644000175000017500000000143314567604632026023 0ustar peppepeppe{ "document": { "category": "csaf_informational_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Vulnerabilities (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-03-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "A vulnerability item that SHALL NOT exist" } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-12.json0000644000175000017500000000222514567604632025602 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition in Involvements (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-24-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "involvements": [ { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "in_progress" } ] }, { "involvements": [ { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "in_progress", "summary": "The vendor has released a mitigation and is working to fully resolve the issue." } ] } ] } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-07.json0000644000175000017500000000237014567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 7)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-07", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "before 4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A before 4.2" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-04.json0000644000175000017500000000235214567604632025604 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-04", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080701" ], "known_not_affected": [ "CSAFPID-9080701" ], "last_affected": [ "CSAFPID-9080700" ], "under_investigation": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-07-12.json0000644000175000017500000000252214567604632025603 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Scores with same Version per Product (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-07-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "baseScore": 5.5 }, "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM" } } ] } ] } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-16.json0000644000175000017500000000147014567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 6)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-16", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." } ], "status": "final", "version": "2.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-03.json0000644000175000017500000000406114567604632026033 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080701", "CSAFPID-9080702" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-11-01.json0000644000175000017500000000150314567604632026020 0ustar peppepeppe{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Vulnerabilities (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-11-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-04.json0000644000175000017500000000147214567604632025607 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-04", "initial_release_date": "2021-07-21T09:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." } ], "status": "final", "version": "1.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-01-01.json0000644000175000017500000000157614567604632025603 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Definition of Product ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-01-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "product_groups": [ { "group_id": "CSAFGID-1020300", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-29-01.json0000644000175000017500000000225314567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Remediation without Product Reference (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-29-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "product_status": { "known_affected": [ "CSAFPID-9080700" ] }, "remediations": [ { "category": "no_fix_planned", "details": "These products are end-of-life. Therefore, no fix will be provided." } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-02.json0000644000175000017500000000236314567604632025602 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "<4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A prior to 4.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-01-01.json0000644000175000017500000000167614567604632026032 0ustar peppepeppe{ "document": { "category": "csaf_security_incident_response", "csaf_version": "2.0", "notes": [ { "category": "legal_disclaimer", "text": "The CSAF document is provided to You \"AS IS\" and \"AS AVAILABLE\" and with all faults and defects without warranty of any kind.", "title": "Terms of Use" } ], "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Document Notes (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-01-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-11.json0000644000175000017500000000440014567604632026027 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ], "group_ids": [ "CSAFGID-0001" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-14.json0000644000175000017500000000145414567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-14", "initial_release_date": "2021-07-21T09:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-06-01.json0000644000175000017500000000143114567604632026024 0ustar peppepeppe{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Product Status (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-06-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "A vulnerability item without a product status" } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-33-01.json0000644000175000017500000000315114567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Flags with VEX Justification Codes per Product (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-33-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "component_not_present", "group_ids": [ "CSAFGID-0001" ] }, { "label": "vulnerable_code_cannot_be_controlled_by_adversary", "product_ids": [ "CSAFPID-9080700" ] } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-20-01.json0000644000175000017500000000127614567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Non-draft Document Version (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-20-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "interim", "version": "1.0.0-alpha" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-30-11.json0000644000175000017500000000150614567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Mixed Integer and Semantic Versioning (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-30-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." } ], "status": "final", "version": "2.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-05.json0000644000175000017500000000240214567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "4.1 and earlier", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 4.1 and earlier" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-07-01.json0000644000175000017500000000274314567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Scores with same Version per Product (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-07-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL" } }, { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" } } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-18-01.json0000644000175000017500000000145414567604632025606 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Released Revision History (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-18-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-04-17T10:00:00.000Z", "number": "0", "summary": "First draft" }, { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-23-01.json0000644000175000017500000000143314567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Use of Same CVE (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-23-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2017-0145" }, { "cve": "CVE-2017-0145" } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-04.json0000644000175000017500000000376314567604632026044 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-04", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080701", "CSAFPID-9080702" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-17.json0000644000175000017500000000350214567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 7)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-17", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "3", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "4", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "5", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "6", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "7", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "8", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "9", "summary": "Ninth version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "10", "summary": "Tenth version." } ], "status": "final", "version": "10" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-09-01.json0000644000175000017500000000224114567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Invalid CVSS computation (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-09-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "LOW" } } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-05-01.json0000644000175000017500000000142414567604632026025 0ustar peppepeppe{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Vulnerability Notes (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-05-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "A vulnerability item without a note" } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-18.json0000644000175000017500000000376714567604632025623 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 8)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-18", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.1.0", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.2.0", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.3.0", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.4.0", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.5.0", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.6.0", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.7.0", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.8.0", "summary": "Ninth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.9.0", "summary": "Tenth version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "1.10.0", "summary": "Eleventh version." } ], "status": "final", "version": "1.10.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-02.json0000644000175000017500000000202314567604632025575 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "first_affected": [ "CSAFPID-9080700" ], "known_not_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-11-01.json0000644000175000017500000000143214567604632025573 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: CWE (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-11-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cwe": { "id": "CWE-79", "name": "Improper Input Validation" } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-11.json0000644000175000017500000000222314567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition in Involvements (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-24-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "involvements": [ { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "completed" } ] }, { "involvements": [ { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "in_progress", "summary": "The vendor has released a mitigation and is working to fully resolve the issue." } ] } ] } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-02.json0000644000175000017500000000215314567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Multiple Definition in Involvements (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-24-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "involvements": [ { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "in_progress" }, { "date": "2021-04-23T10:00:00.000Z", "party": "vendor", "status": "in_progress", "summary": "The vendor has released a mitigation and is working to fully resolve the issue." } ] } ] } CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-03.json0000644000175000017500000000202214567604632025575 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "known_not_affected": [ "CSAFPID-9080700" ], "last_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-15.json0000644000175000017500000000432414567604632026040 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (valid example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-15", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-12.json0000644000175000017500000000201514567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "first_affected": [ "CSAFPID-9080700" ], "known_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-26-01.json0000644000175000017500000000130614567604632025601 0ustar peppepeppe{ "document": { "category": "Security_Incident_Response", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Prohibited Document Category Name (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-26-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-07.json0000644000175000017500000000377014567604632025613 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 7)", "tracking": { "current_release_date": "2021-07-22T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-07", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.1.0", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.2.0", "summary": "Third version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.3.0", "summary": "Fourth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.4.0", "summary": "Fifth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.5.0", "summary": "Sixth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.6.0", "summary": "Seventh version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.7.0", "summary": "Eighth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.8.0", "summary": "Ninth version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "1.9.0", "summary": "Tenth version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.10.0", "summary": "Eleventh version." } ], "status": "final", "version": "1.9.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-01.json0000644000175000017500000000145614567604632025604 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 1)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-01", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-23T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-12.json0000644000175000017500000000150114567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-12", "initial_release_date": "2021-07-21T09:00:00.000Z", "revision_history": [ { "date": "2021-07-21T09:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." } ], "status": "final", "version": "2.0.0+21AF26D3" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-15.json0000644000175000017500000000147014567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (valid example 5)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-15", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-23T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." }, { "date": "2021-07-22T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "2.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-04.json0000644000175000017500000000235714567604632025607 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-04", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "<= 4.1", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A <= 4.1" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-32-01.json0000644000175000017500000000211114567604632025571 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Flag without Product Reference (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-32-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "product_status": { "known_not_affected": [ "CSAFPID-9080700" ] }, "flags": [ { "label": "component_not_present" } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-05.json0000644000175000017500000000147214567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "1.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-31.json0000644000175000017500000000146114567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (valid example 10)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-31", "initial_release_date": "2021-07-21T10:00:00.00000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.00000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-01.json0000644000175000017500000000147314567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Item in Revision History (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-21-01", "initial_release_date": "2021-04-22T10:00:00.000Z", "revision_history": [ { "date": "2021-04-22T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "3", "summary": "Some other changes." } ], "status": "final", "version": "3" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-03.json0000644000175000017500000000145614567604632025610 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-04.json0000644000175000017500000000147214567604632025605 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Sorted Revision History (failing example 4)", "tracking": { "current_release_date": "2021-07-23T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-14-04", "initial_release_date": "2021-07-22T10:00:00.000Z", "revision_history": [ { "date": "2021-07-22T10:00:00.000Z", "number": "2.0.0", "summary": "Second version." }, { "date": "2021-07-23T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "1.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-08-01.json0000644000175000017500000000216314567604632025603 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Invalid CVSS (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-08-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5 } } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-08.json0000644000175000017500000000146214567604632025612 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Latest Document Version (failing example 8)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-16-08", "initial_release_date": "2021-07-21T10:00:00.00000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.00000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-15.json0000644000175000017500000000272714567604632025614 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (valid example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-15", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "product_status": { "first_affected": [ "CSAFPID-9080700" ], "first_fixed": [ "CSAFPID-9080702" ], "fixed": [ "CSAFPID-9080702" ], "known_affected": [ "CSAFPID-9080700" ], "known_not_affected": [ "CSAFPID-9080701" ], "recommended": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-02.json0000644000175000017500000000131614567604632025601 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "translator", "name": "OASIS CSAF TC Translator", "namespace": "https://csaf.io/translator" }, "title": "Mandatory test: Translator (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-15-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-11.json0000644000175000017500000000201214567604632025573 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Contradicting Product Status (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-06-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "known_affected": [ "CSAFPID-9080700" ], "recommended": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-06.json0000644000175000017500000001114714567604632026041 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (failing example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0143", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] }, { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] }, { "cve": "CVE-2017-0146", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] }, "threats": [ { "category": "impact", "details": "The vulnerable code is not present in these products.", "product_ids": [ "CSAFPID-9080702" ] } ] } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-01.json0000644000175000017500000000237314567604632025602 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Version Range in Product Version (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-31-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "prior to 4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A prior to 4.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-12.json0000644000175000017500000000430214567604632026031 0ustar peppepeppe{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Impact Statement (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-27-09-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" }, { "product_id": "CSAFPID-9080701", "name": "Product B" }, { "product_id": "CSAFPID-9080702", "name": "Product C" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-9080700", "CSAFPID-9080701" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "CSAFPID-9080702" ], "group_ids": [ "CSAFGID-0001" ] } ], "notes": [ { "category": "description", "text": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148. ", "title": "CVE description" } ], "product_status": { "known_not_affected": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" ] } } ] }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-13.json0000644000175000017500000000150514567604632025600 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Missing Item in Revision History (valid example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-21-13", "initial_release_date": "2021-04-22T10:00:00.000Z", "revision_history": [ { "date": "2021-04-22T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." }, { "date": "2021-07-21T10:00:00.000Z", "number": "1.1.0", "summary": "Some other changes." } ], "status": "final", "version": "1.1.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-19-01.json0000644000175000017500000000155614567604632025612 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Revision History Entries for Pre-release Versions (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-19-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-04-22T10:00:00.000Z", "number": "1.0.0-rc", "summary": "Release Candidate for initial version." }, { "date": "2021-04-23T10:00:00.000Z", "number": "1.0.0", "summary": "Initial version." } ], "status": "final", "version": "1.0.0" } } }CSAF-0.25/t/official-testcases/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-32-11.json0000644000175000017500000000221514567604632025577 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Mandatory test: Flag without Product Reference (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-32-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-0145", "product_status": { "known_not_affected": [ "CSAFPID-9080700" ] }, "flags": [ { "label": "component_not_present", "product_ids": [ "CSAFPID-9080700" ] } ] } ] }CSAF-0.25/t/official-testcases/informative/0000755000175000017500000000000014755634263017535 5ustar peppepeppeCSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-12.json0000644000175000017500000000161714567604632026132 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CVE (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-03-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2019-0708", "title": "BlueKeep" }, { "cve": "CVE-2014-0160", "title": "Heartbleed" }, { "cve": "CVE-2017-0144", "title": "EternalBlue" } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-02.json0000644000175000017500000000152514567604632026127 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CVE (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-03-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "BlueKeep" }, { "cve": "CVE-2014-0160", "title": "Heartbleed" }, { "title": "EternalBlue" } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-07-01.json0000644000175000017500000000167214567604632026135 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "category": "self", "summary": "A URL that does not resolve with HTTP status code in the interval between (including) 200 and (excluding) 400.", "url": "https://example.invalid" } ], "title": "Informative test: Use of self referencing URLs Failing to Resolve (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-07-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-11.json0000644000175000017500000000223514567604632026125 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v3.0 (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-02-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" } } ] } ] }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-02.json0000644000175000017500000000203414567604632026124 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CWE (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-04-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2019-0708", "title": "BlueKeep" }, { "cve": "CVE-2014-0160", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "title": "Heartbleed" }, { "cve": "CVE-2017-0144", "title": "EternalBlue" } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-01.json0000644000175000017500000000223714567604632026126 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v3.0 (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-02-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" } } ] } ] }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-10-01.json0000644000175000017500000000242714567604632026126 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Usage of Product Version Range (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-10-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version_range", "name": "vers:npm/>=2.2.0|<2.3.0", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A between 2.2.0 and 2.3.0" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-12.json0000644000175000017500000000231014567604632026122 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CWE (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-04-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2019-0708", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "title": "BlueKeep" }, { "cve": "CVE-2014-0160", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "title": "Heartbleed" }, { "cve": "CVE-2017-0144", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "title": "EternalBlue" } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-03.json0000644000175000017500000000276014567604632026140 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "product_family", "name": "Example Company", "branches": [ { "category": "product_version", "name": "91", "branches": [ { "category": "product_name", "name": "Product A", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 91" } }, { "category": "product_name", "name": "Product B", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company Product B 91" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-11.json0000644000175000017500000000252014567604632026121 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v2 as the only Scoring System (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-01-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10 }, "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL" } } ] } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-01.json0000644000175000017500000000134314567604632026124 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CVE (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-03-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "title": "BlueKeep" } ] }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-11-11.json0000644000175000017500000000235014567604632026123 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Usage of V as Version Indicator (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-11-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 4.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-06-01.json0000644000175000017500000000164214567604632026131 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "summary": "A URL that does not resolve with HTTP status code in the interval between (including) 200 and (excluding) 400.", "url": "https://example.invalid" } ], "title": "Informative test: Use of non-self referencing URLs Failing to Resolve (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-06-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-05.json0000644000175000017500000000651714567604632026146 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "host_name", "name": "unknown-host", "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_version", "name": "91", "branches": [ { "category": "language", "name": "XYZ", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "architecture", "name": "x86", "branches": [ { "category": "service_pack", "name": "1", "branches": [ { "category": "patch_level", "name": "104", "product": { "product_id": "CSAFPID-9080700", "name": "unknown-host Example Company XYZ Product A x86 Version 91 SP1 Update 104" } } ] } ] }, { "category": "architecture", "name": "amd64", "branches": [ { "category": "service_pack", "name": "1", "branches": [ { "category": "patch_level", "name": "104", "product": { "product_id": "CSAFPID-9080701", "name": "unknown-host Example Company XYZ Product A amd64 Version 91 SP1 Update 104" } } ] } ] } ] } ] } ] } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-11-01.json0000644000175000017500000000235314567604632026125 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Usage of V as Version Indicator (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-11-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "v4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 4.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-08-01.json0000644000175000017500000000150614567604632026132 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en", "notes": [ { "category": "summary", "text": "Secruity researchers found multiple vulnerabilities in XYZ." } ], "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Spell check (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-08-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-10-11.json0000644000175000017500000000341114567604632026121 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Usage of Product Version Range (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-10-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "2.2.0", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 2.2.0" } }, { "category": "product_version", "name": "2.2.1", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company Product A 2.2.1" } }, { "category": "product_version", "name": "2.2.2", "product": { "product_id": "CSAFPID-9080702", "name": "Example Company Product A 2.2.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-02.json0000644000175000017500000000347114567604632026130 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v3.0 (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-02-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.0", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM" } } ] } ] }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-11.json0000644000175000017500000000152214567604632026125 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CWE (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-04-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2019-0708", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "title": "BlueKeep" } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-05-01.json0000644000175000017500000000221414567604632026124 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of Short Hash (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-05-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "hashes": [ { "file_hashes": [ { "algorithm": "md4", "value": "3202b50e2e5b2fcd75e284c3d9d5f8d6" } ], "filename": "product_a.so" } ] } } ] } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-01.json0000644000175000017500000000217714567604632026130 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v2 as the only Scoring System (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-01-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10 } } ] } ] }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-01.json0000644000175000017500000000233614567604632026135 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "patch_level", "name": "91", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A Update 91" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-02.json0000644000175000017500000000275414567604632026142 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "product_family", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 91" } }, { "category": "product_version", "name": "92", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company Product A 92" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-11.json0000644000175000017500000000233114567604632026131 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 91" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-11.json0000644000175000017500000000140014567604632026117 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CVE (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-03-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2019-0708", "title": "BlueKeep" } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-06-02.json0000644000175000017500000000163214567604632026131 0ustar peppepeppe{ "document": { "acknowledgments": [ { "summary": "A URL that does resolve with HTTP status code 400.", "urls": [ "https://github.com/oasis-tcs/csaf/not-available" ] } ], "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of non-self referencing URLs Failing to Resolve (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-06-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-06.json0000644000175000017500000000343414567604632026142 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (failing example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "host_name", "name": "unknown-hostname", "branches": [ { "category": "architecture", "name": "x86", "branches": [ { "category": "language", "name": "XYZ", "product": { "product_id": "CSAFPID-9080700", "name": "unknown-hostname x86 XYZ" } } ] }, { "category": "architecture", "name": "amd64", "branches": [ { "category": "service_pack", "name": "1", "branches": [ { "category": "patch_level", "name": "104", "product": { "product_id": "CSAFPID-9080701", "name": "unknown-hostname amd64 SP1 Update 104" } } ] } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-06-11.json0000644000175000017500000000163014567604632026127 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "summary": "A URL that does resolve with HTTP status code in the interval between (including) 200 and (excluding) 400.", "url": "https://example.net" } ], "title": "Informative test: Use of non-self referencing URLs Failing to Resolve (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-06-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-04.json0000644000175000017500000000275014567604632026140 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-04", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_version", "name": "91", "branches": [ { "category": "product_name", "name": "Product A", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 91" } }, { "category": "product_name", "name": "Product B", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company Product B 91" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-15.json0000644000175000017500000000773214567604632026147 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (valid example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-15", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "host_name", "name": "unknown-host", "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_family", "name": "ABC Products", "branches": [ { "category": "language", "name": "XYZ", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "architecture", "name": "x86", "branches": [ { "category": "product_version", "name": "91", "branches": [ { "category": "service_pack", "name": "1", "branches": [ { "category": "patch_level", "name": "104", "product": { "product_id": "CSAFPID-9080700", "name": "unknown-host Example Company ABC Products XYZ Product A x86 Version 91 SP1 Update 104" } } ] } ] } ] }, { "category": "architecture", "name": "amd64", "branches": [ { "category": "product_version", "name": "91", "branches": [ { "category": "service_pack", "name": "1", "branches": [ { "category": "patch_level", "name": "104", "product": { "product_id": "CSAFPID-9080701", "name": "unknown-host Example Company ABC Products XYZ Product A amd64 Version 91 SP1 Update 104" } } ] } ] } ] } ] } ] } ] } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-12.json0000644000175000017500000000443314567604632026127 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v2 as the only Scoring System (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-01-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "baseScore": 5.5 }, "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10 }, "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "baseScore": 4.3 }, "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW" } } ] } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-08-11.json0000644000175000017500000000150414567604632026131 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en", "notes": [ { "category": "summary", "text": "Security researchers found multiple vulnerabilities in XYZ." } ], "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Spell check (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-08-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-14.json0000644000175000017500000000315314567604632026137 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (valid example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-14", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 91" } } ] }, { "category": "product_name", "name": "Product B", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company Product B 91" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-13.json0000644000175000017500000000360314567604632026136 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (valid example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-13", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_family", "name": "ABC Products", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company ABC Products Product A 91" } } ] }, { "category": "product_name", "name": "Product B", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company ABC Products Product B 91" } } ] } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-07-11.json0000644000175000017500000000166014567604632026133 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "category": "self", "summary": "A URL that does resolve with HTTP status code in the interval between (including) 200 and (excluding) 400.", "url": "https://example.net" } ], "title": "Informative test: Use of self referencing URLs Failing to Resolve (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-07-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-02.json0000644000175000017500000000357614567604632026135 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v2 as the only Scoring System (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-01-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "baseScore": 5.5 } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10 }, "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v2": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "baseScore": 4.3 } } ] } ] } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-12.json0000644000175000017500000000346714567604632026136 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Use of CVSS v3.0 (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-02-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH" } } ] }, { "scores": [ { "products": [ "CSAFPID-9080700" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM" } } ] } ] }CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-12.json0000644000175000017500000000334214567604632026135 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Branch Categories (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-09-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_family", "name": "ABC Products", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "91", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company ABC Products Product A 91" } }, { "category": "product_version", "name": "92", "product": { "product_id": "CSAFPID-9080701", "name": "Example Company ABC Products Product A 92" } } ] } ] } ] } ] } } CSAF-0.25/t/official-testcases/informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-01.json0000644000175000017500000000140114567604632026120 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Informative test: Missing CWE (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-3-04-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2019-0708", "title": "BlueKeep" } ] }CSAF-0.25/t/official-testcases/testcases.json0000644000175000017500000010115414567604632020103 0ustar peppepeppe{ "$schema": "https://raw.githubusercontent.com/oasis-tcs/csaf/master/csaf_2.0/test/validator/testcases_json_schema.json", "testschema_version": "2.0", "tests": [ { "id": "6.1.1", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-01-01.json", "valid": false } ] }, { "id": "6.1.2", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-02-01.json", "valid": false } ] }, { "id": "6.1.3", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-03-01.json", "valid": false } ] }, { "id": "6.1.4", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-04-01.json", "valid": false } ] }, { "id": "6.1.5", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-05-01.json", "valid": false } ] }, { "id": "6.1.6", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-02.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-03.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-04.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-05.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-12.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-13.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-14.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-06-15.json", "valid": true } ] }, { "id": "6.1.7", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-07-01.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-07-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-07-12.json", "valid": true } ] }, { "id": "6.1.8", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-08-01.json", "valid": false } ] }, { "id": "6.1.9", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-09-01.json", "valid": false } ] }, { "id": "6.1.10", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-10-01.json", "valid": false } ] }, { "id": "6.1.11", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-11-01.json", "valid": false } ] }, { "id": "6.1.12", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-12-01.json", "valid": false } ] }, { "id": "6.1.13", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-13-01.json", "valid": false } ] }, { "id": "6.1.14", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-02.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-03.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-04.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-05.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-06.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-07.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-08.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-12.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-13.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-14.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-15.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-16.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-17.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-18.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-14-19.json", "valid": true } ] }, { "id": "6.1.15", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-02.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-15-12.json", "valid": true } ] }, { "id": "6.1.16", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-02.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-03.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-04.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-05.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-06.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-07.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-08.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-12.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-13.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-14.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-15.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-16.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-17.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-18.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-19.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-16-31.json", "valid": true } ] }, { "id": "6.1.17", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-17-01.json", "valid": false } ] }, { "id": "6.1.18", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-18-01.json", "valid": false } ] }, { "id": "6.1.19", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-19-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-19-02.json", "valid": false } ] }, { "id": "6.1.20", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-20-01.json", "valid": false } ] }, { "id": "6.1.21", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-02.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-12.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-21-13.json", "valid": true } ] }, { "id": "6.1.22", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-22-01.json", "valid": false } ] }, { "id": "6.1.23", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-23-01.json", "valid": false } ] }, { "id": "6.1.24", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-02.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-12.json", "valid": true } ] }, { "id": "6.1.25", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-25-01.json", "valid": false } ] }, { "id": "6.1.26", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-26-01.json", "valid": false } ] }, { "id": "6.1.27.1", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-01-01.json", "valid": false } ] }, { "id": "6.1.27.2", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-02-01.json", "valid": false } ] }, { "id": "6.1.27.3", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-03-01.json", "valid": false } ] }, { "id": "6.1.27.4", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-04-01.json", "valid": false } ] }, { "id": "6.1.27.5", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-05-01.json", "valid": false } ] }, { "id": "6.1.27.6", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-06-01.json", "valid": false } ] }, { "id": "6.1.27.7", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-07-01.json", "valid": false } ] }, { "id": "6.1.27.8", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-08-01.json", "valid": false } ] }, { "id": "6.1.27.9", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-02.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-03.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-04.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-05.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-06.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-12.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-13.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-14.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-15.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-09-16.json", "valid": true } ] }, { "id": "6.1.27.10", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-10-01.json", "valid": false } ] }, { "id": "6.1.27.11", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-27-11-01.json", "valid": false } ] }, { "id": "6.1.28", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-28-01.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-28-11.json", "valid": true } ] }, { "id": "6.1.29", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-29-01.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-29-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-29-12.json", "valid": true } ] }, { "id": "6.1.30", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-30-01.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-30-11.json", "valid": true } ] }, { "id": "6.1.31", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-01.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-02.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-03.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-04.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-05.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-06.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-07.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-08.json", "valid": false }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-09.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-11.json", "valid": true }, { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-31-12.json", "valid": true } ] }, { "id": "6.1.32", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-32-01.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-32-11.json", "valid": true } ] }, { "id": "6.1.33", "group": "mandatory", "failures": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-33-01.json", "valid": false } ], "valid": [ { "name": "mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-33-11.json", "valid": true } ] }, { "id": "6.2.1", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-01-01.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-01-11.json", "valid": true } ] }, { "id": "6.2.2", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-02-01.json", "valid": true } ] }, { "id": "6.2.3", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-03-01.json", "valid": true } ] }, { "id": "6.2.4", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-04-01.json", "valid": true } ] }, { "id": "6.2.5", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-05-01.json", "valid": true } ] }, { "id": "6.2.6", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-06-01.json", "valid": true } ] }, { "id": "6.2.7", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-07-01.json", "valid": true } ] }, { "id": "6.2.8", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-08-01.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-08-02.json", "valid": true } ] }, { "id": "6.2.9", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-09-01.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-09-02.json", "valid": true } ] }, { "id": "6.2.10", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-10-01.json", "valid": true } ] }, { "id": "6.2.11", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-11-01.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-11-11.json", "valid": true } ] }, { "id": "6.2.12", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-12-01.json", "valid": true } ] }, { "id": "6.2.13", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-13-01.json", "valid": true } ] }, { "id": "6.2.14", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-01.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-02.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-03.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-04.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-05.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-06.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-07.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-08.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-11.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-12.json", "valid": true } ] }, { "id": "6.2.15", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-15-01.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-15-02.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-15-11.json", "valid": true } ] }, { "id": "6.2.16", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-16-01.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-16-02.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-16-11.json", "valid": true } ] }, { "id": "6.2.17", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-17-01.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-17-11.json", "valid": true } ] }, { "id": "6.2.18", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-18-01.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-18-11.json", "valid": true } ] }, { "id": "6.2.19", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-01.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-02.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-03.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-04.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-05.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-06.json", "valid": true } ], "valid": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-11.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-12.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-13.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-14.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-15.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-16.json", "valid": true }, { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-17.json", "valid": true } ] }, { "id": "6.2.20", "group": "optional", "failures": [ { "name": "optional/oasis_csaf_tc-csaf_2_0-2021-6-2-20-01.json", "valid": true } ] }, { "id": "6.3.1", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-01.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-02.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-11.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-01-12.json", "valid": true } ] }, { "id": "6.3.2", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-01.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-02.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-11.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-02-12.json", "valid": true } ] }, { "id": "6.3.3", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-01.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-02.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-11.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-03-12.json", "valid": true } ] }, { "id": "6.3.4", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-01.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-02.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-11.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-04-12.json", "valid": true } ] }, { "id": "6.3.5", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-05-01.json", "valid": true } ] }, { "id": "6.3.6", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-06-01.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-06-02.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-06-11.json", "valid": true } ] }, { "id": "6.3.7", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-07-01.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-07-11.json", "valid": true } ] }, { "id": "6.3.8", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-08-01.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-08-11.json", "valid": true } ] }, { "id": "6.3.9", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-01.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-02.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-03.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-04.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-05.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-06.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-11.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-12.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-13.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-14.json", "valid": true }, { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-09-15.json", "valid": true } ] }, { "id": "6.3.10", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-10-01.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-10-11.json", "valid": true } ] }, { "id": "6.3.11", "group": "informative", "failures": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-11-01.json", "valid": true } ], "valid": [ { "name": "informative/oasis_csaf_tc-csaf_2_0-2021-6-3-11-11.json", "valid": true } ] } ] }CSAF-0.25/t/official-testcases/optional/0000755000175000017500000000000014755634263017037 5ustar peppepeppeCSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-01.json0000644000175000017500000000127514567604632025433 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "qtx", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-16-01.json0000644000175000017500000000171314567604632025432 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Product Identification Helper (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-16-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-15-02.json0000644000175000017500000000133514567604632025432 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "source_lang": "i-default", "title": "Optional test: Use of Default Language (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-15-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-17-01.json0000644000175000017500000000150114567604632025426 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVE in field IDs (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-17-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "ids": [ { "system_name": "CVE Project", "text": "CVE-2021-44228" } ] } ] }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-16-02.json0000644000175000017500000000256114567604632025435 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Product Identification Helper (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-16-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version", "name": "6.7", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A 6.7" } } ] } ] } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] } } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-17.json0000644000175000017500000000240714567604632025445 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 7)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-17", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "known_affected": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-02-01.json0000644000175000017500000000170114567604632025422 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Remediation (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-02-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "last_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-05.json0000644000175000017500000000240614567604632025441 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "first_fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-16-11.json0000644000175000017500000000211114567604632025424 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Product Identification Helper (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-16-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A", "product_identification_helper": { "serial_numbers": [ "98765?43210-BCD*" ] } } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] } } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-02.json0000644000175000017500000000132714567604632025432 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "source_lang": "qcb", "title": "Optional test: Use of Private Language (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-05-01.json0000644000175000017500000000150614567604632025430 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Older Initial Release Date than Revision History (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-05-01", "initial_release_date": "2021-04-22T10:00:00.000Z", "revision_history": [ { "date": "2021-05-06T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T11:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-15-01.json0000644000175000017500000000130314567604632025424 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "i-default", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Default Language (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-15-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-06.json0000644000175000017500000000130214567604632025427 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-Qabc", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (failing example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-08-02.json0000644000175000017500000000244614567604632025440 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of MD5 as the only Hash Algorithm (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-08-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "hashes": [ { "file_hashes": [ { "algorithm": "md5", "value": "6ae24620ea9656230f49234efd078935" }, { "algorithm": "md5", "value": "e1b027e19683bf1c3c8df2d62fc500cf" } ], "filename": "product_a.so" } ] } } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-18-11.json0000644000175000017500000000241014567604632025430 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Product Version Range without vers (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-18-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version_range", "name": "vers:generic/>4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A later than 4.2" } } ] } ] } ] } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-18-01.json0000644000175000017500000000237414567604632025440 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Product Version Range without vers (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-18-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Example Company", "branches": [ { "category": "product_name", "name": "Product A", "branches": [ { "category": "product_version_range", "name": ">4.2", "product": { "product_id": "CSAFPID-9080700", "name": "Example Company Product A later than 4.2" } } ] } ] } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-02.json0000644000175000017500000000254414567604632025441 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-01-01.json0000644000175000017500000000150214567604632025420 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Unused Definition of Product ID (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-01-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-13-01.json0000644000175000017500000000123214567604632025423 0ustar peppepeppe{ "document": { "csaf_version": "2.0", "category": "csaf_base", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Sorting (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-13-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-04.json0000644000175000017500000000130014567604632025423 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-QM", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-04", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-12-01.json0000644000175000017500000000125414567604632025426 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Document Language (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-12-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-04.json0000644000175000017500000000231014567604632025432 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (failing example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-04", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v2": { "baseScore": 6.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-11.json0000644000175000017500000000127614567604632025435 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-06.json0000644000175000017500000000254414567604632025445 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (failing example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-06", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-01-11.json0000644000175000017500000000215314567604632025424 0ustar peppepeppe{ "document": { "category": "csaf_informational_advisory", "csaf_version": "2.0", "notes": [ { "category": "summary", "text": "A summary of the informational advisory." } ], "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "category": "external", "summary": "A valid reference.", "url": "https://example.net" } ], "title": "Optional test: Unused Definition of Product ID (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-01-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700" } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-08-01.json0000644000175000017500000000223514567604632025433 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of MD5 as the only Hash Algorithm (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-08-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "hashes": [ { "file_hashes": [ { "algorithm": "md5", "value": "6ae24620ea9656230f49234efd078935" } ], "filename": "product_a.so" } ] } } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-20-01.json0000644000175000017500000000130614572605400025411 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "custom_property": "any", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Additional Properties (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-20-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-07-01.json0000644000175000017500000000151214567604632025427 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Date in Involvements (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-07-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "involvements": [ { "party": "vendor", "status": "in_progress" } ] } ] }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-03-01.json0000644000175000017500000000167414567604632025434 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing Score (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-03-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "first_affected": [ "CSAFPID-9080700" ] } } ] }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-12.json0000644000175000017500000000133214567604632025427 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "source_lang": "de-DE", "title": "Optional test: Use of Private Language (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-08.json0000644000175000017500000000130014567604632025427 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "fr-ZZ", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (failing example 8)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-08", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-14.json0000644000175000017500000000231314567604632025436 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 4)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-14", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v2": { "baseScore": 6.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:C/TD:N", "version": "2.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-15.json0000644000175000017500000000242314567604632025441 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-15", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "first_fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/MC:N/MI:N/MA:N", "version": "3.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-11.json0000644000175000017500000000241514567604632025436 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/MC:N/MI:N/MA:N", "version": "3.1" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-09-02.json0000644000175000017500000000247214567604632025440 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of SHA-1 as the only Hash Algorithm (failing example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-09-02", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "hashes": [ { "file_hashes": [ { "algorithm": "sha1", "value": "e067035314dd8673fe1c9fc6b01414fe0950fdc4" }, { "algorithm": "sha1", "value": "0ea8daf2551fdd075aefa894e8c51b99b71e1be0" } ], "filename": "product_a.so" } ] } } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-11-11.json0000644000175000017500000000157414567604632025433 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "category": "self", "summary": "A canonical URL.", "url": "https://example.com/security/data/csaf/2021/oasis_csaf_tc-csaf_2_0-2021-6-2-11-11.json" } ], "title": "Optional test: Missing Canonical URL (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-11-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-07.json0000644000175000017500000000130014567604632025426 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-AA", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (failing example 7)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-07", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-03.json0000644000175000017500000000236114567604632025437 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v2": { "baseScore": 6.8, "targetDistribution": "LOW", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-11-01.json0000644000175000017500000000160414567604632025424 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "references": [ { "category": "self", "summary": "A non-canonical URL.", "url": "https://example.com/security/data/csaf/2021/OASIS_CSAF_TC-CSAF_2.0-2021-6-2-11-01_1.json" } ], "title": "Optional test: Missing Canonical URL (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-11-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-01.json0000644000175000017500000000237714567604632025444 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-9080700" ] } ] } ] }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-17-11.json0000644000175000017500000000152414567604632025434 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVE in field IDs (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-17-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "ids": [ { "system_name": "GitHub Issue", "text": "csaf-tools/CVRF-CSAF-Converter#78" } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-04-01.json0000644000175000017500000000131514567604632025425 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Build Metadata in Revision History (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-04-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-04-23T10:00:00.000Z", "number": "1.0.0+exp.sha.ac00785", "summary": "Initial version." } ], "status": "final", "version": "1.0.0" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-10-01.json0000644000175000017500000000134414567604632025424 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "text": "Distribute freely." }, "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Missing TLP label (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-10-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-15-11.json0000644000175000017500000000127314567604632025433 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Default Language (valid example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-15-11", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-12.json0000644000175000017500000000262414567604632025441 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 2)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-12", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-05.json0000644000175000017500000000130014567604632025424 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "en-XP", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of Private Language (failing example 5)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-05", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-13.json0000644000175000017500000000236014567604632025437 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-13", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v2": { "baseScore": 6.8, "targetDistribution": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-06-01.json0000644000175000017500000000150614567604632025431 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Older Current Release Date than Revision History (failing example 1)", "tracking": { "current_release_date": "2021-05-06T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-06-01", "initial_release_date": "2021-05-06T10:00:00.000Z", "revision_history": [ { "date": "2021-05-06T10:00:00.000Z", "number": "1", "summary": "Initial version." }, { "date": "2021-07-21T11:00:00.000Z", "number": "2", "summary": "Second version." } ], "status": "final", "version": "2" } } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-19-16.json0000644000175000017500000000262414567604632025445 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: CVSS for Fixed Products (valid example 6)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-19-16", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-9080700", "name": "Product A" } ] }, "vulnerabilities": [ { "product_status": { "fixed": [ "CSAFPID-9080700" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-9080700" ] } ] } ] } CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-09-01.json0000644000175000017500000000225014567604632025431 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "title": "Optional test: Use of SHA-1 as the only Hash Algorithm (failing example 1)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-09-01", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } }, "product_tree": { "full_product_names": [ { "name": "Product A", "product_id": "CSAFPID-9080700", "product_identification_helper": { "hashes": [ { "file_hashes": [ { "algorithm": "sha1", "value": "e067035314dd8673fe1c9fc6b01414fe0950fdc4" } ], "filename": "product_a.so" } ] } } ] } }CSAF-0.25/t/official-testcases/optional/oasis_csaf_tc-csaf_2_0-2021-6-2-14-03.json0000644000175000017500000000133014567604632025425 0ustar peppepeppe{ "document": { "category": "csaf_base", "csaf_version": "2.0", "lang": "qdq", "publisher": { "category": "other", "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, "source_lang": "qcb", "title": "Optional test: Use of Private Language (failing example 3)", "tracking": { "current_release_date": "2021-07-21T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-2-14-03", "initial_release_date": "2021-07-21T10:00:00.000Z", "revision_history": [ { "date": "2021-07-21T10:00:00.000Z", "number": "1", "summary": "Initial version." } ], "status": "final", "version": "1" } } } CSAF-0.25/t/10-mandatory-6.1.27.11.t0000644000175000017500000000213514572605165015011 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.11 Vulnerabilities # It MUST be tested that the element /vulnerabilities exists. # The relevant values for /document/category are: # csaf_security_advisory # csaf_vex # The relevant path for this test is: # /vulnerabilities # Fail test: # { # "document": { # // ... # }, # "product_tree": [ # // ... # ] # } my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.11'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); foreach my $category (qw(csaf_security_advisory csaf_vex)) { $csaf->document->category($category); exec_validator_mandatory_test($csaf, '6.1.27.11'); } done_testing; CSAF-0.25/t/10-optional-6.2.04.t0000644000175000017500000000231714704316755014417 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use CSAF; use Test::CSAF qw(exec_validator_optional_test); # 6.2.4 Build Metadata in Revision History # For each item in revision history it MUST be tested that number does not include build metadata. # The relevant path for this test is: # /document/tracking/revision_history[]/number # Fail test: # "revision_history": [ # { # "date": "2021-04-23T10:00:00.000Z", # "number": "1.0.0+exp.sha.ac00785", # "summary": "Initial version." # } # ] my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add(date => 'now', summary => 'Initial version.', number => '1.0.0+exp.sha.ac00785"'); exec_validator_optional_test($csaf, '6.2.4'); done_testing; CSAF-0.25/t/10-optional-6.2.14.t0000644000175000017500000000151614572605165014417 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_optional_test); use CSAF::Validator::OptionalTests; # 6.2.14 Use of Private Language # For each element of type /$defs/language_t it MUST be tested that the language code does not contain subtags reserved for private use. # The relevant paths for this test are: # /document/lang # /document/source_lang # Fail test: # "document": { # // ... # "lang": "qtx", # // ... # } # The language code qtx is reserved for private use. # A tool MAY remove such subtag as a quick fix. my $csaf = base_csaf_security_advisory(); $csaf->document->lang('qtx'); $csaf->document->source_lang('qtx'); exec_validator_optional_test($csaf, '6.2.14'); done_testing; CSAF-0.25/t/pod.t0000644000175000017500000000052014572605165012402 0ustar peppepeppe#!perl -T use strict; use warnings; use Test::More; unless ($ENV{RELEASE_TESTING}) { plan(skip_all => "Author tests not required for installation"); } # Ensure a recent version of Test::Pod my $min_tp = 1.22; eval "use Test::Pod $min_tp"; plan skip_all => "Test::Pod $min_tp required for testing POD" if $@; all_pod_files_ok(); CSAF-0.25/t/10-mandatory-6.1.27.02.t0000644000175000017500000000302714704316755015013 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.2 Document References # It MUST be tested that at least one item in /document/references exists that has links to an external source. # The relevant values for /document/category are: # csaf_informational_advisory # csaf_security_incident_response # The relevant path for this test is: # /document/references # Fail test: # "references": [ # { # "category": "self", # "summary": "The canonical URL.", # "url": "https://example.com/security/data/csaf/2021/OASIS_CSAF_TC-CSAF_2_0-2021-6-1-27-02-01.json" # } # ] my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.2'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $csaf->document->references->add( url => 'https://example.com/security/data/csaf/2021/OASIS_CSAF_TC-CSAF_2_0-2021-6-1-27-02-01.json', summary => 'The canonical URL.', category => 'self' ); foreach my $category (qw(csaf_informational_advisory csaf_security_incident_response)) { $csaf->document->category($category); exec_validator_mandatory_test($csaf, '6.1.27.2'); } done_testing; CSAF-0.25/t/10-mandatory-6.1.16.t0000644000175000017500000000314714572605165014573 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.16 Latest Document Version # It MUST be tested that document version has the same value as the the number in the last item of Revision History when it is sorted ascending by date. Build metadata is ignored in the comparison. Any pre-release part is also ignored if the document status is draft. # The relevant path for this test is: # /document/tracking/version # Fail test: # "tracking": { # // ... # "revision_history": [ # { # "date": "2021-07-21T09:00:00.000Z", # "number": "1", # "summary": "Initial version." # }, # { # "date": "2021-07-21T10:00:00.000Z", # "number": "2", # "summary": "Second version." # } # ], # // ... # "version": "1" # } my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add(date => 'now', summary => 'Initial version.', number => '1'); $tracking->revision_history->add(date => 'now', summary => 'Second version.', number => '2'); exec_validator_mandatory_test($csaf, '6.1.16'); done_testing; CSAF-0.25/t/10-mandatory-6.1.18.t0000644000175000017500000000303314572605165014567 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.18 Released Revision History # It MUST be tested that no item of the revision history has a number of 0 or 0.y.z when the document status is final or interim. # The relevant path for this test is: # /document/tracking/revision_history[]/number # Fail test: # "tracking": { # // ... # "revision_history": [ # { # "date": "2021-05-17T10:00:00.000Z", # "number": "0", # "summary": "First draft" # }, # { # "date": "2021-07-21T10:00:00.000Z", # "number": "1", # "summary": "Initial version." # } # ], # "status": "final", # "version": "1" # } my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add(date => 'now', summary => 'First draft', number => '0'); $tracking->revision_history->add(date => 'now', summary => 'Initial version.', number => '1'); exec_validator_mandatory_test($csaf, '6.1.18'); done_testing; CSAF-0.25/t/00-load.t0000644000175000017500000000034114615202172012742 0ustar peppepeppe#!perl use strict; use warnings; use Test::More; use_ok('CSAF'); use_ok('CSAF::Util'); use_ok('CSAF::Type'); use_ok('CSAF::Builder'); use_ok('CSAF::Validator'); done_testing(); diag("CSAF $CSAF::VERSION, Perl $], $^X"); CSAF-0.25/t/20-parser.t0000644000175000017500000000306214615202151013321 0ustar peppepeppe#!perl use strict; use warnings; use Test::More; use FindBin '$RealBin'; use CSAF::Parser; subtest 'Parse file' => sub { my $validation_errors = 0; my $parser = CSAF::Parser->new(file => "$RealBin/examples/cisco-sa-20180328-smi2.json"); my $csaf = $parser->parse; isa_ok($csaf, 'CSAF'); is( $csaf->document->title, 'Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability', 'Test title' ); is($csaf->document->category, 'Cisco Security Advisory', 'Test category'); }; subtest 'Parse string' => sub { my $parser = CSAF::Parser->new(content => <parse; isa_ok($csaf, 'CSAF'); is($csaf->document->title, 'Template for generating CSAF files for Validator examples', 'Test title'); is($csaf->document->category, 'csaf_base', 'Test category'); }; done_testing(); CSAF-0.25/t/10-mandatory-6.1.27.06.t0000644000175000017500000000231114704316755015012 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.6 Product Status # For each item in /vulnerabilities it MUST be tested that the element product_status exists. # The relevant value for /document/category is: # csaf_security_advisory # The relevant path for this test is: # /vulnerabilities[]/product_status # Fail test: # "vulnerabilities": [ # { # "title": "A vulnerability item without a product status" # } # ] my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.6'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(title => 'A vulnerability item without a product status'); exec_validator_mandatory_test($csaf, '6.1.27.6'); done_testing; CSAF-0.25/t/10-mandatory-6.1.06.t0000644000175000017500000000377214704316755014577 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); use CSAF::Validator::MandatoryTests; # 6.1.6 Contradicting Product Status # For each item in /vulnerabilities it MUST be tested that the same Product ID is not member of contradicting product status groups. The sets formed by the contradicting groups within one vulnerability item MUST be pairwise disjoint. # Contradiction groups are: # Affected: # /vulnerabilities[]/product_status/first_affected[] # /vulnerabilities[]/product_status/known_affected[] # /vulnerabilities[]/product_status/last_affected[] # Not affected: # /vulnerabilities[]/product_status/known_not_affected[] # Fixed: # /vulnerabilities[]/product_status/first_fixed[] # /vulnerabilities[]/product_status/fixed[] # Under investigation: # /vulnerabilities[]/product_status/under_investigation[] # Note: An issuer might recommend (/vulnerabilities[]/product_status/recommended) a product version from any group - also from the affected group, i.e. if it was discovered that fixed versions introduce a more severe vulnerability. # Fail test: # "product_tree": { # "full_product_names": [ # { # "product_id": "CSAFPID-9080700", # "name": "Product A" # } # ] # }, # "vulnerabilities": [ # { # "product_status": { # "known_affected": [ # "CSAFPID-9080700" # ], # "known_not_affected": [ # "CSAFPID-9080700" # ] # } # } # ] my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->product_status->first_affected(['CSAFPID-9080700']); $vuln->product_status->under_investigation(['CSAFPID-9080700']); exec_validator_mandatory_test($csaf, '6.1.6'); done_testing; CSAF-0.25/t/examples/0000755000175000017500000000000014755634263013260 5ustar peppepeppeCSAF-0.25/t/examples/rhsa-2021_5217.json0000644000175000017500000001560314567456343016157 0ustar peppepeppe{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis is an asynchronous patch for Red Hat Single Sign-On 7.5, and includes one security fix.\n\nSecurity Fix:\n\n* keycloak: Incorrect authorization allows unpriviledged users to create other users (CVE-2021-4133)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5217", "url": "https://access.redhat.com/errata/RHSA-2021:5217" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.5", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.5" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/beta/2021/rhsa-2021_5217.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.0 security update", "tracking": { "current_release_date": "2021-12-20T16:16:00Z", "generator": { "date": "2022-03-23T20:31:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.4.3" } }, "id": "RHSA-2021:5217", "initial_release_date": "2021-12-20T16:16:00Z", "revision_history": [ { "date": "2021-12-20T16:16:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_family", "name": "Red Hat Single Sign-On", "product": { "name": "Red Hat Single Sign-On", "product_id": "Red Hat Single Sign-On" } } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Grzegorz Soba\u0144ski" ], "organization": "MLabs" } ], "cve": "CVE-2021-4133", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "discovery_date": "2021-12-17T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602" } ], "notes": [ { "category": "general", "text": "Keycloak: Incorrect authorization allows unpriviledged users to create other users", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On" ] }, "references": [ { "category": "external", "summary": "https://github.com/keycloak/keycloak/issues/9247", "url": "https://github.com/keycloak/keycloak/issues/9247" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487" }, { "category": "external", "summary": "CVE-2021-4133", "url": "https://access.redhat.com/security/cve/CVE-2021-4133" }, { "category": "external", "summary": "bz#2033602: CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602" } ], "release_date": "2021-12-16T17:05:00Z", "remediations": [ { "category": "vendor_fix", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On" ], "url": "https://access.redhat.com/errata/RHSA-2021:5217" } ], "threats": [ { "category": "impact", "date": "2021-12-17T00:00:00Z", "details": "Important" } ], "title": "CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users" } ] } CSAF-0.25/t/examples/rhsa-2021_5186.json0000644000175000017500000003437514567456335016174 0ustar peppepeppe{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5186", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/beta/2021/rhsa-2021_5186.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2021-12-16T22:34:00Z", "generator": { "date": "2022-03-23T20:31:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.4.3" } }, "id": "RHSA-2021:5186", "initial_release_date": "2021-12-16T22:34:00Z", "revision_history": [ { "date": "2021-12-16T22:34:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "product_id": "openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1" } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595", "product": { "name": "openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595", "product_id": "openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595" } }, { "category": "product_version", "name": "openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream", "product": { "name": "openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream", "product_id": "openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream" } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595" }, "product_reference": "openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream" }, "product_reference": "openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "notes": [ { "category": "general", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595" ] }, "references": [ { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" }, { "category": "external", "summary": "CVE-2021-4104", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "bz#2031667: CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "release_date": "2021-12-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595" ], "url": "https://access.redhat.com/errata/RHSA-2021:5186" } ], "threats": [ { "category": "impact", "date": "2021-12-13T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" } ], "notes": [ { "category": "general", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595" ] }, "references": [ { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "CVE-2021-4125", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "bz#2033121: CVE-2021-4125 kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" } ], "release_date": "2021-12-16T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle:v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator:v4.6.0-202112161349.p0.gd74112d.assembly.art3595" ], "url": "https://access.redhat.com/errata/RHSA-2021:5186" } ], "threats": [ { "category": "impact", "date": "2021-12-16T00:00:00Z", "details": "Critical" } ], "title": "CVE-2021-4125 kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] } CSAF-0.25/t/examples/rhsa-2019_1862.json0000644000175000017500000000722214567456314016164 0ustar peppepeppe{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_informational_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "This is the one-month notification for the end of the maintenance phase for Red Hat OpenShift Enterprise 3.6 and 3.7. This notification applies only to customers with subscriptions for Red Hat OpenShift Enterprise 3.6 and 3.7.", "title": "Topic" }, { "category": "general", "text": "As part of the maintenance phase, qualified security patches of Critical or Important impact, as well as select mission-critical bug-fix patches, were released for Red Hat OpenShift Enterprise 3.6 and 3.7.\n\nAfter July 31st, 2019, customers will not receive those updates.\n\nRed Hat OpenShift Container Platform Life Cycle Policy can be found under:\n\nhttps://access.redhat.com/support/policy/updates/openshift", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2019:1862", "url": "https://access.redhat.com/errata/RHSA-2019:1862" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/articles/3532971", "url": "https://access.redhat.com/articles/3532971" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/beta/2019/rhsa-2019_1862.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Enterprise one-month end-of-life notice", "tracking": { "current_release_date": "2019-07-26T06:38:00Z", "generator": { "date": "2022-05-17T17:18:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.5.0" } }, "id": "RHSA-2019:1862", "initial_release_date": "2019-07-26T06:38:00Z", "revision_history": [ { "date": "2019-07-26T06:38:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_family", "name": "Red Hat OpenShift Enterprise", "product": { "name": "Red Hat OpenShift Enterprise", "product_id": "Red Hat OpenShift Enterprise" } } ], "category": "vendor", "name": "Red Hat" } ] } }CSAF-0.25/t/examples/rhsa-2022_0011.json0000644000175000017500000004315414567456351016144 0ustar peppepeppe{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2022 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for telnet is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Telnet is a popular protocol for logging in to remote systems over the Internet. The telnet-server packages include a telnet service that supports remote logins into the host machine. The telnet service is disabled by default.\n\nSecurity Fix(es):\n\n* telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code (CVE-2020-10188)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0011", "url": "https://access.redhat.com/errata/RHSA-2022:0011" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/beta/2022/rhsa-2022_0011.json" } ], "title": "Red Hat Security Advisory: telnet security update", "tracking": { "current_release_date": "2022-01-04T08:38:00Z", "generator": { "date": "2022-03-23T20:31:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.4.3" } }, "id": "RHSA-2022:0011", "initial_release_date": "2022-01-04T08:38:00Z", "revision_history": [ { "date": "2022-01-04T08:38:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "telnet-1:0.17-65.el7_6.src", "product": { "name": "telnet-1:0.17-65.el7_6.src", "product_id": "telnet-1:0.17-65.el7_6.src" } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "telnet-1:0.17-65.el7_6.x86_64", "product": { "name": "telnet-1:0.17-65.el7_6.x86_64", "product_id": "telnet-1:0.17-65.el7_6.x86_64" } }, { "category": "product_version", "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64", "product": { "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64", "product_id": "telnet-debuginfo-1:0.17-65.el7_6.x86_64" } }, { "category": "product_version", "name": "telnet-server-1:0.17-65.el7_6.x86_64", "product": { "name": "telnet-server-1:0.17-65.el7_6.x86_64", "product_id": "telnet-server-1:0.17-65.el7_6.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "telnet-1:0.17-65.el7_6.ppc64le", "product": { "name": "telnet-1:0.17-65.el7_6.ppc64le", "product_id": "telnet-1:0.17-65.el7_6.ppc64le" } }, { "category": "product_version", "name": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le", "product": { "name": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le", "product_id": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le" } }, { "category": "product_version", "name": "telnet-server-1:0.17-65.el7_6.ppc64le", "product": { "name": "telnet-server-1:0.17-65.el7_6.ppc64le", "product_id": "telnet-server-1:0.17-65.el7_6.ppc64le" } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.src" }, "product_reference": "telnet-1:0.17-65.el7_6.src", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-server-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:telnet-server-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-server-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.ppc64le as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.ppc64le" }, "product_reference": "telnet-1:0.17-65.el7_6.ppc64le", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.src" }, "product_reference": "telnet-1:0.17-65.el7_6.src", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.ppc64le" }, "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-server-1:0.17-65.el7_6.ppc64le as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.ppc64le" }, "product_reference": "telnet-server-1:0.17-65.el7_6.ppc64le", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-server-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-server-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.src" }, "product_reference": "telnet-1:0.17-65.el7_6.src", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "telnet-server-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:telnet-server-1:0.17-65.el7_6.x86_64" }, "product_reference": "telnet-server-1:0.17-65.el7_6.x86_64", "relates_to_product_reference": "7Server-7.6.TUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-10188", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "discovery_date": "2020-03-06T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1811673" } ], "notes": [ { "category": "general", "text": "telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.src", "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.x86_64", "7Server-7.6.AUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64", "7Server-7.6.AUS:telnet-server-1:0.17-65.el7_6.x86_64", "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.ppc64le", "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.src", "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.x86_64", "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.ppc64le", "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.x86_64", "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.ppc64le", "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.x86_64", "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.src", "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.x86_64", "7Server-7.6.TUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64", "7Server-7.6.TUS:telnet-server-1:0.17-65.el7_6.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-10188", "url": "https://access.redhat.com/security/cve/CVE-2020-10188" }, { "category": "external", "summary": "bz#1811673: CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811673" } ], "release_date": "2020-02-28T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.src", "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.x86_64", "7Server-7.6.AUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64", "7Server-7.6.AUS:telnet-server-1:0.17-65.el7_6.x86_64", "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.ppc64le", "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.src", "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.x86_64", "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.ppc64le", "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.x86_64", "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.ppc64le", "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.x86_64", "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.src", "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.x86_64", "7Server-7.6.TUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64", "7Server-7.6.TUS:telnet-server-1:0.17-65.el7_6.x86_64" ], "url": "https://access.redhat.com/errata/RHSA-2022:0011" } ], "threats": [ { "category": "impact", "date": "2020-03-06T00:00:00Z", "details": "Important" } ], "title": "CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code" } ] } CSAF-0.25/t/examples/cisco-sa-20180328-smi2.json0000644000175000017500000037543314567456270017451 0ustar peppepeppe{ "document": { "title": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability", "category": "Cisco Security Advisory", "csaf_version": "2.0", "publisher": { "category": "vendor", "contact_details": "Emergency Support:\n+1 877 228 7302 (toll-free within North America)\n+1 408 525 6532 (International direct-dial)\nNon-emergency Support:\nEmail: psirt@cisco.com\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.", "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\nMore information can be found in Cisco Security Vulnerability Policy available at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html", "name": "Cisco PSIRT", "namespace": "https://www.cisco.com" }, "tracking": { "id": "cisco-sa-20180328-smi2", "status": "final", "version": "3.0.0", "revision_history": [ { "number": "1.0.0", "date": "2018-03-28T15:17:05Z", "summary": "Initial public release." }, { "number": "1.1.0", "date": "2018-03-29T17:13:23Z", "summary": "Added the researcher's company name." }, { "number": "1.2.0", "date": "2018-04-02T13:18:01Z", "summary": "Metadata update." }, { "number": "1.3.0", "date": "2018-04-06T19:35:44Z", "summary": "Added more details to the Workarounds section." }, { "number": "1.4.0", "date": "2018-04-09T14:20:12Z", "summary": "Emphasized that Smart Install is enabled by default. Added a link to the list of devices that support Smart Install." }, { "number": "2.0.0", "date": "2018-04-16T18:21:34Z", "summary": "Updated IOS Software Checker with products found to be non-vulnerable." }, { "number": "3.0.0", "date": "2018-04-17T15:08:41Z", "summary": "Updated IOS Software Checker with products found to be vulnerable." } ], "initial_release_date": "2018-03-28T16:00:00Z", "current_release_date": "2018-04-17T15:08:41Z", "generator": { "engine": { "name": "TVCE" } } }, "notes": [ { "title": "Summary", "category": "summary", "text": "A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.\n\nThe vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:\n\nTriggering a reload of the device\nAllowing the attacker to execute arbitrary code on the device\nCausing an indefinite loop on the affected device that triggers a watchdog crash\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nSmart Install client functionality is enabled by default on switches that are running Cisco IOS Software releases that have not been updated to address Cisco bug ID CSCvd36820 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd36820\"].\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2 [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2\"]\n\nThis advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication [\"https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682\"]." }, { "title": "Vulnerable Products", "category": "general", "text": "This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE Software and have the Smart Install client feature enabled.\n\nOnly Smart Install client switches are affected by the vulnerability that is described in this advisory. Cisco devices that are configured as a Smart Install director are not affected by this vulnerability.\n\nFor a list of devices that support Smart Install, see Smart Install Configuration Guide - Supported Devices [\"https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/supported_devices.html\"].\n\nFor information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software [\"#fixed\"] section of this advisory.\n Notes Regarding Specific Releases\nSmart Install client functionality is enabled by default on switches that are running Cisco IOS Software releases that have not been updated to address Cisco bug ID CSCvd36820 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd36820\"].\n\nSwitches that are running releases earlier than Cisco IOS Software Release 12.2(52)SE are not capable of running Smart Install, but they can be Smart Install clients if they support the archive download-sw privileged EXEC command.\n Determining Whether the Smart Install Client Feature Is Enabled\nTo determine whether a device is configured with the Smart Install client feature enabled, use the show vstack config privileged EXEC command on the Smart Install client. An output of Role: Client and Oper Mode: Enabled or Role: Client (SmartInstall enabled) from the show vstack config command confirms that the feature is enabled on the device.\n\nThe following examples show the output of the show vstack config command on Cisco Catalyst Switches that are configured as Smart Install clients:\n\n\nswitch1# show vstack config\nRole: Client (SmartInstall enabled)\n.\n.\n.\n\nswitch2# show vstack config\nCapability: Client\nOper Mode: Enabled\nRole: Client\n.\n.\n.\nDetermining the Cisco IOS Software Release\nTo determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.\n\nThe following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M:\n\n\nRouter> show version\n Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team . . .\n\nFor information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide [\"https://www.cisco.com/c/en/us/about/security-center/ios-nx-os-reference-guide.html\"].\nDetermining the Cisco IOS XE Software Release\nTo determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.\n\nThe following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:\n\n\nios-xe-device# show version\n Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre . . .\n\nFor information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide [\"https://www.cisco.com/c/en/us/about/security-center/ios-nx-os-reference-guide.html\"]." }, { "title": "Products Confirmed Not Vulnerable", "category": "general", "text": "No other Cisco products are currently known to be affected by this vulnerability.\n\nCisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software." }, { "title": "Details", "category": "general", "text": "Cisco Smart Install is a ?plug-and-play? configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches. The feature allows a customer to ship a Cisco switch to any location, install it in the network, and power it on without additional configuration requirements. The Smart Install feature incorporates no authentication by design.\n\nA Smart Install network consists of exactly one Smart Install director switch or router, also known as an integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). A client switch does not need to be directly connected to the director; the client switch can be up to seven hops away.\n\nThe director provides a single management point for images and configuration of client switches. When a client switch is first installed in the network, the director automatically detects the new switch and identifies the correct Cisco IOS Software image and the configuration file for downloading. The director can also allocate an IP address and hostname to a client." }, { "title": "Workarounds", "category": "general", "text": "There are no workarounds that address this vulnerability for customers who require the use of Cisco Smart Install. For customers not requiring Cisco Smart Install, the feature can be disabled with the no vstack command. In software releases that are associated with Cisco Bug ID CSCvd36820 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd36820\"], Cisco Smart Install will auto-disable if not in use.\n\nAdministrators are encouraged to consult the informational security advisory on Cisco Smart Install Protocol Misuse [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi\"] and the Smart Install Configuration Guide [\"http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355\"]." }, { "title": "Fixed Software", "category": "general", "text": "Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:\nhttps://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\n\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\n\nWhen considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\n\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\n\nCustomers Without Service Contracts\n\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:\nhttps://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\n\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\n Cisco IOS and IOS XE Software\nTo help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker [\"https://tools.cisco.com/security/center/softwarechecker.x\"], that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (?First Fixed?). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (?Combined First Fixed?).\n\nCustomers can use this tool to perform the following tasks:\n\nInitiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse\nEnter the output of the show version command for the tool to parse\nCreate a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication\n\nTo determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker [\"https://tools.cisco.com/security/center/softwarechecker.x\"] on Cisco.com or enter a Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2 or 3.13.8S?in the following field:\n\n\n\n\n\nFor a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes [\"https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/2/release/notes/rnasr21/rnasr21_gen.html#wp3000032\"], Cisco IOS XE 3S Release Notes [\"https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes/asr1k_rn_3s_sys_req.html#wp3069754\"], or Cisco IOS XE 3SG Release Notes [\"https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_24726.html#pgfId-2570252\"], depending on the Cisco IOS XE Software release." }, { "title": "Vulnerability Policy", "category": "general", "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco." }, { "title": "Exploitation and Public Announcements", "category": "general", "text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory." }, { "title": "Source", "category": "general", "text": "Cisco would like to thank George Nosenko from Embedi for reporting this vulnerability via GeekPwn." }, { "title": "Legal Disclaimer", "category": "legal_disclaimer", "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products." } ], "references": [ { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2", "summary": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityBundle/cisco-sa-20180328-bundle", "summary": "Summary of the Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, March 28, 2018" }, { "url": "http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682", "summary": "Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityBundle/cisco-sa-20180328-bundle", "summary": "Summary of the Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, March 28, 2018" }, { "url": "http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682", "summary": "Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication" } ] }, "product_tree": { "branches": [ { "name": "Cisco", "category": "vendor", "branches": [ { "name": "IOS", "category": "product_name", "branches": [ { "name": "12.2SE", "category": "product_version", "branches": [ { "name": "12.2(55)SE", "category": "service_pack", "product": { "product_id": "CVRFPID-103763", "name": "Cisco IOS 12.2SE 12.2(55)SE" } }, { "name": "12.2(55)SE3", "category": "service_pack", "product": { "product_id": "CVRFPID-105394", "name": "Cisco IOS 12.2SE 12.2(55)SE3" } }, { "name": "12.2(55)SE2", "category": "service_pack", "product": { "product_id": "CVRFPID-105689", "name": "Cisco IOS 12.2SE 12.2(55)SE2" } }, { "name": "12.2(58)SE", "category": "service_pack", "product": { "product_id": "CVRFPID-105987", "name": "Cisco IOS 12.2SE 12.2(58)SE" } }, { "name": "12.2(55)SE1", "category": "service_pack", "product": { "product_id": "CVRFPID-106029", "name": "Cisco IOS 12.2SE 12.2(55)SE1" } }, { "name": "12.2(58)SE1", "category": "service_pack", "product": { "product_id": "CVRFPID-109098", "name": "Cisco IOS 12.2SE 12.2(58)SE1" } }, { "name": "12.2(55)SE4", "category": "service_pack", "product": { "product_id": "CVRFPID-109439", "name": "Cisco IOS 12.2SE 12.2(55)SE4" } }, { "name": "12.2(58)SE2", "category": "service_pack", "product": { "product_id": "CVRFPID-109808", "name": "Cisco IOS 12.2SE 12.2(58)SE2" } }, { "name": "12.2(55)SE5", "category": "service_pack", "product": { "product_id": "CVRFPID-111674", "name": "Cisco IOS 12.2SE 12.2(55)SE5" } }, { "name": "12.2(55)SE6", "category": "service_pack", "product": { "product_id": "CVRFPID-114665", "name": "Cisco IOS 12.2SE 12.2(55)SE6" } }, { "name": "12.2(55)SE7", "category": "service_pack", "product": { "product_id": "CVRFPID-184125", "name": "Cisco IOS 12.2SE 12.2(55)SE7" } }, { "name": "12.2(55)SE8", "category": "service_pack", "product": { "product_id": "CVRFPID-189187", "name": "Cisco IOS 12.2SE 12.2(55)SE8" } }, { "name": "12.2(55)SE9", "category": "service_pack", "product": { "product_id": "CVRFPID-192911", "name": "Cisco IOS 12.2SE 12.2(55)SE9" } }, { "name": "12.2(55)SE10", "category": "service_pack", "product": { "product_id": "CVRFPID-198542", "name": "Cisco IOS 12.2SE 12.2(55)SE10" } }, { "name": "12.2(55)SE11", "category": "service_pack", "product": { "product_id": "CVRFPID-210732", "name": "Cisco IOS 12.2SE 12.2(55)SE11" } }, { "name": "12.2(55)SE12", "category": "service_pack", "product": { "product_id": "CVRFPID-228057", "name": "Cisco IOS 12.2SE 12.2(55)SE12" } }, { "name": "12.2(55)SE13", "category": "service_pack", "product": { "product_id": "CVRFPID-230962", "name": "Cisco IOS 12.2SE 12.2(55)SE13" } } ] }, { "name": "12.2EX", "category": "product_version", "branches": [ { "name": "12.2(55)EX", "category": "service_pack", "product": { "product_id": "CVRFPID-106674", "name": "Cisco IOS 12.2EX 12.2(55)EX" } }, { "name": "12.2(55)EX1", "category": "service_pack", "product": { "product_id": "CVRFPID-108306", "name": "Cisco IOS 12.2EX 12.2(55)EX1" } }, { "name": "12.2(55)EX2", "category": "service_pack", "product": { "product_id": "CVRFPID-109760", "name": "Cisco IOS 12.2EX 12.2(55)EX2" } }, { "name": "12.2(55)EX3", "category": "service_pack", "product": { "product_id": "CVRFPID-111019", "name": "Cisco IOS 12.2EX 12.2(55)EX3" } } ] }, { "name": "12.2EY", "category": "product_version", "branches": [ { "name": "12.2(55)EY", "category": "service_pack", "product": { "product_id": "CVRFPID-103559", "name": "Cisco IOS 12.2EY 12.2(55)EY" } } ] }, { "name": "12.2EZ", "category": "product_version", "branches": [ { "name": "12.2(55)EZ", "category": "service_pack", "product": { "product_id": "CVRFPID-107283", "name": "Cisco IOS 12.2EZ 12.2(55)EZ" } } ] }, { "name": "15.0EY", "category": "product_version", "branches": [ { "name": "15.0(1)EY", "category": "service_pack", "product": { "product_id": "CVRFPID-104376", "name": "Cisco IOS 15.0EY 15.0(1)EY" } }, { "name": "15.0(1)EY2", "category": "service_pack", "product": { "product_id": "CVRFPID-187269", "name": "Cisco IOS 15.0EY 15.0(1)EY2" } } ] }, { "name": "15.1M", "category": "product_version", "branches": [ { "name": "15.1(4)M12c", "category": "service_pack", "product": { "product_id": "CVRFPID-233143", "name": "Cisco IOS 15.1M 15.1(4)M12c" } } ] }, { "name": "15.0SE", "category": "product_version", "branches": [ { "name": "15.0(1)SE", "category": "service_pack", "product": { "product_id": "CVRFPID-105660", "name": "Cisco IOS 15.0SE 15.0(1)SE" } }, { "name": "15.0(2)SE", "category": "service_pack", "product": { "product_id": "CVRFPID-107852", "name": "Cisco IOS 15.0SE 15.0(2)SE" } }, { "name": "15.0(1)SE1", "category": "service_pack", "product": { "product_id": "CVRFPID-111010", "name": "Cisco IOS 15.0SE 15.0(1)SE1" } }, { "name": "15.0(1)SE2", "category": "service_pack", "product": { "product_id": "CVRFPID-113961", "name": "Cisco IOS 15.0SE 15.0(1)SE2" } }, { "name": "15.0(1)SE3", "category": "service_pack", "product": { "product_id": "CVRFPID-115832", "name": "Cisco IOS 15.0SE 15.0(1)SE3" } }, { "name": "15.0(2)SE1", "category": "service_pack", "product": { "product_id": "CVRFPID-115939", "name": "Cisco IOS 15.0SE 15.0(2)SE1" } }, { "name": "15.0(2)SE2", "category": "service_pack", "product": { "product_id": "CVRFPID-116083", "name": "Cisco IOS 15.0SE 15.0(2)SE2" } }, { "name": "15.0(2)SE3", "category": "service_pack", "product": { "product_id": "CVRFPID-189455", "name": "Cisco IOS 15.0SE 15.0(2)SE3" } }, { "name": "15.0(2)SE4", "category": "service_pack", "product": { "product_id": "CVRFPID-190635", "name": "Cisco IOS 15.0SE 15.0(2)SE4" } }, { "name": "15.0(2)SE5", "category": "service_pack", "product": { "product_id": "CVRFPID-192706", "name": "Cisco IOS 15.0SE 15.0(2)SE5" } }, { "name": "15.0(2)SE6", "category": "service_pack", "product": { "product_id": "CVRFPID-195770", "name": "Cisco IOS 15.0SE 15.0(2)SE6" } }, { "name": "15.0(2)SE7", "category": "service_pack", "product": { "product_id": "CVRFPID-204097", "name": "Cisco IOS 15.0SE 15.0(2)SE7" } }, { "name": "15.0(2)SE8", "category": "service_pack", "product": { "product_id": "CVRFPID-209028", "name": "Cisco IOS 15.0SE 15.0(2)SE8" } }, { "name": "15.0(2)SE9", "category": "service_pack", "product": { "product_id": "CVRFPID-209029", "name": "Cisco IOS 15.0SE 15.0(2)SE9" } }, { "name": "15.0(2a)SE9", "category": "service_pack", "product": { "product_id": "CVRFPID-212329", "name": "Cisco IOS 15.0SE 15.0(2a)SE9" } }, { "name": "15.0(2)SE10", "category": "service_pack", "product": { "product_id": "CVRFPID-213788", "name": "Cisco IOS 15.0SE 15.0(2)SE10" } }, { "name": "15.0(2)SE11", "category": "service_pack", "product": { "product_id": "CVRFPID-220466", "name": "Cisco IOS 15.0SE 15.0(2)SE11" } }, { "name": "15.0(2)SE10a", "category": "service_pack", "product": { "product_id": "CVRFPID-222342", "name": "Cisco IOS 15.0SE 15.0(2)SE10a" } }, { "name": "15.0(2)SE12", "category": "service_pack", "product": { "product_id": "CVRFPID-234926", "name": "Cisco IOS 15.0SE 15.0(2)SE12" } } ] }, { "name": "15.1SG", "category": "product_version", "branches": [ { "name": "15.1(2)SG", "category": "service_pack", "product": { "product_id": "CVRFPID-115477", "name": "Cisco IOS 15.1SG 15.1(2)SG" } }, { "name": "15.1(2)SG1", "category": "service_pack", "product": { "product_id": "CVRFPID-188035", "name": "Cisco IOS 15.1SG 15.1(2)SG1" } }, { "name": "15.1(2)SG2", "category": "service_pack", "product": { "product_id": "CVRFPID-193283", "name": "Cisco IOS 15.1SG 15.1(2)SG2" } }, { "name": "15.1(2)SG3", "category": "service_pack", "product": { "product_id": "CVRFPID-194741", "name": "Cisco IOS 15.1SG 15.1(2)SG3" } }, { "name": "15.1(2)SG4", "category": "service_pack", "product": { "product_id": "CVRFPID-195489", "name": "Cisco IOS 15.1SG 15.1(2)SG4" } }, { "name": "15.1(2)SG5", "category": "service_pack", "product": { "product_id": "CVRFPID-197465", "name": "Cisco IOS 15.1SG 15.1(2)SG5" } }, { "name": "15.1(2)SG6", "category": "service_pack", "product": { "product_id": "CVRFPID-204187", "name": "Cisco IOS 15.1SG 15.1(2)SG6" } }, { "name": "15.1(2)SG7", "category": "service_pack", "product": { "product_id": "CVRFPID-209034", "name": "Cisco IOS 15.1SG 15.1(2)SG7" } }, { "name": "15.1(2)SG8", "category": "service_pack", "product": { "product_id": "CVRFPID-214992", "name": "Cisco IOS 15.1SG 15.1(2)SG8" } }, { "name": "15.1(2)SG8a", "category": "service_pack", "product": { "product_id": "CVRFPID-233796", "name": "Cisco IOS 15.1SG 15.1(2)SG8a" } } ] }, { "name": "15.0EX", "category": "product_version", "branches": [ { "name": "15.0(2)EX", "category": "service_pack", "product": { "product_id": "CVRFPID-189064", "name": "Cisco IOS 15.0EX 15.0(2)EX" } }, { "name": "15.0(2)EX1", "category": "service_pack", "product": { "product_id": "CVRFPID-189115", "name": "Cisco IOS 15.0EX 15.0(2)EX1" } }, { "name": "15.0(2)EX2", "category": "service_pack", "product": { "product_id": "CVRFPID-192910", "name": "Cisco IOS 15.0EX 15.0(2)EX2" } }, { "name": "15.0(2)EX3", "category": "service_pack", "product": { "product_id": "CVRFPID-194540", "name": "Cisco IOS 15.0EX 15.0(2)EX3" } }, { "name": "15.0(2)EX4", "category": "service_pack", "product": { "product_id": "CVRFPID-194913", "name": "Cisco IOS 15.0EX 15.0(2)EX4" } }, { "name": "15.0(2)EX5", "category": "service_pack", "product": { "product_id": "CVRFPID-195943", "name": "Cisco IOS 15.0EX 15.0(2)EX5" } }, { "name": "15.0(2)EX6", "category": "service_pack", "product": { "product_id": "CVRFPID-200496", "name": "Cisco IOS 15.0EX 15.0(2)EX6" } }, { "name": "15.0(2)EX7", "category": "service_pack", "product": { "product_id": "CVRFPID-201366", "name": "Cisco IOS 15.0EX 15.0(2)EX7" } }, { "name": "15.0(2)EX8", "category": "service_pack", "product": { "product_id": "CVRFPID-204831", "name": "Cisco IOS 15.0EX 15.0(2)EX8" } }, { "name": "15.0(2a)EX5", "category": "service_pack", "product": { "product_id": "CVRFPID-205064", "name": "Cisco IOS 15.0EX 15.0(2a)EX5" } }, { "name": "15.0(2)EX10", "category": "service_pack", "product": { "product_id": "CVRFPID-211570", "name": "Cisco IOS 15.0EX 15.0(2)EX10" } }, { "name": "15.0(2)EX11", "category": "service_pack", "product": { "product_id": "CVRFPID-214797", "name": "Cisco IOS 15.0EX 15.0(2)EX11" } }, { "name": "15.0(2)EX13", "category": "service_pack", "product": { "product_id": "CVRFPID-225160", "name": "Cisco IOS 15.0EX 15.0(2)EX13" } }, { "name": "15.0(2)EX12", "category": "service_pack", "product": { "product_id": "CVRFPID-230965", "name": "Cisco IOS 15.0EX 15.0(2)EX12" } } ] }, { "name": "15.1SY", "category": "product_version", "branches": [ { "name": "15.1(1)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-112489", "name": "Cisco IOS 15.1SY 15.1(1)SY" } }, { "name": "15.1(1)SY1", "category": "service_pack", "product": { "product_id": "CVRFPID-115285", "name": "Cisco IOS 15.1SY 15.1(1)SY1" } }, { "name": "15.1(2)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-184932", "name": "Cisco IOS 15.1SY 15.1(2)SY" } }, { "name": "15.1(2)SY1", "category": "service_pack", "product": { "product_id": "CVRFPID-188061", "name": "Cisco IOS 15.1SY 15.1(2)SY1" } }, { "name": "15.1(2)SY2", "category": "service_pack", "product": { "product_id": "CVRFPID-189219", "name": "Cisco IOS 15.1SY 15.1(2)SY2" } }, { "name": "15.1(1)SY2", "category": "service_pack", "product": { "product_id": "CVRFPID-191635", "name": "Cisco IOS 15.1SY 15.1(1)SY2" } }, { "name": "15.1(1)SY3", "category": "service_pack", "product": { "product_id": "CVRFPID-194944", "name": "Cisco IOS 15.1SY 15.1(1)SY3" } }, { "name": "15.1(2)SY3", "category": "service_pack", "product": { "product_id": "CVRFPID-198059", "name": "Cisco IOS 15.1SY 15.1(2)SY3" } }, { "name": "15.1(1)SY4", "category": "service_pack", "product": { "product_id": "CVRFPID-198426", "name": "Cisco IOS 15.1SY 15.1(1)SY4" } }, { "name": "15.1(2)SY4", "category": "service_pack", "product": { "product_id": "CVRFPID-201019", "name": "Cisco IOS 15.1SY 15.1(2)SY4" } }, { "name": "15.1(1)SY5", "category": "service_pack", "product": { "product_id": "CVRFPID-204109", "name": "Cisco IOS 15.1SY 15.1(1)SY5" } }, { "name": "15.1(2)SY5", "category": "service_pack", "product": { "product_id": "CVRFPID-204110", "name": "Cisco IOS 15.1SY 15.1(2)SY5" } }, { "name": "15.1(2)SY4a", "category": "service_pack", "product": { "product_id": "CVRFPID-204832", "name": "Cisco IOS 15.1SY 15.1(2)SY4a" } }, { "name": "15.1(1)SY6", "category": "service_pack", "product": { "product_id": "CVRFPID-209043", "name": "Cisco IOS 15.1SY 15.1(1)SY6" } }, { "name": "15.1(2)SY6", "category": "service_pack", "product": { "product_id": "CVRFPID-209044", "name": "Cisco IOS 15.1SY 15.1(2)SY6" } }, { "name": "15.1(2)SY7", "category": "service_pack", "product": { "product_id": "CVRFPID-210406", "name": "Cisco IOS 15.1SY 15.1(2)SY7" } }, { "name": "15.1(2)SY8", "category": "service_pack", "product": { "product_id": "CVRFPID-214052", "name": "Cisco IOS 15.1SY 15.1(2)SY8" } }, { "name": "15.1(2)SY9", "category": "service_pack", "product": { "product_id": "CVRFPID-220440", "name": "Cisco IOS 15.1SY 15.1(2)SY9" } }, { "name": "15.1(2)SY10", "category": "service_pack", "product": { "product_id": "CVRFPID-222650", "name": "Cisco IOS 15.1SY 15.1(2)SY10" } }, { "name": "15.1(2)SY11", "category": "service_pack", "product": { "product_id": "CVRFPID-227307", "name": "Cisco IOS 15.1SY 15.1(2)SY11" } } ] }, { "name": "12.4JAN", "category": "product_version", "branches": [ { "name": "12.4(25e)JAN2", "category": "service_pack", "product": { "product_id": "CVRFPID-192702", "name": "Cisco IOS 12.4JAN 12.4(25e)JAN2" } } ] }, { "name": "15.2E", "category": "product_version", "branches": [ { "name": "15.2(1)E", "category": "service_pack", "product": { "product_id": "CVRFPID-183811", "name": "Cisco IOS 15.2E 15.2(1)E" } }, { "name": "15.2(2)E", "category": "service_pack", "product": { "product_id": "CVRFPID-187057", "name": "Cisco IOS 15.2E 15.2(2)E" } }, { "name": "15.2(1)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-195469", "name": "Cisco IOS 15.2E 15.2(1)E1" } }, { "name": "15.2(3)E", "category": "service_pack", "product": { "product_id": "CVRFPID-197483", "name": "Cisco IOS 15.2E 15.2(3)E" } }, { "name": "15.2(1)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-198060", "name": "Cisco IOS 15.2E 15.2(1)E2" } }, { "name": "15.2(1)E3", "category": "service_pack", "product": { "product_id": "CVRFPID-200488", "name": "Cisco IOS 15.2E 15.2(1)E3" } }, { "name": "15.2(2)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-201074", "name": "Cisco IOS 15.2E 15.2(2)E1" } }, { "name": "15.2(2b)E", "category": "service_pack", "product": { "product_id": "CVRFPID-204102", "name": "Cisco IOS 15.2E 15.2(2b)E" } }, { "name": "15.2(4)E", "category": "service_pack", "product": { "product_id": "CVRFPID-204108", "name": "Cisco IOS 15.2E 15.2(4)E" } }, { "name": "15.2(3)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-204186", "name": "Cisco IOS 15.2E 15.2(3)E1" } }, { "name": "15.2(2)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-204228", "name": "Cisco IOS 15.2E 15.2(2)E2" } }, { "name": "15.2(2a)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-204818", "name": "Cisco IOS 15.2E 15.2(2a)E1" } }, { "name": "15.2(2)E3", "category": "service_pack", "product": { "product_id": "CVRFPID-205672", "name": "Cisco IOS 15.2E 15.2(2)E3" } }, { "name": "15.2(2a)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-209045", "name": "Cisco IOS 15.2E 15.2(2a)E2" } }, { "name": "15.2(3)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-209046", "name": "Cisco IOS 15.2E 15.2(3)E2" } }, { "name": "15.2(3a)E", "category": "service_pack", "product": { "product_id": "CVRFPID-209047", "name": "Cisco IOS 15.2E 15.2(3a)E" } }, { "name": "15.2(3)E3", "category": "service_pack", "product": { "product_id": "CVRFPID-209358", "name": "Cisco IOS 15.2E 15.2(3)E3" } }, { "name": "15.2(3m)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-209359", "name": "Cisco IOS 15.2E 15.2(3m)E2" } }, { "name": "15.2(4)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-209887", "name": "Cisco IOS 15.2E 15.2(4)E1" } }, { "name": "15.2(2)E4", "category": "service_pack", "product": { "product_id": "CVRFPID-210766", "name": "Cisco IOS 15.2E 15.2(2)E4" } }, { "name": "15.2(2)E5", "category": "service_pack", "product": { "product_id": "CVRFPID-211296", "name": "Cisco IOS 15.2E 15.2(2)E5" } }, { "name": "15.2(4)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-213610", "name": "Cisco IOS 15.2E 15.2(4)E2" } }, { "name": "15.2(4m)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-214072", "name": "Cisco IOS 15.2E 15.2(4m)E1" } }, { "name": "15.2(3)E4", "category": "service_pack", "product": { "product_id": "CVRFPID-214078", "name": "Cisco IOS 15.2E 15.2(3)E4" } }, { "name": "15.2(5)E", "category": "service_pack", "product": { "product_id": "CVRFPID-214556", "name": "Cisco IOS 15.2E 15.2(5)E" } }, { "name": "15.2(3m)E7", "category": "service_pack", "product": { "product_id": "CVRFPID-216295", "name": "Cisco IOS 15.2E 15.2(3m)E7" } }, { "name": "15.2(4)E3", "category": "service_pack", "product": { "product_id": "CVRFPID-217805", "name": "Cisco IOS 15.2E 15.2(4)E3" } }, { "name": "15.2(2)E6", "category": "service_pack", "product": { "product_id": "CVRFPID-218891", "name": "Cisco IOS 15.2E 15.2(2)E6" } }, { "name": "15.2(5a)E", "category": "service_pack", "product": { "product_id": "CVRFPID-218995", "name": "Cisco IOS 15.2E 15.2(5a)E" } }, { "name": "15.2(5)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-220441", "name": "Cisco IOS 15.2E 15.2(5)E1" } }, { "name": "15.2(5b)E", "category": "service_pack", "product": { "product_id": "CVRFPID-220457", "name": "Cisco IOS 15.2E 15.2(5b)E" } }, { "name": "15.2(4m)E3", "category": "service_pack", "product": { "product_id": "CVRFPID-220664", "name": "Cisco IOS 15.2E 15.2(4m)E3" } }, { "name": "15.2(3m)E8", "category": "service_pack", "product": { "product_id": "CVRFPID-220689", "name": "Cisco IOS 15.2E 15.2(3m)E8" } }, { "name": "15.2(2)E5a", "category": "service_pack", "product": { "product_id": "CVRFPID-221033", "name": "Cisco IOS 15.2E 15.2(2)E5a" } }, { "name": "15.2(5c)E", "category": "service_pack", "product": { "product_id": "CVRFPID-221137", "name": "Cisco IOS 15.2E 15.2(5c)E" } }, { "name": "15.2(3)E5", "category": "service_pack", "product": { "product_id": "CVRFPID-222275", "name": "Cisco IOS 15.2E 15.2(3)E5" } }, { "name": "15.2(2)E5b", "category": "service_pack", "product": { "product_id": "CVRFPID-222436", "name": "Cisco IOS 15.2E 15.2(2)E5b" } }, { "name": "15.2(4n)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-222500", "name": "Cisco IOS 15.2E 15.2(4n)E2" } }, { "name": "15.2(4o)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-222924", "name": "Cisco IOS 15.2E 15.2(4o)E2" } }, { "name": "15.2(5a)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-223143", "name": "Cisco IOS 15.2E 15.2(5a)E1" } }, { "name": "15.2(4)E4", "category": "service_pack", "product": { "product_id": "CVRFPID-224553", "name": "Cisco IOS 15.2E 15.2(4)E4" } }, { "name": "15.2(2)E7", "category": "service_pack", "product": { "product_id": "CVRFPID-224868", "name": "Cisco IOS 15.2E 15.2(2)E7" } }, { "name": "15.2(5)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-225740", "name": "Cisco IOS 15.2E 15.2(5)E2" } }, { "name": "15.2(4p)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-226077", "name": "Cisco IOS 15.2E 15.2(4p)E1" } }, { "name": "15.2(6)E", "category": "service_pack", "product": { "product_id": "CVRFPID-227598", "name": "Cisco IOS 15.2E 15.2(6)E" } }, { "name": "15.2(5)E2b", "category": "service_pack", "product": { "product_id": "CVRFPID-227754", "name": "Cisco IOS 15.2E 15.2(5)E2b" } }, { "name": "15.2(4)E5", "category": "service_pack", "product": { "product_id": "CVRFPID-227959", "name": "Cisco IOS 15.2E 15.2(4)E5" } }, { "name": "15.2(5)E2c", "category": "service_pack", "product": { "product_id": "CVRFPID-228151", "name": "Cisco IOS 15.2E 15.2(5)E2c" } }, { "name": "15.2(4m)E2", "category": "service_pack", "product": { "product_id": "CVRFPID-230588", "name": "Cisco IOS 15.2E 15.2(4m)E2" } }, { "name": "15.2(4o)E3", "category": "service_pack", "product": { "product_id": "CVRFPID-230589", "name": "Cisco IOS 15.2E 15.2(4o)E3" } }, { "name": "15.2(4q)E1", "category": "service_pack", "product": { "product_id": "CVRFPID-230590", "name": "Cisco IOS 15.2E 15.2(4q)E1" } }, { "name": "15.2(6)E0a", "category": "service_pack", "product": { "product_id": "CVRFPID-230591", "name": "Cisco IOS 15.2E 15.2(6)E0a" } }, { "name": "15.2(6)E0b", "category": "service_pack", "product": { "product_id": "CVRFPID-230623", "name": "Cisco IOS 15.2E 15.2(6)E0b" } }, { "name": "15.2(2)E7b", "category": "service_pack", "product": { "product_id": "CVRFPID-230990", "name": "Cisco IOS 15.2E 15.2(2)E7b" } }, { "name": "15.2(4)E5a", "category": "service_pack", "product": { "product_id": "CVRFPID-231074", "name": "Cisco IOS 15.2E 15.2(4)E5a" } }, { "name": "15.2(6)E0c", "category": "service_pack", "product": { "product_id": "CVRFPID-231245", "name": "Cisco IOS 15.2E 15.2(6)E0c" } } ] }, { "name": "15.0EZ", "category": "product_version", "branches": [ { "name": "15.0(2)EZ", "category": "service_pack", "product": { "product_id": "CVRFPID-190637", "name": "Cisco IOS 15.0EZ 15.0(2)EZ" } } ] }, { "name": "15.2EY", "category": "product_version", "branches": [ { "name": "15.2(1)EY", "category": "service_pack", "product": { "product_id": "CVRFPID-191928", "name": "Cisco IOS 15.2EY 15.2(1)EY" } } ] }, { "name": "15.0EJ", "category": "product_version", "branches": [ { "name": "15.0(2)EJ", "category": "service_pack", "product": { "product_id": "CVRFPID-191948", "name": "Cisco IOS 15.0EJ 15.0(2)EJ" } }, { "name": "15.0(2)EJ1", "category": "service_pack", "product": { "product_id": "CVRFPID-197471", "name": "Cisco IOS 15.0EJ 15.0(2)EJ1" } } ] }, { "name": "15.2SY", "category": "product_version", "branches": [ { "name": "15.2(1)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-192726", "name": "Cisco IOS 15.2SY 15.2(1)SY" } }, { "name": "15.2(1)SY1", "category": "service_pack", "product": { "product_id": "CVRFPID-204828", "name": "Cisco IOS 15.2SY 15.2(1)SY1" } }, { "name": "15.2(1)SY0a", "category": "service_pack", "product": { "product_id": "CVRFPID-209063", "name": "Cisco IOS 15.2SY 15.2(1)SY0a" } }, { "name": "15.2(1)SY2", "category": "service_pack", "product": { "product_id": "CVRFPID-209064", "name": "Cisco IOS 15.2SY 15.2(1)SY2" } }, { "name": "15.2(2)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-209065", "name": "Cisco IOS 15.2SY 15.2(2)SY" } }, { "name": "15.2(1)SY1a", "category": "service_pack", "product": { "product_id": "CVRFPID-209439", "name": "Cisco IOS 15.2SY 15.2(1)SY1a" } }, { "name": "15.2(2)SY1", "category": "service_pack", "product": { "product_id": "CVRFPID-211976", "name": "Cisco IOS 15.2SY 15.2(2)SY1" } }, { "name": "15.2(2)SY2", "category": "service_pack", "product": { "product_id": "CVRFPID-214053", "name": "Cisco IOS 15.2SY 15.2(2)SY2" } }, { "name": "15.2(1)SY3", "category": "service_pack", "product": { "product_id": "CVRFPID-216259", "name": "Cisco IOS 15.2SY 15.2(1)SY3" } }, { "name": "15.2(1)SY4", "category": "service_pack", "product": { "product_id": "CVRFPID-222651", "name": "Cisco IOS 15.2SY 15.2(1)SY4" } }, { "name": "15.2(2)SY3", "category": "service_pack", "product": { "product_id": "CVRFPID-227285", "name": "Cisco IOS 15.2SY 15.2(2)SY3" } }, { "name": "15.2(1)SY5", "category": "service_pack", "product": { "product_id": "CVRFPID-227308", "name": "Cisco IOS 15.2SY 15.2(1)SY5" } } ] }, { "name": "15.2EX", "category": "product_version", "branches": [ { "name": "15.2(5)EX", "category": "service_pack", "product": { "product_id": "CVRFPID-222530", "name": "Cisco IOS 15.2EX 15.2(5)EX" } } ] }, { "name": "15.1SVG", "category": "product_version", "branches": [ { "name": "15.1(3)SVG3d", "category": "service_pack", "product": { "product_id": "CVRFPID-232957", "name": "Cisco IOS 15.1SVG 15.1(3)SVG3d" } } ] }, { "name": "15.2EB", "category": "product_version", "branches": [ { "name": "15.2(2)EB", "category": "service_pack", "product": { "product_id": "CVRFPID-197462", "name": "Cisco IOS 15.2EB 15.2(2)EB" } }, { "name": "15.2(2)EB1", "category": "service_pack", "product": { "product_id": "CVRFPID-209839", "name": "Cisco IOS 15.2EB 15.2(2)EB1" } }, { "name": "15.2(2)EB2", "category": "service_pack", "product": { "product_id": "CVRFPID-214218", "name": "Cisco IOS 15.2EB 15.2(2)EB2" } } ] }, { "name": "15.3SY", "category": "product_version", "branches": [ { "name": "15.3(1)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-209532", "name": "Cisco IOS 15.3SY 15.3(1)SY" } }, { "name": "15.3(0)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-212701", "name": "Cisco IOS 15.3SY 15.3(0)SY" } }, { "name": "15.3(1)SY1", "category": "service_pack", "product": { "product_id": "CVRFPID-216258", "name": "Cisco IOS 15.3SY 15.3(1)SY1" } }, { "name": "15.3(1)SY2", "category": "service_pack", "product": { "product_id": "CVRFPID-220444", "name": "Cisco IOS 15.3SY 15.3(1)SY2" } }, { "name": "15.3(1)SY3", "category": "service_pack", "product": { "product_id": "CVRFPID-230607", "name": "Cisco IOS 15.3SY 15.3(1)SY3" } } ] }, { "name": "15.6SP", "category": "product_version", "branches": [ { "name": "15.6(2)SP3b", "category": "service_pack", "product": { "product_id": "CVRFPID-231824", "name": "Cisco IOS 15.6SP 15.6(2)SP3b" } } ] }, { "name": "15.2EC", "category": "product_version", "branches": [ { "name": "15.2(4)EC1", "category": "service_pack", "product": { "product_id": "CVRFPID-220461", "name": "Cisco IOS 15.2EC 15.2(4)EC1" } }, { "name": "15.2(4)EC2", "category": "service_pack", "product": { "product_id": "CVRFPID-223086", "name": "Cisco IOS 15.2EC 15.2(4)EC2" } } ] }, { "name": "15.4SY", "category": "product_version", "branches": [ { "name": "15.4(1)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-217807", "name": "Cisco IOS 15.4SY 15.4(1)SY" } }, { "name": "15.4(1)SY1", "category": "service_pack", "product": { "product_id": "CVRFPID-220594", "name": "Cisco IOS 15.4SY 15.4(1)SY1" } }, { "name": "15.4(1)SY2", "category": "service_pack", "product": { "product_id": "CVRFPID-224611", "name": "Cisco IOS 15.4SY 15.4(1)SY2" } }, { "name": "15.4(1)SY3", "category": "service_pack", "product": { "product_id": "CVRFPID-228056", "name": "Cisco IOS 15.4SY 15.4(1)SY3" } } ] }, { "name": "15.5SY", "category": "product_version", "branches": [ { "name": "15.5(1)SY", "category": "service_pack", "product": { "product_id": "CVRFPID-225786", "name": "Cisco IOS 15.5SY 15.5(1)SY" } } ] } ] }, { "name": "Cisco IOS XE Software", "category": "product_name", "branches": [ { "name": "3.2SE", "category": "product_version", "branches": [ { "name": "3.2.0SE", "category": "service_pack", "product": { "product_id": "CVRFPID-196216", "name": "Cisco IOS XE Software 3.2SE 3.2.0SE" } }, { "name": "3.2.1SE", "category": "service_pack", "product": { "product_id": "CVRFPID-196221", "name": "Cisco IOS XE Software 3.2SE 3.2.1SE" } }, { "name": "3.2.2SE", "category": "service_pack", "product": { "product_id": "CVRFPID-196222", "name": "Cisco IOS XE Software 3.2SE 3.2.2SE" } }, { "name": "3.2.3SE", "category": "service_pack", "product": { "product_id": "CVRFPID-196223", "name": "Cisco IOS XE Software 3.2SE 3.2.3SE" } } ] }, { "name": "3.3SE", "category": "product_version", "branches": [ { "name": "3.3.0SE", "category": "service_pack", "product": { "product_id": "CVRFPID-196218", "name": "Cisco IOS XE Software 3.3SE 3.3.0SE" } }, { "name": "3.3.1SE", "category": "service_pack", "product": { "product_id": "CVRFPID-196925", "name": "Cisco IOS XE Software 3.3SE 3.3.1SE" } }, { "name": "3.3.2SE", "category": "service_pack", "product": { "product_id": "CVRFPID-206200", "name": "Cisco IOS XE Software 3.3SE 3.3.2SE" } }, { "name": "3.3.3SE", "category": "service_pack", "product": { "product_id": "CVRFPID-206201", "name": "Cisco IOS XE Software 3.3SE 3.3.3SE" } }, { "name": "3.3.4SE", "category": "service_pack", "product": { "product_id": "CVRFPID-206202", "name": "Cisco IOS XE Software 3.3SE 3.3.4SE" } }, { "name": "3.3.5SE", "category": "service_pack", "product": { "product_id": "CVRFPID-206203", "name": "Cisco IOS XE Software 3.3SE 3.3.5SE" } } ] }, { "name": "3.3XO", "category": "product_version", "branches": [ { "name": "3.3.0XO", "category": "service_pack", "product": { "product_id": "CVRFPID-196220", "name": "Cisco IOS XE Software 3.3XO 3.3.0XO" } }, { "name": "3.3.1XO", "category": "service_pack", "product": { "product_id": "CVRFPID-206163", "name": "Cisco IOS XE Software 3.3XO 3.3.1XO" } }, { "name": "3.3.2XO", "category": "service_pack", "product": { "product_id": "CVRFPID-206164", "name": "Cisco IOS XE Software 3.3XO 3.3.2XO" } } ] }, { "name": "3.4SG", "category": "product_version", "branches": [ { "name": "3.4.0SG", "category": "service_pack", "product": { "product_id": "CVRFPID-196230", "name": "Cisco IOS XE Software 3.4SG 3.4.0SG" } }, { "name": "3.4.2SG", "category": "service_pack", "product": { "product_id": "CVRFPID-196231", "name": "Cisco IOS XE Software 3.4SG 3.4.2SG" } }, { "name": "3.4.1SG", "category": "service_pack", "product": { "product_id": "CVRFPID-196288", "name": "Cisco IOS XE Software 3.4SG 3.4.1SG" } }, { "name": "3.4.3SG", "category": "service_pack", "product": { "product_id": "CVRFPID-206165", "name": "Cisco IOS XE Software 3.4SG 3.4.3SG" } }, { "name": "3.4.4SG", "category": "service_pack", "product": { "product_id": "CVRFPID-206166", "name": "Cisco IOS XE Software 3.4SG 3.4.4SG" } }, { "name": "3.4.5SG", "category": "service_pack", "product": { "product_id": "CVRFPID-206167", "name": "Cisco IOS XE Software 3.4SG 3.4.5SG" } }, { "name": "3.4.6SG", "category": "service_pack", "product": { "product_id": "CVRFPID-210070", "name": "Cisco IOS XE Software 3.4SG 3.4.6SG" } }, { "name": "3.4.7SG", "category": "service_pack", "product": { "product_id": "CVRFPID-213785", "name": "Cisco IOS XE Software 3.4SG 3.4.7SG" } }, { "name": "3.4.8SG", "category": "service_pack", "product": { "product_id": "CVRFPID-221185", "name": "Cisco IOS XE Software 3.4SG 3.4.8SG" } } ] }, { "name": "3.5E", "category": "product_version", "branches": [ { "name": "3.5.0E", "category": "service_pack", "product": { "product_id": "CVRFPID-197145", "name": "Cisco IOS XE Software 3.5E 3.5.0E" } }, { "name": "3.5.1E", "category": "service_pack", "product": { "product_id": "CVRFPID-206168", "name": "Cisco IOS XE Software 3.5E 3.5.1E" } }, { "name": "3.5.2E", "category": "service_pack", "product": { "product_id": "CVRFPID-206169", "name": "Cisco IOS XE Software 3.5E 3.5.2E" } }, { "name": "3.5.3E", "category": "service_pack", "product": { "product_id": "CVRFPID-206170", "name": "Cisco IOS XE Software 3.5E 3.5.3E" } } ] }, { "name": "3.6E", "category": "product_version", "branches": [ { "name": "3.6.0E", "category": "service_pack", "product": { "product_id": "CVRFPID-206172", "name": "Cisco IOS XE Software 3.6E 3.6.0E" } }, { "name": "3.6.1E", "category": "service_pack", "product": { "product_id": "CVRFPID-206173", "name": "Cisco IOS XE Software 3.6E 3.6.1E" } }, { "name": "3.6.0aE", "category": "service_pack", "product": { "product_id": "CVRFPID-210073", "name": "Cisco IOS XE Software 3.6E 3.6.0aE" } }, { "name": "3.6.0bE", "category": "service_pack", "product": { "product_id": "CVRFPID-210074", "name": "Cisco IOS XE Software 3.6E 3.6.0bE" } }, { "name": "3.6.2aE", "category": "service_pack", "product": { "product_id": "CVRFPID-210075", "name": "Cisco IOS XE Software 3.6E 3.6.2aE" } }, { "name": "3.6.2E", "category": "service_pack", "product": { "product_id": "CVRFPID-210264", "name": "Cisco IOS XE Software 3.6E 3.6.2E" } }, { "name": "3.6.3E", "category": "service_pack", "product": { "product_id": "CVRFPID-212674", "name": "Cisco IOS XE Software 3.6E 3.6.3E" } }, { "name": "3.6.4E", "category": "service_pack", "product": { "product_id": "CVRFPID-213790", "name": "Cisco IOS XE Software 3.6E 3.6.4E" } }, { "name": "3.6.5E", "category": "service_pack", "product": { "product_id": "CVRFPID-217279", "name": "Cisco IOS XE Software 3.6E 3.6.5E" } }, { "name": "3.6.6E", "category": "service_pack", "product": { "product_id": "CVRFPID-220357", "name": "Cisco IOS XE Software 3.6E 3.6.6E" } }, { "name": "3.6.5aE", "category": "service_pack", "product": { "product_id": "CVRFPID-221108", "name": "Cisco IOS XE Software 3.6E 3.6.5aE" } }, { "name": "3.6.5bE", "category": "service_pack", "product": { "product_id": "CVRFPID-222435", "name": "Cisco IOS XE Software 3.6E 3.6.5bE" } }, { "name": "3.6.7E", "category": "service_pack", "product": { "product_id": "CVRFPID-224840", "name": "Cisco IOS XE Software 3.6E 3.6.7E" } }, { "name": "3.6.7aE", "category": "service_pack", "product": { "product_id": "CVRFPID-230240", "name": "Cisco IOS XE Software 3.6E 3.6.7aE" } }, { "name": "3.6.7bE", "category": "service_pack", "product": { "product_id": "CVRFPID-230998", "name": "Cisco IOS XE Software 3.6E 3.6.7bE" } } ] }, { "name": "3.7E", "category": "product_version", "branches": [ { "name": "3.7.0E", "category": "service_pack", "product": { "product_id": "CVRFPID-206211", "name": "Cisco IOS XE Software 3.7E 3.7.0E" } }, { "name": "3.7.1E", "category": "service_pack", "product": { "product_id": "CVRFPID-210076", "name": "Cisco IOS XE Software 3.7E 3.7.1E" } }, { "name": "3.7.2E", "category": "service_pack", "product": { "product_id": "CVRFPID-210077", "name": "Cisco IOS XE Software 3.7E 3.7.2E" } }, { "name": "3.7.3E", "category": "service_pack", "product": { "product_id": "CVRFPID-213797", "name": "Cisco IOS XE Software 3.7E 3.7.3E" } }, { "name": "3.7.4E", "category": "service_pack", "product": { "product_id": "CVRFPID-217280", "name": "Cisco IOS XE Software 3.7E 3.7.4E" } }, { "name": "3.7.5E", "category": "service_pack", "product": { "product_id": "CVRFPID-220290", "name": "Cisco IOS XE Software 3.7E 3.7.5E" } } ] }, { "name": "16.1", "category": "product_version", "branches": [ { "name": "16.1.1", "category": "service_pack", "product": { "product_id": "CVRFPID-212436", "name": "Cisco IOS XE Software 16.1 16.1.1" } }, { "name": "16.1.2", "category": "service_pack", "product": { "product_id": "CVRFPID-213100", "name": "Cisco IOS XE Software 16.1 16.1.2" } }, { "name": "16.1.3", "category": "service_pack", "product": { "product_id": "CVRFPID-214993", "name": "Cisco IOS XE Software 16.1 16.1.3" } } ] }, { "name": "3.2JA", "category": "product_version", "branches": [ { "name": "3.2.0JA", "category": "service_pack", "product": { "product_id": "CVRFPID-213783", "name": "Cisco IOS XE Software 3.2JA 3.2.0JA" } } ] }, { "name": "16.2", "category": "product_version", "branches": [ { "name": "16.2.1", "category": "service_pack", "product": { "product_id": "CVRFPID-213809", "name": "Cisco IOS XE Software 16.2 16.2.1" } }, { "name": "16.2.2", "category": "service_pack", "product": { "product_id": "CVRFPID-217253", "name": "Cisco IOS XE Software 16.2 16.2.2" } } ] }, { "name": "3.8E", "category": "product_version", "branches": [ { "name": "3.8.0E", "category": "service_pack", "product": { "product_id": "CVRFPID-213811", "name": "Cisco IOS XE Software 3.8E 3.8.0E" } }, { "name": "3.8.1E", "category": "service_pack", "product": { "product_id": "CVRFPID-213812", "name": "Cisco IOS XE Software 3.8E 3.8.1E" } }, { "name": "3.8.2E", "category": "service_pack", "product": { "product_id": "CVRFPID-217283", "name": "Cisco IOS XE Software 3.8E 3.8.2E" } }, { "name": "3.8.3E", "category": "service_pack", "product": { "product_id": "CVRFPID-220489", "name": "Cisco IOS XE Software 3.8E 3.8.3E" } }, { "name": "3.8.4E", "category": "service_pack", "product": { "product_id": "CVRFPID-222695", "name": "Cisco IOS XE Software 3.8E 3.8.4E" } }, { "name": "3.8.5E", "category": "service_pack", "product": { "product_id": "CVRFPID-226331", "name": "Cisco IOS XE Software 3.8E 3.8.5E" } }, { "name": "3.8.5aE", "category": "service_pack", "product": { "product_id": "CVRFPID-231004", "name": "Cisco IOS XE Software 3.8E 3.8.5aE" } } ] }, { "name": "16.3", "category": "product_version", "branches": [ { "name": "16.3.1", "category": "service_pack", "product": { "product_id": "CVRFPID-213960", "name": "Cisco IOS XE Software 16.3 16.3.1" } }, { "name": "16.3.2", "category": "service_pack", "product": { "product_id": "CVRFPID-217255", "name": "Cisco IOS XE Software 16.3 16.3.2" } }, { "name": "16.3.3", "category": "service_pack", "product": { "product_id": "CVRFPID-217256", "name": "Cisco IOS XE Software 16.3 16.3.3" } }, { "name": "16.3.1a", "category": "service_pack", "product": { "product_id": "CVRFPID-220802", "name": "Cisco IOS XE Software 16.3 16.3.1a" } }, { "name": "16.3.4", "category": "service_pack", "product": { "product_id": "CVRFPID-222711", "name": "Cisco IOS XE Software 16.3 16.3.4" } }, { "name": "16.3.5", "category": "service_pack", "product": { "product_id": "CVRFPID-229124", "name": "Cisco IOS XE Software 16.3 16.3.5" } }, { "name": "16.3.5b", "category": "service_pack", "product": { "product_id": "CVRFPID-231187", "name": "Cisco IOS XE Software 16.3 16.3.5b" } } ] }, { "name": "16.4", "category": "product_version", "branches": [ { "name": "16.4.1", "category": "service_pack", "product": { "product_id": "CVRFPID-214051", "name": "Cisco IOS XE Software 16.4 16.4.1" } } ] }, { "name": "16.5", "category": "product_version", "branches": [ { "name": "16.5.1", "category": "service_pack", "product": { "product_id": "CVRFPID-217259", "name": "Cisco IOS XE Software 16.5 16.5.1" } }, { "name": "16.5.1a", "category": "service_pack", "product": { "product_id": "CVRFPID-225784", "name": "Cisco IOS XE Software 16.5 16.5.1a" } } ] }, { "name": "3.9E", "category": "product_version", "branches": [ { "name": "3.9.0E", "category": "service_pack", "product": { "product_id": "CVRFPID-217282", "name": "Cisco IOS XE Software 3.9E 3.9.0E" } }, { "name": "3.9.1E", "category": "service_pack", "product": { "product_id": "CVRFPID-222483", "name": "Cisco IOS XE Software 3.9E 3.9.1E" } }, { "name": "3.9.2E", "category": "service_pack", "product": { "product_id": "CVRFPID-226158", "name": "Cisco IOS XE Software 3.9E 3.9.2E" } }, { "name": "3.9.2bE", "category": "service_pack", "product": { "product_id": "CVRFPID-227755", "name": "Cisco IOS XE Software 3.9E 3.9.2bE" } } ] }, { "name": "16.6", "category": "product_version", "branches": [ { "name": "16.6.1", "category": "service_pack", "product": { "product_id": "CVRFPID-218901", "name": "Cisco IOS XE Software 16.6 16.6.1" } }, { "name": "16.6.4", "category": "service_pack", "product": { "product_id": "CVRFPID-233155", "name": "Cisco IOS XE Software 16.6 16.6.4" } } ] }, { "name": "16.8", "category": "product_version", "branches": [ { "name": "16.8.1s", "category": "service_pack", "product": { "product_id": "CVRFPID-236834", "name": "Cisco IOS XE Software 16.8 16.8.1s" } } ] }, { "name": "3.10E", "category": "product_version", "branches": [ { "name": "3.10.0E", "category": "service_pack", "product": { "product_id": "CVRFPID-227555", "name": "Cisco IOS XE Software 3.10E 3.10.0E" } }, { "name": "3.10.0cE", "category": "service_pack", "product": { "product_id": "CVRFPID-231246", "name": "Cisco IOS XE Software 3.10E 3.10.0cE" } } ] } ] } ] } ] }, "vulnerabilities": [ { "title": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability", "ids": [ { "system_name": "Cisco Bug ID", "text": "CSCvg76186" } ], "notes": [ { "title": "Summary", "category": "summary", "text": "A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.\n\n\n\nThe vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:\n\n\n Triggering a reload of the device\n Allowing the attacker to execute arbitrary code on the device\n Causing an indefinite loop on the affected device that triggers a watchdog crash" }, { "title": "Cisco Bug IDs", "category": "other", "text": "CSCvg76186" } ], "cve": "CVE-2018-0171", "product_status": { "known_affected": [ "CVRFPID-103559", "CVRFPID-103763", "CVRFPID-104376", "CVRFPID-105394", "CVRFPID-105660", "CVRFPID-105689", "CVRFPID-105987", "CVRFPID-106029", "CVRFPID-106674", "CVRFPID-107283", "CVRFPID-107852", "CVRFPID-108306", "CVRFPID-109098", "CVRFPID-109439", "CVRFPID-109760", "CVRFPID-109808", "CVRFPID-111010", "CVRFPID-111019", "CVRFPID-111674", "CVRFPID-112489", "CVRFPID-113961", "CVRFPID-114665", "CVRFPID-115285", "CVRFPID-115477", "CVRFPID-115832", "CVRFPID-115939", "CVRFPID-116083", "CVRFPID-183811", "CVRFPID-184125", "CVRFPID-184932", "CVRFPID-187057", "CVRFPID-187269", "CVRFPID-188035", "CVRFPID-188061", "CVRFPID-189064", "CVRFPID-189115", "CVRFPID-189187", "CVRFPID-189219", "CVRFPID-189455", "CVRFPID-190635", "CVRFPID-190637", "CVRFPID-191635", "CVRFPID-191928", "CVRFPID-191948", "CVRFPID-192702", "CVRFPID-192706", "CVRFPID-192726", "CVRFPID-192910", "CVRFPID-192911", "CVRFPID-193283", "CVRFPID-194540", "CVRFPID-194741", "CVRFPID-194913", "CVRFPID-194944", "CVRFPID-195469", "CVRFPID-195489", "CVRFPID-195770", "CVRFPID-195943", "CVRFPID-197462", "CVRFPID-197465", "CVRFPID-197471", "CVRFPID-197483", "CVRFPID-198059", "CVRFPID-198060", "CVRFPID-198426", "CVRFPID-198542", "CVRFPID-200488", "CVRFPID-200496", "CVRFPID-201019", "CVRFPID-201074", "CVRFPID-201366", "CVRFPID-204097", "CVRFPID-204102", "CVRFPID-204108", "CVRFPID-204109", "CVRFPID-204110", "CVRFPID-204186", "CVRFPID-204187", "CVRFPID-204228", "CVRFPID-204818", "CVRFPID-204828", "CVRFPID-204831", "CVRFPID-204832", "CVRFPID-205064", "CVRFPID-205672", "CVRFPID-209028", "CVRFPID-209029", "CVRFPID-209034", "CVRFPID-209043", "CVRFPID-209044", "CVRFPID-209045", "CVRFPID-209046", "CVRFPID-209047", "CVRFPID-209063", "CVRFPID-209064", "CVRFPID-209065", "CVRFPID-209358", "CVRFPID-209359", "CVRFPID-209439", "CVRFPID-209532", "CVRFPID-209839", "CVRFPID-209887", "CVRFPID-210406", "CVRFPID-210732", "CVRFPID-210766", "CVRFPID-211296", "CVRFPID-211570", "CVRFPID-211976", "CVRFPID-212329", "CVRFPID-212701", "CVRFPID-213610", "CVRFPID-213788", "CVRFPID-214052", "CVRFPID-214053", "CVRFPID-214072", "CVRFPID-214078", "CVRFPID-214218", "CVRFPID-214556", "CVRFPID-214797", "CVRFPID-214992", "CVRFPID-216258", "CVRFPID-216259", "CVRFPID-216295", "CVRFPID-217805", "CVRFPID-217807", "CVRFPID-218891", "CVRFPID-218995", "CVRFPID-220440", "CVRFPID-220441", "CVRFPID-220444", "CVRFPID-220457", "CVRFPID-220461", "CVRFPID-220466", "CVRFPID-220594", "CVRFPID-220664", "CVRFPID-220689", "CVRFPID-221033", "CVRFPID-221137", "CVRFPID-222275", "CVRFPID-222342", "CVRFPID-222436", "CVRFPID-222500", "CVRFPID-222530", "CVRFPID-222650", "CVRFPID-222651", "CVRFPID-222924", "CVRFPID-223086", "CVRFPID-223143", "CVRFPID-224553", "CVRFPID-224611", "CVRFPID-224868", "CVRFPID-225160", "CVRFPID-225740", "CVRFPID-225786", "CVRFPID-226077", "CVRFPID-227285", "CVRFPID-227307", "CVRFPID-227308", "CVRFPID-227598", "CVRFPID-227754", "CVRFPID-227959", "CVRFPID-228056", "CVRFPID-228057", "CVRFPID-228151", "CVRFPID-230588", "CVRFPID-230589", "CVRFPID-230590", "CVRFPID-230591", "CVRFPID-230607", "CVRFPID-230623", "CVRFPID-230962", "CVRFPID-230965", "CVRFPID-230990", "CVRFPID-231074", "CVRFPID-231245", "CVRFPID-231824", "CVRFPID-232957", "CVRFPID-233143", "CVRFPID-233796", "CVRFPID-234926", "CVRFPID-196216", "CVRFPID-196218", "CVRFPID-196220", "CVRFPID-196221", "CVRFPID-196222", "CVRFPID-196223", "CVRFPID-196230", "CVRFPID-196231", "CVRFPID-196288", "CVRFPID-196925", "CVRFPID-197145", "CVRFPID-206163", "CVRFPID-206164", "CVRFPID-206165", "CVRFPID-206166", "CVRFPID-206167", "CVRFPID-206168", "CVRFPID-206169", "CVRFPID-206170", "CVRFPID-206172", "CVRFPID-206173", "CVRFPID-206200", "CVRFPID-206201", "CVRFPID-206202", "CVRFPID-206203", "CVRFPID-206211", "CVRFPID-210070", "CVRFPID-210073", "CVRFPID-210074", "CVRFPID-210075", "CVRFPID-210076", "CVRFPID-210077", "CVRFPID-210264", "CVRFPID-212436", "CVRFPID-212674", "CVRFPID-213100", "CVRFPID-213783", "CVRFPID-213785", "CVRFPID-213790", "CVRFPID-213797", "CVRFPID-213809", "CVRFPID-213811", "CVRFPID-213812", "CVRFPID-213960", "CVRFPID-214051", "CVRFPID-214993", "CVRFPID-217253", "CVRFPID-217255", "CVRFPID-217256", "CVRFPID-217259", "CVRFPID-217279", "CVRFPID-217280", "CVRFPID-217282", "CVRFPID-217283", "CVRFPID-218901", "CVRFPID-220290", "CVRFPID-220357", "CVRFPID-220489", "CVRFPID-220802", "CVRFPID-221108", "CVRFPID-221185", "CVRFPID-222435", "CVRFPID-222483", "CVRFPID-222695", "CVRFPID-222711", "CVRFPID-224840", "CVRFPID-225784", "CVRFPID-226158", "CVRFPID-226331", "CVRFPID-227555", "CVRFPID-227755", "CVRFPID-229124", "CVRFPID-230240", "CVRFPID-230998", "CVRFPID-231004", "CVRFPID-231187", "CVRFPID-231246", "CVRFPID-233155", "CVRFPID-236834" ] }, "scores": [ { "products": [ "CVRFPID-103559", "CVRFPID-103763", "CVRFPID-104376", "CVRFPID-105394", "CVRFPID-105660", "CVRFPID-105689", "CVRFPID-105987", "CVRFPID-106029", "CVRFPID-106674", "CVRFPID-107283", "CVRFPID-107852", "CVRFPID-108306", "CVRFPID-109098", "CVRFPID-109439", "CVRFPID-109760", "CVRFPID-109808", "CVRFPID-111010", "CVRFPID-111019", "CVRFPID-111674", "CVRFPID-112489", "CVRFPID-113961", "CVRFPID-114665", "CVRFPID-115285", "CVRFPID-115477", "CVRFPID-115832", "CVRFPID-115939", "CVRFPID-116083", "CVRFPID-183811", "CVRFPID-184125", "CVRFPID-184932", "CVRFPID-187057", "CVRFPID-187269", "CVRFPID-188035", "CVRFPID-188061", "CVRFPID-189064", "CVRFPID-189115", "CVRFPID-189187", "CVRFPID-189219", "CVRFPID-189455", "CVRFPID-190635", "CVRFPID-190637", "CVRFPID-191635", "CVRFPID-191928", "CVRFPID-191948", "CVRFPID-192702", "CVRFPID-192706", "CVRFPID-192726", "CVRFPID-192910", "CVRFPID-192911", "CVRFPID-193283", "CVRFPID-194540", "CVRFPID-194741", "CVRFPID-194913", "CVRFPID-194944", "CVRFPID-195469", "CVRFPID-195489", "CVRFPID-195770", "CVRFPID-195943", "CVRFPID-197462", "CVRFPID-197465", "CVRFPID-197471", "CVRFPID-197483", "CVRFPID-198059", "CVRFPID-198060", "CVRFPID-198426", "CVRFPID-198542", "CVRFPID-200488", "CVRFPID-200496", "CVRFPID-201019", "CVRFPID-201074", "CVRFPID-201366", "CVRFPID-204097", "CVRFPID-204102", "CVRFPID-204108", "CVRFPID-204109", "CVRFPID-204110", "CVRFPID-204186", "CVRFPID-204187", "CVRFPID-204228", "CVRFPID-204818", "CVRFPID-204828", "CVRFPID-204831", "CVRFPID-204832", "CVRFPID-205064", "CVRFPID-205672", "CVRFPID-209028", "CVRFPID-209029", "CVRFPID-209034", "CVRFPID-209043", "CVRFPID-209044", "CVRFPID-209045", "CVRFPID-209046", "CVRFPID-209047", "CVRFPID-209063", "CVRFPID-209064", "CVRFPID-209065", "CVRFPID-209358", "CVRFPID-209359", "CVRFPID-209439", "CVRFPID-209532", "CVRFPID-209839", "CVRFPID-209887", "CVRFPID-210406", "CVRFPID-210732", "CVRFPID-210766", "CVRFPID-211296", "CVRFPID-211570", "CVRFPID-211976", "CVRFPID-212329", "CVRFPID-212701", "CVRFPID-213610", "CVRFPID-213788", "CVRFPID-214052", "CVRFPID-214053", "CVRFPID-214072", "CVRFPID-214078", "CVRFPID-214218", "CVRFPID-214556", "CVRFPID-214797", "CVRFPID-214992", "CVRFPID-216258", "CVRFPID-216259", "CVRFPID-216295", "CVRFPID-217805", "CVRFPID-217807", "CVRFPID-218891", "CVRFPID-218995", "CVRFPID-220440", "CVRFPID-220441", "CVRFPID-220444", "CVRFPID-220457", "CVRFPID-220461", "CVRFPID-220466", "CVRFPID-220594", "CVRFPID-220664", "CVRFPID-220689", "CVRFPID-221033", "CVRFPID-221137", "CVRFPID-222275", "CVRFPID-222342", "CVRFPID-222436", "CVRFPID-222500", "CVRFPID-222530", "CVRFPID-222650", "CVRFPID-222651", "CVRFPID-222924", "CVRFPID-223086", "CVRFPID-223143", "CVRFPID-224553", "CVRFPID-224611", "CVRFPID-224868", "CVRFPID-225160", "CVRFPID-225740", "CVRFPID-225786", "CVRFPID-226077", "CVRFPID-227285", "CVRFPID-227307", "CVRFPID-227308", "CVRFPID-227598", "CVRFPID-227754", "CVRFPID-227959", "CVRFPID-228056", "CVRFPID-228057", "CVRFPID-228151", "CVRFPID-230588", "CVRFPID-230589", "CVRFPID-230590", "CVRFPID-230591", "CVRFPID-230607", "CVRFPID-230623", "CVRFPID-230962", "CVRFPID-230965", "CVRFPID-230990", "CVRFPID-231074", "CVRFPID-231245", "CVRFPID-231824", "CVRFPID-232957", "CVRFPID-233143", "CVRFPID-233796", "CVRFPID-234926", "CVRFPID-196216", "CVRFPID-196218", "CVRFPID-196220", "CVRFPID-196221", "CVRFPID-196222", "CVRFPID-196223", "CVRFPID-196230", "CVRFPID-196231", "CVRFPID-196288", "CVRFPID-196925", "CVRFPID-197145", "CVRFPID-206163", "CVRFPID-206164", "CVRFPID-206165", "CVRFPID-206166", "CVRFPID-206167", "CVRFPID-206168", "CVRFPID-206169", "CVRFPID-206170", "CVRFPID-206172", "CVRFPID-206173", "CVRFPID-206200", "CVRFPID-206201", "CVRFPID-206202", "CVRFPID-206203", "CVRFPID-206211", "CVRFPID-210070", "CVRFPID-210073", "CVRFPID-210074", "CVRFPID-210075", "CVRFPID-210076", "CVRFPID-210077", "CVRFPID-210264", "CVRFPID-212436", "CVRFPID-212674", "CVRFPID-213100", "CVRFPID-213783", "CVRFPID-213785", "CVRFPID-213790", "CVRFPID-213797", "CVRFPID-213809", "CVRFPID-213811", "CVRFPID-213812", "CVRFPID-213960", "CVRFPID-214051", "CVRFPID-214993", "CVRFPID-217253", "CVRFPID-217255", "CVRFPID-217256", "CVRFPID-217259", "CVRFPID-217279", "CVRFPID-217280", "CVRFPID-217282", "CVRFPID-217283", "CVRFPID-218901", "CVRFPID-220290", "CVRFPID-220357", "CVRFPID-220489", "CVRFPID-220802", "CVRFPID-221108", "CVRFPID-221185", "CVRFPID-222435", "CVRFPID-222483", "CVRFPID-222695", "CVRFPID-222711", "CVRFPID-224840", "CVRFPID-225784", "CVRFPID-226158", "CVRFPID-226331", "CVRFPID-227555", "CVRFPID-227755", "CVRFPID-229124", "CVRFPID-230240", "CVRFPID-230998", "CVRFPID-231004", "CVRFPID-231187", "CVRFPID-231246", "CVRFPID-233155", "CVRFPID-236834" ], "cvss_v3": { "version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } } ], "remediations": [ { "details": "There are no workarounds that address this vulnerability for customers who require the use of Cisco Smart Install. For customers not requiring Cisco Smart Install, the feature can be disabled with the no vstack command. In software releases that are associated with Cisco Bug ID CSCvd36820 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd36820\"], Cisco Smart Install will auto-disable if not in use.\n\nAdministrators are encouraged to consult the informational security advisory on Cisco Smart Install Protocol Misuse [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi\"] and the Smart Install Configuration Guide [\"http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355\"].", "category": "workaround", "product_ids": [ "CVRFPID-103559", "CVRFPID-103763", "CVRFPID-104376", "CVRFPID-105394", "CVRFPID-105660", "CVRFPID-105689", "CVRFPID-105987", "CVRFPID-106029", "CVRFPID-106674", "CVRFPID-107283", "CVRFPID-107852", "CVRFPID-108306", "CVRFPID-109098", "CVRFPID-109439", "CVRFPID-109760", "CVRFPID-109808", "CVRFPID-111010", "CVRFPID-111019", "CVRFPID-111674", "CVRFPID-112489", "CVRFPID-113961", "CVRFPID-114665", "CVRFPID-115285", "CVRFPID-115477", "CVRFPID-115832", "CVRFPID-115939", "CVRFPID-116083", "CVRFPID-183811", "CVRFPID-184125", "CVRFPID-184932", "CVRFPID-187057", "CVRFPID-187269", "CVRFPID-188035", "CVRFPID-188061", "CVRFPID-189064", "CVRFPID-189115", "CVRFPID-189187", "CVRFPID-189219", "CVRFPID-189455", "CVRFPID-190635", "CVRFPID-190637", "CVRFPID-191635", "CVRFPID-191928", "CVRFPID-191948", "CVRFPID-192702", "CVRFPID-192706", "CVRFPID-192726", "CVRFPID-192910", "CVRFPID-192911", "CVRFPID-193283", "CVRFPID-194540", "CVRFPID-194741", "CVRFPID-194913", "CVRFPID-194944", "CVRFPID-195469", "CVRFPID-195489", "CVRFPID-195770", "CVRFPID-195943", "CVRFPID-197462", "CVRFPID-197465", "CVRFPID-197471", "CVRFPID-197483", "CVRFPID-198059", "CVRFPID-198060", "CVRFPID-198426", "CVRFPID-198542", "CVRFPID-200488", "CVRFPID-200496", "CVRFPID-201019", "CVRFPID-201074", "CVRFPID-201366", "CVRFPID-204097", "CVRFPID-204102", "CVRFPID-204108", "CVRFPID-204109", "CVRFPID-204110", "CVRFPID-204186", "CVRFPID-204187", "CVRFPID-204228", "CVRFPID-204818", "CVRFPID-204828", "CVRFPID-204831", "CVRFPID-204832", "CVRFPID-205064", "CVRFPID-205672", "CVRFPID-209028", "CVRFPID-209029", "CVRFPID-209034", "CVRFPID-209043", "CVRFPID-209044", "CVRFPID-209045", "CVRFPID-209046", "CVRFPID-209047", "CVRFPID-209063", "CVRFPID-209064", "CVRFPID-209065", "CVRFPID-209358", "CVRFPID-209359", "CVRFPID-209439", "CVRFPID-209532", "CVRFPID-209839", "CVRFPID-209887", "CVRFPID-210406", "CVRFPID-210732", "CVRFPID-210766", "CVRFPID-211296", "CVRFPID-211570", "CVRFPID-211976", "CVRFPID-212329", "CVRFPID-212701", "CVRFPID-213610", "CVRFPID-213788", "CVRFPID-214052", "CVRFPID-214053", "CVRFPID-214072", "CVRFPID-214078", "CVRFPID-214218", "CVRFPID-214556", "CVRFPID-214797", "CVRFPID-214992", "CVRFPID-216258", "CVRFPID-216259", "CVRFPID-216295", "CVRFPID-217805", "CVRFPID-217807", "CVRFPID-218891", "CVRFPID-218995", "CVRFPID-220440", "CVRFPID-220441", "CVRFPID-220444", "CVRFPID-220457", "CVRFPID-220461", "CVRFPID-220466", "CVRFPID-220594", "CVRFPID-220664", "CVRFPID-220689", "CVRFPID-221033", "CVRFPID-221137", "CVRFPID-222275", "CVRFPID-222342", "CVRFPID-222436", "CVRFPID-222500", "CVRFPID-222530", "CVRFPID-222650", "CVRFPID-222651", "CVRFPID-222924", "CVRFPID-223086", "CVRFPID-223143", "CVRFPID-224553", "CVRFPID-224611", "CVRFPID-224868", "CVRFPID-225160", "CVRFPID-225740", "CVRFPID-225786", "CVRFPID-226077", "CVRFPID-227285", "CVRFPID-227307", "CVRFPID-227308", "CVRFPID-227598", "CVRFPID-227754", "CVRFPID-227959", "CVRFPID-228056", "CVRFPID-228057", "CVRFPID-228151", "CVRFPID-230588", "CVRFPID-230589", "CVRFPID-230590", "CVRFPID-230591", "CVRFPID-230607", "CVRFPID-230623", "CVRFPID-230962", "CVRFPID-230965", "CVRFPID-230990", "CVRFPID-231074", "CVRFPID-231245", "CVRFPID-231824", "CVRFPID-232957", "CVRFPID-233143", "CVRFPID-233796", "CVRFPID-234926", "CVRFPID-196216", "CVRFPID-196218", "CVRFPID-196220", "CVRFPID-196221", "CVRFPID-196222", "CVRFPID-196223", "CVRFPID-196230", "CVRFPID-196231", "CVRFPID-196288", "CVRFPID-196925", "CVRFPID-197145", "CVRFPID-206163", "CVRFPID-206164", "CVRFPID-206165", "CVRFPID-206166", "CVRFPID-206167", "CVRFPID-206168", "CVRFPID-206169", "CVRFPID-206170", "CVRFPID-206172", "CVRFPID-206173", "CVRFPID-206200", "CVRFPID-206201", "CVRFPID-206202", "CVRFPID-206203", "CVRFPID-206211", "CVRFPID-210070", "CVRFPID-210073", "CVRFPID-210074", "CVRFPID-210075", "CVRFPID-210076", "CVRFPID-210077", "CVRFPID-210264", "CVRFPID-212436", "CVRFPID-212674", "CVRFPID-213100", "CVRFPID-213783", "CVRFPID-213785", "CVRFPID-213790", "CVRFPID-213797", "CVRFPID-213809", "CVRFPID-213811", "CVRFPID-213812", "CVRFPID-213960", "CVRFPID-214051", "CVRFPID-214993", "CVRFPID-217253", "CVRFPID-217255", "CVRFPID-217256", "CVRFPID-217259", "CVRFPID-217279", "CVRFPID-217280", "CVRFPID-217282", "CVRFPID-217283", "CVRFPID-218901", "CVRFPID-220290", "CVRFPID-220357", "CVRFPID-220489", "CVRFPID-220802", "CVRFPID-221108", "CVRFPID-221185", "CVRFPID-222435", "CVRFPID-222483", "CVRFPID-222695", "CVRFPID-222711", "CVRFPID-224840", "CVRFPID-225784", "CVRFPID-226158", "CVRFPID-226331", "CVRFPID-227555", "CVRFPID-227755", "CVRFPID-229124", "CVRFPID-230240", "CVRFPID-230998", "CVRFPID-231004", "CVRFPID-231187", "CVRFPID-231246", "CVRFPID-233155", "CVRFPID-236834" ] } ], "references": [ { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2", "summary": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability" } ] } ] }CSAF-0.25/t/examples/bsi-2022-0001.json0000644000175000017500000001507714567456232015702 0ustar peppepeppe{ "document": { "aggregate_severity": { "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "publisher": { "category": "coordinator", "name": "Bundesamt für Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "title": "CVRF-CSAF-Converter: XML External Entities Vulnerability", "tracking": { "current_release_date": "2022-03-17T13:03:42.105Z", "generator": { "date": "2022-03-17T13:09:42.105Z", "engine": { "name": "Secvisogram", "version": "1.12.1" } }, "id": "BSI-2022-0001", "initial_release_date": "2022-03-17T13:03:42.105Z", "revision_history": [ { "date": "2022-03-17T13:03:42.105Z", "number": "1", "summary": "Initial revision" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "1.0.0-alpha", "product": { "name": "CSAF Tools CVRF-CSAF-Converter 1.0.0-alpha", "product_id": "CSAFPID-0001", "product_identification_helper": { "cpe": "cpe:/a:csaf-tools:cvrf-csaf-converter:1.0.0-alpha" } } }, { "category": "product_version", "name": "1.0.0-dev1", "product": { "name": "CSAF Tools CVRF-CSAF-Converter 1.0.0-dev1", "product_id": "CSAFPID-0002", "product_identification_helper": { "cpe": "cpe:/a:csaf-tools:cvrf-csaf-converter:1.0.0-dev1" } } }, { "category": "product_version", "name": "1.0.0-dev2", "product": { "name": "CSAF Tools CVRF-CSAF-Converter 1.0.0-dev2", "product_id": "CSAFPID-0003", "product_identification_helper": { "cpe": "cpe:/a:csaf-tools:cvrf-csaf-converter:1.0.0-dev2" } } }, { "category": "product_version", "name": "1.0.0-dev3", "product": { "name": "CSAF Tools CVRF-CSAF-Converter 1.0.0-dev3", "product_id": "CSAFPID-0004", "product_identification_helper": { "cpe": "cpe:/a:csaf-tools:cvrf-csaf-converter:1.0.0-dev3" } } }, { "category": "product_version", "name": "1.0.0-rc1", "product": { "name": "CSAF Tools CVRF-CSAF-Converter 1.0.0-rc1", "product_id": "CSAFPID-0005", "product_identification_helper": { "cpe": "cpe:/a:csaf-tools:cvrf-csaf-converter:1.0.0-rc1" } } }, { "category": "product_version", "name": "1.0.0-rc2", "product": { "name": "CSAF Tools CVRF-CSAF-Converter 1.0.0-rc2", "product_id": "CSAFPID-0006", "product_identification_helper": { "cpe": "cpe:/a:csaf-tools:cvrf-csaf-converter:1.0.0-rc2" } } } ], "category": "product_name", "name": "CVRF-CSAF-Converter" } ], "category": "vendor", "name": "CSAF Tools" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Damian Pfammatter" ], "organization": "Cyber-Defense Campus", "summary": "Finding and reporting the vulnerability" } ], "cve": "CVE-2022-27193", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "ids": [ { "system_name": "Github Issue", "text": "csaf-tools/CVRF-CSAF-Converter#78" } ], "notes": [ { "category": "description", "text": "CSAF Tools CVRF-CSAF-Converter 1.0.0-rc1 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.", "title": "Vulnerability description" } ], "product_status": { "first_fixed": [ "CSAFPID-0006" ], "fixed": [ "CSAFPID-0006" ], "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004", "CSAFPID-0005" ] }, "remediations": [ { "category": "vendor_fix", "date": "2022-03-14T13:10:55.000+01:00", "details": "Update to the latest version of the product. At least version 1.0.0-rc2", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004", "CSAFPID-0005" ], "url": "https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "FUNCTIONAL", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004", "CSAFPID-0005" ] } ] } ] }CSAF-0.25/t/manifest.t0000644000175000017500000000045214572605164013431 0ustar peppepeppe#!perl -T use strict; use warnings; use Test::More; unless ($ENV{RELEASE_TESTING}) { plan(skip_all => "Author tests not required for installation"); } my $min_tcm = 0.9; eval "use Test::CheckManifest $min_tcm"; plan skip_all => "Test::CheckManifest $min_tcm required" if $@; ok_manifest(); CSAF-0.25/t/10-mandatory-6.1.22.t0000644000175000017500000000263014572605164014563 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.22 Multiple Definition in Revision History # It MUST be tested that items of the revision history do not contain the same version number. # The relevant path for this test is: # /document/tracking/revision_history # Fail test: # "revision_history": [ # { # "date": "2021-07-20T10:00:00.000Z", # "number": "1", # "summary": "Initial version." # }, # { # "date": "2021-07-21T10:00:00.000Z", # "number": "1", # "summary": "Some other changes." # } # ] my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add(date => 'now', summary => 'Initial version.', number => '1'); $tracking->revision_history->add(date => 'now', summary => 'Some other changes.', number => '1'); exec_validator_mandatory_test($csaf, '6.1.22'); done_testing; CSAF-0.25/t/pod-coverage.t0000644000175000017500000000122214572605164014172 0ustar peppepeppe#!perl -T use strict; use warnings; use Test::More; unless ($ENV{RELEASE_TESTING}) { plan(skip_all => "Author tests not required for installation"); } # Ensure a recent version of Test::Pod::Coverage my $min_tpc = 1.08; eval "use Test::Pod::Coverage $min_tpc"; plan skip_all => "Test::Pod::Coverage $min_tpc required for testing POD coverage" if $@; # Test::Pod::Coverage doesn't require a minimum Pod::Coverage version, # but older versions don't recognize some common documentation styles my $min_pc = 0.18; eval "use Pod::Coverage $min_pc"; plan skip_all => "Pod::Coverage $min_pc required for testing POD coverage" if $@; all_pod_coverage_ok(); CSAF-0.25/t/10-mandatory-6.1.13.t0000644000175000017500000000220514572605164014561 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); # 6.1.13 PURL # It MUST be tested that given PURL is valid. # The relevant paths for this test are: # /product_tree/branches[](/branches[])*/product/product_identification_helper/purl # /product_tree/full_product_names[]/product_identification_helper/purl # /product_tree/relationships[]/full_product_name/product_identification_helper/purl # Fail test: # "product_tree": { # "full_product_names": [ # { # "name": "Product A", # "product_id": "CSAFPID-9080700", # "product_identification_helper": { # "purl": "pkg:maven/@1.3.4" # } # } # ] # } my $csaf = base_csaf_security_advisory(); my $product = $csaf->product_tree->full_product_names->add( name => 'Product A', product_id => 'CSAFPID-9080700', product_identification_helper => {purl => 'pkg:maven/@1.3.4'} ); exec_validator_mandatory_test($csaf, '6.1.13'); done_testing; CSAF-0.25/t/10-mandatory-6.1.11.t0000644000175000017500000000142114572605165014557 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); # 6.1.11 CWE # It MUST be tested that given CWE exists and is valid. # The relevant path for this test is: # /vulnerabilities[]/cwe # Fail test: # "cwe": { # "id": "CWE-79", # "name": "Improper Input Validation" # } my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->cwe(id => 'CWE-79', name => 'Improper Input Validation'); exec_validator_mandatory_test($csaf, '6.1.11'); done_testing; CSAF-0.25/t/10-mandatory-6.1.20.t0000644000175000017500000000216714572605165014567 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.20 Non-draft Document Version # It MUST be tested that document version does not contain a pre-release part if the document status is final or interim. # The relevant path for this test is: # /document/tracking/version # Fail test: # "tracking": { # // ... # "status": "interim", # "version": "1.0.0-alpha" # } foreach my $status (qw(interim final)) { my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => $status, version => '1.0.0-alpha', initial_release_date => 'now', current_release_date => 'now' ); exec_validator_mandatory_test($csaf, '6.1.20'); } done_testing; CSAF-0.25/t/10-mandatory-6.1.27.01.t0000644000175000017500000000317614704316755015017 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.1 Document Notes # It MUST be tested that at least one item in /document/notes exists which has a category of description, details, general or summary. # The relevant values for /document/category are: # csaf_informational_advisory # csaf_security_incident_response # The relevant path for this test is: # /document/notes # Fail test: # "notes": [ # { # "category": "legal_disclaimer", # "text": "The CSAF document is provided to You \"AS IS\" and \"AS AVAILABLE\" and with all faults and defects without warranty of any kind.", # "title": "Terms of Use" # } # ] my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.1'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $csaf->document->notes->add( category => 'legal_disclaimer', title => 'Terms of Use', text => 'The CSAF document is provided to You \"AS IS\" and \"AS AVAILABLE\" and with all faults and defects without warranty of any kind.', ); foreach my $category (qw(csaf_informational_advisory csaf_security_incident_response)) { $csaf->document->category($category); exec_validator_mandatory_test($csaf, '6.1.27.1'); } done_testing; CSAF-0.25/t/10-mandatory-6.1.08.t0000644000175000017500000000212614704316755014571 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test); use CSAF::Validator::MandatoryTests; # 6.1.8 Invalid CVSS # It MUST be tested that the given CVSS object is valid according to the referenced schema. # The relevant paths for this test are: # /vulnerabilities[]/scores[]/cvss_v2 # /vulnerabilities[]/scores[]/cvss_v3 # Fail test: # "cvss_v3": { # "version": "3.1", # "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", # "baseScore": 6.5 # } my $csaf = base_csaf_security_advisory(); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); # Check CVSS (2.0 and 3.x) JSON Schema $vuln->scores->add( products => ['CSAFPID-9080700'], cvss_v2 => {baseScore => 6.5, vectorString => 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'} ); exec_validator_mandatory_test($csaf, '6.1.8'); done_testing; CSAF-0.25/t/10-mandatory-6.1.27.07.t0000644000175000017500000000316514704316755015023 0ustar peppepeppe#!perl use 5.010001; use strict; use warnings; use Test::More; use FindBin '$RealBin'; use lib "$RealBin/lib"; use Test::CSAF qw(exec_validator_mandatory_test); use CSAF; # 6.1.27.7 VEX Product Status # For each item in /vulnerabilities it MUST be tested that at least one of the elements fixed, known_affected, known_not_affected, or under_investigation is present in product_status. # The relevant value for /document/category is: # csaf_vex # The relevant paths for this test are: # /vulnerabilities[]/product_status/fixed # /vulnerabilities[]/product_status/known_affected # /vulnerabilities[]/product_status/known_not_affected # /vulnerabilities[]/product_status/under_investigation # Fail test: # "product_status": { # "first_fixed": [ # // ... # ], # "recommended": [ # // ... # ] # } my $csaf = CSAF->new; $csaf->document->title('Mandatory test: 6.1.27.7'); $csaf->document->category('csaf_vex'); $csaf->document->publisher(category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io'); my $tracking = $csaf->document->tracking( id => 'CSAF:2023-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $csaf->product_tree->full_product_names->add(name => 'Product A', product_id => 'CSAFPID-9080700'); my $vulns = $csaf->vulnerabilities; my $vuln = $vulns->add(cve => 'CVE-2023-00000'); $vuln->product_status->first_fixed(['CSAFPID-9080700']); $vuln->product_status->recommended(['CSAFPID-9080700']); exec_validator_mandatory_test($csaf, '6.1.27.7'); done_testing; CSAF-0.25/README.md0000644000175000017500000000440614704316755012457 0ustar peppepeppe[![Release](https://img.shields.io/github/release/giterlizzi/perl-CSAF.svg)](https://github.com/giterlizzi/perl-CSAF/releases) [![Actions Status](https://github.com/giterlizzi/perl-CSAF/workflows/linux/badge.svg)](https://github.com/giterlizzi/perl-CSAF/actions) [![License](https://img.shields.io/github/license/giterlizzi/perl-CSAF.svg)](https://github.com/giterlizzi/perl-CSAF) [![Starts](https://img.shields.io/github/stars/giterlizzi/perl-CSAF.svg)](https://github.com/giterlizzi/perl-CSAF) [![Forks](https://img.shields.io/github/forks/giterlizzi/perl-CSAF.svg)](https://github.com/giterlizzi/perl-CSAF) [![Issues](https://img.shields.io/github/issues/giterlizzi/perl-CSAF.svg)](https://github.com/giterlizzi/perl-CSAF/issues) [![Coverage Status](https://coveralls.io/repos/github/giterlizzi/perl-CSAF/badge.svg)](https://coveralls.io/github/giterlizzi/perl-CSAF) # CSAF Perl Toolkit ## Synopsis ```.pl use CSAF; my $csaf = CSAF->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher( category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io' ); my $tracking = $csaf->document->tracking( id => 'CSAF:2024-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add( date => 'now', summary => 'First release', number => '1' ); my @errors = $csaf->validate; if (@errors) { say $_ for (@errors); Carp::croak "Validation errors"; } # Save CSAF documents using the $csaf->writer(directory => '/var/www/html/csaf')->write; ``` ## Command-Line Utility - `csaf-downloader`, Download CSAF documents - `csaf-rolie`, Create ROLIE feed - `csaf-validator`, Validate a CSAF document - `csaf2html`, Convert CSAF documents in HTML ## Install Using Makefile.PL: To install `CSAF` distribution, run the following commands. perl Makefile.PL make make test make install Using App::cpanminus: cpanm CSAF ## Documentation - `perldoc CSAF` - https://metacpan.org/release/CSAF - https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html ## Copyright - Copyright 2023-2024 © Giuseppe Di Terlizzi CSAF-0.25/META.json0000644000175000017500000000372314755634264012626 0ustar peppepeppe{ "abstract" : "Common Security Advisory Framework", "author" : [ "Giuseppe Di Terlizzi " ], "dynamic_config" : 1, "generated_by" : "ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010", "license" : [ "artistic_2" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : 2 }, "name" : "CSAF", "no_index" : { "directory" : [ "t", "inc" ] }, "prereqs" : { "build" : { "requires" : { "ExtUtils::MakeMaker" : "0" } }, "configure" : { "requires" : { "ExtUtils::MakeMaker" : "0" } }, "runtime" : { "requires" : { "CVSS" : "0", "Cpanel::JSON::XS" : "0", "Digest::SHA" : "0", "File::Basename" : "0", "File::Path" : "0", "File::Spec::Functions" : "0", "GnuPG::Interface" : "0", "JSON::Validator" : "0", "LWP::UserAgent" : "0", "List::MoreUtils" : "0", "List::Util" : "0", "Log::Any" : "0", "Moo" : "0", "Parallel::ForkManager" : "0", "Template" : "0", "Tie::File" : "0", "Time::Piece" : "0", "URI::PackageURL" : "0", "YAML::XS" : "0", "perl" : "5.010" } }, "test" : { "requires" : { "Test::More" : "0" } } }, "release_status" : "stable", "resources" : { "bugtracker" : { "web" : "https://github.com/giterlizzi/perl-CSAF/issues" }, "repository" : { "type" : "git", "url" : "git://github.com/giterlizzi/perl-CSAF", "web" : "https://github.com/giterlizzi/perl-CSAF" } }, "version" : "0.25", "x_purl" : "pkg:cpan/GDT/CSAF", "x_serialization_backend" : "JSON::PP version 4.16" } CSAF-0.25/Changes0000644000175000017500000000161714755634147012500 0ustar peppepeppeRevision history for CSAF. 0.25 2025-02-20 - FIX typo in ROLIE (GH#4) - Removed space before the ":" in JSON (GH#3) - FIX Invalid CVSS computation (6.1.9) test (GH#2) 0.24 2024-10-26 - Improved default HTML template - Improved "6.1.9 Invalid CVSS computation" (mandatory test) - Added "6.3.9 Branch Categories" (informative test) - Added "6.3.10 Usage of Product Version Range" (informative test) 0.23 2024-10-18 - Added "CVSS" module prerequisite - Added "csaf2html(1)" command - Improved Mandatory tests (6.1.9 and 6.1.10) - Improved "CSAF::Downloader" - Added "--before" and "--after" for "csaf-downloader(1)" - Added "before_date" and "after_date" option in "CSAF::Options::Downloader" - Follow ROLIE feed URLs in "provider-metadata.json" - Added date-range downloads support 0.22 2024-04-23 - First public release of CSAF CSAF-0.25/LICENSE0000644000175000017500000002141314267754747012215 0ustar peppepeppe The Artistic License 2.0 Copyright (c) 2000-2006, The Perl Foundation. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble This license establishes the terms under which a given free software Package may be copied, modified, distributed, and/or redistributed. The intent is that the Copyright Holder maintains some artistic control over the development of that Package while still keeping the Package available as open source and free software. You are always permitted to make arrangements wholly outside of this license directly with the Copyright Holder of a given Package. If the terms of this license do not permit the full use that you propose to make of the Package, you should contact the Copyright Holder and seek a different licensing arrangement. Definitions "Copyright Holder" means the individual(s) or organization(s) named in the copyright notice for the entire Package. "Contributor" means any party that has contributed code or other material to the Package, in accordance with the Copyright Holder's procedures. "You" and "your" means any person who would like to copy, distribute, or modify the Package. "Package" means the collection of files distributed by the Copyright Holder, and derivatives of that collection and/or of those files. A given Package may consist of either the Standard Version, or a Modified Version. "Distribute" means providing a copy of the Package or making it accessible to anyone else, or in the case of a company or organization, to others outside of your company or organization. "Distributor Fee" means any fee that you charge for Distributing this Package or providing support for this Package to another party. It does not mean licensing fees. "Standard Version" refers to the Package if it has not been modified, or has been modified only in ways explicitly requested by the Copyright Holder. "Modified Version" means the Package, if it has been changed, and such changes were not explicitly requested by the Copyright Holder. "Original License" means this Artistic License as Distributed with the Standard Version of the Package, in its current version or as it may be modified by The Perl Foundation in the future. "Source" form means the source code, documentation source, and configuration files for the Package. "Compiled" form means the compiled bytecode, object code, binary, or any other form resulting from mechanical transformation or translation of the Source form. Permission for Use and Modification Without Distribution (1) You are permitted to use the Standard Version and create and use Modified Versions for any purpose without restriction, provided that you do not Distribute the Modified Version. Permissions for Redistribution of the Standard Version (2) You may Distribute verbatim copies of the Source form of the Standard Version of this Package in any medium without restriction, either gratis or for a Distributor Fee, provided that you duplicate all of the original copyright notices and associated disclaimers. At your discretion, such verbatim copies may or may not include a Compiled form of the Package. (3) You may apply any bug fixes, portability changes, and other modifications made available from the Copyright Holder. The resulting Package will still be considered the Standard Version, and as such will be subject to the Original License. Distribution of Modified Versions of the Package as Source (4) You may Distribute your Modified Version as Source (either gratis or for a Distributor Fee, and with or without a Compiled form of the Modified Version) provided that you clearly document how it differs from the Standard Version, including, but not limited to, documenting any non-standard features, executables, or modules, and provided that you do at least ONE of the following: (a) make the Modified Version available to the Copyright Holder of the Standard Version, under the Original License, so that the Copyright Holder may include your modifications in the Standard Version. (b) ensure that installation of your Modified Version does not prevent the user installing or running the Standard Version. In addition, the Modified Version must bear a name that is different from the name of the Standard Version. (c) allow anyone who receives a copy of the Modified Version to make the Source form of the Modified Version available to others under (i) the Original License or (ii) a license that permits the licensee to freely copy, modify and redistribute the Modified Version using the same licensing terms that apply to the copy that the licensee received, and requires that the Source form of the Modified Version, and of any works derived from it, be made freely available in that license fees are prohibited but Distributor Fees are allowed. Distribution of Compiled Forms of the Standard Version or Modified Versions without the Source (5) You may Distribute Compiled forms of the Standard Version without the Source, provided that you include complete instructions on how to get the Source of the Standard Version. Such instructions must be valid at the time of your distribution. If these instructions, at any time while you are carrying out such distribution, become invalid, you must provide new instructions on demand or cease further distribution. If you provide valid instructions or cease distribution within thirty days after you become aware that the instructions are invalid, then you do not forfeit any of your rights under this license. (6) You may Distribute a Modified Version in Compiled form without the Source, provided that you comply with Section 4 with respect to the Source of the Modified Version. Aggregating or Linking the Package (7) You may aggregate the Package (either the Standard Version or Modified Version) with other packages and Distribute the resulting aggregation provided that you do not charge a licensing fee for the Package. Distributor Fees are permitted, and licensing fees for other components in the aggregation are permitted. The terms of this license apply to the use and Distribution of the Standard or Modified Versions as included in the aggregation. (8) You are permitted to link Modified and Standard Versions with other works, to embed the Package in a larger work of your own, or to build stand-alone binary or bytecode versions of applications that include the Package, and Distribute the result without restriction, provided the result does not expose a direct interface to the Package. Items That are Not Considered Part of a Modified Version (9) Works (including, but not limited to, modules and scripts) that merely extend or make use of the Package, do not, by themselves, cause the Package to be a Modified Version. In addition, such works are not considered parts of the Package itself, and are not subject to the terms of this license. General Provisions (10) Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license. (11) If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license. (12) This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder. (13) This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed. (14) Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. CSAF-0.25/lib/0000755000175000017500000000000014755634263011745 5ustar peppepeppeCSAF-0.25/lib/CSAF/0000755000175000017500000000000014755634263012461 5ustar peppepeppeCSAF-0.25/lib/CSAF/Options/0000755000175000017500000000000014755634263014114 5ustar peppepeppeCSAF-0.25/lib/CSAF/Options/ROLIE.pm0000644000175000017500000000647114612023627015320 0ustar peppepeppepackage CSAF::Options::ROLIE; use 5.010001; use strict; use warnings; use utf8; use Moo; with 'CSAF::Util::Options'; use constant TRUE => !!1; use constant FALSE => !!0; has csaf_directory => (is => 'rw'); has base_url => (is => 'rw', trigger => 1, default => 'https://psirt.domain.tld/advisories/csaf'); has feed_filename => (is => 'rw', default => 'csaf-feed-tlp-white.json'); has feed_id => (is => 'rw', trigger => 1, default => 'csaf-feed-tlp-white'); has feed_link => (is => 'rw', default => sub { [] }); has feed_title => (is => 'rw', default => 'CSAF feed (TLP:WHITE)'); has tlp_label => (is => 'rw', trigger => 1, default => 'WHITE', coerce => sub { uc $_[0] }); sub _trigger_base_url { my $self = shift; $self->feed_link([{rel => 'self', href => $self->feed_url}]); } sub _trigger_tlp_label { my $self = shift; $self->feed_id('csaf-feed-tlp-' . lc($self->tlp_label)); $self->feed_title('CSAF feed (TLP:' . $self->tlp_label . ')'); } sub _trigger_feed_id { my $self = shift; $self->feed_filename($self->feed_id . '.json'); $self->feed_link([{rel => 'self', href => $self->feed_url}]); } sub feed_url { my $self = shift; return join('/', $self->base_url, $self->feed_filename); } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Options::ROLIE - CSAF::ROLIE::Feed configurator =head1 SYNOPSIS use CSAF::Options::ROLIE; my $options = CSAF::Options::ROLIE->new( ); $options->options->configure( feed_id => 'acme-csaf-feed-tlp-white', feed_title => 'ACME Security Advisory CSAF feed (TLP:WHITE)' base_url => 'https://security.acme.tld/advisories/csaf' ); =head1 DESCRIPTION L is a configurator of L. =head2 METHODS L inherits all methods from L. =head2 ATTRIBUTES =over =item csaf_directory CSAF documents base directory. =item base_url The base URL for ROLIE feed (default C). =item feed_filename ROLIE feed filename (default C). =item feed_id ROLIE feed ID (default C or C). =item feed_link ROLIE feed link (default C<[ rel => 'self', href => feed_url ]>) =item feed_title ROLIE feed title (default C or C). =item feed_url ROLIE feed URL (default C) =item tlp_label TLP (Traffic Light Protocol) label (default C). =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Options/Common.pm0000644000175000017500000000326214612023627015671 0ustar peppepeppepackage CSAF::Options::Common; use 5.010001; use strict; use warnings; use utf8; use Moo; with 'CSAF::Util::Options'; use constant TRUE => !!1; use constant FALSE => !!0; has publisher_category => (is => 'rw'); has publisher_name => (is => 'rw'); has publisher_namespace => (is => 'rw'); has publisher_contact_details => (is => 'rw'); 1; __END__ =encoding utf-8 =head1 NAME CSAF::Options::Common - CSAF::Common configurator =head1 SYNOPSIS use CSAF::Options::Common; my $options = CSAF::Options::Common->new( ); $options->configure( ); =head1 DESCRIPTION L is a configurator of L. =head2 METHODS L inherits all methods from L. =head2 ATTRIBUTES =over =item publisher_category =item publisher_name =item publisher_namespace =item publisher_contact_details =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Options/Downloader.pm0000644000175000017500000000610514704316755016547 0ustar peppepeppepackage CSAF::Options::Downloader; use 5.010001; use strict; use warnings; use utf8; use CSAF::Util qw(parse_datetime); use Moo; with 'CSAF::Util::Options'; use constant TRUE => !!1; use constant FALSE => !!0; has directory => ( is => 'rw', default => '.', coerce => sub { my $dir = $_[0]; $dir =~ s{\$}{}; return $dir }, isa => sub { Carp::croak 'Unknown directory' unless -e -d $_[0] } ); has exclude_pattern => (is => 'rw', default => FALSE); has include_pattern => (is => 'rw', default => FALSE); has validate => (is => 'rw', default => FALSE); has integrity_check => (is => 'rw', default => FALSE); has signature_check => (is => 'rw', default => FALSE); has parallel_downloads => (is => 'rw', default => 4, isa => sub { Carp::croak "$_[0] is not a number" unless $_[0] =~ /^\d+$/ }); # TODO has timeout_after_download => (is => 'rw' => default => 0, isa => sub { Carp::croak "$_[0] is not a number" unless $_[0] =~ /^\d+$/ }); has url => (is => 'rw'); has insecure => (is => 'rw', default => FALSE); has after_date => ( is => 'rw', coerce => \&parse_datetime, isa => sub { Carp::croak 'MUST BE an instance of "Time::Piece"' unless ref($_[0]) eq 'Time::Piece' } ); has before_date => ( is => 'rw', coerce => \&parse_datetime, isa => sub { Carp::croak 'MUST BE an instance of "Time::Piece"' unless ref($_[0]) eq 'Time::Piece' } ); 1; __END__ =encoding utf-8 =head1 NAME CSAF::Options::Downloader - CSAF::Downloader configurator =head1 SYNOPSIS use CSAF::Options::Downloader; my $options = CSAF::Options::Downloader->new( ); $options->configure( url => 'https://security.acme.tld/advisories/csaf/index.txt', insecure => 1, directory => './csaf-acme-advisories', include_pattern => qr{acme-sa-2024-\d+\.json} ); =head1 DESCRIPTION L is a configurator of L. =head2 METHODS L inherits all methods from L. =head2 ATTRIBUTES =over =item directory =item exclude_pattern =item include_pattern =item insecure =item integrity_check =item parallel_downloads =item signature_check =item url =item validate =item after_date =item before_date =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Options/Writer.pm0000644000175000017500000000521014612023627015710 0ustar peppepeppepackage CSAF::Options::Writer; use 5.010001; use strict; use warnings; use utf8; use Moo; with 'CSAF::Util::Options'; use constant TRUE => !!1; use constant FALSE => !!0; has update_index => (is => 'rw', default => TRUE); has update_changes => (is => 'rw', default => TRUE); has create_sha256_integrity => (is => 'rw', default => TRUE); has create_sha512_integrity => (is => 'rw', default => TRUE); has create_gpg_signature => (is => 'rw', default => FALSE); has gpg_passphrase => (is => 'rw'); has gpg_key => (is => 'rw'); 1; __END__ =encoding utf-8 =head1 NAME CSAF::Options::Writer - CSAF::Writer configurator =head1 SYNOPSIS use CSAF::Options::Writer; my $options = CSAF::Options::Writer->new( ); $options->configure( create_sha256_integrity => 0, create_gpg_signature => 1, update_index => 1, update_changes => 1 ); if (my $passphrase = get_passphrase_from_stdin) { $options->gpg_passphrase($passphrase); } =head1 DESCRIPTION L is a configurator of L. =head2 METHODS L inherits all methods from L. =head2 ATTRIBUTES =over =item update_index Create and update the C file (default C). =item update_changes Create and update the C file (default C). =item create_sha256_integrity Create SHA256 integrity file C<*.sha256> for the provided CSAF document (default C). =item create_sha512_integrity Create SHA512 integrity file C<*.sha512> for the provided CSAF document (default C). =item create_gpg_signature Sign the CSAF document with GPG and create signature file C<*.sha256> (default C). =item gpg_key Specify the default GPG key. =item gpg_passphrase Specify the passphrase for the provided GPG key. =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/resources/0000755000175000017500000000000014755634263014473 5ustar peppepeppeCSAF-0.25/lib/CSAF/resources/template/0000755000175000017500000000000014755634263016306 5ustar peppepeppeCSAF-0.25/lib/CSAF/resources/template/default.tt20000644000175000017500000003541514705022237020360 0ustar peppepeppe [% # CSAF Document Template (based on secvisogram template) # https://github.com/secvisogram/secvisogram/blob/main/app/lib/app/SecvisogramPage/View/shared/HTMLTemplate/Template.html # %] [% USE dumper %] [% BLOCK document_note %] [% IF note.title %]

[% note.title %]

[% END %] [% IF note.audience %][% note.audience %][% END %] [% IF note.text %]

[% note.text | html_line_break %]

[% END %] [% END %] [% BLOCK vulnerability_note %] [% IF note.title %][% note.title %][% END %] [% IF note.audience %] ([% note.audience %])[% END %] [% IF note.text %]

[% note.text | html_line_break %]

[% END %] [% END %] [% BLOCK product_status_header %] Product CVSS-Vector CVSS Base Score [% END %] [% BLOCK product_status_row %] [% product_id FILTER product_name %] [% FOREACH score IN vulnerability.scores.each %] [% FOREACH score_product_id IN score.products %] [% IF score_product_id == product_id %] [% score.cvss_v3.vectorString %] [% score.cvss_v3.baseScore %] [% END %] [% END %] [% END %] [% END %] [% BLOCK reference %]
  • [% reference.summary %] ([% reference.category %]) [% PROCESS link url=reference.url %]
    • [% END %] [% BLOCK link %] [% label || url %] [% label = undef url = undef %] [% END %] [% BLOCK acknowledgment %]
  • [% acknowledgment.names.join(', ') %] [% IF acknowledgment.organization %] [% IF acknowledgment.names.size %] from [% END %] [% acknowledgment.organization %] [% END %] [% IF acknowledgment.summary %] for [% acknowledgment.summary %] [% END %] [% IF acknowledgment.urls.size %] (see: [% acknowledgment.urls.join(', ') %]) [% # TODO convert URL to hyperlink %] [% END %]
    • [% END %] [% BLOCK remediation %]
    [% remediation.category.replace('_', ' ').ucfirst %] [% IF remediation.date %] [% remediation.date.datetime() %] [% END %]

    [% remediation.details %]

    [% IF remediation.product_ids.size %]
    For products:
      [% FOREACH product_id IN remediation.product_ids %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF remediation.group_ids.size %]
    For groups:
      [% FOREACH group_id IN remediation.group_ids %]
    • [% group_id %]
      • [% END %]
    [% END %] [% IF remediation.url %]

    [% PROCESS link url = remediation.url %]

    [% END %] [% IF remediation.entitlements.size %] [% FOREACH entitlement IN remediation.entitlements %]

    [% entitlement %]

    [% END %] [% END %] [% IF remediation.restart_required %] Restart required: [% remediation.restart_required.category.replace('_', ' ').ucfirst %]

    [% remediation.restart_required.details %]

    [% END %] [% END %] [% BLOCK threat %]
    [% threat.category.replace('_', ' ').ucfirst %] [% IF threat.date %] [% threat.date.datetime() %] [% END %]

    [% threat.details %]

    [% IF threat.product_ids.size %]
    For products:
      [% FOREACH product_id IN threat.product_ids %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF threat.group_ids.size %]
    For groups:
      [% FOREACH group_id IN threat.group_ids %]
    • [% group_id %]
      • [% END %]
    [% END %] [% END %] [% IF document.tracking.id %][% document.tracking.id %]: [% END %] [% document.title %]

    [% IF document.tracking.id %][% document.tracking.id %]: [% END %] [% document.title %]

    Publisher: [% document.publisher.name %] Document category: [% document.category %]
    Initial release date: [% document.tracking.initial_release_date.datetime() %] Engine: [% "${document.tracking.generator.engine.name} ${document.tracking.generator.engine.version}" %]
    Current release date: [% document.tracking.current_release_date.datetime() %] Build Date: [% document.tracking.generator.date.datetime() %]
    Current version: [% document.tracking.version %] Status: [% document.tracking.status %]
    CVSSv3.1 Base Score: [% max_base_score %] Severity: [% IF document.aggregate_severity.text %] [% IF document.aggregate_severity.namespace %] [% PROCESS link url=document.aggregate_severity.namespace label=document.aggregate_severity.text %] [% ELSE %] [% document.aggregate_severity.text %] [% END %] [% END %]
    Original language: [% document.source_lang %] Language: [% document.lang %]
    Also referred to: [% document.tracking.aliases.join(', ') %]
    [% FOREACH note IN document.notes.get_category('summary') %][% PROCESS document_note %][% END %] [% FOREACH note IN document.notes.get_category('details') %][% PROCESS document_note %][% END %] [% FOREACH note IN document.notes.get_category('general') %][% PROCESS document_note %][% END %] [% FOREACH note IN document.notes.get_category('description') %][% PROCESS document_note %][% END %] [% FOREACH note IN document.notes.get_category('faq') %][% PROCESS document_note %][% END %] [% FOREACH note IN document.notes.get_category('unknown') %][% PROCESS document_note %][% END %] [% IF product_tree.product_groups.size %]

    Product groups

    {{#product_tree.product_groups}} {{#summary}}{{.}}{{/summary}}{{^summary}}{{group_id}}{{/summary}}
      {{#product_ids}}
    • {{name}}
      • {{/product_ids}}
    {{/product_tree.product_groups}} [% END %] [% IF vulnerabilities.size %]

    Vulnerabilities

    [% FOREACH vulnerability IN vulnerabilities.each %]

    [% vulnerability.title %][% IF vulnerability.cve %] ([% vulnerability.cve %])[% END %]

    [% FOREACH note IN vulnerability.notes.get_category('summary') %][% PROCESS vulnerability_note %][% END %] [% FOREACH note IN vulnerability.notes.get_category('details') %][% PROCESS vulnerability_note %][% END %] [% FOREACH note IN vulnerability.notes.get_category('general') %][% PROCESS vulnerability_note %][% END %] [% FOREACH note IN vulnerability.notes.get_category('description') %][% PROCESS vulnerability_note %][% END %] [% FOREACH note IN vulnerability.notes.get_category('faq') %][% PROCESS vulnerability_note %][% END %] [% FOREACH note IN vulnerability.notes.get_category('unknown') %][% PROCESS vulnerability_note %][% END %] [% IF vulnerability.cwe.id %] [% END %] [% FOREACH id IN vulnerability.ids.each %] [% END %] [% IF vulnerability.discovery_date %] [% END %] [% IF vulnerability.release_date %] [% END %]
    CWE: [% vulnerability.cwe.id %] : [% vulnerability.cwe.name %]
    ID: [% id.text %] ([% id.system_name %])
    Discovery date: [% vulnerability.discovery_date.datetime() %]
    Release date: [% vulnerability.release_date.datetime() %]

    Product status

    [% IF vulnerability.product_status.known_affected.size %]
    Known affected
    [% PROCESS product_status_header %] [% FOREACH product_id IN vulnerability.product_status.known_affected %] [% PROCESS product_status_row %] [% END %]
    [% END %] [% IF vulnerability.product_status.first_affected.size %]
    First affected
    [% PROCESS product_status_header %] [% FOREACH product_id IN vulnerability.product_status.first_affected %] [% PROCESS product_status_row %] [% END %]
    [% END %] [% IF vulnerability.product_status.last_affected.size %]
    Last affected
    [% PROCESS product_status_header %] [% FOREACH product_id IN vulnerability.product_status.last_affected %] [% PROCESS product_status_row %] [% END %]
    [% END %] [% IF vulnerability.product_status.known_not_affected.size %]
    Known not affected
      [% FOREACH product_id IN vulnerability.product_status.known_not_affected %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF vulnerability.product_status.recommended.size %]
    Recommended
      [% FOREACH product_id IN vulnerability.product_status.recommended %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF vulnerability.product_status.fixed.size %]
    Fixed
      [% FOREACH product_id IN vulnerability.product_status.fixed %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF vulnerability.product_status.first_fixed.size %]
    First fixed
      [% FOREACH product_id IN vulnerability.product_status.first_fixed %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF vulnerability.product_status.under_investigation.size %]
    Under investgation
      [% FOREACH product_id IN vulnerability.product_status.under_investigation %]
    • [% product_id | product_name %]
      • [% END %]
    [% END %] [% IF vulnerability.remediations.size %]

    Remediations

    [% FOREACH remediation IN vulnerability.remediations.get_category('vendor_fix') %][% PROCESS remediation %][% END %] [% FOREACH remediation IN vulnerability.remediations.get_category('mitigation') %][% PROCESS remediation %][% END %] [% FOREACH remediation IN vulnerability.remediations.get_category('workaround') %][% PROCESS remediation %][% END %] [% FOREACH remediation IN vulnerability.remediations.get_category('none_available') %][% PROCESS remediation %][% END %] [% FOREACH remediation IN vulnerability.remediations.get_category('no_fix_planned') %][% PROCESS remediation %][% END %] [% FOREACH remediation IN vulnerability.remediations.get_category('unknown') %][% PROCESS remediation %][% END %] [% END %] [% IF vulnerability.acknowledgments.size %]

    Acknowledgments

      [% FOREACH acknowledgment IN vulnerability.acknowledgments.each %] [% PROCESS acknowledgment %] [% END %]
    [% END %] [% IF vulnerability.involvements.size %]

    Involvement

      [% FOREACH involvement IN vulnerability.involvements.each %]
    • [% IF involvement.date %][% involvement.date.datetime() %][% END %] [% involment.party.upper %] [% IF involvement.status %][% involment.status.replace('_', ' ') %][% END %] [% IF involment.summary %]: [% involment.summary %][% END %]
      • [% END %]
    [% END %] [% IF vulnerability.references.size %]

    References

      [% FOREACH reference IN vulnerability.references.each %] [% PROCESS reference %] [% END %]
    [% END %] [% IF vulnerability.threats.size %]

    Threats

    [% FOREACH threat IN vulnerability.threats.get_category('exploit_status') %][% PROCESS threat %][% END %] [% FOREACH threat IN vulnerability.threats.get_category('impact') %][% PROCESS threat %][% END %] [% FOREACH threat IN vulnerability.threats.get_category('target_set') %][% PROCESS threat %][% END %] [% FOREACH threat IN vulnerability.threats.get_category('unknown') %][% PROCESS threat %][% END %] [% END %] [% END %] [% END %] [% IF document.acknowledgments.size %]

    Acknowledgments

    [% document.publisher.name %] thanks the following parties for their efforts:
      [% FOREACH acknowledgment IN document.acknowledgments.each %] [% PROCESS acknowledgment %] [% END %]
    [% END %] [% FOREACH note IN document.notes.get_category('other') %][% PROCESS document_note %][% END %]

    [% document.publisher.name %]

    Namespace: [% document.publisher.namespace %]

    [% document.publisher.contact_details %]

    [% document.publisher.issuing_authority %]

    [% IF document.references.size %]

    References

      [% FOREACH reference IN document.references.each %] [% PROCESS reference %] [% END %]
    [% END %]

    Revision history

    [% FOREACH revision_history IN document.tracking.revision_history.each %] [% END %]
    Version Date of the revision Summary of the revision
    [% revision_history.number %] [% revision_history.date %] [% revision_history.summary %]

    Sharing rules

    [% IF document.distribution.tlp %] TLP:[% document.distribution.tlp.label %]
    For the TLP version see: [% INCLUDE link url=(document.distribution.tlp.url || "https://www.first.org/tlp/") xlabel=(document.distribution.tlp.url || "https://www.first.org/tlp/") %] [% END %]

    [% document.distribution.text %]

    [% FOREACH note IN document.notes.get_category('legal_disclaimer') %][% PROCESS document_note %][% END %] CSAF-0.25/lib/CSAF/resources/cache/0000755000175000017500000000000014755634263015536 5ustar peppepeppeCSAF-0.25/lib/CSAF/resources/cache/6616ab5b335e47cd27e701999bd8eb3a0000644000175000017500000001664414610514476022055 0ustar peppepeppe{ "license": [ "Copyright (c) 2021, FIRST.ORG, INC.", "All rights reserved.", "", "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", "following conditions are met:", "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", " disclaimer.", "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", " following disclaimer in the documentation and/or other materials provided with the distribution.", "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", " products derived from this software without specific prior written permission.", "", "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." ], "$schema": "http://json-schema.org/draft-07/schema#", "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", "$id": "https://www.first.org/cvss/cvss-v3.1.json?20211103", "type": "object", "definitions": { "attackVectorType": { "type": "string", "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] }, "modifiedAttackVectorType": { "type": "string", "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] }, "attackComplexityType": { "type": "string", "enum": [ "HIGH", "LOW" ] }, "modifiedAttackComplexityType": { "type": "string", "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] }, "privilegesRequiredType": { "type": "string", "enum": [ "HIGH", "LOW", "NONE" ] }, "modifiedPrivilegesRequiredType": { "type": "string", "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] }, "userInteractionType": { "type": "string", "enum": [ "NONE", "REQUIRED" ] }, "modifiedUserInteractionType": { "type": "string", "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] }, "scopeType": { "type": "string", "enum": [ "UNCHANGED", "CHANGED" ] }, "modifiedScopeType": { "type": "string", "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] }, "ciaType": { "type": "string", "enum": [ "NONE", "LOW", "HIGH" ] }, "modifiedCiaType": { "type": "string", "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] }, "exploitCodeMaturityType": { "type": "string", "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] }, "remediationLevelType": { "type": "string", "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] }, "confidenceType": { "type": "string", "enum": [ "UNKNOWN", "REASONABLE", "CONFIRMED", "NOT_DEFINED" ] }, "ciaRequirementType": { "type": "string", "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] }, "scoreType": { "type": "number", "minimum": 0, "maximum": 10 }, "severityType": { "type": "string", "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] } }, "properties": { "version": { "description": "CVSS Version", "type": "string", "enum": [ "3.1" ] }, "vectorString": { "type": "string", "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" }, "attackVector": { "$ref": "#/definitions/attackVectorType" }, "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, "userInteraction": { "$ref": "#/definitions/userInteractionType" }, "scope": { "$ref": "#/definitions/scopeType" }, "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, "integrityImpact": { "$ref": "#/definitions/ciaType" }, "availabilityImpact": { "$ref": "#/definitions/ciaType" }, "baseScore": { "$ref": "#/definitions/scoreType" }, "baseSeverity": { "$ref": "#/definitions/severityType" }, "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, "reportConfidence": { "$ref": "#/definitions/confidenceType" }, "temporalScore": { "$ref": "#/definitions/scoreType" }, "temporalSeverity": { "$ref": "#/definitions/severityType" }, "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, "environmentalScore": { "$ref": "#/definitions/scoreType" }, "environmentalSeverity": { "$ref": "#/definitions/severityType" } }, "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] } CSAF-0.25/lib/CSAF/resources/cache/803157887dabfefc7425634a877ed27a0000644000175000017500000001664314610514476022006 0ustar peppepeppe{ "license": [ "Copyright (c) 2017, FIRST.ORG, INC.", "All rights reserved.", "", "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", "following conditions are met:", "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", " disclaimer.", "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", " following disclaimer in the documentation and/or other materials provided with the distribution.", "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", " products derived from this software without specific prior written permission.", "", "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." ], "$schema": "http://json-schema.org/draft-04/schema#", "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", "id": "https://www.first.org/cvss/cvss-v3.0.json?20170531", "type": "object", "definitions": { "attackVectorType": { "type": "string", "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] }, "modifiedAttackVectorType": { "type": "string", "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] }, "attackComplexityType": { "type": "string", "enum": [ "HIGH", "LOW" ] }, "modifiedAttackComplexityType": { "type": "string", "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] }, "privilegesRequiredType": { "type": "string", "enum": [ "HIGH", "LOW", "NONE" ] }, "modifiedPrivilegesRequiredType": { "type": "string", "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] }, "userInteractionType": { "type": "string", "enum": [ "NONE", "REQUIRED" ] }, "modifiedUserInteractionType": { "type": "string", "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] }, "scopeType": { "type": "string", "enum": [ "UNCHANGED", "CHANGED" ] }, "modifiedScopeType": { "type": "string", "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] }, "ciaType": { "type": "string", "enum": [ "NONE", "LOW", "HIGH" ] }, "modifiedCiaType": { "type": "string", "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] }, "exploitCodeMaturityType": { "type": "string", "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] }, "remediationLevelType": { "type": "string", "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] }, "confidenceType": { "type": "string", "enum": [ "UNKNOWN", "REASONABLE", "CONFIRMED", "NOT_DEFINED" ] }, "ciaRequirementType": { "type": "string", "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] }, "scoreType": { "type": "number", "minimum": 0, "maximum": 10 }, "severityType": { "type": "string", "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] } }, "properties": { "version": { "description": "CVSS Version", "type": "string", "enum": [ "3.0" ] }, "vectorString": { "type": "string", "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" }, "attackVector": { "$ref": "#/definitions/attackVectorType" }, "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, "userInteraction": { "$ref": "#/definitions/userInteractionType" }, "scope": { "$ref": "#/definitions/scopeType" }, "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, "integrityImpact": { "$ref": "#/definitions/ciaType" }, "availabilityImpact": { "$ref": "#/definitions/ciaType" }, "baseScore": { "$ref": "#/definitions/scoreType" }, "baseSeverity": { "$ref": "#/definitions/severityType" }, "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, "reportConfidence": { "$ref": "#/definitions/confidenceType" }, "temporalScore": { "$ref": "#/definitions/scoreType" }, "temporalSeverity": { "$ref": "#/definitions/severityType" }, "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, "environmentalScore": { "$ref": "#/definitions/scoreType" }, "environmentalSeverity": { "$ref": "#/definitions/severityType" } }, "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] } CSAF-0.25/lib/CSAF/resources/cache/efea8b3a7512905f5aa6affa56ea3a680000644000175000017500000001303614610514476022334 0ustar peppepeppe{ "license": [ "Copyright (c) 2017, FIRST.ORG, INC.", "All rights reserved.", "", "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", "following conditions are met:", "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", " disclaimer.", "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", " following disclaimer in the documentation and/or other materials provided with the distribution.", "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", " products derived from this software without specific prior written permission.", "", "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." ], "$schema": "http://json-schema.org/draft-04/schema#", "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", "id": "https://www.first.org/cvss/cvss-v2.0.json?20170531", "type": "object", "definitions": { "accessVectorType": { "type": "string", "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ] }, "accessComplexityType": { "type": "string", "enum": [ "HIGH", "MEDIUM", "LOW" ] }, "authenticationType": { "type": "string", "enum": [ "MULTIPLE", "SINGLE", "NONE" ] }, "ciaType": { "type": "string", "enum": [ "NONE", "PARTIAL", "COMPLETE" ] }, "exploitabilityType": { "type": "string", "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] }, "remediationLevelType": { "type": "string", "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] }, "reportConfidenceType": { "type": "string", "enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ] }, "collateralDamagePotentialType": { "type": "string", "enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ] }, "targetDistributionType": { "type": "string", "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] }, "ciaRequirementType": { "type": "string", "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] }, "scoreType": { "type": "number", "minimum": 0, "maximum": 10 } }, "properties": { "version": { "description": "CVSS Version", "type": "string", "enum": [ "2.0" ] }, "vectorString": { "type": "string", "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" }, "accessVector": { "$ref": "#/definitions/accessVectorType" }, "accessComplexity": { "$ref": "#/definitions/accessComplexityType" }, "authentication": { "$ref": "#/definitions/authenticationType" }, "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, "integrityImpact": { "$ref": "#/definitions/ciaType" }, "availabilityImpact": { "$ref": "#/definitions/ciaType" }, "baseScore": { "$ref": "#/definitions/scoreType" }, "exploitability": { "$ref": "#/definitions/exploitabilityType" }, "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, "reportConfidence": { "$ref": "#/definitions/reportConfidenceType" }, "temporalScore": { "$ref": "#/definitions/scoreType" }, "collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" }, "targetDistribution": { "$ref": "#/definitions/targetDistributionType" }, "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, "environmentalScore": { "$ref": "#/definitions/scoreType" } }, "required": [ "version", "vectorString", "baseScore" ] } CSAF-0.25/lib/CSAF/resources/cache/bb7795e241f5997c83fb4fc8fa2783680000644000175000017500000016223614610514736022026 0ustar peppepeppe{ "$defs": { "acknowledgments_t": { "description": "Contains a list of acknowledgment elements.", "items": { "additionalProperties": false, "description": "Acknowledges contributions by describing those that contributed.", "minProperties": 1, "properties": { "names": { "description": "Contains the names of contributors being recognized.", "items": { "description": "Contains the name of a single contributor being recognized.", "examples": [ "Albert Einstein", "Johann Sebastian Bach" ], "minLength": 1, "title": "Name of the contributor", "type": "string" }, "minItems": 1, "title": "List of acknowledged names", "type": "array" }, "organization": { "description": "Contains the name of a contributing organization being recognized.", "examples": [ "CISA", "Google Project Zero", "Talos" ], "minLength": 1, "title": "Contributing organization", "type": "string" }, "summary": { "description": "SHOULD represent any contextual details the document producers wish to make known about the acknowledgment or acknowledged parties.", "examples": [ "First analysis of Coordinated Multi-Stream Attack (CMSA)" ], "minLength": 1, "title": "Summary of the acknowledgment", "type": "string" }, "urls": { "description": "Specifies a list of URLs or location of the reference to be acknowledged.", "items": { "description": "Contains the URL or location of the reference to be acknowledged.", "format": "uri", "title": "URL of acknowledgment", "type": "string" }, "minItems": 1, "title": "List of URLs", "type": "array" } }, "title": "Acknowledgment", "type": "object" }, "minItems": 1, "title": "List of acknowledgments", "type": "array" }, "branches_t": { "description": "Contains branch elements as children of the current element.", "items": { "additionalProperties": false, "description": "Is a part of the hierarchical structure of the product tree.", "maxProperties": 3, "minProperties": 3, "properties": { "branches": { "$ref": "#/$defs/branches_t" }, "category": { "description": "Describes the characteristics of the labeled branch.", "enum": [ "architecture", "host_name", "language", "legacy", "patch_level", "product_family", "product_name", "product_version", "product_version_range", "service_pack", "specification", "vendor" ], "title": "Category of the branch", "type": "string" }, "name": { "description": "Contains the canonical descriptor or 'friendly name' of the branch.", "examples": [ "10", "365", "Microsoft", "Office", "PCS 7", "SIMATIC", "Siemens", "Windows" ], "minLength": 1, "title": "Name of the branch", "type": "string" }, "product": { "$ref": "#/$defs/full_product_name_t" } }, "required": [ "category", "name" ], "title": "Branch", "type": "object" }, "minItems": 1, "title": "List of branches", "type": "array" }, "full_product_name_t": { "additionalProperties": false, "description": "Specifies information about the product and assigns the product_id.", "properties": { "name": { "description": "The value should be the product\u2019s full canonical name, including version number and other attributes, as it would be used in a human-friendly document.", "examples": [ "Cisco AnyConnect Secure Mobility Client 2.3.185", "Microsoft Host Integration Server 2006 Service Pack 1" ], "minLength": 1, "title": "Textual description of the product", "type": "string" }, "product_id": { "$ref": "#/$defs/product_id_t" }, "product_identification_helper": { "additionalProperties": false, "description": "Provides at least one method which aids in identifying the product in an asset database.", "minProperties": 1, "properties": { "cpe": { "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.", "minLength": 5, "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$", "title": "Common Platform Enumeration representation", "type": "string" }, "hashes": { "description": "Contains a list of cryptographic hashes usable to identify files.", "items": { "additionalProperties": false, "description": "Contains all information to identify a file based on its cryptographic hash values.", "properties": { "file_hashes": { "description": "Contains a list of cryptographic hashes for this file.", "items": { "additionalProperties": false, "description": "Contains one hash value and algorithm of the file to be identified.", "properties": { "algorithm": { "default": "sha256", "description": "Contains the name of the cryptographic hash algorithm used to calculate the value.", "examples": [ "blake2b512", "sha256", "sha3-512", "sha384", "sha512" ], "minLength": 1, "title": "Algorithm of the cryptographic hash", "type": "string" }, "value": { "description": "Contains the cryptographic hash value in hexadecimal representation.", "examples": [ "37df33cb7464da5c7f077f4d56a32bc84987ec1d85b234537c1c1a4d4fc8d09dc29e2e762cb5203677bf849a2855a0283710f1f5fe1d6ce8d5ac85c645d0fcb3", "4775203615d9534a8bfca96a93dc8b461a489f69124a130d786b42204f3341cc", "9ea4c8200113d49d26505da0e02e2f49055dc078d1ad7a419b32e291c7afebbb84badfbd46dec42883bea0b2a1fa697c" ], "minLength": 32, "pattern": "^[0-9a-fA-F]{32,}$", "title": "Value of the cryptographic hash", "type": "string" } }, "required": [ "algorithm", "value" ], "title": "File hash", "type": "object" }, "minItems": 1, "title": "List of file hashes", "type": "array" }, "filename": { "description": "Contains the name of the file which is identified by the hash values.", "examples": [ "WINWORD.EXE", "msotadddin.dll", "sudoers.so" ], "minLength": 1, "title": "Filename", "type": "string" } }, "required": [ "file_hashes", "filename" ], "title": "Cryptographic hashes", "type": "object" }, "minItems": 1, "title": "List of hashes", "type": "array" }, "model_numbers": { "description": "Contains a list of full or abbreviated (partial) model numbers.", "items": { "description": "Contains a full or abbreviated (partial) model number of the component to identify.", "minLength": 1, "title": "Model number", "type": "string" }, "minItems": 1, "title": "List of models", "type": "array", "uniqueItems": true }, "purl": { "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.", "format": "uri", "minLength": 7, "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+", "title": "package URL representation", "type": "string" }, "sbom_urls": { "description": "Contains a list of URLs where SBOMs for this product can be retrieved.", "items": { "description": "Contains a URL of one SBOM for this product.", "format": "uri", "title": "SBOM URL", "type": "string" }, "minItems": 1, "title": "List of SBOM URLs", "type": "array" }, "serial_numbers": { "description": "Contains a list of full or abbreviated (partial) serial numbers.", "items": { "description": "Contains a full or abbreviated (partial) serial number of the component to identify.", "minLength": 1, "title": "Serial number", "type": "string" }, "minItems": 1, "title": "List of serial numbers", "type": "array", "uniqueItems": true }, "skus": { "description": "Contains a list of full or abbreviated (partial) stock keeping units.", "items": { "description": "Contains a full or abbreviated (partial) stock keeping unit (SKU) which is used in the ordering process to identify the component.", "minLength": 1, "title": "Stock keeping unit", "type": "string" }, "minItems": 1, "title": "List of stock keeping units", "type": "array" }, "x_generic_uris": { "description": "Contains a list of identifiers which are either vendor-specific or derived from a standard not yet supported.", "items": { "additionalProperties": false, "description": "Provides a generic extension point for any identifier which is either vendor-specific or derived from a standard not yet supported.", "properties": { "namespace": { "description": "Refers to a URL which provides the name and knowledge about the specification used or is the namespace in which these values are valid.", "format": "uri", "title": "Namespace of the generic URI", "type": "string" }, "uri": { "description": "Contains the identifier itself.", "format": "uri", "title": "URI", "type": "string" } }, "required": [ "namespace", "uri" ], "title": "Generic URI", "type": "object" }, "minItems": 1, "title": "List of generic URIs", "type": "array" } }, "title": "Helper to identify the product", "type": "object" } }, "required": [ "name", "product_id" ], "title": "Full product name", "type": "object" }, "lang_t": { "description": "Identifies a language, corresponding to IETF BCP 47 / RFC 5646. See IETF language registry: https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry", "examples": [ "de", "en", "fr", "frc", "jp" ], "pattern": "^(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?|[A-Za-z]{4,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3}))*(-[A-WY-Za-wy-z0-9](-[A-Za-z0-9]{2,8})+)*(-[Xx](-[A-Za-z0-9]{1,8})+)?|[Xx](-[A-Za-z0-9]{1,8})+|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Mm][Ii][Nn][Gg][Oo])$", "title": "Language type", "type": "string" }, "notes_t": { "description": "Contains notes which are specific to the current context.", "items": { "additionalProperties": false, "description": "Is a place to put all manner of text blobs related to the current context.", "properties": { "audience": { "description": "Indicates who is intended to read it.", "examples": [ "all", "executives", "operational management and system administrators", "safety engineers" ], "minLength": 1, "title": "Audience of note", "type": "string" }, "category": { "description": "Contains the information of what kind of note this is.", "enum": [ "description", "details", "faq", "general", "legal_disclaimer", "other", "summary" ], "title": "Note category", "type": "string" }, "text": { "description": "Holds the content of the note. Content varies depending on type.", "minLength": 1, "title": "Note content", "type": "string" }, "title": { "description": "Provides a concise description of what is contained in the text of the note.", "examples": [ "Details", "Executive summary", "Technical summary", "Impact on safety systems" ], "minLength": 1, "title": "Title of note", "type": "string" } }, "required": [ "category", "text" ], "title": "Note", "type": "object" }, "minItems": 1, "title": "List of notes", "type": "array" }, "product_group_id_t": { "description": "Token required to identify a group of products so that it can be referred to from other parts in the document. There is no predefined or required format for the product_group_id as long as it uniquely identifies a group in the context of the current document.", "examples": [ "CSAFGID-0001", "CSAFGID-0002", "CSAFGID-0020" ], "minLength": 1, "title": "Reference token for product group instance", "type": "string" }, "product_groups_t": { "description": "Specifies a list of product_group_ids to give context to the parent item.", "items": { "$ref": "#/$defs/product_group_id_t" }, "minItems": 1, "title": "List of product_group_ids", "type": "array", "uniqueItems": true }, "product_id_t": { "description": "Token required to identify a full_product_name so that it can be referred to from other parts in the document. There is no predefined or required format for the product_id as long as it uniquely identifies a product in the context of the current document.", "examples": [ "CSAFPID-0004", "CSAFPID-0008" ], "minLength": 1, "title": "Reference token for product instance", "type": "string" }, "products_t": { "description": "Specifies a list of product_ids to give context to the parent item.", "items": { "$ref": "#/$defs/product_id_t" }, "minItems": 1, "title": "List of product_ids", "type": "array", "uniqueItems": true }, "references_t": { "description": "Holds a list of references.", "items": { "additionalProperties": false, "description": "Holds any reference to conferences, papers, advisories, and other resources that are related and considered related to either a surrounding part of or the entire document and to be of value to the document consumer.", "properties": { "category": { "default": "external", "description": "Indicates whether the reference points to the same document or vulnerability in focus (depending on scope) or to an external resource.", "enum": [ "external", "self" ], "title": "Category of reference", "type": "string" }, "summary": { "description": "Indicates what this reference refers to.", "minLength": 1, "title": "Summary of the reference", "type": "string" }, "url": { "description": "Provides the URL for the reference.", "format": "uri", "title": "URL of reference", "type": "string" } }, "required": [ "summary", "url" ], "title": "Reference", "type": "object" }, "minItems": 1, "title": "List of references", "type": "array" }, "version_t": { "description": "Specifies a version string to denote clearly the evolution of the content of the document. Format must be either integer or semantic versioning.", "examples": [ "1", "4", "0.9.0", "1.4.3", "2.40.0+21AF26D3" ], "pattern": "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$", "title": "Version", "type": "string" } }, "$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "additionalProperties": false, "description": "Representation of security advisory information as a JSON document.", "properties": { "document": { "additionalProperties": false, "description": "Captures the meta-data about this document describing a particular set of security advisories.", "properties": { "acknowledgments": { "$ref": "#/$defs/acknowledgments_t", "description": "Contains a list of acknowledgment elements associated with the whole document.", "title": "Document acknowledgments" }, "aggregate_severity": { "additionalProperties": false, "description": "Is a vehicle that is provided by the document producer to convey the urgency and criticality with which the one or more vulnerabilities reported should be addressed. It is a document-level metric and applied to the document as a whole \u2014 not any specific vulnerability. The range of values in this field is defined according to the document producer's policies and procedures.", "properties": { "namespace": { "description": "Points to the namespace so referenced.", "format": "uri", "title": "Namespace of aggregate severity", "type": "string" }, "text": { "description": "Provides a severity which is independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS).", "examples": [ "Critical", "Important", "Moderate" ], "minLength": 1, "title": "Text of aggregate severity", "type": "string" } }, "required": [ "text" ], "title": "Aggregate severity", "type": "object" }, "category": { "description": "Defines a short canonical name, chosen by the document producer, which will inform the end user as to the category of document.", "examples": [ "csaf_base", "csaf_security_advisory", "csaf_vex", "Example Company Security Notice" ], "minLength": 1, "pattern": "^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$", "title": "Document category", "type": "string" }, "csaf_version": { "description": "Gives the version of the CSAF specification which the document was generated for.", "enum": [ "2.0" ], "title": "CSAF version", "type": "string" }, "distribution": { "additionalProperties": false, "description": "Describe any constraints on how this document might be shared.", "minProperties": 1, "properties": { "text": { "description": "Provides a textual description of additional constraints.", "examples": [ "Copyright 2021, Example Company, All Rights Reserved.", "Distribute freely.", "Share only on a need-to-know-basis only." ], "minLength": 1, "title": "Textual description", "type": "string" }, "tlp": { "additionalProperties": false, "description": "Provides details about the TLP classification of the document.", "properties": { "label": { "description": "Provides the TLP label of the document.", "enum": [ "AMBER", "GREEN", "RED", "WHITE" ], "title": "Label of TLP", "type": "string" }, "url": { "default": "https://www.first.org/tlp/", "description": "Provides a URL where to find the textual description of the TLP version which is used in this document. Default is the URL to the definition by FIRST.", "examples": [ "https://www.us-cert.gov/tlp", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf" ], "format": "uri", "title": "URL of TLP version", "type": "string" } }, "required": [ "label" ], "title": "Traffic Light Protocol (TLP)", "type": "object" } }, "title": "Rules for sharing document", "type": "object" }, "lang": { "$ref": "#/$defs/lang_t", "description": "Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.", "title": "Document language" }, "notes": { "$ref": "#/$defs/notes_t", "description": "Holds notes associated with the whole document.", "title": "Document notes" }, "publisher": { "additionalProperties": false, "description": "Provides information about the publisher of the document.", "properties": { "category": { "description": "Provides information about the category of publisher releasing the document.", "enum": [ "coordinator", "discoverer", "other", "translator", "user", "vendor" ], "title": "Category of publisher", "type": "string" }, "contact_details": { "description": "Information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.", "examples": [ "Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact." ], "minLength": 1, "title": "Contact details", "type": "string" }, "issuing_authority": { "description": "Provides information about the authority of the issuing party to release the document, in particular, the party's constituency and responsibilities or other obligations.", "minLength": 1, "title": "Issuing authority", "type": "string" }, "name": { "description": "Contains the name of the issuing party.", "examples": [ "BSI", "Cisco PSIRT", "Siemens ProductCERT" ], "minLength": 1, "title": "Name of publisher", "type": "string" }, "namespace": { "description": "Contains a URL which is under control of the issuing party and can be used as a globally unique identifier for that issuing party.", "examples": [ "https://csaf.io", "https://www.example.com" ], "format": "uri", "title": "Namespace of publisher", "type": "string" } }, "required": [ "category", "name", "namespace" ], "title": "Publisher", "type": "object" }, "references": { "$ref": "#/$defs/references_t", "description": "Holds a list of references associated with the whole document.", "title": "Document references" }, "source_lang": { "$ref": "#/$defs/lang_t", "description": "If this copy of the document is a translation then the value of this property describes from which language this document was translated.", "title": "Source language" }, "title": { "description": "This SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.", "examples": [ "Cisco IPv6 Crafted Packet Denial of Service Vulnerability", "Example Company Cross-Site-Scripting Vulnerability in Example Generator" ], "minLength": 1, "title": "Title of this document", "type": "string" }, "tracking": { "additionalProperties": false, "description": "Is a container designated to hold all management attributes necessary to track a CSAF document as a whole.", "properties": { "aliases": { "description": "Contains a list of alternate names for the same document.", "items": { "description": "Specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.", "examples": [ "CVE-2019-12345" ], "minLength": 1, "title": "Alternate name", "type": "string" }, "minItems": 1, "title": "Aliases", "type": "array", "uniqueItems": true }, "current_release_date": { "description": "The date when the current revision of this document was released", "format": "date-time", "title": "Current release date", "type": "string" }, "generator": { "additionalProperties": false, "description": "Is a container to hold all elements related to the generation of the document. These items will reference when the document was actually created, including the date it was generated and the entity that generated it.", "properties": { "date": { "description": "This SHOULD be the current date that the document was generated. Because documents are often generated internally by a document producer and exist for a nonzero amount of time before being released, this field MAY be different from the Initial Release Date and Current Release Date.", "format": "date-time", "title": "Date of document generation", "type": "string" }, "engine": { "additionalProperties": false, "description": "Contains information about the engine that generated the CSAF document.", "properties": { "name": { "description": "Represents the name of the engine that generated the CSAF document.", "examples": [ "Red Hat rhsa-to-cvrf", "Secvisogram", "TVCE" ], "minLength": 1, "title": "Engine name", "type": "string" }, "version": { "description": "Contains the version of the engine that generated the CSAF document.", "examples": [ "0.6.0", "1.0.0-beta+exp.sha.a1c44f85", "2" ], "minLength": 1, "title": "Engine version", "type": "string" } }, "required": [ "name" ], "title": "Engine of document generation", "type": "object" } }, "required": [ "engine" ], "title": "Document generator", "type": "object" }, "id": { "description": "The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority.", "examples": [ "Example Company - 2019-YH3234", "RHBA-2019:0024", "cisco-sa-20190513-secureboot" ], "minLength": 1, "pattern": "^[\\S](.*[\\S])?$", "title": "Unique identifier for the document", "type": "string" }, "initial_release_date": { "description": "The date when this document was first published.", "format": "date-time", "title": "Initial release date", "type": "string" }, "revision_history": { "description": "Holds one revision item for each version of the CSAF document, including the initial one.", "items": { "additionalProperties": false, "description": "Contains all the information elements required to track the evolution of a CSAF document.", "properties": { "date": { "description": "The date of the revision entry", "format": "date-time", "title": "Date of the revision", "type": "string" }, "legacy_version": { "description": "Contains the version string used in an existing document with the same content.", "minLength": 1, "title": "Legacy version of the revision", "type": "string" }, "number": { "$ref": "#/$defs/version_t" }, "summary": { "description": "Holds a single non-empty string representing a short description of the changes.", "examples": [ "Initial version." ], "minLength": 1, "title": "Summary of the revision", "type": "string" } }, "required": [ "date", "number", "summary" ], "title": "Revision", "type": "object" }, "minItems": 1, "title": "Revision history", "type": "array" }, "status": { "description": "Defines the draft status of the document.", "enum": [ "draft", "final", "interim" ], "title": "Document status", "type": "string" }, "version": { "$ref": "#/$defs/version_t" } }, "required": [ "current_release_date", "id", "initial_release_date", "revision_history", "status", "version" ], "title": "Tracking", "type": "object" } }, "required": [ "category", "csaf_version", "publisher", "title", "tracking" ], "title": "Document level meta-data", "type": "object" }, "product_tree": { "additionalProperties": false, "description": "Is a container for all fully qualified product names that can be referenced elsewhere in the document.", "minProperties": 1, "properties": { "branches": { "$ref": "#/$defs/branches_t" }, "full_product_names": { "description": "Contains a list of full product names.", "items": { "$ref": "#/$defs/full_product_name_t" }, "minItems": 1, "title": "List of full product names", "type": "array" }, "product_groups": { "description": "Contains a list of product groups.", "items": { "additionalProperties": false, "description": "Defines a new logical group of products that can then be referred to in other parts of the document to address a group of products with a single identifier.", "properties": { "group_id": { "$ref": "#/$defs/product_group_id_t" }, "product_ids": { "description": "Lists the product_ids of those products which known as one group in the document.", "items": { "$ref": "#/$defs/product_id_t" }, "minItems": 2, "title": "List of Product IDs", "type": "array", "uniqueItems": true }, "summary": { "description": "Gives a short, optional description of the group.", "examples": [ "Products supporting Modbus.", "The x64 versions of the operating system." ], "minLength": 1, "title": "Summary of the product group", "type": "string" } }, "required": [ "group_id", "product_ids" ], "title": "Product group", "type": "object" }, "minItems": 1, "title": "List of product groups", "type": "array" }, "relationships": { "description": "Contains a list of relationships.", "items": { "additionalProperties": false, "description": "Establishes a link between two existing full_product_name_t elements, allowing the document producer to define a combination of two products that form a new full_product_name entry.", "properties": { "category": { "description": "Defines the category of relationship for the referenced component.", "enum": [ "default_component_of", "external_component_of", "installed_on", "installed_with", "optional_component_of" ], "title": "Relationship category", "type": "string" }, "full_product_name": { "$ref": "#/$defs/full_product_name_t" }, "product_reference": { "$ref": "#/$defs/product_id_t", "description": "Holds a Product ID that refers to the Full Product Name element, which is referenced as the first element of the relationship.", "title": "Product reference" }, "relates_to_product_reference": { "$ref": "#/$defs/product_id_t", "description": "Holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.", "title": "Relates to product reference" } }, "required": [ "category", "full_product_name", "product_reference", "relates_to_product_reference" ], "title": "Relationship", "type": "object" }, "minItems": 1, "title": "List of relationships", "type": "array" } }, "title": "Product tree", "type": "object" }, "vulnerabilities": { "description": "Represents a list of all relevant vulnerability information items.", "items": { "additionalProperties": false, "description": "Is a container for the aggregation of all fields that are related to a single vulnerability in the document.", "minProperties": 1, "properties": { "acknowledgments": { "$ref": "#/$defs/acknowledgments_t", "description": "Contains a list of acknowledgment elements associated with this vulnerability item.", "title": "Vulnerability acknowledgments" }, "cve": { "description": "Holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.", "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$", "title": "CVE", "type": "string" }, "cwe": { "additionalProperties": false, "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.", "properties": { "id": { "description": "Holds the ID for the weakness associated.", "examples": [ "CWE-22", "CWE-352", "CWE-79" ], "pattern": "^CWE-[1-9]\\d{0,5}$", "title": "Weakness ID", "type": "string" }, "name": { "description": "Holds the full name of the weakness as given in the CWE specification.", "examples": [ "Cross-Site Request Forgery (CSRF)", "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" ], "minLength": 1, "title": "Weakness name", "type": "string" } }, "required": [ "id", "name" ], "title": "CWE", "type": "object" }, "discovery_date": { "description": "Holds the date and time the vulnerability was originally discovered.", "format": "date-time", "title": "Discovery date", "type": "string" }, "flags": { "description": "Contains a list of machine readable flags.", "items": { "additionalProperties": false, "description": "Contains product specific information in regard to this vulnerability as a single machine readable flag.", "properties": { "date": { "description": "Contains the date when assessment was done or the flag was assigned.", "format": "date-time", "title": "Date of the flag", "type": "string" }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "label": { "description": "Specifies the machine readable label.", "enum": [ "component_not_present", "inline_mitigations_already_exist", "vulnerable_code_cannot_be_controlled_by_adversary", "vulnerable_code_not_in_execute_path", "vulnerable_code_not_present" ], "title": "Label of the flag", "type": "string" }, "product_ids": { "$ref": "#/$defs/products_t" } }, "required": [ "label" ], "title": "Flag", "type": "object" }, "minItems": 1, "title": "List of flags", "type": "array", "uniqueItems": true }, "ids": { "description": "Represents a list of unique labels or tracking IDs for the vulnerability (if such information exists).", "items": { "additionalProperties": false, "description": "Contains a single unique label or tracking ID for the vulnerability.", "properties": { "system_name": { "description": "Indicates the name of the vulnerability tracking or numbering system.", "examples": [ "Cisco Bug ID", "GitHub Issue" ], "minLength": 1, "title": "System name", "type": "string" }, "text": { "description": "Is unique label or tracking ID for the vulnerability (if such information exists).", "examples": [ "CSCso66472", "oasis-tcs/csaf#210" ], "minLength": 1, "title": "Text", "type": "string" } }, "required": [ "system_name", "text" ], "title": "ID", "type": "object" }, "minItems": 1, "title": "List of IDs", "type": "array", "uniqueItems": true }, "involvements": { "description": "Contains a list of involvements.", "items": { "additionalProperties": false, "description": "Is a container, that allows the document producers to comment on the level of involvement (or engagement) of themselves or third parties in the vulnerability identification, scoping, and remediation process.", "properties": { "date": { "description": "Holds the date and time of the involvement entry.", "format": "date-time", "title": "Date of involvement", "type": "string" }, "party": { "description": "Defines the category of the involved party.", "enum": [ "coordinator", "discoverer", "other", "user", "vendor" ], "title": "Party category", "type": "string" }, "status": { "description": "Defines contact status of the involved party.", "enum": [ "completed", "contact_attempted", "disputed", "in_progress", "not_contacted", "open" ], "title": "Party status", "type": "string" }, "summary": { "description": "Contains additional context regarding what is going on.", "minLength": 1, "title": "Summary of the involvement", "type": "string" } }, "required": [ "party", "status" ], "title": "Involvement", "type": "object" }, "minItems": 1, "title": "List of involvements", "type": "array", "uniqueItems": true }, "notes": { "$ref": "#/$defs/notes_t", "description": "Holds notes associated with this vulnerability item.", "title": "Vulnerability notes" }, "product_status": { "additionalProperties": false, "description": "Contains different lists of product_ids which provide details on the status of the referenced product related to the current vulnerability. ", "minProperties": 1, "properties": { "first_affected": { "$ref": "#/$defs/products_t", "description": "These are the first versions of the releases known to be affected by the vulnerability.", "title": "First affected" }, "first_fixed": { "$ref": "#/$defs/products_t", "description": "These versions contain the first fix for the vulnerability but may not be the recommended fixed versions.", "title": "First fixed" }, "fixed": { "$ref": "#/$defs/products_t", "description": "These versions contain a fix for the vulnerability but may not be the recommended fixed versions.", "title": "Fixed" }, "known_affected": { "$ref": "#/$defs/products_t", "description": "These versions are known to be affected by the vulnerability.", "title": "Known affected" }, "known_not_affected": { "$ref": "#/$defs/products_t", "description": "These versions are known not to be affected by the vulnerability.", "title": "Known not affected" }, "last_affected": { "$ref": "#/$defs/products_t", "description": "These are the last versions in a release train known to be affected by the vulnerability. Subsequently released versions would contain a fix for the vulnerability.", "title": "Last affected" }, "recommended": { "$ref": "#/$defs/products_t", "description": "These versions have a fix for the vulnerability and are the vendor-recommended versions for fixing the vulnerability.", "title": "Recommended" }, "under_investigation": { "$ref": "#/$defs/products_t", "description": "It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.", "title": "Under investigation" } }, "title": "Product status", "type": "object" }, "references": { "$ref": "#/$defs/references_t", "description": "Holds a list of references associated with this vulnerability item.", "title": "Vulnerability references" }, "release_date": { "description": "Holds the date and time the vulnerability was originally released into the wild.", "format": "date-time", "title": "Release date", "type": "string" }, "remediations": { "description": "Contains a list of remediations.", "items": { "additionalProperties": false, "description": "Specifies details on how to handle (and presumably, fix) a vulnerability.", "properties": { "category": { "description": "Specifies the category which this remediation belongs to.", "enum": [ "mitigation", "no_fix_planned", "none_available", "vendor_fix", "workaround" ], "title": "Category of the remediation", "type": "string" }, "date": { "description": "Contains the date from which the remediation is available.", "format": "date-time", "title": "Date of the remediation", "type": "string" }, "details": { "description": "Contains a thorough human-readable discussion of the remediation.", "minLength": 1, "title": "Details of the remediation", "type": "string" }, "entitlements": { "description": "Contains a list of entitlements.", "items": { "description": "Contains any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.", "minLength": 1, "title": "Entitlement of the remediation", "type": "string" }, "minItems": 1, "title": "List of entitlements", "type": "array" }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "product_ids": { "$ref": "#/$defs/products_t" }, "restart_required": { "additionalProperties": false, "description": "Provides information on category of restart is required by this remediation to become effective.", "properties": { "category": { "description": "Specifies what category of restart is required by this remediation to become effective.", "enum": [ "connected", "dependencies", "machine", "none", "parent", "service", "system", "vulnerable_component", "zone" ], "title": "Category of restart", "type": "string" }, "details": { "description": "Provides additional information for the restart. This can include details on procedures, scope or impact.", "minLength": 1, "title": "Additional restart information", "type": "string" } }, "required": [ "category" ], "title": "Restart required by remediation", "type": "object" }, "url": { "description": "Contains the URL where to obtain the remediation.", "format": "uri", "title": "URL to the remediation", "type": "string" } }, "required": [ "category", "details" ], "title": "Remediation", "type": "object" }, "minItems": 1, "title": "List of remediations", "type": "array" }, "scores": { "description": "Contains score objects for the current vulnerability.", "items": { "additionalProperties": false, "description": "Specifies information about (at least one) score of the vulnerability and for which products the given value applies.", "minProperties": 2, "properties": { "cvss_v2": { "$ref": "https://www.first.org/cvss/cvss-v2.0.json" }, "cvss_v3": { "oneOf": [ { "$ref": "https://www.first.org/cvss/cvss-v3.0.json" }, { "$ref": "https://www.first.org/cvss/cvss-v3.1.json" } ] }, "products": { "$ref": "#/$defs/products_t" } }, "required": [ "products" ], "title": "Score", "type": "object" }, "minItems": 1, "title": "List of scores", "type": "array" }, "threats": { "description": "Contains information about a vulnerability that can change with time.", "items": { "additionalProperties": false, "description": "Contains the vulnerability kinetic information. This information can change as the vulnerability ages and new information becomes available.", "properties": { "category": { "description": "Categorizes the threat according to the rules of the specification.", "enum": [ "exploit_status", "impact", "target_set" ], "title": "Category of the threat", "type": "string" }, "date": { "description": "Contains the date when the assessment was done or the threat appeared.", "format": "date-time", "title": "Date of the threat", "type": "string" }, "details": { "description": "Represents a thorough human-readable discussion of the threat.", "minLength": 1, "title": "Details of the threat", "type": "string" }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "product_ids": { "$ref": "#/$defs/products_t" } }, "required": [ "category", "details" ], "title": "Threat", "type": "object" }, "minItems": 1, "title": "List of threats", "type": "array" }, "title": { "description": "Gives the document producer the ability to apply a canonical name or title to the vulnerability.", "minLength": 1, "title": "Title", "type": "string" } }, "title": "Vulnerability", "type": "object" }, "minItems": 1, "title": "Vulnerabilities", "type": "array" } }, "required": [ "document" ], "title": "Common Security Advisory Framework", "type": "object" } CSAF-0.25/lib/CSAF/resources/cache/09c932cd025cb0f5110be89389cfe6fc0000644000175000017500000015750014610514351022114 0ustar peppepeppe{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json", "title": "Common Security Advisory Framework", "description": "Representation of security advisory information as a JSON document.", "type": "object", "$defs": { "acknowledgments_t": { "title": "List of acknowledgments", "description": "Contains a list of acknowledgment elements.", "type": "array", "minItems": 1, "items": { "title": "Acknowledgment", "description": "Acknowledges contributions by describing those that contributed.", "type": "object", "minProperties": 1, "properties": { "names": { "title": "List of acknowledged names", "description": "Contains the names of contributors being recognized.", "type": "array", "minItems": 1, "items": { "title": "Name of the contributor", "description": "Contains the name of a single contributor being recognized.", "type": "string", "minLength": 1, "examples": [ "Albert Einstein", "Johann Sebastian Bach" ] } }, "organization": { "title": "Contributing organization", "description": "Contains the name of a contributing organization being recognized.", "type": "string", "minLength": 1, "examples": [ "CISA", "Google Project Zero", "Talos" ] }, "summary": { "title": "Summary of the acknowledgment", "description": "SHOULD represent any contextual details the document producers wish to make known about the acknowledgment or acknowledged parties.", "type": "string", "minLength": 1, "examples": [ "First analysis of Coordinated Multi-Stream Attack (CMSA)" ] }, "urls": { "title": "List of URLs", "description": "Specifies a list of URLs or location of the reference to be acknowledged.", "type": "array", "minItems": 1, "items": { "title": "URL of acknowledgment", "description": "Contains the URL or location of the reference to be acknowledged.", "type": "string", "format": "uri" } } } } }, "branches_t": { "title": "List of branches", "description": "Contains branch elements as children of the current element.", "type": "array", "minItems": 1, "items": { "title": "Branch", "description": "Is a part of the hierarchical structure of the product tree.", "type": "object", "maxProperties": 3, "minProperties": 3, "required": [ "category", "name" ], "properties": { "branches": { "$ref": "#/$defs/branches_t" }, "category": { "title": "Category of the branch", "description": "Describes the characteristics of the labeled branch.", "type": "string", "enum": [ "architecture", "host_name", "language", "legacy", "patch_level", "product_family", "product_name", "product_version", "product_version_range", "service_pack", "specification", "vendor" ] }, "name": { "title": "Name of the branch", "description": "Contains the canonical descriptor or 'friendly name' of the branch.", "type": "string", "minLength": 1, "examples": [ "10", "365", "Microsoft", "Office", "PCS 7", "SIMATIC", "Siemens", "Windows" ] }, "product": { "$ref": "#/$defs/full_product_name_t" } } } }, "full_product_name_t": { "title": "Full product name", "description": "Specifies information about the product and assigns the product_id.", "type": "object", "required": [ "name", "product_id" ], "properties": { "name": { "title": "Textual description of the product", "description": "The value should be the product’s full canonical name, including version number and other attributes, as it would be used in a human-friendly document.", "type": "string", "minLength": 1, "examples": [ "Cisco AnyConnect Secure Mobility Client 2.3.185", "Microsoft Host Integration Server 2006 Service Pack 1" ] }, "product_id": { "$ref": "#/$defs/product_id_t" }, "product_identification_helper": { "title": "Helper to identify the product", "description": "Provides at least one method which aids in identifying the product in an asset database.", "type": "object", "minProperties": 1, "properties": { "cpe": { "title": "Common Platform Enumeration representation", "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.", "type": "string", "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$", "minLength": 5 }, "hashes": { "title": "List of hashes", "description": "Contains a list of cryptographic hashes usable to identify files.", "type": "array", "minItems": 1, "items": { "title": "Cryptographic hashes", "description": "Contains all information to identify a file based on its cryptographic hash values.", "type": "object", "required": [ "file_hashes", "filename" ], "properties": { "file_hashes": { "title": "List of file hashes", "description": "Contains a list of cryptographic hashes for this file.", "type": "array", "minItems": 1, "items": { "title": "File hash", "description": "Contains one hash value and algorithm of the file to be identified.", "type": "object", "required": [ "algorithm", "value" ], "properties": { "algorithm": { "title": "Algorithm of the cryptographic hash", "description": "Contains the name of the cryptographic hash algorithm used to calculate the value.", "type": "string", "default": "sha256", "minLength": 1, "examples": [ "blake2b512", "sha256", "sha3-512", "sha384", "sha512" ] }, "value": { "title": "Value of the cryptographic hash", "description": "Contains the cryptographic hash value in hexadecimal representation.", "type": "string", "pattern": "^[0-9a-fA-F]{32,}$", "minLength": 32, "examples": [ "37df33cb7464da5c7f077f4d56a32bc84987ec1d85b234537c1c1a4d4fc8d09dc29e2e762cb5203677bf849a2855a0283710f1f5fe1d6ce8d5ac85c645d0fcb3", "4775203615d9534a8bfca96a93dc8b461a489f69124a130d786b42204f3341cc", "9ea4c8200113d49d26505da0e02e2f49055dc078d1ad7a419b32e291c7afebbb84badfbd46dec42883bea0b2a1fa697c" ] } } } }, "filename": { "title": "Filename", "description": "Contains the name of the file which is identified by the hash values.", "type": "string", "minLength": 1, "examples": [ "WINWORD.EXE", "msotadddin.dll", "sudoers.so" ] } } } }, "model_numbers": { "title": "List of models", "description": "Contains a list of full or abbreviated (partial) model numbers.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Model number", "description": "Contains a full or abbreviated (partial) model number of the component to identify.", "type": "string", "minLength": 1 } }, "purl": { "title": "package URL representation", "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.", "type": "string", "format": "uri", "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+", "minLength": 7 }, "sbom_urls": { "title": "List of SBOM URLs", "description": "Contains a list of URLs where SBOMs for this product can be retrieved.", "type": "array", "minItems": 1, "items": { "title": "SBOM URL", "description": "Contains a URL of one SBOM for this product.", "type": "string", "format": "uri" } }, "serial_numbers": { "title": "List of serial numbers", "description": "Contains a list of full or abbreviated (partial) serial numbers.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Serial number", "description": "Contains a full or abbreviated (partial) serial number of the component to identify.", "type": "string", "minLength": 1 } }, "skus": { "title": "List of stock keeping units", "description": "Contains a list of full or abbreviated (partial) stock keeping units.", "type": "array", "minItems": 1, "items": { "title": "Stock keeping unit", "description": "Contains a full or abbreviated (partial) stock keeping unit (SKU) which is used in the ordering process to identify the component.", "type": "string", "minLength": 1 } }, "x_generic_uris": { "title": "List of generic URIs", "description": "Contains a list of identifiers which are either vendor-specific or derived from a standard not yet supported.", "type": "array", "minItems": 1, "items": { "title": "Generic URI", "description": "Provides a generic extension point for any identifier which is either vendor-specific or derived from a standard not yet supported.", "type": "object", "required": [ "namespace", "uri" ], "properties": { "namespace": { "title": "Namespace of the generic URI", "description": "Refers to a URL which provides the name and knowledge about the specification used or is the namespace in which these values are valid.", "type": "string", "format": "uri" }, "uri": { "title": "URI", "description": "Contains the identifier itself.", "type": "string", "format": "uri" } } } } } } } }, "lang_t": { "title": "Language type", "description": "Identifies a language, corresponding to IETF BCP 47 / RFC 5646. See IETF language registry: https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry", "type": "string", "pattern": "^(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?|[A-Za-z]{4,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3}))*(-[A-WY-Za-wy-z0-9](-[A-Za-z0-9]{2,8})+)*(-[Xx](-[A-Za-z0-9]{1,8})+)?|[Xx](-[A-Za-z0-9]{1,8})+|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Mm][Ii][Nn][Gg][Oo])$", "examples": [ "de", "en", "fr", "frc", "jp" ] }, "notes_t": { "title": "List of notes", "description": "Contains notes which are specific to the current context.", "type": "array", "minItems": 1, "items": { "title": "Note", "description": "Is a place to put all manner of text blobs related to the current context.", "type": "object", "required": [ "category", "text" ], "properties": { "audience": { "title": "Audience of note", "description": "Indicates who is intended to read it.", "type": "string", "minLength": 1, "examples": [ "all", "executives", "operational management and system administrators", "safety engineers" ] }, "category": { "title": "Note category", "description": "Contains the information of what kind of note this is.", "type": "string", "enum": [ "description", "details", "faq", "general", "legal_disclaimer", "other", "summary" ] }, "text": { "title": "Note content", "description": "Holds the content of the note. Content varies depending on type.", "type": "string", "minLength": 1 }, "title": { "title": "Title of note", "description": "Provides a concise description of what is contained in the text of the note.", "type": "string", "minLength": 1, "examples": [ "Details", "Executive summary", "Technical summary", "Impact on safety systems" ] } } } }, "product_group_id_t": { "title": "Reference token for product group instance", "description": "Token required to identify a group of products so that it can be referred to from other parts in the document. There is no predefined or required format for the product_group_id as long as it uniquely identifies a group in the context of the current document.", "type": "string", "minLength": 1, "examples": [ "CSAFGID-0001", "CSAFGID-0002", "CSAFGID-0020" ] }, "product_groups_t": { "title": "List of product_group_ids", "description": "Specifies a list of product_group_ids to give context to the parent item.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "$ref": "#/$defs/product_group_id_t" } }, "product_id_t": { "title": "Reference token for product instance", "description": "Token required to identify a full_product_name so that it can be referred to from other parts in the document. There is no predefined or required format for the product_id as long as it uniquely identifies a product in the context of the current document.", "type": "string", "minLength": 1, "examples": [ "CSAFPID-0004", "CSAFPID-0008" ] }, "products_t": { "title": "List of product_ids", "description": "Specifies a list of product_ids to give context to the parent item.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "$ref": "#/$defs/product_id_t" } }, "references_t": { "title": "List of references", "description": "Holds a list of references.", "type": "array", "minItems": 1, "items": { "title": "Reference", "description": "Holds any reference to conferences, papers, advisories, and other resources that are related and considered related to either a surrounding part of or the entire document and to be of value to the document consumer.", "type": "object", "required": [ "summary", "url" ], "properties": { "category": { "title": "Category of reference", "description": "Indicates whether the reference points to the same document or vulnerability in focus (depending on scope) or to an external resource.", "type": "string", "default": "external", "enum": [ "external", "self" ] }, "summary": { "title": "Summary of the reference", "description": "Indicates what this reference refers to.", "type": "string", "minLength": 1 }, "url": { "title": "URL of reference", "description": "Provides the URL for the reference.", "type": "string", "format": "uri" } } } }, "version_t": { "title": "Version", "description": "Specifies a version string to denote clearly the evolution of the content of the document. Format must be either integer or semantic versioning.", "type": "string", "pattern": "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$", "examples": [ "1", "4", "0.9.0", "1.4.3", "2.40.0+21AF26D3" ] } }, "required": [ "document" ], "properties": { "document": { "title": "Document level meta-data", "description": "Captures the meta-data about this document describing a particular set of security advisories.", "type": "object", "required": [ "category", "csaf_version", "publisher", "title", "tracking" ], "properties": { "acknowledgments": { "title": "Document acknowledgments", "description": "Contains a list of acknowledgment elements associated with the whole document.", "$ref": "#/$defs/acknowledgments_t" }, "aggregate_severity": { "title": "Aggregate severity", "description": "Is a vehicle that is provided by the document producer to convey the urgency and criticality with which the one or more vulnerabilities reported should be addressed. It is a document-level metric and applied to the document as a whole — not any specific vulnerability. The range of values in this field is defined according to the document producer's policies and procedures.", "type": "object", "required": [ "text" ], "properties": { "namespace": { "title": "Namespace of aggregate severity", "description": "Points to the namespace so referenced.", "type": "string", "format": "uri" }, "text": { "title": "Text of aggregate severity", "description": "Provides a severity which is independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS).", "type": "string", "minLength": 1, "examples": [ "Critical", "Important", "Moderate" ] } } }, "category": { "title": "Document category", "description": "Defines a short canonical name, chosen by the document producer, which will inform the end user as to the category of document.", "type": "string", "pattern": "^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$", "minLength": 1, "examples": [ "csaf_base", "csaf_security_advisory", "csaf_vex", "Example Company Security Notice" ] }, "csaf_version": { "title": "CSAF version", "description": "Gives the version of the CSAF specification which the document was generated for.", "type": "string", "enum": [ "2.0" ] }, "distribution": { "title": "Rules for sharing document", "description": "Describe any constraints on how this document might be shared.", "type": "object", "minProperties": 1, "properties": { "text": { "title": "Textual description", "description": "Provides a textual description of additional constraints.", "type": "string", "minLength": 1, "examples": [ "Copyright 2021, Example Company, All Rights Reserved.", "Distribute freely.", "Share only on a need-to-know-basis only." ] }, "tlp": { "title": "Traffic Light Protocol (TLP)", "description": "Provides details about the TLP classification of the document.", "type": "object", "required": [ "label" ], "properties": { "label": { "title": "Label of TLP", "description": "Provides the TLP label of the document.", "type": "string", "enum": [ "AMBER", "GREEN", "RED", "WHITE" ] }, "url": { "title": "URL of TLP version", "description": "Provides a URL where to find the textual description of the TLP version which is used in this document. Default is the URL to the definition by FIRST.", "type": "string", "default": "https://www.first.org/tlp/", "format": "uri", "examples": [ "https://www.us-cert.gov/tlp", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf" ] } } } } }, "lang": { "title": "Document language", "description": "Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.", "$ref": "#/$defs/lang_t" }, "notes": { "title": "Document notes", "description": "Holds notes associated with the whole document.", "$ref": "#/$defs/notes_t" }, "publisher": { "title": "Publisher", "description": "Provides information about the publisher of the document.", "type": "object", "required": [ "category", "name", "namespace" ], "properties": { "category": { "title": "Category of publisher", "description": "Provides information about the category of publisher releasing the document.", "type": "string", "enum": [ "coordinator", "discoverer", "other", "translator", "user", "vendor" ] }, "contact_details": { "title": "Contact details", "description": "Information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.", "type": "string", "minLength": 1, "examples": [ "Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact." ] }, "issuing_authority": { "title": "Issuing authority", "description": "Provides information about the authority of the issuing party to release the document, in particular, the party's constituency and responsibilities or other obligations.", "type": "string", "minLength": 1 }, "name": { "title": "Name of publisher", "description": "Contains the name of the issuing party.", "type": "string", "minLength": 1, "examples": [ "BSI", "Cisco PSIRT", "Siemens ProductCERT" ] }, "namespace": { "title": "Namespace of publisher", "description": "Contains a URL which is under control of the issuing party and can be used as a globally unique identifier for that issuing party.", "type": "string", "format": "uri", "examples": [ "https://csaf.io", "https://www.example.com" ] } } }, "references": { "title": "Document references", "description": "Holds a list of references associated with the whole document.", "$ref": "#/$defs/references_t" }, "source_lang": { "title": "Source language", "description": "If this copy of the document is a translation then the value of this property describes from which language this document was translated.", "$ref": "#/$defs/lang_t" }, "title": { "title": "Title of this document", "description": "This SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.", "type": "string", "minLength": 1, "examples": [ "Cisco IPv6 Crafted Packet Denial of Service Vulnerability", "Example Company Cross-Site-Scripting Vulnerability in Example Generator" ] }, "tracking": { "title": "Tracking", "description": "Is a container designated to hold all management attributes necessary to track a CSAF document as a whole.", "type": "object", "required": [ "current_release_date", "id", "initial_release_date", "revision_history", "status", "version" ], "properties": { "aliases": { "title": "Aliases", "description": "Contains a list of alternate names for the same document.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Alternate name", "description": "Specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.", "type": "string", "minLength": 1, "examples": [ "CVE-2019-12345" ] } }, "current_release_date": { "title": "Current release date", "description": "The date when the current revision of this document was released", "type": "string", "format": "date-time" }, "generator": { "title": "Document generator", "description": "Is a container to hold all elements related to the generation of the document. These items will reference when the document was actually created, including the date it was generated and the entity that generated it.", "type": "object", "required": [ "engine" ], "properties": { "date": { "title": "Date of document generation", "description": "This SHOULD be the current date that the document was generated. Because documents are often generated internally by a document producer and exist for a nonzero amount of time before being released, this field MAY be different from the Initial Release Date and Current Release Date.", "type": "string", "format": "date-time" }, "engine": { "title": "Engine of document generation", "description": "Contains information about the engine that generated the CSAF document.", "type": "object", "required": [ "name" ], "properties": { "name": { "title": "Engine name", "description": "Represents the name of the engine that generated the CSAF document.", "type": "string", "minLength": 1, "examples": [ "Red Hat rhsa-to-cvrf", "Secvisogram", "TVCE" ] }, "version": { "title": "Engine version", "description": "Contains the version of the engine that generated the CSAF document.", "type": "string", "minLength": 1, "examples": [ "0.6.0", "1.0.0-beta+exp.sha.a1c44f85", "2" ] } } } } }, "id": { "title": "Unique identifier for the document", "description": "The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority.", "type": "string", "pattern": "^[\\S](.*[\\S])?$", "minLength": 1, "examples": [ "Example Company - 2019-YH3234", "RHBA-2019:0024", "cisco-sa-20190513-secureboot" ] }, "initial_release_date": { "title": "Initial release date", "description": "The date when this document was first published.", "type": "string", "format": "date-time" }, "revision_history": { "title": "Revision history", "description": "Holds one revision item for each version of the CSAF document, including the initial one.", "type": "array", "minItems": 1, "items": { "title": "Revision", "description": "Contains all the information elements required to track the evolution of a CSAF document.", "type": "object", "required": [ "date", "number", "summary" ], "properties": { "date": { "title": "Date of the revision", "description": "The date of the revision entry", "type": "string", "format": "date-time" }, "legacy_version": { "title": "Legacy version of the revision", "description": "Contains the version string used in an existing document with the same content.", "type": "string", "minLength": 1 }, "number": { "$ref": "#/$defs/version_t" }, "summary": { "title": "Summary of the revision", "description": "Holds a single non-empty string representing a short description of the changes.", "type": "string", "minLength": 1, "examples": [ "Initial version." ] } } } }, "status": { "title": "Document status", "description": "Defines the draft status of the document.", "type": "string", "enum": [ "draft", "final", "interim" ] }, "version": { "$ref": "#/$defs/version_t" } } } } }, "product_tree": { "title": "Product tree", "description": "Is a container for all fully qualified product names that can be referenced elsewhere in the document.", "type": "object", "minProperties": 1, "properties": { "branches": { "$ref": "#/$defs/branches_t" }, "full_product_names": { "title": "List of full product names", "description": "Contains a list of full product names.", "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/full_product_name_t" } }, "product_groups": { "title": "List of product groups", "description": "Contains a list of product groups.", "type": "array", "minItems": 1, "items": { "title": "Product group", "description": "Defines a new logical group of products that can then be referred to in other parts of the document to address a group of products with a single identifier.", "type": "object", "required": [ "group_id", "product_ids" ], "properties": { "group_id": { "$ref": "#/$defs/product_group_id_t" }, "product_ids": { "title": "List of Product IDs", "description": "Lists the product_ids of those products which known as one group in the document.", "type": "array", "minItems": 2, "uniqueItems": true, "items": { "$ref": "#/$defs/product_id_t" } }, "summary": { "title": "Summary of the product group", "description": "Gives a short, optional description of the group.", "type": "string", "minLength": 1, "examples": [ "Products supporting Modbus.", "The x64 versions of the operating system." ] } } } }, "relationships": { "title": "List of relationships", "description": "Contains a list of relationships.", "type": "array", "minItems": 1, "items": { "title": "Relationship", "description": "Establishes a link between two existing full_product_name_t elements, allowing the document producer to define a combination of two products that form a new full_product_name entry.", "type": "object", "required": [ "category", "full_product_name", "product_reference", "relates_to_product_reference" ], "properties": { "category": { "title": "Relationship category", "description": "Defines the category of relationship for the referenced component.", "type": "string", "enum": [ "default_component_of", "external_component_of", "installed_on", "installed_with", "optional_component_of" ] }, "full_product_name": { "$ref": "#/$defs/full_product_name_t" }, "product_reference": { "title": "Product reference", "description": "Holds a Product ID that refers to the Full Product Name element, which is referenced as the first element of the relationship.", "$ref": "#/$defs/product_id_t" }, "relates_to_product_reference": { "title": "Relates to product reference", "description": "Holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.", "$ref": "#/$defs/product_id_t" } } } } } }, "vulnerabilities": { "title": "Vulnerabilities", "description": "Represents a list of all relevant vulnerability information items.", "type": "array", "minItems": 1, "items": { "title": "Vulnerability", "description": "Is a container for the aggregation of all fields that are related to a single vulnerability in the document.", "type": "object", "minProperties": 1, "properties": { "acknowledgments": { "title": "Vulnerability acknowledgments", "description": "Contains a list of acknowledgment elements associated with this vulnerability item.", "$ref": "#/$defs/acknowledgments_t" }, "cve": { "title": "CVE", "description": "Holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.", "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" }, "cwe": { "title": "CWE", "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.", "type": "object", "required": [ "id", "name" ], "properties": { "id": { "title": "Weakness ID", "description": "Holds the ID for the weakness associated.", "type": "string", "pattern": "^CWE-[1-9]\\d{0,5}$", "examples": [ "CWE-22", "CWE-352", "CWE-79" ] }, "name": { "title": "Weakness name", "description": "Holds the full name of the weakness as given in the CWE specification.", "type": "string", "minLength": 1, "examples": [ "Cross-Site Request Forgery (CSRF)", "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" ] } } }, "discovery_date": { "title": "Discovery date", "description": "Holds the date and time the vulnerability was originally discovered.", "type": "string", "format": "date-time" }, "flags": { "title": "List of flags", "description": "Contains a list of machine readable flags.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Flag", "description": "Contains product specific information in regard to this vulnerability as a single machine readable flag.", "type": "object", "required": [ "label" ], "properties": { "date": { "title": "Date of the flag", "description": "Contains the date when assessment was done or the flag was assigned.", "type": "string", "format": "date-time" }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "label": { "title": "Label of the flag", "description": "Specifies the machine readable label.", "type": "string", "enum": [ "component_not_present", "inline_mitigations_already_exist", "vulnerable_code_cannot_be_controlled_by_adversary", "vulnerable_code_not_in_execute_path", "vulnerable_code_not_present" ] }, "product_ids": { "$ref": "#/$defs/products_t" } } } }, "ids": { "title": "List of IDs", "description": "Represents a list of unique labels or tracking IDs for the vulnerability (if such information exists).", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "ID", "description": "Contains a single unique label or tracking ID for the vulnerability.", "type": "object", "required": [ "system_name", "text" ], "properties": { "system_name": { "title": "System name", "description": "Indicates the name of the vulnerability tracking or numbering system.", "type": "string", "minLength": 1, "examples": [ "Cisco Bug ID", "GitHub Issue" ] }, "text": { "title": "Text", "description": "Is unique label or tracking ID for the vulnerability (if such information exists).", "type": "string", "minLength": 1, "examples": [ "CSCso66472", "oasis-tcs/csaf#210" ] } } } }, "involvements": { "title": "List of involvements", "description": "Contains a list of involvements.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Involvement", "description": "Is a container, that allows the document producers to comment on the level of involvement (or engagement) of themselves or third parties in the vulnerability identification, scoping, and remediation process.", "type": "object", "required": [ "party", "status" ], "properties": { "date": { "title": "Date of involvement", "description": "Holds the date and time of the involvement entry.", "type": "string", "format": "date-time" }, "party": { "title": "Party category", "description": "Defines the category of the involved party.", "type": "string", "enum": [ "coordinator", "discoverer", "other", "user", "vendor" ] }, "status": { "title": "Party status", "description": "Defines contact status of the involved party.", "type": "string", "enum": [ "completed", "contact_attempted", "disputed", "in_progress", "not_contacted", "open" ] }, "summary": { "title": "Summary of the involvement", "description": "Contains additional context regarding what is going on.", "type": "string", "minLength": 1 } } } }, "notes": { "title": "Vulnerability notes", "description": "Holds notes associated with this vulnerability item.", "$ref": "#/$defs/notes_t" }, "product_status": { "title": "Product status", "description": "Contains different lists of product_ids which provide details on the status of the referenced product related to the current vulnerability. ", "type": "object", "minProperties": 1, "properties": { "first_affected": { "title": "First affected", "description": "These are the first versions of the releases known to be affected by the vulnerability.", "$ref": "#/$defs/products_t" }, "first_fixed": { "title": "First fixed", "description": "These versions contain the first fix for the vulnerability but may not be the recommended fixed versions.", "$ref": "#/$defs/products_t" }, "fixed": { "title": "Fixed", "description": "These versions contain a fix for the vulnerability but may not be the recommended fixed versions.", "$ref": "#/$defs/products_t" }, "known_affected": { "title": "Known affected", "description": "These versions are known to be affected by the vulnerability.", "$ref": "#/$defs/products_t" }, "known_not_affected": { "title": "Known not affected", "description": "These versions are known not to be affected by the vulnerability.", "$ref": "#/$defs/products_t" }, "last_affected": { "title": "Last affected", "description": "These are the last versions in a release train known to be affected by the vulnerability. Subsequently released versions would contain a fix for the vulnerability.", "$ref": "#/$defs/products_t" }, "recommended": { "title": "Recommended", "description": "These versions have a fix for the vulnerability and are the vendor-recommended versions for fixing the vulnerability.", "$ref": "#/$defs/products_t" }, "under_investigation": { "title": "Under investigation", "description": "It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.", "$ref": "#/$defs/products_t" } } }, "references": { "title": "Vulnerability references", "description": "Holds a list of references associated with this vulnerability item.", "$ref": "#/$defs/references_t" }, "release_date": { "title": "Release date", "description": "Holds the date and time the vulnerability was originally released into the wild.", "type": "string", "format": "date-time" }, "remediations": { "title": "List of remediations", "description": "Contains a list of remediations.", "type": "array", "minItems": 1, "items": { "title": "Remediation", "description": "Specifies details on how to handle (and presumably, fix) a vulnerability.", "type": "object", "required": [ "category", "details" ], "properties": { "category": { "title": "Category of the remediation", "description": "Specifies the category which this remediation belongs to.", "type": "string", "enum": [ "mitigation", "no_fix_planned", "none_available", "vendor_fix", "workaround" ] }, "date": { "title": "Date of the remediation", "description": "Contains the date from which the remediation is available.", "type": "string", "format": "date-time" }, "details": { "title": "Details of the remediation", "description": "Contains a thorough human-readable discussion of the remediation.", "type": "string", "minLength": 1 }, "entitlements": { "title": "List of entitlements", "description": "Contains a list of entitlements.", "type": "array", "minItems": 1, "items": { "title": "Entitlement of the remediation", "description": "Contains any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.", "type": "string", "minLength": 1 } }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "product_ids": { "$ref": "#/$defs/products_t" }, "restart_required": { "title": "Restart required by remediation", "description": "Provides information on category of restart is required by this remediation to become effective.", "type": "object", "required": [ "category" ], "properties": { "category": { "title": "Category of restart", "description": "Specifies what category of restart is required by this remediation to become effective.", "type": "string", "enum": [ "connected", "dependencies", "machine", "none", "parent", "service", "system", "vulnerable_component", "zone" ] }, "details": { "title": "Additional restart information", "description": "Provides additional information for the restart. This can include details on procedures, scope or impact.", "type": "string", "minLength": 1 } } }, "url": { "title": "URL to the remediation", "description": "Contains the URL where to obtain the remediation.", "type": "string", "format": "uri" } } } }, "scores": { "title": "List of scores", "description": "Contains score objects for the current vulnerability.", "type": "array", "minItems": 1, "items": { "title": "Score", "description": "Specifies information about (at least one) score of the vulnerability and for which products the given value applies.", "type": "object", "minProperties": 2, "required": [ "products" ], "properties": { "cvss_v2": { "$ref": "https://www.first.org/cvss/cvss-v2.0.json" }, "cvss_v3": { "oneOf": [ { "$ref": "https://www.first.org/cvss/cvss-v3.0.json" }, { "$ref": "https://www.first.org/cvss/cvss-v3.1.json" } ] }, "products": { "$ref": "#/$defs/products_t" } } } }, "threats": { "title": "List of threats", "description": "Contains information about a vulnerability that can change with time.", "type": "array", "minItems": 1, "items": { "title": "Threat", "description": "Contains the vulnerability kinetic information. This information can change as the vulnerability ages and new information becomes available.", "type": "object", "required": [ "category", "details" ], "properties": { "category": { "title": "Category of the threat", "description": "Categorizes the threat according to the rules of the specification.", "type": "string", "enum": [ "exploit_status", "impact", "target_set" ] }, "date": { "title": "Date of the threat", "description": "Contains the date when the assessment was done or the threat appeared.", "type": "string", "format": "date-time" }, "details": { "title": "Details of the threat", "description": "Represents a thorough human-readable discussion of the threat.", "type": "string", "minLength": 1 }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "product_ids": { "$ref": "#/$defs/products_t" } } } }, "title": { "title": "Title", "description": "Gives the document producer the ability to apply a canonical name or title to the vulnerability.", "type": "string", "minLength": 1 } } } } } } CSAF-0.25/lib/CSAF/resources/cache/310db979ce6c3fb104849a8943c463920000644000175000017500000001630514610514351021623 0ustar peppepeppe{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json", "title": "CSAF provider metadata", "description": "Representation of metadata information of a CSAF provider as a JSON document.", "type": "object", "$defs": { "json_url_t": { "title": "JSON URL type", "description": "Contains a URL of a JSON file.", "type": "string", "format": "uri", "pattern": "\\.json$" }, "provider_url_t": { "title": "Provider URL type", "description": "Contains a URL of a provider-metadata.json.", "type": "string", "format": "uri", "pattern": "/provider-metadata\\.json$" }, "url_t": { "title": "Generic URL type", "description": "Contains a URL.", "type": "string", "format": "uri" } }, "required": [ "canonical_url", "last_updated", "list_on_CSAF_aggregators", "mirror_on_CSAF_aggregators", "metadata_version", "publisher", "role" ], "properties": { "canonical_url": { "title": "Canonical URL", "description": "Contains the URL for this document.", "$ref": "#/$defs/provider_url_t" }, "distributions": { "title": "List of Distribution", "description": "Contains a list of used distribution mechanisms.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Distribution", "description": "Contains the information of a used distribution mechanism.", "type": "object", "minProperties": 1, "properties": { "directory_url": { "title": "Directory URL", "description": "Contains the base url for the directory distribution.", "$ref": "#/$defs/url_t" }, "rolie": { "title": "ROLIE", "description": "Contains all information for ROLIE distribution.", "type": "object", "required": [ "feeds" ], "properties": { "categories": { "title": "List of ROLIE category document URLs", "description": "Contains a list of URLs which contain ROLIE category documents.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "ROLIE category document URL", "description": "Contains a URL of a ROLIE category document.", "$ref": "#/$defs/json_url_t" } }, "feeds": { "title": "List of ROLIE feeds", "description": "Contains a list of information about ROLIE feeds.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "ROLIE feed", "description": "Contains information about the ROLIE feed.", "type": "object", "required": [ "tlp_label", "url" ], "properties": { "summary": { "title": "Summary of the feed", "description": "Contains a summary of the feed.", "type": "string", "examples": [ "All TLP:WHITE advisories of Example Company." ] }, "tlp_label": { "title": "TLP label", "description": "Provides the TLP label for the feed.", "type": "string", "enum": [ "UNLABELED", "WHITE", "GREEN", "AMBER", "RED" ] }, "url": { "title": "URL of the feed", "description": "Contains the URL of the feed.", "$ref": "#/$defs/json_url_t" } } } }, "services": { "title": "List of ROLIE service document URLs", "description": "Contains a list of URLs which contain ROLIE service documents.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "ROLIE service document URL", "description": "Contains a URL of a ROLIE service document.", "$ref": "#/$defs/json_url_t" } } } } } } }, "last_updated": { "title": "Last updated", "description": "Holds the date and time when the document was last updated.", "type": "string", "format": "date-time" }, "list_on_CSAF_aggregators": { "title": "List on CSAF aggregators", "description": "Decides whether this file should be linked in the list of a CSAF aggregator.", "type": "boolean", "default": true }, "metadata_version": { "title": "CSAF provider metadata version", "description": "Gives the version of the CSAF provider metadata specification which the document was generated for.", "type": "string", "enum": [ "2.0" ] }, "mirror_on_CSAF_aggregators": { "title": "Mirror on CSAF aggregators", "description": "Decides whether the CSAF documents can be mirrored and provided by a CSAF aggregator.", "type": "boolean", "default": true }, "public_openpgp_keys": { "title": "List of public OpenPGP keys", "description": "Contains a list of OpenPGP keys used to sign CSAF documents.", "type": "array", "items": { "title": "PGP keys", "description": "Contains all information about an OpenPGP key used to sign CSAF documents.", "type": "object", "required": [ "url" ], "properties": { "fingerprint": { "title": "Fingerprint of the key", "description": "Contains the fingerprint of the OpenPGP key.", "type": "string", "minLength": 40, "pattern": "^[0-9a-fA-F]{40,}$" }, "url": { "title": "URL of the key", "description": "Contains the URL where the key can be retrieved.", "$ref": "#/$defs/url_t" } } } }, "publisher": { "title": "Publisher", "description": "Provides information about the publisher of the CSAF documents in this repository.", "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json#/properties/document/properties/publisher" }, "role": { "title": "Role of the issuing party", "description": "Contains the role of the issuing party according to section 7 in the CSAF standard.", "type": "string", "default": "csaf_provider", "enum": [ "csaf_publisher", "csaf_provider", "csaf_trusted_provider" ] } } } CSAF-0.25/lib/CSAF/resources/cache/ac1b12ae2d190a0c468b534b8a1b9bd20000644000175000017500000015750014610514472022140 0ustar peppepeppe{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json", "title": "Common Security Advisory Framework", "description": "Representation of security advisory information as a JSON document.", "type": "object", "$defs": { "acknowledgments_t": { "title": "List of acknowledgments", "description": "Contains a list of acknowledgment elements.", "type": "array", "minItems": 1, "items": { "title": "Acknowledgment", "description": "Acknowledges contributions by describing those that contributed.", "type": "object", "minProperties": 1, "properties": { "names": { "title": "List of acknowledged names", "description": "Contains the names of contributors being recognized.", "type": "array", "minItems": 1, "items": { "title": "Name of the contributor", "description": "Contains the name of a single contributor being recognized.", "type": "string", "minLength": 1, "examples": [ "Albert Einstein", "Johann Sebastian Bach" ] } }, "organization": { "title": "Contributing organization", "description": "Contains the name of a contributing organization being recognized.", "type": "string", "minLength": 1, "examples": [ "CISA", "Google Project Zero", "Talos" ] }, "summary": { "title": "Summary of the acknowledgment", "description": "SHOULD represent any contextual details the document producers wish to make known about the acknowledgment or acknowledged parties.", "type": "string", "minLength": 1, "examples": [ "First analysis of Coordinated Multi-Stream Attack (CMSA)" ] }, "urls": { "title": "List of URLs", "description": "Specifies a list of URLs or location of the reference to be acknowledged.", "type": "array", "minItems": 1, "items": { "title": "URL of acknowledgment", "description": "Contains the URL or location of the reference to be acknowledged.", "type": "string", "format": "uri" } } } } }, "branches_t": { "title": "List of branches", "description": "Contains branch elements as children of the current element.", "type": "array", "minItems": 1, "items": { "title": "Branch", "description": "Is a part of the hierarchical structure of the product tree.", "type": "object", "maxProperties": 3, "minProperties": 3, "required": [ "category", "name" ], "properties": { "branches": { "$ref": "#/$defs/branches_t" }, "category": { "title": "Category of the branch", "description": "Describes the characteristics of the labeled branch.", "type": "string", "enum": [ "architecture", "host_name", "language", "legacy", "patch_level", "product_family", "product_name", "product_version", "product_version_range", "service_pack", "specification", "vendor" ] }, "name": { "title": "Name of the branch", "description": "Contains the canonical descriptor or 'friendly name' of the branch.", "type": "string", "minLength": 1, "examples": [ "10", "365", "Microsoft", "Office", "PCS 7", "SIMATIC", "Siemens", "Windows" ] }, "product": { "$ref": "#/$defs/full_product_name_t" } } } }, "full_product_name_t": { "title": "Full product name", "description": "Specifies information about the product and assigns the product_id.", "type": "object", "required": [ "name", "product_id" ], "properties": { "name": { "title": "Textual description of the product", "description": "The value should be the product’s full canonical name, including version number and other attributes, as it would be used in a human-friendly document.", "type": "string", "minLength": 1, "examples": [ "Cisco AnyConnect Secure Mobility Client 2.3.185", "Microsoft Host Integration Server 2006 Service Pack 1" ] }, "product_id": { "$ref": "#/$defs/product_id_t" }, "product_identification_helper": { "title": "Helper to identify the product", "description": "Provides at least one method which aids in identifying the product in an asset database.", "type": "object", "minProperties": 1, "properties": { "cpe": { "title": "Common Platform Enumeration representation", "description": "The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.", "type": "string", "pattern": "^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$", "minLength": 5 }, "hashes": { "title": "List of hashes", "description": "Contains a list of cryptographic hashes usable to identify files.", "type": "array", "minItems": 1, "items": { "title": "Cryptographic hashes", "description": "Contains all information to identify a file based on its cryptographic hash values.", "type": "object", "required": [ "file_hashes", "filename" ], "properties": { "file_hashes": { "title": "List of file hashes", "description": "Contains a list of cryptographic hashes for this file.", "type": "array", "minItems": 1, "items": { "title": "File hash", "description": "Contains one hash value and algorithm of the file to be identified.", "type": "object", "required": [ "algorithm", "value" ], "properties": { "algorithm": { "title": "Algorithm of the cryptographic hash", "description": "Contains the name of the cryptographic hash algorithm used to calculate the value.", "type": "string", "default": "sha256", "minLength": 1, "examples": [ "blake2b512", "sha256", "sha3-512", "sha384", "sha512" ] }, "value": { "title": "Value of the cryptographic hash", "description": "Contains the cryptographic hash value in hexadecimal representation.", "type": "string", "pattern": "^[0-9a-fA-F]{32,}$", "minLength": 32, "examples": [ "37df33cb7464da5c7f077f4d56a32bc84987ec1d85b234537c1c1a4d4fc8d09dc29e2e762cb5203677bf849a2855a0283710f1f5fe1d6ce8d5ac85c645d0fcb3", "4775203615d9534a8bfca96a93dc8b461a489f69124a130d786b42204f3341cc", "9ea4c8200113d49d26505da0e02e2f49055dc078d1ad7a419b32e291c7afebbb84badfbd46dec42883bea0b2a1fa697c" ] } } } }, "filename": { "title": "Filename", "description": "Contains the name of the file which is identified by the hash values.", "type": "string", "minLength": 1, "examples": [ "WINWORD.EXE", "msotadddin.dll", "sudoers.so" ] } } } }, "model_numbers": { "title": "List of models", "description": "Contains a list of full or abbreviated (partial) model numbers.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Model number", "description": "Contains a full or abbreviated (partial) model number of the component to identify.", "type": "string", "minLength": 1 } }, "purl": { "title": "package URL representation", "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.", "type": "string", "format": "uri", "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+", "minLength": 7 }, "sbom_urls": { "title": "List of SBOM URLs", "description": "Contains a list of URLs where SBOMs for this product can be retrieved.", "type": "array", "minItems": 1, "items": { "title": "SBOM URL", "description": "Contains a URL of one SBOM for this product.", "type": "string", "format": "uri" } }, "serial_numbers": { "title": "List of serial numbers", "description": "Contains a list of full or abbreviated (partial) serial numbers.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Serial number", "description": "Contains a full or abbreviated (partial) serial number of the component to identify.", "type": "string", "minLength": 1 } }, "skus": { "title": "List of stock keeping units", "description": "Contains a list of full or abbreviated (partial) stock keeping units.", "type": "array", "minItems": 1, "items": { "title": "Stock keeping unit", "description": "Contains a full or abbreviated (partial) stock keeping unit (SKU) which is used in the ordering process to identify the component.", "type": "string", "minLength": 1 } }, "x_generic_uris": { "title": "List of generic URIs", "description": "Contains a list of identifiers which are either vendor-specific or derived from a standard not yet supported.", "type": "array", "minItems": 1, "items": { "title": "Generic URI", "description": "Provides a generic extension point for any identifier which is either vendor-specific or derived from a standard not yet supported.", "type": "object", "required": [ "namespace", "uri" ], "properties": { "namespace": { "title": "Namespace of the generic URI", "description": "Refers to a URL which provides the name and knowledge about the specification used or is the namespace in which these values are valid.", "type": "string", "format": "uri" }, "uri": { "title": "URI", "description": "Contains the identifier itself.", "type": "string", "format": "uri" } } } } } } } }, "lang_t": { "title": "Language type", "description": "Identifies a language, corresponding to IETF BCP 47 / RFC 5646. See IETF language registry: https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry", "type": "string", "pattern": "^(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?|[A-Za-z]{4,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3}))*(-[A-WY-Za-wy-z0-9](-[A-Za-z0-9]{2,8})+)*(-[Xx](-[A-Za-z0-9]{1,8})+)?|[Xx](-[A-Za-z0-9]{1,8})+|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Mm][Ii][Nn][Gg][Oo])$", "examples": [ "de", "en", "fr", "frc", "jp" ] }, "notes_t": { "title": "List of notes", "description": "Contains notes which are specific to the current context.", "type": "array", "minItems": 1, "items": { "title": "Note", "description": "Is a place to put all manner of text blobs related to the current context.", "type": "object", "required": [ "category", "text" ], "properties": { "audience": { "title": "Audience of note", "description": "Indicates who is intended to read it.", "type": "string", "minLength": 1, "examples": [ "all", "executives", "operational management and system administrators", "safety engineers" ] }, "category": { "title": "Note category", "description": "Contains the information of what kind of note this is.", "type": "string", "enum": [ "description", "details", "faq", "general", "legal_disclaimer", "other", "summary" ] }, "text": { "title": "Note content", "description": "Holds the content of the note. Content varies depending on type.", "type": "string", "minLength": 1 }, "title": { "title": "Title of note", "description": "Provides a concise description of what is contained in the text of the note.", "type": "string", "minLength": 1, "examples": [ "Details", "Executive summary", "Technical summary", "Impact on safety systems" ] } } } }, "product_group_id_t": { "title": "Reference token for product group instance", "description": "Token required to identify a group of products so that it can be referred to from other parts in the document. There is no predefined or required format for the product_group_id as long as it uniquely identifies a group in the context of the current document.", "type": "string", "minLength": 1, "examples": [ "CSAFGID-0001", "CSAFGID-0002", "CSAFGID-0020" ] }, "product_groups_t": { "title": "List of product_group_ids", "description": "Specifies a list of product_group_ids to give context to the parent item.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "$ref": "#/$defs/product_group_id_t" } }, "product_id_t": { "title": "Reference token for product instance", "description": "Token required to identify a full_product_name so that it can be referred to from other parts in the document. There is no predefined or required format for the product_id as long as it uniquely identifies a product in the context of the current document.", "type": "string", "minLength": 1, "examples": [ "CSAFPID-0004", "CSAFPID-0008" ] }, "products_t": { "title": "List of product_ids", "description": "Specifies a list of product_ids to give context to the parent item.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "$ref": "#/$defs/product_id_t" } }, "references_t": { "title": "List of references", "description": "Holds a list of references.", "type": "array", "minItems": 1, "items": { "title": "Reference", "description": "Holds any reference to conferences, papers, advisories, and other resources that are related and considered related to either a surrounding part of or the entire document and to be of value to the document consumer.", "type": "object", "required": [ "summary", "url" ], "properties": { "category": { "title": "Category of reference", "description": "Indicates whether the reference points to the same document or vulnerability in focus (depending on scope) or to an external resource.", "type": "string", "default": "external", "enum": [ "external", "self" ] }, "summary": { "title": "Summary of the reference", "description": "Indicates what this reference refers to.", "type": "string", "minLength": 1 }, "url": { "title": "URL of reference", "description": "Provides the URL for the reference.", "type": "string", "format": "uri" } } } }, "version_t": { "title": "Version", "description": "Specifies a version string to denote clearly the evolution of the content of the document. Format must be either integer or semantic versioning.", "type": "string", "pattern": "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$", "examples": [ "1", "4", "0.9.0", "1.4.3", "2.40.0+21AF26D3" ] } }, "required": [ "document" ], "properties": { "document": { "title": "Document level meta-data", "description": "Captures the meta-data about this document describing a particular set of security advisories.", "type": "object", "required": [ "category", "csaf_version", "publisher", "title", "tracking" ], "properties": { "acknowledgments": { "title": "Document acknowledgments", "description": "Contains a list of acknowledgment elements associated with the whole document.", "$ref": "#/$defs/acknowledgments_t" }, "aggregate_severity": { "title": "Aggregate severity", "description": "Is a vehicle that is provided by the document producer to convey the urgency and criticality with which the one or more vulnerabilities reported should be addressed. It is a document-level metric and applied to the document as a whole — not any specific vulnerability. The range of values in this field is defined according to the document producer's policies and procedures.", "type": "object", "required": [ "text" ], "properties": { "namespace": { "title": "Namespace of aggregate severity", "description": "Points to the namespace so referenced.", "type": "string", "format": "uri" }, "text": { "title": "Text of aggregate severity", "description": "Provides a severity which is independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS).", "type": "string", "minLength": 1, "examples": [ "Critical", "Important", "Moderate" ] } } }, "category": { "title": "Document category", "description": "Defines a short canonical name, chosen by the document producer, which will inform the end user as to the category of document.", "type": "string", "pattern": "^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$", "minLength": 1, "examples": [ "csaf_base", "csaf_security_advisory", "csaf_vex", "Example Company Security Notice" ] }, "csaf_version": { "title": "CSAF version", "description": "Gives the version of the CSAF specification which the document was generated for.", "type": "string", "enum": [ "2.0" ] }, "distribution": { "title": "Rules for sharing document", "description": "Describe any constraints on how this document might be shared.", "type": "object", "minProperties": 1, "properties": { "text": { "title": "Textual description", "description": "Provides a textual description of additional constraints.", "type": "string", "minLength": 1, "examples": [ "Copyright 2021, Example Company, All Rights Reserved.", "Distribute freely.", "Share only on a need-to-know-basis only." ] }, "tlp": { "title": "Traffic Light Protocol (TLP)", "description": "Provides details about the TLP classification of the document.", "type": "object", "required": [ "label" ], "properties": { "label": { "title": "Label of TLP", "description": "Provides the TLP label of the document.", "type": "string", "enum": [ "AMBER", "GREEN", "RED", "WHITE" ] }, "url": { "title": "URL of TLP version", "description": "Provides a URL where to find the textual description of the TLP version which is used in this document. Default is the URL to the definition by FIRST.", "type": "string", "default": "https://www.first.org/tlp/", "format": "uri", "examples": [ "https://www.us-cert.gov/tlp", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf" ] } } } } }, "lang": { "title": "Document language", "description": "Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.", "$ref": "#/$defs/lang_t" }, "notes": { "title": "Document notes", "description": "Holds notes associated with the whole document.", "$ref": "#/$defs/notes_t" }, "publisher": { "title": "Publisher", "description": "Provides information about the publisher of the document.", "type": "object", "required": [ "category", "name", "namespace" ], "properties": { "category": { "title": "Category of publisher", "description": "Provides information about the category of publisher releasing the document.", "type": "string", "enum": [ "coordinator", "discoverer", "other", "translator", "user", "vendor" ] }, "contact_details": { "title": "Contact details", "description": "Information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.", "type": "string", "minLength": 1, "examples": [ "Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact." ] }, "issuing_authority": { "title": "Issuing authority", "description": "Provides information about the authority of the issuing party to release the document, in particular, the party's constituency and responsibilities or other obligations.", "type": "string", "minLength": 1 }, "name": { "title": "Name of publisher", "description": "Contains the name of the issuing party.", "type": "string", "minLength": 1, "examples": [ "BSI", "Cisco PSIRT", "Siemens ProductCERT" ] }, "namespace": { "title": "Namespace of publisher", "description": "Contains a URL which is under control of the issuing party and can be used as a globally unique identifier for that issuing party.", "type": "string", "format": "uri", "examples": [ "https://csaf.io", "https://www.example.com" ] } } }, "references": { "title": "Document references", "description": "Holds a list of references associated with the whole document.", "$ref": "#/$defs/references_t" }, "source_lang": { "title": "Source language", "description": "If this copy of the document is a translation then the value of this property describes from which language this document was translated.", "$ref": "#/$defs/lang_t" }, "title": { "title": "Title of this document", "description": "This SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.", "type": "string", "minLength": 1, "examples": [ "Cisco IPv6 Crafted Packet Denial of Service Vulnerability", "Example Company Cross-Site-Scripting Vulnerability in Example Generator" ] }, "tracking": { "title": "Tracking", "description": "Is a container designated to hold all management attributes necessary to track a CSAF document as a whole.", "type": "object", "required": [ "current_release_date", "id", "initial_release_date", "revision_history", "status", "version" ], "properties": { "aliases": { "title": "Aliases", "description": "Contains a list of alternate names for the same document.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Alternate name", "description": "Specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.", "type": "string", "minLength": 1, "examples": [ "CVE-2019-12345" ] } }, "current_release_date": { "title": "Current release date", "description": "The date when the current revision of this document was released", "type": "string", "format": "date-time" }, "generator": { "title": "Document generator", "description": "Is a container to hold all elements related to the generation of the document. These items will reference when the document was actually created, including the date it was generated and the entity that generated it.", "type": "object", "required": [ "engine" ], "properties": { "date": { "title": "Date of document generation", "description": "This SHOULD be the current date that the document was generated. Because documents are often generated internally by a document producer and exist for a nonzero amount of time before being released, this field MAY be different from the Initial Release Date and Current Release Date.", "type": "string", "format": "date-time" }, "engine": { "title": "Engine of document generation", "description": "Contains information about the engine that generated the CSAF document.", "type": "object", "required": [ "name" ], "properties": { "name": { "title": "Engine name", "description": "Represents the name of the engine that generated the CSAF document.", "type": "string", "minLength": 1, "examples": [ "Red Hat rhsa-to-cvrf", "Secvisogram", "TVCE" ] }, "version": { "title": "Engine version", "description": "Contains the version of the engine that generated the CSAF document.", "type": "string", "minLength": 1, "examples": [ "0.6.0", "1.0.0-beta+exp.sha.a1c44f85", "2" ] } } } } }, "id": { "title": "Unique identifier for the document", "description": "The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority.", "type": "string", "pattern": "^[\\S](.*[\\S])?$", "minLength": 1, "examples": [ "Example Company - 2019-YH3234", "RHBA-2019:0024", "cisco-sa-20190513-secureboot" ] }, "initial_release_date": { "title": "Initial release date", "description": "The date when this document was first published.", "type": "string", "format": "date-time" }, "revision_history": { "title": "Revision history", "description": "Holds one revision item for each version of the CSAF document, including the initial one.", "type": "array", "minItems": 1, "items": { "title": "Revision", "description": "Contains all the information elements required to track the evolution of a CSAF document.", "type": "object", "required": [ "date", "number", "summary" ], "properties": { "date": { "title": "Date of the revision", "description": "The date of the revision entry", "type": "string", "format": "date-time" }, "legacy_version": { "title": "Legacy version of the revision", "description": "Contains the version string used in an existing document with the same content.", "type": "string", "minLength": 1 }, "number": { "$ref": "#/$defs/version_t" }, "summary": { "title": "Summary of the revision", "description": "Holds a single non-empty string representing a short description of the changes.", "type": "string", "minLength": 1, "examples": [ "Initial version." ] } } } }, "status": { "title": "Document status", "description": "Defines the draft status of the document.", "type": "string", "enum": [ "draft", "final", "interim" ] }, "version": { "$ref": "#/$defs/version_t" } } } } }, "product_tree": { "title": "Product tree", "description": "Is a container for all fully qualified product names that can be referenced elsewhere in the document.", "type": "object", "minProperties": 1, "properties": { "branches": { "$ref": "#/$defs/branches_t" }, "full_product_names": { "title": "List of full product names", "description": "Contains a list of full product names.", "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/full_product_name_t" } }, "product_groups": { "title": "List of product groups", "description": "Contains a list of product groups.", "type": "array", "minItems": 1, "items": { "title": "Product group", "description": "Defines a new logical group of products that can then be referred to in other parts of the document to address a group of products with a single identifier.", "type": "object", "required": [ "group_id", "product_ids" ], "properties": { "group_id": { "$ref": "#/$defs/product_group_id_t" }, "product_ids": { "title": "List of Product IDs", "description": "Lists the product_ids of those products which known as one group in the document.", "type": "array", "minItems": 2, "uniqueItems": true, "items": { "$ref": "#/$defs/product_id_t" } }, "summary": { "title": "Summary of the product group", "description": "Gives a short, optional description of the group.", "type": "string", "minLength": 1, "examples": [ "Products supporting Modbus.", "The x64 versions of the operating system." ] } } } }, "relationships": { "title": "List of relationships", "description": "Contains a list of relationships.", "type": "array", "minItems": 1, "items": { "title": "Relationship", "description": "Establishes a link between two existing full_product_name_t elements, allowing the document producer to define a combination of two products that form a new full_product_name entry.", "type": "object", "required": [ "category", "full_product_name", "product_reference", "relates_to_product_reference" ], "properties": { "category": { "title": "Relationship category", "description": "Defines the category of relationship for the referenced component.", "type": "string", "enum": [ "default_component_of", "external_component_of", "installed_on", "installed_with", "optional_component_of" ] }, "full_product_name": { "$ref": "#/$defs/full_product_name_t" }, "product_reference": { "title": "Product reference", "description": "Holds a Product ID that refers to the Full Product Name element, which is referenced as the first element of the relationship.", "$ref": "#/$defs/product_id_t" }, "relates_to_product_reference": { "title": "Relates to product reference", "description": "Holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.", "$ref": "#/$defs/product_id_t" } } } } } }, "vulnerabilities": { "title": "Vulnerabilities", "description": "Represents a list of all relevant vulnerability information items.", "type": "array", "minItems": 1, "items": { "title": "Vulnerability", "description": "Is a container for the aggregation of all fields that are related to a single vulnerability in the document.", "type": "object", "minProperties": 1, "properties": { "acknowledgments": { "title": "Vulnerability acknowledgments", "description": "Contains a list of acknowledgment elements associated with this vulnerability item.", "$ref": "#/$defs/acknowledgments_t" }, "cve": { "title": "CVE", "description": "Holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.", "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" }, "cwe": { "title": "CWE", "description": "Holds the MITRE standard Common Weakness Enumeration (CWE) for the weakness associated.", "type": "object", "required": [ "id", "name" ], "properties": { "id": { "title": "Weakness ID", "description": "Holds the ID for the weakness associated.", "type": "string", "pattern": "^CWE-[1-9]\\d{0,5}$", "examples": [ "CWE-22", "CWE-352", "CWE-79" ] }, "name": { "title": "Weakness name", "description": "Holds the full name of the weakness as given in the CWE specification.", "type": "string", "minLength": 1, "examples": [ "Cross-Site Request Forgery (CSRF)", "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" ] } } }, "discovery_date": { "title": "Discovery date", "description": "Holds the date and time the vulnerability was originally discovered.", "type": "string", "format": "date-time" }, "flags": { "title": "List of flags", "description": "Contains a list of machine readable flags.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Flag", "description": "Contains product specific information in regard to this vulnerability as a single machine readable flag.", "type": "object", "required": [ "label" ], "properties": { "date": { "title": "Date of the flag", "description": "Contains the date when assessment was done or the flag was assigned.", "type": "string", "format": "date-time" }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "label": { "title": "Label of the flag", "description": "Specifies the machine readable label.", "type": "string", "enum": [ "component_not_present", "inline_mitigations_already_exist", "vulnerable_code_cannot_be_controlled_by_adversary", "vulnerable_code_not_in_execute_path", "vulnerable_code_not_present" ] }, "product_ids": { "$ref": "#/$defs/products_t" } } } }, "ids": { "title": "List of IDs", "description": "Represents a list of unique labels or tracking IDs for the vulnerability (if such information exists).", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "ID", "description": "Contains a single unique label or tracking ID for the vulnerability.", "type": "object", "required": [ "system_name", "text" ], "properties": { "system_name": { "title": "System name", "description": "Indicates the name of the vulnerability tracking or numbering system.", "type": "string", "minLength": 1, "examples": [ "Cisco Bug ID", "GitHub Issue" ] }, "text": { "title": "Text", "description": "Is unique label or tracking ID for the vulnerability (if such information exists).", "type": "string", "minLength": 1, "examples": [ "CSCso66472", "oasis-tcs/csaf#210" ] } } } }, "involvements": { "title": "List of involvements", "description": "Contains a list of involvements.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Involvement", "description": "Is a container, that allows the document producers to comment on the level of involvement (or engagement) of themselves or third parties in the vulnerability identification, scoping, and remediation process.", "type": "object", "required": [ "party", "status" ], "properties": { "date": { "title": "Date of involvement", "description": "Holds the date and time of the involvement entry.", "type": "string", "format": "date-time" }, "party": { "title": "Party category", "description": "Defines the category of the involved party.", "type": "string", "enum": [ "coordinator", "discoverer", "other", "user", "vendor" ] }, "status": { "title": "Party status", "description": "Defines contact status of the involved party.", "type": "string", "enum": [ "completed", "contact_attempted", "disputed", "in_progress", "not_contacted", "open" ] }, "summary": { "title": "Summary of the involvement", "description": "Contains additional context regarding what is going on.", "type": "string", "minLength": 1 } } } }, "notes": { "title": "Vulnerability notes", "description": "Holds notes associated with this vulnerability item.", "$ref": "#/$defs/notes_t" }, "product_status": { "title": "Product status", "description": "Contains different lists of product_ids which provide details on the status of the referenced product related to the current vulnerability. ", "type": "object", "minProperties": 1, "properties": { "first_affected": { "title": "First affected", "description": "These are the first versions of the releases known to be affected by the vulnerability.", "$ref": "#/$defs/products_t" }, "first_fixed": { "title": "First fixed", "description": "These versions contain the first fix for the vulnerability but may not be the recommended fixed versions.", "$ref": "#/$defs/products_t" }, "fixed": { "title": "Fixed", "description": "These versions contain a fix for the vulnerability but may not be the recommended fixed versions.", "$ref": "#/$defs/products_t" }, "known_affected": { "title": "Known affected", "description": "These versions are known to be affected by the vulnerability.", "$ref": "#/$defs/products_t" }, "known_not_affected": { "title": "Known not affected", "description": "These versions are known not to be affected by the vulnerability.", "$ref": "#/$defs/products_t" }, "last_affected": { "title": "Last affected", "description": "These are the last versions in a release train known to be affected by the vulnerability. Subsequently released versions would contain a fix for the vulnerability.", "$ref": "#/$defs/products_t" }, "recommended": { "title": "Recommended", "description": "These versions have a fix for the vulnerability and are the vendor-recommended versions for fixing the vulnerability.", "$ref": "#/$defs/products_t" }, "under_investigation": { "title": "Under investigation", "description": "It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.", "$ref": "#/$defs/products_t" } } }, "references": { "title": "Vulnerability references", "description": "Holds a list of references associated with this vulnerability item.", "$ref": "#/$defs/references_t" }, "release_date": { "title": "Release date", "description": "Holds the date and time the vulnerability was originally released into the wild.", "type": "string", "format": "date-time" }, "remediations": { "title": "List of remediations", "description": "Contains a list of remediations.", "type": "array", "minItems": 1, "items": { "title": "Remediation", "description": "Specifies details on how to handle (and presumably, fix) a vulnerability.", "type": "object", "required": [ "category", "details" ], "properties": { "category": { "title": "Category of the remediation", "description": "Specifies the category which this remediation belongs to.", "type": "string", "enum": [ "mitigation", "no_fix_planned", "none_available", "vendor_fix", "workaround" ] }, "date": { "title": "Date of the remediation", "description": "Contains the date from which the remediation is available.", "type": "string", "format": "date-time" }, "details": { "title": "Details of the remediation", "description": "Contains a thorough human-readable discussion of the remediation.", "type": "string", "minLength": 1 }, "entitlements": { "title": "List of entitlements", "description": "Contains a list of entitlements.", "type": "array", "minItems": 1, "items": { "title": "Entitlement of the remediation", "description": "Contains any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.", "type": "string", "minLength": 1 } }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "product_ids": { "$ref": "#/$defs/products_t" }, "restart_required": { "title": "Restart required by remediation", "description": "Provides information on category of restart is required by this remediation to become effective.", "type": "object", "required": [ "category" ], "properties": { "category": { "title": "Category of restart", "description": "Specifies what category of restart is required by this remediation to become effective.", "type": "string", "enum": [ "connected", "dependencies", "machine", "none", "parent", "service", "system", "vulnerable_component", "zone" ] }, "details": { "title": "Additional restart information", "description": "Provides additional information for the restart. This can include details on procedures, scope or impact.", "type": "string", "minLength": 1 } } }, "url": { "title": "URL to the remediation", "description": "Contains the URL where to obtain the remediation.", "type": "string", "format": "uri" } } } }, "scores": { "title": "List of scores", "description": "Contains score objects for the current vulnerability.", "type": "array", "minItems": 1, "items": { "title": "Score", "description": "Specifies information about (at least one) score of the vulnerability and for which products the given value applies.", "type": "object", "minProperties": 2, "required": [ "products" ], "properties": { "cvss_v2": { "$ref": "https://www.first.org/cvss/cvss-v2.0.json" }, "cvss_v3": { "oneOf": [ { "$ref": "https://www.first.org/cvss/cvss-v3.0.json" }, { "$ref": "https://www.first.org/cvss/cvss-v3.1.json" } ] }, "products": { "$ref": "#/$defs/products_t" } } } }, "threats": { "title": "List of threats", "description": "Contains information about a vulnerability that can change with time.", "type": "array", "minItems": 1, "items": { "title": "Threat", "description": "Contains the vulnerability kinetic information. This information can change as the vulnerability ages and new information becomes available.", "type": "object", "required": [ "category", "details" ], "properties": { "category": { "title": "Category of the threat", "description": "Categorizes the threat according to the rules of the specification.", "type": "string", "enum": [ "exploit_status", "impact", "target_set" ] }, "date": { "title": "Date of the threat", "description": "Contains the date when the assessment was done or the threat appeared.", "type": "string", "format": "date-time" }, "details": { "title": "Details of the threat", "description": "Represents a thorough human-readable discussion of the threat.", "type": "string", "minLength": 1 }, "group_ids": { "$ref": "#/$defs/product_groups_t" }, "product_ids": { "$ref": "#/$defs/products_t" } } } }, "title": { "title": "Title", "description": "Gives the document producer the ability to apply a canonical name or title to the vulnerability.", "type": "string", "minLength": 1 } } } } } } CSAF-0.25/lib/CSAF/resources/cache/9653b500aa11f9eec08e6722af41cac70000644000175000017500000001641114610514351022072 0ustar peppepeppe{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/aggregator_json_schema.json", "title": "CSAF aggregator", "description": "Representation of information where to find CSAF providers as a JSON document.", "type": "object", "$defs": { "aggregator_url_t": { "title": "Aggregator URL type", "description": "Contains a URL.", "type": "string", "format": "uri", "pattern": "/aggregator\\.json$" }, "metadata_t": { "title": "CSAF issuing party metadata.", "description": "Contains the metadata of a single CSAF issuing party.", "type": "object", "required": [ "last_updated", "publisher", "url" ], "properties": { "last_updated": { "title": "Last updated", "description": "Holds the date and time when this entry was last updated.", "type": "string", "format": "date-time" }, "publisher": { "title": "Publisher", "description": "Provides information about the issuing party for this entry.", "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#/properties/publisher" }, "role": { "title": "Role of the issuing party", "description": "Contains the role of the issuing party according to section 7 in the CSAF standard.", "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#/properties/role" }, "url": { "title": "URL of the metadata", "description": "Contains the URL of the provider-metadata.json for that entry.", "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#/properties/canonical_url" } } }, "mirrors_t": { "title": "List of mirrors", "description": "Contains a list of URLs or mirrors for this issuing party.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "Mirror", "description": "Contains the base URL of the mirror for this issuing party.", "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#/$defs/provider_url_t" } } }, "required": [ "aggregator", "aggregator_version", "canonical_url", "csaf_providers", "last_updated" ], "properties": { "aggregator": { "title": "Aggregator", "description": "Provides information about the aggregator.", "type": "object", "required": [ "category", "name", "namespace" ], "properties": { "category": { "title": "Category of aggregator", "description": "Provides information about the category of aggregator.", "type": "string", "enum": [ "aggregator", "lister" ] }, "contact_details": { "title": "Contact details", "description": "Information on how to contact the aggregator, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.", "type": "string", "minLength": 1, "examples": [ "Aggregator can be reached at contact_us@aggregator.example.com, or via our website at https://www.example.com/security/csaf/aggregator/contact." ] }, "issuing_authority": { "title": "Issuing authority", "description": "Provides information about the authority of the aggregator to release the list, in particular, the party's constituency and responsibilities or other obligations.", "type": "string", "minLength": 1 }, "name": { "title": "Name of aggregator", "description": "Contains the name of the aggregator.", "type": "string", "minLength": 1, "examples": [ "BSI", "CISA", "CSAF TC" ] }, "namespace": { "title": "Namespace of aggregator", "description": "Contains a URL which is under control of the aggregator and can be used as a globally unique identifier for that aggregator.", "type": "string", "format": "uri", "examples": [ "https://www.example.com", "https://csaf.io" ] } } }, "aggregator_version": { "title": "CSAF aggregator version", "description": "Gives the version of the CSAF aggregator specification which the document was generated for.", "type": "string", "enum": [ "2.0" ] }, "canonical_url": { "title": "Canonical URL", "description": "Contains the URL for this document.", "$ref": "#/$defs/aggregator_url_t" }, "csaf_providers": { "title": "List of CSAF providers", "description": "Contains a list with information from CSAF providers.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "CSAF provider entry", "description": "Contains information from a CSAF provider.", "type": "object", "required": [ "metadata" ], "properties": { "metadata": { "title": "CSAF provider metadata.", "description": "Contains the metadata of a single CSAF provider.", "$ref": "#/$defs/metadata_t" }, "mirrors": { "title": "List of mirrors", "description": "Contains a list of URLs or mirrors for this CSAF provider.", "$ref": "#/$defs/mirrors_t" } } } }, "csaf_publishers": { "title": "List of CSAF publishers", "description": "Contains a list with information from CSAF publishers.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "title": "CSAF publisher entry", "description": "Contains information from a CSAF publisher.", "type": "object", "required": [ "metadata", "mirror", "update_interval" ], "properties": { "metadata": { "title": "CSAF publisher metadata.", "description": "Contains the metadata of a single CSAF publisher extracted from one of its CSAF documents.", "$ref": "#/$defs/metadata_t" }, "mirrors": { "title": "List of mirrors", "description": "Contains a list of URLs or mirrors for this CSAF publisher.", "$ref": "#/$defs/mirrors_t" }, "update_interval": { "title": "Update interval", "description": "Contains information about how often the CSAF publisher is checked for new CSAF documents.", "type": "string", "minLength": 1, "examples": [ "daily", "weekly", "monthly", "on best effort", "on notification by CSAF publisher" ] } } } }, "last_updated": { "title": "Last updated", "description": "Holds the date and time when the document was last updated.", "type": "string", "format": "date-time" } } } CSAF-0.25/lib/CSAF/Schema.pm0000644000175000017500000000460114612023627014204 0ustar peppepeppepackage CSAF::Schema; use 5.010001; use strict; use warnings; use utf8; use CSAF::Util qw(schema_cache_path); use JSON::Validator; our %SCHEMAS = ( 'csaf-2.0' => 'https://docs.oasis-open.org/csaf/csaf/v2.0/os/schemas/csaf_json_schema.json', 'strict-csaf-2.0' => 'https://docs.oasis-open.org/csaf/csaf/v2.0/os/schemas/csaf_json_schema.json?strict', 'csaf-2.0-provider' => 'https://docs.oasis-open.org/csaf/csaf/v2.0/os/schemas/provider_json_schema.json', 'csaf-2.0-aggregator' => 'https://docs.oasis-open.org/csaf/csaf/v2.0/os/schemas/aggregator_json_schema.json', 'cvss-v3.1' => 'https://www.first.org/cvss/cvss-v3.1.json', 'cvss-v3.0' => 'https://www.first.org/cvss/cvss-v3.0.json', 'cvss-v2.0' => 'https://www.first.org/cvss/cvss-v2.0.json', 'cvss-v3.x' => { oneOf => [ {'$ref' => 'https://www.first.org/cvss/cvss-v3.0.json'}, {'$ref' => 'https://www.first.org/cvss/cvss-v3.1.json'} ] } ); sub validator { my ($class, $schema) = @_; my $jv = JSON::Validator->new; $jv->cache_paths([schema_cache_path]); $jv->schema($SCHEMAS{$schema} || $schema); return $jv; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Schema - "JSON::Validator" wrapper =head1 SYNOPSIS use CSAF::Schema; my $schema = CSAF::Schema->validator('strict-csaf-2.0'); my @errors = $schema->validate($data); =head1 DESCRIPTION L is a wrapper for L. =head2 METHODS =over =item validator Load the provided schema (ID, URL or hash) and return L object. =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Base.pm0000644000175000017500000000310114612023627013650 0ustar peppepeppepackage CSAF::Base; use 5.010001; use strict; use warnings; use utf8; use Carp; use Moo; around BUILDARGS => sub { my ($orig, $class, @args) = @_; return {csaf => $args[0]} if @args == 1; return $class->$orig(@args); }; has csaf => ( is => 'ro', isa => sub { Carp::croak 'Must be an instance of "CSAF"' unless ref($_[0]) eq 'CSAF'; }, required => 1 ); sub clone { my $self = shift; my $clone = {%$self}; bless $clone, ref $self; return $clone; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Base - CSAF base class =head1 DESCRIPTION CSAF base class. =head2 ATTRIBUTES =over =item csaf $app->csaf(CSAF->new); =back =head2 METHODS =over =item clone Clone the object my $cloned = $app->clone; =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Document.pm0000644000175000017500000000533114612023627014563 0ustar peppepeppepackage CSAF::Document; use 5.010001; use strict; use warnings; use utf8; use CSAF::Type::Document; use CSAF::Type::ProductTree; use CSAF::Type::Vulnerabilities; use Moo; extends 'CSAF::Type::Base'; sub document { my ($self, %params) = @_; $self->{document} ||= CSAF::Type::Document->new(%params); } sub product_tree { my ($self, %params) = @_; $self->{product_tree} ||= CSAF::Type::ProductTree->new(%params); } sub vulnerabilities { my ($self, %params) = @_; $self->{vulnerabilities} ||= CSAF::Type::Vulnerabilities->new(%params); } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Document - CSAF Document =head1 SYNOPSIS use CSAF::Document; my $csaf = CSAF::Document->new; $csaf->document->title('Base CSAF Document'); $csaf->document->category('csaf_security_advisory'); $csaf->document->publisher( category => 'vendor', name => 'CSAF', namespace => 'https://csaf.io' ); my $tracking = $csaf->document->tracking( id => 'CSAF:2024-001', status => 'final', version => '1.0.0', initial_release_date => 'now', current_release_date => 'now' ); $tracking->revision_history->add( date => 'now', summary => 'First release', number => '1' ); =head1 DESCRIPTION The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. L =head2 CSAF PROPERTIES =over =item document Return L. =item product_tree Return L. =item vulnerabilities Return L. =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Util/0000755000175000017500000000000014755634263013376 5ustar peppepeppeCSAF-0.25/lib/CSAF/Util/Options.pm0000644000175000017500000000526714704276340015371 0ustar peppepeppepackage CSAF::Util::Options; use 5.010001; use strict; use warnings; use utf8; use YAML::XS 'LoadFile'; use Moo::Role; $YAML::XS::LoadBlessed = 0; has config_file => (is => 'rw', isa => sub { Carp::croak "Unable to open configuration file" unless -e $_[0] }, trigger => 1); sub _trigger_config_file { my $self = shift; my $config_data = LoadFile($self->config_file); foreach my $config_name (keys %{$config_data}) { my $config_value = $config_data->{$config_name}; $config_name =~ s/\-/_/; $self->$config_name($config_value) if $self->can($config_name); } } sub configure { my ($self, %args) = @_; foreach my $method (keys %args) { my $value = $args{$method}; $self->$method($value) if $self->can($method); } } sub clone { my $self = shift; my $clone = {%$self}; bless $clone, ref $self; return $clone; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Util::Options - Options utility for CSAF =head1 SYNOPSIS package My::CSAF::Options { use Moo; with 'CSAF::Util::Options'; has enable_foo => (is => 'rw', required => 1); has make_bar => (is => 'rw'); } package My::CSAF { use Moo; use My::CSAF::Options; has options => (is => 'lazy', build => 1); sub _build_options { My::CSAF::Options->new } sub my_job { my $self = shift; $self->options->configure(make_bar => $bar); if ($self->options->enable_foo) { [...] } } } =head1 DESCRIPTION L is L role and utility for L. =head2 ATTRIBUTES =over =item config_file Load config from YAML file. =back =head2 METHODS =over =item configure Configure an item. $options->configure( foo => 'foo', bar => 'bar', baz => 'baz' ); =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Util/CVSS.pm0000644000175000017500000001434714612023627014507 0ustar peppepeppepackage CSAF::Util::CVSS; use 5.010001; use strict; use warnings; use utf8; use Exporter 'import'; our @EXPORT_OK = (qw[decode_cvss_vector_string]); my $CVSS2_METRIC_LABEL = { AV => 'accessVector', AC => 'accessComplexity', Au => 'authentication', C => 'confidentialityImpact', I => 'integrityImpact', A => 'availabilityImpact', E => 'exploitability', RL => 'remediationLevel', RC => 'reportConfidence', CDP => 'collateralDamagePotential', TD => 'targetDistribution', CR => 'confidentialityRequirement', IR => 'integrityRequirement', AR => 'availabilityRequirement' }; my $CVSS3_METRIC_LABEL = { A => 'availabilityImpact', AC => 'attackComplexity', AV => 'attackVector', C => 'confidentialityImpact', E => 'exploitCodeMaturity', I => 'integrityImpact', PR => 'privilegesRequired', RC => 'reportConfidence', RL => 'remediationLevel', S => 'scope', UI => 'userInteraction', MA => 'modifiedAvailabilityImpact', MAC => 'modifiedAttackComplexity', MAV => 'modifiedAttackVector', MC => 'modifiedConfidentialityImpact', MI => 'modifiedIntegrityImpact', MPR => 'modifiedPrivilegesRequired', MS => 'modifiedScope', MUI => 'modifiedUserInteraction', }; my $CVSS2_METRIC_VALUES = { AV => {N => 'NETWORK', A => 'ADJACENT_NETWORK', L => 'LOCAL'}, AC => {H => 'HIGH', M => 'MEDIUM', L => 'LOW'}, Au => {M => 'MULTIPLE', S => 'SINGLE', N => 'NONE'}, C => {N => 'NONE', P => 'PARTIAL', C => 'COMPLETE'}, I => {N => 'NONE', P => 'PARTIAL', C => 'COMPLETE'}, A => {N => 'NONE', P => 'PARTIAL', C => 'COMPLETE'}, E => {U => 'UNPROVEN', POC => 'PROOF_OF_CONCEPT', F => 'FUNCTIONAL', H => 'HIGH', ND => 'NOT_DEFINED'}, RL => {OF => 'OFFICIAL_FIX', TF => 'TEMPORARY_FIX', W => 'WORKAROUND', U => 'UNAVAILABLE', ND => 'NOT_DEFINED'}, RC => {UC => 'UNCONFIRMED', UR => 'UNCORROBORATED', C => 'CONFIRMED', ND => 'NOT_DEFINED'}, CDP => {N => 'NONE', L => 'LOW', LM => 'LOW_MEDIUM', MH => 'MEDIUM_HIGH', H => 'HIGH', ND => 'NOT_DEFINED'}, TD => {N => 'NONE', L => 'LOW', M => 'MEDIUM', H => 'HIGH', ND => 'NOT_DEFINED'}, CR => {L => 'LOW', M => 'MEDIUM', H => 'HIGH', ND => 'NOT_DEFINED'}, IR => {L => 'LOW', M => 'MEDIUM', H => 'HIGH', ND => 'NOT_DEFINED'}, AR => {L => 'LOW', M => 'MEDIUM', H => 'HIGH', ND => 'NOT_DEFINED'}, }; my $CVSS3_METRIC_VALUES = { AV => {N => 'NETWORK', A => 'ADJACENT_NETWORK', L => 'LOCAL', P => 'PHYSICAL'}, AC => {L => 'LOW', H => 'HIGH'}, PR => {N => 'NONE', L => 'LOW', H => 'HIGH'}, UI => {N => 'NONE', R => 'REQUIRED'}, S => {U => 'UNCHANGED', C => 'CHANGED'}, C => {N => 'NONE', L => 'LOW', H => 'HIGH'}, I => {N => 'NONE', L => 'LOW', H => 'HIGH'}, A => {N => 'NONE', L => 'LOW', H => 'HIGH'}, E => {X => 'NOT_DEFINED', U => 'UNPROVEN', P => 'PROOF_OF_CONCEPT', F => 'FUNCTIONAL', H => 'HIGH'}, RL => {X => 'NOT_DEFINED', O => 'OFFICIAL_FIX', T => 'TEMPORARY_FIX', W => 'WORKAROUND', U => 'UNAVAILABLE'}, RC => {X => 'NOT_DEFINED', U => 'UNKNOWN', R => 'REASONABLE', C => 'CONFIRMED'}, MA => {X => 'NOT_DEFINED', N => 'NONE', L => 'LOW', H => 'HIGH'}, MAC => {X => 'NOT_DEFINED', L => 'LOW', H => 'HIGH'}, MAV => {X => 'NOT_DEFINED', N => 'NETWORK', A => 'ADJACENT_NETWORK', L => 'LOCAL', P => 'PHYSICAL'}, MC => {X => 'NOT_DEFINED', N => 'NONE', L => 'LOW', H => 'HIGH'}, MI => {X => 'NOT_DEFINED', N => 'NONE', L => 'LOW', H => 'HIGH'}, MPR => {X => 'NOT_DEFINED', N => 'NONE', L => 'LOW', H => 'HIGH'}, MS => {X => 'NOT_DEFINED', U => 'UNCHANGED', C => 'CHANGED'}, MUI => {X => 'NOT_DEFINED', N => 'NONE', R => 'REQUIRED'}, }; sub decode_cvss_vector_string { my $vector_string = shift; my $decoded = {}; if ($vector_string =~ /^CVSS:3[.][0-1]\/(.*)/) { my %cvss = split /[:\/]/, $1; foreach my $metric (keys %cvss) { if (defined $CVSS3_METRIC_LABEL->{$metric}) { my $value = $cvss{$metric}; my $label = $CVSS3_METRIC_LABEL->{$metric}; $decoded->{$label} = $CVSS3_METRIC_VALUES->{$metric}->{$value} || $value; } } } else { my %cvss = split /[:\/]/, $vector_string; foreach my $metric (keys %cvss) { if (defined $CVSS2_METRIC_LABEL->{$metric}) { my $value = $cvss{$metric}; my $label = $CVSS2_METRIC_LABEL->{$metric}; $decoded->{$label} = $CVSS2_METRIC_VALUES->{$metric}->{$value} || $value; } } } return $decoded; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Util::CVSS - CVSS utility for CSAF =head1 SYNOPSIS use CSAF::Util::CVSS qw(decode_cvss_vector_string); say Dumper(decode_cvss_vector_string('CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C')); =head1 DESCRIPTION CVSS utility for L. =head2 FUNCTIONS =over =item decode_cvss_vector_string Decode the provided CVSS (v2.0 or v3.x) vector string. my $decoded = decode_cvss_vector_string('CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C'); say $decoded->{attackVector}; # LOCAL =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Util/Log.pm0000644000175000017500000000270214612023627014442 0ustar peppepeppepackage CSAF::Util::Log; use 5.010001; use strict; use warnings; use utf8; use Moo::Role; use Log::Any; has log => ( is => 'ro', default => sub { Log::Any->get_logger(filter => \&CSAF::Util::log_formatter, category => (caller(0))[0]) } ); 1; __END__ =encoding utf-8 =head1 NAME CSAF::Util::Log - Log utility for CSAF =head1 SYNOPSIS package My::CSAF; use Moo; with 'CSAF::Util::Log'; sub my_job { my $self = shift; $self->log->info("Execute My Job"); } =head1 DESCRIPTION L is L role and utility for L. =head2 METHODS =over =item log Return L logger. =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Util/List.pm0000644000175000017500000000607314612152304014634 0ustar peppepeppepackage CSAF::Util::List; use 5.010001; use strict; use warnings; use utf8; use Moo; use overload '@{}' => \&to_array, fallback => 1; has items => (is => 'rw', default => sub { [] }); around BUILDARGS => sub { my ($orig, $class, @args) = @_; return {items => \@args} if @args > 0; # TODO return $class->$orig(@args); }; sub size { scalar @{shift->items} } sub each { my ($self, $callback) = @_; return @{$self->items} unless $callback; my $idx = 0; $_->$callback($idx++) for @{$self->items}; return $self; } sub grep { my ($self, $callback) = @_; return $self->new(grep { $_->$callback(@_) } @{$self->items}); } sub map { my ($self, $callback) = @_; return $self->new(map { $_->$callback(@_) } @{$self->items}); } sub to_array { [@{shift->items}] } sub item { push @{shift->items}, shift } sub add { shift->item(@_) } sub first { shift->items->[0] } sub last { shift->items->[-1] } sub join { join($_[1] // '', @{$_[0]->items}) } sub TO_JSON { [@{shift->items}] } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Util::List - (Mojo like) collection utility =head1 SYNOPSIS use CSAF::Util::List; my $collection = CSAF::Util::List->new( qw[foo bar baz] ); =head1 DESCRIPTION L is a collection utility. =head2 METHODS =over =item TO_JSON Alias for L. =item add Alias for L. =item each Evaluate callback for each element in collection. foreach my $item ($c->each) { [...] } my $collection = $c->each(sub {...}); $c->each(sub { my ($value, $idx) = @_; [...] }); =item first Get the first element of collection. =item grep Filter items. my $filtered = $c->grep(sub { $_ eq 'foo' }); =item item Add a new item in collection. $c->item('foo'); $c->item(sub {...}); =item items Get the list of collection items. =item join Join elements in collection. $c->join(', '); =item last Get the last element of collection. =item map Evaluate the callback and create a new collection. CSAF::Util::List->new(1,2,3)->map(sub { $_ * 2 }); =item new Create a new collection. my $c = CSAF::Util::List->new( [foo bar baz] ); =item size Number of item elements. =item to_array Return the collection array. =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Util/App.pm0000644000175000017500000000346514612023627014450 0ustar peppepeppepackage CSAF::Util::App; use 5.010001; use strict; use warnings; use utf8; use Exporter 'import'; our @EXPORT_OK = (qw[cli_error cli_version]); sub cli_error { my ($error) = @_; $error =~ s/ at .* line \d+.*//; print STDERR "ERROR: $error\n"; } sub cli_version { (my $progname = $0) =~ s/.*\///; require CSAF; say <<"VERSION"; $progname version $CSAF::VERSION Copyright 2023-2024, Giuseppe Di Terlizzi This program is part of the CSAF distribution and is free software; you can redistribute it and/or modify it under the same terms as Perl itself. Complete documentation for $progname can be found using 'man $progname' or on the internet at . VERSION return 0; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Util::App - Utility for CSAF CLI Applications =head1 SYNOPSIS use CSAF::Util::App qw(cli_version); =head1 DESCRIPTION Utility for L CLI Applications. =head2 FUNCTIONS =over =item cli_version =item cli_error =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Util/CWE.pm0000644000175000017500000027461414612023627014354 0ustar peppepeppepackage CSAF::Util::CWE; use 5.010001; use strict; use warnings; use utf8; use Exporter 'import'; our @EXPORT_OK = (qw[get_weakness_name weakness_exists]); use constant WEAKNESSES => ( # WEAKNESS 'CWE-5' => q"J2EE Misconfiguration: Data Transmission Without Encryption", 'CWE-6' => q"J2EE Misconfiguration: Insufficient Session-ID Length", 'CWE-7' => q"J2EE Misconfiguration: Missing Custom Error Page", 'CWE-8' => q"J2EE Misconfiguration: Entity Bean Declared Remote", 'CWE-9' => q"J2EE Misconfiguration: Weak Access Permissions for EJB Methods", 'CWE-11' => q"ASP.NET Misconfiguration: Creating Debug Binary", 'CWE-12' => q"ASP.NET Misconfiguration: Missing Custom Error Page", 'CWE-13' => q"ASP.NET Misconfiguration: Password in Configuration File", 'CWE-14' => q"Compiler Removal of Code to Clear Buffers", 'CWE-15' => q"External Control of System or Configuration Setting", 'CWE-20' => q"Improper Input Validation", 'CWE-22' => q"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", 'CWE-23' => q"Relative Path Traversal", 'CWE-24' => q"Path Traversal: '../filedir'", 'CWE-25' => q"Path Traversal: '/../filedir'", 'CWE-26' => q"Path Traversal: '/dir/../filename'", 'CWE-27' => q"Path Traversal: 'dir/../../filename'", 'CWE-28' => q"Path Traversal: '..\filedir'", 'CWE-29' => q"Path Traversal: '\..\filename'", 'CWE-30' => q"Path Traversal: '\dir\..\filename'", 'CWE-31' => q"Path Traversal: 'dir\..\..\filename'", 'CWE-32' => q"Path Traversal: '...' (Triple Dot)", 'CWE-33' => q"Path Traversal: '....' (Multiple Dot)", 'CWE-34' => q"Path Traversal: '....//'", 'CWE-35' => q"Path Traversal: '.../...//'", 'CWE-36' => q"Absolute Path Traversal", 'CWE-37' => q"Path Traversal: '/absolute/pathname/here'", 'CWE-38' => q"Path Traversal: '\absolute\pathname\here'", 'CWE-39' => q"Path Traversal: 'C:dirname'", 'CWE-40' => q"Path Traversal: '\\UNC\share\name\' (Windows UNC Share)", 'CWE-41' => q"Improper Resolution of Path Equivalence", 'CWE-42' => q"Path Equivalence: 'filename.' (Trailing Dot)", 'CWE-43' => q"Path Equivalence: 'filename....' (Multiple Trailing Dot)", 'CWE-44' => q"Path Equivalence: 'file.name' (Internal Dot)", 'CWE-45' => q"Path Equivalence: 'file...name' (Multiple Internal Dot)", 'CWE-46' => q"Path Equivalence: 'filename ' (Trailing Space)", 'CWE-47' => q"Path Equivalence: ' filename' (Leading Space)", 'CWE-48' => q"Path Equivalence: 'file name' (Internal Whitespace)", 'CWE-49' => q"Path Equivalence: 'filename/' (Trailing Slash)", 'CWE-50' => q"Path Equivalence: '//multiple/leading/slash'", 'CWE-51' => q"Path Equivalence: '/multiple//internal/slash'", 'CWE-52' => q"Path Equivalence: '/multiple/trailing/slash//'", 'CWE-53' => q"Path Equivalence: '\multiple\\internal\backslash'", 'CWE-54' => q"Path Equivalence: 'filedir\' (Trailing Backslash)", 'CWE-55' => q"Path Equivalence: '/./' (Single Dot Directory)", 'CWE-56' => q"Path Equivalence: 'filedir*' (Wildcard)", 'CWE-57' => q"Path Equivalence: 'fakedir/../realdir/filename'", 'CWE-58' => q"Path Equivalence: Windows 8.3 Filename", 'CWE-59' => q"Improper Link Resolution Before File Access ('Link Following')", 'CWE-61' => q"UNIX Symbolic Link (Symlink) Following", 'CWE-62' => q"UNIX Hard Link", 'CWE-64' => q"Windows Shortcut Following (.LNK)", 'CWE-65' => q"Windows Hard Link", 'CWE-66' => q"Improper Handling of File Names that Identify Virtual Resources", 'CWE-67' => q"Improper Handling of Windows Device Names", 'CWE-69' => q"Improper Handling of Windows ::DATA Alternate Data Stream", 'CWE-71' => q"DEPRECATED: Apple '.DS_Store'", 'CWE-72' => q"Improper Handling of Apple HFS+ Alternate Data Stream Path", 'CWE-73' => q"External Control of File Name or Path", 'CWE-74' => q"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", 'CWE-75' => q"Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", 'CWE-76' => q"Improper Neutralization of Equivalent Special Elements", 'CWE-77' => q"Improper Neutralization of Special Elements used in a Command ('Command Injection')", 'CWE-78' => q"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", 'CWE-79' => q"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", 'CWE-80' => q"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", 'CWE-81' => q"Improper Neutralization of Script in an Error Message Web Page", 'CWE-82' => q"Improper Neutralization of Script in Attributes of IMG Tags in a Web Page", 'CWE-83' => q"Improper Neutralization of Script in Attributes in a Web Page", 'CWE-84' => q"Improper Neutralization of Encoded URI Schemes in a Web Page", 'CWE-85' => q"Doubled Character XSS Manipulations", 'CWE-86' => q"Improper Neutralization of Invalid Characters in Identifiers in Web Pages", 'CWE-87' => q"Improper Neutralization of Alternate XSS Syntax", 'CWE-88' => q"Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", 'CWE-89' => q"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", 'CWE-90' => q"Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", 'CWE-91' => q"XML Injection (aka Blind XPath Injection)", 'CWE-92' => q"DEPRECATED: Improper Sanitization of Custom Special Characters", 'CWE-93' => q"Improper Neutralization of CRLF Sequences ('CRLF Injection')", 'CWE-94' => q"Improper Control of Generation of Code ('Code Injection')", 'CWE-95' => q"Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", 'CWE-96' => q"Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", 'CWE-97' => q"Improper Neutralization of Server-Side Includes (SSI) Within a Web Page", 'CWE-98' => "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", 'CWE-99' => q"Improper Control of Resource Identifiers ('Resource Injection')", 'CWE-102' => q"Struts: Duplicate Validation Forms", 'CWE-103' => q"Struts: Incomplete validate() Method Definition", 'CWE-104' => q"Struts: Form Bean Does Not Extend Validation Class", 'CWE-105' => q"Struts: Form Field Without Validator", 'CWE-106' => q"Struts: Plug-in Framework not in Use", 'CWE-107' => q"Struts: Unused Validation Form", 'CWE-108' => q"Struts: Unvalidated Action Form", 'CWE-109' => q"Struts: Validator Turned Off", 'CWE-110' => q"Struts: Validator Without Form Field", 'CWE-111' => q"Direct Use of Unsafe JNI", 'CWE-112' => q"Missing XML Validation", 'CWE-113' => q"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", 'CWE-114' => q"Process Control", 'CWE-115' => q"Misinterpretation of Input", 'CWE-116' => q"Improper Encoding or Escaping of Output", 'CWE-117' => q"Improper Output Neutralization for Logs", 'CWE-118' => q"Incorrect Access of Indexable Resource ('Range Error')", 'CWE-119' => q"Improper Restriction of Operations within the Bounds of a Memory Buffer", 'CWE-120' => q"Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", 'CWE-121' => q"Stack-based Buffer Overflow", 'CWE-122' => q"Heap-based Buffer Overflow", 'CWE-123' => q"Write-what-where Condition", 'CWE-124' => q"Buffer Underwrite ('Buffer Underflow')", 'CWE-125' => q"Out-of-bounds Read", 'CWE-126' => q"Buffer Over-read", 'CWE-127' => q"Buffer Under-read", 'CWE-128' => q"Wrap-around Error", 'CWE-129' => q"Improper Validation of Array Index", 'CWE-130' => q"Improper Handling of Length Parameter Inconsistency", 'CWE-131' => q"Incorrect Calculation of Buffer Size", 'CWE-132' => q"DEPRECATED: Miscalculated Null Termination", 'CWE-134' => q"Use of Externally-Controlled Format String", 'CWE-135' => q"Incorrect Calculation of Multi-Byte String Length", 'CWE-138' => q"Improper Neutralization of Special Elements", 'CWE-140' => q"Improper Neutralization of Delimiters", 'CWE-141' => q"Improper Neutralization of Parameter/Argument Delimiters", 'CWE-142' => q"Improper Neutralization of Value Delimiters", 'CWE-143' => q"Improper Neutralization of Record Delimiters", 'CWE-144' => q"Improper Neutralization of Line Delimiters", 'CWE-145' => q"Improper Neutralization of Section Delimiters", 'CWE-146' => q"Improper Neutralization of Expression/Command Delimiters", 'CWE-147' => q"Improper Neutralization of Input Terminators", 'CWE-148' => q"Improper Neutralization of Input Leaders", 'CWE-149' => q"Improper Neutralization of Quoting Syntax", 'CWE-150' => q"Improper Neutralization of Escape, Meta, or Control Sequences", 'CWE-151' => q"Improper Neutralization of Comment Delimiters", 'CWE-152' => q"Improper Neutralization of Macro Symbols", 'CWE-153' => q"Improper Neutralization of Substitution Characters", 'CWE-154' => q"Improper Neutralization of Variable Name Delimiters", 'CWE-155' => q"Improper Neutralization of Wildcards or Matching Symbols", 'CWE-156' => q"Improper Neutralization of Whitespace", 'CWE-157' => q"Failure to Sanitize Paired Delimiters", 'CWE-158' => q"Improper Neutralization of Null Byte or NUL Character", 'CWE-159' => q"Improper Handling of Invalid Use of Special Elements", 'CWE-160' => q"Improper Neutralization of Leading Special Elements", 'CWE-161' => q"Improper Neutralization of Multiple Leading Special Elements", 'CWE-162' => q"Improper Neutralization of Trailing Special Elements", 'CWE-163' => q"Improper Neutralization of Multiple Trailing Special Elements", 'CWE-164' => q"Improper Neutralization of Internal Special Elements", 'CWE-165' => q"Improper Neutralization of Multiple Internal Special Elements", 'CWE-166' => q"Improper Handling of Missing Special Element", 'CWE-167' => q"Improper Handling of Additional Special Element", 'CWE-168' => q"Improper Handling of Inconsistent Special Elements", 'CWE-170' => q"Improper Null Termination", 'CWE-172' => q"Encoding Error", 'CWE-173' => q"Improper Handling of Alternate Encoding", 'CWE-174' => q"Double Decoding of the Same Data", 'CWE-175' => q"Improper Handling of Mixed Encoding", 'CWE-176' => q"Improper Handling of Unicode Encoding", 'CWE-177' => q"Improper Handling of URL Encoding (Hex Encoding)", 'CWE-178' => q"Improper Handling of Case Sensitivity", 'CWE-179' => q"Incorrect Behavior Order: Early Validation", 'CWE-180' => q"Incorrect Behavior Order: Validate Before Canonicalize", 'CWE-181' => q"Incorrect Behavior Order: Validate Before Filter", 'CWE-182' => q"Collapse of Data into Unsafe Value", 'CWE-183' => q"Permissive List of Allowed Inputs", 'CWE-184' => q"Incomplete List of Disallowed Inputs", 'CWE-185' => q"Incorrect Regular Expression", 'CWE-186' => q"Overly Restrictive Regular Expression", 'CWE-187' => q"Partial String Comparison", 'CWE-188' => q"Reliance on Data/Memory Layout", 'CWE-190' => q"Integer Overflow or Wraparound", 'CWE-191' => q"Integer Underflow (Wrap or Wraparound)", 'CWE-192' => q"Integer Coercion Error", 'CWE-193' => q"Off-by-one Error", 'CWE-194' => q"Unexpected Sign Extension", 'CWE-195' => q"Signed to Unsigned Conversion Error", 'CWE-196' => q"Unsigned to Signed Conversion Error", 'CWE-197' => q"Numeric Truncation Error", 'CWE-198' => q"Use of Incorrect Byte Ordering", 'CWE-200' => q"Exposure of Sensitive Information to an Unauthorized Actor", 'CWE-201' => q"Insertion of Sensitive Information Into Sent Data", 'CWE-202' => q"Exposure of Sensitive Information Through Data Queries", 'CWE-203' => q"Observable Discrepancy", 'CWE-204' => q"Observable Response Discrepancy", 'CWE-205' => q"Observable Behavioral Discrepancy", 'CWE-206' => q"Observable Internal Behavioral Discrepancy", 'CWE-207' => q"Observable Behavioral Discrepancy With Equivalent Products", 'CWE-208' => q"Observable Timing Discrepancy", 'CWE-209' => q"Generation of Error Message Containing Sensitive Information", 'CWE-210' => q"Self-generated Error Message Containing Sensitive Information", 'CWE-211' => q"Externally-Generated Error Message Containing Sensitive Information", 'CWE-212' => q"Improper Removal of Sensitive Information Before Storage or Transfer", 'CWE-213' => q"Exposure of Sensitive Information Due to Incompatible Policies", 'CWE-214' => q"Invocation of Process Using Visible Sensitive Information", 'CWE-215' => q"Insertion of Sensitive Information Into Debugging Code", 'CWE-216' => q"DEPRECATED: Containment Errors (Container Errors)", 'CWE-217' => q"DEPRECATED: Failure to Protect Stored Data from Modification", 'CWE-218' => q"DEPRECATED: Failure to provide confidentiality for stored data", 'CWE-219' => q"Storage of File with Sensitive Data Under Web Root", 'CWE-220' => q"Storage of File With Sensitive Data Under FTP Root", 'CWE-221' => q"Information Loss or Omission", 'CWE-222' => q"Truncation of Security-relevant Information", 'CWE-223' => q"Omission of Security-relevant Information", 'CWE-224' => q"Obscured Security-relevant Information by Alternate Name", 'CWE-225' => q"DEPRECATED: General Information Management Problems", 'CWE-226' => q"Sensitive Information in Resource Not Removed Before Reuse", 'CWE-228' => q"Improper Handling of Syntactically Invalid Structure", 'CWE-229' => q"Improper Handling of Values", 'CWE-230' => q"Improper Handling of Missing Values", 'CWE-231' => q"Improper Handling of Extra Values", 'CWE-232' => q"Improper Handling of Undefined Values", 'CWE-233' => q"Improper Handling of Parameters", 'CWE-234' => q"Failure to Handle Missing Parameter", 'CWE-235' => q"Improper Handling of Extra Parameters", 'CWE-236' => q"Improper Handling of Undefined Parameters", 'CWE-237' => q"Improper Handling of Structural Elements", 'CWE-238' => q"Improper Handling of Incomplete Structural Elements", 'CWE-239' => q"Failure to Handle Incomplete Element", 'CWE-240' => q"Improper Handling of Inconsistent Structural Elements", 'CWE-241' => q"Improper Handling of Unexpected Data Type", 'CWE-242' => q"Use of Inherently Dangerous Function", 'CWE-243' => q"Creation of chroot Jail Without Changing Working Directory", 'CWE-244' => q"Improper Clearing of Heap Memory Before Release ('Heap Inspection')", 'CWE-245' => q"J2EE Bad Practices: Direct Management of Connections", 'CWE-246' => q"J2EE Bad Practices: Direct Use of Sockets", 'CWE-247' => q"DEPRECATED: Reliance on DNS Lookups in a Security Decision", 'CWE-248' => q"Uncaught Exception", 'CWE-249' => q"DEPRECATED: Often Misused: Path Manipulation", 'CWE-250' => q"Execution with Unnecessary Privileges", 'CWE-252' => q"Unchecked Return Value", 'CWE-253' => q"Incorrect Check of Function Return Value", 'CWE-256' => q"Plaintext Storage of a Password", 'CWE-257' => q"Storing Passwords in a Recoverable Format", 'CWE-258' => q"Empty Password in Configuration File", 'CWE-259' => q"Use of Hard-coded Password", 'CWE-260' => q"Password in Configuration File", 'CWE-261' => q"Weak Encoding for Password", 'CWE-262' => q"Not Using Password Aging", 'CWE-263' => q"Password Aging with Long Expiration", 'CWE-266' => q"Incorrect Privilege Assignment", 'CWE-267' => q"Privilege Defined With Unsafe Actions", 'CWE-268' => q"Privilege Chaining", 'CWE-269' => q"Improper Privilege Management", 'CWE-270' => q"Privilege Context Switching Error", 'CWE-271' => q"Privilege Dropping / Lowering Errors", 'CWE-272' => q"Least Privilege Violation", 'CWE-273' => q"Improper Check for Dropped Privileges", 'CWE-274' => q"Improper Handling of Insufficient Privileges", 'CWE-276' => q"Incorrect Default Permissions", 'CWE-277' => q"Insecure Inherited Permissions", 'CWE-278' => q"Insecure Preserved Inherited Permissions", 'CWE-279' => q"Incorrect Execution-Assigned Permissions", 'CWE-280' => q"Improper Handling of Insufficient Permissions or Privileges ", 'CWE-281' => q"Improper Preservation of Permissions", 'CWE-282' => q"Improper Ownership Management", 'CWE-283' => q"Unverified Ownership", 'CWE-284' => q"Improper Access Control", 'CWE-285' => q"Improper Authorization", 'CWE-286' => q"Incorrect User Management", 'CWE-287' => q"Improper Authentication", 'CWE-288' => q"Authentication Bypass Using an Alternate Path or Channel", 'CWE-289' => q"Authentication Bypass by Alternate Name", 'CWE-290' => q"Authentication Bypass by Spoofing", 'CWE-291' => q"Reliance on IP Address for Authentication", 'CWE-292' => q"DEPRECATED: Trusting Self-reported DNS Name", 'CWE-293' => q"Using Referer Field for Authentication", 'CWE-294' => q"Authentication Bypass by Capture-replay", 'CWE-295' => q"Improper Certificate Validation", 'CWE-296' => q"Improper Following of a Certificate's Chain of Trust", 'CWE-297' => q"Improper Validation of Certificate with Host Mismatch", 'CWE-298' => q"Improper Validation of Certificate Expiration", 'CWE-299' => q"Improper Check for Certificate Revocation", 'CWE-300' => q"Channel Accessible by Non-Endpoint", 'CWE-301' => q"Reflection Attack in an Authentication Protocol", 'CWE-302' => q"Authentication Bypass by Assumed-Immutable Data", 'CWE-303' => q"Incorrect Implementation of Authentication Algorithm", 'CWE-304' => q"Missing Critical Step in Authentication", 'CWE-305' => q"Authentication Bypass by Primary Weakness", 'CWE-306' => q"Missing Authentication for Critical Function", 'CWE-307' => q"Improper Restriction of Excessive Authentication Attempts", 'CWE-308' => q"Use of Single-factor Authentication", 'CWE-309' => q"Use of Password System for Primary Authentication", 'CWE-311' => q"Missing Encryption of Sensitive Data", 'CWE-312' => q"Cleartext Storage of Sensitive Information", 'CWE-313' => q"Cleartext Storage in a File or on Disk", 'CWE-314' => q"Cleartext Storage in the Registry", 'CWE-315' => q"Cleartext Storage of Sensitive Information in a Cookie", 'CWE-316' => q"Cleartext Storage of Sensitive Information in Memory", 'CWE-317' => q"Cleartext Storage of Sensitive Information in GUI", 'CWE-318' => q"Cleartext Storage of Sensitive Information in Executable", 'CWE-319' => q"Cleartext Transmission of Sensitive Information", 'CWE-321' => q"Use of Hard-coded Cryptographic Key", 'CWE-322' => q"Key Exchange without Entity Authentication", 'CWE-323' => q"Reusing a Nonce, Key Pair in Encryption", 'CWE-324' => q"Use of a Key Past its Expiration Date", 'CWE-325' => q"Missing Cryptographic Step", 'CWE-326' => q"Inadequate Encryption Strength", 'CWE-327' => q"Use of a Broken or Risky Cryptographic Algorithm", 'CWE-328' => q"Use of Weak Hash", 'CWE-329' => q"Generation of Predictable IV with CBC Mode", 'CWE-330' => q"Use of Insufficiently Random Values", 'CWE-331' => q"Insufficient Entropy", 'CWE-332' => q"Insufficient Entropy in PRNG", 'CWE-333' => q"Improper Handling of Insufficient Entropy in TRNG", 'CWE-334' => q"Small Space of Random Values", 'CWE-335' => q"Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)", 'CWE-336' => q"Same Seed in Pseudo-Random Number Generator (PRNG)", 'CWE-337' => q"Predictable Seed in Pseudo-Random Number Generator (PRNG)", 'CWE-338' => q"Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", 'CWE-339' => q"Small Seed Space in PRNG", 'CWE-340' => q"Generation of Predictable Numbers or Identifiers", 'CWE-341' => q"Predictable from Observable State", 'CWE-342' => q"Predictable Exact Value from Previous Values", 'CWE-343' => q"Predictable Value Range from Previous Values", 'CWE-344' => q"Use of Invariant Value in Dynamically Changing Context", 'CWE-345' => q"Insufficient Verification of Data Authenticity", 'CWE-346' => q"Origin Validation Error", 'CWE-347' => q"Improper Verification of Cryptographic Signature", 'CWE-348' => q"Use of Less Trusted Source", 'CWE-349' => q"Acceptance of Extraneous Untrusted Data With Trusted Data", 'CWE-350' => q"Reliance on Reverse DNS Resolution for a Security-Critical Action", 'CWE-351' => q"Insufficient Type Distinction", 'CWE-352' => q"Cross-Site Request Forgery (CSRF)", 'CWE-353' => q"Missing Support for Integrity Check", 'CWE-354' => q"Improper Validation of Integrity Check Value", 'CWE-356' => q"Product UI does not Warn User of Unsafe Actions", 'CWE-357' => q"Insufficient UI Warning of Dangerous Operations", 'CWE-358' => q"Improperly Implemented Security Check for Standard", 'CWE-359' => q"Exposure of Private Personal Information to an Unauthorized Actor", 'CWE-360' => q"Trust of System Event Data", 'CWE-362' => q"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", 'CWE-363' => q"Race Condition Enabling Link Following", 'CWE-364' => q"Signal Handler Race Condition", 'CWE-365' => q"DEPRECATED: Race Condition in Switch", 'CWE-366' => q"Race Condition within a Thread", 'CWE-367' => q"Time-of-check Time-of-use (TOCTOU) Race Condition", 'CWE-368' => q"Context Switching Race Condition", 'CWE-369' => q"Divide By Zero", 'CWE-370' => q"Missing Check for Certificate Revocation after Initial Check", 'CWE-372' => q"Incomplete Internal State Distinction", 'CWE-373' => q"DEPRECATED: State Synchronization Error", 'CWE-374' => q"Passing Mutable Objects to an Untrusted Method", 'CWE-375' => q"Returning a Mutable Object to an Untrusted Caller", 'CWE-377' => q"Insecure Temporary File", 'CWE-378' => q"Creation of Temporary File With Insecure Permissions", 'CWE-379' => q"Creation of Temporary File in Directory with Insecure Permissions", 'CWE-382' => q"J2EE Bad Practices: Use of System.exit()", 'CWE-383' => q"J2EE Bad Practices: Direct Use of Threads", 'CWE-384' => q"Session Fixation", 'CWE-385' => q"Covert Timing Channel", 'CWE-386' => q"Symbolic Name not Mapping to Correct Object", 'CWE-390' => q"Detection of Error Condition Without Action", 'CWE-391' => q"Unchecked Error Condition", 'CWE-392' => q"Missing Report of Error Condition", 'CWE-393' => q"Return of Wrong Status Code", 'CWE-394' => q"Unexpected Status Code or Return Value", 'CWE-395' => q"Use of NullPointerException Catch to Detect NULL Pointer Dereference", 'CWE-396' => q"Declaration of Catch for Generic Exception", 'CWE-397' => q"Declaration of Throws for Generic Exception", 'CWE-400' => q"Uncontrolled Resource Consumption", 'CWE-401' => q"Missing Release of Memory after Effective Lifetime", 'CWE-402' => q"Transmission of Private Resources into a New Sphere ('Resource Leak')", 'CWE-403' => q"Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", 'CWE-404' => q"Improper Resource Shutdown or Release", 'CWE-405' => q"Asymmetric Resource Consumption (Amplification)", 'CWE-406' => q"Insufficient Control of Network Message Volume (Network Amplification)", 'CWE-407' => q"Inefficient Algorithmic Complexity", 'CWE-408' => q"Incorrect Behavior Order: Early Amplification", 'CWE-409' => q"Improper Handling of Highly Compressed Data (Data Amplification)", 'CWE-410' => q"Insufficient Resource Pool", 'CWE-412' => q"Unrestricted Externally Accessible Lock", 'CWE-413' => q"Improper Resource Locking", 'CWE-414' => q"Missing Lock Check", 'CWE-415' => q"Double Free", 'CWE-416' => q"Use After Free", 'CWE-419' => q"Unprotected Primary Channel", 'CWE-420' => q"Unprotected Alternate Channel", 'CWE-421' => q"Race Condition During Access to Alternate Channel", 'CWE-422' => q"Unprotected Windows Messaging Channel ('Shatter')", 'CWE-423' => q"DEPRECATED: Proxied Trusted Channel", 'CWE-424' => q"Improper Protection of Alternate Path", 'CWE-425' => q"Direct Request ('Forced Browsing')", 'CWE-426' => q"Untrusted Search Path", 'CWE-427' => q"Uncontrolled Search Path Element", 'CWE-428' => q"Unquoted Search Path or Element", 'CWE-430' => q"Deployment of Wrong Handler", 'CWE-431' => q"Missing Handler", 'CWE-432' => q"Dangerous Signal Handler not Disabled During Sensitive Operations", 'CWE-433' => q"Unparsed Raw Web Content Delivery", 'CWE-434' => q"Unrestricted Upload of File with Dangerous Type", 'CWE-435' => q"Improper Interaction Between Multiple Correctly-Behaving Entities", 'CWE-436' => q"Interpretation Conflict", 'CWE-437' => q"Incomplete Model of Endpoint Features", 'CWE-439' => q"Behavioral Change in New Version or Environment", 'CWE-440' => q"Expected Behavior Violation", 'CWE-441' => q"Unintended Proxy or Intermediary ('Confused Deputy')", 'CWE-443' => q"DEPRECATED: HTTP response splitting", 'CWE-444' => q"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", 'CWE-446' => q"UI Discrepancy for Security Feature", 'CWE-447' => q"Unimplemented or Unsupported Feature in UI", 'CWE-448' => q"Obsolete Feature in UI", 'CWE-449' => q"The UI Performs the Wrong Action", 'CWE-450' => q"Multiple Interpretations of UI Input", 'CWE-451' => q"User Interface (UI) Misrepresentation of Critical Information", 'CWE-453' => q"Insecure Default Variable Initialization", 'CWE-454' => q"External Initialization of Trusted Variables or Data Stores", 'CWE-455' => q"Non-exit on Failed Initialization", 'CWE-456' => q"Missing Initialization of a Variable", 'CWE-457' => q"Use of Uninitialized Variable", 'CWE-458' => q"DEPRECATED: Incorrect Initialization", 'CWE-459' => q"Incomplete Cleanup", 'CWE-460' => q"Improper Cleanup on Thrown Exception", 'CWE-462' => q"Duplicate Key in Associative List (Alist)", 'CWE-463' => q"Deletion of Data Structure Sentinel", 'CWE-464' => q"Addition of Data Structure Sentinel", 'CWE-466' => q"Return of Pointer Value Outside of Expected Range", 'CWE-467' => q"Use of sizeof() on a Pointer Type", 'CWE-468' => q"Incorrect Pointer Scaling", 'CWE-469' => q"Use of Pointer Subtraction to Determine Size", 'CWE-470' => q"Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", 'CWE-471' => q"Modification of Assumed-Immutable Data (MAID)", 'CWE-472' => q"External Control of Assumed-Immutable Web Parameter", 'CWE-473' => q"PHP External Variable Modification", 'CWE-474' => q"Use of Function with Inconsistent Implementations", 'CWE-475' => q"Undefined Behavior for Input to API", 'CWE-476' => q"NULL Pointer Dereference", 'CWE-477' => q"Use of Obsolete Function", 'CWE-478' => q"Missing Default Case in Multiple Condition Expression", 'CWE-479' => q"Signal Handler Use of a Non-reentrant Function", 'CWE-480' => q"Use of Incorrect Operator", 'CWE-481' => q"Assigning instead of Comparing", 'CWE-482' => q"Comparing instead of Assigning", 'CWE-483' => q"Incorrect Block Delimitation", 'CWE-484' => q"Omitted Break Statement in Switch", 'CWE-486' => q"Comparison of Classes by Name", 'CWE-487' => q"Reliance on Package-level Scope", 'CWE-488' => q"Exposure of Data Element to Wrong Session", 'CWE-489' => q"Active Debug Code", 'CWE-491' => q"Public cloneable() Method Without Final ('Object Hijack')", 'CWE-492' => q"Use of Inner Class Containing Sensitive Data", 'CWE-493' => q"Critical Public Variable Without Final Modifier", 'CWE-494' => q"Download of Code Without Integrity Check", 'CWE-495' => q"Private Data Structure Returned From A Public Method", 'CWE-496' => q"Public Data Assigned to Private Array-Typed Field", 'CWE-497' => q"Exposure of Sensitive System Information to an Unauthorized Control Sphere", 'CWE-498' => q"Cloneable Class Containing Sensitive Information", 'CWE-499' => q"Serializable Class Containing Sensitive Data", 'CWE-500' => q"Public Static Field Not Marked Final", 'CWE-501' => q"Trust Boundary Violation", 'CWE-502' => q"Deserialization of Untrusted Data", 'CWE-506' => q"Embedded Malicious Code", 'CWE-507' => q"Trojan Horse", 'CWE-508' => q"Non-Replicating Malicious Code", 'CWE-509' => q"Replicating Malicious Code (Virus or Worm)", 'CWE-510' => q"Trapdoor", 'CWE-511' => q"Logic/Time Bomb", 'CWE-512' => q"Spyware", 'CWE-514' => q"Covert Channel", 'CWE-515' => q"Covert Storage Channel", 'CWE-516' => q"DEPRECATED: Covert Timing Channel", 'CWE-520' => q".NET Misconfiguration: Use of Impersonation", 'CWE-521' => q"Weak Password Requirements", 'CWE-522' => q"Insufficiently Protected Credentials", 'CWE-523' => q"Unprotected Transport of Credentials", 'CWE-524' => q"Use of Cache Containing Sensitive Information", 'CWE-525' => q"Use of Web Browser Cache Containing Sensitive Information", 'CWE-526' => q"Cleartext Storage of Sensitive Information in an Environment Variable", 'CWE-527' => q"Exposure of Version-Control Repository to an Unauthorized Control Sphere", 'CWE-528' => q"Exposure of Core Dump File to an Unauthorized Control Sphere", 'CWE-529' => q"Exposure of Access Control List Files to an Unauthorized Control Sphere", 'CWE-530' => q"Exposure of Backup File to an Unauthorized Control Sphere", 'CWE-531' => q"Inclusion of Sensitive Information in Test Code", 'CWE-532' => q"Insertion of Sensitive Information into Log File", 'CWE-533' => q"DEPRECATED: Information Exposure Through Server Log Files", 'CWE-534' => q"DEPRECATED: Information Exposure Through Debug Log Files", 'CWE-535' => q"Exposure of Information Through Shell Error Message", 'CWE-536' => q"Servlet Runtime Error Message Containing Sensitive Information", 'CWE-537' => q"Java Runtime Error Message Containing Sensitive Information", 'CWE-538' => q"Insertion of Sensitive Information into Externally-Accessible File or Directory", 'CWE-539' => q"Use of Persistent Cookies Containing Sensitive Information", 'CWE-540' => q"Inclusion of Sensitive Information in Source Code", 'CWE-541' => q"Inclusion of Sensitive Information in an Include File", 'CWE-542' => q"DEPRECATED: Information Exposure Through Cleanup Log Files", 'CWE-543' => q"Use of Singleton Pattern Without Synchronization in a Multithreaded Context", 'CWE-544' => q"Missing Standardized Error Handling Mechanism", 'CWE-545' => q"DEPRECATED: Use of Dynamic Class Loading", 'CWE-546' => q"Suspicious Comment", 'CWE-547' => q"Use of Hard-coded, Security-relevant Constants", 'CWE-548' => q"Exposure of Information Through Directory Listing", 'CWE-549' => q"Missing Password Field Masking", 'CWE-550' => q"Server-generated Error Message Containing Sensitive Information", 'CWE-551' => q"Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", 'CWE-552' => q"Files or Directories Accessible to External Parties", 'CWE-553' => q"Command Shell in Externally Accessible Directory", 'CWE-554' => q"ASP.NET Misconfiguration: Not Using Input Validation Framework", 'CWE-555' => q"J2EE Misconfiguration: Plaintext Password in Configuration File", 'CWE-556' => q"ASP.NET Misconfiguration: Use of Identity Impersonation", 'CWE-558' => q"Use of getlogin() in Multithreaded Application", 'CWE-560' => q"Use of umask() with chmod-style Argument", 'CWE-561' => q"Dead Code", 'CWE-562' => q"Return of Stack Variable Address", 'CWE-563' => q"Assignment to Variable without Use", 'CWE-564' => q"SQL Injection: Hibernate", 'CWE-565' => q"Reliance on Cookies without Validation and Integrity Checking", 'CWE-566' => q"Authorization Bypass Through User-Controlled SQL Primary Key", 'CWE-567' => q"Unsynchronized Access to Shared Data in a Multithreaded Context", 'CWE-568' => q"finalize() Method Without super.finalize()", 'CWE-570' => q"Expression is Always False", 'CWE-571' => q"Expression is Always True", 'CWE-572' => q"Call to Thread run() instead of start()", 'CWE-573' => q"Improper Following of Specification by Caller", 'CWE-574' => q"EJB Bad Practices: Use of Synchronization Primitives", 'CWE-575' => q"EJB Bad Practices: Use of AWT Swing", 'CWE-576' => q"EJB Bad Practices: Use of Java I/O", 'CWE-577' => q"EJB Bad Practices: Use of Sockets", 'CWE-578' => q"EJB Bad Practices: Use of Class Loader", 'CWE-579' => q"J2EE Bad Practices: Non-serializable Object Stored in Session", 'CWE-580' => q"clone() Method Without super.clone()", 'CWE-581' => q"Object Model Violation: Just One of Equals and Hashcode Defined", 'CWE-582' => q"Array Declared Public, Final, and Static", 'CWE-583' => q"finalize() Method Declared Public", 'CWE-584' => q"Return Inside Finally Block", 'CWE-585' => q"Empty Synchronized Block", 'CWE-586' => q"Explicit Call to Finalize()", 'CWE-587' => q"Assignment of a Fixed Address to a Pointer", 'CWE-588' => q"Attempt to Access Child of a Non-structure Pointer", 'CWE-589' => q"Call to Non-ubiquitous API", 'CWE-590' => q"Free of Memory not on the Heap", 'CWE-591' => q"Sensitive Data Storage in Improperly Locked Memory", 'CWE-592' => q"DEPRECATED: Authentication Bypass Issues", 'CWE-593' => q"Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created", 'CWE-594' => q"J2EE Framework: Saving Unserializable Objects to Disk", 'CWE-595' => q"Comparison of Object References Instead of Object Contents", 'CWE-596' => q"DEPRECATED: Incorrect Semantic Object Comparison", 'CWE-597' => q"Use of Wrong Operator in String Comparison", 'CWE-598' => q"Use of GET Request Method With Sensitive Query Strings", 'CWE-599' => q"Missing Validation of OpenSSL Certificate", 'CWE-600' => q"Uncaught Exception in Servlet ", 'CWE-601' => q"URL Redirection to Untrusted Site ('Open Redirect')", 'CWE-602' => q"Client-Side Enforcement of Server-Side Security", 'CWE-603' => q"Use of Client-Side Authentication", 'CWE-605' => q"Multiple Binds to the Same Port", 'CWE-606' => q"Unchecked Input for Loop Condition", 'CWE-607' => q"Public Static Final Field References Mutable Object", 'CWE-608' => q"Struts: Non-private Field in ActionForm Class", 'CWE-609' => q"Double-Checked Locking", 'CWE-610' => q"Externally Controlled Reference to a Resource in Another Sphere", 'CWE-611' => q"Improper Restriction of XML External Entity Reference", 'CWE-612' => q"Improper Authorization of Index Containing Sensitive Information", 'CWE-613' => q"Insufficient Session Expiration", 'CWE-614' => q"Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", 'CWE-615' => q"Inclusion of Sensitive Information in Source Code Comments", 'CWE-616' => q"Incomplete Identification of Uploaded File Variables (PHP)", 'CWE-617' => q"Reachable Assertion", 'CWE-618' => q"Exposed Unsafe ActiveX Method", 'CWE-619' => q"Dangling Database Cursor ('Cursor Injection')", 'CWE-620' => q"Unverified Password Change", 'CWE-621' => q"Variable Extraction Error", 'CWE-622' => q"Improper Validation of Function Hook Arguments", 'CWE-623' => q"Unsafe ActiveX Control Marked Safe For Scripting", 'CWE-624' => q"Executable Regular Expression Error", 'CWE-625' => q"Permissive Regular Expression", 'CWE-626' => q"Null Byte Interaction Error (Poison Null Byte)", 'CWE-627' => q"Dynamic Variable Evaluation", 'CWE-628' => q"Function Call with Incorrectly Specified Arguments", 'CWE-636' => q"Not Failing Securely ('Failing Open')", 'CWE-637' => q"Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", 'CWE-638' => q"Not Using Complete Mediation", 'CWE-639' => q"Authorization Bypass Through User-Controlled Key", 'CWE-640' => q"Weak Password Recovery Mechanism for Forgotten Password", 'CWE-641' => q"Improper Restriction of Names for Files and Other Resources", 'CWE-642' => q"External Control of Critical State Data", 'CWE-643' => q"Improper Neutralization of Data within XPath Expressions ('XPath Injection')", 'CWE-644' => q"Improper Neutralization of HTTP Headers for Scripting Syntax", 'CWE-645' => q"Overly Restrictive Account Lockout Mechanism", 'CWE-646' => q"Reliance on File Name or Extension of Externally-Supplied File", 'CWE-647' => q"Use of Non-Canonical URL Paths for Authorization Decisions", 'CWE-648' => q"Incorrect Use of Privileged APIs", 'CWE-649' => q"Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking", 'CWE-650' => q"Trusting HTTP Permission Methods on the Server Side", 'CWE-651' => q"Exposure of WSDL File Containing Sensitive Information", 'CWE-652' => q"Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", 'CWE-653' => q"Improper Isolation or Compartmentalization", 'CWE-654' => q"Reliance on a Single Factor in a Security Decision", 'CWE-655' => q"Insufficient Psychological Acceptability", 'CWE-656' => q"Reliance on Security Through Obscurity", 'CWE-657' => q"Violation of Secure Design Principles", 'CWE-662' => q"Improper Synchronization", 'CWE-663' => q"Use of a Non-reentrant Function in a Concurrent Context", 'CWE-664' => q"Improper Control of a Resource Through its Lifetime", 'CWE-665' => q"Improper Initialization", 'CWE-666' => q"Operation on Resource in Wrong Phase of Lifetime", 'CWE-667' => q"Improper Locking", 'CWE-668' => q"Exposure of Resource to Wrong Sphere", 'CWE-669' => q"Incorrect Resource Transfer Between Spheres", 'CWE-670' => q"Always-Incorrect Control Flow Implementation", 'CWE-671' => q"Lack of Administrator Control over Security", 'CWE-672' => q"Operation on a Resource after Expiration or Release", 'CWE-673' => q"External Influence of Sphere Definition", 'CWE-674' => q"Uncontrolled Recursion", 'CWE-675' => q"Multiple Operations on Resource in Single-Operation Context", 'CWE-676' => q"Use of Potentially Dangerous Function", 'CWE-680' => q"Integer Overflow to Buffer Overflow", 'CWE-681' => q"Incorrect Conversion between Numeric Types", 'CWE-682' => q"Incorrect Calculation", 'CWE-683' => q"Function Call With Incorrect Order of Arguments", 'CWE-684' => q"Incorrect Provision of Specified Functionality", 'CWE-685' => q"Function Call With Incorrect Number of Arguments", 'CWE-686' => q"Function Call With Incorrect Argument Type", 'CWE-687' => q"Function Call With Incorrectly Specified Argument Value", 'CWE-688' => q"Function Call With Incorrect Variable or Reference as Argument", 'CWE-689' => q"Permission Race Condition During Resource Copy", 'CWE-690' => q"Unchecked Return Value to NULL Pointer Dereference", 'CWE-691' => q"Insufficient Control Flow Management", 'CWE-692' => q"Incomplete Denylist to Cross-Site Scripting", 'CWE-693' => q"Protection Mechanism Failure", 'CWE-694' => q"Use of Multiple Resources with Duplicate Identifier", 'CWE-695' => q"Use of Low-Level Functionality", 'CWE-696' => q"Incorrect Behavior Order", 'CWE-697' => q"Incorrect Comparison", 'CWE-698' => q"Execution After Redirect (EAR)", 'CWE-703' => q"Improper Check or Handling of Exceptional Conditions", 'CWE-704' => q"Incorrect Type Conversion or Cast", 'CWE-705' => q"Incorrect Control Flow Scoping", 'CWE-706' => q"Use of Incorrectly-Resolved Name or Reference", 'CWE-707' => q"Improper Neutralization", 'CWE-708' => q"Incorrect Ownership Assignment", 'CWE-710' => q"Improper Adherence to Coding Standards", 'CWE-732' => q"Incorrect Permission Assignment for Critical Resource", 'CWE-733' => q"Compiler Optimization Removal or Modification of Security-critical Code", 'CWE-749' => q"Exposed Dangerous Method or Function", 'CWE-754' => q"Improper Check for Unusual or Exceptional Conditions", 'CWE-755' => q"Improper Handling of Exceptional Conditions", 'CWE-756' => q"Missing Custom Error Page", 'CWE-757' => q"Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", 'CWE-758' => q"Reliance on Undefined, Unspecified, or Implementation-Defined Behavior", 'CWE-759' => q"Use of a One-Way Hash without a Salt", 'CWE-760' => q"Use of a One-Way Hash with a Predictable Salt", 'CWE-761' => q"Free of Pointer not at Start of Buffer", 'CWE-762' => q"Mismatched Memory Management Routines", 'CWE-763' => q"Release of Invalid Pointer or Reference", 'CWE-764' => q"Multiple Locks of a Critical Resource", 'CWE-765' => q"Multiple Unlocks of a Critical Resource", 'CWE-766' => q"Critical Data Element Declared Public", 'CWE-767' => q"Access to Critical Private Variable via Public Method", 'CWE-768' => q"Incorrect Short Circuit Evaluation", 'CWE-769' => q"DEPRECATED: Uncontrolled File Descriptor Consumption", 'CWE-770' => q"Allocation of Resources Without Limits or Throttling", 'CWE-771' => q"Missing Reference to Active Allocated Resource", 'CWE-772' => q"Missing Release of Resource after Effective Lifetime", 'CWE-773' => q"Missing Reference to Active File Descriptor or Handle", 'CWE-774' => q"Allocation of File Descriptors or Handles Without Limits or Throttling", 'CWE-775' => q"Missing Release of File Descriptor or Handle after Effective Lifetime", 'CWE-776' => q"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", 'CWE-777' => q"Regular Expression without Anchors", 'CWE-778' => q"Insufficient Logging", 'CWE-779' => q"Logging of Excessive Data", 'CWE-780' => q"Use of RSA Algorithm without OAEP", 'CWE-781' => q"Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code", 'CWE-782' => q"Exposed IOCTL with Insufficient Access Control", 'CWE-783' => q"Operator Precedence Logic Error", 'CWE-784' => q"Reliance on Cookies without Validation and Integrity Checking in a Security Decision", 'CWE-785' => q"Use of Path Manipulation Function without Maximum-sized Buffer", 'CWE-786' => q"Access of Memory Location Before Start of Buffer", 'CWE-787' => q"Out-of-bounds Write", 'CWE-788' => q"Access of Memory Location After End of Buffer", 'CWE-789' => q"Memory Allocation with Excessive Size Value", 'CWE-790' => q"Improper Filtering of Special Elements", 'CWE-791' => q"Incomplete Filtering of Special Elements", 'CWE-792' => q"Incomplete Filtering of One or More Instances of Special Elements", 'CWE-793' => q"Only Filtering One Instance of a Special Element", 'CWE-794' => q"Incomplete Filtering of Multiple Instances of Special Elements", 'CWE-795' => q"Only Filtering Special Elements at a Specified Location", 'CWE-796' => q"Only Filtering Special Elements Relative to a Marker", 'CWE-797' => q"Only Filtering Special Elements at an Absolute Position", 'CWE-798' => q"Use of Hard-coded Credentials", 'CWE-799' => q"Improper Control of Interaction Frequency", 'CWE-804' => q"Guessable CAPTCHA", 'CWE-805' => q"Buffer Access with Incorrect Length Value", 'CWE-806' => q"Buffer Access Using Size of Source Buffer", 'CWE-807' => q"Reliance on Untrusted Inputs in a Security Decision", 'CWE-820' => q"Missing Synchronization", 'CWE-821' => q"Incorrect Synchronization", 'CWE-822' => q"Untrusted Pointer Dereference", 'CWE-823' => q"Use of Out-of-range Pointer Offset", 'CWE-824' => q"Access of Uninitialized Pointer", 'CWE-825' => q"Expired Pointer Dereference", 'CWE-826' => q"Premature Release of Resource During Expected Lifetime", 'CWE-827' => q"Improper Control of Document Type Definition", 'CWE-828' => q"Signal Handler with Functionality that is not Asynchronous-Safe", 'CWE-829' => q"Inclusion of Functionality from Untrusted Control Sphere", 'CWE-830' => q"Inclusion of Web Functionality from an Untrusted Source", 'CWE-831' => q"Signal Handler Function Associated with Multiple Signals", 'CWE-832' => q"Unlock of a Resource that is not Locked", 'CWE-833' => q"Deadlock", 'CWE-834' => q"Excessive Iteration", 'CWE-835' => q"Loop with Unreachable Exit Condition ('Infinite Loop')", 'CWE-836' => q"Use of Password Hash Instead of Password for Authentication", 'CWE-837' => q"Improper Enforcement of a Single, Unique Action", 'CWE-838' => q"Inappropriate Encoding for Output Context", 'CWE-839' => q"Numeric Range Comparison Without Minimum Check", 'CWE-841' => q"Improper Enforcement of Behavioral Workflow", 'CWE-842' => q"Placement of User into Incorrect Group", 'CWE-843' => q"Access of Resource Using Incompatible Type ('Type Confusion')", 'CWE-862' => q"Missing Authorization", 'CWE-863' => q"Incorrect Authorization", 'CWE-908' => q"Use of Uninitialized Resource", 'CWE-909' => q"Missing Initialization of Resource", 'CWE-910' => q"Use of Expired File Descriptor", 'CWE-911' => q"Improper Update of Reference Count", 'CWE-912' => q"Hidden Functionality", 'CWE-913' => q"Improper Control of Dynamically-Managed Code Resources", 'CWE-914' => q"Improper Control of Dynamically-Identified Variables", 'CWE-915' => q"Improperly Controlled Modification of Dynamically-Determined Object Attributes", 'CWE-916' => q"Use of Password Hash With Insufficient Computational Effort", 'CWE-917' => "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", 'CWE-918' => q"Server-Side Request Forgery (SSRF)", 'CWE-920' => q"Improper Restriction of Power Consumption", 'CWE-921' => q"Storage of Sensitive Data in a Mechanism without Access Control", 'CWE-922' => q"Insecure Storage of Sensitive Information", 'CWE-923' => q"Improper Restriction of Communication Channel to Intended Endpoints", 'CWE-924' => q"Improper Enforcement of Message Integrity During Transmission in a Communication Channel", 'CWE-925' => q"Improper Verification of Intent by Broadcast Receiver", 'CWE-926' => q"Improper Export of Android Application Components", 'CWE-927' => q"Use of Implicit Intent for Sensitive Communication", 'CWE-939' => q"Improper Authorization in Handler for Custom URL Scheme", 'CWE-940' => q"Improper Verification of Source of a Communication Channel", 'CWE-941' => q"Incorrectly Specified Destination in a Communication Channel", 'CWE-942' => q"Permissive Cross-domain Policy with Untrusted Domains", 'CWE-943' => q"Improper Neutralization of Special Elements in Data Query Logic", 'CWE-1004' => q"Sensitive Cookie Without 'HttpOnly' Flag", 'CWE-1007' => q"Insufficient Visual Distinction of Homoglyphs Presented to User", 'CWE-1021' => q"Improper Restriction of Rendered UI Layers or Frames", 'CWE-1022' => q"Use of Web Link to Untrusted Target with window.opener Access", 'CWE-1023' => q"Incomplete Comparison with Missing Factors", 'CWE-1024' => q"Comparison of Incompatible Types", 'CWE-1025' => q"Comparison Using Wrong Factors", 'CWE-1037' => q"Processor Optimization Removal or Modification of Security-critical Code", 'CWE-1038' => q"Insecure Automated Optimizations", 'CWE-1039' => "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations", 'CWE-1041' => q"Use of Redundant Code", 'CWE-1042' => q"Static Member Data Element outside of a Singleton Class Element", 'CWE-1043' => q"Data Element Aggregating an Excessively Large Number of Non-Primitive Elements", 'CWE-1044' => q"Architecture with Number of Horizontal Layers Outside of Expected Range", 'CWE-1045' => q"Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor", 'CWE-1046' => q"Creation of Immutable Text Using String Concatenation", 'CWE-1047' => q"Modules with Circular Dependencies", 'CWE-1048' => q"Invokable Control Element with Large Number of Outward Calls", 'CWE-1049' => q"Excessive Data Query Operations in a Large Data Table", 'CWE-1050' => q"Excessive Platform Resource Consumption within a Loop", 'CWE-1051' => q"Initialization with Hard-Coded Network Resource Configuration Data", 'CWE-1052' => q"Excessive Use of Hard-Coded Literals in Initialization", 'CWE-1053' => q"Missing Documentation for Design", 'CWE-1054' => q"Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer", 'CWE-1055' => q"Multiple Inheritance from Concrete Classes", 'CWE-1056' => q"Invokable Control Element with Variadic Parameters", 'CWE-1057' => q"Data Access Operations Outside of Expected Data Manager Component", 'CWE-1058' => q"Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element", 'CWE-1059' => q"Insufficient Technical Documentation", 'CWE-1060' => q"Excessive Number of Inefficient Server-Side Data Accesses", 'CWE-1061' => q"Insufficient Encapsulation", 'CWE-1062' => q"Parent Class with References to Child Class", 'CWE-1063' => q"Creation of Class Instance within a Static Code Block", 'CWE-1064' => q"Invokable Control Element with Signature Containing an Excessive Number of Parameters", 'CWE-1065' => q"Runtime Resource Management Control Element in a Component Built to Run on Application Servers", 'CWE-1066' => q"Missing Serialization Control Element", 'CWE-1067' => q"Excessive Execution of Sequential Searches of Data Resource", 'CWE-1068' => q"Inconsistency Between Implementation and Documented Design", 'CWE-1069' => q"Empty Exception Block", 'CWE-1070' => q"Serializable Data Element Containing non-Serializable Item Elements", 'CWE-1071' => q"Empty Code Block", 'CWE-1072' => q"Data Resource Access without Use of Connection Pooling", 'CWE-1073' => q"Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses", 'CWE-1074' => q"Class with Excessively Deep Inheritance", 'CWE-1075' => q"Unconditional Control Flow Transfer outside of Switch Block", 'CWE-1076' => q"Insufficient Adherence to Expected Conventions", 'CWE-1077' => q"Floating Point Comparison with Incorrect Operator", 'CWE-1078' => q"Inappropriate Source Code Style or Formatting", 'CWE-1079' => q"Parent Class without Virtual Destructor Method", 'CWE-1080' => q"Source Code File with Excessive Number of Lines of Code", 'CWE-1082' => q"Class Instance Self Destruction Control Element", 'CWE-1083' => q"Data Access from Outside Expected Data Manager Component", 'CWE-1084' => q"Invokable Control Element with Excessive File or Data Access Operations", 'CWE-1085' => q"Invokable Control Element with Excessive Volume of Commented-out Code", 'CWE-1086' => q"Class with Excessive Number of Child Classes", 'CWE-1087' => q"Class with Virtual Method without a Virtual Destructor", 'CWE-1088' => q"Synchronous Access of Remote Resource without Timeout", 'CWE-1089' => q"Large Data Table with Excessive Number of Indices", 'CWE-1090' => q"Method Containing Access of a Member Element from Another Class", 'CWE-1091' => q"Use of Object without Invoking Destructor Method", 'CWE-1092' => q"Use of Same Invokable Control Element in Multiple Architectural Layers", 'CWE-1093' => q"Excessively Complex Data Representation", 'CWE-1094' => q"Excessive Index Range Scan for a Data Resource", 'CWE-1095' => q"Loop Condition Value Update within the Loop", 'CWE-1096' => q"Singleton Class Instance Creation without Proper Locking or Synchronization", 'CWE-1097' => q"Persistent Storable Data Element without Associated Comparison Control Element", 'CWE-1098' => q"Data Element containing Pointer Item without Proper Copy Control Element", 'CWE-1099' => q"Inconsistent Naming Conventions for Identifiers", 'CWE-1100' => q"Insufficient Isolation of System-Dependent Functions", 'CWE-1101' => q"Reliance on Runtime Component in Generated Code", 'CWE-1102' => q"Reliance on Machine-Dependent Data Representation", 'CWE-1103' => q"Use of Platform-Dependent Third Party Components", 'CWE-1104' => q"Use of Unmaintained Third Party Components", 'CWE-1105' => q"Insufficient Encapsulation of Machine-Dependent Functionality", 'CWE-1106' => q"Insufficient Use of Symbolic Constants", 'CWE-1107' => q"Insufficient Isolation of Symbolic Constant Definitions", 'CWE-1108' => q"Excessive Reliance on Global Variables", 'CWE-1109' => q"Use of Same Variable for Multiple Purposes", 'CWE-1110' => q"Incomplete Design Documentation", 'CWE-1111' => q"Incomplete I/O Documentation", 'CWE-1112' => q"Incomplete Documentation of Program Execution", 'CWE-1113' => q"Inappropriate Comment Style", 'CWE-1114' => q"Inappropriate Whitespace Style", 'CWE-1115' => q"Source Code Element without Standard Prologue", 'CWE-1116' => q"Inaccurate Comments", 'CWE-1117' => q"Callable with Insufficient Behavioral Summary", 'CWE-1118' => q"Insufficient Documentation of Error Handling Techniques", 'CWE-1119' => q"Excessive Use of Unconditional Branching", 'CWE-1120' => q"Excessive Code Complexity", 'CWE-1121' => q"Excessive McCabe Cyclomatic Complexity", 'CWE-1122' => q"Excessive Halstead Complexity", 'CWE-1123' => q"Excessive Use of Self-Modifying Code", 'CWE-1124' => q"Excessively Deep Nesting", 'CWE-1125' => q"Excessive Attack Surface", 'CWE-1126' => q"Declaration of Variable with Unnecessarily Wide Scope", 'CWE-1127' => q"Compilation with Insufficient Warnings or Errors", 'CWE-1164' => q"Irrelevant Code", 'CWE-1173' => q"Improper Use of Validation Framework", 'CWE-1174' => q"ASP.NET Misconfiguration: Improper Model Validation", 'CWE-1176' => q"Inefficient CPU Computation", 'CWE-1177' => q"Use of Prohibited Code", 'CWE-1187' => q"DEPRECATED: Use of Uninitialized Resource", 'CWE-1188' => q"Initialization of a Resource with an Insecure Default", 'CWE-1189' => q"Improper Isolation of Shared Resources on System-on-a-Chip (SoC)", 'CWE-1190' => q"DMA Device Enabled Too Early in Boot Phase", 'CWE-1191' => q"On-Chip Debug and Test Interface With Improper Access Control", 'CWE-1192' => q"Improper Identifier for IP Block used in System-On-Chip (SOC)", 'CWE-1193' => q"Power-On of Untrusted Execution Core Before Enabling Fabric Access Control", 'CWE-1204' => q"Generation of Weak Initialization Vector (IV)", 'CWE-1209' => q"Failure to Disable Reserved Bits", 'CWE-1220' => q"Insufficient Granularity of Access Control", 'CWE-1221' => q"Incorrect Register Defaults or Module Parameters", 'CWE-1222' => q"Insufficient Granularity of Address Regions Protected by Register Locks", 'CWE-1223' => q"Race Condition for Write-Once Attributes", 'CWE-1224' => q"Improper Restriction of Write-Once Bit Fields", 'CWE-1229' => q"Creation of Emergent Resource", 'CWE-1230' => q"Exposure of Sensitive Information Through Metadata", 'CWE-1231' => q"Improper Prevention of Lock Bit Modification", 'CWE-1232' => q"Improper Lock Behavior After Power State Transition", 'CWE-1233' => q"Security-Sensitive Hardware Controls with Missing Lock Bit Protection", 'CWE-1234' => q"Hardware Internal or Debug Modes Allow Override of Locks", 'CWE-1235' => q"Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations", 'CWE-1236' => q"Improper Neutralization of Formula Elements in a CSV File", 'CWE-1239' => q"Improper Zeroization of Hardware Register", 'CWE-1240' => q"Use of a Cryptographic Primitive with a Risky Implementation", 'CWE-1241' => q"Use of Predictable Algorithm in Random Number Generator", 'CWE-1242' => q"Inclusion of Undocumented Features or Chicken Bits", 'CWE-1243' => q"Sensitive Non-Volatile Information Not Protected During Debug", 'CWE-1244' => q"Internal Asset Exposed to Unsafe Debug Access Level or State", 'CWE-1245' => q"Improper Finite State Machines (FSMs) in Hardware Logic", 'CWE-1246' => q"Improper Write Handling in Limited-write Non-Volatile Memories", 'CWE-1247' => q"Improper Protection Against Voltage and Clock Glitches", 'CWE-1248' => q"Semiconductor Defects in Hardware Logic with Security-Sensitive Implications", 'CWE-1249' => q"Application-Level Admin Tool with Inconsistent View of Underlying Operating System", 'CWE-1250' => q"Improper Preservation of Consistency Between Independent Representations of Shared State", 'CWE-1251' => q"Mirrored Regions with Different Values", 'CWE-1252' => q"CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations", 'CWE-1253' => q"Incorrect Selection of Fuse Values", 'CWE-1254' => q"Incorrect Comparison Logic Granularity", 'CWE-1255' => q"Comparison Logic is Vulnerable to Power Side-Channel Attacks", 'CWE-1256' => q"Improper Restriction of Software Interfaces to Hardware Features", 'CWE-1257' => q"Improper Access Control Applied to Mirrored or Aliased Memory Regions", 'CWE-1258' => q"Exposure of Sensitive System Information Due to Uncleared Debug Information", 'CWE-1259' => q"Improper Restriction of Security Token Assignment", 'CWE-1260' => q"Improper Handling of Overlap Between Protected Memory Ranges", 'CWE-1261' => q"Improper Handling of Single Event Upsets", 'CWE-1262' => q"Improper Access Control for Register Interface", 'CWE-1263' => q"Improper Physical Access Control", 'CWE-1264' => q"Hardware Logic with Insecure De-Synchronization between Control and Data Channels", 'CWE-1265' => q"Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls", 'CWE-1266' => q"Improper Scrubbing of Sensitive Data from Decommissioned Device", 'CWE-1267' => q"Policy Uses Obsolete Encoding", 'CWE-1268' => q"Policy Privileges are not Assigned Consistently Between Control and Data Agents", 'CWE-1269' => q"Product Released in Non-Release Configuration", 'CWE-1270' => q"Generation of Incorrect Security Tokens", 'CWE-1271' => q"Uninitialized Value on Reset for Registers Holding Security Settings", 'CWE-1272' => q"Sensitive Information Uncleared Before Debug/Power State Transition", 'CWE-1273' => q"Device Unlock Credential Sharing", 'CWE-1274' => q"Improper Access Control for Volatile Memory Containing Boot Code", 'CWE-1275' => q"Sensitive Cookie with Improper SameSite Attribute", 'CWE-1276' => q"Hardware Child Block Incorrectly Connected to Parent System", 'CWE-1277' => q"Firmware Not Updateable", 'CWE-1278' => "Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques", 'CWE-1279' => q"Cryptographic Operations are run Before Supporting Units are Ready", 'CWE-1280' => q"Access Control Check Implemented After Asset is Accessed", 'CWE-1281' => q"Sequence of Processor Instructions Leads to Unexpected Behavior", 'CWE-1282' => q"Assumed-Immutable Data is Stored in Writable Memory", 'CWE-1283' => q"Mutable Attestation or Measurement Reporting Data", 'CWE-1284' => q"Improper Validation of Specified Quantity in Input", 'CWE-1285' => q"Improper Validation of Specified Index, Position, or Offset in Input", 'CWE-1286' => q"Improper Validation of Syntactic Correctness of Input", 'CWE-1287' => q"Improper Validation of Specified Type of Input", 'CWE-1288' => q"Improper Validation of Consistency within Input", 'CWE-1289' => q"Improper Validation of Unsafe Equivalence in Input", 'CWE-1290' => q"Incorrect Decoding of Security Identifiers ", 'CWE-1291' => q"Public Key Re-Use for Signing both Debug and Production Code", 'CWE-1292' => q"Incorrect Conversion of Security Identifiers", 'CWE-1293' => q"Missing Source Correlation of Multiple Independent Data", 'CWE-1294' => q"Insecure Security Identifier Mechanism", 'CWE-1295' => q"Debug Messages Revealing Unnecessary Information", 'CWE-1296' => q"Incorrect Chaining or Granularity of Debug Components", 'CWE-1297' => q"Unprotected Confidential Information on Device is Accessible by OSAT Vendors", 'CWE-1298' => q"Hardware Logic Contains Race Conditions", 'CWE-1299' => q"Missing Protection Mechanism for Alternate Hardware Interface", 'CWE-1300' => q"Improper Protection of Physical Side Channels", 'CWE-1301' => q"Insufficient or Incomplete Data Removal within Hardware Component", 'CWE-1302' => q"Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)", 'CWE-1303' => q"Non-Transparent Sharing of Microarchitectural Resources", 'CWE-1304' => "Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation", 'CWE-1310' => q"Missing Ability to Patch ROM Code", 'CWE-1311' => q"Improper Translation of Security Attributes by Fabric Bridge", 'CWE-1312' => q"Missing Protection for Mirrored Regions in On-Chip Fabric Firewall", 'CWE-1313' => q"Hardware Allows Activation of Test or Debug Logic at Runtime", 'CWE-1314' => q"Missing Write Protection for Parametric Data Values", 'CWE-1315' => q"Improper Setting of Bus Controlling Capability in Fabric End-point", 'CWE-1316' => q"Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges", 'CWE-1317' => q"Improper Access Control in Fabric Bridge", 'CWE-1318' => q"Missing Support for Security Features in On-chip Fabrics or Buses", 'CWE-1319' => q"Improper Protection against Electromagnetic Fault Injection (EM-FI)", 'CWE-1320' => q"Improper Protection for Outbound Error Messages and Alert Signals", 'CWE-1321' => q"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", 'CWE-1322' => q"Use of Blocking Code in Single-threaded, Non-blocking Context", 'CWE-1323' => q"Improper Management of Sensitive Trace Data", 'CWE-1324' => q"DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface", 'CWE-1325' => q"Improperly Controlled Sequential Memory Allocation", 'CWE-1326' => q"Missing Immutable Root of Trust in Hardware", 'CWE-1327' => q"Binding to an Unrestricted IP Address", 'CWE-1328' => q"Security Version Number Mutable to Older Versions", 'CWE-1329' => q"Reliance on Component That is Not Updateable", 'CWE-1330' => q"Remanent Data Readable after Memory Erase", 'CWE-1331' => q"Improper Isolation of Shared Resources in Network On Chip (NoC)", 'CWE-1332' => q"Improper Handling of Faults that Lead to Instruction Skips", 'CWE-1333' => q"Inefficient Regular Expression Complexity", 'CWE-1334' => q"Unauthorized Error Injection Can Degrade Hardware Redundancy", 'CWE-1335' => q"Incorrect Bitwise Shift of Integer", 'CWE-1336' => q"Improper Neutralization of Special Elements Used in a Template Engine", 'CWE-1338' => q"Improper Protections Against Hardware Overheating", 'CWE-1339' => q"Insufficient Precision or Accuracy of a Real Number", 'CWE-1341' => q"Multiple Releases of Same Resource or Handle", 'CWE-1342' => q"Information Exposure through Microarchitectural State after Transient Execution", 'CWE-1351' => q"Improper Handling of Hardware Behavior in Exceptionally Cold Environments", 'CWE-1357' => q"Reliance on Insufficiently Trustworthy Component", 'CWE-1384' => q"Improper Handling of Physical or Environmental Conditions", 'CWE-1385' => q"Missing Origin Validation in WebSockets", 'CWE-1386' => q"Insecure Operation on Windows Junction / Mount Point", 'CWE-1389' => q"Incorrect Parsing of Numbers with Different Radices", 'CWE-1390' => q"Weak Authentication", 'CWE-1391' => q"Use of Weak Credentials", 'CWE-1392' => q"Use of Default Credentials", 'CWE-1393' => q"Use of Default Password", 'CWE-1394' => q"Use of Default Cryptographic Key", 'CWE-1395' => q"Dependency on Vulnerable Third-Party Component", 'CWE-1419' => q"Incorrect Initialization of Resource", 'CWE-1420' => q"Exposure of Sensitive Information during Transient Execution", 'CWE-1421' => "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution", 'CWE-1422' => q"Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution", 'CWE-1423' => "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution", # CATEGORY 'CWE-1' => q"DEPRECATED: Location", 'CWE-2' => q"7PK - Environment", 'CWE-3' => q"DEPRECATED: Technology-specific Environment Issues", 'CWE-4' => q"DEPRECATED: J2EE Environment Issues", 'CWE-10' => q"DEPRECATED: ASP.NET Environment Issues", 'CWE-16' => q"Configuration", 'CWE-17' => q"DEPRECATED: Code", 'CWE-18' => q"DEPRECATED: Source Code", 'CWE-19' => q"Data Processing Errors", 'CWE-21' => q"DEPRECATED: Pathname Traversal and Equivalence Errors", 'CWE-60' => q"DEPRECATED: UNIX Path Link Problems", 'CWE-63' => q"DEPRECATED: Windows Path Link Problems", 'CWE-68' => q"DEPRECATED: Windows Virtual File Problems", 'CWE-70' => q"DEPRECATED: Mac Virtual File Problems", 'CWE-100' => q"DEPRECATED: Technology-Specific Input Validation Problems", 'CWE-101' => q"DEPRECATED: Struts Validation Problems", 'CWE-133' => q"String Errors", 'CWE-136' => q"Type Errors", 'CWE-137' => q"Data Neutralization Issues", 'CWE-139' => q"DEPRECATED: General Special Element Problems", 'CWE-169' => q"DEPRECATED: Technology-Specific Special Elements", 'CWE-171' => q"DEPRECATED: Cleansing, Canonicalization, and Comparison Errors", 'CWE-189' => q"Numeric Errors", 'CWE-199' => q"Information Management Errors", 'CWE-227' => q"7PK - API Abuse", 'CWE-251' => q"Often Misused: String Management", 'CWE-254' => q"7PK - Security Features", 'CWE-255' => q"Credentials Management Errors", 'CWE-264' => q"Permissions, Privileges, and Access Controls", 'CWE-265' => q"Privilege Issues", 'CWE-275' => q"Permission Issues", 'CWE-310' => q"Cryptographic Issues", 'CWE-320' => q"Key Management Errors", 'CWE-355' => q"User Interface Security Issues", 'CWE-361' => q"7PK - Time and State", 'CWE-371' => q"State Issues", 'CWE-376' => q"DEPRECATED: Temporary File Issues", 'CWE-380' => q"DEPRECATED: Technology-Specific Time and State Issues", 'CWE-381' => q"DEPRECATED: J2EE Time and State Issues", 'CWE-387' => q"Signal Errors", 'CWE-388' => q"7PK - Errors", 'CWE-389' => q"Error Conditions, Return Values, Status Codes", 'CWE-398' => q"7PK - Code Quality", 'CWE-399' => q"Resource Management Errors", 'CWE-411' => q"Resource Locking Problems", 'CWE-417' => q"Communication Channel Errors", 'CWE-418' => q"DEPRECATED: Channel Errors", 'CWE-429' => q"Handler Errors", 'CWE-438' => q"Behavioral Problems", 'CWE-442' => q"DEPRECATED: Web Problems", 'CWE-445' => q"DEPRECATED: User Interface Errors", 'CWE-452' => q"Initialization and Cleanup Errors", 'CWE-461' => q"DEPRECATED: Data Structure Issues", 'CWE-465' => q"Pointer Issues", 'CWE-485' => q"7PK - Encapsulation", 'CWE-490' => q"DEPRECATED: Mobile Code Issues", 'CWE-503' => q"DEPRECATED: Byte/Object Code", 'CWE-504' => q"DEPRECATED: Motivation/Intent", 'CWE-505' => q"DEPRECATED: Intentionally Introduced Weakness", 'CWE-513' => q"DEPRECATED: Intentionally Introduced Nonmalicious Weakness", 'CWE-517' => q"DEPRECATED: Other Intentional, Nonmalicious Weakness", 'CWE-518' => q"DEPRECATED: Inadvertently Introduced Weakness", 'CWE-519' => q"DEPRECATED: .NET Environment Issues", 'CWE-557' => q"Concurrency Issues", 'CWE-559' => q"DEPRECATED: Often Misused: Arguments and Parameters", 'CWE-569' => q"Expression Issues", 'CWE-632' => q"DEPRECATED: Weaknesses that Affect Files or Directories", 'CWE-633' => q"DEPRECATED: Weaknesses that Affect Memory", 'CWE-634' => q"DEPRECATED: Weaknesses that Affect System Processes", 'CWE-712' => q"OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)", 'CWE-713' => q"OWASP Top Ten 2007 Category A2 - Injection Flaws", 'CWE-714' => q"OWASP Top Ten 2007 Category A3 - Malicious File Execution", 'CWE-715' => q"OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference", 'CWE-716' => q"OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)", 'CWE-717' => q"OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling", 'CWE-718' => q"OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management", 'CWE-719' => q"OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage", 'CWE-720' => q"OWASP Top Ten 2007 Category A9 - Insecure Communications", 'CWE-721' => q"OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access", 'CWE-722' => q"OWASP Top Ten 2004 Category A1 - Unvalidated Input", 'CWE-723' => q"OWASP Top Ten 2004 Category A2 - Broken Access Control", 'CWE-724' => q"OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management", 'CWE-725' => q"OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws", 'CWE-726' => q"OWASP Top Ten 2004 Category A5 - Buffer Overflows", 'CWE-727' => q"OWASP Top Ten 2004 Category A6 - Injection Flaws", 'CWE-728' => q"OWASP Top Ten 2004 Category A7 - Improper Error Handling", 'CWE-729' => q"OWASP Top Ten 2004 Category A8 - Insecure Storage", 'CWE-730' => q"OWASP Top Ten 2004 Category A9 - Denial of Service", 'CWE-731' => q"OWASP Top Ten 2004 Category A10 - Insecure Configuration Management", 'CWE-735' => q"CERT C Secure Coding Standard (2008) Chapter 2 - Preprocessor (PRE)", 'CWE-736' => q"CERT C Secure Coding Standard (2008) Chapter 3 - Declarations and Initialization (DCL)", 'CWE-737' => q"CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP)", 'CWE-738' => q"CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT)", 'CWE-739' => q"CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP)", 'CWE-740' => q"CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR)", 'CWE-741' => q"CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR)", 'CWE-742' => q"CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM)", 'CWE-743' => q"CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)", 'CWE-744' => q"CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV)", 'CWE-745' => q"CERT C Secure Coding Standard (2008) Chapter 12 - Signals (SIG)", 'CWE-746' => q"CERT C Secure Coding Standard (2008) Chapter 13 - Error Handling (ERR)", 'CWE-747' => q"CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC)", 'CWE-748' => q"CERT C Secure Coding Standard (2008) Appendix - POSIX (POS)", 'CWE-751' => q"2009 Top 25 - Insecure Interaction Between Components", 'CWE-752' => q"2009 Top 25 - Risky Resource Management", 'CWE-753' => q"2009 Top 25 - Porous Defenses", 'CWE-801' => q"2010 Top 25 - Insecure Interaction Between Components", 'CWE-802' => q"2010 Top 25 - Risky Resource Management", 'CWE-803' => q"2010 Top 25 - Porous Defenses", 'CWE-808' => q"2010 Top 25 - Weaknesses On the Cusp", 'CWE-810' => q"OWASP Top Ten 2010 Category A1 - Injection", 'CWE-811' => q"OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)", 'CWE-812' => q"OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management", 'CWE-813' => q"OWASP Top Ten 2010 Category A4 - Insecure Direct Object References", 'CWE-814' => q"OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)", 'CWE-815' => q"OWASP Top Ten 2010 Category A6 - Security Misconfiguration", 'CWE-816' => q"OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage", 'CWE-817' => q"OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access", 'CWE-818' => q"OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection", 'CWE-819' => q"OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards", 'CWE-840' => q"Business Logic Errors", 'CWE-845' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)", 'CWE-846' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 3 - Declarations and Initialization (DCL)", 'CWE-847' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 4 - Expressions (EXP)", 'CWE-848' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM)", 'CWE-849' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ)", 'CWE-850' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 7 - Methods (MET)", 'CWE-851' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)", 'CWE-852' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA)", 'CWE-853' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK)", 'CWE-854' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 11 - Thread APIs (THI)", 'CWE-855' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS)", 'CWE-856' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 13 - Thread-Safety Miscellaneous (TSM)", 'CWE-857' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 14 - Input Output (FIO)", 'CWE-858' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 15 - Serialization (SER)", 'CWE-859' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)", 'CWE-860' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 17 - Runtime Environment (ENV)", 'CWE-861' => q"The CERT Oracle Secure Coding Standard for Java (2011) Chapter 18 - Miscellaneous (MSC)", 'CWE-864' => q"2011 Top 25 - Insecure Interaction Between Components", 'CWE-865' => q"2011 Top 25 - Risky Resource Management", 'CWE-866' => q"2011 Top 25 - Porous Defenses", 'CWE-867' => q"2011 Top 25 - Weaknesses On the Cusp", 'CWE-869' => q"CERT C++ Secure Coding Section 01 - Preprocessor (PRE)", 'CWE-870' => q"CERT C++ Secure Coding Section 02 - Declarations and Initialization (DCL)", 'CWE-871' => q"CERT C++ Secure Coding Section 03 - Expressions (EXP)", 'CWE-872' => q"CERT C++ Secure Coding Section 04 - Integers (INT)", 'CWE-873' => q"CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)", 'CWE-874' => q"CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)", 'CWE-875' => q"CERT C++ Secure Coding Section 07 - Characters and Strings (STR)", 'CWE-876' => q"CERT C++ Secure Coding Section 08 - Memory Management (MEM)", 'CWE-877' => q"CERT C++ Secure Coding Section 09 - Input Output (FIO)", 'CWE-878' => q"CERT C++ Secure Coding Section 10 - Environment (ENV)", 'CWE-879' => q"CERT C++ Secure Coding Section 11 - Signals (SIG)", 'CWE-880' => q"CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)", 'CWE-881' => q"CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP)", 'CWE-882' => q"CERT C++ Secure Coding Section 14 - Concurrency (CON)", 'CWE-883' => q"CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)", 'CWE-885' => q"SFP Primary Cluster: Risky Values", 'CWE-886' => q"SFP Primary Cluster: Unused entities", 'CWE-887' => q"SFP Primary Cluster: API", 'CWE-889' => q"SFP Primary Cluster: Exception Management", 'CWE-890' => q"SFP Primary Cluster: Memory Access", 'CWE-891' => q"SFP Primary Cluster: Memory Management", 'CWE-892' => q"SFP Primary Cluster: Resource Management", 'CWE-893' => q"SFP Primary Cluster: Path Resolution", 'CWE-894' => q"SFP Primary Cluster: Synchronization", 'CWE-895' => q"SFP Primary Cluster: Information Leak", 'CWE-896' => q"SFP Primary Cluster: Tainted Input", 'CWE-897' => q"SFP Primary Cluster: Entry Points", 'CWE-898' => q"SFP Primary Cluster: Authentication", 'CWE-899' => q"SFP Primary Cluster: Access Control", 'CWE-901' => q"SFP Primary Cluster: Privilege", 'CWE-902' => q"SFP Primary Cluster: Channel", 'CWE-903' => q"SFP Primary Cluster: Cryptography", 'CWE-904' => q"SFP Primary Cluster: Malware", 'CWE-905' => q"SFP Primary Cluster: Predictability", 'CWE-906' => q"SFP Primary Cluster: UI", 'CWE-907' => q"SFP Primary Cluster: Other", 'CWE-929' => q"OWASP Top Ten 2013 Category A1 - Injection", 'CWE-930' => q"OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management", 'CWE-931' => q"OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)", 'CWE-932' => q"OWASP Top Ten 2013 Category A4 - Insecure Direct Object References", 'CWE-933' => q"OWASP Top Ten 2013 Category A5 - Security Misconfiguration", 'CWE-934' => q"OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure", 'CWE-935' => q"OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control", 'CWE-936' => q"OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)", 'CWE-937' => q"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", 'CWE-938' => q"OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards", 'CWE-944' => q"SFP Secondary Cluster: Access Management", 'CWE-945' => q"SFP Secondary Cluster: Insecure Resource Access", 'CWE-946' => q"SFP Secondary Cluster: Insecure Resource Permissions", 'CWE-947' => q"SFP Secondary Cluster: Authentication Bypass", 'CWE-948' => q"SFP Secondary Cluster: Digital Certificate", 'CWE-949' => q"SFP Secondary Cluster: Faulty Endpoint Authentication", 'CWE-950' => q"SFP Secondary Cluster: Hardcoded Sensitive Data", 'CWE-951' => q"SFP Secondary Cluster: Insecure Authentication Policy", 'CWE-952' => q"SFP Secondary Cluster: Missing Authentication", 'CWE-953' => q"SFP Secondary Cluster: Missing Endpoint Authentication", 'CWE-954' => q"SFP Secondary Cluster: Multiple Binds to the Same Port", 'CWE-955' => q"SFP Secondary Cluster: Unrestricted Authentication", 'CWE-956' => q"SFP Secondary Cluster: Channel Attack", 'CWE-957' => q"SFP Secondary Cluster: Protocol Error", 'CWE-958' => q"SFP Secondary Cluster: Broken Cryptography", 'CWE-959' => q"SFP Secondary Cluster: Weak Cryptography", 'CWE-960' => q"SFP Secondary Cluster: Ambiguous Exception Type", 'CWE-961' => q"SFP Secondary Cluster: Incorrect Exception Behavior", 'CWE-962' => q"SFP Secondary Cluster: Unchecked Status Condition", 'CWE-963' => q"SFP Secondary Cluster: Exposed Data", 'CWE-964' => q"SFP Secondary Cluster: Exposure Temporary File", 'CWE-965' => q"SFP Secondary Cluster: Insecure Session Management", 'CWE-966' => q"SFP Secondary Cluster: Other Exposures", 'CWE-967' => q"SFP Secondary Cluster: State Disclosure", 'CWE-968' => q"SFP Secondary Cluster: Covert Channel", 'CWE-969' => q"SFP Secondary Cluster: Faulty Memory Release", 'CWE-970' => q"SFP Secondary Cluster: Faulty Buffer Access", 'CWE-971' => q"SFP Secondary Cluster: Faulty Pointer Use", 'CWE-972' => q"SFP Secondary Cluster: Faulty String Expansion", 'CWE-973' => q"SFP Secondary Cluster: Improper NULL Termination", 'CWE-974' => q"SFP Secondary Cluster: Incorrect Buffer Length Computation", 'CWE-975' => q"SFP Secondary Cluster: Architecture", 'CWE-976' => q"SFP Secondary Cluster: Compiler", 'CWE-977' => q"SFP Secondary Cluster: Design", 'CWE-978' => q"SFP Secondary Cluster: Implementation", 'CWE-979' => q"SFP Secondary Cluster: Failed Chroot Jail", 'CWE-980' => q"SFP Secondary Cluster: Link in Resource Name Resolution", 'CWE-981' => q"SFP Secondary Cluster: Path Traversal", 'CWE-982' => q"SFP Secondary Cluster: Failure to Release Resource", 'CWE-983' => q"SFP Secondary Cluster: Faulty Resource Use", 'CWE-984' => q"SFP Secondary Cluster: Life Cycle", 'CWE-985' => q"SFP Secondary Cluster: Unrestricted Consumption", 'CWE-986' => q"SFP Secondary Cluster: Missing Lock", 'CWE-987' => q"SFP Secondary Cluster: Multiple Locks/Unlocks", 'CWE-988' => q"SFP Secondary Cluster: Race Condition Window", 'CWE-989' => q"SFP Secondary Cluster: Unrestricted Lock", 'CWE-990' => q"SFP Secondary Cluster: Tainted Input to Command", 'CWE-991' => q"SFP Secondary Cluster: Tainted Input to Environment", 'CWE-992' => q"SFP Secondary Cluster: Faulty Input Transformation", 'CWE-993' => q"SFP Secondary Cluster: Incorrect Input Handling", 'CWE-994' => q"SFP Secondary Cluster: Tainted Input to Variable", 'CWE-995' => q"SFP Secondary Cluster: Feature", 'CWE-996' => q"SFP Secondary Cluster: Security", 'CWE-997' => q"SFP Secondary Cluster: Information Loss", 'CWE-998' => q"SFP Secondary Cluster: Glitch in Computation", 'CWE-1001' => q"SFP Secondary Cluster: Use of an Improper API", 'CWE-1002' => q"SFP Secondary Cluster: Unexpected Entry Points", 'CWE-1005' => q"7PK - Input Validation and Representation", 'CWE-1006' => q"Bad Coding Practices", 'CWE-1009' => q"Audit", 'CWE-1010' => q"Authenticate Actors", 'CWE-1011' => q"Authorize Actors", 'CWE-1012' => q"Cross Cutting", 'CWE-1013' => q"Encrypt Data", 'CWE-1014' => q"Identify Actors", 'CWE-1015' => q"Limit Access", 'CWE-1016' => q"Limit Exposure", 'CWE-1017' => q"Lock Computer", 'CWE-1018' => q"Manage User Sessions", 'CWE-1019' => q"Validate Inputs", 'CWE-1020' => q"Verify Message Integrity", 'CWE-1027' => q"OWASP Top Ten 2017 Category A1 - Injection", 'CWE-1028' => q"OWASP Top Ten 2017 Category A2 - Broken Authentication", 'CWE-1029' => q"OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure", 'CWE-1030' => q"OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)", 'CWE-1031' => q"OWASP Top Ten 2017 Category A5 - Broken Access Control", 'CWE-1032' => q"OWASP Top Ten 2017 Category A6 - Security Misconfiguration", 'CWE-1033' => q"OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)", 'CWE-1034' => q"OWASP Top Ten 2017 Category A8 - Insecure Deserialization", 'CWE-1035' => q"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", 'CWE-1036' => q"OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring", 'CWE-1129' => q"CISQ Quality Measures (2016) - Reliability", 'CWE-1130' => q"CISQ Quality Measures (2016) - Maintainability", 'CWE-1131' => q"CISQ Quality Measures (2016) - Security", 'CWE-1132' => q"CISQ Quality Measures (2016) - Performance Efficiency", 'CWE-1134' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)", 'CWE-1135' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL)", 'CWE-1136' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)", 'CWE-1137' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)", 'CWE-1138' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR)", 'CWE-1139' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)", 'CWE-1140' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)", 'CWE-1141' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)", 'CWE-1142' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)", 'CWE-1143' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)", 'CWE-1144' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI)", 'CWE-1145' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)", 'CWE-1146' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 12. Thread-Safety Miscellaneous (TSM)", 'CWE-1147' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)", 'CWE-1148' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)", 'CWE-1149' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC)", 'CWE-1150' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV)", 'CWE-1151' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI)", 'CWE-1152' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)", 'CWE-1153' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD)", 'CWE-1155' => q"SEI CERT C Coding Standard - Guidelines 01. Preprocessor (PRE)", 'CWE-1156' => q"SEI CERT C Coding Standard - Guidelines 02. Declarations and Initialization (DCL)", 'CWE-1157' => q"SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP)", 'CWE-1158' => q"SEI CERT C Coding Standard - Guidelines 04. Integers (INT)", 'CWE-1159' => q"SEI CERT C Coding Standard - Guidelines 05. Floating Point (FLP)", 'CWE-1160' => q"SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)", 'CWE-1161' => q"SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR)", 'CWE-1162' => q"SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)", 'CWE-1163' => q"SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)", 'CWE-1165' => q"SEI CERT C Coding Standard - Guidelines 10. Environment (ENV)", 'CWE-1166' => q"SEI CERT C Coding Standard - Guidelines 11. Signals (SIG)", 'CWE-1167' => q"SEI CERT C Coding Standard - Guidelines 12. Error Handling (ERR)", 'CWE-1168' => q"SEI CERT C Coding Standard - Guidelines 13. Application Programming Interfaces (API)", 'CWE-1169' => q"SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON)", 'CWE-1170' => q"SEI CERT C Coding Standard - Guidelines 48. Miscellaneous (MSC)", 'CWE-1171' => q"SEI CERT C Coding Standard - Guidelines 50. POSIX (POS)", 'CWE-1172' => q"SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN) ", 'CWE-1175' => q"SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON)", 'CWE-1179' => q"SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)", 'CWE-1180' => q"SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL)", 'CWE-1181' => q"SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)", 'CWE-1182' => q"SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT)", 'CWE-1183' => q"SEI CERT Perl Coding Standard - Guidelines 05. Strings (STR)", 'CWE-1184' => q"SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP)", 'CWE-1185' => q"SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO)", 'CWE-1186' => q"SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC)", 'CWE-1195' => q"Manufacturing and Life Cycle Management Concerns", 'CWE-1196' => q"Security Flow Issues", 'CWE-1197' => q"Integration Issues", 'CWE-1198' => q"Privilege Separation and Access Control Issues", 'CWE-1199' => q"General Circuit and Logic Design Concerns", 'CWE-1201' => q"Core and Compute Issues", 'CWE-1202' => q"Memory and Storage Issues", 'CWE-1203' => q"Peripherals, On-chip Fabric, and Interface/IO Problems", 'CWE-1205' => q"Security Primitives and Cryptography Issues", 'CWE-1206' => q"Power, Clock, Thermal, and Reset Concerns", 'CWE-1207' => q"Debug and Test Problems", 'CWE-1208' => q"Cross-Cutting Problems", 'CWE-1210' => q"Audit / Logging Errors", 'CWE-1211' => q"Authentication Errors", 'CWE-1212' => q"Authorization Errors", 'CWE-1213' => q"Random Number Issues", 'CWE-1214' => q"Data Integrity Issues", 'CWE-1215' => q"Data Validation Issues", 'CWE-1216' => q"Lockout Mechanism Errors", 'CWE-1217' => q"User Session Errors", 'CWE-1218' => q"Memory Buffer Errors", 'CWE-1219' => q"File Handling Issues", 'CWE-1225' => q"Documentation Issues", 'CWE-1226' => q"Complexity Issues", 'CWE-1227' => q"Encapsulation Issues", 'CWE-1228' => q"API / Function Errors", 'CWE-1237' => q"SFP Primary Cluster: Faulty Resource Release", 'CWE-1238' => q"SFP Primary Cluster: Failure to Release Memory", 'CWE-1306' => q"CISQ Quality Measures - Reliability", 'CWE-1307' => q"CISQ Quality Measures - Maintainability", 'CWE-1308' => q"CISQ Quality Measures - Security", 'CWE-1309' => q"CISQ Quality Measures - Efficiency", 'CWE-1345' => q"OWASP Top Ten 2021 Category A01:2021 - Broken Access Control", 'CWE-1346' => q"OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures", 'CWE-1347' => q"OWASP Top Ten 2021 Category A03:2021 - Injection", 'CWE-1348' => q"OWASP Top Ten 2021 Category A04:2021 - Insecure Design", 'CWE-1349' => q"OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration", 'CWE-1352' => q"OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components", 'CWE-1353' => q"OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures", 'CWE-1354' => q"OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures", 'CWE-1355' => q"OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures", 'CWE-1356' => q"OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)", 'CWE-1359' => q"ICS Communications", 'CWE-1360' => q"ICS Dependencies (& Architecture)", 'CWE-1361' => q"ICS Supply Chain", 'CWE-1362' => q"ICS Engineering (Constructions/Deployment)", 'CWE-1363' => q"ICS Operations (& Maintenance)", 'CWE-1364' => q"ICS Communications: Zone Boundary Failures", 'CWE-1365' => q"ICS Communications: Unreliability", 'CWE-1366' => q"ICS Communications: Frail Security in Protocols", 'CWE-1367' => q"ICS Dependencies (& Architecture): External Physical Systems", 'CWE-1368' => q"ICS Dependencies (& Architecture): External Digital Systems", 'CWE-1369' => q"ICS Supply Chain: IT/OT Convergence/Expansion", 'CWE-1370' => q"ICS Supply Chain: Common Mode Frailties", 'CWE-1371' => q"ICS Supply Chain: Poorly Documented or Undocumented Features", 'CWE-1372' => q"ICS Supply Chain: OT Counterfeit and Malicious Corruption", 'CWE-1373' => q"ICS Engineering (Construction/Deployment): Trust Model Problems", 'CWE-1374' => q"ICS Engineering (Construction/Deployment): Maker Breaker Blindness", 'CWE-1375' => q"ICS Engineering (Construction/Deployment): Gaps in Details/Data", 'CWE-1376' => q"ICS Engineering (Construction/Deployment): Security Gaps in Commissioning", 'CWE-1377' => q"ICS Engineering (Construction/Deployment): Inherent Predictability in Design", 'CWE-1378' => q"ICS Operations (& Maintenance): Gaps in obligations and training", 'CWE-1379' => q"ICS Operations (& Maintenance): Human factors in ICS environments", 'CWE-1380' => q"ICS Operations (& Maintenance): Post-analysis changes", 'CWE-1381' => q"ICS Operations (& Maintenance): Exploitable Standard Operational Procedures", 'CWE-1382' => q"ICS Operations (& Maintenance): Emerging Energy Technologies", 'CWE-1383' => q"ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements", 'CWE-1388' => q"Physical Access Issues and Concerns", 'CWE-1396' => q"Comprehensive Categorization: Access Control", 'CWE-1397' => q"Comprehensive Categorization: Comparison", 'CWE-1398' => q"Comprehensive Categorization: Component Interaction", 'CWE-1399' => q"Comprehensive Categorization: Memory Safety", 'CWE-1401' => q"Comprehensive Categorization: Concurrency", 'CWE-1402' => q"Comprehensive Categorization: Encryption", 'CWE-1403' => q"Comprehensive Categorization: Exposed Resource", 'CWE-1404' => q"Comprehensive Categorization: File Handling", 'CWE-1405' => q"Comprehensive Categorization: Improper Check or Handling of Exceptional Conditions", 'CWE-1406' => q"Comprehensive Categorization: Improper Input Validation", 'CWE-1407' => q"Comprehensive Categorization: Improper Neutralization", 'CWE-1408' => q"Comprehensive Categorization: Incorrect Calculation", 'CWE-1409' => q"Comprehensive Categorization: Injection", 'CWE-1410' => q"Comprehensive Categorization: Insufficient Control Flow Management", 'CWE-1411' => q"Comprehensive Categorization: Insufficient Verification of Data Authenticity", 'CWE-1412' => q"Comprehensive Categorization: Poor Coding Practices", 'CWE-1413' => q"Comprehensive Categorization: Protection Mechanism Failure", 'CWE-1414' => q"Comprehensive Categorization: Randomness", 'CWE-1415' => q"Comprehensive Categorization: Resource Control", 'CWE-1416' => q"Comprehensive Categorization: Resource Lifecycle Management", 'CWE-1417' => q"Comprehensive Categorization: Sensitive Information Exposure", 'CWE-1418' => q"Comprehensive Categorization: Violation of Secure Design Principles", ); sub get_weakness_name { my $id = shift; return unless $id; my %cwes = WEAKNESSES; if (defined $cwes{$id}) { return $cwes{$id}; } } sub weakness_exists { my $id = shift; return unless $id; my %cwes = WEAKNESSES; return defined($cwes{$id}); } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Util - CWE utility for CSAF =head1 SYNOPSIS use CSAF::Util::CWE qw(get_weakness_name); say get_weakness_name('CWE-200'); =head1 DESCRIPTION CWE utility for L. =head2 FUNCTIONS =over =item get_weakness_name =item weakness_exxists =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Type.pm0000644000175000017500000001333214612023627013726 0ustar peppepeppepackage CSAF::Type; use 5.010001; use strict; use warnings; use utf8; use Carp; use constant TYPE_CLASSES => { acknowledgment => 'CSAF::Type::Acknowledgment', acknowledgments => 'CSAF::Type::Acknowledgments', aggregate_severity => 'CSAF::Type::AggregateSeverity', branch => 'CSAF::Type::Branch', branches => 'CSAF::Type::Branches', cvss_v2 => 'CSAF::Type::CVSS2', cvss_v3 => 'CSAF::Type::CVSS3', cwe => 'CSAF::Type::CWE', distribution => 'CSAF::Type::Distribution', document => 'CSAF::Type::Document', engine => 'CSAF::Type::Engine', file_hash => 'CSAF::Type::FileHash', file_hashes => 'CSAF::Type::FileHashes', flag => 'CSAF::Type::Flag', flags => 'CSAF::Type::Flags', full_product_name => 'CSAF::Type::FullProductName', full_product_names => 'CSAF::Type::FullProductNames', generator => 'CSAF::Type::Generator', generic_uri => 'CSAF::Type::GenericURI', generic_uris => 'CSAF::Type::GenericURIs', hash => 'CSAF::Type::Hash', hashes => 'CSAF::Type::Hashes', id => 'CSAF::Type::ID', ids => 'CSAF::Type::IDs', note => 'CSAF::Type::Note', notes => 'CSAF::Type::Notes', product => 'CSAF::Type::Product', product_group => 'CSAF::Type::ProductGroup', product_groups => 'CSAF::Type::ProductGroups', product_identification_helper => 'CSAF::Type::ProductIdentificationHelper', product_status => 'CSAF::Type::ProductStatus', product_tree => 'CSAF::Type::ProductTree', publisher => 'CSAF::Type::Publisher', reference => 'CSAF::Type::Reference', references => 'CSAF::Type::References', relationship => 'CSAF::Type::Relationship', relationships => 'CSAF::Type::Relationships', remediation => 'CSAF::Type::Remediation', remediations => 'CSAF::Type::Remediations', restart_required => 'CSAF::Type::RestartRequired', revision => 'CSAF::Type::Revision', revision_history => 'CSAF::Type::RevisionHistory', score => 'CSAF::Type::Score', scores => 'CSAF::Type::Scores', threat => 'CSAF::Type::Threat', threats => 'CSAF::Type::Threats', tlp => 'CSAF::Type::TLP', tracking => 'CSAF::Type::Tracking', vulnerabilities => 'CSAF::Type::Vulnerabilities', vulnerability => 'CSAF::Type::Vulnerability', }; sub new { my ($self, %params) = @_; my $name = delete $params{name}; my $value = delete $params{value}; return _build(lc $name, $value); } sub name { my ($self, $name, $value) = @_; return _build(lc $name, $value); } sub _build { my ($name, $value) = @_; my $class = TYPE_CLASSES->{$name} or Carp::croak 'Unknown CSAF type'; if ($class->can('new') or eval "require $class; 1") { local $Carp::Internal{caller()} = 1; return $class->new($value); } } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Type - Wrapper for all CSAF document types =head1 SYNOPSIS use CSAF::Type; CSAF::Type->name( reference => { url => 'https://www.cve.org/CVERecord?id=CVE-2022-43634', summary => 'CVE-2022-43634', category => 'external' } ); CSAF::Type->new( name => 'reference', value => { url => 'https://www.cve.org/CVERecord?id=CVE-2022-43634', summary => 'CVE-2022-43634', category => 'external' } ); =head1 DESCRIPTION =head2 METHODS =over =item new ( name => $name, value => $value ) Load and return the B class provided in B. CSAF::Type->new( name => 'reference', value => { url => 'https://www.cve.org/CVERecord?id=CVE-2022-43634', summary => 'CVE-2022-43634', category => 'external' } ); =item name ( $type => $value ) Load and return the B class. CSAF::Type->name( reference => { url => 'https://www.cve.org/CVERecord?id=CVE-2022-43634', summary => 'CVE-2022-43634', category => 'external' } ); =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Parser.pm0000644000175000017500000002252714612023627014247 0ustar peppepeppepackage CSAF::Parser; use 5.010001; use strict; use warnings; use utf8; use CSAF; use CSAF::Util qw(file_read); use CSAF::Schema; use List::Util qw(first); use Cpanel::JSON::XS; use Moo; has file => (is => 'ro'); has content => (is => 'ro'); has data => (is => 'rw'); sub parse { my $self = shift; if ($self->content || $self->file) { my $content = $self->content; if ($self->file) { Carp::croak sprintf('File "%s" not found', $self->file) unless (-e $self->file); $content = file_read($self->file); } Carp::croak "Empty 'content'" unless $content; my $json = eval { Cpanel::JSON::XS->new->decode($content) }; Carp::croak "Failed to parse the CSAF document: $@" if ($@); $self->data($json); } my $data = $self->data; Carp::croak 'Invalid CSAF document' unless (exists $data->{document}); my $csaf = CSAF->new; if (my $document = $data->{document}) { $csaf->document->title($document->{title}); $csaf->document->category($document->{category}); $csaf->document->csaf_version($document->{csaf_version}); $csaf->document->lang($document->{lang}) if ($document->{lang}); $csaf->document->source_lang($document->{source_lang}) if ($document->{source_lang}); if (my $aggregate_severity = $document->{aggregate_severity}) { $csaf->document->aggregate_severity(%{$aggregate_severity}); } if (my $distribution = $document->{distribution}) { $csaf->document->distribution(%{$distribution}); if (my $tlp = $distribution->{tlp}) { $csaf->document->distribution->tlp(%{$tlp}); } } $csaf->document->publisher(%{$document->{publisher}}); if (my $notes = $document->{notes}) { $csaf->document->notes->item(%{$_}) for (@{$notes}); } if (my $references = $document->{references}) { $csaf->document->references->item(%{$_}) for (@{$references}); } if (my $tracking = $document->{tracking}) { $csaf->document->tracking(%{$tracking}); $csaf->document->tracking->generator(%{$tracking->{generator}}) if ($tracking->{generator}); $csaf->document->tracking->generator->engine(%{$tracking->{generator}->{engine}}) if ($tracking->{generator}->{engine}); $csaf->document->tracking->revision_history->item(%{$_}) for (@{$tracking->{revision_history}}); } if (my $acknowledgments = $document->{acknowledgments}) { $csaf->document->acknowledgments->item(%{$_}) for (@{$acknowledgments}); } } if (my $vulnerabilities = $data->{vulnerabilities}) { foreach my $vulnerability (@{$vulnerabilities}) { my $vuln = $csaf->vulnerabilities->item(cve => $vulnerability->{cve}); if (my $cwe = $vulnerability->{cwe}) { $vuln->cwe(%{$cwe}); } if (my $notes = $vulnerability->{notes}) { $vuln->notes->item(%{$_}) for (@{$notes}); } if (my $references = $vulnerability->{references}) { $vuln->references->item(%{$_}) for (@{$references}); } if (my $product_status = $vulnerability->{product_status}) { $vuln->product_status(%{$product_status}); } if (my $scores = $vulnerability->{scores}) { $vuln->scores->item(%{$_}) for (@{$scores}); } if (my $acknowledgments = $vulnerability->{acknowledgments}) { $vuln->acknowledgments->item(%{$_}) for (@{$acknowledgments}); } if (my $remediations = $vulnerability->{remediations}) { $vuln->remediations->item(%{$_}) for (@{$remediations}); } if (my $threats = $vulnerability->{threats}) { $vuln->threats->item(%{$_}) for (@{$threats}); } if (my $involvements = $vulnerability->{involvements}) { $vuln->involvements->item(%{$_}) for (@{$involvements}); } if (my $flags = $vulnerability->{flags}) { $vuln->flags->item(%{$_}) for (@{$flags}); } if (my $ids = $vulnerability->{ids}) { $vuln->ids->item(%{$_}) for (@{$ids}); } } } if (my $product_tree = $data->{product_tree}) { my $csaf_product_tree = $csaf->product_tree; if (my $branches = $product_tree->{branches}) { _branches_walk($branches, $csaf_product_tree); } if (my $relationships = $product_tree->{relationships}) { $csaf_product_tree->relationships->item(%{$_}) for (@{$relationships}); } if (my $product_groups = $product_tree->{product_groups}) { $csaf_product_tree->product_groups->item(%{$_}) for (@{$product_groups}); } if (my $full_product_names = $product_tree->{full_product_names}) { $csaf_product_tree->full_product_names->item(%{$_}) for (@{$full_product_names}); } } my $v = $csaf->validator; my $schema = CSAF::Schema->validator('strict-csaf-2.0'); my @errors = $schema->validate($data); foreach my $error (@errors) { if (first { 'additionalProperties' eq $_ } @{$error->details}) { $v->add_message( type => 'warning', category => 'optional', path => $error->path, code => '6.2.20', message => $error->message ); } } return $csaf; } sub _branches_walk { my ($branches, $csaf) = @_; foreach my $branch (@{$branches}) { if (defined $branch->{branches}) { _branches_walk($branch->{branches}, $csaf->branches->item(%{$branch})); } else { $csaf->branches->item(%{$branch}); } } } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Parser - Parse a CSAF document =head1 SYNOPSIS use CSAF::Parser; my $parser = eval { CSAF::Parser->new(file => 'csaf-2023-01.json') }; Carp::croak "Failed to parse CSAF document" if ($@); my $csaf = $parser->parse; $csaf->document->title('CSAF Document'); $csaf->to_string; =head1 DESCRIPTION CSAF document parser. =head2 ATTRIBUTES =over =item data CSAF document hash. =item file CSAF document file. =item content CSAF document string. =back =head2 METHODS =over =item new ([file => ($path | ) | content => $json_string | data => $hash]) CSAF document file: my $parser = CSAF::Parser->new(file => 'csaf-2023-01.json'); open (my $fh, '<', 'csaf-2023-01.json') or die $!; my $parser = CSAF::Parser->new(file => $fh); CSAF document in JSON string format: my $parser = CSAF::Parser->new(content => <new(data => { "document" => { "category" => "csaf_base", "csaf_version" => "2.0", "publisher" => { "category" => "other", "name" => "OASIS CSAF TC", "namespace" => "https://csaf.io" }, "title" => "Template for generating CSAF files for Validator examples", "tracking" => { "current_release_date" => "2021-07-21T10:00:00.000Z", "id" => "OASIS_CSAF_TC-CSAF_2.0-2021-TEMPLATE", "initial_release_date" => "2021-07-21T10:00:00.000Z", "revision_history" => [ { "date" => "2021-07-21T10:00:00.000Z", "number" => 1, "summary" => "Initial version." } ], "status" => "final", "version" => 1 } } }); =item parse Parse the provided CSAF document and return L. =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/ROLIE/0000755000175000017500000000000014755634263013333 5ustar peppepeppeCSAF-0.25/lib/CSAF/ROLIE/Entry.pm0000644000175000017500000000423714612023627014764 0ustar peppepeppepackage CSAF::ROLIE::Entry; use 5.010001; use strict; use warnings; use utf8; use Moo; use CSAF::Util qw(parse_datetime); has id => (is => 'rw', required => 1); has title => (is => 'rw', required => 1); has published => (is => 'rw', coerce => \&parse_datetime); has updated => (is => 'rw', required => 1, coerce => \&parse_datetime); has format => (is => 'rw', required => 1); has link => (is => 'rw', required => 1); has content => (is => 'rw', required => 1); has summary => (is => 'rw'); sub TO_JSON { my $self = shift; my $json = { id => $self->id, title => $self->title, published => $self->published->datetime, updated => $self->updated->datetime, format => $self->format, link => $self->link, content => $self->content }; $json->{summary} = $self->summary if ($self->summary); return $json; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::ROLIE::Feed::Entry - ROLIE feed entry =head1 SYNOPSIS use CSAF::ROLIE::Feed::Entry; my $entry = CSAF::ROLIE::Feed::Entry->new( ); =head1 DESCRIPTION ROLIE feed entry for L. =head2 METHODS =over =item $entry->id =item $entry->title =item $entry->published =item $entry->updated =item $entry->link =item $entry->content =item $entry->summary =item $entry->TO_JSON =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/ROLIE/Feed.pm0000644000175000017500000002421014744673165014535 0ustar peppepeppepackage CSAF::ROLIE::Feed; use 5.010001; use strict; use warnings; use utf8; use Moo; use CSAF::Util qw(file_write file_read parse_datetime tracking_id_to_well_filename); use CSAF::ROLIE::Entries; use CSAF::Options::ROLIE; use Cpanel::JSON::XS; use File::Basename; use File::Find; use File::Spec::Functions qw(catfile); use Time::Piece; use constant TRUE => !!1; use constant FALSE => !!0; my $CSAF_SCHEMAS = {'2.0' => 'https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json'}; has options => ( isa => sub { Carp::croak q{Not "CSAF::Options::ROLIE" object} unless ref($_[0]) eq 'CSAF::Options::ROLIE' }, is => 'lazy', build => 1, ); sub _build_options { CSAF::Options::ROLIE->new } # ROLIE feed properties has id => (is => 'rw'); has title => (is => 'rw'); has link => (is => 'rw'); has category => ( is => 'lazy', default => sub { [{scheme => 'urn:ietf:params:rolie:category:information-type', term => 'csaf'}] } ); has updated => (is => 'rw', required => 1, default => sub { Time::Piece->new }, coerce => \&parse_datetime); sub init { my $self = shift; $self->id($self->options->feed_id) unless $self->id; $self->title($self->options->feed_title) unless $self->title; $self->link($self->options->feed_link) unless $self->link; } sub entry { my $self = shift; $self->{entry} ||= CSAF::ROLIE::Entries->new(@_); } sub import_entry_from_file { my ($self, $feed_path) = @_; Carp::croak 'ROLIE feed not found' unless -e $feed_path; my $json = eval { Cpanel::JSON::XS->new->decode(file_read($feed_path)) }; Carp::croak "Failed to parse the ROLIE feed: $@" if ($@); Carp::croak 'Invalid ROLIE feed' unless defined $json->{feed}; foreach my $entry (@{$json->{feed}->{entry}}) { $self->entry->item(%{$entry}); } } sub add_entry { my ($self, $csaf, $options) = @_; $options //= {}; Carp::croak 'Not CSAF object' unless (ref($csaf) eq 'CSAF'); my $id = $csaf->document->tracking->id; my $title = $csaf->document->title; my $published = $csaf->document->tracking->initial_release_date; my $updated = $csaf->document->tracking->current_release_date; my $csaf_year = $csaf->document->tracking->initial_release_date->year; my $csaf_url = join('/', $self->options->base_url, $csaf_year, tracking_id_to_well_filename($id)); my $format = {schema => $CSAF_SCHEMAS->{$csaf->document->csaf_version}, version => $csaf->document->csaf_version}; my $content = {type => 'application/json', src => $csaf_url}; my $link = [{href => $csaf_url, rel => 'self'}]; my $summary = undef; $csaf->document->notes->each(sub { my $note = shift; $summary = $note->text if ($note->category eq 'summary'); }); # TODO Add the check of the existence of integrity and signature files if (defined $options->{integrity}) { my $integrity = $options->{integrity}; push @{$link}, {href => "$csaf_url.sha256", rel => 'hash'} if (defined $integrity->{sha256} && $integrity->{sha256}); push @{$link}, {href => "$csaf_url.sha512", rel => 'hash'} if (defined $integrity->{sha512} && $integrity->{sha512}); } push @{$link}, {href => "$csaf_url.asc", rel => 'signature'} if (defined $options->{signature} && $options->{signature}); my $is_updated = 0; $self->entry->each(sub { my ($item) = @_; if ($item->id eq $id) { if ($item->updated < $updated) { $item->updated($updated); $item->title($title); $item->summary($summary); } $is_updated = 1; return; } }); unless ($is_updated) { my $entry = { id => $id, title => $title, published => $published, updated => $updated, format => $format, link => $link, summary => $summary, content => $content }; $self->entry->item(%{$entry}); } $self->updated(Time::Piece->new); return $self; } sub from_file { my ($class, $feed_path) = @_; Carp::croak 'ROLIE feed not found' unless -e $feed_path; my $json = eval { Cpanel::JSON::XS->new->decode(file_read($feed_path)) }; Carp::croak "Failed to parse the ROLIE feed: $@" if ($@); Carp::croak 'Invalid ROLIE feed' unless defined $json->{feed}; my $feed = $class->new( id => $json->{feed}->{id}, title => $json->{feed}->{title}, link => $json->{feed}->{link}, updated => $json->{feed}->{updated} ); $feed->options->configure(feed_directory => dirname($feed_path), feed_filename => basename($feed_path)); foreach my $entry (@{$json->{feed}->{entry}}) { $feed->entry->item(%{$entry}); } return $feed; } sub render { my $self = shift; $self->init; my $json = Cpanel::JSON::XS->new->utf8->canonical->allow_nonref->allow_unknown->allow_blessed->convert_blessed ->stringify_infnan->escape_slash(0)->allow_dupkeys->pretty->space_before(0); my @sorted_entries = sort { $b->updated->epoch <=> $a->updated->epoch } @{$self->entry->to_array}; $self->entry->items(\@sorted_entries); return $json->encode($self); } sub write { my ($self, $path) = @_; $path //= $self->options->feed_filename; file_write($path, $self->render); return 1; } sub from_csaf_directory { my ($self, $path) = @_; $path //= $self->options->csaf_directory; Carp::croak 'Directory not found' unless -e -d $path; my @files = (); my $wanted = sub { push @files, $File::Find::name if !-d $File::Find::name && $File::Find::name =~ /\.json$/; }; find {wanted => $wanted, no_chdir => 1}, $path; foreach my $file (@files) { my $parser = CSAF::Parser->new(file => $file); my $csaf = eval { $parser->parse }; next unless $csaf; my $id = $csaf->document->tracking->id; my $tlp_label = $csaf->document->distribution->tlp->label; if ($tlp_label eq $self->options->tlp_label) { $self->add_entry( $csaf, { integrity => {sha256 => (-e "$file.sha256"), sha512 => (-e "$file.sha512")}, signature => (-e "$file.asc") } ); } } return $self; } sub TO_JSON { my $self = shift; my $json = { feed => { id => $self->id, title => $self->title, link => $self->link, category => $self->category, updated => $self->updated, entry => $self->entry } }; return $json; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::ROLIE::Feed - Build ROLIE (Resource-Oriented Lightweight Information Exchange) feed =head1 SYNOPSIS use CSAF::ROLIE::Feed; my $rolie = CSAF::ROLIE::Feed->new; $rolie->options->configure( feed_id => 'acme-csaf-feed-tlp-white', feed_title => 'ACME Security Advisory CSAF feed (TLP:WHITE)' base_url => 'https://security.acme.tld/advisories/csaf' ); # Add CSAF document entry $rolie->add_entry($csaf); if ($rolie->write) { say "ROLIE feed created"; } =head1 DESCRIPTION L build a ROLIE (Resource-Oriented Lightweight Information Exchange) feed using the CSAF documents. L The Resource Oriented Lightweight Information Exchange (ROLIE) is standard (RFC-8322) for exchanging security automation information between two machines, or between a machine and a human operator. L =head2 ATTRIBUTES =over =item id Feed ID =item title Feed title =item link =item category Feed category =item entry Feed entries =item updated Feed last update =back =head2 METHODS =over =item $rolie->options Change the default options for L configurator. $rolie->options->configure( feed_title => 'ACME Security Advisory CSAF feed (TLP:WHITE)' base_url => 'https://security.acme.tld/advisories/csaf' ); =item $rolie->add_entry ( $csaf, [ $options ]) Add a L document to the ROLIE feed and provide a C<$options> hash to include the integrity and signature files. $rolie->add_entry($csaf, { integrity => { sha256 => 0, sha512 => 1 }, signature => 1 }); =item $rolie->from_csaf_directory ( [$path] ) Create ROLIE feed from the provided CSAF directory in C<$path>. If C<$path> is not specified, the name will be taken from the C option in L. $rolie->from_csaf_directory('/var/www/html/advisories/csaf'); $rolie->write; =item $rolie->from_file ( $path ) Import ROLIE feed from the provided file. =item $rolie->import_entry_from_file ( $path ) Import only the entries from provided ROLIE feed file. =item $rolie->render Render a ROLIE feed in JSON. $rolie->render; =item $rolie->write ( [$path] ) Render and write a ROLIE feed. If C<$path> is not specified, the name will be taken from the C option in L (default C). $rolie->write('acme-csaf-feed-tlp-white.json'); =item $rolie->TO_JSON =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/ROLIE/Entries.pm0000644000175000017500000000253014612023627015266 0ustar peppepeppepackage CSAF::ROLIE::Entries; use 5.010001; use strict; use warnings; use utf8; use Moo; extends 'CSAF::Type::List'; has item_class => (is => 'ro', default => 'CSAF::ROLIE::Entry'); 1; __END__ =encoding utf-8 =head1 NAME CSAF::ROLIE::Entries - ROLIE entry collection =head1 SYNOPSIS use CSAF::ROLIE::Entries; my $entries = CSAF::ROLIE::Entries->new( ); =head1 DESCRIPTION L is a collection of L elements. =head2 METHODS L inherits all methods from L. =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Renderer/0000755000175000017500000000000014755634263014227 5ustar peppepeppeCSAF-0.25/lib/CSAF/Renderer/Base.pm0000644000175000017500000000261614612023627015430 0ustar peppepeppepackage CSAF::Renderer::Base; use 5.010001; use strict; use warnings; use utf8; use Carp; use Moo; extends 'CSAF::Base'; use overload '""' => \&render, fallback => 1; sub render { Carp::croak 'Method "render" not implemented by subclass' } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Renderer::Base - Renderer base class =head1 SYNOPSIS use CSAF::Renderer::Base; my $renderer = CSAF::Renderer::Base->new( ); =head1 DESCRIPTION =head2 METHODS L inherits all methods from L and implements the following new ones. =over =item $renderer->render =back =head1 SUPPORT =head2 Bugs / Feature Requests Please report any bugs or feature requests through the issue tracker at L. You will be notified automatically of any progress on your issue. =head2 Source Code This is open source software. The code repository is available for public review and contribution under the terms of the license. L git clone https://github.com/giterlizzi/perl-CSAF.git =head1 AUTHOR =over 4 =item * Giuseppe Di Terlizzi =back =head1 LICENSE AND COPYRIGHT This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut CSAF-0.25/lib/CSAF/Renderer/HTML.pm0000644000175000017500000000616714704316755015340 0ustar peppepeppepackage CSAF::Renderer::HTML; use 5.010001; use strict; use warnings; use utf8; use CSAF::Util qw(tt_templates_path); use Template; use Moo; extends 'CSAF::Renderer::Base'; with 'CSAF::Util::Log'; sub render { my ($self, %options) = @_; my $products = $CSAF::CACHE->{products} || {}; my $max_base_score = 0; $self->csaf->build; foreach my $vuln ($self->csaf->vulnerabilities->each) { foreach my $score ($vuln->scores->each) { if ($score->cvss_v3 && $score->cvss_v3->baseScore && $max_base_score < $score->cvss_v3->baseScore) { $max_base_score = $score->cvss_v3->baseScore; } } } my %tt_options = ( PRE_CHOMP => 1, TRIM => 1, ENCODING => 'UTF-8', VARIABLES => { document => $self->csaf->document, product_tree => $self->csaf->product_tree, vulnerabilities => $self->csaf->vulnerabilities, max_base_score => $max_base_score, }, FILTERS => { product_name => sub { my ($product_id) = @_; return $products->{$product_id} || $product_id; } } ); my $template = $options{template} || 'default'; my $vars = $options{vars} || {}; my $output = undef; $template .= '.tt2' unless $template =~ /\.tt2$/; unless (-e $template) { $tt_options{INCLUDE_PATH} = tt_templates_path; } my $tt = Template->new(%tt_options) or Carp::croak $Template::ERROR; $self->log->debug("Render CSAF document using $template template"); $tt->process($template, $vars, \$output) or Carp::croak $tt->error; return $output; } 1; __END__ =encoding utf-8 =head1 NAME CSAF::Renderer::HTML - Render a CSAF document in HTML =head1 SYNOPSIS use CSAF::Renderer::HTML; my $renderer = CSAF::Renderer::HTML->new( csaf => $csaf ); my $html = $renderer->render; =head1 DESCRIPTION =head2 METHODS L inherits all methods from L and implements the following new ones. =over =item $renderer->render ( [%options] ) Render a CSAF document in HTML format using L