Updates to API calls for CSAF output

[sei-vsarvepalli]

This is further to issue #17 , the API example get_vince.py was not updated in the last PR merge.

Vijay

[tschmidtb51]

Please replace cvrf with csaf.

[tschmidtb51]

Suggested change

	def vince_to_cvrf(vince):
	def vince_to_csaf(vince):

[tschmidtb51]

This should include at least the anchor to acknowledgments section (as extracting the single values is not supported yet). The anchor must be supported by the website as well.

Suggested change

	"https://kb.cert.org/vuls/id/"+case_id
	"https://kb.cert.org/vuls/id/"+case_id+"#Acknowledgements"

[tschmidtb51]

If the product version is not present, it should not be specified.

[sei-vsarvepalli]

Hello @tschmidtb51

Thanks for these suggestions. I will merge them soon. I was going with our own SBOM recommendations that basically decided the author of the SBOM, should provide a semver complaint version number starting at 1.0.0 if no version number is provided. But I can totally see how this can confuse the recipients if we arbitrarily give version numbers to software that we don't own.

Let me chat with our SBOM WG on this feedback and dilemma we face at times with software that has no version number specified anywhere. I will merge in your commits soon, right after guessing there will be actually no better solution than just leaving the information as "unknown"

Vijay

[sei-vsarvepalli]

Hello @tschmidtb51 @santosomar

We have now pushed this code into production. You can use your VINCE API credentials to collect CSAF output for cases you are part of. I hope you have already generated API keys.

Once you have reviewed it, we can also provide the same to the public advisories that go out today as vulnerability notice at https://kb.cert.org/

Simple collect https://kb.cert.org/vince/comm/api/case/636397/csaf/ using the API key you have for VINCE comm.