
Add test: Consistent PIH #812

Open
tschmidtb51 opened this issue Oct 25, 2024 · 2 comments
Assignees
Labels
csaf 2.1 csaf 2.1 work motion_passed A motion has passed

Comments

@tschmidtb51
Contributor

We have seen CSAF documents that have product_identification_helper entries that do not match the product described in branches, e.g. the version number is missing in a CPE or purl. We should add a mandatory (?) test to check for the low-hanging fruits.

@santosomar
Contributor

santosomar commented Nov 27, 2024

During the CSAF TC Monthly meeting on 2024-11-27, Feng provided an update on the CVE efforts around CPE assignments and the reference to: https://csrc.nist.gov/schema/nvd/feed/1.1/nvd_cve_feed_json_1.1.schema

@santosomar
Contributor

Thomas Schmidt moves to adopt the implementation of a mandatory test within the CSAF validation process to identify and flag discrepancies between the product_identification_helper and the product details specified in the branches section of CSAF documents. This test will focus on low-hanging issues, such as missing version numbers in Common Platform Enumeration (CPE) identifiers or Package URLs (purls). The motion was seconded by Sonny. The motion passed.
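One way to implement the check the motion describes, as an added example that is not part of this issue and not the CSAF project's own test or validator code. It assumes the CSAF product_tree layout (nested branches with a category and name, terminal branches carrying a product), CPE 2.2 URI or CPE 2.3 formatted-string syntax, and purl syntax (pkg:type/name@version). It walks the tree, remembers the nearest enclosing product_version branch, and flags a CPE or purl whose version is missing (empty, `*` or `-` in the CPE, no `@version` in the purl) or differs from that branch name. Products below a product_version_range branch are deliberately skipped, since a wildcard version is legitimate there; the product tree embedded at the bottom is a constructed sample, not a real advisory.

```python
"""Consistency check between product_identification_helper (PIH) and the
enclosing product_version branch of a CSAF product_tree.
Constructed example for this issue, not the CSAF project's own code."""
from typing import Iterator, List, Optional, Tuple
from urllib.parse import unquote

CPE23_VERSION_INDEX = 5   # cpe:2.3:part:vendor:product:version:...
CPE22_VERSION_INDEX = 4   # cpe:/part:vendor:product:version  -> 'cpe', '/part', ...
CPE_MISSING = ("", "*", "-")  # ANY / NA / empty count as "no version" (assumption)


def split_cpe(cpe: str) -> List[str]:
    """Split on unescaped colons; a literal ':' inside a field is written '\\:'."""
    fields: List[str] = []
    cur, i = "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):  # keep the escape sequence intact
            cur += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields


def cpe_version(cpe: str) -> Optional[str]:
    """Version field of a CPE 2.2 or 2.3 string, or None when absent or a wildcard."""
    if cpe.startswith("cpe:2.3:"):
        idx = CPE23_VERSION_INDEX
    elif cpe.startswith("cpe:/"):
        idx = CPE22_VERSION_INDEX
    else:
        return None  # not a CPE form handled here; the schema pattern check catches it
    fields = split_cpe(cpe)
    if idx >= len(fields) or fields[idx] in CPE_MISSING:
        return None
    return fields[idx]


def purl_version(purl: str) -> Optional[str]:
    """The '@version' of a purl after stripping qualifiers ('?...') and subpath ('#...')."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in body:  # '@' inside name/namespace must be percent-encoded, so rsplit is safe
        return None
    return unquote(body.rsplit("@", 1)[1]) or None


Ctx = Optional[Tuple[str, str]]  # ("exact", name) | ("range", name) | None


def iter_products(branches: list, ctx: Ctx = None) -> Iterator[Tuple[dict, Ctx]]:
    """Yield (product, version context) for every terminal product in the tree."""
    for branch in branches:
        here = ctx  # a sibling must not inherit this branch's context
        cat = branch.get("category")
        if cat == "product_version":
            here = ("exact", branch.get("name", ""))
        elif cat == "product_version_range":
            here = ("range", branch.get("name", ""))
        if "product" in branch:
            yield branch["product"], here
        yield from iter_products(branch.get("branches", []), here)


def check_pih(product_tree: dict) -> List[str]:
    """One finding per CPE/purl whose version is missing or differs from the
    enclosing product_version branch; ranges and version-less products are skipped."""
    findings: List[str] = []
    for product, ctx in iter_products(product_tree.get("branches", [])):
        pih = product.get("product_identification_helper")
        if not pih or ctx is None or ctx[0] != "exact":
            continue
        expected = ctx[1]
        pid = product.get("product_id", "<no product_id>")
        for kind, extract in (("cpe", cpe_version), ("purl", purl_version)):
            value = pih.get(kind)
            if value is None:
                continue
            found = extract(value)
            if found is None:
                findings.append(f"{pid}: {kind} {value!r} carries no version; branch says {expected!r}")
            elif found.lower() != expected.lower():  # CPE compares case-insensitively
                findings.append(f"{pid}: {kind} version {found!r} != branch version {expected!r}")
    return findings


SAMPLE_PRODUCT_TREE = {  # constructed sample, not a real advisory
    "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
        {"category": "product_name", "name": "Example App", "branches": [
            {"category": "product_version", "name": "1.2.3",
             "product": {"name": "Example App 1.2.3", "product_id": "CSAFPID-0001",
                         "product_identification_helper": {
                             "cpe": "cpe:2.3:a:example_vendor:example_app:1.2.3:*:*:*:*:*:*:*",
                             "purl": "pkg:pypi/example-app@1.2.3"}}},
            {"category": "product_version", "name": "1.2.4",
             "product": {"name": "Example App 1.2.4", "product_id": "CSAFPID-0002",
                         "product_identification_helper": {
                             "cpe": "cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:*:*:*",  # version '*'
                             "purl": "pkg:pypi/example-app@1.2.3"}}},  # copied from 1.2.3, never updated
            {"category": "product_version_range", "name": "vers:pypi/<1.2.3",
             "product": {"name": "Example App < 1.2.3", "product_id": "CSAFPID-0003",
                         "product_identification_helper": {"cpe": "cpe:/a:example_vendor:example_app"}}},
        ]}]}]}

if __name__ == "__main__":
    for finding in check_pih(SAMPLE_PRODUCT_TREE):
        print(finding)
```

Run against the sample this reports the two defects in CSAFPID-0002 (a wildcard version in the CPE and a purl still pointing at 1.2.3) and stays silent for the range product, whose version-less CPE is acceptable. Products listed in full_product_names at the top of product_tree have no branch context and are not covered by this check.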
