
[Exclude from changes list] Changes from previous version collector #838

Status: Open

sthagen opened this issue Dec 1, 2024 · 1 comment

Labels: csaf 2.1 (csaf 2.1 work), editorial (mostly nits and consistency)

Comments

sthagen (Contributor) commented Dec 1, 2024

As of 2024-12-01T09:00:00+00:00 the following closed and open issues carry the label "csaf 2.1". They are separated per state and sorted by title. The goal is to keep the lists aligned with processing state and to use them as a source for a human-edited list or table documenting the changes to CSAF v2.1 from CSAF v2.0 (content for section 1.1).

The basic proposal is to aggregate and order by impact / hardness, like:

  1. Changes to the schema files ordered by main csaf and then alphabetically others
  2. Changes to tests ordered by mandatory, optional, and informative (also in prose)
  3. Changes to normative prose "refining the JSON schema" and deprecations
  4. Clarifications of normative and informative prose
    (eventually with the detailed changes in that category delegated to the appendix
    revision history)
  5. Nits and fixes summary mention
    (eventually not even listing these in detail in the appendix revision history)

Cf. the proposal block in this issue.

Closed:

  1. 3.1.11.2 Version Type - Semantic versioning
  2. Add "Preconditions" item
  3. Add $schema to testcases_json_schema.json
  4. Add a new category "Platform" to the Product Branch
  5. Add a schema identifier to CSAF v2.1 and later data files
  6. Add comment on timezones for sorting timestamps
  7. Add conformance target "CSAF Downloader"
  8. Add conformance target "CSAF library"
  9. Add optional test: /document/tracking/id not in /document/title
  10. Add optional test: Suggest usage of latest version in CWE
  11. Add optional test: Warn if vulnerability mapping is not in state allowed
  12. Add optional test: Warn on usage of deprecated CWE
  13. Add reference to RFC8322
  14. Add remediation category "fix_planned"
  15. Add test for unwanted remediation combinations
  16. Add test: same timestamps in revision history
  17. Appendix C: Raise file size softlimit
  18. Clarify 6.1.14: same timestamps
  19. Clarify 6.1.16: same timestamps
  20. Clarify CPE version
  21. Clarify directly in section 7
  22. Clarify Markdown
  23. Clarify relation of search and filter
  24. Clarify Security consideration
  25. Clarify the maximum redirects
  26. Correct broken link in "Examples 32" under section 3.2.1.5.2
  27. Correct enforcing fingerprint
  28. Correct Example 129
  29. Correct namespace in example 17
  30. Feature request: Add source (reference) to CVSS
  31. handling the lack of CVSS string (CSAF specifications 6.1.8)
  32. Handling vulnerabilities with multiple CWEs
  33. Incorrect date in VEX-Justification reference entry
  34. Make TLP mandatory
  35. New value: "patch_for_not_affected" or similar in "remediation"
  36. Remove erroneous word "is" from 3.1.3.3.7 text
  37. Set TLP:CLEAR as default
  38. Specify recursion depth for branches
  39. Typographical error in section 3.1.11.1
  40. Update CSAF to use TLP 2.0
  41. v2.0 OS failed CPSR-coding in section 9.1.13 Conformance Clause 13: CSAF asset matching system bug
  42. Warning/Error for signature expirations
  43. Write purl instead of PURL

Open:

  1. Add conformance target "CSAF-2.0-CSAF-2.1 converter"
  2. Add mandatory test: CPE vs. product_version_range
  3. Add new profile: "Withdrawn"
  4. Add new profile: Superseded
  5. Add Sharing Groups
  6. Add test data for 6.1.7: duplicate items
  7. Add test: Consistent PIH
  8. Add version to CWE
  9. Allow detecting a ROLIE update efficiently
  10. Check code blocks for correct syntax
  11. Clarification on why test case 6-1-31-12 in CSAF2.0 is supposed to be valid
  12. Clarify csaf.data.security.domain.ltd in Requirement 10: DNS path
  13. Clarify Inclusion of Open Source
  14. Clarify quotes in changes.csv
  15. Clarify requirement 19: ASCII vs. Binary signature
  16. Clarify terminology of initial release of document version in 3.1.11.1 Version Type - Integer versioning
  17. Clarify the inclusion of open-source projects for the value vendor in 3.2.1.8.1 Document Property - Publisher - Category
  18. Clearly differentiate fixed vs known_not_affected
  19. Clearly state hardware/software separation in product_tree
  20. CPE pattern
  21. Enforce format validation
  22. Enforce use of affected in csaf_security_advisory
  23. Ensure VEX minimum requirements with CSAF
  24. Include support for SSVC
  25. Offer multiple documents of one advisory
  26. Provide an expected failure "code" or "message" in testcases.json
  27. Sharing groups
  28. Support CVSS 4.0 in CSAF 2.x
  29. Support for Multiple Notes, Products, and IDs
  30. Support multiple purl identifiers in product_identification_helper
sthagen added the labels editorial (mostly nits and consistency) and csaf 2.1 (csaf 2.1 work) on Dec 1, 2024
sthagen self-assigned this on Dec 1, 2024
sthagen (Contributor, Author) commented Dec 1, 2024

Proposal Sketch

Changes from Earlier Versions

Changes from CSAF Version 2.0

Changes from the Version 2.0 Schema Files

...ordered by main CSAF JSON schema and then alphabetically others

Changes from the Version 2.0 Tests

...ordered by mandatory, optional, and informative (also in prose)

Changes from the Version 2.0 Normative Parts

Changes to prose "refining the JSON schema" and deprecations
Clarifications of normative prose
(eventually with the detailed changes in that category delegated to the appendix
revision history)

Changes from the Version 2.0 Informative Parts

Clarifications of informative prose
(eventually with the detailed changes in that category delegated to the appendix
revision history)

Minor Editorial Fixes of the Version 2.0 Artifacts

Nits and fixes summary mention
(eventually not even listing these in detail in the appendix revision history)
