
Evaluate `role` to determine overall result

Open tschmidtb51 opened this issue 3 years ago • 5 comments

The csaf_checker should evaluate the role from the provider-metadata.json to determine the overall result of the check.

@bernhardreiter: Please check whether that is in scope, otherwise label enhancement.

tschmidtb51 avatar Jul 14 '22 10:07 tschmidtb51

@tschmidtb51 How is this related to issue #42?

s-l-teichmann avatar Jul 18 '22 20:07 s-l-teichmann

Basically, #42 (fixed in #238) provides the information on what role a CSAF provider claims to fulfill. This issue is related to #220:

When checking the requirements, some of them are optional for a CSAF provider. For example, a CSAF provider has to satisfy at least one of the requirements 8 to 10: It can satisfy more than one, but it has to satisfy only one.

It becomes clearer when you look at requirement 18: A CSAF provider can fulfill that requirement but is not required to; a CSAF trusted provider must. If a CSAF provider (claiming to be a csaf_provider) doesn't fulfill requirement 18, this should not result in a failure as the overall result...

Does that answer your question?

tschmidtb51 avatar Jul 19 '22 10:07 tschmidtb51
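
The role-dependent evaluation described in the comment above, as an added Go sketch that is not part of the thread and not csaf_checker code. The names `group`, `rules` and `Overall` are hypothetical, and the requirement-to-role mapping is an assumption taken from CSAF 2.0 section 7.2.

```go
package main

import "fmt"

// group is met when every requirement of at least one alternative passed.
type group [][]int

// Assumed mapping, as read from CSAF 2.0 section 7.2 (verify it there):
// 11-14 apply to directory-based, 15-17 to ROLIE-based distribution.
var (
	publisher = []group{{{1, 2, 3, 4}}}
	provider  = append(publisher[:1:1], group{{5, 6, 7}}, group{{8}, {9}, {10}}, group{{11, 12, 13, 14}, {15, 16, 17}})
	trusted   = append(provider[:4:4], group{{18, 19, 20}})
	rules     = map[string][]group{"csaf_publisher": publisher, "csaf_provider": provider, "csaf_trusted_provider": trusted}
)

func (g group) met(passed map[int]bool) bool {
	for _, alt := range g {
		ok := true
		for _, n := range alt {
			ok = ok && passed[n] // a requirement absent from the map counts as failed
		}
		if ok {
			return true
		}
	}
	return false
}

// Overall judges only the groups the claimed role needs and returns the unmet ones.
func Overall(role string, passed map[int]bool) (bool, []group, error) {
	groups, known := rules[role]
	if !known { // fail closed: an unrecognized role never yields a pass
		return false, nil, fmt.Errorf("unknown role %q", role)
	}
	var unmet []group
	for _, g := range groups {
		if !g.met(passed) {
			unmet = append(unmet, g)
		}
	}
	return len(unmet) == 0, unmet, nil
}

func main() {
	passed := map[int]bool{} // constructed results: 8, 10 and 15-20 not met
	for _, n := range []int{1, 2, 3, 4, 5, 6, 7, 9, 11, 12, 13, 14} {
		passed[n] = true
	}
	fmt.Println(Overall("csaf_provider", passed))         // overall pass without 18
	fmt.Println(Overall("csaf_trusted_provider", passed)) // fails on 18 to 20
}
```
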

@tschmidtb51 That helps. Thanks!

s-l-teichmann avatar Jul 19 '22 10:07 s-l-teichmann

I did check the contract documents and the current CSAF specs briefly. From my point of view, it is out of scope for 1.0, because it is a larger change and it is not directly written down as a requirement. And the situation changed when, after feedback between cs01 and cs02, the algorithm and the recommendation on how to find a valid provider-metadata.json were clarified.

We believe it is useful to make the check more dynamic depending on the role that is given in the PMD. But it seems unwise to do it close to the 1.0.0 release or in scope for what was a proof of concept originally.

One improvement we aim for (outside of this issue) is to warn instead of pointing it out as an error if we find a valid PMD.

bernhardreiter avatar Jul 21 '22 10:07 bernhardreiter

Added a hint in the documentation: 6a605fdbcc6b2f14220327d699ffbf77febd4e51. And we shall address #220.

bernhardreiter avatar Jul 21 '22 14:07 bernhardreiter