
The provider set up via the scripts in docs/scripts contains only-access-protected-available TLP:WHITE advisories

Open JanHoefelmeyer opened this issue 1 year ago • 3 comments

To reproduce:

On a fresh Ubuntu 20.04 instance (or comparable), execute the scripts in order as indicated in docs/scripts/Readme.md.

To check: Execute the checker with access to the ROLIE feeds with TLP:GREEN or higher:

./bin-linux-amd64/csaf_checker -f html -o ../checker-results.html --insecure --client-cert ~/devca1/testclient1.crt --client-key ~/devca1/testclient1-key.pem --verbose --insecure localhost

Result: Provider fails:

{
  "num": 4,
  "description": "TLP:WHITE",
  "messages": [
    {
      "type": 2,
      "text": "TLP:WHITE advisories with ids (https://www.redhat.com, RHSA-2019:1862), (https://www.redhat.com, RHSA-2021:5186), (https://www.redhat.com, RHSA-2022:0011) are only available access-protected."
    }
  ]
}

Alternatively, you can manually check the advisories' existence:

For example: rhsa-2022_0011.json exists in /var/www/html/.well-known/csaf/green/2022 (access-protected), but not in any non-access-protected directories. (The same holds true for rhsa-2019_1862.json and rhsa-2021_5186.json)

JanHoefelmeyer, Sep 19 '23 10:09

The Problem:

Requirement 4 (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#714-requirement-4-tlpwhite) states that:

If the CSAF document is labeled TLP:WHITE, it MUST be freely accessible.

This means every TLP:WHITE Advisory currently only available access-protected needs another copy in a non-access-protected directory, e.g. the white directory.

This would be acceptable, according to the Standard (again, requirement 4):

This does not exclude that such a document is also available in an access protected customer portal. However, there MUST be one copy of the document available for people without access to the portal.

JanHoefelmeyer, Sep 20 '23 13:09

So the problem in the provider is probably caused by uploadToProvider.sh which just rotates the upload traffic light status levels.

bernhardreiter, Sep 20 '23 13:09

Removing "defect" and "investigation" tags, because the situation is understood and it is in a testing script, which does not make it a defect per default.

The solution I propose is to check in the script somehow if a csaf document has the tlp white attribute and then upload to white additionally. We could also see if we add the VEX examples to the uploading script to have more documents.

bernhardreiter, Sep 25 '23 06:09
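The logic proposed in the last comment, as an added example that is not part of the issue thread or of the csaf_distribution project: the testing script rotates the upload TLP level for each document, so a document labeled TLP:WHITE can end up only under an access-protected directory. The sketch below (Python rather than the project's shell script, for a runnable illustration) reads the TLP label from `document.distribution.tlp.label`, keeps the rotation, and adds an upload to `white` whenever the document itself is TLP:WHITE. It then re-runs the requirement-4 check the checker reported, over a constructed set of sample documents. The rotation order `ROTATION` and the set of public directories `PUBLIC_DIRS` are assumptions; `make_doc`, `upload_targets`, `plan_uploads` and `white_only_protected` are hypothetical names.

```python
import itertools
import json
from typing import Dict, Iterable, List, Optional, Set

# Assumption: order in which the testing script rotates the upload TLP level.
ROTATION = ("white", "green", "amber", "red")
# Assumption: directories served without client-certificate protection.
PUBLIC_DIRS = {"white"}


def make_doc(advisory_id: str, label: str) -> dict:
    """Build a constructed, minimal CSAF 2.0 document with a TLP label."""
    return {
        "document": {
            "tracking": {"id": advisory_id},
            "distribution": {"tlp": {"label": label}},
        }
    }


# Constructed sample: three TLP:WHITE advisories (ids taken from the issue)
# and one TLP:GREEN advisory.
SAMPLE_DOCS: List[dict] = [
    make_doc("RHSA-2019:1862", "WHITE"),
    make_doc("RHSA-2021:5186", "WHITE"),
    make_doc("RHSA-2022:0011", "WHITE"),
    make_doc("EXAMPLE-2023:0001", "GREEN"),
]


def load_doc(text: str) -> dict:
    """Parse a CSAF document from its JSON text (as the script would read a file)."""
    return json.loads(text)


def tlp_label(doc: dict) -> Optional[str]:
    """Return document.distribution.tlp.label, or None if the document has no TLP label."""
    return (
        doc.get("document", {})
        .get("distribution", {})
        .get("tlp", {})
        .get("label")
    )


def advisory_id(doc: dict) -> str:
    return doc["document"]["tracking"]["id"]


def upload_targets(doc: dict, rotated_dir: str, fix_white: bool) -> Set[str]:
    """Directories a document is uploaded to.

    The rotated level is always kept (test coverage of every TLP directory);
    with fix_white=True a TLP:WHITE document additionally goes to 'white',
    which is what requirement 4 needs.
    """
    targets = {rotated_dir}
    if fix_white and tlp_label(doc) == "WHITE":
        targets.add("white")
    return targets


def plan_uploads(docs: Iterable[dict], fix_white: bool) -> Dict[str, Set[str]]:
    """Map advisory id -> target directories, rotating levels like the script."""
    plan: Dict[str, Set[str]] = {}
    for doc, rotated in zip(docs, itertools.cycle(ROTATION)):
        plan[advisory_id(doc)] = upload_targets(doc, rotated, fix_white)
    return plan


def white_only_protected(docs: Iterable[dict], plan: Dict[str, Set[str]]) -> List[str]:
    """Requirement-4 check as the checker reports it: ids of TLP:WHITE
    advisories that have no copy in any public directory."""
    failing = []
    for doc in docs:
        if tlp_label(doc) == "WHITE" and not (plan[advisory_id(doc)] & PUBLIC_DIRS):
            failing.append(advisory_id(doc))
    return failing


if __name__ == "__main__":
    for fix in (False, True):
        plan = plan_uploads(SAMPLE_DOCS, fix_white=fix)
        print("fix_white =", fix, "->", plan)
        print("  only access-protected:", white_only_protected(SAMPLE_DOCS, plan))
```

With `fix_white=False` the second and third sample documents are TLP:WHITE but land only in `green` and `amber`, so the check flags them exactly as the checker output above does; with `fix_white=True` every TLP:WHITE document also receives a copy under `white` and the check passes.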