csaf_distribution
csaf_distribution copied to clipboard
csaf-poc
Tools to download or provide CSAF (Common Security Advisory Framework) documents.
To allow browser based application to access the public files, the HTTP header `Access-Control-Allow Origin: *` must be set. * document this requirement in the provider docs * add the...
Using csaf_distribution-v2.1.0-gnulinux-amd64: when downloading from redhat.com the signatures do not verify. ```bash curl -L -O https://github.com/csaf-poc/csaf_distribution/releases/download/v2.1.0-gnulinux-amd64.tar.gz tar -xvmlzf csaf_distribution-v2.1.0-gnulinux-amd64.tar.gz ./csaf_distribution-v2.1.0-gnulinux-amd64/bin-linux-amd64/csaf_downloader --verbose --rate=10 redhat.com ``` ``` [..] 2023/04/26 09:49:05 [GET]: https://access.redhat.com/security/data/csaf/v2/advisories/2001/rhsa-2001_058.json...
To reproduce: On a fresh Ubuntu 20.04 instance (or comparable), execute the scripts in order as indicated in docs/scripts/Readme.md. To check: Execute the checker with access to the ROLIE feeds...
Both Flags ( -n , --nostore ) are not working. Help-Menu or Implementation is currently wrong. Examples: ``` csaf_downloader.exe -n www.siemens.com unknown flag `n' 2023/09/08 13:40:33 error: unknown flag `n'...
As mentioned in https://github.com/csaf-poc/csaf_distribution/pull/441#issuecomment-1691600300, a singular file can be linked to in different valid ways. Currently, the checker will treat a file found within the same place as two different...
Currently (`v2.2.1-95-ga65fead`) the following output is produced when requesting a CSAF provider with only one empty feed: ``` Requirement 15: ROLIE feed (failed) - WARN: No entries in https://example.test/.well-known/csaf/white/csaf-feed-tlp-white.json -...
Today, I run into a situation, while I tried to validate a new CSAF trusted provider: The `csaf_checker` reported: ``` "Loading ROLIE feed failed: https://support.citrix.com/.well-known/csaf/public/feed-tlp-white.json: json: cannot unmarshal object into...
Some CSAF trusted providers limit the retrieval from their side (e.g. due to CDN or resource constraints). We should add a remark about that.
We should separate the different cases in the report message: 1. We didn't had credentials and there was no access protected feed listed. (=> unlikely that a TLP:WHITE was hidden)...
Currently, it is hard to debug the `csaf_provider` as it needs to be called (or at least it needs to think that it is called) through nginx. To aid in...