
Attempts with alternative CSAF downloaders that support incremental updates

Open Rafiot opened this issue 3 months ago • 0 comments

This issue is just a bunch of notes

Many CSAF servers are flaky and it makes using the official downloader somewhat tricky as it doesn't support resuming the download of a partial repository.

Below are alternative downloaders, and a few notes about them

CSAF Walker

  • Requires Rust 1.87+ (which is not available in Ubuntu 25.04)
  • Didn't manage to install the packages by building them, but works fine with binstall
  • Source: https://github.com/scm-rs/csaf-walker/tree/main

Successful fetch

  • CISA
  • nozominetworks
  • OX
  • sick
  • siemens
  • redhat
    • csaf download --ignore-prefix cve -r 2 -w 5 -v -d csaf_redhat https://access.redhat.com/security/data/csaf/v2/provider-metadata.json

Failed sync

  • Certbund
    • Failed to retrieve: Request error: HTTP status client error (404 Not Found) for url (https://wid.cert-bund.de/.well-known/csaf/green/bsi-wid-green.json)
  • Microsoft
    • Failed to retrieve: Request error: HTTP status client error (400 Bad Request) for url (https://msrc.microsoft.com/csaf/changes.csv)
  • Cisco
    • Failed to execute: Visitor error: Key source error: Key error: Fingerprint mismatch - expected: 081e38f3eb110265a214514124b3ec61e4205802, actual: 081E38F3EB110265A214514124B3EC61E4205802
  • NCSCnl
    • Failed to retrieve: Request error: error sending request for url (https://www.ncsc.nl/pgp.txt)
  • (Open)suse
    • Failed to execute: Visitor error: Invalid signature: Invalid key: "Subkey of 6B62473BD771517D41E684DFD4439E7EC133994D not bound: No binding signature at time 2024-12-05T12:32:34Z"
    • Works with the download switch (no validation):
    • OpenSuse: csaf download --ignore-prefix suse --ignore-prefix cve -r 2 -w 5 -v -d csaf_opensuse https://www.suse.com/.well-known/csaf/provider-metadata.json
    • Suse: csaf download --ignore-prefix opensuse --ignore-prefix cve -r 2 -w 5 -v -d csaf_suse https://www.suse.com/.well-known/csaf/provider-metadata.json
  • trustsource
    • Failed to retrieve: Request error: HTTP status client error (404 Not Found) for url (https://trustsource.csaf.trustsource.io/.well-known/csaf/changes.csv)

Rafiot, Sep 01 '25 11:09
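Two of the stumbling blocks in the notes above are a resume-less sync and a fingerprint check that fails on letter case alone. The following is an added example, not code from the issue, from csaf-walker or from any other downloader listed: it plans an incremental fetch from a changes.csv (assuming the two-column layout, relative path then last-change timestamp, newest first, no header) and compares OpenPGP fingerprints case-insensitively. All sample data is constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed changes.csv as a CSAF distribution publishes it: "<path>","<last change>".
CURRENT_CHANGES_CSV = """\
"2025/acme-sa-2025-0007.json","2025-08-30T09:15:00Z"
"2025/acme-sa-2025-0003.json","2025-08-28T16:40:00Z"
"2024/acme-sa-2024-0042.json","2024-12-05T12:32:34Z"
"""

# Constructed snapshot from an earlier (interrupted) run: 0007 never arrived,
# and 0003 has since been republished with a newer timestamp.
PREVIOUS_CHANGES_CSV = """\
"2025/acme-sa-2025-0003.json","2025-08-20T08:00:00Z"
"2024/acme-sa-2024-0042.json","2024-12-05T12:32:34Z"
"""


def parse_changes(text):
    """Yield (path, timestamp) pairs; timestamps become timezone-aware datetimes."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue  # skip blank or malformed lines instead of aborting the sync
        path, stamp = row[0].strip(), row[1].strip().replace("Z", "+00:00")
        yield path, datetime.fromisoformat(stamp).astimezone(timezone.utc)


def plan_incremental_fetch(changes_text, local_index):
    """Return paths to (re)download: anything absent from local_index
    (path -> timestamp stored last time) or newer than the stored copy.
    A partial earlier run just leaves more entries missing, so the next
    run resumes where it stopped instead of refetching the whole repository."""
    todo = []
    for path, changed_at in parse_changes(changes_text):
        seen = local_index.get(path)
        if seen is None or changed_at > seen:
            todo.append(path)
    return todo


def fingerprints_match(expected, actual):
    """Compare OpenPGP fingerprints as hex digits, ignoring case and spacing.
    The Cisco mismatch reported above differs only in letter case."""
    def norm(fp):
        return "".join(fp.split()).upper()
    return norm(expected) == norm(actual)
```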