tschmidtb51
We need to improve the error message for requirement 18, if only one hash is found: Currently, it reports the other one as missing and labels that as an error....
Currently, we use the standard go-http-lib user agent. However, to be able to better track the usage of the tool, we should use our own user-agent string, e.g., `" "`.
Currently, the `csaf_checker` accepts HTTP header redirects when checking for [requirement 9](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#719-requirement-9-well-known-url-for-provider-metadatajson) (and maybe [10](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#7110-requirement-10-dns-path) - but I didn't check that). However, the standard explicitly states in both requirements >...
Currently, we request also SHA256 even if a SHA512 was present in the ROLIE feed. We need to find a way to improve that.
We could add to the more verbose report additional details about the OpenPGP key: e.g. - which key length - valid from, valid until - uid - fpr - options...
The `csaf_checker` should evaluate the `role` from the `provider-metadata.json` to determine the overall result of the check. @bernhardreiter: Please check whether that is in scope, otherwise label enhancement.
The category values should be added to the corresponding entries of the ROLIE feed.
Currently, we don't list the `service.json` and ROLIE categories in the `provider-metadata.json`. We should add those to the `distribution` if present.
Currently, we don't list CSAF providers with empty feeds in our `csaf_aggregator`. However, that might be helpful to advertise their existence. We need to consider whether that should be implemented...
Currently ("version": "2.1.1-100-g540d02d"), the `csaf_checker` validates CSAF (trusted) providers even if the `distributions` array is missing in the PMD. However, in that case the requirements 11-14 and 15-17 can't...