VINCE icon indicating copy to clipboard operation
VINCE copied to clipboard
verified publisher icon CERTCC

CSAF Compatability

Open iainDe opened this issue 3 years ago • 3 comments

Please expand the Common Security Advisory Framework (CSAF) format when generating notes and sharing the notes through the API

iainDe avatar May 09 '22 16:05 iainDe

Hello @iainDe

Have you seen this case - https://github.com/CERTCC/VINCE/pull/19 ?

Limited CSAF output via API is available, we are working with CSAF oasis group members @tschmidtb51 @santosomar to take this forward. The CSAF format is only available for the authenticated end points today with limited information as described in the ticket. You can use our demo site using your API Key to view it https://democert.org/vince/ and see how to get to it.

For e.g., The URL https://kb.cert.org/vince/comm/api/case/636397/csaf/ (using your API Key) will provide CSAF document for VU#636397 for example.

Currently we have some limitations as

  1. We don't collect product names and version in a compatible format from each vendor, so we can only use the Vendor Product and Version fields as specified by the researcher/reporter at the time of submitting a case.
  2. We have an update pending moving from generic_csaf will be renamed into csaf_base, still waiting on some review and some more small changes to match recent schema updates

sei-vsarvepalli avatar May 09 '22 16:05 sei-vsarvepalli

#55 is a related recommendation and feedback we received from Oasis CSAF working group.

sei-vsarvepalli avatar Oct 12 '22 18:10 sei-vsarvepalli

Related issues #96 and #97 - more improvements needs to support CSAF properly.

sei-vsarvepalli avatar May 16 '23 15:05 sei-vsarvepalli