Editor revision for TC meeting 2024-08-28

csaf_2.1/examples/aggregator/example-01-aggregator.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/aggregator_json_schema.json",
   "aggregator": {
     "category": "lister",
     "contact_details": "Example CSAF Lister can be reached at [email protected], or via our website at https://lister.example/security/csaf/aggregator/contact.",
@@ -33,4 +34,4 @@
     }
   ],
   "last_updated": "2024-01-24T22:35:38.978Z"
-}
+}

csaf_2.1/examples/aggregator/example-02-aggregator.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/aggregator_json_schema.json",
   "aggregator": {
     "category": "aggregator",
     "contact_details": "Example Aggregator can be reached at [email protected], or via our website at https://aggregator.example/security/csaf/aggregator/contact.",
@@ -39,4 +40,4 @@
     }
   ],
   "last_updated": "2024-01-24T22:35:38.978Z"
-}
+}

csaf_2.1/examples/aggregator/example-03-aggregator.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/aggregator_json_schema.json",
   "aggregator": {
     "category": "aggregator",
     "contact_details": "Example Aggregator can be reached at [email protected], or via our website at https://aggregator.example/security/csaf/aggregator/contact.",
@@ -56,4 +57,4 @@
     }
   ],
   "last_updated": "2024-01-24T22:35:38.978Z"
-}
+}

csaf_2.1/examples/provider-metadata/example-01-provider-metadata.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/provider_json_schema.json",
   "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
   "distributions": [
     {
@@ -29,4 +30,4 @@
     "namespace": "https://psirt.example.com"
   },
   "role": "csaf_trusted_provider"
-}
+}

csaf_2.1/json_schema/aggregator_json_schema.json

@@ -59,13 +59,23 @@
     }
   },
   "required": [
+    "$schema",
     "aggregator",
     "aggregator_version",
     "canonical_url",
     "csaf_providers",
     "last_updated"
   ],
   "properties": {
+    "$schema": {
+      "title": "JSON schema",
+      "description": "Contains the URL of the Aggregator JSON schema which the document promises to be valid for.",
+      "type": "string",
+      "enum": [
+        "https://docs.oasis-open.org/csaf/csaf/v2.1/aggregator_json_schema.json"
+      ],
+      "format": "uri"
+    },
     "aggregator": {
       "title": "Aggregator",
       "description": "Provides information about the aggregator.",

csaf_2.1/json_schema/provider_json_schema.json

@@ -27,6 +27,7 @@
     }
   },
   "required": [
+    "$schema",
     "canonical_url",
     "last_updated",
     "list_on_CSAF_aggregators",
@@ -36,6 +37,15 @@
     "role"
   ],
   "properties": {
+    "$schema": {
+      "title": "JSON schema",
+      "description": "Contains the URL of the provider-metadata.json JSON schema which the document promises to be valid for.",
+      "type": "string",
+      "enum": [
+        "https://docs.oasis-open.org/csaf/csaf/v2.1/provider_json_schema.json"
+      ],
+      "format": "uri"
+    },
     "canonical_url": {
       "title": "Canonical URL",
       "description": "Contains the URL for this document.",
@@ -53,10 +63,26 @@
         "type": "object",
         "minProperties": 1,
         "properties": {
-          "directory_url": {
-            "title": "Directory URL",
-            "description": "Contains the base url for the directory distribution.",
-            "$ref": "#/$defs/url_t"
+          "directory": {
+            "title": "Directory",
+            "description": "Contains all information for directory-based distribution.",
+            "type": "object",
+            "required": [
+              "tlp_label",
+              "url"
+            ],
+            "properties": {
+              "tlp_label": {
+                "title": "TLP label",
+                "description": "Provides the TLP label for the directory.",
+                "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json#/properties/document/properties/distribution/properties/tlp/properties/label"
+              },
+              "url": {
+                "title": "Directory URL",
+                "description": "Contains the base url for the directory-based distribution.",
+                "$ref": "#/$defs/url_t"
+              }
+            }
           },
           "rolie": {
             "title": "ROLIE",
@@ -104,15 +130,7 @@
                     "tlp_label": {
                       "title": "TLP label",
                       "description": "Provides the TLP label for the feed.",
-                      "type": "string",
-                      "enum": [
-                        "UNLABELED",
-                        "CLEAR",
-                        "GREEN",
-                        "AMBER",
-                        "AMBER+STRICT",
-                        "RED"
-                      ]
+                      "$ref": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json#/properties/document/properties/distribution/properties/tlp/properties/label"
                     },
                     "url": {
                       "title": "URL of the feed",

csaf_2.1/prose/edit/etc/example-global-to-local.json

@@ -114,36 +114,41 @@
   "112": "cvss-for-fixed-products-eg-1",
   "113": "additional-properties-eg-1",
   "114": "same-timestamps-in-revision-history-eg-1",
-  "115": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
-  "116": "use-of-cvss-v3-0-eg-1",
-  "117": "missing-cve-eg-1",
-  "118": "missing-cwe-eg-1",
-  "119": "use-of-short-hash-eg-1",
-  "120": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
-  "121": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
-  "122": "spell-check-eg-1",
-  "123": "branch-categories-eg-1",
-  "124": "usage-of-product-version-range-eg-1",
-  "126": "usage-of-v-as-version-indicator-eg-1",
-  "127": "missing-cvss-v4-0-eg-1",
-  "128": "requirement-7-provider-metadata-json-eg-1",
-  "129": "requirement-8-security-txt-eg-1",
-  "130": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
-  "131": "requirement-11-one-folder-per-year-eg-1",
-  "132": "requirement-12-index-txt-eg-1",
-  "133": "requirement-13-changes-csv-eg-1",
-  "134": "requirement-15-rolie-feed-eg-1",
-  "135": "requirement-16-rolie-service-document-eg-1",
-  "136": "requirement-17-rolie-category-document-eg-1",
-  "137": "requirement-17-rolie-category-document-eg-2",
-  "138": "requirement-17-rolie-category-document-eg-3",
-  "139": "requirement-18-integrity-eg-1",
-  "140": "requirement-18-integrity-eg-2",
-  "141": "requirement-19-signatures-eg-1",
-  "142": "requirement-21-list-of-csaf-providers-eg-1",
-  "143": "requirement-23-mirror-eg-1",
-  "144": "conformance-clause-5-cvrf-csaf-converter-eg-1",
-  "145": "conformance-clause-5-cvrf-csaf-converter-eg-2",
-  "146": "conformance-clause-5-cvrf-csaf-converter-eg-3",
-  "147": "conformance-clause-5-cvrf-csaf-converter-eg-4"
+  "115": "document-tracking-id-in-title-eg-1",
+  "116": "usage-of-deprecated-cwe-eg-1",
+  "117": "usage-of-non-latest-cwe-version-eg-1",
+  "118": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
+  "119": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
+  "120": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
+  "121": "use-of-cvss-v3-0-eg-1",
+  "122": "missing-cve-eg-1",
+  "123": "missing-cwe-eg-1",
+  "124": "use-of-short-hash-eg-1",
+  "125": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
+  "126": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
+  "127": "spell-check-eg-1",
+  "128": "branch-categories-eg-1",
+  "129": "usage-of-product-version-range-eg-1",
+  "130": "usage-of-v-as-version-indicator-eg-1",
+  "131": "missing-cvss-v4-0-eg-1",
+  "132": "requirement-7-provider-metadata-json-eg-1",
+  "133": "requirement-8-security-txt-eg-1",
+  "134": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
+  "135": "requirement-11-one-folder-per-year-eg-1",
+  "136": "requirement-12-index-txt-eg-1",
+  "137": "requirement-13-changes-csv-eg-1",
+  "138": "requirement-15-rolie-feed-eg-1",
+  "139": "requirement-16-rolie-service-document-eg-1",
+  "140": "requirement-17-rolie-category-document-eg-1",
+  "141": "requirement-17-rolie-category-document-eg-2",
+  "142": "requirement-17-rolie-category-document-eg-3",
+  "143": "requirement-18-integrity-eg-1",
+  "144": "requirement-18-integrity-eg-2",
+  "145": "requirement-19-signatures-eg-1",
+  "146": "requirement-21-list-of-csaf-providers-eg-1",
+  "147": "requirement-23-mirror-eg-1",
+  "148": "conformance-clause-5-cvrf-csaf-converter-eg-1",
+  "149": "conformance-clause-5-cvrf-csaf-converter-eg-2",
+  "150": "conformance-clause-5-cvrf-csaf-converter-eg-3",
+  "151": "conformance-clause-5-cvrf-csaf-converter-eg-4"
 }

csaf_2.1/prose/edit/etc/example-local-to-global.json

@@ -5,18 +5,18 @@
   "acknowledgments-type-summary-eg-1": "3",
   "action-statement-eg-1": "86",
   "additional-properties-eg-1": "113",
-  "branch-categories-eg-1": "123",
+  "branch-categories-eg-1": "128",
   "branches-type-name-eg-1": "5",
   "branches-type-name-under-product-version-eg-1": "6",
   "branches-type-name-under-product-version-eg-2": "7",
   "branches-type-name-under-product-version-range-eg-1": "8",
   "branches-type-name-under-product-version-range-eg-2": "9",
   "build-metadata-in-revision-history-eg-1": "97",
   "circular-definition-of-product-id-eg-1": "52",
-  "conformance-clause-5-cvrf-csaf-converter-eg-1": "144",
-  "conformance-clause-5-cvrf-csaf-converter-eg-2": "145",
-  "conformance-clause-5-cvrf-csaf-converter-eg-3": "146",
-  "conformance-clause-5-cvrf-csaf-converter-eg-4": "147",
+  "conformance-clause-5-cvrf-csaf-converter-eg-1": "148",
+  "conformance-clause-5-cvrf-csaf-converter-eg-2": "149",
+  "conformance-clause-5-cvrf-csaf-converter-eg-3": "150",
+  "conformance-clause-5-cvrf-csaf-converter-eg-4": "151",
   "contradicting-product-status-eg-1": "55",
   "cve-in-field-ids-eg-1": "110",
   "cvss-for-fixed-products-eg-1": "112",
@@ -36,6 +36,7 @@
   "document-property-tracking-id-eg-1": "40",
   "document-references-eg-1": "78",
   "document-status-draft-eg-1": "66",
+  "document-tracking-id-in-title-eg-1": "115",
   "filename-eg-1": "48",
   "filename-eg-2": "49",
   "flag-without-product-reference-eg-1": "92",
@@ -55,17 +56,17 @@
   "language-type-eg-1": "18",
   "latest-document-version-eg-1": "65",
   "missing-canonical-url-eg-1": "104",
-  "missing-cve-eg-1": "117",
-  "missing-cvss-v4-0-eg-1": "127",
-  "missing-cwe-eg-1": "118",
+  "missing-cve-eg-1": "122",
+  "missing-cvss-v4-0-eg-1": "131",
+  "missing-cwe-eg-1": "123",
   "missing-date-in-involvements-eg-1": "100",
   "missing-definition-of-product-group-id-eg-1": "53",
   "missing-definition-of-product-id-eg-1": "50",
   "missing-document-language-eg-1": "105",
   "missing-item-in-revision-history-eg-1": "70",
+  "missing-metric-eg-1": "96",
   "missing-product-identification-helper-eg-1": "109",
   "missing-remediation-eg-1": "95",
-  "missing-metric-eg-1": "96",
   "missing-tlp-label-eg-1": "103",
   "mixed-integer-and-semantic-versioning-eg-1": "90",
   "multiple-definition-in-involvements-eg-1": "73",
@@ -94,41 +95,45 @@
   "purl-eg-1": "62",
   "released-revision-history-eg-1": "67",
   "remediation-without-product-reference-eg-1": "89",
-  "requirement-11-one-folder-per-year-eg-1": "131",
-  "requirement-12-index-txt-eg-1": "132",
-  "requirement-13-changes-csv-eg-1": "133",
-  "requirement-15-rolie-feed-eg-1": "134",
-  "requirement-16-rolie-service-document-eg-1": "135",
-  "requirement-17-rolie-category-document-eg-1": "136",
-  "requirement-17-rolie-category-document-eg-2": "137",
-  "requirement-17-rolie-category-document-eg-3": "138",
-  "requirement-18-integrity-eg-1": "139",
-  "requirement-18-integrity-eg-2": "140",
-  "requirement-19-signatures-eg-1": "141",
-  "requirement-21-list-of-csaf-providers-eg-1": "142",
-  "requirement-23-mirror-eg-1": "143",
-  "requirement-7-provider-metadata-json-eg-1": "128",
-  "requirement-8-security-txt-eg-1": "129",
-  "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "130",
+  "requirement-11-one-folder-per-year-eg-1": "135",
+  "requirement-12-index-txt-eg-1": "136",
+  "requirement-13-changes-csv-eg-1": "137",
+  "requirement-15-rolie-feed-eg-1": "138",
+  "requirement-16-rolie-service-document-eg-1": "139",
+  "requirement-17-rolie-category-document-eg-1": "140",
+  "requirement-17-rolie-category-document-eg-2": "141",
+  "requirement-17-rolie-category-document-eg-3": "142",
+  "requirement-18-integrity-eg-1": "143",
+  "requirement-18-integrity-eg-2": "144",
+  "requirement-19-signatures-eg-1": "145",
+  "requirement-21-list-of-csaf-providers-eg-1": "146",
+  "requirement-23-mirror-eg-1": "147",
+  "requirement-7-provider-metadata-json-eg-1": "132",
+  "requirement-8-security-txt-eg-1": "133",
+  "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "134",
   "revision-history-entries-for-pre-release-versions-eg-1": "68",
   "same-timestamps-in-revision-history-eg-1": "114",
   "sorted-revision-history-eg-1": "63",
-  "spell-check-eg-1": "122",
+  "spell-check-eg-1": "127",
   "translation-eg-1": "88",
   "translator-eg-1": "64",
   "typographical-conventions-eg-1": "4321",
   "unused-definition-of-product-id-eg-1": "94",
-  "usage-of-product-version-range-eg-1": "124",
-  "usage-of-v-as-version-indicator-eg-1": "126",
-  "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "115",
-  "use-of-cvss-v3-0-eg-1": "116",
+  "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "119",
+  "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "118",
+  "usage-of-deprecated-cwe-eg-1": "116",
+  "usage-of-non-latest-cwe-version-eg-1": "117",
+  "usage-of-product-version-range-eg-1": "129",
+  "usage-of-v-as-version-indicator-eg-1": "130",
+  "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "120",
+  "use-of-cvss-v3-0-eg-1": "121",
   "use-of-default-language-eg-1": "108",
   "use-of-md5-as-the-only-hash-algorithm-eg-1": "101",
-  "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "120",
+  "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "125",
   "use-of-private-language-eg-1": "107",
-  "use-of-self-referencing-urls-failing-to-resolve-eg-1": "121",
+  "use-of-self-referencing-urls-failing-to-resolve-eg-1": "126",
   "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "102",
-  "use-of-short-hash-eg-1": "119",
+  "use-of-short-hash-eg-1": "124",
   "version-range-in-product-version-eg-1": "91",
   "version-type-eg-1": "23",
   "version-type-semantic-versioning-eg-1": "24",

csaf_2.1/prose/edit/etc/section-display-to-label.json

@@ -184,6 +184,11 @@
   "6.2.19": "cvss-for-fixed-products",
   "6.2.20": "additional-properties",
   "6.2.21": "same-timestamps-in-revision-history",
+  "6.2.22": "document-tracking-id-in-title",
+  "6.2.23": "usage-of-deprecated-cwe",
+  "6.2.24": "usage-of-non-latest-cwe-version",
+  "6.2.25": "usage-of-cwe-not-allowed-for-vulnerability-mapping",
+  "6.2.26": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping",
   "6.3": "informative-test",
   "6.3.1": "use-of-cvss-v2-as-the-only-scoring-system",
   "6.3.2": "use-of-cvss-v3-0",
@@ -251,6 +256,11 @@
   "9.1.15": "conformance-clause-15-csaf-extended-validator",
   "9.1.16": "conformance-clause-16-csaf-full-validator",
   "9.1.17": "conformance-clause-17-csaf-sbom-matching-system",
+  "9.1.18": "conformance-clause-18-csaf-2-0-to-csaf-2-1-converter",
+  "9.1.19": "conformance-clause-19-csaf-library",
+  "9.1.20": "conformance-clause-20-csaf-library-with-basic-validation",
+  "9.1.21": "conformance-clause-21-csaf-library-with-extended-validation",
+  "9.1.22": "conformance-clause-22-csaf-library-with-full-validation",
   "Appendix A.": "acknowledgments",
   "Appendix B.": "revision-history",
   "Appendix C.": "guidance-on-the-size-of-csaf-documents",