From 18732f26baad1a1faf98ef57e94bb7738501e950 Mon Sep 17 00:00:00 2001 From: JanHoefelmeyer Date: Thu, 22 Jun 2023 13:40:00 +0200 Subject: [PATCH] Amend checker docs to explain why authorization for RED/AMBER advisories needs to be genuine --- docs/csaf_checker.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/csaf_checker.md b/docs/csaf_checker.md index e418813..74e7475 100644 --- a/docs/csaf_checker.md +++ b/docs/csaf_checker.md @@ -49,3 +49,8 @@ The checker result is a success if no checks resulted in type 2, and a failure o The `role` given in the `provider-metadata.json` is not yet considered to change the overall result, see https://github.com/csaf-poc/csaf_distribution/issues/221 . + +If a provider hosts one or more advisories with a TLP level of AMBER or RED, then these advisories should be access protected. +To check these advisories, authorization can be given via custom headers or certificates. +The authorization method chosen should grant access to all advisories, as otherwise the +checker will be unable to check all advisories and returns likely wrong output.
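Review bot: the new paragraph in docs/csaf_checker.md tells the reader that authorization "can be given via custom headers or certificates" but never says which checker options carry them; name the concrete command-line options for extra HTTP headers and for the client certificate/key next to this sentence (or link to the options section of this document) so a provider running the checker against TLP:AMBER/RED advisories does not have to guess. The last sentence, "the checker will be unable to check all advisories and returns likely wrong output", is too vague for a docs page: state what the checker actually reports when an advisory it cannot fetch is encountered, and make the underlying point explicit, namely that a protected advisory the checker cannot retrieve is indistinguishable from a missing or broken one, so a result produced with partial access is not a statement about the provider's compliance. Minor style: the first two added lines are unwrapped while the third is hard-wrapped mid-sentence ("...as otherwise the / checker will be..."); keep one wrapping convention, matching the rest of the file, and consider "access-protected" rather than "access protected".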