mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 05:40:11 +01:00

Amend checker docs to explain why authorization for RED/AMBER advisories needs to be genuine

This commit is contained in:
JanHoefelmeyer 2023-06-22 13:40:00 +02:00
parent 7dc1a6530e
commit 18732f26ba


@ -49,3 +49,8 @@ The checker result is a success if no checks resulted in type 2, and a failure o
The `role` given in the `provider-metadata.json` is not
yet considered to change the overall result,
see https://github.com/csaf-poc/csaf_distribution/issues/221 .
If a provider hosts one or more advisories with a TLP level of AMBER or RED, then these advisories should be access protected.
To check these advisories, authorization can be given via custom headers or certificates.
The authorization method chosen should grant access to all advisories, as otherwise the
checker will be unable to check all advisories and returns likely wrong output.
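Review bot: The new text starting at "If a provider hosts one or more advisories" follows the "see https://github.com/csaf-poc/csaf_distribution/issues/221 ." line without a blank line, so in Markdown it will be rendered as a continuation of the paragraph about the `role` field rather than as its own paragraph; insert an empty line before it. In the last sentence, "the checker will be unable to check all advisories and returns likely wrong output" mixes tenses; consider "the checker will be unable to check all advisories and will likely report an incorrect result", which also makes explicit that the consequence is an incorrect overall result (the success/failure described at the top of this section), not merely noisy output.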