Merge branch 'main' into sha-handling

2025-12-22 11:55:40 +01:00 · 2024-11-27 12:39:14 +01:00 · 2024-11-27 12:39:14 +01:00 · a5f4b10c4e
commit a5f4b10c4e
parent ffb4eff933 678f232a9a
67 changed files with 236 additions and 215 deletions
--- a/.github/workflows/itest.yml
+++ b/.github/workflows/itest.yml
@ -9,7 +9,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: 1.21.0
+          go-version: 1.22.0

      - name: Set up Node.js
        uses: actions/setup-node@v3
@ -25,7 +25,7 @@ jobs:
          sudo apt install -y make nginx fcgiwrap gnutls-bin
          cp -r $GITHUB_WORKSPACE ~
          cd ~
-          cd csaf_distribution/docs/scripts/
+          cd csaf/docs/scripts/
          # keep in sync with docs/scripts/Readme.md
          export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
          source ./TLSConfigsForITest.sh
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -8,6 +8,8 @@ jobs:
  releases-matrix:
    name: Release Go binaries
    runs-on: ubuntu-20.04
+    permissions:
+      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v3
@ -24,5 +26,5 @@ jobs:
        uses: softprops/action-gh-release@v1
        with:
            files: |
-                dist/csaf_distribution-*.zip
-                dist/csaf_distribution-*.tar.gz
+                dist/csaf-*.zip
+                dist/csaf-*.tar.gz
--- a/16
+++ b/16
@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2021 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
 # Software-Engineering: 2021 Intevation GmbH <https://intevation.de>
 #
-# Makefile to build csaf_distribution components
+# Makefile to build csaf components

 SHELL = /bin/bash
 BUILD = go build
@ -41,7 +41,7 @@ tag_checked_out:
 # into a semver version. For this we increase the PATCH number, so that
 # any commit after a tag is considered newer than the semver from the tag
 # without an optional 'v'
-# Note we need `--tags` because github release only creates lightweight tags
+# Note we need `--tags` because github releases only create lightweight tags
 #   (see feature request https://github.com/github/feedback/discussions/4924).
 #   We use `--always` in case of being run as github action with shallow clone.
 #   In this case we might in some situations see an error like
@ -50,16 +50,16 @@ tag_checked_out:
 GITDESC := $(shell git describe --tags --always)
 GITDESCPATCH := $(shell echo '$(GITDESC)' | sed -E 's/v?[0-9]+\.[0-9]+\.([0-9]+)[-+]?.*/\1/')
 SEMVERPATCH := $(shell echo $$(( $(GITDESCPATCH) + 1 )))
-# Hint: The regexp in the next line only matches if there is a hyphen (`-`)
-#       followed by a number, by which we assume that git describe
-#       has added a string after the tag
-SEMVER := $(shell echo '$(GITDESC)' | sed -E 's/v?([0-9]+\.[0-9]+\.)([0-9]+)(-[1-9].*)/\1$(SEMVERPATCH)\3/' )
+# Hint: The second regexp in the next line only matches
+#       if there is a hyphen (`-`) followed by a number,
+#       by which we assume that git describe has added a string after the tag
+SEMVER := $(shell echo '$(GITDESC)' | sed -E -e 's/^v//' -e 's/([0-9]+\.[0-9]+\.)([0-9]+)(-[1-9].*)/\1$(SEMVERPATCH)\3/' )
 testsemver:
 	@echo from \'$(GITDESC)\' transformed to \'$(SEMVER)\'


 # Set -ldflags parameter to pass the semversion.
-LDFLAGS = -ldflags "-X github.com/csaf-poc/csaf_distribution/v3/util.SemVersion=$(SEMVER)"
+LDFLAGS = -ldflags "-X github.com/gocsaf/csaf/v3/util.SemVersion=$(SEMVER)"

 # Build binaries and place them under bin-$(GOOS)-$(GOARCH)
 # Using 'Target-specific Variable Values' to specify the build target system
@ -78,7 +78,7 @@ build_linux build_win build_mac_amd64 build_mac_arm64:
 	env GOARCH=$(GOARCH) GOOS=$(GOOS) $(BUILD) -o $(BINDIR) $(LDFLAGS) -v ./cmd/...


-DISTDIR := csaf_distribution-$(SEMVER)
+DISTDIR := csaf-$(SEMVER)
 dist: build_linux build_win build_mac_amd64 build_mac_arm64
 	mkdir -p dist
 	mkdir -p dist/$(DISTDIR)-windows-amd64/bin-windows-amd64
--- a/README.md
+++ b/README.md
@ -8,7 +8,17 @@
 Software-Engineering: 2024 Intevation GmbH <https://intevation.de>
 -->

-# csaf_distribution
+
+> [!IMPORTANT]
+> To avoid future breakage, if you still use `csaf-poc`:
+> 1. Adjust your HTML links.
+> 2. Adjust your go module paths, see [#579](https://github.com/gocsaf/csaf/issues/579#issuecomment-2497244379).
+>
+> (This repository was moved here on 2024-10-28. The old one is deprecated
+> and redirection will be switched off a few months later.)
+
+
+# csaf

 Implements a [CSAF](https://csaf.io/)
 ([specification v2.0](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html)
@ -42,10 +52,10 @@ is a CSAF Aggregator, to list or mirror providers.
 ## Other stuff

 ### [examples](./examples/README.md)
-are small examples of how to use `github.com/csaf-poc/csaf_distribution`
+are small examples of how to use `github.com/gocsaf/csaf`
 as an API. Currently this is a work in progress, as usage of this repository
 as a library to access is _not officially supported_, e.g.
-see https://github.com/csaf-poc/csaf_distribution/issues/367 .
+see https://github.com/gocsaf/csaf/issues/367 .

 ## Setup
 Binaries for the server side are only available and tested
@ -69,9 +79,9 @@ Download the binaries from the most recent release assets on Github.

 ### Build from sources

- A recent version of **Go** (1.21+) should be installed. [Go installation](https://go.dev/doc/install)
+- A recent version of **Go** (1.22+) should be installed. [Go installation](https://go.dev/doc/install)

- Clone the repository `git clone https://github.com/csaf-poc/csaf_distribution.git `
+- Clone the repository `git clone https://github.com/gocsaf/csaf.git `

 - Build Go components Makefile supplies the following targets:
 	- Build for GNU/Linux system: `make build_linux`
@ -100,7 +110,7 @@ For further details of the development process consult our [development page](./

 ## License

- `csaf_distribution` is licensed as Free Software under the terms of the [Apache License, Version 2.0](./LICENSES/Apache-2.0.txt).
+- `csaf` is licensed as Free Software under the terms of the [Apache License, Version 2.0](./LICENSES/Apache-2.0.txt).

 - See the specific source files
  for details, the license itself can be found in the directory `LICENSES/`.
--- a/cmd/csaf_aggregator/client.go
+++ b/cmd/csaf_aggregator/client.go
@ -13,7 +13,7 @@ import (
 	"io"
 	"net/http"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 var errNotFound = errors.New("not found")
--- a/cmd/csaf_aggregator/config.go
+++ b/cmd/csaf_aggregator/config.go
@ -20,12 +20,12 @@ import (
 	"time"

 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/internal/certs"
+	"github.com/gocsaf/csaf/v3/internal/filter"
+	"github.com/gocsaf/csaf/v3/internal/models"
+	"github.com/gocsaf/csaf/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/util"
 	"golang.org/x/time/rate"
 )

@ -301,6 +301,11 @@ func (c *config) httpClient(p *provider) util.Client {
 			Client: client,
 			Header: c.ExtraHeader,
 		}
+	default:
+		client = &util.HeaderClient{
+			Client: client,
+			Header: http.Header{},
+		}
 	}

 	if c.Verbose {
--- a/cmd/csaf_aggregator/full.go
+++ b/cmd/csaf_aggregator/full.go
@ -18,8 +18,8 @@ import (
 	"sync"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type fullJob struct {
--- a/cmd/csaf_aggregator/indices.go
+++ b/cmd/csaf_aggregator/indices.go
@ -19,8 +19,8 @@ import (
 	"strings"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 const (
--- a/cmd/csaf_aggregator/interim.go
+++ b/cmd/csaf_aggregator/interim.go
@ -24,8 +24,8 @@ import (
 	"sync"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type interimJob struct {
--- a/cmd/csaf_aggregator/lazytransaction.go
+++ b/cmd/csaf_aggregator/lazytransaction.go
@ -13,7 +13,7 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type lazyTransaction struct {
--- a/cmd/csaf_aggregator/lister.go
+++ b/cmd/csaf_aggregator/lister.go
@ -11,8 +11,8 @@ package main
 import (
 	"fmt"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // mirrorAllowed checks if mirroring is allowed.
--- a/cmd/csaf_aggregator/main.go
+++ b/cmd/csaf_aggregator/main.go
@ -15,7 +15,7 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/options"

 	"github.com/gofrs/flock"
 )
--- a/cmd/csaf_aggregator/mirror.go
+++ b/cmd/csaf_aggregator/mirror.go
@ -30,8 +30,8 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // mirrorAllowed checks if mirroring is allowed.
--- a/cmd/csaf_aggregator/processor.go
+++ b/cmd/csaf_aggregator/processor.go
@ -14,8 +14,8 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"

 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 )
--- a/cmd/csaf_checker/config.go
+++ b/cmd/csaf_checker/config.go
@ -13,10 +13,10 @@ import (
 	"fmt"
 	"net/http"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/certs"
+	"github.com/gocsaf/csaf/v3/internal/filter"
+	"github.com/gocsaf/csaf/v3/internal/models"
+	"github.com/gocsaf/csaf/v3/internal/options"
 )

 type outputFormat string
--- a/cmd/csaf_checker/links.go
+++ b/cmd/csaf_checker/links.go
@ -15,7 +15,7 @@ import (

 	"github.com/PuerkitoBio/goquery"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type (
--- a/cmd/csaf_checker/main.go
+++ b/cmd/csaf_checker/main.go
@ -12,7 +12,7 @@ package main
 import (
 	"log"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/options"
 )

 // run uses a processor to check all the given domains or direct urls
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@ -33,8 +33,8 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"golang.org/x/time/rate"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // topicMessages stores the collected topicMessages for a specific topic.
@ -429,11 +429,9 @@ func (p *processor) fullClient() util.Client {
 	client := util.Client(&hClient)

 	// Add extra headers.
-	if len(p.cfg.ExtraHeader) > 0 {
-		client = &util.HeaderClient{
-			Client: client,
-			Header: p.cfg.ExtraHeader,
-		}
+	client = &util.HeaderClient{
+		Client: client,
+		Header: p.cfg.ExtraHeader,
 	}

 	// Add optional URL logging.
@ -1443,9 +1441,9 @@ func (p *processor) checkWellknownSecurityDNS(domain string) error {
 }

 // checkPGPKeys checks if the OpenPGP keys are available and valid, fetches
-// the the remotely keys and compares the fingerprints.
-// As a result of these a respective error messages are passed to badPGP method
-// in case of errors. It returns nil if all checks are passed.
+// the remote pubkeys and compares the fingerprints.
+// As a result of these checks respective error messages are passed
+// to badPGP methods. It returns nil if all checks are passed.
 func (p *processor) checkPGPKeys(_ string) error {
 	p.badPGPs.use()

@ -1511,7 +1509,7 @@ func (p *processor) checkPGPKeys(_ string) error {
 		}

 		if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
-			p.badPGPs.error("Fingerprint of public OpenPGP key %s does not match remotely loaded.", u)
+			p.badPGPs.error("Given Fingerprint (%q) of public OpenPGP key %q does not match remotely loaded (%q).", string(key.Fingerprint), u, ckey.GetFingerprint())
 			continue
 		}
 		if p.keys == nil {
--- a/cmd/csaf_checker/report.go
+++ b/cmd/csaf_checker/report.go
@ -18,8 +18,8 @@ import (
 	"os"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/internal/models"
 )

 // MessageType is the kind of the message.
--- a/cmd/csaf_checker/reporters.go
+++ b/cmd/csaf_checker/reporters.go
@ -13,7 +13,7 @@ import (
 	"sort"
 	"strings"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type (
--- a/cmd/csaf_checker/roliecheck.go
+++ b/cmd/csaf_checker/roliecheck.go
@ -15,8 +15,8 @@ import (
 	"sort"
 	"strings"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // identifier consist of document/tracking/id and document/publisher/namespace,
--- a/cmd/csaf_checker/rules.go
+++ b/cmd/csaf_checker/rules.go
@ -12,7 +12,7 @@ import (
 	"fmt"
 	"sort"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/gocsaf/csaf/v3/csaf"
 )

 type ruleCondition int
--- a/cmd/csaf_downloader/config.go
+++ b/cmd/csaf_downloader/config.go
@ -19,10 +19,10 @@ import (
 	"path/filepath"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/certs"
+	"github.com/gocsaf/csaf/v3/internal/filter"
+	"github.com/gocsaf/csaf/v3/internal/models"
+	"github.com/gocsaf/csaf/v3/internal/options"
 )

 const (
--- a/cmd/csaf_downloader/downloader.go
+++ b/cmd/csaf_downloader/downloader.go
@ -34,8 +34,8 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"golang.org/x/time/rate"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type hashFetchInfo struct {
@ -138,11 +138,9 @@ func (d *downloader) httpClient() util.Client {
 	}

 	// Add extra headers.
-	if len(d.cfg.ExtraHeader) > 0 {
-		client = &util.HeaderClient{
-			Client: client,
-			Header: d.cfg.ExtraHeader,
-		}
+	client = &util.HeaderClient{
+		Client: client,
+		Header: d.cfg.ExtraHeader,
 	}

 	// Add optional URL logging.
@ -378,7 +376,7 @@ func (d *downloader) loadOpenPGPKeys(
 		if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
 			slog.Warn(
 				"Fingerprint of public OpenPGP key does not match remotely loaded",
-				"url", u)
+				"url", u, "fingerprint", key.Fingerprint, "remote-fingerprint", ckey.GetFingerprint())
 			continue
 		}
 		if d.keys == nil {
--- a/cmd/csaf_downloader/forwarder.go
+++ b/cmd/csaf_downloader/forwarder.go
@ -19,8 +19,8 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/misc"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/internal/misc"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // failedForwardDir is the name of the special sub folder
@ -111,11 +111,9 @@ func (f *forwarder) httpClient() util.Client {
 	client := util.Client(&hClient)

 	// Add extra headers.
-	if len(f.cfg.ForwardHeader) > 0 {
-		client = &util.HeaderClient{
-			Client: client,
-			Header: f.cfg.ForwardHeader,
-		}
+	client = &util.HeaderClient{
+		Client: client,
+		Header: f.cfg.ForwardHeader,
 	}

 	// Add optional URL logging.
--- a/cmd/csaf_downloader/forwarder_test.go
+++ b/cmd/csaf_downloader/forwarder_test.go
@ -23,8 +23,8 @@ import (
 	"strings"
 	"testing"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/util"
 )

 func TestValidationStatusUpdate(t *testing.T) {
--- a/cmd/csaf_downloader/main.go
+++ b/cmd/csaf_downloader/main.go
@ -15,7 +15,7 @@ import (
 	"os"
 	"os/signal"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/options"
 )

 func run(cfg *config, domains []string) error {
--- a/cmd/csaf_provider/actions.go
+++ b/cmd/csaf_provider/actions.go
@ -26,8 +26,8 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 const dateFormat = time.RFC3339
--- a/cmd/csaf_provider/config.go
+++ b/cmd/csaf_provider/config.go
@ -18,7 +18,7 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"golang.org/x/crypto/bcrypt"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/gocsaf/csaf/v3/csaf"
 )

 const (
--- a/cmd/csaf_provider/create.go
+++ b/cmd/csaf_provider/create.go
@ -22,8 +22,8 @@ import (

 	"github.com/ProtonMail/gopenpgp/v2/crypto"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // ensureFolders initializes the paths and call functions to create
--- a/cmd/csaf_provider/files.go
+++ b/cmd/csaf_provider/files.go
@ -13,7 +13,7 @@ import (
 	"crypto/sha512"
 	"os"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 func writeHashedFile(fname, name string, data []byte, armored string) error {
--- a/cmd/csaf_provider/indices.go
+++ b/cmd/csaf_provider/indices.go
@ -18,7 +18,7 @@ import (
 	"sort"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 func updateIndex(dir, fname string) error {
--- a/cmd/csaf_provider/main.go
+++ b/cmd/csaf_provider/main.go
@ -18,7 +18,7 @@ import (

 	"github.com/jessevdk/go-flags"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type options struct {
--- a/cmd/csaf_provider/rolie.go
+++ b/cmd/csaf_provider/rolie.go
@ -15,8 +15,8 @@ import (
 	"strings"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // mergeCategories merges the given categories into the old ones.
--- a/cmd/csaf_provider/transaction.go
+++ b/cmd/csaf_provider/transaction.go
@ -12,8 +12,8 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 func doTransaction(
--- a/cmd/csaf_uploader/config.go
+++ b/cmd/csaf_uploader/config.go
@ -18,8 +18,8 @@ import (
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/term"

-	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/gocsaf/csaf/v3/internal/certs"
+	"github.com/gocsaf/csaf/v3/internal/options"
 )

 const (
--- a/cmd/csaf_uploader/main.go
+++ b/cmd/csaf_uploader/main.go
@ -9,7 +9,7 @@
 // Implements a command line tool that uploads csaf documents to csaf_provider.
 package main

-import "github.com/csaf-poc/csaf_distribution/v3/internal/options"
+import "github.com/gocsaf/csaf/v3/internal/options"

 func main() {
 	args, cfg, err := parseArgsConfig()
--- a/cmd/csaf_uploader/processor.go
+++ b/cmd/csaf_uploader/processor.go
@ -26,9 +26,9 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/misc"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/internal/misc"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type processor struct {
--- a/cmd/csaf_validator/main.go
+++ b/cmd/csaf_validator/main.go
@ -18,8 +18,8 @@ import (

 	"github.com/jessevdk/go-flags"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 type options struct {
--- a/csaf/advisories.go
+++ b/csaf/advisories.go
@ -19,7 +19,7 @@ import (
 	"strings"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // AdvisoryFile constructs the urls of a remote file.
--- a/csaf/models.go
+++ b/csaf/models.go
@ -17,7 +17,7 @@ import (
 	"strings"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // TLPLabel is the traffic light policy of the CSAF.
--- a/csaf/providermetaloader.go
+++ b/csaf/providermetaloader.go
@ -18,7 +18,7 @@ import (
 	"net/http"
 	"strings"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // ProviderMetadataLoader helps load provider-metadata.json from
--- a/csaf/rolie.go
+++ b/csaf/rolie.go
@ -14,7 +14,7 @@ import (
 	"sort"
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 // ROLIEServiceWorkspaceCollectionCategoriesCategory is a category in a ROLIE service collection.
--- a/csaf/schema/aggregator_json_schema.json
+++ b/csaf/schema/aggregator_json_schema.json
@ -175,7 +175,7 @@
        "type": "object",
        "required": [
          "metadata",
-          "mirror",
+          "mirrors",
          "update_interval"
        ],
        "properties": {
--- a/csaf/summary.go
+++ b/csaf/summary.go
@ -11,7 +11,7 @@ package csaf
 import (
 	"time"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"
 )

 const (
--- a/docs/Development.md
+++ b/docs/Development.md
@ -3,7 +3,7 @@
 ## Supported Go versions

 We support the latest version and the one before
-the latest version of Go (currently 1.22 and 1.21).
+the latest version of Go (currently 1.22 and 1.23).

 ## Generated files

--- a/docs/csaf_aggregator.md
+++ b/docs/csaf_aggregator.md
@ -16,6 +16,7 @@ Help Options:
 ```

 If no config file is explictly given the follwing places are searched for a config file:
+
 ```
 ~/.config/csaf/aggregator.toml
 ~/.csaf_aggregator.toml
@ -25,6 +26,7 @@ csaf_aggregator.toml
 with `~` expanding to `$HOME` on unixoid systems and `%HOMEPATH` on Windows systems.

 Usage example for a single run, to test if the config is good:
+
 ```bash
 ./csaf_aggregator -c docs/examples/aggregator.toml
 ```
@ -62,7 +64,6 @@ SHELL=/bin/bash
 30 0-23 * * * $HOME/bin/csaf_aggregator --config /etc/csaf_aggregator.toml --interim >> /var/log/csaf_aggregator/interim.log 2>&1
 ```

-
 #### serve via web server

 Serve the paths where the aggregator writes its `html/` output
@ -78,7 +79,6 @@ a template. For the aggregator the difference is that you can leave out
 the cgi-bin part, potentially commend out the TLS client parts and
 adjust the `root` path accordingly.

-
 ### config options

 The config file is written in [TOML](https://toml.io/en/v1.0.0).
@ -118,10 +118,12 @@ Next we have two TOML _tables_:
 aggregator            // basic infos for the aggregator object
 remote_validator      // config for optional remote validation checker
 ```
+
 [See the provider config](csaf_provider.md#provider-options) about
 how to configure `remote_validator`.

 At last there is the TOML _array of tables_:
+
 ```
 providers             // each entry to be mirrored or listed
 ```
@ -148,6 +150,9 @@ header

 Where valid `name` and `domain` settings are required.

+If no user agent is specified with `header = "user-agent:custom-agent/1.0"`
+then the default agent in the form of `csaf_distribution/VERSION` is sent.
+
 If you want an entry to be listed instead of mirrored
 in a `aggregator.category == "aggregator"` instance,
 set `category` to `lister` in the entry.
@ -170,10 +175,11 @@ The latter is evaluated as JSONPath and the result will be added into the
 categories document. For a more detailed explanation and examples,
 [refer to the provider config](csaf_provider.md#provider-options).

-
 #### Example config file
+
 <!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/examples/aggregator.toml) -->
 <!-- The below code snippet is automatically added from ../docs/examples/aggregator.toml -->
+
 ```toml
 workers = 2
 folder = "/var/csaf_aggregator"
@ -233,8 +239,8 @@ insecure = true
  category = "lister"
 # ignore_pattern = [".*white.*", ".*red.*"]
 ```
-<!-- MARKDOWN-AUTO-DOCS:END -->

+<!-- MARKDOWN-AUTO-DOCS:END -->

 #### Publish others' advisories

--- a/docs/csaf_checker.md
+++ b/docs/csaf_checker.md
@ -30,9 +30,12 @@ Help Options:

 Will check all given _domains_, by trying each as a CSAF provider.

+If no user agent is specified with `--header=user-agent:custom-agent/1.0` then the default agent in the form of `csaf_distribution/VERSION` is sent.
+
 If a _domain_ starts with `https://` it is instead considered a direct URL to the `provider-metadata.json` and checking proceeds from there.

 If no config file is explictly given the follwing places are searched for a config file:
+
 ```
 ~/.config/csaf/checker.toml
 ~/.csaf_checker.toml
@ -41,6 +44,7 @@ csaf_checker.toml

 with `~` expanding to `$HOME` on unixoid systems and `%HOMEPATH` on Windows systems.
 Supported options in config files:
+
 ```
 output              = ""
 format              = "json"
@ -58,9 +62,10 @@ validator_preset    = ["mandatory"]
 ```

 Usage example:
-` ./csaf_checker example.com -f html --rate=5.3 -H apikey:SECRET -o check-results.html`
+`./csaf_checker example.com -f html --rate=5.3 -H apikey:SECRET -o check-results.html`

 Each performed check has a return type of either 0,1 or 2:
+
 ```
 type 0: success
 type 1: warning
@ -70,16 +75,16 @@ type 2: error
 The checker result is a success if no checks resulted in type 2, and a failure otherwise.

 The option `timerange` allows to only check advisories from a given time
-interval. It can only be given once.  See the
+interval. It can only be given once. See the
 [downloader documentation](csaf_downloader.md#timerange-option) for details.

-
 You can ignore certain advisories while checking by specifying a list
 of regular expressions[^1] to match their URLs by using the `ignorepattern`
 option.
 E.g. `-i='.*white.*' -i='*.red.*'` will ignore files which URLs contain
 the sub strings **white** or **red**.
 In the config file this has to be noted as:
+
 ```
 ignorepattern = [".*white.*", ".*red.*"]
 ```
@ -88,7 +93,7 @@ ignorepattern = [".*white.*", ".*red.*"]

 The `role` given in the `provider-metadata.json` is not
 yet considered to change the overall result,
-see https://github.com/csaf-poc/csaf_distribution/issues/221 .
+see <https://github.com/gocsaf/csaf/issues/221> .

 If a provider hosts one or more advisories with a TLP level of AMBER or RED, then these advisories must be access protected.
 To check these advisories, authorization can be given via custom headers or certificates.
--- a/docs/csaf_downloader.md
+++ b/docs/csaf_downloader.md
@ -1,4 +1,5 @@
 ## csaf_downloader
+
 A tool to download CSAF documents from CSAF providers.

 ### Usage
@ -21,6 +22,7 @@ Application Options:
  -f, --folder=FOLDER                            Download into a given subFOLDER
  -i, --ignore_pattern=PATTERN                   Do not download files if their URLs match any of the given PATTERNs
  -H, --header=                                  One or more extra HTTP header fields
+      --enumerate_pmd_only                       If this flag is set to true, the downloader will only enumerate valid provider metadata files, but not download documents
      --validator=URL                            URL to validate documents remotely
      --validator_cache=FILE                     FILE to cache remote validations
      --validator_preset=PRESETS                 One or more PRESETS to validate remotely (default: [mandatory])
@ -29,8 +31,8 @@ Application Options:
      --forward_header=                          One or more extra HTTP header fields used by forwarding
      --forward_queue=LENGTH                     Maximal queue LENGTH before forwarder (default: 5)
      --forward_insecure                         Do not check TLS certificates from forward endpoint
-      --logfile=FILE                             FILE to log downloading to (default: downloader.log)
-      --loglevel=LEVEL[debug|info|warn|error]    LEVEL of logging details (default: info)
+      --log_file=FILE                            FILE to log downloading to (default: downloader.log)
+      --log_level=LEVEL[debug|info|warn|error]   LEVEL of logging details (default: info)
  -c, --config=TOML-FILE                         Path to config TOML file
      --preferred_hash=HASH[sha256|sha512]       HASH to prefer

@ -40,6 +42,8 @@ Help Options:

 Will download all CSAF documents for the given _domains_, by trying each as a CSAF provider.

+If no user agent is specified with `--header=user-agent:custom-agent/1.0` then the default agent in the form of `csaf_distribution/VERSION` is sent.
+
 If a _domain_ starts with `https://` it is instead considered a direct URL to the `provider-metadata.json` and downloading procedes from there.

 Increasing the number of workers opens more connections to the web servers
@ -48,6 +52,7 @@ However, since this also increases the load on the servers, their administrators
 have taken countermeasures to limit this.

 If no config file is explictly given the follwing places are searched for a config file:
+
 ```
 ~/.config/csaf/downloader.toml
 ~/.csaf_downloader.toml
@ -57,6 +62,7 @@ csaf_downloader.toml
 with `~` expanding to `$HOME` on unixoid systems and `%HOMEPATH` on Windows systems.

 Supported options in config files:
+
 ```
 # directory         # not set by default
 insecure            = false
@ -91,6 +97,7 @@ option.
 E.g. `-i='.*white.*' -i='*.red.*'` will ignore files which URLs contain
 the sub strings **white** or **red**.
 In the config file this has to be noted as:
+
 ```
 ignorepattern = [".*white.*", ".*red.*"]
 ```
@ -107,16 +114,18 @@ into a given intervall. There are three possible notations:
   and 'y' for years are recognized. In these cases only integer
   values are accepted without any fractions.
   Some examples:
+
   - `"3h"` means downloading the advisories that have changed in the last three hours.
-   - `"30m"`  .. changed within the last thirty minutes.
+   - `"30m"` .. changed within the last thirty minutes.
   - `"3M2m"` .. changed within the last three months and two minutes.
-   - `"2y"`   .. changed within the last two years.
+   - `"2y"` .. changed within the last two years.

 2. Absolute. If the given string is an RFC 3339 date timestamp
   the time interval between this date and now is used.
   E.g. `"2006-01-02"` means that all files between 2006 January 2nd and now going to being
   downloaded.
   Accepted patterns are:
+
   - `"2006-01-02T15:04:05Z"`
   - `"2006-01-02T15:04:05+07:00"`
   - `"2006-01-02T15:04:05-07:00"`
@ -135,6 +144,7 @@ into a given intervall. There are three possible notations:
 All interval boundaries are inclusive.

 #### Forwarding
+
 The downloader is able to forward downloaded advisories and their checksums,
 OpenPGP signatures and validation results to an HTTP endpoint.  
 The details of the implemented API are described [here](https://github.com/mfd2007/csaf_upload_interface).  
@ -150,7 +160,7 @@ key protection mechanism based on RFC 1423, see
 Thus it considered experimental and most likely to be removed
 in a future release. Please only use this option, if you fully understand
 the security implications!
-Note that for fully automated processes, it usually not make sense
+Note that for fully automated processes, it usually does not make sense
 to protect the client certificate's private key with a passphrase.
 Because the passphrase has to be accessible to the process anyway to run
 unattented. In this situation the processing environment should be secured
--- a/docs/csaf_provider.md
+++ b/docs/csaf_provider.md
@ -4,7 +4,7 @@ The [setup docs](../README.md#setup-trusted-provider)
 explain how to wire this up with nginx and where the config file lives.

 When installed, two endpoints are offered,
-and you should use the [csaf_uploader](../docs/csaf_uploader)
+and you should use the [csaf_uploader](../docs/csaf_uploader.md)
 to access them:

 ### /api/create
@ -141,5 +141,5 @@ contact_details = "Example Company can be reached at contact_us@example.com, or

 There is an experimental upload interface which works with a web browser.
 It is disabled by default, as there are known issues, notably:
- * https://github.com/csaf-poc/csaf_distribution/issues/43
- * https://github.com/csaf-poc/csaf_distribution/issues/256
+ * https://github.com/gocsaf/csaf/issues/43
+ * https://github.com/gocsaf/csaf/issues/256
--- a/docs/development-ca.md
+++ b/docs/development-ca.md
@ -55,7 +55,7 @@ signing_key
 encryption_key
 non_repudiation

-dns_name = "*.local"
+dns_name = "*.test"
 dns_name = "localhost"

 serial = 010
--- a/docs/provider-setup.md
+++ b/docs/provider-setup.md
@ -115,7 +115,7 @@ sudo chmod g+r,o-rwx /etc/csaf/config.toml

 Here is a minimal example configuration,
 which you need to customize for a production setup,
-see the [options of `csaf_provider`](https://github.com/csaf-poc/csaf_distribution/blob/main/docs/csaf_provider.md).
+see the [options of `csaf_provider`](https://github.com/gocsaf/csaf/blob/main/docs/csaf_provider.md).

 <!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=94-101) -->
 <!-- The below code snippet is automatically added from ../docs/scripts/setupProviderForITest.sh -->
--- a/docs/scripts/Readme.md
+++ b/docs/scripts/Readme.md
@ -1,7 +1,7 @@
 Scripts for assisting the Integration tests.
 They were written on Ubuntu 20.04 TLS amd64 and also tested with 24.04 TLS.

- `prepareUbuntuInstanceForITests.sh` installs the required packages for the csaf_distribution integration tests on a naked ubuntu LTS amd64.
+- `prepareUbuntuInstanceForITests.sh` installs the required packages for the csaf integration tests on a naked Ubuntu LTS amd64.

 - `TLSConfigsForITest.sh` generates a root CA and webserver cert by running `createRootCAForITest.sh` and `createWebserverCertForITest.sh`
 and configures nginx for serving TLS connections.
@ -12,13 +12,13 @@ and configures nginx for serving TLS connections.

 As creating the folders needs to authenticate with the csaf_provider, the configurations of TLS server and Client certificate authentication should be set. So it is recommended to call the scripts in this order: `TLSConfigsForITest.sh`, `TLSClientConfigsForITest.sh`, `setupProviderForITest.sh`

-Calling example (as root):
+Calling example (as user with sudo privileges):
 ``` bash
-    curl --fail -O https://raw.githubusercontent.com/csaf-poc/csaf_distribution/main/docs/scripts/prepareUbuntuInstanceForITests.sh
-    bash prepareUbuntuInstanceForITests.sh
+    curl --fail -O https://raw.githubusercontent.com/gocsaf/csaf/main/docs/scripts/prepareUbuntuInstanceForITests.sh
+    sudo bash prepareUbuntuInstanceForITests.sh

-    git clone https://github.com/csaf-poc/csaf_distribution.git # --branch <name>
-    pushd csaf_distribution/docs/scripts/
+    git clone https://github.com/gocsaf/csaf.git # --branch <name>
+    pushd csaf/docs/scripts/

    export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
    source ./TLSConfigsForITest.sh
--- a/docs/scripts/TLSClientConfigsForITest.sh
+++ b/docs/scripts/TLSClientConfigsForITest.sh
@ -18,7 +18,7 @@ set -e

 NGINX_CONFIG_PATH=/etc/nginx/sites-available/default

-cd ~/csaf_distribution/docs/scripts/
+cd ~/csaf/docs/scripts/
 source ./createCCForITest.sh

 echo '
--- a/docs/scripts/TLSConfigsForITest.sh
+++ b/docs/scripts/TLSConfigsForITest.sh
@ -17,7 +17,7 @@ set -e

 NGINX_CONFIG_PATH=/etc/nginx/sites-available/default

-cd ~/csaf_distribution/docs/scripts/
+cd ~/csaf/docs/scripts/
 ## Create Root CA
 ./createRootCAForITest.sh

--- a/docs/scripts/prepareUbuntuInstanceForITests.sh
+++ b/docs/scripts/prepareUbuntuInstanceForITests.sh
@ -2,11 +2,11 @@
 set -e

 # This script prepares a naked Ubuntu LTS amd64
-# for the csaf_distribution integration tests
+# for the csaf integration tests
 # by installing the required packages.

 apt update
-apt install -y make bash curl gnupg sed tar git nginx fcgiwrap gnutls-bin
+apt install -y make bash curl gnupg sed tar git nginx fcgiwrap gnutls-bin zip

 # Install Go from binary distribution
 latest_go="$(curl https://go.dev/VERSION\?m=text| head -1).linux-amd64.tar.gz"
--- a/docs/scripts/setupProviderForITest.sh
+++ b/docs/scripts/setupProviderForITest.sh
@ -17,7 +17,7 @@ sudo chgrp -R www-data  /var/www
 sudo chmod -R g+ws  /var/www

 export NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
-export DNS_NAME=csaf.data.security.localhost
+export DNS_NAME=csaf.data.security.test

 sudo cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf

--- a/docs/scripts/setupValidationService.sh
+++ b/docs/scripts/setupValidationService.sh
@ -21,7 +21,7 @@ echo '
 remote_validator= { "url" = "http://localhost:8082", "presets" = ["mandatory"], "cache" = "/var/lib/csaf/validations.db" }
 ' | sudo tee --append /etc/csaf/config.toml

-npm install pm2 -g
+sudo npm install pm2 -g

 pushd ~
 git clone https://github.com/secvisogram/csaf-validator-service.git
--- a/docs/scripts/testAggregator.sh
+++ b/docs/scripts/testAggregator.sh
@ -29,6 +29,6 @@ popd
 echo
 echo '=== run aggregator'

-cd ~/csaf_distribution/
+cd ~/csaf/
 sudo cp docs/examples/aggregator.toml /etc/csaf
 sudo ./bin-linux-amd64/csaf_aggregator -c /etc/csaf/aggregator.toml
--- a/docs/scripts/testChecker.sh
+++ b/docs/scripts/testChecker.sh
@ -11,7 +11,7 @@
 set -e  # to exit if a command in the script fails

 echo '==== run checker (twice)'
-cd ~/csaf_distribution
+cd ~/csaf

 ./bin-linux-amd64/csaf_checker -f html -o ../checker-results.html --insecure \
  --client_cert ~/devca1/testclient1.crt \
--- a/docs/scripts/testDownloader.sh
+++ b/docs/scripts/testDownloader.sh
@ -10,7 +10,7 @@

 set -e  # to exit if a command in the script fails

-cd ~/csaf_distribution
+cd ~/csaf

 echo
 echo '==== run downloader (1)'
--- a/examples/README.md
+++ b/examples/README.md
@ -1,6 +1,6 @@
 # API examples

-An experimental example of how to use `github.com/csaf-poc/csaf_distribution`
+An experimental example of how to use `github.com/gocsaf/csaf`
 as a library.
 As usage of the repository as an API is currently a _work in progress_,
 these examples are likely to be changed.
--- a/examples/purls_searcher/main.go
+++ b/examples/purls_searcher/main.go
@ -1,5 +1,5 @@
 // Package main implements a simple demo program to
-// work with the csaf_distribution library.
+// work with the csaf library.
 package main

 import (
@ -9,8 +9,8 @@ import (
 	"os"
 	"strings"

-	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/util"
 )

 func main() {
--- a/go.mod
+++ b/go.mod
@ -1,31 +1,31 @@
-module github.com/csaf-poc/csaf_distribution/v3
+module github.com/gocsaf/csaf/v3

-go 1.21
+go 1.22.9

 require (
-	github.com/BurntSushi/toml v1.3.2
+	github.com/BurntSushi/toml v1.4.0
 	github.com/Intevation/gval v1.3.0
 	github.com/Intevation/jsonpath v0.2.1
-	github.com/ProtonMail/gopenpgp/v2 v2.7.4
+	github.com/ProtonMail/gopenpgp/v2 v2.8.0
 	github.com/PuerkitoBio/goquery v1.8.1
-	github.com/gofrs/flock v0.8.1
-	github.com/jessevdk/go-flags v1.5.0
+	github.com/gofrs/flock v0.12.1
+	github.com/jessevdk/go-flags v1.6.1
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
-	go.etcd.io/bbolt v1.3.8
-	golang.org/x/crypto v0.14.0
-	golang.org/x/term v0.13.0
-	golang.org/x/time v0.3.0
+	go.etcd.io/bbolt v1.3.11
+	golang.org/x/crypto v0.29.0
+	golang.org/x/term v0.26.0
+	golang.org/x/time v0.8.0
 )

 require (
-	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/ProtonMail/go-crypto v1.1.2 // indirect
 	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
 	github.com/andybalholm/cascadia v1.3.2 // indirect
-	github.com/cloudflare/circl v1.3.6 // indirect
+	github.com/cloudflare/circl v1.5.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	golang.org/x/net v0.31.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,34 +1,30 @@
-github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Intevation/gval v1.3.0 h1:+Ze5sft5MmGbZrHj06NVUbcxCb67l9RaPTLMNr37mjw=
 github.com/Intevation/gval v1.3.0/go.mod h1:xmGyGpP5be12EL0P12h+dqiYG8qn2j3PJxIgkoOHO5o=
 github.com/Intevation/jsonpath v0.2.1 h1:rINNQJ0Pts5XTFEG+zamtdL7l9uuE1z0FBA+r55Sw+A=
 github.com/Intevation/jsonpath v0.2.1/go.mod h1:WnZ8weMmwAx/fAO3SutjYFU+v7DFreNYnibV7CiaYIw=
-github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
-github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
-github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v1.1.2 h1:A7JbD57ThNqh7XjmHE+PXpQ3Dqt3BrSAC0AL0Go3KS0=
+github.com/ProtonMail/go-crypto v1.1.2/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
 github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
-github.com/ProtonMail/gopenpgp/v2 v2.7.4 h1:Vz/8+HViFFnf2A6XX8JOvZMrA6F5puwNvvF21O1mRlo=
-github.com/ProtonMail/gopenpgp/v2 v2.7.4/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g=
+github.com/ProtonMail/gopenpgp/v2 v2.8.0 h1:WvMv3CMcFsqKSM4/Qf8sf3tgyQkzDqQmoSE49bnBuP4=
+github.com/ProtonMail/gopenpgp/v2 v2.8.0/go.mod h1:qb2GUSnmA9ipBW5GVtCtEhkummSlqs2A8Ar3S0HBgSY=
 github.com/PuerkitoBio/goquery v1.8.1 h1:uQxhNlArOIdbrH1tr0UXwdVFgDcZDrZVdcpygAcwmWM=
 github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ=
 github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEqc0Sk8XGwHqvA=
 github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
 github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
-github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
+github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
-github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=
-github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
+github.com/jessevdk/go-flags v1.6.1 h1:Cvu5U8UGrLay1rZfv/zP7iLpSHGUZ/Ou68T0iX1bBK4=
+github.com/jessevdk/go-flags v1.6.1/go.mod h1:Mk8T1hIAWpOiJiHa9rJASDK2UGWji0EuPGBnNLMooyc=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@ -37,78 +33,66 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
-go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
+go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/options/options.go
+++ b/internal/options/options.go
@ -15,7 +15,7 @@ import (
 	"log/slog"
 	"os"

-	"github.com/csaf-poc/csaf_distribution/v3/util"
+	"github.com/gocsaf/csaf/v3/util"

 	"github.com/BurntSushi/toml"
 	"github.com/jessevdk/go-flags"
--- a/util/client.go
+++ b/util/client.go
@ -61,6 +61,11 @@ func (hc *HeaderClient) Do(req *http.Request) (*http.Response, error) {
 			req.Header.Add(key, v)
 		}
 	}
+
+	// Use default user agent if none is set
+	if userAgent := hc.Header.Get("User-Agent"); userAgent == "" {
+		req.Header.Add("User-Agent", "csaf_distribution/"+SemVersion)
+	}
 	return hc.Client.Do(req)
 }