* Add badROLIEfeed as Topic Message
* Use badROLIEfeed to guarantee existent TLP labels White, Green or unlabeled. (Test not implemented)
* syntax
* Formatting
* Add Tlp check, completion struct
* Add mismatch to completion, add function checkCompletion to fill mismatch and also give an error if invalid tlp levels have been used
* formatting
* Add function to remove incomplete csaf feeds from list of complete csaf feeds for a given tlp level
* Add checkSummary function that checks whether a given feed would qualify as summary feed between all currently checked feeds
* Add completed check of tlp levels
* Add checks for correct hashes and signatures in ROLIE feed
* formatting
* Add rolieFeedReporter functionality
* fix typo
* Add todo, add return values to functions
* Switch error, ... return value so error returns last
* Fix typo
* Remove hash/sig checks that don't work, improve ROLIE message
* Add handling for advisories without tlp level
* Formatting
* Clean up rolie checks.
* Started with simplifying rolie checking
* Every ROLIE with data should have a summary.
* Clean up ROLIE feed label checker.
* if no TLP level can be extracted, return Unlabeled, not WHITE
* Add handling of advisories whose tlp exists, but has no label
* Also check TLP Red for completeness
* Only remove advisory from remain when it has exactly the right tlp color.
* Fix import in new rolie feed checker.
* Update comment to reflect current functionality
* Accept advisory of lesser tlp color in feed as completing.
* Collect advisory labels from advisories.
* Clarify that if no summary feed was found, it may exist but be either not listed or not accessible.
* Do not clone advisory lookup before.
* Move rolie check code to respective file.

---------

Co-authored-by: JanHoefelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: JanHoefelmeyer <hoefelmeyer.jan@gmail.com>

- .github/workflows
- cmd
- csaf
- docs
- LICENSES
- util
- .gitignore
- 3rdpartylicenses.md
- go.mod
- go.sum
- Makefile
- README.md

csaf_distribution
An implementation of a CSAF 2.0 trusted provider, checker, aggregator and downloader. Includes an uploader command line tool for the trusted provider.
csaf_provider is an implementation of the role CSAF Trusted Provider, also offering a simple HTTPS based management service.
csaf_uploader is a command line tool that uploads CSAF documents to the csaf_provider.
csaf_aggregator is an implementation of the role CSAF Aggregator.
csaf_checker is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard. It checks the requirements without yet considering the indicated role.
csaf_downloader is a tool for downloading advisories from a provider.
csaf_validator is a tool to validate local advisory files against the JSON Schema and an optional remote validator.
Setup
Note that binaries for the server side are only available and tested for GNU/Linux systems, e.g. Ubuntu LTS. They are likely to run on similar systems when built from sources.
The Windows binary package only includes csaf_downloader, csaf_validator, csaf_checker and csaf_uploader.
Prebuilt binaries
Download the binaries from the most recent release assets on GitHub.
Build from sources
- A recent version of Go (1.20+) should be installed. Go installation
- Clone the repository:
  git clone https://github.com/csaf-poc/csaf_distribution.git
- Build Go components. Makefile supplies the following targets:
  - Build for GNU/Linux systems: make build_linux
  - Build for Windows systems (cross build): make build_win
  - Build for both Linux and Windows: make build
  - Build from a specific GitHub tag by passing the intended tag to the BUILDTAG variable. E.g. make BUILDTAG=v1.0.0 build or make BUILDTAG=1 build_linux. The special value 1 means checking out the highest GitHub tag for the build.
  - Remove the generated binaries and their directories: make mostlyclean
Binaries will be placed in directories named like bin-linux-amd64/ and bin-windows-amd64/.
Setup (Trusted Provider)
- Install nginx
- To install a TLS server certificate on nginx see docs/install-server-certificate.md
- To configure nginx see docs/provider-setup.md
- To configure nginx for client certificate authentication see docs/client-certificate-setup.md
License
- csaf_distribution is licensed as Free Software under MIT License.
- See the specific source files for details, the license itself can be found in the directory LICENSES/.
- Contains third party Free Software components under licenses that to our best knowledge are compatible at time of adding the dependency, 3rdpartylicenses.md has the details.
- Check the source file of each schema under /csaf/schema/ to see the source and license of each one.