mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 05:40:11 +01:00

Tools to download or provide CSAF2 (Common Security Advisory Framework) documents.

csaf csaf-aggregator csaf-distribution csaf-downloader csaf-trusted-provider mit-license provider-checker security-automation tools

Find a file

Bernhard Reiter d54e211ef3 docs: improve README.md * Deemphazise the old repo link alert. * Add more hints about officially unsupported but possible use as library. solve #634		2025-06-27 09:49:32 +02:00
.github/workflows	Update modver	2025-06-19 14:39:02 +02:00
cmd	Merge pull request #649 from gocsaf/url-join	2025-06-26 08:18:39 +02:00
csaf	Use correct base URL	2025-06-20 16:37:37 +02:00
docs	Extend structured logging usage in aggregator (#622 )	2025-03-19 09:04:19 +01:00
examples	Add example for iterating product id and product helper (#617 )	2025-03-03 17:31:21 +01:00
internal	Use JoinPath	2025-06-19 15:11:45 +02:00
LICENSES	docs: fix licensing info for generated files (#542 )	2024-06-21 14:02:51 +02:00
testdata	Add check for missing either sha256 or sha512 hashes only	2025-01-10 11:42:54 +01:00
util	Update lint (#626 )	2025-03-19 09:39:07 +01:00
.gitignore	refactor: add a .gitignore and include build directory	2022-09-24 19:21:56 +02:00
3rdpartylicenses.md	Add support for remote validation services. (#185 )	2022-06-21 14:47:06 +02:00
go.mod	Upgrade jsonschema to v6	2025-06-12 15:53:39 +02:00
go.sum	Upgrade jsonschema to v6	2025-06-12 15:53:39 +02:00
LICENSE-Apache-2.0.txt	Add Apache 2.0 license to root folder	2024-11-25 14:27:56 +01:00
Makefile	Feat: More explicitely handle which doc files are included in the gnulinux dist	2025-06-24 14:34:44 +02:00
README.md	docs: improve README.md	2025-06-27 09:49:32 +02:00

csaf

Implements a CSAF (specification v2.0 and its errata) trusted provider, checker, aggregator and downloader. Includes an uploader command line tool for the trusted provider.

Tools for users

csaf_downloader

is a tool for downloading advisories from a provider. Can be used for automated forwarding of CSAF documents.

csaf_validator

is a tool to validate local advisories files against the JSON Schema and an optional remote validator.

Tools for advisory providers

csaf_provider

is an implementation of the role CSAF Trusted Provider, also offering a simple HTTPS based management service.

csaf_uploader

is a command line tool to upload CSAF documents to the csaf_provider.

csaf_checker

is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard.

csaf_aggregator

is a CSAF Aggregator, to list or mirror providers.

Use as go library

The modules of this repository can be used as library from other Go applications. ISDuBA does so, for example. But there is only limited support, and thus not officially supported. There are plans to change this without timeline, with a future major release, e.g. see #367.

Initially envisioned as toolbox, it was not constructed as a library, and to name one issue, exposes to many functions. This leads to problems like #634, where we have to accept that with 3.2.0 there was an unintended API change, that we now have to live with.

examples

are small examples of how to use github.com/gocsaf/csaf as an API. Currently this is a work in progress.

Setup

Binaries for the server side are only available and tested for GNU/Linux-Systems, e.g. Ubuntu LTS. They are likely to run on similar systems when build from sources.

The windows binary package only includes csaf_downloader, csaf_validator, csaf_checker and csaf_uploader.

The MacOS binary archives come with the same set of client tools and are community supported. Which means: while they are expected to run fine, they are not at the same level of testing and maintenance as the Windows and GNU/Linux binaries.

Prebuild binaries

Download the binaries from the most recent release assets on Github.

Build from sources

A recent version of Go (1.23+) should be installed. Go installation
Clone the repository git clone https://github.com/gocsaf/csaf.git
Build Go components Makefile supplies the following targets:
- Build for GNU/Linux system: make build_linux
- Build for Windows system (cross build): make build_win
- Build for macOS system on Intel Processor (AMD64) (cross build): make build_mac_amd64
- Build for macOS system on Apple Silicon (ARM64) (cross build): make build_mac_arm64
- Build For GNU/Linux, macOS and Windows: make build
- Build from a specific git tag by passing the intended tag to the BUILDTAG variable. E.g. make BUILDTAG=v1.0.0 build or make BUILDTAG=1 build_linux. The special value 1 means checking out the highest git tag for the build.
- Remove the generated binaries und their directories: make mostlyclean

Binaries will be placed in directories named like bin-linux-amd64/ and bin-windows-amd64/.

Setup (Trusted Provider)

Install nginx
To install a TLS server certificate on nginx see docs/install-server-certificate.md
To configure nginx see docs/provider-setup.md
To configure nginx for client certificate authentication see docs/client-certificate-setup.md

Development

For further details of the development process consult our development page.

Previous repo URLs

Note

To avoid future breakage, if you have csaf-poc in some of your URLs:

Adjust your HTML links.

Adjust your go module paths, see #579.

(This repository was moved here from https://github.com/csaf-poc/csaf_distribution on 2024-10-28. The old one is deprecated and redirection will be switched off somtimes in 2025.)

License

csaf is licensed as Free Software under the terms of the Apache License, Version 2.0.
See the specific source files for details, the license itself can be found in the directory LICENSES/.
Contains third party Free Software components under licenses that to our best knowledge are compatible at time of adding the dependency, 3rdpartylicenses.md has the details.
Check the source file of each schema under /csaf/schema/ to see the source and license of each one.