mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Tools to download or provide CSAF2 (Common Security Advisory Framework) documents.
Sascha L. Teichmann e4c2c00879
Merge pull request #137 from csaf-poc/fix-locating-providermetadata
Fix path for locating provider-metadata.json
2022-05-17 12:56:56 +02:00
.github/workflows Add checker results as GH artifact for integration test 2022-05-17 10:18:50 +02:00
cmd Fix path for locating provider-metadata.json 2022-05-17 12:54:14 +02:00
csaf Add Comment 2022-05-16 11:27:09 +02:00
docs Add checker results as GH artifact for integration test 2022-05-17 10:18:50 +02:00
LICENSES Add MIT licensing text 2021-12-10 09:07:35 +01:00
util Add aggregator; improve itest workflow 2022-05-10 18:12:38 +02:00
3rdpartylicenses.md Add aggregator; improve itest workflow 2022-05-10 18:12:38 +02:00
go.mod Add aggregator; improve itest workflow 2022-05-10 18:12:38 +02:00
go.sum Add aggregator; improve itest workflow 2022-05-10 18:12:38 +02:00
Makefile Improve documentation and its structure 2022-05-13 11:04:38 +02:00
README.md Improve documentation and its structure 2022-05-13 11:04:38 +02:00

csaf_distribution

A proof of concept implementation of a CSAF 2.0 trusted provider, checker and aggregator. Includes an uploader command line tool for the trusted provider.

Status: Alpha (all planned functionality, but known defects, see issues.)

csaf_provider

is an implementation of the role CSAF Trusted Provider, also offering a simple HTTPS-based management service.

csaf_uploader

is a command line tool that uploads CSAF documents to the csaf_provider.

csaf_aggregator

is an implementation of the role CSAF Aggregator.

csaf_checker

is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard.

Setup

Note that the server side is only tested, and binaries are only available, for GNU/Linux systems, e.g. Ubuntu LTS. It is likely to run on similar systems when built from sources.

The Windows binaries only include csaf_uploader and csaf_checker.

Prebuilt binaries

Download the binaries (from the most recent release assets on GitHub).

Build from sources

  • A recent version of Go (1.17+) should be installed. See the Go installation instructions.

  • Clone the repository: git clone https://github.com/csaf-poc/csaf_distribution.git

  • Build the Go components. The Makefile supplies the following targets:

    • Build for GNU/Linux systems: make build_linux
    • Build for Windows systems (cross build): make build_win
    • Build for both Linux and Windows: make build
    • Build from a specific GitHub tag by passing the intended tag to the BUILDTAG variable, e.g. make BUILDTAG=v1.0.0 build or make BUILDTAG=1 build_linux. The special value 1 means checking out the highest GitHub tag for the build.
    • Remove the generated binaries and their directories: make mostlyclean

Binaries will be placed in directories named like bin-linux-amd64/ and bin-windows-amd64/.

Setup (Trusted Provider)

License

  • csaf_distribution is licensed as Free Software under MIT License.

  • See the specific source files for details; the license itself can be found in the directory LICENSES/.

  • Contains third-party Free Software components under licenses that, to our best knowledge, are compatible at the time of adding the dependency; 3rdpartylicenses.md has the details.

  • Check the source file of each schema under /csaf/schema/ to see the source and license of each one.