Editor revision for TC meeting 2025-01-29 (#861)

* Support multiple purl identifiers in product_identification_helper

This allows a vendor to specify multiple purl identifiers for a single
component (present as a product version branch in the product tree).
Multiple purls may identify the same component but point to different
locations from where that component may be available. Thus, it is mandatory
that if multiple purls are present in a single
product_identification_helper object, they must only differ in their
qualifiers. Otherwise they should be set up as different product
tree branches.

* PURLs

- addresses parts of #774
- assign new test number based on current master branch

* PURLs

- addresses parts of #774, #781, #693
- add `\\` to mask `/` (based on discussion in #693)

* PURLs

- addresses parts of #774, #781
- adapt prose to meet writing style and align with schema

* PURLs

- addresses parts of #774, #781
- sort list entries

* PURLs

- addresses parts of #774, #781, #341
- improve wording
- add valid example

* PURLs

- addresses parts of #774, #781, #341
- improve wording of 6.1.42
- move tests to testfiles
- add invalid examples
- add valid examples
- adapt test schema

* Test 6.1.13

- addresses parts of #774, #781, #341
- add valid example
- add invalid example for oci case (not namespace allowed)

* Fixed nits in participants table

- names and affiliations should match roster
- sorted lines

* Seed Editor revision 2025-01-29

- update dates
- insert new revision for tracking

* ROLIE update

- addresses parts of #677
- add `last_updated` ROLIE section in PMD schema

* ROLIE update

- addresses parts of #677
- adapt examples to reflect change

* Hardware and Software

- addresses parts of #817
- add section about hardware/software separation with example
- add full describe rule

* Nit: incomplete word

* Hardware and Software

- addresses parts of #817
- add optional test to detect potential mixing of hard- and software (6.2.31)
- add invalid example
- add valid examples

* Hardware and Software

- addresses parts of #817
- clarify the informative note about test failure

* Hardware and Software

- addresses parts of review comment of #857
- state linking in vulnerability section as example

* Hardware and Software

- addresses parts of review comment of #857
- soften statement and link to CVE statistics

* Hardware and Software

- addresses parts of review comment of #857
- remove "prohibited" from informative paragraph

* Update csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md

Co-authored-by: tschmidtb51 <[email protected]>

* Candidate rewording of informative text

Feel free to revert ...

* Hardware and Software

- addresses parts of #817
- add optional test to detect multiple same PIH (6.2.32)
- add invalid examples
- add valid examples

* Hardware and Software

- addresses parts of review comment of #857
- remove merge artifact
- clarify text regarding matching

* Hardware and Software

- addresses parts of #817
- add invalid example
- update testcases

* Hardware and Software

- addresses parts of #817
- update testcase schema to add new test 6.2.32

* Editorial

- addresses parts of #841
- correct vers example by removing invalid space

* Editorial

- addresses parts of #841
- update link to vers

* Editorial

- addresses parts of #841
- update count of conformance targets

* Editorial

- addresses parts of #841
- fix refs in date and time (wrong brackets)

* Editorial

- addresses parts of #841
- fix format mistake
- add section 5 to be of relevance for conformance

* Editorial

- addresses parts of #841
- sort guidance on size
- remove obsolete scores from guidance on size

* Editorial

- addresses parts of #841
- update OpenSSL digest list

* Editorial

- addresses parts of #841
- update reference to ISO 8601

* Editorial

- addresses parts of #841
- update SBOM format references

* CWEs

- addresses parts of #530, #841
- rephrase test 6.1.11 and 6.3.4 to clarify the test according to the change to multiple CWEs

* PURLs

- addresses parts of #774, #841
- add conversion rule
- correct JSON path by adding missing `product_identification_helper` part

* Editorial

- addresses parts of #841
- update missing dates
- update CVE link

* Editorial

- addresses parts of #841, #817, #629
- clearly state that additional conventions have to be respected by the consumer

* Suggested edit of CVE reference

* Added missing section entries

* Amended example and section label mappings

* Rendered user facing delivery items

---------

Signed-off-by: Stefan Hagen <[email protected]>
Co-authored-by: Martin Prpič <[email protected]>
Co-authored-by: Stefan Hagen <[email protected]>

csaf_2.1/examples/provider-metadata/example-01-provider-metadata.json

@@ -6,6 +6,7 @@
       "rolie": {
         "feeds": [
           {
+            "last_updated": "2024-01-24T20:20:56.169Z",
             "summary": "All TLP:CLEAR advisories of Example Company.",
             "tlp_label": "CLEAR",
             "url": "https://www.example.com/.well-known/csaf/feed-tlp-clear.json"

csaf_2.1/json_schema/csaf_json_schema.json

@@ -247,13 +247,20 @@
                 "minLength": 1
               }
             },
-            "purl": {
-              "title": "package URL representation",
-              "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
-              "type": "string",
-              "format": "uri",
-              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
-              "minLength": 7
+            "purls": {
+              "title": "List of package URLs",
+              "description": "Contains a list of package URLs (purl).",
+              "type": "array",
+              "minItems": 1,
+              "uniqueItems": true,
+              "items": {
+                "title": "package URL representation",
+                "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
+                "type": "string",
+                "format": "uri",
+                "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
+                "minLength": 7
+              }
             },
             "sbom_urls": {
               "title": "List of SBOM URLs",

csaf_2.1/json_schema/provider_json_schema.json

@@ -115,10 +115,17 @@
                   "description": "Contains information about the ROLIE feed.",
                   "type": "object",
                   "required": [
+                    "last_updated",
                     "tlp_label",
                     "url"
                   ],
                   "properties": {
+                    "last_updated": {
+                      "title": "Last updated",
+                      "description": "Holds the date and time when the feed was last updated.",
+                      "type": "string",
+                      "format": "date-time"
+                    },
                     "summary": {
                       "title": "Summary of the feed",
                       "description": "Contains a summary of the feed.",

csaf_2.1/prose/edit/etc/bind.txt

@@ -72,6 +72,7 @@ tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md
 tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
 tests-01-mndtr-40-invalid-sharing-group-name.md
 tests-01-mndtr-41-missing-sharing-group-name.md
+tests-01-mndtr-42-purl-qualifiers.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

csaf_2.1/prose/edit/etc/example-global-to-local.json

@@ -32,7 +32,6 @@
   "30": "document-property-aggregate-severity-eg-1",
   "31": "document-property-category-eg-1",
   "32": "document-property-distribution-eg-1",
-
   "33": "document-property-distribution-text-eg-1",
   "34": "document-property-distribution-tlp-eg-1",
   "35": "document-property-publisher-contact-details-eg-1",
@@ -52,118 +51,122 @@
   "49": "vulnerabilities-property-ids-eg-2",
   "50": "filename-eg-1",
   "51": "filename-eg-2",
-  "52": "missing-definition-of-product-id-eg-1",
-  "53": "multiple-definition-of-product-id-eg-1",
-  "54": "circular-definition-of-product-id-eg-1",
-  "55": "missing-definition-of-product-group-id-eg-1",
-  "56": "multiple-definition-of-product-group-id-eg-1",
-  "57": "contradicting-product-status-eg-1",
-  "58": "multiple-scores-with-same-version-per-product-eg-1",
-  "59": "invalid-cvss-eg-1",
-  "60": "invalid-cvss-computation-eg-1",
-  "61": "inconsistent-cvss-eg-1",
-  "62": "cwe-eg-1",
-  "63": "language-eg-1",
-  "64": "purl-eg-1",
-  "65": "sorted-revision-history-eg-1",
-  "66": "translator-eg-1",
-  "67": "latest-document-version-eg-1",
-  "68": "document-status-draft-eg-1",
-  "69": "released-revision-history-eg-1",
-  "70": "revision-history-entries-for-pre-release-versions-eg-1",
-  "71": "non-draft-document-version-eg-1",
-  "72": "missing-item-in-revision-history-eg-1",
-  "73": "multiple-definition-in-revision-history-eg-1",
-  "74": "multiple-use-of-same-cve-eg-1",
-  "75": "multiple-definition-in-involvements-eg-1",
-  "76": "multiple-use-of-same-hash-algorithm-eg-1",
-  "77": "prohibited-document-category-name-eg-1",
-  "78": "prohibited-document-category-name-eg-2",
-  "79": "document-notes-eg-1",
-  "80": "document-references-eg-1",
-  "81": "vulnerabilities-for-informational-advisory-eg-1",
-  "82": "product-tree-eg-1",
-  "83": "vulnerability-notes-eg-1",
-  "84": "product-status-eg-1",
-  "85": "vex-product-status-eg-1",
-  "86": "vulnerability-id-eg-1",
-  "87": "impact-statement-eg-1",
-  "88": "action-statement-eg-1",
-  "89": "vulnerabilities-for-security-advisory-or-vex-eg-1",
-  "90": "translation-eg-1",
-  "91": "remediation-without-product-reference-eg-1",
-  "92": "mixed-integer-and-semantic-versioning-eg-1",
-  "93": "version-range-in-product-version-eg-1",
-  "94": "flag-without-product-reference-eg-1",
-  "95": "multiple-flags-with-vex-justification-codes-per-product-eg-1",
-  "96": "mandatory-tests--branches-recursion-depth-eg-1",
-  "97": "contradicting-remediations-eg-1",
-  "98": "contradicting-product-status-remediation-combination-eg-1",
-  "99": "mandatory-tests--date-and-time-eg-1",
-  "100": "non-public-sharing-group-with-max-uuid-eg-1",
-  "101": "public-sharing-group-with-no-max-uuid-eg-1",
-  "102": "invalid-sharing-group-name-eg-1",
-  "103": "missing-sharing-group-name-eg-1",
-  "104": "unused-definition-of-product-id-eg-1",
-  "105": "missing-remediation-eg-1",
-  "107": "missing-metric-eg-1",
-  "108": "build-metadata-in-revision-history-eg-1",
-  "109": "older-initial-release-date-than-revision-history-eg-1",
-  "110": "older-current-release-date-than-revision-history-eg-1",
-  "111": "missing-date-in-involvements-eg-1",
-  "112": "use-of-md5-as-the-only-hash-algorithm-eg-1",
-  "113": "use-of-sha-1-as-the-only-hash-algorithm-eg-1",
-  "114": "missing-tlp-label-eg-1",
-  "115": "missing-canonical-url-eg-1",
-  "116": "missing-document-language-eg-1",
-  "117": "optional-tests--sorting-eg-1",
-  "118": "use-of-private-language-eg-1",
-  "119": "use-of-default-language-eg-1",
-  "120": "missing-product-identification-helper-eg-1",
-  "121": "cve-in-field-ids-eg-1",
-  "122": "product-version-range-without-vers-eg-1",
-  "123": "cvss-for-fixed-products-eg-1",
-  "124": "additional-properties-eg-1",
-  "125": "same-timestamps-in-revision-history-eg-1",
-  "126": "document-tracking-id-in-title-eg-1",
-  "127": "usage-of-deprecated-cwe-eg-1",
-  "128": "usage-of-non-latest-cwe-version-eg-1",
-  "129": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
-  "130": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
-  "131": "discouraged-product-status-remediation-combination-eg-1",
-  "132": "usage-of-max-uuid-eg-1",
-  "133": "usage-of-nil-uuid-eg-1",
-  "134": "usage-of-sharing-group-on-tlp-clear-eg-1",
-  "135": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
-  "136": "use-of-cvss-v3-0-eg-1",
-  "137": "missing-cve-eg-1",
-  "138": "missing-cwe-eg-1",
-  "139": "use-of-short-hash-eg-1",
-  "140": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
-  "141": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
-  "142": "spell-check-eg-1",
-  "143": "branch-categories-eg-1",
-  "144": "usage-of-product-version-range-eg-1",
-  "145": "usage-of-v-as-version-indicator-eg-1",
-  "146": "missing-cvss-v4-0-eg-1",
-  "147": "requirement-7-provider-metadata-json-eg-1",
-  "148": "requirement-8-security-txt-eg-1",
-  "149": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
-  "150": "requirement-11-one-folder-per-year-eg-1",
-  "151": "requirement-12-index-txt-eg-1",
-  "152": "requirement-13-changes-csv-eg-1",
-  "153": "requirement-15-rolie-feed-eg-1",
-  "154": "requirement-16-rolie-service-document-eg-1",
-  "155": "requirement-17-rolie-category-document-eg-1",
-  "156": "requirement-17-rolie-category-document-eg-2",
-  "157": "requirement-17-rolie-category-document-eg-3",
-  "158": "requirement-18-integrity-eg-1",
-  "159": "requirement-18-integrity-eg-2",
-  "160": "requirement-19-signatures-eg-1",
-  "161": "requirement-21-list-of-csaf-providers-eg-1",
-  "162": "requirement-23-mirror-eg-1",
-  "163": "conformance-clause-5-cvrf-csaf-converter-eg-1",
-  "164": "conformance-clause-5-cvrf-csaf-converter-eg-2",
-  "165": "conformance-clause-5-cvrf-csaf-converter-eg-3",
-  "166": "conformance-clause-5-cvrf-csaf-converter-eg-4"
+  "52": "hardware-and-software-within-the-product-tree-eg-1",
+  "53": "missing-definition-of-product-id-eg-1",
+  "54": "multiple-definition-of-product-id-eg-1",
+  "55": "circular-definition-of-product-id-eg-1",
+  "56": "missing-definition-of-product-group-id-eg-1",
+  "57": "multiple-definition-of-product-group-id-eg-1",
+  "58": "contradicting-product-status-eg-1",
+  "59": "multiple-scores-with-same-version-per-product-eg-1",
+  "60": "invalid-cvss-eg-1",
+  "61": "invalid-cvss-computation-eg-1",
+  "62": "inconsistent-cvss-eg-1",
+  "63": "cwe-eg-1",
+  "64": "language-eg-1",
+  "65": "purl-eg-1",
+  "66": "sorted-revision-history-eg-1",
+  "67": "translator-eg-1",
+  "68": "latest-document-version-eg-1",
+  "69": "document-status-draft-eg-1",
+  "70": "released-revision-history-eg-1",
+  "71": "revision-history-entries-for-pre-release-versions-eg-1",
+  "72": "non-draft-document-version-eg-1",
+  "73": "missing-item-in-revision-history-eg-1",
+  "74": "multiple-definition-in-revision-history-eg-1",
+  "75": "multiple-use-of-same-cve-eg-1",
+  "76": "multiple-definition-in-involvements-eg-1",
+  "77": "multiple-use-of-same-hash-algorithm-eg-1",
+  "78": "prohibited-document-category-name-eg-1",
+  "79": "prohibited-document-category-name-eg-2",
+  "80": "document-notes-eg-1",
+  "81": "document-references-eg-1",
+  "82": "vulnerabilities-for-informational-advisory-eg-1",
+  "83": "product-tree-eg-1",
+  "84": "vulnerability-notes-eg-1",
+  "85": "product-status-eg-1",
+  "86": "vex-product-status-eg-1",
+  "87": "vulnerability-id-eg-1",
+  "88": "impact-statement-eg-1",
+  "89": "action-statement-eg-1",
+  "90": "vulnerabilities-for-security-advisory-or-vex-eg-1",
+  "91": "translation-eg-1",
+  "92": "remediation-without-product-reference-eg-1",
+  "93": "mixed-integer-and-semantic-versioning-eg-1",
+  "94": "version-range-in-product-version-eg-1",
+  "95": "flag-without-product-reference-eg-1",
+  "96": "multiple-flags-with-vex-justification-codes-per-product-eg-1",
+  "97": "mandatory-tests--branches-recursion-depth-eg-1",
+  "98": "contradicting-remediations-eg-1",
+  "99": "contradicting-product-status-remediation-combination-eg-1",
+  "100": "mandatory-tests--date-and-time-eg-1",
+  "101": "non-public-sharing-group-with-max-uuid-eg-1",
+  "102": "public-sharing-group-with-no-max-uuid-eg-1",
+  "103": "invalid-sharing-group-name-eg-1",
+  "104": "missing-sharing-group-name-eg-1",
+  "105": "purl-qualifiers-eg-1",
+  "106": "unused-definition-of-product-id-eg-1",
+  "107": "missing-remediation-eg-1",
+  "108": "missing-metric-eg-1",
+  "109": "build-metadata-in-revision-history-eg-1",
+  "110": "older-initial-release-date-than-revision-history-eg-1",
+  "111": "older-current-release-date-than-revision-history-eg-1",
+  "112": "missing-date-in-involvements-eg-1",
+  "113": "use-of-md5-as-the-only-hash-algorithm-eg-1",
+  "114": "use-of-sha-1-as-the-only-hash-algorithm-eg-1",
+  "115": "missing-tlp-label-eg-1",
+  "116": "missing-canonical-url-eg-1",
+  "117": "missing-document-language-eg-1",
+  "118": "optional-tests--sorting-eg-1",
+  "119": "use-of-private-language-eg-1",
+  "120": "use-of-default-language-eg-1",
+  "121": "missing-product-identification-helper-eg-1",
+  "122": "cve-in-field-ids-eg-1",
+  "123": "product-version-range-without-vers-eg-1",
+  "124": "cvss-for-fixed-products-eg-1",
+  "125": "additional-properties-eg-1",
+  "126": "same-timestamps-in-revision-history-eg-1",
+  "127": "document-tracking-id-in-title-eg-1",
+  "128": "usage-of-deprecated-cwe-eg-1",
+  "129": "usage-of-non-latest-cwe-version-eg-1",
+  "130": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
+  "131": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
+  "132": "discouraged-product-status-remediation-combination-eg-1",
+  "133": "usage-of-max-uuid-eg-1",
+  "134": "usage-of-nil-uuid-eg-1",
+  "135": "usage-of-sharing-group-on-tlp-clear-eg-1",
+  "136": "hardware-and-software-eg-1",
+  "137": "use-of-same-product-identification-helper-for-different-products-eg-1",
+  "138": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
+  "139": "use-of-cvss-v3-0-eg-1",
+  "140": "missing-cve-eg-1",
+  "141": "missing-cwe-eg-1",
+  "142": "use-of-short-hash-eg-1",
+  "143": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
+  "144": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
+  "145": "spell-check-eg-1",
+  "146": "branch-categories-eg-1",
+  "147": "usage-of-product-version-range-eg-1",
+  "148": "usage-of-v-as-version-indicator-eg-1",
+  "149": "missing-cvss-v4-0-eg-1",
+  "150": "requirement-7-provider-metadata-json-eg-1",
+  "151": "requirement-8-security-txt-eg-1",
+  "152": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
+  "153": "requirement-11-one-folder-per-year-eg-1",
+  "154": "requirement-12-index-txt-eg-1",
+  "155": "requirement-13-changes-csv-eg-1",
+  "156": "requirement-15-rolie-feed-eg-1",
+  "157": "requirement-16-rolie-service-document-eg-1",
+  "158": "requirement-17-rolie-category-document-eg-1",
+  "159": "requirement-17-rolie-category-document-eg-2",
+  "160": "requirement-17-rolie-category-document-eg-3",
+  "161": "requirement-18-integrity-eg-1",
+  "162": "requirement-18-integrity-eg-2",
+  "163": "requirement-19-signatures-eg-1",
+  "164": "requirement-21-list-of-csaf-providers-eg-1",
+  "165": "requirement-23-mirror-eg-1",
+  "166": "conformance-clause-5-cvrf-csaf-converter-eg-1",
+  "167": "conformance-clause-5-cvrf-csaf-converter-eg-2",
+  "168": "conformance-clause-5-cvrf-csaf-converter-eg-3",
+  "169": "conformance-clause-5-cvrf-csaf-converter-eg-4"
 }