CSAF Compatability
iainDe opened this issue · comments
Please expand the Common Security Advisory Framework (CSAF) format when generating notes and sharing the notes through the API
Hello @iainDe
Have you seen this case - #19 ?
Limited CSAF output via API is available, we are working with CSAF oasis group members @tschmidtb51 @santosomar to take this forward. The CSAF format is only available for the authenticated end points today with limited information as described in the ticket. You can use our demo site using your API Key to view it https://democert.org/vince/ and see how to get to it.
For e.g., The URL https://kb.cert.org/vince/comm/api/case/636397/csaf/ (using your API Key) will provide CSAF document for VU#636397 for example.
Currently we have some limitations as
- We don't collect
product
names andversion
in a compatible format from each vendor, so we can only use the Vendor Product and Version fields as specified by the researcher/reporter at the time of submitting a case. - We have an update pending moving from generic_csaf will be renamed into csaf_base, still waiting on some review and some more small changes to match recent schema updates
#55 is a related recommendation and feedback we received from Oasis CSAF working group.