CWEs, CWE version and CWE Weakness clarification #738

Merged
merged 16 commits into from
Jun 17, 2024

Conversation

tschmidtb51
Contributor

  • addresses parts of Add version to CWE #660
    • add version as new required field to cwe
    • adapt prose, testdata and examples to reflect schema
    • add conversion rules
    • add invalid examples for 6.1.11
    • add valid examples for 6.1.11
  • addresses parts of Conformance target CVRF CSAF converter #154
    • state explicitly how to handle CWE categories and views
    • explicitly state in 6.1.11 that CWE Views and Categories are not valid
    • add conversion rule
  • addresses parts of Handling vulnerabilities with multiple CWEs #530
    • wrap CWE into a list to allow multiple CWEs per vulnerability
    • adapt prose, testdata and examples to reflect schema
    • add conversion rules
    • remove CVRF conversion rule (not needed anymore)
  • adapt guidance on size
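The following is an added example, not code from the CSAF project or from this PR: a check in the spirit of the changed test 6.1.11 as the description above summarises it, run over `/vulnerabilities[]/cwes[]` of a CSAF 2.1 document, plus the list-wrapping half of the CSAF 2.0 to 2.1 conversion. Assumptions that are not stated on this page: the entry field names `id`, `name` and `version`; the tiny CWE catalogue, which is a constructed stand-in for the MITRE CWE export of a given version; and that the caller supplies the CWE version to stamp on a converted 2.0 `cwe` object (the PR only says a conversion rule exists, not what it contains).

```python
"""Added example (not CSAF project code): a 6.1.11-style check over
/vulnerabilities[]/cwes[] and a CSAF 2.0 -> 2.1 list-wrapping helper.

Assumptions not taken from the PR: field names id/name/version inside each
cwes[] entry; the constructed CWE catalogue below; the converter's version
argument being chosen by the caller.
"""
import re

# Constructed subset of the CWE catalogue: CWE version -> {CWE-ID: (name, kind)}.
# `kind` mirrors the three entry types of the CWE export: Weakness, Category, View.
# Per the PR, only Weaknesses are acceptable in cwes[]; Views and Categories are not.
CWE_CATALOGUE = {
    "4.13": {
        "CWE-20": ("Improper Input Validation", "Weakness"),
        "CWE-79": ("Improper Neutralization of Input During Web Page Generation "
                   "('Cross-site Scripting')", "Weakness"),
        "CWE-310": ("Cryptographic Issues", "Category"),
        "CWE-1000": ("Research Concepts", "View"),
    },
}

CWE_ID_RE = re.compile(r"^CWE-[1-9][0-9]*$")


def check_cwes(doc, catalogue=CWE_CATALOGUE):
    """Return a list of findings for /vulnerabilities[]/cwes[]; empty == pass."""
    findings = []
    for vi, vuln in enumerate(doc.get("vulnerabilities", [])):
        for ci, cwe in enumerate(vuln.get("cwes", [])):
            path = f"/vulnerabilities/{vi}/cwes/{ci}"
            missing = [k for k in ("id", "name", "version") if k not in cwe]
            if missing:
                findings.append(f"{path}: missing required field(s): {', '.join(missing)}")
                continue
            cid, name, version = cwe["id"], cwe["name"], cwe["version"]
            if not CWE_ID_RE.match(cid):
                findings.append(f"{path}/id: {cid!r} is not a CWE-ID")
                continue
            entries = catalogue.get(version)
            if entries is None:
                findings.append(f"{path}/version: unknown CWE version {version!r}")
                continue
            entry = entries.get(cid)
            if entry is None:
                findings.append(f"{path}/id: {cid} does not exist in CWE version {version}")
                continue
            cat_name, kind = entry
            if kind != "Weakness":
                findings.append(f"{path}/id: {cid} is a CWE {kind}, not a Weakness")
            if name != cat_name:
                findings.append(f"{path}/name: {name!r} does not match catalogue name {cat_name!r}")
    return findings


def wrap_cwe_2_0(vuln, version):
    """Wrap a CSAF 2.0 vulnerability's single `cwe` object into the 2.1 `cwes` list.
    The `version` value is supplied by the caller (assumption, see module docstring)."""
    converted = dict(vuln)
    cwe = converted.pop("cwe", None)
    if cwe is not None:
        converted["cwes"] = [dict(cwe, version=version)]
    return converted


# Constructed sample input: one document that should pass and one that should not.
VALID_DOC = {"vulnerabilities": [{"cwes": [
    {"id": "CWE-79", "name": CWE_CATALOGUE["4.13"]["CWE-79"][0], "version": "4.13"},
    {"id": "CWE-20", "name": "Improper Input Validation", "version": "4.13"},
]}]}

INVALID_DOC = {"vulnerabilities": [{"cwes": [
    {"id": "CWE-1000", "name": "Research Concepts", "version": "4.13"},   # View
    {"id": "CWE-310", "name": "Cryptographic Issues", "version": "4.13"},  # Category
    {"id": "CWE-79", "name": "Cross-site Scripting"},                      # no version
    {"id": "CWE-20", "name": "Improper Input Validation", "version": "3.0"},  # unknown version
]}]}

# Constructed CSAF 2.0 vulnerability with the old single `cwe` object.
CSAF_2_0_VULN = {"cwe": {"id": "CWE-20", "name": "Improper Input Validation"}}

if __name__ == "__main__":
    for f in check_cwes(INVALID_DOC):
        print(f)
    print(check_cwes({"vulnerabilities": [wrap_cwe_2_0(CSAF_2_0_VULN, "4.13")]}))
```

The check reports one finding per offending entry rather than stopping at the first, which is what a producer fixing an advisory wants; the catalogue lookup is keyed by the entry's own `version` so that a CWE-ID which only exists in a newer CWE release is flagged rather than silently accepted.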

- addresses parts of oasis-tcs#660
- add `version` as new required field to `cwe`
- addresses parts of oasis-tcs#660
- adapt prose to reflect schema
- add CSAF 2.0 to CSAF 2.1 conversion rule
- copy conversion rule to CVRF CSAF converter
- addresses parts of oasis-tcs#660
- adapt testdata to reflect current version of the schema
- adapt examples to reflect current version of the schema
- addresses parts of oasis-tcs#660
- add invalid examples for 6.1.11
- add valid examples for 6.1.11
- explicitly state in 6.1.11 that CWE Views and Categories are not valid
- addresses parts of oasis-tcs#154
- state explicitly how to handle CWE categories and views
- addresses parts of oasis-tcs#530
- wrap CWE into a list to allow multiple CWEs per vulnerability
- addresses parts of oasis-tcs#530, oasis-tcs#154
- adapt prose to reflect schema
- remove conversion rule for CVRF CSAF converter
- reorder CVRF CSAF converter rules regarding CWEs
- clarify warning regarding conversion of CWE category and view
- addresses parts of oasis-tcs#530
- adapt test 6.1.11 to reflect schema
- addresses parts of oasis-tcs#530
- adapt examples to reflect schema
- adapt testdata to reflect schema
- addresses parts of oasis-tcs#530, oasis-tcs#660
- add `/vulnerabilities[]/cwes[]/version` to guidance on size
- add `/vulnerabilities[]/cwes` to guidance on size
- adapt paths to match schema
@tschmidtb51 tschmidtb51 added the csaf 2.1 csaf 2.1 work label May 25, 2024
@tschmidtb51 tschmidtb51 requested a review from sthagen May 25, 2024 18:41
@tschmidtb51 tschmidtb51 self-assigned this May 25, 2024
- addresses parts of oasis-tcs#530
- add invalid example for 6.1.11
- add valid example for 6.1.11
Contributor

@sthagen sthagen left a comment


I think we should consider extending the cwe collector more directly and allowing the external IDs (CWE IDs) to be keys in an object.

- addresses review comment from oasis-tcs#738
- clarify that invalid CWEs MUST be omitted
- use RFC 2119 language
- addresses review comment from oasis-tcs#738
- convert abbreviation back to singular (from plural)
@tschmidtb51 tschmidtb51 requested a review from sthagen May 27, 2024 09:10
@tschmidtb51
Contributor Author

@sthagen Thank you for the review. Please see my comments.

@tschmidtb51 tschmidtb51 marked this pull request as draft May 27, 2024 21:05
@tschmidtb51
Contributor Author

As we are still discussing the possible solutions, I set this back to draft.

- addresses review comment from oasis-tcs#738
- clarify that an order of CWEs is expected
@tschmidtb51
Contributor Author

@sthagen Please see the suggested wording regarding the order of CWEs.

@tschmidtb51
Contributor Author

@mprpic Please review as well.

Contributor

@sthagen sthagen left a comment


Ship it! 😁

- addresses review comment from oasis-tcs#738
- simplify the statement of ordered CWEs

Co-authored-by: Martin Prpič <[email protected]>
@tschmidtb51 tschmidtb51 requested a review from mprpic May 31, 2024 21:21
@tschmidtb51 tschmidtb51 added motion This item has a motion pending labels May 31, 2024
@tschmidtb51 tschmidtb51 marked this pull request as ready for review May 31, 2024 21:24
@santosomar
Contributor

The motion to accept the pull request #738 "CWEs, CWE version and CWE Weakness clarification" as suggested in github.com//pull/738 and include it into CSAF 2.1, has passed. It automatically carried on 2024-06-07 23:00 UTC.
https://groups.oasis-open.org/discussion/motion-for-738

@tschmidtb51 tschmidtb51 added motion_passed A motion has passed and removed motion This item has a motion pending labels Jun 17, 2024
@tschmidtb51 tschmidtb51 merged commit 40a2236 into oasis-tcs:editor-revision-2024-05-29 Jun 17, 2024
5 checks passed
@tschmidtb51 tschmidtb51 removed the motion_passed A motion has passed label Jun 17, 2024
Labels
csaf 2.1 csaf 2.1 work
4 participants