From 72917c1732ee68e15eddb80acd8ba44b5263cdf3 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 4 Nov 2024 10:31:10 +0100 Subject: [PATCH 01/49] Editor Revision 2024-11-27 - update dates - insert new revision for tracking --- csaf_2.1/prose/edit/src/frontmatter.md | 4 ++-- csaf_2.1/prose/edit/src/revision-history.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index fa74a710c..bb09f4017 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 30 October 2024 +## 27 November 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 525db7592..7e7744c44 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md 
@@ -19,5 +19,6 @@ toc: | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- From 64c4af2eb6a967d7f591af1d97a787169aa6283e Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 4 Nov 2024 16:09:10 +0100 Subject: [PATCH 02/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add `sharing_group` to JSON schema --- csaf_2.1/json_schema/csaf_json_schema.json | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index ec1d90fa2..1319a9039 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json 
@@ -581,6 +581,37 @@ "tlp" ], "properties": { + "sharing_group": { + "title": "Sharing Group", + "description": "Contains information about the group this document is intended to be shared with.", + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "title": "Sharing Group ID", + "description": "Provides the unique ID for the sharing group.", + "type": "string", + "format": "uuid", + "pattern": "^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$" + }, + "name": { + "title": "Sharing Group Name", + "description": "Contains a human-readable name for the sharing group.", + "type": "string", + "minLength": 1, + "examples": [ + "Customer A", + "ISAC members", + "NIS2 regulated important entities in Germany, sector water", + "Pre-Sharing group for advisory discussion", + "Users of Product A", + "US Federal Civilian Authorities" + ] + } + } + }, "text": { "title": "Textual description", "description": "Provides a textual description of additional constraints.", From 60a460be7fcce4e8fc272119c234b48363971668 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:08:22 +0100 Subject: [PATCH 03/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - adapt prose to reflect sharing group changes - add RFC 9562 to normative references - add RFC 4122 to informative references --- .../introduction-03-normative-references.md | 3 + .../introduction-04-informative-references.md | 3 + .../schema-elements-02-props-02-document.md | 76 ++++++++++++++++++- 3 files changed, 80 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md index ea6e9114e..d90250dbc 100644 --- a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md 
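Review bot: The `pattern` on `sharing_group.id` fixes the version nibble to `4` but leaves the variant nibble open, because the fourth group is plain `[0-9a-f]{4}`. An ID whose fourth group starts with `0`–`7` or `c`–`f` therefore passes, although it is not a version 4 UUID of the RFC 9562 variant. In validators that treat `"format": "uuid"` as an annotation, the pattern is the only effective check, so I would tighten that group to `[89ab][0-9a-f]{3}`. As a style point, `[0]{8}`, `[0]{4}`, `[f]{8}` and `[f]{4}` read more easily as `0{8}`, `0{4}`, `f{8}` and `f{4}`. The enclosing `distribution` object starts and ends outside this hunk, so I cannot see whether its sibling objects are closed with `additionalProperties`.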
@@ -29,3 +29,6 @@ RFC8174 RFC8259 : T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, . + +RFC9562 +: Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, . diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md index 7794ee2fb..a13b34f08 100644 --- a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md @@ -69,6 +69,9 @@ RFC3552 RFC3986 : Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . +RFC4122 +: Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . + RFC4880 : Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, . diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index b271922bb..00daba80c 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
@@ -136,12 +136,15 @@ The single valid value for this `enum` is: #### Document Property - Distribution Rules for sharing document (`distribution`) of value type `object` with the mandatory property Traffic Light Protocol (TLP) (`tlp`) and the -optional property Text (`text`) describes any constraints on how this document might be shared. +optional properties Sharing Group (`Sharing Group`) and Text (`text`) describes any constraints on how this document might be shared. ``` "distribution": { // ... "properties": { + "sharing_group": { + // ... + }, "text": { // ... }, 
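Review bot: The rewritten sentence puts the display name in the code span, `Sharing Group`, where the other two properties give the JSON key (`tlp`, `text`). The schema fragment added a few lines below uses the key `sharing_group`, so a reader copying the name from the sentence gets a property that does not exist. The parenthesis should read `sharing_group`. The section starts above the hunk.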
@@ -152,7 +155,76 @@ optional property Text (`text`) describes any constraints on how this document m }, ``` -If both values are present, the TLP information SHOULD be preferred as this aids in automation. +If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. +The Sharing Group SHALL be interpreted as specification to the TLP information. +Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: + +*Examples 1:* + +``` + Only releasable to European Energy sector + E-ISAC members-only + Releasable to NATO countries +``` + +> Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. + +##### Document Property - Distribution - Sharing Group + +Sharing Group (`sharing_group`) of value type `object` with the mandatory property Sharing Group ID (`id`) and +the optional property Sharing Group Name (`name`) contains information about the group this document is intended to be shared with. + +``` + "sharing_group": { + // ... + "properties": { + "id": { + // ... + }, + "name": { + // ... + } + } + }, +``` + +Sharing Group ID (`id`) of value type `string` with format `uuid` and `pattern` (regular expression): + +``` + ^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$ +``` + +Sharing Group ID provides the unique ID for the sharing group. +This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, +e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. + +> Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. +> Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. 
+ +The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. +It MUST differ if a different sharing group is addressed. + +The ID SHALL be valid according to [cite](#RFC9562) and recorded in the 8-4-4-4-12 notation in lower case. +The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. `TLP:GREEN` and above. + +The following ID values SHOULD NOT be used unless there are technical reasons for them. +Therefore, they are reserved for implementation-specific situations: + +- A system MAY use the Max UUID for `TLP:CLEAR` CSAF documents. + > For example, the system uses the UUID as an indication whether a user allowed to see the document. + > The security considerations from [cite](#RFC9562) should be reflected on. +- A system MAY use the Nil UUID for CSAF documents that MUST NOT be shared. + > For example, the CSAF document is just being drafted and the accidental leakage should be prevented. + +> Note, that both values do not indicate a closed sharing group. + +A CSAF document with `TLP:CLEAR` SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (`ffffffff-ffff-ffff-ffff-ffffffffffff`). + +Sharing Group Name (`name`) of value type `string` with one or more characters contains a human-readable name for the sharing group. + +The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. +For the Max UUID, the value of `name` SHALL exist and be `Public`. +For the Nil UUID, the value of `name` SHALL exist and be `No Sharing allowed`. ##### Document Property - Distribution - Text From 02ae5ba138fbfdd1dc7760a34079b07b46de315d Mon Sep 17 00:00:00 2001 
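Review bot: The blockquoted note after Examples 1 states requirements in capitals (`the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs`), while the same hunk later says `The Sharing Group Name is optional`. If blockquotes are informative in this specification, either move the requirement into the normative paragraph or lower-case the keywords, so an implementer knows whether a missing name is an error. The Max UUID example also says a system may use the UUID as an indication of whether a user may see the document, and then points to the RFC 9562 security considerations without saying which one applies. Since the ID travels inside every document sent to the group, I would state directly that the ID identifies the group and does not by itself authorise access. In the same example, `whether a user allowed to see` is missing `is`.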
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:39:32 +0100 Subject: [PATCH 04/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add mandatory test to prevent usage of Max UUID in other TLP than CLEAR - add invalid examples - add valid examples - adapt testcases list and schema --- ...-non-public-sharing-group-with-max-uuid.md | 25 +++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json | 36 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json | 36 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json | 36 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json | 36 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json | 36 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json | 35 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json | 36 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json | 32 ++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json | 36 +++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 44 +++++++++++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 12 files changed, 389 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json create mode 
100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md new file mode 100644 index 000000000..b281d1db9 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md @@ -0,0 +1,25 @@ +### Non-Public Sharing Group with Max UUID + +It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label `CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/tlp/label +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "RED" + } + }, +``` + +> The sharing group uses the Max UUID but the CSAF document is labeled as `TLP:RED`. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json new file mode 100644 index 000000000..771130e98 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json 
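Review bot: The new test text checks one direction only, that a Max UUID implies the label `CLEAR`. The prose added to `schema-elements-02-props-02-document.md` earlier in this series also says a `TLP:CLEAR` document SHALL NOT contain any Sharing Group ID other than the Max UUID, and none of the patches visible here tests that converse. If it is meant to be mandatory, it needs its own test or a second condition in this one, with a failing example of a version 4 UUID under `CLEAR`. The relevant path lists only `/document/distribution/tlp/label` although the check also reads `/document/distribution/sharing_group/id`; I would list both.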
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json
new file mode 100644
index 000000000..a717d6036
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "AMBER+STRICT"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json
new file mode 100644
index 000000000..fdc9774b0
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json
new file mode 100644
index 000000000..0fda4fdf2
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json
new file mode 100644
index 000000000..0a621afeb
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json
new file mode 100644
index 000000000..a88c2c2d2
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "AMBER+STRICT"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json
new file mode 100644
index 000000000..5de4604d1
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "234efd7a-a3a1-4897-8296-633d5d37659c",
+ "name": "Example Sharing Group 3"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json
new file mode 100644
index 000000000..3dad85df9
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-14",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json
new file mode 100644
index 000000000..074d3c37f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 5)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-15",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index a1d19886a..2c56db1d4 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1096,6 +1096,50 @@ } ] }, + { + "id": "6.1.39", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 567312972..ace987880 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69]))$" }, "valid": { "title": "List of valid examples", From 71bbbd2665c76ba04415139b5ecb132f0213b5f3 Mon Sep 17 00:00:00 2001 
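Review bot: In the `testcases_json_schema.json` hunk, the widened class `1\\.3[0-69]` admits `6.1.39` but still rejects `6.1.37` and `6.1.38`, which is easy to misread as the range 30 to 39. If those two numbers are deliberately unassigned on this branch, that is fine, but it is not stated anywhere in the hunk. The diffstat of the next patch shows this same line being edited by hand again. I would extend the `description` with a sentence such as `Only test numbers that exist in the specification are accepted; extend the pattern when a test is added.` so the gap is visibly intentional.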
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:14:13 +0100 Subject: [PATCH 05/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add mandatory test to prevent usage of reserved names - improve wording - add invalid examples - add valid examples - adapt testcases list and schema --- .../schema-elements-02-props-02-document.md | 6 ++-- ...-01-mndtr-40-invalid-sharing-group-name.md | 23 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json | 36 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 24 +++++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 8 files changed, 196 insertions(+), 3 deletions(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 00daba80c..614018bd3 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
@@ -223,8 +223,10 @@ A CSAF document with `TLP:CLEAR` SHOULD NOT contain a sharing group value and SH Sharing Group Name (`name`) of value type `string` with one or more characters contains a human-readable name for the sharing group. The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. -For the Max UUID, the value of `name` SHALL exist and be `Public`. -For the Nil UUID, the value of `name` SHALL exist and be `No Sharing allowed`. +However, the following values are reserved for the conditions below: + +- For the Max UUID, the value of `name` SHALL exist and be `Public`. +- For the Nil UUID, the value of `name` SHALL exist and be `No sharing allowed`. ##### Document Property - Distribution - Text diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md new file mode 100644 index 000000000..f8dd880d1 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md @@ -0,0 +1,23 @@ +### Invalid Sharing Group Name + +It MUST be tested that the value of sharing group name does not equal the reserved values from section [#cite](document-property---distribution---sharing-group) if the precondition is not fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group name is `Public` but it does not use the Max UUID. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json new file mode 100644 index 000000000..eba1bc0b3 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json 
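Review bot: In the new `tests-01-mndtr-40-invalid-sharing-group-name.md`, the test covers only a reserved name used without its UUID. The rule reworded in this same patch also requires the opposite (`For the Max UUID, the value of name SHALL exist and be Public`, and likewise for the Nil UUID), and neither the test sentence nor the example covers a Max or Nil UUID with a missing or different name. `if the precondition is not fulfilled` should name the precondition: that `Public` is allowed only with the Max UUID and `No sharing allowed` only with the Nil UUID. The link `[#cite](document-property---distribution---sharing-group)` has the `#` in the link text rather than the target, unlike `[cite](#RFC9562)` used earlier in this series, so it likely does not resolve.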
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json
new file mode 100644
index 000000000..e96a3e9be
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json
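Review bot: The failing fixture `oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json` breaks two rules at once. It pairs the reserved name `Public` with a version 4 UUID, and it carries a non-Max Sharing Group ID under `"label": "CLEAR"`, which the prose added earlier in this series forbids for `TLP:CLEAR`. A validator could therefore reject the file for the second reason without implementing the name check that 6.1.40 is meant to exercise. Switching to a closed label, for example `"label": "GREEN"`, isolates the condition under test.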
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json
new file mode 100644
index 000000000..6f1416409
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json
new file mode 100644
index 000000000..d6dab838c
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "sharing_group": { + "id": "00000000-0000-0000-0000-000000000000", + "name": "No sharing allowed" + }, + "tlp": { + "label": "RED" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Invalid Sharing Group Name (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "draft", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 2c56db1d4..bf69c6330 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1140,6 +1140,30 @@ } ] }, + { + "id": "6.1.40", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index ace987880..f2aa3faff 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json 
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0]))$" }, "valid": { "title": "List of valid examples", From 077fc244a9d37368be081fd25d23544f1d2460f4 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:56:46 +0100 Subject: [PATCH 06/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add mandatory test to prevent usage other UUID than Max UUID in TLP:CLEAR - add invalid examples - add valid examples - adapt testcases list and schema --- ...1-public-sharing-group-with-no-max-uuid.md | 25 +++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json | 35 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json | 36 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 24 +++++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 7 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json 
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md
new file mode 100644
index 000000000..c52269b90
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md
@@ -0,0 +1,25 @@
+### Public Sharing Group with no Max UUID
+
+It MUST be tested that a CSAF document with the TLP label `CLEAR` use the Max UUID as sharing group ID if any.
+The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is `draft`.
+
+The relevant path for this test is:
+
+```
+ /document/distribution/sharing_group/id
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+```
+
+> The sharing group is present for the `TLP:CLEAR` document but it differs from the Max UUID.
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json
new file mode 100644
index 000000000..a6cc3f6c3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json
new file mode 100644
index 000000000..6c6ac9cce
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json
new file mode 100644
index 000000000..32381c256
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json
new file mode 100644
index 000000000..dc4aca64b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "sharing_group": { + "id": "00000000-0000-0000-0000-000000000000", + "name": "No sharing allowed" + }, + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "draft", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index bf69c6330..75f4868f5 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1164,6 +1164,30 @@ } ] }, + { + "id": "6.1.41", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index f2aa3faff..f56530c12 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json 
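Review bot: The `valid` list of the new `6.1.41` entry has no fixture for a `TLP:CLEAR` document that carries no `sharing_group` object at all, although the prose added in this commit says the test SHALL pass in that case. The pass sentence there ("no sharing group is present or the Nil UUID is used and the document status is `draft`") can be read with either grouping; the `-02`/`-12` pair ties the Nil UUID case to `draft`, but nothing pins the absent-object branch, which is where a validator that reads `/document/distribution/sharing_group/id` unconditionally is most likely to error out or report a false failure. I would add one more `valid` entry whose fixture has `"label": "CLEAR"`, `"status": "final"` and no `sharing_group`. The array this entry is inserted into starts and ends outside the hunk.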
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-1]))$" }, "valid": { "title": "List of valid examples", From 3487dadc46bf5f9d638d68a03a6c559eb18c6419 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:09:39 +0100 Subject: [PATCH 07/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - swap order of 6.1.40 and 6.1.41 - adapt testfiles --- ...-01-mndtr-40-public-sharing-group-with-no-max-uuid.md} | 0 ...md => tests-01-mndtr-41-invalid-sharing-group-name.md} | 0 .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json | 5 ++--- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json | 8 ++++---- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json | 2 +- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json | 4 ++-- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json | 5 +++-- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json | 8 ++++---- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json | 2 +- .../mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json | 4 ++-- 10 files changed, 19 insertions(+), 19 deletions(-) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md => tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md} (100%) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-40-invalid-sharing-group-name.md => tests-01-mndtr-41-invalid-sharing-group-name.md} (100%) 
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-41-public-sharing-group-with-no-max-uuid.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json index eba1bc0b3..2c880de0c 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json @@ -5,8 +5,7 @@ "csaf_version": "2.1", "distribution": { "sharing_group": { - "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", - "name": "Public" + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b" }, "tlp": { "label": "CLEAR" @@ -17,7 +16,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Invalid Sharing Group Name (failing example 1)", + "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-01", diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json index e96a3e9be..927dc5c19 100644 
--- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json @@ -5,11 +5,11 @@ "csaf_version": "2.1", "distribution": { "sharing_group": { - "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", + "id": "00000000-0000-0000-0000-000000000000", "name": "No sharing allowed" }, "tlp": { - "label": "RED" + "label": "CLEAR" } }, "publisher": { @@ -17,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Invalid Sharing Group Name (failing example 2)", + "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-02", @@ -29,7 +29,7 @@ "summary": "Initial version." } ], - "status": "draft", + "status": "final", "version": "1" } } diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json index 6f1416409..3a0e71eaa 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json @@ -17,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Invalid Sharing Group Name (valid example 1)", + "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-11", diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json index d6dab838c..8efdd4695 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json 
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json @@ -9,7 +9,7 @@ "name": "No sharing allowed" }, "tlp": { - "label": "RED" + "label": "CLEAR" } }, "publisher": { @@ -17,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Invalid Sharing Group Name (valid example 2)", + "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-12", diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json index a6cc3f6c3..6bddafe9e 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json @@ -5,7 +5,8 @@ "csaf_version": "2.1", "distribution": { "sharing_group": { - "id": "5868d6be-b28a-404e-a245-0b5093b31b8b" + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", + "name": "Public" }, "tlp": { "label": "CLEAR" @@ -16,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 1)", + "title": "Mandatory test: Invalid Sharing Group Name (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-01", diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json index 6c6ac9cce..d4b9cc245 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json 
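Review bot: After the renumbering, failing example 1 of the name test (`6-1-41-01.json`) keeps `"label": "CLEAR"` together with the non-reserved id `5868d6be-b28a-404e-a245-0b5093b31b8b`, so the same document also violates the Max UUID rule that this commit numbers 6.1.40. If fixtures are ever run against the whole mandatory set rather than one test at a time (the harness is not visible here), a validator with a broken name check would still reject this file through the other rule, and the fixture would prove less than it appears to. Changing the label in this file to one the Max UUID rule does not cover, for example `"label": "AMBER"`, would leave the reserved name `Public` on a non-Max UUID as the only violation. The JSON object continues outside both hunks of this file.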
@@ -5,11 +5,11 @@ "csaf_version": "2.1", "distribution": { "sharing_group": { - "id": "00000000-0000-0000-0000-000000000000", + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", "name": "No sharing allowed" }, "tlp": { - "label": "CLEAR" + "label": "RED" } }, "publisher": { @@ -17,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 2)", + "title": "Mandatory test: Invalid Sharing Group Name (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-02", @@ -29,7 +29,7 @@ "summary": "Initial version." } ], - "status": "final", + "status": "draft", "version": "1" } } diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json index 32381c256..29ef03c04 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json @@ -17,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 1)", + "title": "Mandatory test: Invalid Sharing Group Name (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-11", diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json index dc4aca64b..3773793ad 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json @@ -9,7 +9,7 @@ "name": "No sharing allowed" }, "tlp": { - "label": "CLEAR" + "label": "RED" } }, "publisher": { 
@@ -17,7 +17,7 @@ "name": "OASIS CSAF TC", "namespace": "https://csaf.io" }, - "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 2)", + "title": "Mandatory test: Invalid Sharing Group Name (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-12", From dcee34c4acf16d54e703455ba46b17fb87f73bf7 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:29:13 +0100 Subject: [PATCH 08/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add mandatory test to enforce usage of sharing group names - add invalid examples - add valid examples - adapt testcases list and schema --- ...-01-mndtr-42-missing-sharing-group-name.md | 22 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json | 35 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json | 35 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json | 36 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 32 +++++++++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 269 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md new file mode 100644 index 000000000..2afeefaa5 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md 
@@ -0,0 +1,22 @@
+### Missing Sharing Group Name
+
+It MUST be tested that the sharing group name exists and equals the predefined reserved value from section [#cite](document-property---distribution---sharing-group) if the precondition is fulfilled.
+
+The relevant path for this test is:
+
+```
+ /document/distribution/sharing_group/name
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
+ },
+ // ...
+ },
+```
+
+> The Max UUID is used but the sharing group name does not exist.
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json
new file mode 100644
index 000000000..8a74b252a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json
new file mode 100644
index 000000000..d693fe4b6
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json
new file mode 100644
index 000000000..b984b526a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "No sharing restrictions"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json
new file mode 100644
index 000000000..8967cac76
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "Releasable to OASIS CSAF TC member organizations"
+ },
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-04",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json
new file mode 100644
index 000000000..c4fdec312
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Missing Sharing Group Name (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json
new file mode 100644
index 000000000..fc5929109
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "sharing_group": { + "id": "00000000-0000-0000-0000-000000000000", + "name": "No sharing allowed" + }, + "tlp": { + "label": "RED" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Missing Sharing Group Name (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "draft", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 75f4868f5..f67cb2181 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1188,6 +1188,38 @@ } ] }, + { + "id": "6.1.42", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index f56530c12..4cc487a56 100644 
--- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-1]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-2]))$" }, "valid": { "title": "List of valid examples", From c027e19786bc9b807fc2541e4098b3b21e1c69cc Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:35:26 +0100 Subject: [PATCH 09/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add additional valid examples for 6.1.41 --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json | 35 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json | 36 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 8 +++++ 3 files changed, 79 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json new file mode 100644 index 000000000..4cd124091 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json 
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
+ },
+ "tlp": {
+ "label": "GREEN"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Invalid Sharing Group Name (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json
new file mode 100644
index 000000000..b2384c54f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "sharing_group": { + "id": "234efd7a-a3a1-4897-8296-633d5d37659c", + "name": "Example Sharing Group 3" + }, + "tlp": { + "label": "AMBER" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Invalid Sharing Group Name (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index f67cb2181..85589c9e8 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1185,6 +1185,14 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json", + "valid": true } ] }, From 0d98fc43c6ed0cca35a0e07113260548af0d1686 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:48:00 +0100 Subject: [PATCH 10/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add rule about the relationship between sharing group ID and `/document/tracking/id` --- .../prose/edit/src/schema-elements-02-props-02-document.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 614018bd3..833f43dd3 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -220,6 +220,9 @@ Therefore, they are reserved for implementation-specific situations: A CSAF document with `TLP:CLEAR` SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (`ffffffff-ffff-ffff-ffff-ffffffffffff`). +If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section [sec](#conformance-clause-8-csaf-modifier)) regarding the generation of the value of `/document/tracking/id` SHALL be applied. +This implies that usually the sharing group ID is used as a prefix to the original `/document/tracking/id`. + Sharing Group Name (`name`) of value type `string` with one or more characters contains a human-readable name for the sharing group. The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. From 38d97cebf673c17e0eddc6f1df69f2827165699b Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:50:23 +0100 Subject: [PATCH 11/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - correct link format --- .../edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md | 2 +- .../edit/src/tests-01-mndtr-42-missing-sharing-group-name.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md index f8dd880d1..a1153c3e3 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md 
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md @@ -1,6 +1,6 @@ ### Invalid Sharing Group Name -It MUST be tested that the value of sharing group name does not equal the reserved values from section [#cite](document-property---distribution---sharing-group) if the precondition is not fulfilled. +It MUST be tested that the value of sharing group name does not equal the reserved values from section [sec](#document-property-distribution-sharing-group) if the precondition is not fulfilled. The relevant path for this test is: diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md index 2afeefaa5..d704152ab 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md @@ -1,6 +1,6 @@ ### Missing Sharing Group Name -It MUST be tested that the sharing group name exists and equals the predefined reserved value from section [#cite](document-property---distribution---sharing-group) if the precondition is fulfilled. +It MUST be tested that the sharing group name exists and equals the predefined reserved value from section [sec](#document-property-distribution-sharing-group) if the precondition is fulfilled. The relevant path for this test is: From 34cd7ba06df9312ed7d8b83d88979213ee1fcd77 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:05:38 +0100 Subject: [PATCH 12/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add optional test to discourage usage of Max UUID - add invalid example - add valid examples - adapt testcases list and schema --- csaf_2.1/prose/edit/src/tests-02-optional.md | 26 ++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json | 32 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json | 36 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 20 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 6 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index f5b0f941f..d32514e19 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -839,3 +839,29 @@ The relevant path for this test is: ``` > For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all. + +### Usage of Max UUID + +It MUST be tested that the Max UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The sharing group id uses the Max UUID. 
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json
new file mode 100644
index 000000000..8bc6b78d4
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Max UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-28-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json
new file mode 100644
index 000000000..6a4c469c0
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Max UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-28-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json
new file mode 100644
index 000000000..22a56ca0d
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Max UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-28-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 85589c9e8..50e4b3ee2 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1842,6 +1842,26 @@ } ] }, + { + "id": "6.2.28", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-11.json", + "valid": true + }, + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-28-12.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 4cc487a56..21c80edd1 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.2[78])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-2]))$" }, "valid": { "title": "List of valid examples", From 025eed0cd5422958a4e958a70702313b50190a05 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:19:22 +0100 Subject: [PATCH 13/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add optional test to discourage usage of Nil UUID - add invalid example - add valid examples - adapt testcases list and schema --- csaf_2.1/prose/edit/src/tests-02-optional.md | 28 +++++++++++++-- ...oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json | 32 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 20 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 6 files changed, 150 insertions(+), 4 deletions(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index d32514e19..5a2201c70 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -858,10 +858,32 @@ The relevant path for this test is: "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", "name": "Public" }, - "tlp": { - "label": "CLEAR" - } + // ... }, ``` > The sharing group id uses the Max UUID. + +### Usage of Nil UUID + +It MUST be tested that the Nil UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Nil UUID. 
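Review bot: The example added under "Usage of Nil UUID" in tests-02-optional.md still shows the Max UUID: the new block carries `"id": "ffffffff-ffff-ffff-ffff-ffffffffffff"` and `"name": "Public"`, while the explanation below it says the sharing group id uses the Nil UUID. The failing fixture added in the same commit, `oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json`, uses `"id": "00000000-0000-0000-0000-000000000000"` and `"name": "No sharing allowed"`, so the prose example should carry those two values. As written, an implementer who works from the prose alone could build the check against the wrong reserved UUID.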
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json
new file mode 100644
index 000000000..5b0374583
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "00000000-0000-0000-0000-000000000000",
+ "name": "No sharing allowed"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Nil UUID (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-29-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json
new file mode 100644
index 000000000..005347894
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Nil UUID (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-29-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json
new file mode 100644
index 000000000..17946d69b
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "AMBER"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Nil UUID (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-29-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "draft",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 50e4b3ee2..9553e5fe2 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1862,6 +1862,26 @@ } ] }, + { + "id": "6.2.29", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-11.json", + "valid": true + }, + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-29-12.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 21c80edd1..96136aa33 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.2[78])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-2]))$" }, "valid": { "title": "List of valid examples", From cc06295231bc5030141551cd3f8dfd2a96d93703 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:29:06 +0100 Subject: [PATCH 14/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add optional test to discourage usage sharing group with TLP:CLEAR - add invalid example - add valid examples - adapt testcases list and schema --- csaf_2.1/prose/edit/src/tests-02-optional.md | 26 ++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json | 36 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json | 32 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json | 36 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 20 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 6 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index 5a2201c70..e426a2e76 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -887,3 +887,29 @@ The relevant path for this test is: ``` > The sharing group id uses the Nil UUID. + +### Usage of Sharing Group on TLP:CLEAR + +It MUST be tested that no sharing group is used if the document is `TLP:CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The CSAF document is `TLP:CLEAR` but a sharing group is given. 
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json
new file mode 100644
index 000000000..23c0b6018
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
+ "name": "Public"
+ },
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Sharing Group on TLP:CLEAR (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-30-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json
new file mode 100644
index 000000000..796fb393f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Sharing Group on TLP:CLEAR (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-30-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json
new file mode 100644
index 000000000..4a197e46f
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "sharing_group": {
+ "id": "86c81730-1a06-478d-82d4-978e41eb332f",
+ "name": "Example Sharing Group 1"
+ },
+ "tlp": {
+ "label": "RED"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of Sharing Group on TLP:CLEAR (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-30-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 9553e5fe2..ebe4df440 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1882,6 +1882,26 @@ } ] }, + { + "id": "6.2.30", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-01.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-11.json", + "valid": true + }, + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-30-12.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 96136aa33..fe815cb5d 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(2\\.30)|(1\\.4[0-2]))$" }, "valid": { "title": "List of valid examples", From a7ace02db2e8577242fe3b7b3215d788e8fa3f87 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:33:11 +0100 Subject: [PATCH 15/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add new files into bind.txt --- csaf_2.1/prose/edit/etc/bind.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 79e127241..f5ac69f8e 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt 
+++ b/csaf_2.1/prose/edit/etc/bind.txt @@ -67,6 +67,10 @@ tests-01-mndtr-33-multiple-flags-with-vex-justification-codes-per-product.md tests-01-mndtr-34-branches-recursion-depth.md tests-01-mndtr-35-contradicting-remediations.md tests-01-mndtr-36-contradicting-product-status-remediation-combination.md +tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md +tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md +tests-01-mndtr-41-invalid-sharing-group-name.md +tests-01-mndtr-42-missing-sharing-group-name.md tests-02-optional.md tests-03-informative.md distributing.md From c3459bdd756c6465b272c0f47b31c6e4d660e0d6 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:38:01 +0100 Subject: [PATCH 16/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add suggestions for quick fixes throughout the sharing group tests --- ...ts-01-mndtr-39-non-public-sharing-group-with-max-uuid.md | 2 ++ ...sts-01-mndtr-40-public-sharing-group-with-no-max-uuid.md | 2 ++ .../src/tests-01-mndtr-41-invalid-sharing-group-name.md | 2 ++ .../src/tests-01-mndtr-42-missing-sharing-group-name.md | 2 ++ csaf_2.1/prose/edit/src/tests-02-optional.md | 6 ++++++ 5 files changed, 14 insertions(+) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md index b281d1db9..fe1ee7d8a 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md @@ -23,3 +23,5 @@ The relevant path for this test is: ``` > The sharing group uses the Max UUID but the CSAF document is labeled as `TLP:RED`. + +> A tool MAY remove the property `sharing_group` as a quick fix. 
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md index c52269b90..89d04ca15 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md @@ -23,3 +23,5 @@ The relevant path for this test is: ``` > The sharing group is present for the `TLP:CLEAR` document but it differs from the Max UUID. + +> A tool MAY update the sharing group id as a quick fix. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md index a1153c3e3..8b313360a 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md @@ -21,3 +21,5 @@ The relevant path for this test is: ``` > The sharing group name is `Public` but it does not use the Max UUID. + +> A tool MAY update the sharing group name as a quick fix. diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md index d704152ab..d37fe06cf 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md @@ -20,3 +20,5 @@ The relevant path for this test is: ``` > The Max UUID is used but the sharing group name does not exist. + +> A tool MAY add the corresponding sharing group name as a quick fix. diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index e426a2e76..1b6b3547d 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md 
@@ -864,6 +864,8 @@ The relevant path for this test is: > The sharing group id uses the Max UUID. +> A tool MAY remove the property `sharing_group` as a quick fix. + ### Usage of Nil UUID It MUST be tested that the Nil UUID is not used as sharing group id. @@ -888,6 +890,8 @@ The relevant path for this test is: > The sharing group id uses the Nil UUID. +> A tool MAY remove the property `sharing_group` as a quick fix. + ### Usage of Sharing Group on TLP:CLEAR It MUST be tested that no sharing group is used if the document is `TLP:CLEAR`. @@ -913,3 +917,5 @@ The relevant path for this test is: ``` > The CSAF document is `TLP:CLEAR` but a sharing group is given. + +> A tool MAY remove the property `sharing_group` as a quick fix. From 325ef97b5e1d4d1ebbc7ac5364c5816a4e440eff Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:48:13 +0100 Subject: [PATCH 17/49] Sharing Groups - addresses parts of oasis-tcs/csaf#705 - add guidance of size for UUIDs - swap date and URI to make it alphabetic amongst the "special" strings --- csaf_2.1/prose/edit/src/guidance-on-size.md | 77 +++++++++++---------- 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index 8cfead215..4dee97e93 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -139,6 +139,7 @@ A string SHOULD NOT have a length greater than: * `/document/acknowledgments[]/organization` * `/document/aggregate_severity/text` * `/document/category` + * `/document/distribution/sharing_group/name` * `/document/lang` * `/document/notes[]/audience` * `/document/notes[]/title` 
@@ -250,31 +251,20 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/remediations[]/restart_required/details` * `/vulnerabilities[]/threats[]/details` -## URI length +## Date -A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: +The maximum length of strings representing a temporal value is given by the format specifier. This applies to: -* `/document/acknowledgments[]/urls[]` -* `/document/aggregate_severity/namespace` -* `/document/distribution/tlp/url` -* `/document/references[]/url` -* `/document/publisher/namespace` -* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` -* `/vulnerabilities[]/acknowledgments[]/urls[]` -* `/vulnerabilities[]/metrics[]/source` -* `/vulnerabilities[]/references[]/url` -* `/vulnerabilities[]/remediations[]/url` +* `/document/tracking/current_release_date` +* `/document/tracking/generator/date` +* 
`/document/tracking/initial_release_date` +* `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/discovery_date` +* `/vulnerabilities[]/flags[]/date` +* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/involvements[]/date` +* `/vulnerabilities[]/remediations[]/date` +* `/vulnerabilities[]/threats[]/date` ## Enum 
@@ -386,17 +376,34 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity` (8) * `/vulnerabilities[]/threats[]/category` (14) -## Date +## URI length -The maximum length of strings representing a temporal value is given by the format specifier. This applies to: +A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: -* `/document/tracking/current_release_date` -* `/document/tracking/generator/date` -* `/document/tracking/initial_release_date` -* `/document/tracking/revision_history[]/date` -* `/vulnerabilities[]/discovery_date` -* `/vulnerabilities[]/flags[]/date` -* `/vulnerabilities[]/release_date` -* `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/remediations[]/date` -* `/vulnerabilities[]/threats[]/date` +* `/document/acknowledgments[]/urls[]` +* `/document/aggregate_severity/namespace` +* `/document/distribution/tlp/url` +* `/document/references[]/url` +* `/document/publisher/namespace` +* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` +* 
`/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` +* `/vulnerabilities[]/acknowledgments[]/urls[]` +* `/vulnerabilities[]/metrics[]/source` +* `/vulnerabilities[]/references[]/url` +* `/vulnerabilities[]/remediations[]/url` + +## UUID length + +A string with format `uuid` SHOULD NOT have a length greater than 50. This applies to: + +* `/document/distribution/sharing_group/id (36) From 8d4441648f240c3d58ece73a9cf0d27d47e7adee Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:52:10 +0100 Subject: [PATCH 18/49] Editorial - convert headings into title case --- csaf_2.1/prose/edit/src/guidance-on-size.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index 4dee97e93..7c70bf645 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -33,7 +33,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits > If you come across a case where these limits are exceeded, please provide feedback to the TC. -## File size +## File Size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. @@ -46,7 +46,7 @@ e.g.: 50 MiB. > In addition, the BSON format adds length information for the entries inside the document, > which adds to the size when storing CSAF document content in a BSON format. -## Array length +## Array Length An array SHOULD NOT have more than: 
@@ -130,7 +130,7 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/threats[]/group_ids` * `/vulnerabilities[]/threats[]/product_ids` -## String length +## String Length A string SHOULD NOT have a length greater than: @@ -376,7 +376,7 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity` (8) * `/vulnerabilities[]/threats[]/category` (14) -## URI length +## URI Length A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: @@ -402,7 +402,7 @@ A string with format `uri` SHOULD NOT have a length greater than 20000. This app * `/vulnerabilities[]/references[]/url` * `/vulnerabilities[]/remediations[]/url` -## UUID length +## UUID Length A string with format `uuid` SHOULD NOT have a length greater than 50. This applies to: From 33da68c89c4807c10bf7dc6823d13a87268e6265 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:54:24 +0100 Subject: [PATCH 19/49] Editorial - fix format issue --- csaf_2.1/prose/edit/src/guidance-on-size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md index 7c70bf645..edd66eb22 100644 --- a/csaf_2.1/prose/edit/src/guidance-on-size.md +++ b/csaf_2.1/prose/edit/src/guidance-on-size.md @@ -406,4 +406,4 @@ A string with format `uri` SHOULD NOT have a length greater than 20000. This app A string with format `uuid` SHOULD NOT have a length greater than 50. This applies to: -* `/document/distribution/sharing_group/id (36) +* `/document/distribution/sharing_group/id` (36) From 611e7973d6f9ac6597922d2b329f445222ca455f Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 23:47:19 +0100 Subject: [PATCH 20/49] Test 6.1.31 - addresses parts of oasis-tcs/csaf#825 - improve wording in prose Co-authored-by: Christian Banse --- ...dtr-31-version-range-in-product-version.md | 36 +++++++++++-------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md index 663f1b64f..f11d444c7 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md @@ -3,22 +3,28 @@ For each element of type `/$defs/branches_t` with `category` of `product_version` it MUST be tested that the value of `name` does not contain a version range. -> To implement this test it is deemed sufficient that, when converted to lower case, -> the value of `name` does not contain any of the following strings: +> To implement this test it is deemed sufficient that, when converted to lower case, the value of `name` satisfies the two requirements below: > -> ``` -> < -> <= -> > -> >= -> after -> all -> before -> earlier -> later -> prior -> versions -> ``` +> 1. It does not contain any of the following operators: +> +> ``` +> < +> <= +> > +> >= +> ``` +> +> 2. If interpreted as individual word separated by whitespace, it does not contain any of the following keywords: +> +> ``` +> after +> all +> before +> earlier +> later +> prior +> versions +> ``` The relevant paths for this test are: From 9458e492a690ac91f7d638c1bc0a8bbea4789cdc Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:10:40 +0100 Subject: [PATCH 21/49] Test 6.1.31 - addresses parts of oasis-tcs/csaf#825 - add additional valid example --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json | 56 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 4 ++ 2 files changed, 60 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json new file mode 100644 index 000000000..9185702eb --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json @@ -0,0 +1,56 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Version Range in Product Version (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-31-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "branches": [ + { + "category": "vendor", + "name": "Example Company", + "branches": [ + { + "category": "product_name", + "name": "Product A", + "branches": [ + { + "category": "product_version", + "name": "overall otter", + "product": { + "product_id": "CSAFPID-9080700", + "name": "Example Company Product A overall otter" + } + } + ] + } + ] + } + ] + } +} 
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index a1d19886a..db1a06fb0 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -969,6 +969,10 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-12.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json", + "valid": true } ] }, From ef421554e54d9cfb499454b367104ccc40151c8b Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:46:16 +0100 Subject: [PATCH 22/49] ASCII armored OpenPGP - resolves oasis-tcs/csaf#797 - add explicit statements about OpenPGP signatures and key files being ASCII armored --- csaf_2.1/prose/edit/src/distributing.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 8dfb5d209..44095da32 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -413,7 +413,9 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ ### Requirement 19: Signatures All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is -extended by the appropriate extension. See [cite](#RFC4880) for more details. +extended by the appropriate extension. +This signature SHALL be presented as an ASCII armored file. +See [cite](#RFC4880) for more details. *Example 1:* 
@@ -437,6 +439,7 @@ Tools SHOULD treat the violation of the rules given in the first sentence as: ### Requirement 20: Public OpenPGP Key The public part of the OpenPGP key used to sign the CSAF documents MUST be available. +This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server. > For example, the public part of the OpenPGP key could be placed in a directory `openpgp` adjacent to the `provider-metadata.json`. From 526a890256ad04ac254c61718e67211b6ba1b92e Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 19 Nov 2024 10:24:08 +0100 Subject: [PATCH 23/49] Rephrase word to list of words Co-authored-by: Christian Banse --- .../src/tests-01-mndtr-31-version-range-in-product-version.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md index f11d444c7..d13929fc8 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md @@ -14,7 +14,7 @@ the value of `name` does not contain a version range. > >= > ``` > -> 2. If interpreted as individual word separated by whitespace, it does not contain any of the following keywords: +> 2. If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: > > ``` > after From f090e06ad50430a6dd3ecdbb03547235e1e7108e Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 20 Nov 2024 10:50:20 +0100 Subject: [PATCH 24/49] Changes.csv - addresses parts of oasis-tcs/csaf#768 - change changes.csv to non-quoted - clarify wording - add normative reference to RFC 4180 --- csaf_2.1/prose/edit/src/distributing.md | 17 ++++++++++++----- .../src/introduction-03-normative-references.md | 3 +++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 8dfb5d209..3bb154b33 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
@@ -194,18 +194,25 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents ### Requirement 13: changes.csv -The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each +The file `changes.csv` contains a list of CSAF documents in the current TLP level that were changed recently. +Therefore, it MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first. +The `changes.csv` SHALL be a valid comma separated values format as defined by [cite](#RFC4180) without double quotes. + +> Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) +> Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. *Example 1:* ``` -"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" +2023/esa-2023-09953.json,2023-07-01T10:09:07Z +2021/esa-2021-03676.json,2023-07-01T10:09:01Z +2022/esa-2022-02723.json,2022-04-17T15:08:41Z +2021/esa-2021-31916.json,2022-03-01T06:01:00Z ``` +> Note: As CSAF 2.0 requires quotes, an [cite](#RFC4180) parser can read both format revisions. + ### Requirement 14: Directory listings Directory listing SHALL be enabled to support manual navigation. diff --git a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md index ea6e9114e..1cba83b15 100644 --- a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md 
@@ -21,6 +21,9 @@ RFC2119 RFC3339 : Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . +RFC4180 +: Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, . + RFC7464 : Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, . From 15a2cafce368a20115206bbef8d12db98b7cc6b6 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Wed, 20 Nov 2024 12:08:32 +0100 Subject: [PATCH 25/49] Example values should be sorted --- csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 833f43dd3..bd658d30a 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -162,8 +162,8 @@ Therefore, the Sharing Group MAY also be used to convey special TLP restrictions *Examples 1:* ``` - Only releasable to European Energy sector E-ISAC members-only + Only releasable to European Energy sector Releasable to NATO countries ``` From ca1f51e4af83b2e9df6aeb29c93959fa63090ee4 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 23 Nov 2024 22:10:14 +0100 Subject: [PATCH 26/49] Date-time - addresses parts of oasis-tcs/csaf#469 - add links to standards - add rules regarding separator --- .../prose/edit/src/design-considerations-02-date-time.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md b/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md index 422b0657d..9395aacc8 100644 --- a/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md 
+++ b/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md @@ -1,13 +1,14 @@ ## Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. -In accordance with RFC 3339 and ISO 8601, the following rules apply: +In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply: * The letter `T` separating the date and time SHALL be upper case. +* The separator between date and time MUST be the letter `T`. * The letter `Z` indicating the timezone UTC SHALL be upper case. * Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator. * Leap seconds are supported. However, they SHOULD be avoided if possible. -* Empty timezones are prohibited. +* Empty timezones MUST NOT be used. * The ABNF of RFC 3339, section 5.6 applies. ------- From a231be09dab400dd6d257c5d12c08ef77cd7bee9 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 23 Nov 2024 22:15:03 +0100 Subject: [PATCH 27/49] Date-time - addresses parts of oasis-tcs/csaf#469 - add mandatory test to check date-time rules - add invalid example - add valid example --- .../src/tests-01-mndtr-37-date-and-time.md | 26 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json | 32 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json | 32 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 ++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 5 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json 
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md new file mode 100644 index 000000000..a56a13bf0 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md @@ -0,0 +1,26 @@ +### Date and Time{#mandatory-tests--date-and-time} + +For each item of type `string` and format `date-time` it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}. + +The relevant path for this test is: + +``` + /document/tracking/current_release_date + /document/tracking/generator/date + /document/tracking/initial_release_date + /document/tracking/revision_history[]/date + /vulnerabilities[]/discovery_date + /vulnerabilities[]/flags[]/date + /vulnerabilities[]/release_date + /vulnerabilities[]/involvements[]/date + /vulnerabilities[]/remediations[]/date + /vulnerabilities[]/threats[]/date +``` + +*Example 1 (which fails the test):* + +``` + "current_release_date": "2024-01-24 10:00:00.000Z", +``` + +> The `current_release_date` uses a whitespace as separator instead the letter `T`. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json new file mode 100644 index 000000000..b715f8fd8 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json 
@@ -0,0 +1,32 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24 10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-01", + "initial_release_date": "2024-01-24 10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24 10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json new file mode 100644 index 000000000..17aaa9a97 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json @@ -0,0 +1,32 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index db1a06fb0..09542f24f 100644 --- a/csaf_2.1/test/validator/data/testcases.json 
+++ b/csaf_2.1/test/validator/data/testcases.json @@ -1100,6 +1100,22 @@ } ] }, + { + "id": "6.1.37", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 567312972..3abcba8c6 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-7]))$" }, "valid": { "title": "List of valid examples", From 5b99dc3a3cace1fd2ec1f3b29128fa55b7fddea1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 23 Nov 2024 22:22:49 +0100 Subject: [PATCH 28/49] Date-time - addresses parts of oasis-tcs/csaf#469 - exclude schema test failing testfile --- csaf_2.1/test/validator/run_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh index c9a0791bc..1c287c799 100755 --- a/csaf_2.1/test/validator/run_tests.sh +++ b/csaf_2.1/test/validator/run_tests.sh 
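Review bot: The new `6.1.37` entry registers a single failing example, and that file only exercises a space in place of the `T` separator; the date-and-time rules this test refers to also require an upper-case `T` and `Z` and forbid an empty timezone, and none of those has a case under `failures`. A validator that checks only the separator would pass this suite, and lower-case `t`/`z` are inputs a generic `date-time` format check may well accept, so they are where the dedicated test matters most. I would add further entries of the form `{ "name": "mandatory/<new-failing-example>.json", "valid": false }` (placeholder name), one per rule. The file list of this commit also does not include `bind.txt`, which earlier in the series lists the `tests-01-mndtr-*.md` sources, so the new prose file may need an entry there unless another patch adds it.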
@@ -10,7 +10,7 @@ CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/test/validator/data/$1/*.json -EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json' +EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json' EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json FAIL=0 From ba60e10501f47892cba3a54d1d881bbf8c72e0aa Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 29 Nov 2024 01:42:21 +0100 Subject: [PATCH 29/49] Clarify Inclusion of Open Source - addresses parts of oasis-tcs/csaf#790 - add open source projects --- .../prose/edit/src/schema-elements-02-props-02-document.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index b271922bb..3053a1efc 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
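Review bot: The `EXCLUDE` value gives no reason for any of its entries, and this change adds `oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json` to it without one; a comment above the assignment such as `# failing examples that the JSON schema itself rejects; skipped in the schema-validity pass` would tell the next editor when a file belongs here. How `EXCLUDE` is consumed is outside the hunk, so it is worth confirming that an excluded file is still asserted to be invalid somewhere rather than only skipped; otherwise a validator that accepts the space-separated timestamp would go unnoticed. If the value is used as a regular expression, as the `|` separators suggest, the unescaped `.` in each name matches any character, which is harmless for these names but easy to tighten.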
@@ -314,8 +314,8 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and -product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), +open source projects, and product resellers and distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details From 6d112000ec703ed3466140a26ebe91b468ba5696 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 29 Nov 2024 16:57:12 +0100 Subject: [PATCH 30/49] Nit: lower case general terms and clarify listing --- .../prose/edit/src/schema-elements-02-props-02-document.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 3053a1efc..5f7a2950c 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -314,8 +314,8 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), -open source projects, and product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, product security incident response teams (PSIRTs), +open source projects, product resellers, and product distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details 
From b339fc6c60c2f58214c5e05cc69acb7a89602072 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 29 Nov 2024 18:05:54 +0100 Subject: [PATCH 31/49] Restored binding of including --- csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 5f7a2950c..74587e9f1 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -315,7 +315,7 @@ The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, product security incident response teams (PSIRTs), -open source projects, product resellers, and product distributors, including authoritative vendor partners. +open source projects as well as product resellers and distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details From e20ba3b949eb62133456a9c6b04822350ca5563d Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 4 Nov 2024 10:31:10 +0100 Subject: [PATCH 32/49] Editor Revision 2024-11-27 - update dates - insert new revision for tracking --- csaf_2.1/prose/edit/src/frontmatter.md | 4 ++-- csaf_2.1/prose/edit/src/revision-history.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md index fa74a710c..bb09f4017 100644 --- a/csaf_2.1/prose/edit/src/frontmatter.md +++ b/csaf_2.1/prose/edit/src/frontmatter.md 
@@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 30 October 2024 +## 27 November 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md index 525db7592..7e7744c44 100644 --- a/csaf_2.1/prose/edit/src/revision-history.md +++ b/csaf_2.1/prose/edit/src/revision-history.md @@ -19,5 +19,6 @@ toc: | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- From a8d58d52ce728c654634409cf60c765eeb426260 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 18 Nov 2024 23:47:19 +0100 Subject: [PATCH 33/49] Test 6.1.31 - addresses parts of oasis-tcs/csaf#825 - improve wording in prose Co-authored-by: Christian Banse --- ...dtr-31-version-range-in-product-version.md | 36 +++++++++++-------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md index 663f1b64f..f11d444c7 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md @@ -3,22 +3,28 @@ For each element of type `/$defs/branches_t` with `category` of `product_version` it MUST be tested that the value of `name` does not contain a version range. -> To implement this test it is deemed sufficient that, when converted to lower case, -> the value of `name` does not contain any of the following strings: +> To implement this test it is deemed sufficient that, when converted to lower case, the value of `name` satisfies the two requirements below: > -> ``` -> < -> <= -> > -> >= -> after -> all -> before -> earlier -> later -> prior -> versions -> ``` +> 1. It does not contain any of the following operators: +> +> ``` +> < +> <= +> > +> >= +> ``` +> +> 2. If interpreted as individual word separated by whitespace, it does not contain any of the following keywords: +> +> ``` +> after +> all +> before +> earlier +> later +> prior +> versions +> ``` The relevant paths for this test are: From b03b34840133bd1bd5489d01a7b2e6c2ad591e68 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:10:40 +0100 Subject: [PATCH 34/49] Test 6.1.31 - addresses parts of oasis-tcs/csaf#825 - add additional valid example --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json | 56 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 4 ++ 2 files changed, 60 insertions(+) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json new file mode 100644
index 000000000..9185702eb
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Version Range in Product Version (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-31-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "branches": [
+ {
+ "category": "vendor",
+ "name": "Example Company",
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Product A",
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "overall otter",
+ "product": {
+ "product_id": "CSAFPID-9080700",
+ "name": "Example Company Product A overall otter"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index ebe4df440..27052ae59 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -969,6 +969,10 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-12.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-31-13.json", + "valid": true } ] }, From 14beb9de164ad7ba069cefa4629b8e07dd185de0 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 19 Nov 2024 10:24:08 +0100 Subject: [PATCH 35/49] Rephrase word to list of words Co-authored-by: Christian Banse --- .../src/tests-01-mndtr-31-version-range-in-product-version.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md index f11d444c7..d13929fc8 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-31-version-range-in-product-version.md @@ -14,7 +14,7 @@ the value of `name` does not contain a version range. > >= > ``` > -> 2. If interpreted as individual word separated by whitespace, it does not contain any of the following keywords: +> 2. If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: > > ``` > after From 95d37cb86df6faebd9ca600d8ca99cad9d3d80b1 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 23 Nov 2024 22:10:14 +0100 Subject: [PATCH 36/49] Date-time - addresses parts of oasis-tcs/csaf#469 - add links to standards - add rules regarding separator --- .../prose/edit/src/design-considerations-02-date-time.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md b/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md index 422b0657d..9395aacc8 100644 --- a/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md +++ b/csaf_2.1/prose/edit/src/design-considerations-02-date-time.md @@ -1,13 +1,14 @@ ## Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. -In accordance with RFC 3339 and ISO 8601, the following rules apply: +In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply: * The letter `T` separating the date and time SHALL be upper case. +* The separator between date and time MUST be the letter `T`. * The letter `Z` indicating the timezone UTC SHALL be upper case. * Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator. * Leap seconds are supported. However, they SHOULD be avoided if possible. -* Empty timezones are prohibited. +* Empty timezones MUST NOT be used. * The ABNF of RFC 3339, section 5.6 applies. ------- From 9b35b83416bd7234b60dfbbf0d860f34d03952f9 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 3 Dec 2024 00:36:37 +0100 Subject: [PATCH 37/49] Date-time - addresses parts of oasis-tcs/csaf#469 - add mandatory test to check date-time rules - add invalid example - add valid example --- .../src/tests-01-mndtr-37-date-and-time.md | 26 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json | 32 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json | 32 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 16 ++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 5 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md new file mode 100644 index 000000000..a56a13bf0 --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md 
@@ -0,0 +1,26 @@
+### Date and Time{#mandatory-tests--date-and-time}
+
+For each item of type `string` and format `date-time` it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}.
+
+The relevant path for this test is:
+
+```
+ /document/tracking/current_release_date
+ /document/tracking/generator/date
+ /document/tracking/initial_release_date
+ /document/tracking/revision_history[]/date
+ /vulnerabilities[]/discovery_date
+ /vulnerabilities[]/flags[]/date
+ /vulnerabilities[]/release_date
+ /vulnerabilities[]/involvements[]/date
+ /vulnerabilities[]/remediations[]/date
+ /vulnerabilities[]/threats[]/date
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "current_release_date": "2024-01-24 10:00:00.000Z",
+```
+
+> The `current_release_date` uses a whitespace as separator instead the letter `T`.
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json new file mode 100644
index 000000000..b715f8fd8
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Date and Time (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24 10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-01",
+ "initial_release_date": "2024-01-24 10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24 10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ }
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json new file mode 100644 index 000000000..17aaa9a97 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json @@ -0,0 +1,32 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Date and Time (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-37-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + } +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 27052ae59..77bd0e40a 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1100,6 +1100,22 @@ } ] }, + { + "id": "6.1.37", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-37-11.json", + "valid": true + } + ] + }, { "id": "6.1.39", "group": "mandatory", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index fe815cb5d..c6fbb97f9 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json 
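Review bot: The new `6.1.37` entry in `testcases.json` lists a single failing document, and that document (`…-6-1-37-01.json`) puts the space separator into `current_release_date`, `initial_release_date` and `revision_history[]/date` at the same time, so a validator that checks only one of the paths named in the test still reports it as invalid and passes. The date-time rules this test refers to also require an upper-case `T` and `Z` and forbid an empty timezone, and none of those has a failing example here. I would add one failing document per rule, each changing a single field, for instance `"current_release_date": "2024-01-24t10:00:00.000Z"` (constructed sample), and list them under `failures`. The array that holds this entry starts and ends outside the hunk.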
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-69])|(2\\.30)|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-79])|(2\\.30)|(1\\.4[0-2]))$" }, "valid": { "title": "List of valid examples", From fe86df15a64640b9745fde298944a4eb70153c1d Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 23 Nov 2024 22:22:49 +0100 Subject: [PATCH 38/49] Date-time - addresses parts of oasis-tcs/csaf#469 - exclude schema test failing testfile --- csaf_2.1/test/validator/run_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh index c9a0791bc..1c287c799 100755 --- a/csaf_2.1/test/validator/run_tests.sh +++ b/csaf_2.1/test/validator/run_tests.sh 
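Review bot: The character class in `(1\\.3[0-79])` reads like a range up to 79 but matches only the digits 0–7 and 9, so the `id` pattern still rejects `6.1.38`. A later patch in this series renames the sharing-group test files from 39–42 to 38–41; if the ids in `testcases.json` follow that renumbering (not visible here), the pattern has to change again and `(1\\.4[0-2])` would keep accepting an id that no longer exists. Writing the alternative as `(1\\.3([0-7]|9))` makes the gap explicit, and `(1\\.3[0-9])` closes it once a test 6.1.38 exists. The object holding this `pattern` continues outside the hunk.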
@@ -10,7 +10,7 @@ CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json VALIDATOR=csaf_2.1/test/validator.py STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py TESTPATH=csaf_2.1/test/validator/data/$1/*.json -EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json' +EXCLUDE='oasis_csaf_tc-csaf_2_1-2024-6-1-08-01.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-02.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-03.json|oasis_csaf_tc-csaf_2_1-2024-6-1-08-04.json|oasis_csaf_tc-csaf_2_1-2024-6-1-09-05.json|oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json|oasis_csaf_tc-csaf_2_1-2024-6-2-10-01.json' EXCLUDE_STRICT=oasis_csaf_tc-csaf_2_1-2024-6-2-20-01.json FAIL=0 From 78023c349a11205c5a7e70de32664919e7bbac39 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 20 Nov 2024 10:50:20 +0100 Subject: [PATCH 39/49] Changes.csv - addresses parts of oasis-tcs/csaf#768 - change changes.csv to non-quoted - clarify wording - add normative reference to RFC 4180 --- csaf_2.1/prose/edit/src/distributing.md | 17 ++++++++++++----- .../src/introduction-03-normative-references.md | 3 +++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 8dfb5d209..3bb154b33 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
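Review bot: `EXCLUDE` gains `oasis_csaf_tc-csaf_2_1-2024-6-1-37-01.json` without a record of why, and the list is one unanchored alternation in which every `.` matches any character. The commit subject says the file is excluded because it fails the schema test; a comment above the assignment would keep that reason next to the code, e.g. `# 6-1-37-01: date-time values use a space instead of 'T' and fail schema validation`. How `EXCLUDE` is consumed is outside the hunk; if it is used as an extended regular expression, writing the suffix as `\.json` would keep a near-miss filename from being skipped silently.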
@@ -194,18 +194,25 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents ### Requirement 13: changes.csv -The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each +The file `changes.csv` contains a list of CSAF documents in the current TLP level that were changed recently. +Therefore, it MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first. +The `changes.csv` SHALL be a valid comma separated values format as defined by [cite](#RFC4180) without double quotes. + +> Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) +> Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. *Example 1:* ``` -"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" +2023/esa-2023-09953.json,2023-07-01T10:09:07Z +2021/esa-2021-03676.json,2023-07-01T10:09:01Z +2022/esa-2022-02723.json,2022-04-17T15:08:41Z +2021/esa-2021-31916.json,2022-03-01T06:01:00Z ``` +> Note: As CSAF 2.0 requires quotes, an [cite](#RFC4180) parser can read both format revisions. + ### Requirement 14: Directory listings Directory listing SHALL be enabled to support manual navigation. diff --git a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md index d90250dbc..e07e63171 100644 --- a/csaf_2.1/prose/edit/src/introduction-03-normative-references.md +++ b/csaf_2.1/prose/edit/src/introduction-03-normative-references.md 
@@ -21,6 +21,9 @@ RFC2119 RFC3339 : Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . +RFC4180 +: Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, . + RFC7464 : Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, . From 58565c0b964aa59956b06a4ac77e00e5ab26561f Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:46:16 +0100 Subject: [PATCH 40/49] ASCII armored OpenPGP - resolves oasis-tcs/csaf#797 - add explicit statements about OpenPGP signatures and key files being ASCII armored --- csaf_2.1/prose/edit/src/distributing.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 3bb154b33..32fe3e3ce 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -420,7 +420,9 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ ### Requirement 19: Signatures All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is -extended by the appropriate extension. See [cite](#RFC4880) for more details. +extended by the appropriate extension. +This signature SHALL be presented as an ASCII armored file. +See [cite](#RFC4880) for more details. *Example 1:* 
@@ -444,6 +446,7 @@ Tools SHOULD treat the violation of the rules given in the first sentence as: ### Requirement 20: Public OpenPGP Key The public part of the OpenPGP key used to sign the CSAF documents MUST be available. +This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server. > For example, the public part of the OpenPGP key could be placed in a directory `openpgp` adjacent to the `provider-metadata.json`. From 1f9211a6c5f2504fbfe0b6741051a62f8832c072 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 29 Nov 2024 01:42:21 +0100 Subject: [PATCH 41/49] Clarify Inclusion of Open Source - addresses parts of oasis-tcs/csaf#790 - add open source projects --- .../prose/edit/src/schema-elements-02-props-02-document.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index bd658d30a..b2510745a 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -391,8 +391,8 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and -product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), +open source projects, and product resellers and distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details From 73520e9a2f86234615bee5c1dba26e4c43e459e8 Mon Sep 17 00:00:00 2001 
From: Stefan Hagen Date: Fri, 29 Nov 2024 16:57:12 +0100 Subject: [PATCH 42/49] Nit: lower case general terms and clarify listing --- .../prose/edit/src/schema-elements-02-props-02-document.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index b2510745a..809f5089b 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md @@ -391,8 +391,8 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), -open source projects, and product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, product security incident response teams (PSIRTs), +open source projects, product resellers, and product distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details From bf252efde40fd60d5a8a2f287c98b28c29ef46b8 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 29 Nov 2024 18:05:54 +0100 Subject: [PATCH 43/49] Restored binding of including --- csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md index 809f5089b..e8e3f8645 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-02-document.md 
@@ -392,7 +392,7 @@ The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, product security incident response teams (PSIRTs), -open source projects, product resellers, and product distributors, including authoritative vendor partners. +open source projects as well as product resellers and distributors, including authoritative vendor partners. ##### Document Property - Publisher - Contact Details From 6a6df780395067cd7c03a421dd77206cc3bd4994 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 3 Dec 2024 00:38:01 +0100 Subject: [PATCH 44/49] Date-time - addresses parts of oasis-tcs/csaf#469 - add test into bind.txt --- csaf_2.1/prose/edit/etc/bind.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index f5ac69f8e..8ff6dbf72 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt @@ -67,6 +67,7 @@ tests-01-mndtr-33-multiple-flags-with-vex-justification-codes-per-product.md tests-01-mndtr-34-branches-recursion-depth.md tests-01-mndtr-35-contradicting-remediations.md tests-01-mndtr-36-contradicting-product-status-remediation-combination.md +tests-01-mndtr-37-date-and-time.md tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md tests-01-mndtr-41-invalid-sharing-group-name.md From c4ef71dee4bc205dcfdb84ec37515ae0f8573b87 Mon Sep 17 00:00:00 2001 
From: Stefan Hagen Date: Tue, 3 Dec 2024 08:40:02 +0100 Subject: [PATCH 45/49] Document-technical edits and delivery items - fixed file numbering (maintainability) - fixed example labels - added section and example labels for new and changed sections - added explicit section link for title containing TLP:CLEAR (ease of use) - updated binder with changed file names - generated label maps and inversions - derived HTML and single markdown file delivery items Signed-off-by: Stefan Hagen --- csaf_2.1/prose/edit/etc/bind.txt | 8 +- .../edit/etc/example-global-to-local.json | 259 +++--- .../edit/etc/example-local-to-global.json | 259 +++--- .../edit/etc/section-display-to-label.json | 17 +- .../edit/etc/section-label-to-display.json | 17 +- ...non-public-sharing-group-with-max-uuid.md} | 0 ...-public-sharing-group-with-no-max-uuid.md} | 0 ...01-mndtr-40-invalid-sharing-group-name.md} | 0 ...01-mndtr-41-missing-sharing-group-name.md} | 0 csaf_2.1/prose/edit/src/tests-02-optional.md | 2 +- csaf_2.1/prose/share/csaf-v2.1-draft.html | 860 +++++++++++++----- csaf_2.1/prose/share/csaf-v2.1-draft.md | 732 +++++++++++---- 12 files changed, 1469 insertions(+), 685 deletions(-) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md => tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md} (100%) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md => tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md} (100%) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-41-invalid-sharing-group-name.md => tests-01-mndtr-40-invalid-sharing-group-name.md} (100%) rename csaf_2.1/prose/edit/src/{tests-01-mndtr-42-missing-sharing-group-name.md => tests-01-mndtr-41-missing-sharing-group-name.md} (100%) diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 8ff6dbf72..d6fed1872 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt 
@@ -68,10 +68,10 @@ tests-01-mndtr-34-branches-recursion-depth.md tests-01-mndtr-35-contradicting-remediations.md tests-01-mndtr-36-contradicting-product-status-remediation-combination.md tests-01-mndtr-37-date-and-time.md -tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md -tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md -tests-01-mndtr-41-invalid-sharing-group-name.md -tests-01-mndtr-42-missing-sharing-group-name.md +tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md +tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md +tests-01-mndtr-40-invalid-sharing-group-name.md +tests-01-mndtr-41-missing-sharing-group-name.md tests-02-optional.md tests-03-informative.md distributing.md diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json index e56dbae97..022cdc52e 100644 --- a/csaf_2.1/prose/edit/etc/example-global-to-local.json +++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json 
@@ -31,130 +31,139 @@ "29": "version-type-semantic-versioning-eg-6", "30": "document-property-aggregate-severity-eg-1", "31": "document-property-category-eg-1", - "32": "document-property-distribution-text-eg-1", - "33": "document-property-distribution-tlp-eg-1", - "34": "document-property-publisher-contact-details-eg-1", - "35": "document-property-publisher-name-eg-1", - "36": "document-property-publisher-namespace-eg-1", - "37": "document-property-title-eg-1", - "38": "document-property-tracking-aliases-eg-1", - "39": "document-property-tracking-generator-eg-1", - "40": "document-property-tracking-generator-eg-2", - "41": "document-property-tracking-id-eg-1", - "42": "product-tree-property-product-groups-eg-1", - "43": "product-tree-property-relationships-eg-1", - "44": "vulnerabilities-property-cwes-eg-1", - "45": "vulnerabilities-property-cwes-eg-2", - "46": "vulnerabilities-property-cwes-eg-3", - "47": "vulnerabilities-property-ids-eg-1", - "48": "vulnerabilities-property-ids-eg-2", - "49": "filename-eg-1", - "50": "filename-eg-2", - "51": "missing-definition-of-product-id-eg-1", - "52": "multiple-definition-of-product-id-eg-1", - "53": "circular-definition-of-product-id-eg-1", - "54": "missing-definition-of-product-group-id-eg-1", - "55": "multiple-definition-of-product-group-id-eg-1", - "56": "contradicting-product-status-eg-1", - "57": "multiple-scores-with-same-version-per-product-eg-1", - "58": "invalid-cvss-eg-1", - "59": "invalid-cvss-computation-eg-1", - "60": "inconsistent-cvss-eg-1", - "61": "cwe-eg-1", - "62": "language-eg-1", - "63": "purl-eg-1", - "64": "sorted-revision-history-eg-1", - "65": "translator-eg-1", - "66": "latest-document-version-eg-1", - "67": "document-status-draft-eg-1", - "68": "released-revision-history-eg-1", - "69": "revision-history-entries-for-pre-release-versions-eg-1", - "70": "non-draft-document-version-eg-1", - "71": "missing-item-in-revision-history-eg-1", - "72": "multiple-definition-in-revision-history-eg-1", - "73": 
"multiple-use-of-same-cve-eg-1", - "74": "multiple-definition-in-involvements-eg-1", - "75": "multiple-use-of-same-hash-algorithm-eg-1", - "76": "prohibited-document-category-name-eg-1", - "77": "prohibited-document-category-name-eg-2", - "78": "document-notes-eg-1", - "79": "document-references-eg-1", - "80": "vulnerabilities-for-informational-advisory-eg-1", - "81": "product-tree-eg-1", - "82": "vulnerability-notes-eg-1", - "83": "product-status-eg-1", - "84": "vex-product-status-eg-1", - "85": "vulnerability-id-eg-1", - "86": "impact-statement-eg-1", - "87": "action-statement-eg-1", - "88": "vulnerabilities-for-security-advisory-or-vex-eg-1", - "89": "translation-eg-1", - "90": "remediation-without-product-reference-eg-1", - "91": "mixed-integer-and-semantic-versioning-eg-1", - "92": "version-range-in-product-version-eg-1", - "93": "flag-without-product-reference-eg-1", - "94": "multiple-flags-with-vex-justification-codes-per-product-eg-1", - "95": "mandatory-tests--branches-recursion-depth-eg-1", - "96": "contradicting-remediations-eg-1", - "97": "contradicting-product-status-remediation-combination-eg-1", + "32": "document-property-distribution-eg-1", - "98": "unused-definition-of-product-id-eg-1", - "99": "missing-remediation-eg-1", - "100": "missing-metric-eg-1", - "101": "build-metadata-in-revision-history-eg-1", - "102": "older-initial-release-date-than-revision-history-eg-1", - "103": "older-current-release-date-than-revision-history-eg-1", - "104": "missing-date-in-involvements-eg-1", - "105": "use-of-md5-as-the-only-hash-algorithm-eg-1", - "106": "use-of-sha-1-as-the-only-hash-algorithm-eg-1", - "107": "missing-tlp-label-eg-1", - "108": "missing-canonical-url-eg-1", - "109": "missing-document-language-eg-1", - "110": "optional-tests--sorting-eg-1", - "111": "use-of-private-language-eg-1", - "112": "use-of-default-language-eg-1", - "113": "missing-product-identification-helper-eg-1", - "114": "cve-in-field-ids-eg-1", - "115": 
"product-version-range-without-vers-eg-1", - "116": "cvss-for-fixed-products-eg-1", - "117": "additional-properties-eg-1", - "118": "same-timestamps-in-revision-history-eg-1", - "119": "document-tracking-id-in-title-eg-1", - "120": "usage-of-deprecated-cwe-eg-1", - "121": "usage-of-non-latest-cwe-version-eg-1", - "122": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1", - "123": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1", - "124": "discouraged-product-status-remediation-combination-eg-1", - "125": "use-of-cvss-v2-as-the-only-scoring-system-eg-1", - "126": "use-of-cvss-v3-0-eg-1", - "127": "missing-cve-eg-1", - "128": "missing-cwe-eg-1", - "129": "use-of-short-hash-eg-1", - "130": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1", - "131": "use-of-self-referencing-urls-failing-to-resolve-eg-1", - "132": "spell-check-eg-1", - "133": "branch-categories-eg-1", - "134": "usage-of-product-version-range-eg-1", - "135": "usage-of-v-as-version-indicator-eg-1", - "136": "missing-cvss-v4-0-eg-1", - "137": "requirement-7-provider-metadata-json-eg-1", - "138": "requirement-8-security-txt-eg-1", - "139": "requirement-9-well-known-url-for-provider-metadata-json-eg-1", - "140": "requirement-11-one-folder-per-year-eg-1", - "141": "requirement-12-index-txt-eg-1", - "142": "requirement-13-changes-csv-eg-1", - "143": "requirement-15-rolie-feed-eg-1", - "144": "requirement-16-rolie-service-document-eg-1", - "145": "requirement-17-rolie-category-document-eg-1", - "146": "requirement-17-rolie-category-document-eg-2", - "147": "requirement-17-rolie-category-document-eg-3", - "148": "requirement-18-integrity-eg-1", - "149": "requirement-18-integrity-eg-2", - "150": "requirement-19-signatures-eg-1", - "151": "requirement-21-list-of-csaf-providers-eg-1", - "152": "requirement-23-mirror-eg-1", - "153": "conformance-clause-5-cvrf-csaf-converter-eg-1", - "154": "conformance-clause-5-cvrf-csaf-converter-eg-2", - "155": 
"conformance-clause-5-cvrf-csaf-converter-eg-3", - "156": "conformance-clause-5-cvrf-csaf-converter-eg-4" + "33": "document-property-distribution-text-eg-1", + "34": "document-property-distribution-tlp-eg-1", + "35": "document-property-publisher-contact-details-eg-1", + "36": "document-property-publisher-name-eg-1", + "37": "document-property-publisher-namespace-eg-1", + "38": "document-property-title-eg-1", + "39": "document-property-tracking-aliases-eg-1", + "40": "document-property-tracking-generator-eg-1", + "41": "document-property-tracking-generator-eg-2", + "42": "document-property-tracking-id-eg-1", + "43": "product-tree-property-product-groups-eg-1", + "44": "product-tree-property-relationships-eg-1", + "45": "vulnerabilities-property-cwes-eg-1", + "46": "vulnerabilities-property-cwes-eg-2", + "47": "vulnerabilities-property-cwes-eg-3", + "48": "vulnerabilities-property-ids-eg-1", + "49": "vulnerabilities-property-ids-eg-2", + "50": "filename-eg-1", + "51": "filename-eg-2", + "52": "missing-definition-of-product-id-eg-1", + "53": "multiple-definition-of-product-id-eg-1", + "54": "circular-definition-of-product-id-eg-1", + "55": "missing-definition-of-product-group-id-eg-1", + "56": "multiple-definition-of-product-group-id-eg-1", + "57": "contradicting-product-status-eg-1", + "58": "multiple-scores-with-same-version-per-product-eg-1", + "59": "invalid-cvss-eg-1", + "60": "invalid-cvss-computation-eg-1", + "61": "inconsistent-cvss-eg-1", + "62": "cwe-eg-1", + "63": "language-eg-1", + "64": "purl-eg-1", + "65": "sorted-revision-history-eg-1", + "66": "translator-eg-1", + "67": "latest-document-version-eg-1", + "68": "document-status-draft-eg-1", + "69": "released-revision-history-eg-1", + "70": "revision-history-entries-for-pre-release-versions-eg-1", + "71": "non-draft-document-version-eg-1", + "72": "missing-item-in-revision-history-eg-1", + "73": "multiple-definition-in-revision-history-eg-1", + "74": "multiple-use-of-same-cve-eg-1", + "75": 
"multiple-definition-in-involvements-eg-1", + "76": "multiple-use-of-same-hash-algorithm-eg-1", + "77": "prohibited-document-category-name-eg-1", + "78": "prohibited-document-category-name-eg-2", + "79": "document-notes-eg-1", + "80": "document-references-eg-1", + "81": "vulnerabilities-for-informational-advisory-eg-1", + "82": "product-tree-eg-1", + "83": "vulnerability-notes-eg-1", + "84": "product-status-eg-1", + "85": "vex-product-status-eg-1", + "86": "vulnerability-id-eg-1", + "87": "impact-statement-eg-1", + "88": "action-statement-eg-1", + "89": "vulnerabilities-for-security-advisory-or-vex-eg-1", + "90": "translation-eg-1", + "91": "remediation-without-product-reference-eg-1", + "92": "mixed-integer-and-semantic-versioning-eg-1", + "93": "version-range-in-product-version-eg-1", + "94": "flag-without-product-reference-eg-1", + "95": "multiple-flags-with-vex-justification-codes-per-product-eg-1", + "96": "mandatory-tests--branches-recursion-depth-eg-1", + "97": "contradicting-remediations-eg-1", + "98": "contradicting-product-status-remediation-combination-eg-1", + "99": "mandatory-tests--date-and-time-eg-1", + "100": "non-public-sharing-group-with-max-uuid-eg-1", + "101": "public-sharing-group-with-no-max-uuid-eg-1", + "102": "invalid-sharing-group-name-eg-1", + "103": "missing-sharing-group-name-eg-1", + "104": "unused-definition-of-product-id-eg-1", + "105": "missing-remediation-eg-1", + "107": "missing-metric-eg-1", + "108": "build-metadata-in-revision-history-eg-1", + "109": "older-initial-release-date-than-revision-history-eg-1", + "110": "older-current-release-date-than-revision-history-eg-1", + "111": "missing-date-in-involvements-eg-1", + "112": "use-of-md5-as-the-only-hash-algorithm-eg-1", + "113": "use-of-sha-1-as-the-only-hash-algorithm-eg-1", + "114": "missing-tlp-label-eg-1", + "115": "missing-canonical-url-eg-1", + "116": "missing-document-language-eg-1", + "117": "optional-tests--sorting-eg-1", + "118": "use-of-private-language-eg-1", + 
"119": "use-of-default-language-eg-1", + "120": "missing-product-identification-helper-eg-1", + "121": "cve-in-field-ids-eg-1", + "122": "product-version-range-without-vers-eg-1", + "123": "cvss-for-fixed-products-eg-1", + "124": "additional-properties-eg-1", + "125": "same-timestamps-in-revision-history-eg-1", + "126": "document-tracking-id-in-title-eg-1", + "127": "usage-of-deprecated-cwe-eg-1", + "128": "usage-of-non-latest-cwe-version-eg-1", + "129": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1", + "130": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1", + "131": "discouraged-product-status-remediation-combination-eg-1", + "132": "usage-of-max-uuid-eg-1", + "133": "usage-of-nil-uuid-eg-1", + "134": "usage-of-sharing-group-on-tlp-clear-eg-1", + "135": "use-of-cvss-v2-as-the-only-scoring-system-eg-1", + "136": "use-of-cvss-v3-0-eg-1", + "137": "missing-cve-eg-1", + "138": "missing-cwe-eg-1", + "139": "use-of-short-hash-eg-1", + "140": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1", + "141": "use-of-self-referencing-urls-failing-to-resolve-eg-1", + "142": "spell-check-eg-1", + "143": "branch-categories-eg-1", + "144": "usage-of-product-version-range-eg-1", + "145": "usage-of-v-as-version-indicator-eg-1", + "146": "missing-cvss-v4-0-eg-1", + "147": "requirement-7-provider-metadata-json-eg-1", + "148": "requirement-8-security-txt-eg-1", + "149": "requirement-9-well-known-url-for-provider-metadata-json-eg-1", + "150": "requirement-11-one-folder-per-year-eg-1", + "151": "requirement-12-index-txt-eg-1", + "152": "requirement-13-changes-csv-eg-1", + "153": "requirement-15-rolie-feed-eg-1", + "154": "requirement-16-rolie-service-document-eg-1", + "155": "requirement-17-rolie-category-document-eg-1", + "156": "requirement-17-rolie-category-document-eg-2", + "157": "requirement-17-rolie-category-document-eg-3", + "158": "requirement-18-integrity-eg-1", + "159": "requirement-18-integrity-eg-2", + "160": 
"requirement-19-signatures-eg-1", + "161": "requirement-21-list-of-csaf-providers-eg-1", + "162": "requirement-23-mirror-eg-1", + "163": "conformance-clause-5-cvrf-csaf-converter-eg-1", + "164": "conformance-clause-5-cvrf-csaf-converter-eg-2", + "165": "conformance-clause-5-cvrf-csaf-converter-eg-3", + "166": "conformance-clause-5-cvrf-csaf-converter-eg-4" } diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json index b5dddb861..248dea51d 100644 --- a/csaf_2.1/prose/edit/etc/example-local-to-global.json +++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json 
@@ -3,46 +3,47 @@ "acknowledgments-type-names-eg-1": "1", "acknowledgments-type-organization-eg-1": "2", "acknowledgments-type-summary-eg-1": "3", - "action-statement-eg-1": "87", - "additional-properties-eg-1": "117", - "branch-categories-eg-1": "133", + "action-statement-eg-1": "88", + "additional-properties-eg-1": "124", + "branch-categories-eg-1": "143", "branches-type-name-eg-1": "5", "branches-type-name-under-product-version-eg-1": "6", "branches-type-name-under-product-version-eg-2": "7", "branches-type-name-under-product-version-range-eg-1": "8", "branches-type-name-under-product-version-range-eg-2": "9", - "build-metadata-in-revision-history-eg-1": "101", - "circular-definition-of-product-id-eg-1": "53", - "conformance-clause-5-cvrf-csaf-converter-eg-1": "153", - "conformance-clause-5-cvrf-csaf-converter-eg-2": "154", - "conformance-clause-5-cvrf-csaf-converter-eg-3": "155", - "conformance-clause-5-cvrf-csaf-converter-eg-4": "156", - "contradicting-product-status-eg-1": "56", - "contradicting-product-status-remediation-combination-eg-1": "97", - "contradicting-remediations-eg-1": "96", - "cve-in-field-ids-eg-1": "114", - "cvss-for-fixed-products-eg-1": "116", - "cwe-eg-1": "61", - "discouraged-product-status-remediation-combination-eg-1": "124", - "document-notes-eg-1": "78", + "build-metadata-in-revision-history-eg-1": "108", + "circular-definition-of-product-id-eg-1": "54", + "conformance-clause-5-cvrf-csaf-converter-eg-1": "163", + "conformance-clause-5-cvrf-csaf-converter-eg-2": "164", + "conformance-clause-5-cvrf-csaf-converter-eg-3": "165", + "conformance-clause-5-cvrf-csaf-converter-eg-4": "166", + "contradicting-product-status-eg-1": "57", + "contradicting-product-status-remediation-combination-eg-1": "98", + "contradicting-remediations-eg-1": "97", + "cve-in-field-ids-eg-1": "121", + "cvss-for-fixed-products-eg-1": "123", + "cwe-eg-1": "62", + "discouraged-product-status-remediation-combination-eg-1": "131", + "document-notes-eg-1": "79", 
"document-property-aggregate-severity-eg-1": "30", "document-property-category-eg-1": "31", - "document-property-distribution-text-eg-1": "32", - "document-property-distribution-tlp-eg-1": "33", - "document-property-publisher-contact-details-eg-1": "34", - "document-property-publisher-name-eg-1": "35", - "document-property-publisher-namespace-eg-1": "36", - "document-property-title-eg-1": "37", - "document-property-tracking-aliases-eg-1": "38", - "document-property-tracking-generator-eg-1": "39", - "document-property-tracking-generator-eg-2": "40", - "document-property-tracking-id-eg-1": "41", - "document-references-eg-1": "79", - "document-status-draft-eg-1": "67", - "document-tracking-id-in-title-eg-1": "119", - "filename-eg-1": "49", - "filename-eg-2": "50", - "flag-without-product-reference-eg-1": "93", + "document-property-distribution-eg-1": "32", + "document-property-distribution-text-eg-1": "33", + "document-property-distribution-tlp-eg-1": "34", + "document-property-publisher-contact-details-eg-1": "35", + "document-property-publisher-name-eg-1": "36", + "document-property-publisher-namespace-eg-1": "37", + "document-property-title-eg-1": "38", + "document-property-tracking-aliases-eg-1": "39", + "document-property-tracking-generator-eg-1": "40", + "document-property-tracking-generator-eg-2": "41", + "document-property-tracking-id-eg-1": "42", + "document-references-eg-1": "80", + "document-status-draft-eg-1": "68", + "document-tracking-id-in-title-eg-1": "126", + "filename-eg-1": "50", + "filename-eg-2": "51", + "flag-without-product-reference-eg-1": "94", "full-product-name-type-name-eg-1": "10", "full-product-name-type-product-identification-helper-generic-uris-eg-1": "16", "full-product-name-type-product-identification-helper-generic-uris-eg-2": "17", 
@@ -51,94 +52,102 @@ "full-product-name-type-product-identification-helper-hashes-eg-3": "13", "full-product-name-type-product-identification-helper-model-numbers-eg-1": "14", "full-product-name-type-product-identification-helper-sbom-urls-eg-1": "15", - "impact-statement-eg-1": "86", - "inconsistent-cvss-eg-1": "60", - "invalid-cvss-computation-eg-1": "59", - "invalid-cvss-eg-1": "58", - "language-eg-1": "62", + "impact-statement-eg-1": "87", + "inconsistent-cvss-eg-1": "61", + "invalid-cvss-computation-eg-1": "60", + "invalid-cvss-eg-1": "59", + "invalid-sharing-group-name-eg-1": "102", + "language-eg-1": "63", "language-type-eg-1": "18", - "latest-document-version-eg-1": "66", - "mandatory-tests--branches-recursion-depth-eg-1": "95", - "missing-canonical-url-eg-1": "108", - "missing-cve-eg-1": "127", - "missing-cvss-v4-0-eg-1": "136", - "missing-cwe-eg-1": "128", - "missing-date-in-involvements-eg-1": "104", - "missing-definition-of-product-group-id-eg-1": "54", - "missing-definition-of-product-id-eg-1": "51", - "missing-document-language-eg-1": "109", - "missing-item-in-revision-history-eg-1": "71", - "missing-metric-eg-1": "100", - "missing-product-identification-helper-eg-1": "113", - "missing-remediation-eg-1": "99", - "missing-tlp-label-eg-1": "107", - "mixed-integer-and-semantic-versioning-eg-1": "91", - "multiple-definition-in-involvements-eg-1": "74", - "multiple-definition-in-revision-history-eg-1": "72", - "multiple-definition-of-product-group-id-eg-1": "55", - "multiple-definition-of-product-id-eg-1": "52", - "multiple-flags-with-vex-justification-codes-per-product-eg-1": "94", - "multiple-scores-with-same-version-per-product-eg-1": "57", - "multiple-use-of-same-cve-eg-1": "73", - "multiple-use-of-same-hash-algorithm-eg-1": "75", - "non-draft-document-version-eg-1": "70", + "latest-document-version-eg-1": "67", + "mandatory-tests--branches-recursion-depth-eg-1": "96", + "mandatory-tests--date-and-time-eg-1": "99", + "missing-canonical-url-eg-1": 
"115", + "missing-cve-eg-1": "137", + "missing-cvss-v4-0-eg-1": "146", + "missing-cwe-eg-1": "138", + "missing-date-in-involvements-eg-1": "111", + "missing-definition-of-product-group-id-eg-1": "55", + "missing-definition-of-product-id-eg-1": "52", + "missing-document-language-eg-1": "116", + "missing-item-in-revision-history-eg-1": "72", + "missing-metric-eg-1": "107", + "missing-product-identification-helper-eg-1": "120", + "missing-remediation-eg-1": "105", + "missing-sharing-group-name-eg-1": "103", + "missing-tlp-label-eg-1": "114", + "mixed-integer-and-semantic-versioning-eg-1": "92", + "multiple-definition-in-involvements-eg-1": "75", + "multiple-definition-in-revision-history-eg-1": "73", + "multiple-definition-of-product-group-id-eg-1": "56", + "multiple-definition-of-product-id-eg-1": "53", + "multiple-flags-with-vex-justification-codes-per-product-eg-1": "95", + "multiple-scores-with-same-version-per-product-eg-1": "58", + "multiple-use-of-same-cve-eg-1": "74", + "multiple-use-of-same-hash-algorithm-eg-1": "76", + "non-draft-document-version-eg-1": "71", + "non-public-sharing-group-with-max-uuid-eg-1": "100", "notes-type-eg-1": "19", "notes-type-eg-2": "20", - "older-current-release-date-than-revision-history-eg-1": "103", - "older-initial-release-date-than-revision-history-eg-1": "102", - "optional-tests--sorting-eg-1": "110", + "older-current-release-date-than-revision-history-eg-1": "110", + "older-initial-release-date-than-revision-history-eg-1": "109", + "optional-tests--sorting-eg-1": "117", "product-group-id-type-eg-1": "21", "product-id-type-eg-1": "22", - "product-status-eg-1": "83", - "product-tree-eg-1": "81", - "product-tree-property-product-groups-eg-1": "42", - "product-tree-property-relationships-eg-1": "43", - "product-version-range-without-vers-eg-1": "115", - "prohibited-document-category-name-eg-1": "76", - "prohibited-document-category-name-eg-2": "77", - "purl-eg-1": "63", - "released-revision-history-eg-1": "68", - 
"remediation-without-product-reference-eg-1": "90", - "requirement-11-one-folder-per-year-eg-1": "140", - "requirement-12-index-txt-eg-1": "141", - "requirement-13-changes-csv-eg-1": "142", - "requirement-15-rolie-feed-eg-1": "143", - "requirement-16-rolie-service-document-eg-1": "144", - "requirement-17-rolie-category-document-eg-1": "145", - "requirement-17-rolie-category-document-eg-2": "146", - "requirement-17-rolie-category-document-eg-3": "147", - "requirement-18-integrity-eg-1": "148", - "requirement-18-integrity-eg-2": "149", - "requirement-19-signatures-eg-1": "150", - "requirement-21-list-of-csaf-providers-eg-1": "151", - "requirement-23-mirror-eg-1": "152", - "requirement-7-provider-metadata-json-eg-1": "137", - "requirement-8-security-txt-eg-1": "138", - "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "139", - "revision-history-entries-for-pre-release-versions-eg-1": "69", - "same-timestamps-in-revision-history-eg-1": "118", - "sorted-revision-history-eg-1": "64", - "spell-check-eg-1": "132", - "translation-eg-1": "89", - "translator-eg-1": "65", + "product-status-eg-1": "84", + "product-tree-eg-1": "82", + "product-tree-property-product-groups-eg-1": "43", + "product-tree-property-relationships-eg-1": "44", + "product-version-range-without-vers-eg-1": "122", + "prohibited-document-category-name-eg-1": "77", + "prohibited-document-category-name-eg-2": "78", + "public-sharing-group-with-no-max-uuid-eg-1": "101", + "purl-eg-1": "64", + "released-revision-history-eg-1": "69", + "remediation-without-product-reference-eg-1": "91", + "requirement-11-one-folder-per-year-eg-1": "150", + "requirement-12-index-txt-eg-1": "151", + "requirement-13-changes-csv-eg-1": "152", + "requirement-15-rolie-feed-eg-1": "153", + "requirement-16-rolie-service-document-eg-1": "154", + "requirement-17-rolie-category-document-eg-1": "155", + "requirement-17-rolie-category-document-eg-2": "156", + "requirement-17-rolie-category-document-eg-3": "157", + 
"requirement-18-integrity-eg-1": "158", + "requirement-18-integrity-eg-2": "159", + "requirement-19-signatures-eg-1": "160", + "requirement-21-list-of-csaf-providers-eg-1": "161", + "requirement-23-mirror-eg-1": "162", + "requirement-7-provider-metadata-json-eg-1": "147", + "requirement-8-security-txt-eg-1": "148", + "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "149", + "revision-history-entries-for-pre-release-versions-eg-1": "70", + "same-timestamps-in-revision-history-eg-1": "125", + "sorted-revision-history-eg-1": "65", + "spell-check-eg-1": "142", + "translation-eg-1": "90", + "translator-eg-1": "66", "typographical-conventions-eg-1": "4321", - "unused-definition-of-product-id-eg-1": "98", - "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "123", - "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "122", - "usage-of-deprecated-cwe-eg-1": "120", - "usage-of-non-latest-cwe-version-eg-1": "121", - "usage-of-product-version-range-eg-1": "134", - "usage-of-v-as-version-indicator-eg-1": "135", - "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "125", - "use-of-cvss-v3-0-eg-1": "126", - "use-of-default-language-eg-1": "112", - "use-of-md5-as-the-only-hash-algorithm-eg-1": "105", - "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "130", - "use-of-private-language-eg-1": "111", - "use-of-self-referencing-urls-failing-to-resolve-eg-1": "131", - "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "106", - "use-of-short-hash-eg-1": "129", - "version-range-in-product-version-eg-1": "92", + "unused-definition-of-product-id-eg-1": "104", + "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "130", + "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "129", + "usage-of-deprecated-cwe-eg-1": "127", + "usage-of-max-uuid-eg-1": "132", + "usage-of-nil-uuid-eg-1": "133", + "usage-of-non-latest-cwe-version-eg-1": "128", + "usage-of-product-version-range-eg-1": "144", + 
"usage-of-sharing-group-on-tlp-clear-eg-1": "134", + "usage-of-v-as-version-indicator-eg-1": "145", + "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "135", + "use-of-cvss-v3-0-eg-1": "136", + "use-of-default-language-eg-1": "119", + "use-of-md5-as-the-only-hash-algorithm-eg-1": "112", + "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "140", + "use-of-private-language-eg-1": "118", + "use-of-self-referencing-urls-failing-to-resolve-eg-1": "141", + "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "113", + "use-of-short-hash-eg-1": "139", + "version-range-in-product-version-eg-1": "93", "version-type-eg-1": "23", "version-type-semantic-versioning-eg-1": "24", "version-type-semantic-versioning-eg-2": "25", @@ -146,14 +155,14 @@ "version-type-semantic-versioning-eg-4": "27", "version-type-semantic-versioning-eg-5": "28", "version-type-semantic-versioning-eg-6": "29", - "vex-product-status-eg-1": "84", - "vulnerabilities-for-informational-advisory-eg-1": "80", - "vulnerabilities-for-security-advisory-or-vex-eg-1": "88", - "vulnerabilities-property-cwes-eg-1": "44", - "vulnerabilities-property-cwes-eg-2": "45", - "vulnerabilities-property-cwes-eg-3": "46", - "vulnerabilities-property-ids-eg-1": "47", - "vulnerabilities-property-ids-eg-2": "48", - "vulnerability-id-eg-1": "85", - "vulnerability-notes-eg-1": "82" + "vex-product-status-eg-1": "85", + "vulnerabilities-for-informational-advisory-eg-1": "81", + "vulnerabilities-for-security-advisory-or-vex-eg-1": "89", + "vulnerabilities-property-cwes-eg-1": "45", + "vulnerabilities-property-cwes-eg-2": "46", + "vulnerabilities-property-cwes-eg-3": "47", + "vulnerabilities-property-ids-eg-1": "48", + "vulnerabilities-property-ids-eg-2": "49", + "vulnerability-id-eg-1": "86", + "vulnerability-notes-eg-1": "83" } \ No newline at end of file diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json index e28c2a37f..fbf248489 100644 
--- a/csaf_2.1/prose/edit/etc/section-display-to-label.json +++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json @@ -53,8 +53,9 @@ "3.2.2.3": "document-property-category", "3.2.2.4": "document-property-csaf-version", "3.2.2.5": "document-property-distribution", - "3.2.2.5.1": "document-property-distribution-text", - "3.2.2.5.2": "document-property-distribution-tlp", + "3.2.2.5.1": "document-property-distribution-sharing-group", + "3.2.2.5.2": "document-property-distribution-text", + "3.2.2.5.3": "document-property-distribution-tlp", "3.2.2.6": "document-property-language", "3.2.2.7": "document-property-notes", "3.2.2.8": "document-property-publisher", @@ -166,6 +167,11 @@ "6.1.34": "mandatory-tests--branches-recursion-depth", "6.1.35": "contradicting-remediations", "6.1.36": "contradicting-product-status-remediation-combination", + "6.1.37": "mandatory-tests--date-and-time", + "6.1.38": "non-public-sharing-group-with-max-uuid", + "6.1.39": "public-sharing-group-with-no-max-uuid", + "6.1.40": "invalid-sharing-group-name", + "6.1.41": "missing-sharing-group-name", "6.2": "optional-tests", "6.2.1": "unused-definition-of-product-id", "6.2.2": "missing-remediation", @@ -194,6 +200,9 @@ "6.2.25": "usage-of-cwe-not-allowed-for-vulnerability-mapping", "6.2.26": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping", "6.2.27": "discouraged-product-status-remediation-combination", + "6.2.28": "usage-of-max-uuid", + "6.2.29": "usage-of-nil-uuid", + "6.2.30": "usage-of-sharing-group-on-tlp-clear", "6.3": "informative-test", "6.3.1": "use-of-cvss-v2-as-the-only-scoring-system", "6.3.2": "use-of-cvss-v3-0", @@ -273,7 +282,7 @@ "C.1": "file-size", "C.2": "array-length", "C.3": "string-length", - "C.4": "uri-length", + "C.4": "date", "C.5": "enum", - "C.6": "date" + "C.6": "uri-length" } diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json index 6a6e39183..d22cf8838 100644 
--- a/csaf_2.1/prose/edit/etc/section-label-to-display.json +++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json @@ -54,7 +54,7 @@ "cve-in-field-ids": "6.2.17", "cvss-for-fixed-products": "6.2.19", "cwe": "6.1.11", - "date": "C.6", + "date": "C.4", "date-and-time": "2.2", "definitions": "3.1", "design-considerations": "2", @@ -67,8 +67,9 @@ "document-property-category": "3.2.2.3", "document-property-csaf-version": "3.2.2.4", "document-property-distribution": "3.2.2.5", - "document-property-distribution-text": "3.2.2.5.1", - "document-property-distribution-tlp": "3.2.2.5.2", + "document-property-distribution-sharing-group": "3.2.2.5.1", + "document-property-distribution-text": "3.2.2.5.2", + "document-property-distribution-tlp": "3.2.2.5.3", "document-property-language": "3.2.2.6", "document-property-notes": "3.2.2.7", "document-property-publisher": "3.2.2.8", @@ -117,12 +118,14 @@ "introduction": "1", "invalid-cvss": "6.1.8", "invalid-cvss-computation": "6.1.9", + "invalid-sharing-group-name": "6.1.40", "ipr-policy": "1.1", "language": "6.1.12", "language-type": "3.1.4", "latest-document-version": "6.1.16", "mandatory-tests": "6.1", "mandatory-tests--branches-recursion-depth": "6.1.34", + "mandatory-tests--date-and-time": "6.1.37", "missing-canonical-url": "6.2.11", "missing-cve": "6.3.3", "missing-cvss-v4-0": "6.3.12", @@ -135,6 +138,7 @@ "missing-product-identification-helper": "6.2.16", "missing-remediation": "6.2.2", "missing-metric": "6.2.3", + "missing-sharing-group-name": "6.1.41", "missing-tlp-label": "6.2.10", "mixed-integer-and-semantic-versioning": "6.1.30", "multiple-definition-in-involvements": "6.1.24", @@ -146,6 +150,7 @@ "multiple-use-of-same-cve": "6.1.23", "multiple-use-of-same-hash-algorithm": "6.1.25", "non-draft-document-version": "6.1.20", + "non-public-sharing-group-with-max-uuid": "6.1.38", "normative-references": "1.3", "notes-type": "3.1.5", "older-current-release-date-than-revision-history": "6.2.6", 
@@ -173,6 +178,7 @@
 "profiles": "4",
 "prohibited-document-category-name": "6.1.26",
 "properties": "3.2",
+ "public-sharing-group-with-no-max-uuid": "6.1.39",
 "purl": "6.1.13",
 "references-type": "3.1.10",
 "released-revision-history": "6.1.18",
@@ -224,12 +230,15 @@
 "translator": "6.1.15",
 "typographical-conventions": "1.5",
 "unused-definition-of-product-id": "6.2.1",
- "uri-length": "C.4",
+ "uri-length": "C.6",
 "usage-of-cwe-allowed-with-review-for-vulnerability-mapping": "6.2.26",
 "usage-of-cwe-not-allowed-for-vulnerability-mapping": "6.2.25",
 "usage-of-deprecated-cwe": "6.2.23",
+ "usage-of-max-uuid": "6.2.28",
+ "usage-of-nil-uuid": "6.2.29",
 "usage-of-non-latest-cwe-version": "6.2.24",
 "usage-of-product-version-range": "6.3.10",
+ "usage-of-sharing-group-on-tlp-clear": "6.2.30",
 "usage-of-v-as-version-indicator": "6.3.11",
 "use-of-cvss-v2-as-the-only-scoring-system": "6.3.1",
 "use-of-cvss-v3-0": "6.3.2",
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md
similarity index 100%
rename from csaf_2.1/prose/edit/src/tests-01-mndtr-39-non-public-sharing-group-with-max-uuid.md
rename to csaf_2.1/prose/edit/src/tests-01-mndtr-38-non-public-sharing-group-with-max-uuid.md
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
similarity index 100%
rename from csaf_2.1/prose/edit/src/tests-01-mndtr-40-public-sharing-group-with-no-max-uuid.md
rename to csaf_2.1/prose/edit/src/tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-41-invalid-sharing-group-name.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-40-invalid-sharing-group-name.md diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-41-missing-sharing-group-name.md similarity index 100% rename from csaf_2.1/prose/edit/src/tests-01-mndtr-42-missing-sharing-group-name.md rename to csaf_2.1/prose/edit/src/tests-01-mndtr-41-missing-sharing-group-name.md diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index 1b6b3547d..f3304ea77 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -892,7 +892,7 @@ The relevant path for this test is: > A tool MAY remove the property `sharing_group` as a quick fix. -### Usage of Sharing Group on TLP:CLEAR +### Usage of Sharing Group on TLP:CLEAR{#usage-of-sharing-group-on-tlp-clear} It MUST be tested that no sharing group is used if the document is `TLP:CLEAR`. diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html index c99352a0c..a7440bdd4 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.html +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html @@ -41,8 +41,8 @@

Committee Specification Draft 01

-

- 30 October 2024 +

+ 27 November 2024

This stage: @@ -160,7 +160,7 @@

[csaf-v2.1]

- Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: Common Security Advisory Framework Version 2.1. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.


@@ -338,9 +338,11 @@

  • 3.2.2.5 Document Property - Distribution
  • @@ -594,6 +596,16 @@

  • 6.1.36 Contradicting Product Status Remediation Combination
  • +
  • 6.1.37 Date and Time +
  • +
  • 6.1.38 Non-Public Sharing Group with Max UUID +
  • +
  • 6.1.39 Public Sharing Group with no Max UUID +
  • +
  • 6.1.40 Invalid Sharing Group Name +
  • +
  • 6.1.41 Missing Sharing Group Name +
  • 6.2 Optional Tests @@ -652,6 +664,12 @@

  • 6.2.27 Discouraged Product Status Remediation Combination
  • +
  • 6.2.28 Usage of Max UUID +
  • +
  • 6.2.29 Usage of Nil UUID +
  • +
  • 6.2.30 Usage of Sharing Group on TLP:CLEAR +
  • 6.3 Informative Test @@ -823,18 +841,20 @@

  • Appendix B. Revision History
  • Appendix C. Guidance on the Size of CSAF Documents +
  • +
  • Appendix C. File Size +
  • +
  • Appendix C. Array Length +
  • +
  • Appendix C. String Length
  • @@ -1380,6 +1400,9 @@

    [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, https://www.rfc-editor.org/info/rfc3339.

    +

    + [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, https://www.rfc-editor.org/info/rfc4180. +

    [RFC7464] Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, https://www.rfc-editor.org/info/rfc7464.

    @@ -1389,6 +1412,9 @@

    [RFC8259] T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, https://www.rfc-editor.org/info/rfc8259.

    +

    + [RFC9562] Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, https://www.rfc-editor.org/info/rfc9562. +

    1.4 Informative References

    @@ -1472,6 +1498,9 @@

    [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, https://www.rfc-editor.org/info/rfc3986.

    +

    + [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, https://www.rfc-editor.org/info/rfc4122. +

    [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, https://www.rfc-editor.org/info/rfc4880.

    @@ -1686,18 +1715,20 @@

    2.2 Date and Time

    - This standard uses the date-time format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with RFC 3339 and ISO 8601, the following rules apply: + This standard uses the date-time format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply:

    • The letter T separating the date and time SHALL be upper case.
    • +
    • The separator between date and time MUST be the letter T. +
    • The letter Z indicating the timezone UTC SHALL be upper case.
    • Fractions of seconds are allowed as specified in the standards mention above with the full stop (.) as separator.
    • Leap seconds are supported. However, they SHOULD be avoided if possible.
    • -
    • Empty timezones are prohibited. +
    • Empty timezones MUST NOT be used.
    • The ABNF of RFC 3339, section 5.6 applies.
    • @@ -3078,11 +3109,14 @@

      3.2.2.5 Document Property - Distribution

      - Rules for sharing document (distribution) of value type object with the mandatory property Traffic Light Protocol (TLP) (tlp) and the optional property Text (text) describes any constraints on how this document might be shared. + Rules for sharing document (distribution) of value type object with the mandatory property Traffic Light Protocol (TLP) (tlp) and the optional properties Sharing Group (Sharing Group) and Text (text) describes any constraints on how this document might be shared.

          "distribution": {
             // ...
             "properties": {
      +        "sharing_group": {
      +          // ...
      +        },
               "text": {
                 // ...
               },
      @@ -3092,22 +3126,111 @@ 

      } },

      - If both values are present, the TLP information SHOULD be preferred as this aids in automation. + If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. The Sharing Group SHALL be interpreted as specification to the TLP information. Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: +

      +

      + Examples 1:

      -
      - 3.2.2.5.1 Document Property - Distribution - Text +
          E-ISAC members-only
      +    Only releasable to European Energy sector
      +    Releasable to NATO countries
      +
      +

      + Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. +

      +
      +
      + 3.2.2.5.1 Document Property - Distribution - Sharing Group +
      +

      + Sharing Group (sharing_group) of value type object with the mandatory property Sharing Group ID (id) and the optional property Sharing Group Name (name) contains information about the group this document is intended to be shared with. +

      +
              "sharing_group": {
      +          // ...
      +          "properties": {
      +            "id": {
      +              // ...
      +            },
      +            "name": {
      +              // ...
      +            }
      +          }
      +        },
      +

      + Sharing Group ID (id) of value type string with format uuid and pattern (regular expression): +

      +
          ^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$
      +

      + Sharing Group ID provides the unique ID for the sharing group. This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. +

      +
      +

      + Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. +

      +
      +

      + The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. It MUST differ if a different sharing group is addressed. +

      +

      + The ID SHALL be valid according to [RFC9562] and recorded in the 8-4-4-4-12 notation in lower case. The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. TLP:GREEN and above. +

      +

      + The following ID values SHOULD NOT be used unless there are technical reasons for them. Therefore, they are reserved for implementation-specific situations: +

      +
        +
      • A system MAY use the Max UUID for TLP:CLEAR CSAF documents. +
        +

        + For example, the system uses the UUID as an indication whether a user allowed to see the document. The security considerations from [RFC9562] should be reflected on. +

        +
        +
      • +
      • A system MAY use the Nil UUID for CSAF documents that MUST NOT be shared. +
        +

        + For example, the CSAF document is just being drafted and the accidental leakage should be prevented. +

        +
        +
      • +
      +
      +

      + Note, that both values do not indicate a closed sharing group. +

      +
      +

      + A CSAF document with TLP:CLEAR SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (ffffffff-ffff-ffff-ffff-ffffffffffff). +

      +

      + If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section sec) regarding the generation of the value of /document/tracking/id SHALL be applied. This implies that usually the sharing group + ID is used as a prefix to the original /document/tracking/id. +

      +

      + Sharing Group Name (name) of value type string with one or more characters contains a human-readable name for the sharing group. +

      +

      + The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. However, the following values are reserved for the conditions below: +

      +
        +
      • For the Max UUID, the value of name SHALL exist and be Public. +
      • +
      • For the Nil UUID, the value of name SHALL exist and be No sharing allowed. +
      • +
      +
      + 3.2.2.5.2 Document Property - Distribution - Text

      The Textual description (text) of value type string with 1 or more characters provides a textual description of additional constraints.

      - Examples 1: + Examples 1:

          Copyright 2024, Example Company, All Rights Reserved.
           Distribute freely.
           Share only on a need-to-know-basis only.
      -
      - 3.2.2.5.2 Document Property - Distribution - TLP +
      + 3.2.2.5.3 Document Property - Distribution - TLP

      Traffic Light Protocol (TLP) (tlp) of value type object with the mandatory property Label (label) and the optional property URL (url) provides details about the TLP classification of the document. @@ -3149,7 +3272,7 @@

          https://www.first.org/tlp/

      - Examples 1: + Examples 1:

          https://www.us-cert.gov/tlp
           https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf
      @@ -3288,7 +3411,7 @@
      The value user indicates anyone using a vendor’s product.

      - The value vendor indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners. + The value vendor indicates developers or maintainers of information system products or services. This includes all authoritative product vendors, product security incident response teams (PSIRTs), open source projects as well as product resellers and distributors, including authoritative vendor partners.

      3.2.2.8.2 Document Property - Publisher - Contact Details @@ -3297,7 +3420,7 @@
      Contact details (contact_details) of value type string with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.

      - Example 1: + Example 1:

          Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact.
      @@ -3313,7 +3436,7 @@
      The Name of publisher (name) of value type string with 1 or more characters contains the name of the issuing party.

      - Example 1: + Example 1:

           BSI
            Cisco PSIRT
      @@ -3342,7 +3465,7 @@ 

    - Examples 1: + Examples 1:

        https://csaf.io
         https://www.example.com
    @@ -3377,7 +3500,7 @@

    Title of this document (title) of value type string with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.

    - Examples 1: + Examples 1:

        Cisco IPv6 Crafted Packet Denial of Service Vulnerability
         Example Company Cross-Site-Scripting Vulnerability in Example Generator
    @@ -3433,7 +3556,7 @@

    Every such Alternate Name of value type string with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.

    - Example 1: + Example 1:

        CVE-2019-12345
    @@ -3482,7 +3605,7 @@
    Engine name (name) of value type string with 1 or more characters represents the name of the engine that generated the CSAF document.

    - Examples 1: + Examples 1:

        Red Hat rhsa-to-cvrf
         Secvisogram
    @@ -3496,7 +3619,7 @@ 

    - Examples 2: + Examples 2:

        0.6.0
         1.0.0-beta+exp.sha.a1c44f85
    @@ -3520,7 +3643,7 @@ 
    The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.

    - Examples 1: + Examples 1:

        Example Company - 2019-YH3234
         RHBA-2019:0024
    @@ -3685,7 +3808,7 @@ 

    The summary of the product group (summary) of value type string with 1 or more characters gives a short, optional description of the group.

    - Examples 1: + Examples 1:

        Products supporting Modbus.
         The x64 versions of the operating system.
    @@ -3763,7 +3886,7 @@

    Relates to Product Reference (relates_to_product_reference) of value type Product ID (product_id_t) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.

    - Examples 1: + Examples 1:

      "product_tree": {
         "full_product_names": [
    @@ -3916,7 +4039,7 @@ 

    It holds the ID for the weakness associated.

    - Examples 1: + Examples 1:

        CWE-22
         CWE-352
    @@ -3925,7 +4048,7 @@ 

    The Weakness name (name) has value type string with 1 or more characters and holds the full name of the weakness as given in the CWE specification.

    - Examples 2: + Examples 2:

        Cross-Site Request Forgery (CSRF)
         Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    @@ -3938,7 +4061,7 @@ 

    It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.

    - Examples 3: + Examples 3:

        "1.0",
         "3.4.1",
    @@ -4063,7 +4186,7 @@ 

    System name (system_name) of value type string with 1 or more characters indicates the name of the vulnerability tracking or numbering system.

    - Examples 1: + Examples 1:

        Cisco Bug ID
         GitHub Issue
    @@ -4071,7 +4194,7 @@

    Text (text) of value type string with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).

    - Examples 2: + Examples 2:

        CSCso66472
         oasis-tcs/csaf#210
    @@ -5403,7 +5526,7 @@

  • - Examples 1: + Examples 1:

      cisco-sa-20190513-secureboot.json
       example_company_-_2019-yh3234.json
    @@ -5414,7 +5537,7 @@ 

    - Examples 2: + Examples 2:

      cisco-sa-20190513-secureboot_invalid.json
       example_company_-_2019-yh3234_invalid.json
    @@ -5500,7 +5623,7 @@ 

    /vulnerabilities[]/remediations[]/product_ids[] /vulnerabilities[]/threats[]/product_ids[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "product_groups": [
    @@ -5531,7 +5654,7 @@ 

    /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5567,7 +5690,7 @@ 

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5606,7 +5729,7 @@ 

      /vulnerabilities[]/remediations[]/group_ids
       /vulnerabilities[]/threats[]/group_ids

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5645,7 +5768,7 @@ 

        /product_tree/product_groups[]/group_id

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5728,7 +5851,7 @@ 

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5771,7 +5894,7 @@ 

        /vulnerabilities[]/metrics[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -5831,7 +5954,7 @@ 

    /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.1",
    @@ -5878,7 +6001,7 @@ 

    /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.1",
    @@ -5909,7 +6032,7 @@ 

    /vulnerabilities[]/metrics[]/content/cvss_v3 /vulnerabilities[]/metrics[]/content/cvss_v4

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.1",
    @@ -5946,7 +6069,7 @@ 

        /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cwes": [
         {
    @@ -5972,7 +6095,7 @@ 

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "lang": "EZ"
    @@ -5998,7 +6121,7 @@

    /product_tree/full_product_names[]/product_identification_helper/purl /product_tree/relationships[]/full_product_name/product_identification_helper/purl

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6027,7 +6150,7 @@ 

        /document/tracking/revision_history

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "revision_history": [
         {
    @@ -6057,7 +6180,7 @@ 

        /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -6086,7 +6209,7 @@ 

        /document/tracking/version

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "tracking": {
         // ...
    @@ -6121,7 +6244,7 @@ 

        /document/tracking/status

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6144,7 +6267,7 @@ 

        /document/tracking/revision_history[]/number

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6179,7 +6302,7 @@ 

        /document/tracking/revision_history[]/number

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
    @@ -6209,7 +6332,7 @@ 

        /document/tracking/version

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6233,7 +6356,7 @@ 

        /document/tracking/revision_history

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
    @@ -6263,7 +6386,7 @@ 

        /document/tracking/revision_history

    - Example 1 (which fails the test): + Example 1 (which fails the test):

       "revision_history": [
           {
    @@ -6293,7 +6416,7 @@ 

        /vulnerabilities[]/cve

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6319,7 +6442,7 @@ 

        /vulnerabilities[]/involvements

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6356,7 +6479,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6416,7 +6539,7 @@ 

      /document/category

    - Examples 1 (for currently prohibited values): + Examples 1 (for currently prohibited values):

      Csaf_a
       Informational Advisory
    @@ -6425,7 +6548,7 @@ 

    veX V_eX

    - Example 2 (which fails the test): + Example 2 (which fails the test):

      "category": "Security_Incident_Response"
    @@ -6460,7 +6583,7 @@

      /document/notes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "notes": [
         {
    @@ -6490,7 +6613,7 @@ 

      /document/references

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "references": [
         {
    @@ -6519,7 +6642,7 @@ 

      /vulnerabilities

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6552,7 +6675,7 @@ 

      /product_tree

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      {
         "document": {
    @@ -6583,7 +6706,7 @@ 

      /vulnerabilities[]/notes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6610,7 +6733,7 @@ 

      /vulnerabilities[]/product_status

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6640,7 +6763,7 @@ 

    /vulnerabilities[]/product_status/known_not_affected /vulnerabilities[]/product_status/under_investigation

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_status": {
         "first_fixed": [
    @@ -6671,7 +6794,7 @@ 

      /vulnerabilities[]/cve
       /vulnerabilities[]/ids

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -6699,7 +6822,7 @@ 

      /vulnerabilities[]/flags
       /vulnerabilities[]/threats

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6770,7 +6893,7 @@ 

      /vulnerabilities[]/remediations

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -6843,7 +6966,7 @@ 

      /vulnerabilities

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      {
         "document": {
    @@ -6870,7 +6993,7 @@ 

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -6903,7 +7026,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "remediations": [
             {
    @@ -6933,7 +7056,7 @@ 

      /document/tracking/revision_history[]/number
       /document/tracking/version

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -6970,26 +7093,38 @@ 

    - To implement this test it is deemed sufficient that, when converted to lower case, the value of name does not contain any of the following strings: + To implement this test it is deemed sufficient that, when converted to lower case, the value of name satisfies the two requirements below:

    -
      <
    +      
      +
    1. +

      + It does not contain any of the following operators: +

      +
        <
         <=
         >
      -  >=
      -  after
      +  >=
      +
    2. +
    3. +

      + If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: +

      +
        after
         all
         before
         earlier
         later
         prior
         versions
      +
    4. +

    The relevant paths for this test are:

      /product_tree/branches[](/branches[])*/name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                "branches": [
                   {
    @@ -7014,7 +7149,7 @@ 

      /vulnerabilities[]/flags[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "flags": [
             {
    @@ -7042,7 +7177,7 @@ 

      /vulnerabilities[]/flags

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7107,7 +7242,7 @@ 

      /product_tree/branches[](/branches[])*/product

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "branches": [
    @@ -7317,7 +7452,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "remediations": [
             {
    @@ -7357,7 +7492,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "product_status": {
             "known_not_affected": [
    @@ -7378,6 +7513,156 @@ 

    For the product with product ID CSAFPID-908070 a vendor_fix is given but the product was not affected at all.

    +

    + 6.1.37 Date and Time +

    +

    + For each item of type string and format date-time it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}. +

    +

    + The relevant path for this test is: +

    +
      /document/tracking/current_release_date
    +  /document/tracking/generator/date
    +  /document/tracking/initial_release_date
    +  /document/tracking/revision_history[]/date
    +  /vulnerabilities[]/discovery_date
    +  /vulnerabilities[]/flags[]/date
    +  /vulnerabilities[]/release_date
    +  /vulnerabilities[]/involvements[]/date
    +  /vulnerabilities[]/remediations[]/date
    +  /vulnerabilities[]/threats[]/date
    +

    + Example 1 (which fails the test): +

    +
          "current_release_date": "2024-01-24 10:00:00.000Z",
    +
    +

    + The current_release_date uses a whitespace as separator instead the letter T. +

    +
    +

    + 6.1.38 Non-Public Sharing Group with Max UUID +

    +

    + It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label CLEAR. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/tlp/label
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      "tlp": {
    +        "label": "RED"
    +      }
    +    },
    +
    +

    + The sharing group uses the Max UUID but the CSAF document is labeled as TLP:RED. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +
    +

    + 6.1.39 Public Sharing Group with no Max UUID +

    +

    + It MUST be tested that a CSAF document with the TLP label CLEAR use the Max UUID as sharing group ID if any. The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is draft. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/id
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "5868d6be-b28a-404e-a245-0b5093b31b8b"
    +      },
    +      "tlp": {
    +        "label": "CLEAR"
    +      }
    +    },
    +
    +

    + The sharing group is present for the TLP:CLEAR document but it differs from the Max UUID. +

    +
    +
    +

    + A tool MAY update the sharing group id as a quick fix. +

    +
    +

    + 6.1.40 Invalid Sharing Group Name +

    +

    + It MUST be tested that the value of sharing group name does not equal the reserved values from section 3.2.2.5.1 if the precondition is not fulfilled. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/name
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "5868d6be-b28a-404e-a245-0b5093b31b8b",
    +        "name": "Public"
    +      },
    +      // ...
    +    },
    +
    +

    + The sharing group name is Public but it does not use the Max UUID. +

    +
    +
    +

    + A tool MAY update the sharing group name as a quick fix. +

    +
    +

    + 6.1.41 Missing Sharing Group Name +

    +

    + It MUST be tested that the sharing group name exists and equals the predefined reserved value from section 3.2.2.5.1 if the precondition is fulfilled. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/name
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff"
    +      },
    +      // ...
    +    },
    +
    +

    + The Max UUID is used but the sharing group name does not exist. +

    +
    +
    +

    + A tool MAY add the corresponding sharing group name as a quick fix. +

    +

    6.2 Optional Tests

    @@ -7400,7 +7685,7 @@

    /product_tree/full_product_names[]/product_id /product_tree/relationships[]/full_product_name/product_id

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7439,7 +7724,7 @@ 

    /vulnerabilities[]/product_status/last_affected[] /vulnerabilities[]/product_status/under_investigation[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7476,7 +7761,7 @@ 

    /vulnerabilities[]/product_status/known_affected[] /vulnerabilities[]/product_status/last_affected[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7511,7 +7796,7 @@ 

        /document/tracking/revision_history[]/number

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "revision_history": [
           {
    @@ -7536,7 +7821,7 @@ 

        /document/tracking/initial_release_date

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           // ...
    @@ -7571,7 +7856,7 @@ 

        /document/tracking/current_release_date

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "tracking": {
           "current_release_date": "2023-09-06T10:00:00.000Z",
    @@ -7606,7 +7891,7 @@ 

        /vulnerabilities[]/involvements

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -7641,7 +7926,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7687,7 +7972,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -7747,7 +8032,7 @@ 

      /document/references

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -7783,7 +8068,7 @@ 

      /document/lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         "category": "csaf_base",
    @@ -7814,7 +8099,7 @@ 

      /

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         "csaf_version": "2.1",
    @@ -7843,7 +8128,7 @@ 

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "lang": "qtx"
    @@ -7868,7 +8153,7 @@

      /document/lang
       /document/source_lang

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "lang": "i-default"
    @@ -7894,7 +8179,7 @@

    /product_tree/full_product_names[] /product_tree/relationships[]/full_product_name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "full_product_names": [
           {
    @@ -7923,7 +8208,7 @@ 

      /vulnerabilities[]/ids[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "ids": [
             {
    @@ -7958,7 +8243,7 @@ 

      /product_tree/branches[](/branches[])*/name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                "branches": [
                   {
    @@ -7985,7 +8270,7 @@ 

      /vulnerabilities[]/product_status/first_fixed[]
       /vulnerabilities[]/product_status/fixed[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8045,7 +8330,7 @@ 

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         "category": "csaf_base",
    @@ -8074,7 +8359,7 @@ 

      /document/tracking/revision_history[]/date

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "revision_history": [
         {
    @@ -8104,7 +8389,7 @@ 

      /document/title

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
         "tracking": {
    @@ -8133,7 +8418,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

         "cwes": [
             {
    @@ -8163,7 +8448,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -8209,7 +8494,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "cwes": [
             {
    @@ -8239,7 +8524,7 @@ 

      /vulnerabilities[]/cwes[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "cwes": [
             {
    @@ -8264,7 +8549,7 @@ 

      /vulnerabilities[]/remediations[]

    - Example 1 (which fails the test): + Example 1 (which fails the test):

          "product_status": {
             "known_not_affected": [
    @@ -8285,6 +8570,98 @@ 

    For the product with product ID CSAFPID-908070 a fix is planned but the product was not affected at all.

    +

    + 6.2.28 Usage of Max UUID +

    +

    + It MUST be tested that the Max UUID is not used as sharing group id. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/id
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      // ...
    +    },
    +
    +

    + The sharing group id uses the Max UUID. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +
    +

    + 6.2.29 Usage of Nil UUID +

    +

    + It MUST be tested that the Nil UUID is not used as sharing group id. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group/id
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      // ...
    +    },
    +
    +

    + The sharing group id uses the Nil UUID. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +
    +

    + 6.2.30 Usage of Sharing Group on TLP:CLEAR +

    +

    + It MUST be tested that no sharing group is used if the document is TLP:CLEAR. +

    +

    + The relevant path for this test is: +

    +
      /document/distribution/sharing_group
    +

    + Example 1 (which fails the test): +

    +
        "distribution": {
    +      "sharing_group": {
    +        "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    +        "name": "Public"
    +      },
    +      "tlp": {
    +        "label": "CLEAR"
    +      }
    +    },
    +
    +

    + The CSAF document is TLP:CLEAR but a sharing group is given. +

    +
    +
    +

    + A tool MAY remove the property sharing_group as a quick fix. +

    +

    6.3 Informative Test
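Review bot: The failing example for 6.2.29 Usage of Nil UUID does not contain the Nil UUID: it repeats the 6.2.28 example with `"id": "ffffffff-ffff-ffff-ffff-ffffffffffff"` and `"name": "Public"`, while the sentence below it says the id uses the Nil UUID. The id line should read `"id": "00000000-0000-0000-0000-000000000000"`, and the `"name": "Public"` line should be dropped, since the 6.1.40 example treats `Public` as a name that belongs to the Max UUID. As written, test data built from these examples covers 6.2.28 twice and 6.2.29 not at all, so a validator could ship without ever flagging the Nil UUID.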

    @@ -8308,7 +8685,7 @@

        /vulnerabilities[]/metrics

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8359,7 +8736,7 @@ 

      /vulnerabilities[]/metrics[]/content/cvss_v3/version
       /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "cvss_v3": {
         "version": "3.0",
    @@ -8395,7 +8772,7 @@ 

      /vulnerabilities[]/cve

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -8424,7 +8801,7 @@ 

      /vulnerabilities[]/cwe

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "vulnerabilities": [
         {
    @@ -8450,7 +8827,7 @@ 

    /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8513,7 +8890,7 @@ 

    /vulnerabilities[]/references[]/url /vulnerabilities[]/remediations[]/url

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "references": [
           {
    @@ -8543,7 +8920,7 @@ 

      /document/references[]/url
       /vulnerabilities[]/references[]/url

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "references": [
           {
    @@ -8604,7 +8981,7 @@ 

    /vulnerabilities[]/threats[]/details /vulnerabilities[]/title

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "document": {
         // ...
    @@ -8639,7 +9016,7 @@ 

      /product_tree/branches

    - Example 1 (which fails the test): + Example 1 (which fails the test):

        "branches": [
           {
    @@ -8684,7 +9061,7 @@ 

      /product_tree/branches[](/branches[])*/category

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                    "category": "product_version_range",
    @@ -8709,7 +9086,7 @@

      /product_tree/branches[](/branches[])*/name

    - Example 1 (which fails the test): + Example 1 (which fails the test):

                "branches": [
                   {
    @@ -8734,7 +9111,7 @@ 

        /vulnerabilities[]/metrics[]/content

    - Example 1 (which fails the test): + Example 1 (which fails the test):

      "product_tree": {
         "full_product_names": [
    @@ -8868,7 +9245,7 @@ 

    - Example 1 (minimal with ROLIE document): + Example 1 (minimal with ROLIE document):

      {
         "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
    @@ -8926,7 +9303,7 @@ 

    - Examples 1: + Examples 1:

    CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
     CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
    @@ -8944,7 +9321,7 @@ 

    details.

    - Example 1: + Example 1:

      https://www.example.com/.well-known/csaf/provider-metadata.json

    @@ -8960,7 +9337,7 @@

    The CSAF documents MUST be located within folders named <YYYY> where <YYYY> is the year given in the value of /document/tracking/initial_release_date.

    - Examples 1: + Examples 1:

    2024
     2023
    @@ -8971,7 +9348,7 @@

    The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.

    - Example 1: + Example 1:

    2023/esa-2023-09953.json
     2022/esa-2022-02723.json
    @@ -8986,15 +9363,26 @@ 

    7.1.13 Requirement 13: changes.csv

    - The file changes.csv MUST contain the filename as well as the value of /document/tracking/current_release_date for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the current_release_date timestamp with the latest one first. + The file changes.csv contains a list of CSAF documents in the current TLP level that were changed recently. Therefore, it MUST contain the filename as well as the value of /document/tracking/current_release_date for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the + current_release_date timestamp with the latest one first. The changes.csv SHALL be a valid comma separated values format as defined by [RFC4180] without double quotes.

    +
    +

    + Note: As a consequence of section sec Requirement 2 for filenames and section sec Requirement for directory names, there must not be any characters within the changes.csv that would require quoting. +

    +

    - Example 1: + Example 1:

    -
    "2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
    -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
    -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
    -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"
    +
    2023/esa-2023-09953.json,2023-07-01T10:09:07Z
    +2021/esa-2021-03676.json,2023-07-01T10:09:01Z
    +2022/esa-2022-02723.json,2022-04-17T15:08:41Z
    +2021/esa-2021-31916.json,2022-03-01T06:01:00Z
    +
    +

    + Note: As CSAF 2.0 requires quotes, an [RFC4180] parser can read both format revisions. +

    +

    7.1.14 Requirement 14: Directory listings
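Review bot: The note added to Requirement 13 has two unresolved cross-references: it renders as `section sec Requirement 2 for filenames` and `section sec Requirement for directory names`, and the second is missing its requirement number as well. The claim that nothing in changes.csv needs quoting rests entirely on those two requirements, so they should be cited by number for an implementer to check. The new opening sentence also says the file lists documents "that were changed recently", while the MUST that follows covers each CSAF document in the sub-directories; one of the two needs rewording. Because CSAF 2.0 providers still emit the quoted form, the closing note would be safer as a requirement on consumers to read the file with an [RFC4180] parser rather than by splitting on commas.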

    @@ -9020,7 +9408,7 @@

    MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].

    - Example 1: + Example 1:

      {
         "feed": {
    @@ -9086,7 +9474,7 @@ 

    the filename service.json and reside next to the provider-metadata.json.

    - Example 1: + Example 1:

      {
         "service": {
    @@ -9153,7 +9541,7 @@ 

    type of product

    - Examples 1: + Examples 1:

      CPU
       Firewall
    @@ -9169,7 +9557,7 @@ 

    areas or sectors, the products are used in

    - Examples 2: + Examples 2:

      Chemical
       Commercial
    @@ -9187,7 +9575,7 @@ 

    - Example 3: + Example 3:

      {
         "categories": {
    @@ -9211,7 +9599,7 @@ 

    MD5 and SHA1 SHOULD NOT be used.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of SHA-256 hash file: esa-2022-02723.json.sha256
    @@ -9220,7 +9608,7 @@ 

    The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.

    - Example 2: + Example 2:

    ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json

    @@ -9230,10 +9618,10 @@

    7.1.19 Requirement 19: Signatures

    - All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See [RFC4880] for more details. + All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. This signature SHALL be presented as an ASCII armored file. See [RFC4880] for more details.

    - Example 1: + Example 1:

    File name of CSAF document: esa-2022-02723.json
     File name of signature file: esa-2022-02723.json.asc
    @@ -9255,7 +9643,7 @@

    7.1.20 Requirement 20: Public OpenPGP Key

    - The public part of the OpenPGP key used to sign the CSAF documents MUST be available. It SHOULD also be available at a public key server. + The public part of the OpenPGP key used to sign the CSAF documents MUST be available. This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server.

    @@ -9299,7 +9687,7 @@

    The file aggregator.json SHOULD only list the latest version of the metadata of a CSAF provider.

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -9356,7 +9744,7 @@ 

    - Example 1: + Example 1:

      {
         "aggregator": {
    @@ -9921,7 +10309,7 @@ 

    Retrieve the CVSS version from the CVSS vector, if present.

    - Example 1: + Example 1:

      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
    @@ -9930,7 +10318,7 @@

    Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.

    - Example 2: + Example 2:

      xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
       <!-- -->
    @@ -9939,7 +10327,7 @@ 

    is handled the same as

    - Example 3: + Example 3:

      <ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
    @@ -9949,7 +10337,7 @@

    decision.

    - Example 4: + Example 4:

      xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
    @@ -12324,6 +12712,20 @@

    Next Editor Revision + + + csaf-v2.0-wd20241127-dev + + + 2024-11-27 + + + Stefan Hagen and Thomas Schmidt + + + Next Editor Revision + +
    @@ -12345,8 +12747,8 @@

    If you come across a case where these limits are exceeded, please provide feedback to the TC.

    -

    - C.1 File size +

    + Appendix C. File Size

    A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. @@ -12357,8 +12759,8 @@
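Review bot: The Appendix C sub-headings lose their numbering in this change: `C.1 File size` becomes `Appendix C. File Size` here, and the next two hunks do the same to `C.2 Array length` and `C.3 String length`, leaving three headings with the identical label `Appendix C.`. Further down, `C.6 Date` now comes before C.5, and `C.5` is used for both `URI Length` and `UUID Length`. The table of contents in csaf-v2.1-draft.md shows the same sequence, so the cause is probably the heading levels in the source files rather than the renderer. Other documents cite these size limits by section number, so the numbering should run C.1 to C.7 again before this revision is published.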

    small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.

    -

    - C.2 Array length +

    + Appendix C. Array Length

    An array SHOULD NOT have more than: @@ -12610,8 +13012,8 @@

    -

    - C.3 String length +

    + Appendix C. String Length

    A string SHOULD NOT have a length greater than: @@ -12634,6 +13036,9 @@

  • /document/category
  • +
  • + /document/distribution/sharing_group/name +
  • /document/lang
  • @@ -12970,75 +13375,42 @@

    -

    - C.4 URI length +

    + C.6 Date

    - A string with format uri SHOULD NOT have a length greater than 20000. This applies to: + The maximum length of strings representing a temporal value is given by the format specifier. This applies to:

    • - /document/acknowledgments[]/urls[] -
    • -
    • - /document/aggregate_severity/namespace -
    • -
    • - /document/distribution/tlp/url -
    • -
    • - /document/references[]/url -
    • -
    • - /document/publisher/namespace -
    • -
    • - /product_tree/branches[]/product/product_identification_helper/sbom_urls[] -
    • -
    • - /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace -
    • -
    • - /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri -
    • -
    • - /product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[] -
    • -
    • - /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace -
    • -
    • - /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri -
    • -
    • - /product_tree/full_product_names[]/product_identification_helper/sbom_urls[] + /document/tracking/current_release_date
    • - /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace + /document/tracking/generator/date
    • - /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri + /document/tracking/initial_release_date
    • - /product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[] + /document/tracking/revision_history[]/date
    • - /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace + /vulnerabilities[]/discovery_date
    • - /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri + /vulnerabilities[]/flags[]/date
    • - /vulnerabilities[]/acknowledgments[]/urls[] + /vulnerabilities[]/release_date
    • - /vulnerabilities[]/metrics[]/source + /vulnerabilities[]/involvements[]/date
    • - /vulnerabilities[]/references[]/url + /vulnerabilities[]/remediations[]/date
    • - /vulnerabilities[]/remediations[]/url + /vulnerabilities[]/threats[]/date

    @@ -13347,42 +13719,86 @@

    /vulnerabilities[]/threats[]/category (14) -

    - C.6 Date +

    + C.5 URI Length

    - The maximum length of strings representing a temporal value is given by the format specifier. This applies to: + A string with format uri SHOULD NOT have a length greater than 20000. This applies to:

    • - /document/tracking/current_release_date + /document/acknowledgments[]/urls[]
    • - /document/tracking/generator/date + /document/aggregate_severity/namespace
    • - /document/tracking/initial_release_date + /document/distribution/tlp/url
    • - /document/tracking/revision_history[]/date + /document/references[]/url
    • - /vulnerabilities[]/discovery_date + /document/publisher/namespace
    • - /vulnerabilities[]/flags[]/date + /product_tree/branches[]/product/product_identification_helper/sbom_urls[]
    • - /vulnerabilities[]/release_date + /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace
    • - /vulnerabilities[]/involvements[]/date + /product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri
    • - /vulnerabilities[]/remediations[]/date + /product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]
    • - /vulnerabilities[]/threats[]/date + /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace +
    • +
    • + /product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri +
    • +
    • + /product_tree/full_product_names[]/product_identification_helper/sbom_urls[] +
    • +
    • + /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace +
    • +
    • + /product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri +
    • +
    • + /product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[] +
    • +
    • + /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace +
    • +
    • + /product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri +
    • +
    • + /vulnerabilities[]/acknowledgments[]/urls[] +
    • +
    • + /vulnerabilities[]/metrics[]/source +
    • +
    • + /vulnerabilities[]/references[]/url +
    • +
    • + /vulnerabilities[]/remediations[]/url +
    • +
    +

    + C.5 UUID Length +

    +

    + A string with format uuid SHOULD NOT have a length greater than 50. This applies to: +

    +
      +
    • + /document/distribution/sharing_group/id (36)
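Review bot: The new UUID Length section says a string with format uuid `SHOULD NOT have a length greater than 50`, but its only entry is annotated `(36)`. The pattern given for the sharing group id in section 3.2.2.5.1 admits only the 8-4-4-4-12 form, so a conforming value is always 36 characters. A limit of 50 invites consumers to size buffers and database columns for values that the schema can never accept. Either state 36, or word it as the Date section does: "The maximum length is given by the format specifier."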
    diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md index efb046758..93e50d895 100644 --- a/csaf_2.1/prose/share/csaf-v2.1-draft.md +++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 30 October 2024 +## 27 November 2024 #### This stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \ @@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used **[csaf-v2.1]** -_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. +_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 27 November 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html. ------- 
@@ -156,8 +156,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 3.2.2.3 [Document Property - Category](#document-property-category) 3.2.2.4 [Document Property - CSAF Version](#document-property-csaf-version) 3.2.2.5 [Document Property - Distribution](#document-property-distribution) - 3.2.2.5.1 [Document Property - Distribution - Text](#document-property-distribution-text) - 3.2.2.5.2 [Document Property - Distribution - TLP](#document-property-distribution-tlp) + 3.2.2.5.1 [Document Property - Distribution - Sharing Group](#document-property-distribution-sharing-group) + 3.2.2.5.2 [Document Property - Distribution - Text](#document-property-distribution-text) + 3.2.2.5.3 [Document Property - Distribution - TLP](#document-property-distribution-tlp) 3.2.2.6 [Document Property - Language](#document-property-language) 3.2.2.7 [Document Property - Notes](#document-property-notes) 3.2.2.8 [Document Property - Publisher](#document-property-publisher) @@ -271,6 +272,11 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.1.34 [Branches Recursion Depth](#mandatory-tests--branches-recursion-depth) 6.1.35 [Contradicting Remediations](#contradicting-remediations) 6.1.36 [Contradicting Product Status Remediation Combination](#contradicting-product-status-remediation-combination) + 6.1.37 [Date and Time](#mandatory-tests--date-and-time) + 6.1.38 [Non-Public Sharing Group with Max UUID](#non-public-sharing-group-with-max-uuid) + 6.1.39 [Public Sharing Group with no Max UUID](#public-sharing-group-with-no-max-uuid) + 6.1.40 [Invalid Sharing Group Name](#invalid-sharing-group-name) + 6.1.41 [Missing Sharing Group Name](#missing-sharing-group-name) 6.2 [Optional Tests](#optional-tests) 6.2.1 [Unused Definition of Product ID](#unused-definition-of-product-id) 6.2.2 [Missing Remediation](#missing-remediation) 
@@ -299,6 +305,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own 6.2.25 [Usage of CWE Not Allowed for Vulnerability Mapping](#usage-of-cwe-not-allowed-for-vulnerability-mapping) 6.2.26 [Usage of CWE Allowed with Review for Vulnerability Mapping](#usage-of-cwe-allowed-with-review-for-vulnerability-mapping) 6.2.27 [Discouraged Product Status Remediation Combination](#discouraged-product-status-remediation-combination) + 6.2.28 [Usage of Max UUID](#usage-of-max-uuid) + 6.2.29 [Usage of Nil UUID](#usage-of-nil-uuid) + 6.2.30 [Usage of Sharing Group on TLP:CLEAR](#usage-of-sharing-group-on-tlp-clear) 6.3 [Informative Test](#informative-test) 6.3.1 [Use of CVSS v2 as the only Scoring System](#use-of-cvss-v2-as-the-only-scoring-system) 6.3.2 [Use of CVSS v3.0](#use-of-cvss-v3-0) @@ -377,12 +386,13 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own Appendix A. [Acknowledgments](#acknowledgments) Appendix B. [Revision History](#revision-history) Appendix C. [Guidance on the Size of CSAF Documents](#guidance-on-the-size-of-csaf-documents) - C.1 [File size](#file-size) - C.2 [Array length](#array-length) - C.3 [String length](#string-length) - C.4 [URI length](#uri-length) - C.5 [Enum](#enum) +Appendix C. [File Size](#file-size) +Appendix C. [Array Length](#array-length) +Appendix C. [String Length](#string-length) C.6 [Date](#date) + C.5 [Enum](#enum) +C.5 [URI Length](#uri-length) +C.5 [UUID Length](#uuid-length) ------- # 1. Introduction 
@@ -618,12 +628,16 @@ For purposes of this document, the following terms and definitions apply: **\[****RFC3339\]** Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . +**\[****RFC4180\]** Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, . + **\[****RFC7464\]** Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, . **\[****RFC8174\]** Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . **\[****RFC8259\]** T. Bray, Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, DOI 10.17487/RFC8259, December 2017, . +**\[****RFC9562\]** Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, . + ## 1.4 Informative References **\[****CPE23-A\]** _Common Platform Enumeration: Applicability Language Specification Version 2.3 (NISTIR 7698)_, D. Waltermire, P. Cichonski, K. Scarfone, Editors, NIST Interagency Report 7698, August 2011, https://dx.doi.org/10.6028/NIST.IR.7698. 
@@ -672,6 +686,8 @@ For purposes of this document, the following terms and definitions apply: **\[****RFC3986\]** Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . +**\[****RFC4122\]** Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . + **\[****RFC4880\]** Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, . **\[****RFC7231\]** Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, . @@ -827,13 +843,14 @@ Finally, a set of conformance targets describes tools in the ecosystem. ## 2.2 Date and Time This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1. -In accordance with RFC 3339 and ISO 8601, the following rules apply: +In accordance with [cite]{#RFC3339} and [cite]{#ISO8601}, the following rules apply: * The letter `T` separating the date and time SHALL be upper case. +* The separator between date and time MUST be the letter `T`. * The letter `Z` indicating the timezone UTC SHALL be upper case. * Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator. * Leap seconds are supported. However, they SHOULD be avoided if possible. -* Empty timezones are prohibited. +* Empty timezones MUST NOT be used. * The ABNF of RFC 3339, section 5.6 applies. ------- 
@@ -2195,12 +2212,15 @@ The single valid value for this `enum` is: #### 3.2.2.5 Document Property - Distribution Rules for sharing document (`distribution`) of value type `object` with the mandatory property Traffic Light Protocol (TLP) (`tlp`) and the -optional property Text (`text`) describes any constraints on how this document might be shared. +optional properties Sharing Group (`Sharing Group`) and Text (`text`) describes any constraints on how this document might be shared. ``` "distribution": { // ... "properties": { + "sharing_group": { + // ... + }, "text": { // ... }, 
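Review bot: The added sentence gives the property name in code formatting as `Sharing Group`, but the key in the schema excerpt a few lines below is `sharing_group`. A producer who copies the code-formatted name from the prose would emit a key the schema does not define. The parenthesised name should be `sharing_group`, matching how `text` and `tlp` are written in the same sentence.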
@@ -2211,13 +2231,87 @@ optional property Text (`text`) describes any constraints on how this document m }, ``` -If both values are present, the TLP information SHOULD be preferred as this aids in automation. +If multiple values are present, the TLP information SHOULD be preferred as this aids in automation. +The Sharing Group SHALL be interpreted as specification to the TLP information. +Therefore, the Sharing Group MAY also be used to convey special TLP restrictions: + +*Examples 1:* + +``` + E-ISAC members-only + Only releasable to European Energy sector + Releasable to NATO countries +``` + +> Note that for such restrictions the Sharing Group Name MUST exist and all participants MUST know the associated Sharing Group IDs to allow for automation. + +##### 3.2.2.5.1 Document Property - Distribution - Sharing Group + +Sharing Group (`sharing_group`) of value type `object` with the mandatory property Sharing Group ID (`id`) and +the optional property Sharing Group Name (`name`) contains information about the group this document is intended to be shared with. + +``` + "sharing_group": { + // ... + "properties": { + "id": { + // ... + }, + "name": { + // ... + } + } + }, +``` + +Sharing Group ID (`id`) of value type `string` with format `uuid` and `pattern` (regular expression): + +``` + ^(([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})|([0]{8}-([0]{4}-){3}[0]{12})|([f]{8}-([f]{4}-){3}[f]{12}))$ +``` + +Sharing Group ID provides the unique ID for the sharing group. +This ID is intended to be globally unique and MAY also be used by different issuing parties to share CSAF data within a closed group, +e.g. during a Multi-Party Coordinated Vulnerability Disclosure case. + +> Note, that participants in such cases usually differ. Therefore, it is advised to use one ID per case. +> Otherwise, the consequences of adding or removing parties from a case and the implications to other cases have to be considered. 
+ +The ID SHOULD NOT change throughout different CSAF documents, if the same sharing group is addressed. +It MUST differ if a different sharing group is addressed. -##### 3.2.2.5.1 Document Property - Distribution - Text +The ID SHALL be valid according to \[[RFC9562](#RFC9562)\] and recorded in the 8-4-4-4-12 notation in lower case. +The ID SHALL be a UUID Version 4 for any closed sharing group, i.e. `TLP:GREEN` and above. + +The following ID values SHOULD NOT be used unless there are technical reasons for them. +Therefore, they are reserved for implementation-specific situations: + +- A system MAY use the Max UUID for `TLP:CLEAR` CSAF documents. + > For example, the system uses the UUID as an indication whether a user allowed to see the document. + > The security considerations from \[[RFC9562](#RFC9562)\] should be reflected on. +- A system MAY use the Nil UUID for CSAF documents that MUST NOT be shared. + > For example, the CSAF document is just being drafted and the accidental leakage should be prevented. + +> Note, that both values do not indicate a closed sharing group. + +A CSAF document with `TLP:CLEAR` SHOULD NOT contain a sharing group value and SHALL NOT contain any other value for the Sharing Group ID than Max UUID (`ffffffff-ffff-ffff-ffff-ffffffffffff`). + +If an issuing party distributes multiple versions of a single CSAF document to different sharing groups, the rules for CSAF modifier (cf. section [sec](#conformance-clause-8-csaf-modifier)) regarding the generation of the value of `/document/tracking/id` SHALL be applied. +This implies that usually the sharing group ID is used as a prefix to the original `/document/tracking/id`. + +Sharing Group Name (`name`) of value type `string` with one or more characters contains a human-readable name for the sharing group. + +The Sharing Group Name is optional and can be chosen freely by the entity establishing the sharing group. 
+However, the following values are reserved for the conditions below: + +- For the Max UUID, the value of `name` SHALL exist and be `Public`. +- For the Nil UUID, the value of `name` SHALL exist and be `No sharing allowed`. + +##### 3.2.2.5.2 Document Property - Distribution - Text The Textual description (`text`) of value type `string` with 1 or more characters provides a textual description of additional constraints. -*Examples 1:* +*Examples 1:* ``` Copyright 2024, Example Company, All Rights Reserved. @@ -2225,7 +2319,7 @@ The Textual description (`text`) of value type `string` with 1 or more character Share only on a need-to-know-basis only. ``` -##### 3.2.2.5.2 Document Property - Distribution - TLP +##### 3.2.2.5.3 Document Property - Distribution - TLP Traffic Light Protocol (TLP) (`tlp`) of value type `object` with the mandatory property Label (`label`) and the optional property URL (`url`) provides details about the TLP classification of the document. @@ -2272,7 +2366,7 @@ The default value is the URL to the definition by FIRST: https://www.first.org/tlp/ ``` -*Examples 1:* +*Examples 1:* ``` https://www.us-cert.gov/tlp 
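Review bot: The `pattern` for Sharing Group ID fixes the version nibble to `4` but leaves the first character of the fourth group unconstrained, so it accepts strings that lack the variant bits RFC 9562 requires for a version 4 UUID. The text says the ID SHALL be valid according to RFC9562 and SHALL be a UUID Version 4 for closed groups, so the first alternative could be tightened to `[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}`. The JSON schema presumably carries the same pattern and would need the same change. If the looser match is deliberate, a sentence saying that the pattern is only a first filter and that full RFC 9562 validation is still required would avoid validators relying on the regular expression alone.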
@@ -2373,15 +2467,15 @@ and miscellaneous contributors. The value `user` indicates anyone using a vendor’s product. The value `vendor` indicates developers or maintainers of information system products or services. -This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and -product resellers and distributors, including authoritative vendor partners. +This includes all authoritative product vendors, product security incident response teams (PSIRTs), +open source projects as well as product resellers and distributors, including authoritative vendor partners. ##### 3.2.2.8.2 Document Property - Publisher - Contact Details Contact details (`contact_details`) of value type `string` with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses. -*Example 1:* +*Example 1:* ``` Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact. @@ -2396,7 +2490,7 @@ the authority of the issuing party to release the document, in particular, the p The Name of publisher (`name`) of value type `string` with 1 or more characters contains the name of the issuing party. -*Example 1:* +*Example 1:* ``` BSI @@ -2423,7 +2517,7 @@ an incremented (patch) version which has no other changes than: * the updated item in `/document/references[]` which points to the new version of the CSAF document * an added item in `/document/references[]` which points to the previous version of the CSAF document (if the URL changed) -*Examples 1:* +*Examples 1:* ``` https://csaf.io 
@@ -2458,7 +2552,7 @@ The property SHALL NOT be present if the document was not translated. Title of this document (`title`) of value type `string` with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents. -*Examples 1:* +*Examples 1:* ``` Cisco IPv6 Crafted Packet Denial of Service Vulnerability @@ -2521,7 +2615,7 @@ list of alternate names for the same document. Every such Alternate Name of value type `string` with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document. -*Example 1:* +*Example 1:* ``` CVE-2019-12345 @@ -2575,7 +2669,7 @@ optional property Engine version (`version`) contains information about the engi Engine name (`name`) of value type `string` with 1 or more characters represents the name of the engine that generated the CSAF document. -*Examples 1:* +*Examples 1:* ``` Red Hat rhsa-to-cvrf @@ -2588,7 +2682,7 @@ Engine version (`version`) of value type `string` with 1 or more characters cont > Although it is not formally required, the TC suggests to use a versioning which is compatible with Semantic Versioning as described in > the external specification [SemVer]. This could help the end user to identify when CSAF consumers have to be updated. -*Examples 2:* +*Examples 2:* ``` 0.6.0 @@ -2611,7 +2705,7 @@ Unique identifier for the document holds the Identifier. The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization. -*Examples 1:* +*Examples 1:* ``` Example Company - 2019-YH3234 
@@ -2779,7 +2873,7 @@ the optional Summary (`summary`) property. The summary of the product group (`summary`) of value type `string` with 1 or more characters gives a short, optional description of the group. -*Examples 1:* +*Examples 1:* ``` Products supporting Modbus. @@ -2868,7 +2962,7 @@ which is referenced as the first element of the relationship. Relates to Product Reference (`relates_to_product_reference`) of value type Product ID (`product_id_t`) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship. -*Examples 1:* +*Examples 1:* ``` "product_tree": { @@ -3034,7 +3128,7 @@ The Weakness ID (`id`) has value type `string` with `pattern` (regular expressio It holds the ID for the weakness associated. -*Examples 1:* +*Examples 1:* ``` CWE-22 @@ -3045,7 +3139,7 @@ It holds the ID for the weakness associated. The Weakness name (`name`) has value type `string` with 1 or more characters and holds the full name of the weakness as given in the CWE specification. -*Examples 2:* +*Examples 2:* ``` Cross-Site Request Forgery (CSRF) @@ -3062,7 +3156,7 @@ The CWE version (`version`) has value type `string` with `pattern` (regular expr It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used. -*Examples 3:* +*Examples 3:* ``` "1.0", @@ -3175,7 +3269,7 @@ tracking ID for the vulnerability. System name (`system_name`) of value type `string` with 1 or more characters indicates the name of the vulnerability tracking or numbering system. -*Examples 1:* +*Examples 1:* ``` Cisco Bug ID 
@@ -3184,7 +3278,7 @@ System name (`system_name`) of value type `string` with 1 or more characters ind Text (`text`) of value type `string` with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists). -*Examples 2:* +*Examples 2:* ``` CSCso66472 @@ -3963,7 +4057,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > As a result, a `/document/tracking/id` with the value `2022_#01-A` is converted into `2022_01-a` instead of `2022__01-a`. 3. The file extension `.json` MUST be appended. -*Examples 1:* +*Examples 1:* ``` cisco-sa-20190513-secureboot.json @@ -3974,7 +4068,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum > It is currently considered best practice to indicate that a CSAF document is invalid by > inserting `_invalid` into the filename in front of the file extension. -*Examples 2:* +*Examples 2:* ``` cisco-sa-20190513-secureboot_invalid.json @@ -4059,7 +4153,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/product_ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4090,7 +4184,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4124,7 +4218,7 @@ The relevant path for this test is: > a Product ID defined in a relationship item is used as `product_reference` or `relates_to_product_reference`. > Only for those which fulfill this condition it is necessary to run the full check following the references. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4163,7 +4257,7 @@ The relevant paths for this test are: /vulnerabilities[]/threats[]/group_ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -4202,7 +4296,7 @@ The relevant path for this test is: /product_tree/product_groups[]/group_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4278,7 +4372,7 @@ Contradiction groups are: > Note: An issuer might recommend (`/vulnerabilities[]/product_status/recommended`) a product version from any group - also from the affected group, > i.e. if it was discovered that fixed versions introduce a more severe vulnerability. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4317,7 +4411,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4376,7 +4470,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4417,7 +4511,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4444,7 +4538,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v4 ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -4478,7 +4572,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -4503,7 +4597,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "EZ" @@ -4525,7 +4619,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/purl ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -4555,7 +4649,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4584,7 +4678,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -4615,7 +4709,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4649,7 +4743,7 @@ The relevant path for this test is: /document/tracking/status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4671,7 +4765,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4705,7 +4799,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4734,7 +4828,7 @@ The relevant path for this test is: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -4760,7 +4854,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4789,7 +4883,7 @@ The relevant path for this test is: /document/tracking/revision_history ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -4818,7 +4912,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
@@ -4843,7 +4937,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -4879,7 +4973,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -4939,7 +5033,7 @@ The relevant path for this test is: /document/category ``` -*Examples 1 (for currently prohibited values):* +*Examples 1 (for currently prohibited values):* ``` Csaf_a @@ -4950,7 +5044,7 @@ The relevant path for this test is: V_eX ``` -*Example 2 (which fails the test):* +*Example 2 (which fails the test):* ``` "category": "Security_Incident_Response" @@ -4984,7 +5078,7 @@ The relevant path for this test is: /document/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "notes": [ @@ -5015,7 +5109,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -5045,7 +5139,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5076,7 +5170,7 @@ The relevant path for this test is: /product_tree ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5108,7 +5202,7 @@ The relevant path for this test is: /vulnerabilities[]/notes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5136,7 +5230,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ 
@@ -5168,7 +5262,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { @@ -5200,7 +5294,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -5231,7 +5325,7 @@ The relevant path for this test is: /vulnerabilities[]/threats ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5303,7 +5397,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5376,7 +5470,7 @@ The relevant path for this test is: /vulnerabilities ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` { @@ -5402,7 +5496,7 @@ The relevant path for this test is: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -5430,7 +5524,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ @@ -5457,7 +5551,7 @@ The relevant paths for this test are: /document/tracking/version ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { 
@@ -5489,22 +5583,28 @@ The relevant paths for this test are: For each element of type `/$defs/branches_t` with `category` of `product_version` it MUST be tested that the value of `name` does not contain a version range. -> To implement this test it is deemed sufficient that, when converted to lower case, -> the value of `name` does not contain any of the following strings: +> To implement this test it is deemed sufficient that, when converted to lower case, the value of `name` satisfies the two requirements below: > -> ``` -> < -> <= -> > -> >= -> after -> all -> before -> earlier -> later -> prior -> versions -> ``` +> 1. It does not contain any of the following operators: +> +> ``` +> < +> <= +> > +> >= +> ``` +> +> 2. If interpreted as a list of individual words separated by whitespace, the list does not contain any of the following keywords: +> +> ``` +> after +> all +> before +> earlier +> later +> prior +> versions +> ``` The relevant paths for this test are: @@ -5512,7 +5612,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -5536,7 +5636,7 @@ The relevant path for this test is: /vulnerabilities[]/flags[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "flags": [ @@ -5563,7 +5663,7 @@ The relevant path for this test is: /vulnerabilities[]/flags ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5628,7 +5728,7 @@ The relevant path for this test is: /product_tree/branches[](/branches[])*/product ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5838,7 +5938,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "remediations": [ 
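Review bot: The keyword check in the rewritten implementation hint splits `name` on whitespace only, so a keyword with attached punctuation is no longer detected. Values ending in `earlier.` or containing `before/after` (constructed examples) would pass, where the previous substring rule flagged them. If that is not intended, state that leading and trailing punctuation is stripped before comparison, or that words are separated by whitespace or punctuation. The operator list could also be reduced to `<` and `>`, since `<=` and `>=` already contain them.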
@@ -5877,7 +5977,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { 
@@ -5898,6 +5998,140 @@ The relevant path for this test is: > For the product with product ID `CSAFPID-908070` a `vendor_fix` is given but the product was not affected at all. +### 6.1.37 Date and Time + +For each item of type `string` and format `date-time` it MUST be tested that it conforms to the rules given in section [sec]{#date-and-time}. + +The relevant path for this test is: + +``` + /document/tracking/current_release_date + /document/tracking/generator/date + /document/tracking/initial_release_date + /document/tracking/revision_history[]/date + /vulnerabilities[]/discovery_date + /vulnerabilities[]/flags[]/date + /vulnerabilities[]/release_date + /vulnerabilities[]/involvements[]/date + /vulnerabilities[]/remediations[]/date + /vulnerabilities[]/threats[]/date +``` + +*Example 1 (which fails the test):* + +``` + "current_release_date": "2024-01-24 10:00:00.000Z", +``` + +> The `current_release_date` uses a whitespace as separator instead the letter `T`. + +### 6.1.38 Non-Public Sharing Group with Max UUID + +It MUST be tested that a CSAF document using Max UUID as sharing group ID has the TLP label `CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/tlp/label +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "RED" + } + }, +``` + +> The sharing group uses the Max UUID but the CSAF document is labeled as `TLP:RED`. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### 6.1.39 Public Sharing Group with no Max UUID + +It MUST be tested that a CSAF document with the TLP label `CLEAR` use the Max UUID as sharing group ID if any. +The test SHALL pass if no sharing group is present or the Nil UUID is used and the document status is `draft`. 
+ +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The sharing group is present for the `TLP:CLEAR` document but it differs from the Max UUID. + +> A tool MAY update the sharing group id as a quick fix. + +### 6.1.40 Invalid Sharing Group Name + +It MUST be tested that the value of sharing group name does not equal the reserved values from section [3.2.2.5.1](#document-property-distribution-sharing-group) if the precondition is not fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "5868d6be-b28a-404e-a245-0b5093b31b8b", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group name is `Public` but it does not use the Max UUID. + +> A tool MAY update the sharing group name as a quick fix. + +### 6.1.41 Missing Sharing Group Name + +It MUST be tested that the sharing group name exists and equals the predefined reserved value from section [3.2.2.5.1](#document-property-distribution-sharing-group) if the precondition is fulfilled. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/name +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff" + }, + // ... + }, +``` + +> The Max UUID is used but the sharing group name does not exist. + +> A tool MAY add the corresponding sharing group name as a quick fix. + ## 6.2 Optional Tests Optional tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid. 
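Review bot: Test 6.1.39 lets a `TLP:CLEAR` document pass when it carries the Nil UUID and has status `draft`, but section 3.2.2.5.1 in this patch says a `TLP:CLEAR` document SHALL NOT contain any Sharing Group ID other than the Max UUID. One of the two needs an explicit exception, otherwise the prose and a conforming validator disagree on whether a draft marked as not to be shared may be labelled `TLP:CLEAR`. The pass condition is also ambiguous in its grouping and reads more clearly as `The test SHALL pass if no sharing group is present, or if the Nil UUID is used and the document status is draft.` Tests 6.1.40 and 6.1.41 refer to "the precondition" without naming it. Spelling it out as the sharing group ID being the Max UUID or the Nil UUID would make both tests implementable from their own text.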
@@ -5919,7 +6153,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_id ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5952,7 +6186,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/under_investigation[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -5989,7 +6223,7 @@ The relevant paths for this test are: /vulnerabilities[]/product_status/last_affected[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6023,7 +6257,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/number ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -6048,7 +6282,7 @@ The relevant path for this test is: /document/tracking/initial_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6084,7 +6318,7 @@ The relevant path for this test is: /document/tracking/current_release_date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "tracking": { @@ -6119,7 +6353,7 @@ The relevant path for this test is: /vulnerabilities[]/involvements ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6151,7 +6385,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6194,7 +6428,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
@@ -6243,7 +6477,7 @@ The relevant path for this test is: /document/references ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6278,7 +6512,7 @@ The relevant path for this test is: /document/lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6308,7 +6542,7 @@ The relevant path for this test is: / ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6333,7 +6567,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "qtx" @@ -6354,7 +6588,7 @@ The relevant paths for this test are: /document/source_lang ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "lang": "i-default" @@ -6376,7 +6610,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "full_product_names": [ @@ -6401,7 +6635,7 @@ The relevant paths for this test are: /vulnerabilities[]/ids[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "ids": [ @@ -6434,7 +6668,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -6462,7 +6696,7 @@ The relevant path for this test is: /vulnerabilities[]/product_status/fixed[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6518,7 +6752,7 @@ The relevant path for this test is: > To implement this test it is deemed sufficient to validate the CSAF document against a "strict" version schema that > sets `additionalProperties` to `false` for every key of type `object`. -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { 
@@ -6544,7 +6778,7 @@ The relevant path for this test is: /document/tracking/revision_history[]/date ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "revision_history": [ @@ -6573,7 +6807,7 @@ The relevant path for this test is: /document/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)", @@ -6599,7 +6833,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -6626,7 +6860,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -6666,7 +6900,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -6693,7 +6927,7 @@ The relevant path for this test is: /vulnerabilities[]/cwes[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cwes": [ @@ -6719,7 +6953,7 @@ The relevant path for this test is: /vulnerabilities[]/remediations[] ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_status": { 
@@ -6740,6 +6974,86 @@ The relevant path for this test is: > For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all. +### 6.2.28 Usage of Max UUID + +It MUST be tested that the Max UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Max UUID. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### 6.2.29 Usage of Nil UUID + +It MUST be tested that the Nil UUID is not used as sharing group id. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group/id +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + // ... + }, +``` + +> The sharing group id uses the Nil UUID. + +> A tool MAY remove the property `sharing_group` as a quick fix. + +### 6.2.30 Usage of Sharing Group on TLP:CLEAR + +It MUST be tested that no sharing group is used if the document is `TLP:CLEAR`. + +The relevant path for this test is: + +``` + /document/distribution/sharing_group +``` + +*Example 1 (which fails the test):* + +``` + "distribution": { + "sharing_group": { + "id": "ffffffff-ffff-ffff-ffff-ffffffffffff", + "name": "Public" + }, + "tlp": { + "label": "CLEAR" + } + }, +``` + +> The CSAF document is `TLP:CLEAR` but a sharing group is given. + +> A tool MAY remove the property `sharing_group` as a quick fix. + ## 6.3 Informative Test Informative tests provide insights in common mistakes and bad practices. @@ -6762,7 +7076,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { 
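Review bot: The failing example for 6.2.29 (Usage of Nil UUID) repeats the Max UUID example from 6.2.28. It shows `"id": "ffffffff-ffff-ffff-ffff-ffffffffffff"` with `"name": "Public"`, while its explanation says the Nil UUID is used. It should read `"id": "00000000-0000-0000-0000-000000000000"` and `"name": "No sharing allowed"`, the reserved name from section 3.2.2.5.1. The quick fix offered for 6.2.29 also needs a caveat: removing `sharing_group` from a document marked as not to be shared drops the only machine-readable marker of that restriction, so a tool applying it should at least warn the user.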
@@ -6810,7 +7124,7 @@ The relevant paths for this test are: /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "cvss_v3": { @@ -6842,7 +7156,7 @@ The relevant path for this test is: /vulnerabilities[]/cve ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6870,7 +7184,7 @@ The relevant path for this test is: /vulnerabilities[]/cwe ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "vulnerabilities": [ @@ -6895,7 +7209,7 @@ The relevant paths for this test are: /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -6956,7 +7270,7 @@ The relevant paths for this test are: /vulnerabilities[]/remediations[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -6985,7 +7299,7 @@ The relevant paths for this test are: /vulnerabilities[]/references[]/url ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "references": [ @@ -7046,7 +7360,7 @@ The relevant paths for this test are: /vulnerabilities[]/title ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "document": { @@ -7078,7 +7392,7 @@ The relevant paths for this test are: /product_tree/branches ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7120,7 +7434,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/category ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "category": "product_version_range", 
@@ -7145,7 +7459,7 @@ The relevant paths for this test are: /product_tree/branches[](/branches[])*/name ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "branches": [ @@ -7169,7 +7483,7 @@ The relevant path for this test is: /vulnerabilities[]/metrics[]/content ``` -*Example 1 (which fails the test):* +*Example 1 (which fails the test):* ``` "product_tree": { @@ -7279,7 +7593,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA > * https://psirt.domain.tld/advisories/csaf/provider-metadata.json > * https://domain.tld/security/csaf/provider-metadata.json -*Example 1 (minimal with ROLIE document):* +*Example 1 (minimal with ROLIE document):* ``` { @@ -7340,7 +7654,7 @@ See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details. > The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. > The `CSAF` field was officially added through the IANA registry. -*Examples 1:* +*Examples 1:* ``` CSAF: https://domain.tld/security/data/csaf/provider-metadata.json @@ -7360,7 +7674,7 @@ The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details. -*Example 1:* +*Example 1:* ``` https://www.example.com/.well-known/csaf/provider-metadata.json @@ -7377,7 +7691,7 @@ The use of the scheme "HTTPS" is required. The CSAF documents MUST be located within folders named `` where `` is the year given in the value of `/document/tracking/initial_release_date`. -*Examples 1:* +*Examples 1:* ``` 2024 @@ -7388,7 +7702,7 @@ value of `/document/tracking/initial_release_date`. The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames. -*Example 1:* +*Example 1:* ``` 2023/esa-2023-09953.json 
@@ -7401,18 +7715,25 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents ### 7.1.13 Requirement 13: changes.csv -The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each +The file `changes.csv` contains a list of CSAF documents in the current TLP level that were changed recently. +Therefore, it MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first. +The `changes.csv` SHALL be a valid comma separated values format as defined by \[[RFC4180](#RFC4180)\] without double quotes. + +> Note: As a consequence of section [sec](#requirement-2-filename) Requirement 2 for filenames and section [sec](#requirement-11-one-folder-per-year) +> Requirement for directory names, there must not be any characters within the `changes.csv` that would require quoting. -*Example 1:* +*Example 1:* ``` -"2023/esa-2023-09953.json","2023-07-01T10:09:07Z" -"2021/esa-2021-03676.json","2023-07-01T10:09:01Z" -"2022/esa-2022-02723.json","2022-04-17T15:08:41Z" -"2021/esa-2021-31916.json","2022-03-01T06:01:00Z" +2023/esa-2023-09953.json,2023-07-01T10:09:07Z +2021/esa-2021-03676.json,2023-07-01T10:09:01Z +2022/esa-2022-02723.json,2022-04-17T15:08:41Z +2021/esa-2021-31916.json,2022-03-01T06:01:00Z ``` +> Note: As CSAF 2.0 requires quotes, an \[[RFC4180](#RFC4180)\] parser can read both format revisions. + ### 7.1.14 Requirement 14: Directory listings Directory listing SHALL be enabled to support manual navigation. @@ -7431,7 +7752,7 @@ At least one of the feeds MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\]. -*Example 1:* +*Example 1:* ``` { 
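Review bot: The new opening sentence of Requirement 13 says `changes.csv` lists documents "that were changed recently", while the MUST that follows requires an entry for each CSAF document in the sub-directories. "Recently" is not defined anywhere in the hunk. A consumer that mirrors a provider from this file cannot tell whether a missing entry means "unchanged" or "not published", so the sentence should describe ordering only, for example by replacing "that were changed recently" with `ordered by most recent change`. In the added note, the second cross-reference reads "Requirement for directory names" without a number; the anchor suggests `Requirement 11`. The note could also state that consumers are expected to use an RFC 4180 parser rather than split on commas, since the closing note relies on that to read CSAF 2.0 files.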
@@ -7500,7 +7821,7 @@ If it is used, each ROLIE service document MUST be a JSON file that conforms wit Additionally, it can also list the corresponding ROLIE category documents. The ROLIE service document SHOULD use the filename `service.json` and reside next to the `provider-metadata.json`. -*Example 1:* +*Example 1:* ``` { @@ -7544,7 +7865,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * `product_version` * type of product - *Examples 1:* + *Examples 1:* ``` CPU @@ -7559,7 +7880,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * areas or sectors, the products are used in - *Examples 2:* + *Examples 2:* ``` Chemical @@ -7574,7 +7895,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or * any other categorization useful to the consumers -*Example 3:* +*Example 3:* ``` { @@ -7598,7 +7919,7 @@ to ensure their integrity. The filename is constructed by appending the file ext MD5 and SHA1 SHOULD NOT be used. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -7609,7 +7930,7 @@ File name of SHA-512 hash file: esa-2022-02723.json.sha512 The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space. -*Example 2:* +*Example 2:* ``` ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json 
@@ -7620,9 +7941,11 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ ### 7.1.19 Requirement 19: Signatures All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is -extended by the appropriate extension. See \[[RFC4880](#RFC4880)\] for more details. +extended by the appropriate extension. +This signature SHALL be presented as an ASCII armored file. +See \[[RFC4880](#RFC4880)\] for more details. -*Example 1:* +*Example 1:* ``` File name of CSAF document: esa-2022-02723.json @@ -7644,6 +7967,7 @@ Tools SHOULD treat the violation of the rules given in the first sentence as: ### 7.1.20 Requirement 20: Public OpenPGP Key The public part of the OpenPGP key used to sign the CSAF documents MUST be available. +This key file SHALL be presented as an ASCII armored file. It SHOULD also be available at a public key server. > For example, the public part of the OpenPGP key could be placed in a directory `openpgp` adjacent to the `provider-metadata.json`. @@ -7667,7 +7991,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`. The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider. -*Example 1:* +*Example 1:* ``` { @@ -7723,7 +8047,7 @@ Each such folder MUST at least: * provide a `provider-metadata.json` for the current issuing party. * provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document. -*Example 1:* +*Example 1:* ``` { @@ -8153,7 +8477,7 @@ Secondly, the program fulfills the following for all items of: the CVRF CSAF converter uses the following steps: 1. Retrieve the CVSS version from the CVSS vector, if present. - *Example 1:* + *Example 1:* ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1 
@@ -8162,7 +8486,7 @@ Secondly, the program fulfills the following for all items of: 2. Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace. - *Example 2:* + *Example 2:* ``` xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd" @@ -8172,7 +8496,7 @@ Secondly, the program fulfills the following for all items of: is handled the same as - *Example 3:* + *Example 3:* ``` @@ -8183,7 +8507,7 @@ Secondly, the program fulfills the following for all items of: If more than one CVSS namespace is present and the element is not clearly defined via the namespace, this step MUST be skipped without a decision. - *Example 4:* + *Example 4:* ``` xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0 @@ -8785,6 +9109,7 @@ The following individuals were members of the OASIS CSAF Technical Committee dur | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | | csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | +| csaf-v2.0-wd20241127-dev | 2024-11-27 | Stefan Hagen and Thomas Schmidt | Next Editor Revision | ------- @@ -8802,7 +9127,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits > If you come across a case where these limits are exceeded, please provide feedback to the TC. -## C.1 File size +## Appendix C. File Size A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content, e.g.: 50 MiB. 
@@ -8815,7 +9140,7 @@ e.g.: 50 MiB. > In addition, the BSON format adds length information for the entries inside the document, > which adds to the size when storing CSAF document content in a BSON format. -## C.2 Array length +## Appendix C. Array Length An array SHOULD NOT have more than: @@ -8899,7 +9224,7 @@ An array SHOULD NOT have more than: * `/vulnerabilities[]/threats[]/group_ids` * `/vulnerabilities[]/threats[]/product_ids` -## C.3 String length +## Appendix C. String Length A string SHOULD NOT have a length greater than: @@ -8908,6 +9233,7 @@ A string SHOULD NOT have a length greater than: * `/document/acknowledgments[]/organization` * `/document/aggregate_severity/text` * `/document/category` + * `/document/distribution/sharing_group/name` * `/document/lang` * `/document/notes[]/audience` * `/document/notes[]/title` 
@@ -9019,31 +9345,20 @@ A string SHOULD NOT have a length greater than: * `/vulnerabilities[]/remediations[]/restart_required/details` * `/vulnerabilities[]/threats[]/details` -## C.4 URI length +## C.6 Date -A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: +The maximum length of strings representing a temporal value is given by the format specifier. This applies to: -* `/document/acknowledgments[]/urls[]` -* `/document/aggregate_severity/namespace` -* `/document/distribution/tlp/url` -* `/document/references[]/url` -* `/document/publisher/namespace` -* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` -* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` -* `/vulnerabilities[]/acknowledgments[]/urls[]` -* `/vulnerabilities[]/metrics[]/source` -* `/vulnerabilities[]/references[]/url` -* `/vulnerabilities[]/remediations[]/url` +* `/document/tracking/current_release_date` +* 
`/document/tracking/generator/date` +* `/document/tracking/initial_release_date` +* `/document/tracking/revision_history[]/date` +* `/vulnerabilities[]/discovery_date` +* `/vulnerabilities[]/flags[]/date` +* `/vulnerabilities[]/release_date` +* `/vulnerabilities[]/involvements[]/date` +* `/vulnerabilities[]/remediations[]/date` +* `/vulnerabilities[]/threats[]/date` ## C.5 Enum 
@@ -9155,17 +9470,34 @@ This applies to: * `/vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity` (8) * `/vulnerabilities[]/threats[]/category` (14) -## C.6 Date +## C.5 URI Length -The maximum length of strings representing a temporal value is given by the format specifier. This applies to: +A string with format `uri` SHOULD NOT have a length greater than 20000. This applies to: -* `/document/tracking/current_release_date` -* `/document/tracking/generator/date` -* `/document/tracking/initial_release_date` -* `/document/tracking/revision_history[]/date` -* `/vulnerabilities[]/discovery_date` -* `/vulnerabilities[]/flags[]/date` -* `/vulnerabilities[]/release_date` -* `/vulnerabilities[]/involvements[]/date` -* `/vulnerabilities[]/remediations[]/date` -* `/vulnerabilities[]/threats[]/date` +* `/document/acknowledgments[]/urls[]` +* `/document/aggregate_severity/namespace` +* `/document/distribution/tlp/url` +* `/document/references[]/url` +* `/document/publisher/namespace` +* `/product_tree/branches[]/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[]/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/sbom_urls[]` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/branches[](/branches[])*/product/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/sbom_urls[]` +* 
`/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace` +* `/product_tree/relationships[]/full_product_name/product_identification_helper/x_generic_uris[]/uri` +* `/vulnerabilities[]/acknowledgments[]/urls[]` +* `/vulnerabilities[]/metrics[]/source` +* `/vulnerabilities[]/references[]/url` +* `/vulnerabilities[]/remediations[]/url` + +## C.5 UUID Length + +A string with format `uuid` SHOULD NOT have a length greater than 50. This applies to: + +* `/document/distribution/sharing_group/id` (36) From 79aa1a10533e1f55a45e4b8631459f9d84cd95e8 Mon Sep 17 00:00:00 2001 
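Review bot: The added UUID section states that a `uuid` string SHOULD NOT be longer than 50 characters, yet its only path is annotated `(36)`, the fixed length of the textual UUID form. Implementers sizing input limits get two different numbers here. The sentence should either use 36 or explain what the extra headroom is for. The appendix numbering on the new side is also inconsistent across this hunk and the `-9019,31 +9345,20` hunk before it: `C.6 Date` now precedes `C.5 Enum`, and `C.5` is used for Enum, URI Length and UUID Length alike, while the first three headings became `Appendix C. …` without a number. References to a limit by section number become ambiguous. Suggested headings in file order are `## C.4 Date`, `## C.5 Enum`, `## C.6 URI Length`, `## C.7 UUID Length`, with the numbers restored on File Size, Array Length and String Length.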
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:26:55 +0100 Subject: [PATCH 46/49] Editor Revision 2024-11-27 - addresses parts of oasis-tcs/csaf#705, oasis-tcs/csaf#839 - rename test 6.1.39 to 6.1.38 to reflect structural change --- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-01.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-02.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-03.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-04.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-11.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-12.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-13.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-14.json} | 2 +- ...asis_csaf_tc-csaf_2_1-2024-6-1-38-15.json} | 2 +- csaf_2.1/test/validator/data/testcases.json | 20 +++++++++---------- .../test/validator/testcases_json_schema.json | 2 +- 11 files changed, 20 insertions(+), 20 deletions(-) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json} (94%) rename 
csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json} (93%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json => oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json} (94%) diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json index 771130e98..a6a78c90c 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json index a717d6036..b653debce 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json 
@@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json index fdc9774b0..56bf95437 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-03", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-03", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json index 0fda4fdf2..f2151ea1e 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json 
@@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (failing example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-04", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-04", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json index 0a621afeb..b3e21ee22 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json index a88c2c2d2..3afcd47bd 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json 
@@ -19,7 +19,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json index 5de4604d1..0f020c83c 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-13", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-13", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json similarity index 93% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json index 3dad85df9..bd4f3b1d6 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json 
@@ -16,7 +16,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-14", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-14", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json index 074d3c37f..47a979198 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Non-Public Sharing Group with Max UUID (valid example 5)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-15", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-38-15", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 77bd0e40a..abd270eae 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1117,45 +1117,45 @@ ] }, { - "id": "6.1.39", + "id": "6.1.38", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-02.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-03.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-03.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-04.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-04.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-12.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-13.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-13.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-14.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-14.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-15.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-38-15.json", "valid": true } ] diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index c6fbb97f9..b3688e169 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json 
@@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-79])|(2\\.30)|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-8])|(2\\.30)|(1\\.4[0-2]))$" }, "valid": { "title": "List of valid examples", From d8c9ddc0511fefe2812c54ebac6fe93d9c19cc70 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:32:08 +0100 Subject: [PATCH 47/49] Editor Revision 2024-11-27 - addresses parts of oasis-tcs/csaf#705, oasis-tcs/csaf#839 - rename test 6.1.40 to 6.1.39 to reflect structural change --- ...json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json} | 2 +- ...json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json} | 2 +- ...json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json} | 2 +- ...json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json} | 2 +- csaf_2.1/test/validator/data/testcases.json | 10 +++++----- csaf_2.1/test/validator/testcases_json_schema.json | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json} (94%) 
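Review bot: The `pattern` on the test `id` enumerates the section numbers that currently exist, and nothing in this hunk tells a maintainer that it must be edited whenever a test is renumbered; patches 47/49 to 49/49 of this series each have to touch the same line again for that reason. JSON has no comments, so I would record the rule in the property's own text, e.g. `"description": "Contains the section number of the test in the specification. The pattern lists the test numbers that currently exist and must be updated when a test is added, removed or renumbered."`. The same number is repeated in every fixture file name and `tracking.id`, and the part of the schema shown here only constrains `id`, so a `name` left stale after a rename would presumably still validate and a mandatory sharing-group check could run against the wrong fixture; a pipeline check that each `name` carries the dashed form of its `id` would catch that. The enclosing property object starts above the hunk.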
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json index 2c880de0c..d43907285 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json @@ -19,7 +19,7 @@ "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json index 927dc5c19..7c10469cd 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Public Sharing Group with no Max UUID (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json index 3a0e71eaa..65766abd9 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json index 8efdd4695..db1f73d59 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Public Sharing Group with no Max UUID (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-39-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index abd270eae..2f69ed5e9 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1161,25 +1161,25 @@ ] }, { - "id": "6.1.40", + "id": "6.1.39", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-02.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-39-12.json", "valid": true } ] diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index b3688e169..1a234880f 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-8])|(2\\.30)|(1\\.4[0-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-9])|(2\\.30)|(1\\.4[1-2]))$" }, "valid": { "title": "List of valid examples", From 00e5c05c61b4f3bb94d2fb399930883839e09a97 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:37:28 +0100 Subject: [PATCH 48/49] Editor Revision 2024-11-27 - addresses parts of oasis-tcs/csaf#705, oasis-tcs/csaf#839 - rename test 6.1.41 to 6.1.40 to reflect structural change --- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json} | 2 +- csaf_2.1/test/validator/data/testcases.json | 14 +++++++------- csaf_2.1/test/validator/testcases_json_schema.json | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json => oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json => oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json} (94%) 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json index 6bddafe9e..eba1bc0b3 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Invalid Sharing Group Name (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json index d4b9cc245..e96a3e9be 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Invalid Sharing Group Name (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json index 29ef03c04..6f1416409 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Invalid Sharing Group Name (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json index 3773793ad..d6dab838c 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Invalid Sharing Group Name (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json index 4cd124091..576878cca 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json @@ -19,7 +19,7 @@ "title": "Mandatory test: Invalid Sharing Group Name (valid example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-13", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-13", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json index b2384c54f..6ac651a65 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Invalid Sharing Group Name (valid example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-14", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-40-14", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 2f69ed5e9..05fde2bc1 100644 
--- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1185,33 +1185,33 @@ ] }, { - "id": "6.1.41", + "id": "6.1.40", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-02.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-12.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-13.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-13.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-14.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-40-14.json", "valid": true } ] diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 1a234880f..1a9ff3e6a 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-9])|(2\\.30)|(1\\.4[1-2]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-9])|(2\\.30)|(1\\.4[02]))$" }, "valid": { "title": "List of valid examples", 
From 252e44cc5284ed1cf3c5634842ad313dab184dd9 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:41:10 +0100 Subject: [PATCH 49/49] Editor Revision 2024-11-27 - addresses parts of oasis-tcs/csaf#705, oasis-tcs/csaf#839 - rename test 6.1.42 to 6.1.41 to reflect structural change --- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json} | 2 +- ... => oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json} | 2 +- csaf_2.1/test/validator/data/testcases.json | 14 +++++++------- csaf_2.1/test/validator/testcases_json_schema.json | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json => oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json => oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json => oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json => oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json => oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json} (94%) rename csaf_2.1/test/validator/data/mandatory/{oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json => oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json} (94%) 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json index 8a74b252a..49ea1473e 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json @@ -19,7 +19,7 @@ "title": "Mandatory test: Missing Sharing Group Name (failing example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-01", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-01", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json index d693fe4b6..0c50385cb 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json @@ -19,7 +19,7 @@ "title": "Mandatory test: Missing Sharing Group Name (failing example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-02", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-02", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json index b984b526a..f684e10d7 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Missing Sharing Group Name (failing example 3)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-03", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-03", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json index 8967cac76..6699e8e73 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Missing Sharing Group Name (failing example 4)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-04", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-04", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { 
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json index c4fdec312..27aa1691f 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Missing Sharing Group Name (valid example 1)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-11", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-11", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json similarity index 94% rename from csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json rename to csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json index fc5929109..5bddd0442 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json @@ -20,7 +20,7 @@ "title": "Mandatory test: Missing Sharing Group Name (valid example 2)", "tracking": { "current_release_date": "2024-01-24T10:00:00.000Z", - "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-42-12", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-41-12", "initial_release_date": "2024-01-24T10:00:00.000Z", "revision_history": [ { diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 05fde2bc1..11d861926 100644 
--- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1217,33 +1217,33 @@ ] }, { - "id": "6.1.42", + "id": "6.1.41", "group": "mandatory", "failures": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-01.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-01.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-02.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-02.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-03.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-03.json", "valid": false }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-04.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-04.json", "valid": false } ], "valid": [ { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-11.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-11.json", "valid": true }, { - "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-42-12.json", + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-41-12.json", "valid": true } ] diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 1a9ff3e6a..c7a0b3f66 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-9])|(2\\.30)|(1\\.4[02]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|(1\\.10)|([12]\\.1[1-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|([12]\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-9])|(2\\.30)|(1\\.4[0-1]))$" }, "valid": { "title": "List of valid examples",
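Review bot: The new alternative `(1\\.4[0-1])` writes a two-member character class as a range, while the previous revision of this same line used the list form `[02]`; `(1\\.4[01])` is easier to scan, and `([12]\\.2[8-9])` could become `([12]\\.2[89])` in the same pass. As far as the hunks in this series show, the 6.1.3x and 6.1.4x alternatives now cover 6.1.30 to 6.1.41 without a gap, so the intermediate exclusions can be dropped from the reader's mental model once the classes are written plainly. The property object that holds the pattern begins above the hunk.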