
Subject: Re: [csaf] Overview of CSAF web sites


Hi Tobias,

Thank you for summarizing this so well. Please see some comments and updates inline:

On May 26, 2020, at 1:37 PM, Limmer, Tobias <tobias.limmer@siemens.com> wrote:

Colleagues,

to get an overview of the TC's work and available information, I browsed the public web sites and tried to gather all links. It wasn't easy for me to understand the current state of CSAF, and this is due to quite a lot of different Github repositories and confusing/outdated information in various places.
I would hope that it will be easier for other interested parties to get into CSAF more quickly if we clean up the current state.

In the following I will show you what I found, and I added some comments and suggestions for improvement to some of the locations.

Github:
- CSAF web site: https://oasis-open.github.io/csaf-documentation/
       - It is not clear that this web site belongs to CSAF, as the terms CVRF and CSAF are used in a confusing way:
               * The site's title is "CSAF CVRF 1.2"
               * Prominent link to "CVRF 1.2 Spec Doc"
               * Paragraph about "CVRF Adoption"
       - Github project for web site: https://github.com/oasis-open/csaf-documentation/
       -> We should clean this site to make clear that the next version will be CSAF 2.0 based on the previous XML-based spec CVRF 1.2

I completely agree. I created the following Issue in the CSAF Documentation Open Repository at:

Based on your feedback, I updated the website/documentation:



- TC's main Github repository: https://github.com/oasis-tcs/csaf
       - Contains major work of TC: the JSON schema and examples
       - Many old artifacts in repository
       -> This should be cleaned up. Analysis and suggestions are below [1]

I also agree and created the following issue to track this:
... and started re-organizing some of the legacy files/directories:

Let's discuss in tomorrow's meeting how to better organize the repository.


- CSAF parser: https://github.com/oasis-open/csaf-parser
       - What is the current state here? It seems to be only a CVRF parser, as it does not have references to JSON in its code

This is only a CVRF 1.2 parser. The goal is to change this Python-based parser to support CSAF 2.0 once the schema is completed.

       -> Add prominent statement in README of repository to make this clear?

Good point. I created the following issue:

And documented the README.md accordingly: https://github.com/oasis-open/csaf-parser


- External web site: https://github.com/TIBCOSoftware/vulnrep
       - CVRF/CSAF importer/exporter by Eric

Google Docs:
- Draft spec: https://docs.google.com/document/d/1Dk7kslzyX6UDueFXWE4Cz6Erp3oSWuqQ5kHaV_JuApM
- TODO: https://docs.google.com/document/d/1jB-XH6GX79zfOWtV-QasbNjsD9V91Qjjl1PkX10kCZ0


Please tell me if I missed some places.
I propose to talk about my suggestions in the meeting tomorrow!


Best regards,
Tobi


[1]
Detailed analysis of the main Github repo:
- /artifact_linkage
       * Proposal from Stefan Hagen in 2016 to streamline committee work
       -> Is this still current? Do we need to keep it?
- /cvrf_1.2
       * Old CVRF spec
- /issue_processing
       * Another proposal from Stefan Hagen in 2016 to streamline committee work
       -> Is this still current? Do we need to keep it?
- /meeting_minutes
       * Minutes from TC meetings (latest from 10 months ago)
- /sandbox
       * ./CVRF_repositories.md
               - Contains list of CVRF repositories -> should be moved to /cvrf_1.2
       * ./csaf_2.0/
               -> Contains major work for CSAF 2.0. We should move this directory to the root of the repository
               - ./Cvrf_1_2_errata.md
                       * Erratas for CVRF 1.2 -> should be moved to /cvrf_1.2
               - ./cvrf_1_2_doc_elements.png
                       * Some graph from the CVRF spec -> delete?
               - ./json_schema/
                       * ./csaf_json_schema.json
                               - Draft JSON schema for CSAF 2.0
                       * ./CVE-2018-0171-modified.json, ./cvrf-rhba-2018-0489-modified.json
                               - Examples for CSAF 2.0
                               -> Move examples to 'examples' directory inside /csaf_2.0, rename them in a consistent way?
                       * ./NOTES.md
                               - Open issues in the draft
                               - Duplicate of https://docs.google.com/document/d/1jB-XH6GX79zfOWtV-QasbNjsD9V91Qjjl1PkX10kCZ0 ?
                               -> Do we want to merge both documents?
                               -> Do we want to merge both documents?
