
Validate new CSAF field #47

Closed
WKobes opened this issue Mar 23, 2023 · 4 comments


WKobes commented Mar 23, 2023

The 'CSAF'-field is now part of the security.txt fields registry (https://www.iana.org/assignments/security-txt-fields/security-txt-fields.xhtml). This field should be accepted without raising the unknown_field notification.

It was added on 2023-02-15.

Validating it as a URI-field should be sufficient, as it probably goes beyond the scope of this parser to check if the field complies with the OASIS specification.


baknu commented Mar 23, 2023

For some further details see CSAF specification under:

See also: https://www.rfc-editor.org/rfc/rfc9116.html#section-2.4 ("Any fields registered via that process MUST be considered optional.")

Possible additional checks:

  • URI to begin with "https://"
  • URI to end with "provider-metadata.json"
  • In case of multiple CSAF fields maybe give a notification

Example of a security.txt with CSAF field: https://www.bsi.bund.de/.well-known/security.txt

@DigitalTrustCenter (Owner):

#47 Validate new CSAF field

New key for CSAF field; it is considered optional as per the section 2.4 mentioned by @baknu. If not present a recommendation is added:

New recommendation:

  • "no_csaf": 'CSAF' field should appear at least once. If no CSAF field is found this recommendation is given.

New error:

  • no_csaf_file: All CSAF field in the security.txt must point to a provider-metadata.json file

New notification:

  • multiple_csaf_fields: It is allowed to have more than one CSAF field, however this should be removed if possible.

Added multiple tests for the new key and added recommendation, error and notification.


baknu commented Apr 14, 2023

Thanks.

Some remarks:

  1. As the CSAF field is OPTIONAL (thus MAY, and not SHOULD or MUST), it should be treated the same way as other optional fields (like "Acknowledgments" and "Hiring"). So there should not be a recommendation message given when the CSAF field is missing.
    However, when it is present then indeed the "no_csaf_file" message and the "multiple_csaf_fields" message could be given in case deviations are detected.

  2. The "multiple_csaf_fields" message should be a recommendation, as the used language (also in the specification) is SHOULD (NOT).

  3. Some textual nits:

  • "All CSAF field in the security.txt must point to a provider-metadata.json file" --> "All CSAF fields must point to a provider-metadata.json file."

@DigitalTrustCenter (Owner):

These changes have been applied in the new release.

  • The CSAF field is now optional (like "Acknowledgments" and "Hiring"), so the recommendation is removed. The errors remain: if the field is listed with an issue, it will throw an error.
  • The "multiple_csaf_fields" has been moved from a notification to a recommendation.
  • The "no_csaf_file" text has been updated to be more clear.
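The checks as they stand at the end of this thread, as an added example that is not the project's own code: a missing CSAF field is fine (it is optional), every present value must be an https URI ending in provider-metadata.json (error `no_csaf_file`), more than one CSAF field yields a recommendation (`multiple_csaf_fields`), and unregistered field names yield the `unknown_field` notification. The field-name set and the sample security.txt are constructed for the example.

```python
from urllib.parse import urlparse

# Registered security.txt field names, lower-cased (assumed list; CSAF was registered 2023-02-15).
KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments",
                "preferred-languages", "canonical", "policy", "hiring", "csaf"}

# Constructed sample security.txt exercising each rule; not a real file.
SAMPLE = """\
# constructed sample, not a real security.txt
Contact: mailto:security@example.org
Expires: 2024-12-31T23:00:00.000Z
CSAF: https://example.org/.well-known/csaf/provider-metadata.json
CSAF: http://example.org/csaf/provider-metadata.json
CSAF: https://example.org/csaf/index.html
Hiring: https://example.org/jobs
Foo: bar
"""

def parse_fields(text):
    """Return (name, value) pairs for 'Name: value' lines; comments and blanks are skipped.
    Only the first colon separates name from value, so 'mailto:' and timestamps survive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields

def check_csaf(text):
    """Apply the CSAF rules agreed in the thread and return (severity, code, detail) tuples."""
    findings = []
    fields = parse_fields(text)
    for name, _ in fields:
        if name not in KNOWN_FIELDS:
            findings.append(("notification", "unknown_field", name))
    csaf_values = [value for name, value in fields if name == "csaf"]
    for value in csaf_values:
        url = urlparse(value)
        # Scheme must be https and the path must point at a provider-metadata.json file.
        if url.scheme != "https" or not url.path.endswith("provider-metadata.json"):
            findings.append(("error", "no_csaf_file", value))
    if len(csaf_values) > 1:
        findings.append(("recommendation", "multiple_csaf_fields", str(len(csaf_values))))
    return findings

if __name__ == "__main__":
    for severity, code, detail in check_csaf(SAMPLE):
        print(f"{severity}: {code} ({detail})")
```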
