CSAF Documents
When a vulnerability becomes known in one of the components of a product that you use, one of the most natural questions to ask is “What do I have to do now?”. The Common Security Advisory Format (CSAF) aims to provide an answer to that question in an automated fashion. It is a mainly machine-readable format for exchanging advisories about security vulnerabilities.
One of the main functionalities of BOMnipotent is to make distribution of CSAF documents as easy as possible. Any running instance of BOMnipotent Server acts as a “CSAF Provider” according to the OASIS standard .
List
Running
./bomnipotent_client csaf listwill give you a list of all CSAF documents accessible to you.
╭───────────────┬───────────────────────────┬──────────────────────┬──────────────────────┬────────┬───────────╮
│ ID │ Title │ Initial Release │ Current Release │ Status │ TLP │
├───────────────┼───────────────────────────┼──────────────────────┼──────────────────────┼────────┼───────────┤
│ BSI-2022-0001 │ CVRF-CSAF-Converter: XML │ 2022-03-17 13:03 UTC │ 2022-07-14 08:20 UTC │ final │ TLP:WHITE │
│ │ External Entities Vulnera │ │ │ │ │
│ │ bility │ │ │ │ │
╰───────────────┴───────────────────────────┴──────────────────────┴──────────────────────┴────────┴───────────╯Accesible CSAF documents are those that are either labeled TLP:WHITE/TLP:CLEAR, or that concern a product that you have been granted access to.
Download
To locally mirror all CSAF documents accessible to you, run
bomnipotent_client csaf download ./csaf[INFO] Storing CSAF documents under ./csafThis will store th CSAF documents in the provided folder ("./csaf", in this example). It will create the folder structure if it does not already exist. The CSAF documents are stored in file paths following the naming scheme {tlp}/{initial_release_year}/{csaf_id}.json.
The filenames of CSAF documents follow a naming scheme defined by the OASIS standard : The ids are converted into lowercase, and most special characters are replaced by an underscore ‘_’. This means that, in principle, different CSAF documents could lead to the same filepath. In that case, BOMnipotent will display an error instead of silently overwriting a file.
tree ./csaf/./csaf/
└── white
└── 2022
└── bsi-2022-0001.jsonBefore requesting files for download, BOMnipotent Client makes an inventory of the CSAF documents already present in the folder, and downloads only the missing ones.
It is possible to only download a single file by providing the path as an additional argument:
bomnipotent_client csaf download ./csaf white/2022/bsi-2022-0001.jsonBOMnipotent does not automatically replace existing files, even if they have changed on the server. It instead prints a warning message:
[WARN] File ./csaf/white/2023/wid-sec-w-2023-0001.json already exists.
Use the "--overwrite" flag to replace it.
Skipping download to prevent data loss.You can tell BOMnipotent that you really want this file overwritten by using the “–overwrite” flag:
bomnipotent_client csaf download ./csaf --overwritebomnipotent_client csaf download ./csaf -oGet
You can directly display the contents of a single CSAF doc to the consolte output by calling
bomnipotent_client csaf get <ID>{
"document" : {
"aggregate_severity" : {
"text" : "mittel"
},
"category" : "csaf_base",
"csaf_version" : "2.0",
"distribution" : {
"tlp" : {
"label" : "WHITE",
...This is especially useful if you want to use the contents of this CSAF doc in a script.