Added new presentation and CSAF webview tool #61
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
santosomar
added
Videos
Closed
tschmidtb51
requested changes
Aug 16, 2024
| <div class="media-container-row align-center mbr-white"> | ||
| <div class="col-12"> | ||
| <p class="mbr-text mb-0 mbr-fonts-style display-7"> | ||
| © Copyright 2025 OASIS CSAF TC - All Rights Reserved |
There was a problem hiding this comment.
Looks like we are a little bit ahead of ourselves. According to my calendar, it is still 2024. 😜
Comment on lines
+1
to
+153
|
|
||
| <div class="navbar-nav-container"> | ||
| <ul class="navbar-nav nav-dropdown nav-right" data-app-modern-menu="true"><li class="nav-item"><a class="nav-link link text-primary display-7" href="https://docs.oasis-open.org/csaf/csaf/v2.0/os/schemas/" target="_blank"><span class="fa fa-file-code-o mbr-iconfont mbr-iconfont-btn"></span> | ||
| Schemas</a></li> | ||
| <li class="nav-item"><a class="nav-link link text-primary display-7" href="specification.html" target="_blank"><span class="icon54-v1-document-file mbr-iconfont mbr-iconfont-btn"></span> | ||
| Specification</a></li> | ||
| <li class="nav-item"><a class="nav-link link text-primary display-7" href="https://github.com/oasis-tcs/csaf" target="_blank"><span class="mbri-github mbr-iconfont mbr-iconfont-btn"></span> | ||
| GitHub</a> </li> | ||
| <li class="nav-item"><a class="nav-link link text-primary display-7" href="faq.html"><span class="mbrib-question mbr-iconfont mbr-iconfont-btn"></span>FAQ</a> | ||
| </li></ul> | ||
|
|
||
| </div> | ||
|
|
||
|
|
||
| </div> | ||
| </div> | ||
| </nav> | ||
| </section> | ||
|
|
||
| <section class="features9 cid-toxCmSo3BF" id="features9-i"> | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| <div class="container-fluid"> | ||
| <div class="row justify-content-center"> | ||
| <div class="content-wrap"> | ||
| <div class="col-12 col-lg-8 col-text"> | ||
| <div class="text-wrapper"> | ||
| <p class="mbr-text mbr-fonts-style mb-0 display-2">Frequently Asked Questions | ||
| </p> | ||
| </div> | ||
| </div> | ||
| <div class="col-12 col-lg-4 image-wrapper"> | ||
| <div class="btn-container"> | ||
|
|
||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </section> | ||
|
|
||
| <section class="features2 cid-toxDrh6fJv" id="features2-l"> | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| <div class="container-fluid"> | ||
| <div class="row justify-content-center"> | ||
| <div class="col-12 col-md col-text"> | ||
| <div class="text-wrapper"> | ||
| <p class="mbr-text mbr-fonts-style mb-0 display-7"><strong>What is the Common Advisory Security Framework (CSAF)?</strong><br>The Common Security Advisory Framework (CSAF) is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. You can <a href="https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html" class="text-primary" target="_blank">access the CSAF 2.0 standard here</a>.<br><br><strong>What problems are addressed by CSAF? </strong><br>CSAF enable individuals and organizations to successfully disclose and consume security advisories in machine readable format. It also specifies the distribution and discovery of CSAF documents<br><br><strong>Is CSAF a replacement for CVE? </strong><br>No. CSAF is not a replacement for CVE. A CSAF document may include one or many security vulnerabilities that have been assigned a CVE. Not all vulnerabilities are assigned a CVE. CSAF also allows for any organization to be able to disclose or consume security vulnerabilities or responses that do not have an assigned CVE.<br><br><strong>What is VEX and how is it supported in CSAF?</strong><br>The Vulnerability Exploitability eXchange (VEX) allows a software supplier or other parties to assert the status of specific vulnerabilities in a particular product. CSAF supports VEX to allow suppliers and other parties to provide the status of the vulnerabilities that may affect a product. As stated i<a href="https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf" class="text-primary" target="_blank">n CISA's VEX Use Case documentation</a>, VEX is a form of a security advisory, similar to those already issued by mature product security teams today. There are a few important improvements for the VEX model over ‘traditional’ security advisories. First, VEX documents are machine readable, built to support integration into existing and novel security management tools, as well as broader vulnerability tracking platforms. Second, VEX data can support more effective use of <a href="https://www.cisa.gov/sbom" class="text-primary" target="_blank">Software Bills of Materials (SBOM) data</a>. <br><br><strong>Is CSAF the replacement for CVRF?</strong><br>Yes. CSAF is the replacement for the Common Vulnerability Reporting Framework (CVRF). It enhances the capabilities of CVRF including different profiles (e.g., CSAF Base, Informational Advisory, Incident Response, VEX, etc.). Each profile extends the base profile "CSAF Base" - directly or indirect through another profile from the standard - by making additional fields from the standard mandatory. A profile can always add, but never subtract nor overwrite requirements defined in the profile it extends. CSAF also provides several additional enhancements that were not supported in CVRF. In addition, CSAF uses JSON vs. XML (which was used in CVRF).</p> | ||
| <div class="btn-container"> | ||
|
|
||
| </div> | ||
| </div> | ||
| </div> | ||
| <div class="col-12 col-md-4 image-wrapper"> | ||
| <img src="assets/images/mbr-600x600.png" alt="CSAF FAQ"> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </section> | ||
|
|
||
| <section data-bs-version="5.1" class="footer2 cid-sRAtK8mSnJ" once="footers" id="footer2-h"> | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| <div class="container"> | ||
| <div class="media-container-row align-center mbr-white"> | ||
| <div class="col-12"> | ||
| <p class="mbr-text mb-0 mbr-fonts-style display-7"> | ||
| © Copyright 2025 OASIS CSAF TC - All Rights Reserved | ||
| </p> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </section> | ||
|
|
||
|
|
||
| <script src="assets/web/assets/jquery/jquery.min.js"></script> | ||
| <script src="assets/bootstrap/js/bootstrap.bundle.min.js"></script> | ||
| <script src="assets/smoothscroll/smooth-scroll.js"></script> | ||
| <script src="assets/ytplayer/index.js"></script> | ||
| <script src="assets/dropdown/js/navbar-dropdown.js"></script> | ||
| <script src="assets/theme/js/script.js"></script> | ||
|
|
||
|
|
||
|
|
||
| </body> | ||
| </html> |
There was a problem hiding this comment.
This is the old FAQ. The TC decided to directly use the one from Github.
Comment on lines
+20
to
+22
| - CSAF Downloader"> | ||
|
|
||
|
|
There was a problem hiding this comment.
Looks like multiple tools have been removed.
Comment on lines
-212
to
-250
| <div class="card-box"> | ||
| <h4 class="card-title mbr-fonts-style display-5"><a href="https://github.com/ctron/csaf-walker" class="text-primary" target="_blank">CSAF Walker</a></h4> | ||
| <p class="card-text mbr-fonts-style display-4">A Rust library and command line tool for consuming and analyzing CSAF documents.</p> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| <div class="card"> | ||
| <div class="card-wrapper"> | ||
|
|
||
| <div class="card-box"> | ||
| <h4 class="card-title mbr-fonts-style display-5"><a href="https://github.com/clouditor/clouditor?tab=readme-ov-file#using-the-extra-discoverers-eg-csaf" class="text-primary" target="_blank">Clouditor</a></h4> | ||
| <p class="card-text mbr-fonts-style display-4">Clouditor is a tool for the continuous assurance of cloud and other backend services. It supports the conformance check of CSAF (trusted) providers as part of vulnerability management controls.</p> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| <div class="card"> | ||
| <div class="card-wrapper"> | ||
|
|
||
|
|
||
| <div class="card-box"> | ||
| <h4 class="card-title mbr-fonts-style display-5"><a href="https://github.com/MaibornWolff/SecObserve" class="text-primary" target="_blank">SecObserve</a></h4> | ||
| <p class="card-text mbr-fonts-style display-4">An open source vulnerability management system that can produce and consume CSAF VEX documents.</p> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| <div class="card"> | ||
| <div class="card-wrapper"> | ||
|
|
||
| <div class="card-box"> | ||
| <h4 class="card-title mbr-fonts-style display-5"><a href="https://aquasecurity.github.io/trivy/" class="text-primary" target="_blank">Trivy</a></h4> | ||
| <p class="card-text mbr-fonts-style display-4">A comprehensive and versatile security scanner that look for security issues.</p> | ||
| <h4 class="card-title mbr-fonts-style display-5"><a href="https://pypi.org/project/paikalta/" class="text-primary" target="_blank">paikalta</a></h4> | ||
| <p class="card-text mbr-fonts-style display-4">CSAF file testing tool available in <a href="https://pypi.org/project/paikalta/" class="text-primary" target="_blank">Pypi</a>.</p> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| <div class="card"> | ||
| <div class="card-wrapper"> | ||
|
|
||
|
|
||
| <div class="card-box"> | ||
| <h4 class="card-title mbr-fonts-style display-5"><a href="https://github.com/trustification/trustification" class="text-primary" target="_blank">Trustification</a></h4> | ||
| <p class="card-text mbr-fonts-style display-4">A collection of software that allow you to store bill of materials (SBOM), vulnerability information (VEX) for your organization and use that information to learn impact of vulnerabilities and dependency changes.</p> |
There was a problem hiding this comment.
Those tools should not be removed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added video: "VEXinating Your Container Images: The European Way" - fix Add video: "VEXinating Your Container Images: The European Way" #55
Added tool "CSAF webview" - fix Add tool "CSAF webview" #52