Hello Stefan,
we are using your csaf package to work with csaf files. It would be
great if we could have support for the model_numbers list in the package.
We are currently working with Aruba data, which uses this list to limit
the impact of a vulnerability to specific product models/series. Currently,
the data are stripped as the field is not defined. I have created a
patchset which adds support for this list. I added the "product_"
prefix to the attribute to avoid a conflict with pydantic's protected
namespace. The alias argument ensures the field is parsed correctly.
Thank you for considering this patchset.
Best regards
Jiří
Jiří Pešík (1):
Added support of the model_numbers list in the
product_identification_helper
csaf/product.py | 27 ++++++++++++++++++++++++++-
csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
2 files changed, 39 insertions(+), 1 deletion(-)
--
2.45.2
[PATCH csaf 1/1] Added support of the model_numbers list in the product_identification_helper
From: Jiří Pešík <jiri_pesik@rapid7.com>
---
csaf/product.py | 27 ++++++++++++++++++++++++++-
csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/csaf/product.py b/csaf/product.py
index ce48750f..fcd4e2b6 100644
--- a/csaf/product.py+++ b/csaf/product.py
@@ -111,6 +111,21 @@ class SerialNumber(
pass
+class ProductModelNumber(+ RootModel[+ Annotated[+ str,+ Field(+ description='Contains a full or abbreviated (partial) model number of the component to identify.',+ min_length=1,+ title='Model number',+ ),+ ]+ ]+):+ pass++class StockKeepingUnit(
RootModel[
Annotated[
@@ -188,6 +203,16 @@ class HelperToIdentifyTheProduct(BaseModel):
title='List of serial numbers',
),
] = None
+ # Prefix product is added to prevent a conflict with the protected namespace "model" of pydantic+ product_model_numbers: Annotated[+ Optional[Sequence[ProductModelNumber]],+ Field(+ alias='model_numbers',+ description='Contains a list of full or abbreviated (partial) model numbers.',+ # min_items=1,+ title='List of model numbers',+ ),+ ] = None skus: Annotated[
Optional[Sequence[StockKeepingUnit]],
Field(
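Review bot: the alias only covers the input direction. With `alias='model_numbers'` and no `populate_by_name` in `model_config`, the model can be built from a CSAF document but not from keyword arguments using the attribute name, and `model_dump()` will emit `product_model_numbers` unless called with `by_alias=True`, so a parsed Aruba helper does not round-trip under its CSAF key without that flag. Consider stating this in the comment or adding a `serialization_alias`. Note also that the protected-namespace conflict the comment refers to is a warning in pydantic v2, not an error, and can be silenced with `model_config = ConfigDict(protected_namespaces=())`, which would let the field keep its spec name and drop the alias altogether. Separately, the commented-out `# min_items=1` is not a no-op to forget: pydantic v2 spells the sequence length constraint `min_length=1`, and nothing here enforces the `uniqueItems` the schema declares, so duplicate model numbers pass.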
@@ -210,7 +235,7 @@ class HelperToIdentifyTheProduct(BaseModel):
@classmethod
@no_type_check
- @field_validator('hashes', 'sbom_urls', 'serial_numbers', 'skus', 'x_generic_uris')+ @field_validator('hashes', 'sbom_urls', 'serial_numbers', 'model_numbers', 'skus', 'x_generic_uris') def check_len(cls, v):
if not v:
raise ValueError('optional element present but empty')
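Review bot: `'model_numbers'` in the `field_validator` list is the alias, not a field name. `field_validator` resolves its arguments against the declared fields, so pydantic v2 raises `PydanticUserError` ("Decorators defined with incorrect fields") when `HelperToIdentifyTheProduct` is created, before any document is parsed. The entry should read `'product_model_numbers'`; a unit test that instantiates the class with an empty `model_numbers` list would have caught this and also exercises the new branch of `check_len`.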
diff --git a/csaf/schema_proxy/csaf_2_0.json b/csaf/schema_proxy/csaf_2_0.json
index 83f08f35..65001093 100644
--- a/csaf/schema_proxy/csaf_2_0.json+++ b/csaf/schema_proxy/csaf_2_0.json
@@ -232,6 +232,19 @@
}
}
},
+ "model_numbers": {+ "title": "List of models",+ "description": "Contains a list of full or abbreviated (partial) model numbers.",+ "type": "array",+ "minItems": 1,+ "uniqueItems": true,+ "items": {+ "title": "Model number",+ "description": "Contains a full or abbreviated (partial) model number of the component to identify.",+ "type": "string",+ "minLength": 1+ }+ }, "purl": {
"title": "package URL representation",
"description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
--
2.45.2
Re: [PATCH csaf 0/1] A patch request with added support of model_numbers list
Hello Jiří,
On Tue, Dec 3, 2024, at 17:14, ~jpesik-r7 wrote:
> Hello Stefan,
> we are using your csaf package to work with csaf files. It would be
> great if we could have support for the model_numbers list in the package.
> We are currently working with Aruba data, which uses this list to limit
> the impact of a vulnerability to specific product models/series. Currently,
> the data are stripped as the field is not defined. I have created a
> patchset which adds support for this list. I added the "product_"
> prefix to the attribute to avoid a conflict with pydantic's protected
> namespace. The alias argument ensures the field is parsed correctly.
> Thank you for considering this patchset.
> Best regards
> Jiří
>
> Jiří Pešík (1):
> Added support of the model_numbers list in the
> product_identification_helper
>
> csaf/product.py | 27 ++++++++++++++++++++++++++-
> csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
> 2 files changed, 39 insertions(+), 1 deletion(-)
>
> --
> 2.45.2
so, you want to parse advisories like:
https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.json
that Aruba Networks maps to the text version:
https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.txt
as random examples from Aruba Networks, right?
And https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31333-full-product-name-type---product-identification-helper---model-numbers defines that already in the specification prose.
And we have the schema member:
"model_numbers": {
"title": "List of models",
"description": "Contains a list of full or abbreviated (partial) model numbers.",
"type": "array",
"minItems": 1,
"uniqueItems": true,
"items": {
"title": "Model number",
"description": "Contains a full or abbreviated (partial) model number of the component to identify.",
"type": "string",
"minLength": 1
}
}
And the provided schema in the csaf/schema_proxy folder is definitely
missing that member, which is a bug in the CSAF package of mine.
Thank you for reporting and providing a patch.
I will try to find some time to see what else I forgot to include
in the proxy schema, and then review the proposed patch for
the parser.
I created the ticket https://todo.sr.ht/~sthagen/csaf/8 for tracking.
Thanks a lot.
Best,
Stefan.
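The two mechanics discussed in this thread, a proxy schema that drops an undefined member and a `product_`-prefixed attribute mapped back to the CSAF key `model_numbers`, as an added stand-alone example. This is not code from the csaf package or from the patch: it uses plain Python instead of pydantic, and the proxy-schema fragments and helper values are constructed for the illustration.

```python
# Constructed stand-ins for csaf/schema_proxy: PROXY_BEFORE lacks the member
# (so the data is stripped), PROXY_AFTER carries the model_numbers member
# quoted in the thread.
MODEL_NUMBERS_MEMBER = {"type": "array", "minItems": 1, "uniqueItems": True,
                        "items": {"type": "string", "minLength": 1}}
PROXY_BEFORE = {"properties": {"serial_numbers": {"type": "array"}}}
PROXY_AFTER = {"properties": {**PROXY_BEFORE["properties"],
                              "model_numbers": MODEL_NUMBERS_MEMBER}}
# CSAF key -> attribute name. The "product_" prefix mirrors the patch, which
# uses it to avoid pydantic's protected "model_" namespace and maps back via alias.
ALIASES = {"model_numbers": "product_model_numbers"}
REVERSE = {attr: key for key, attr in ALIASES.items()}

def validate_list(key, value, member):
    """Enforce what the schema member declares for a string array."""
    if not isinstance(value, list):
        raise ValueError(f"{key}: expected an array")
    if len(value) < member.get("minItems", 0):
        raise ValueError(f"{key}: optional element present but empty")
    if member.get("uniqueItems") and len(set(value)) != len(value):
        raise ValueError(f"{key}: duplicate entries")
    min_len = member.get("items", {}).get("minLength", 0)
    if any(not isinstance(v, str) or len(v) < min_len for v in value):
        raise ValueError(f"{key}: items must be non-empty strings")

def parse_helper(doc, proxy_schema):
    """Load a product_identification_helper: keys unknown to the proxy schema
    are dropped, arrays are validated, known keys get their attribute names."""
    parsed = {}
    for key, member in proxy_schema["properties"].items():
        if key in doc:
            if member.get("type") == "array":
                validate_list(key, doc[key], member)
            parsed[ALIASES.get(key, key)] = doc[key]
    return parsed

def to_csaf(parsed):
    """Serialize back under the CSAF key names (the by_alias direction)."""
    return {REVERSE.get(attr, attr): value for attr, value in parsed.items()}

def rejection(doc, proxy_schema):
    """Return the validation message for doc, or '' when it is accepted."""
    try:
        parse_helper(doc, proxy_schema)
    except ValueError as exc:
        return str(exc)
    return ""

# Constructed helper fragment in the shape of a vendor advisory (values made up).
HELPER_DOC = {"serial_numbers": ["SN-0001"], "model_numbers": ["JL-A", "JL-B"]}
```

Parsing `HELPER_DOC` against `PROXY_BEFORE` silently loses the model numbers, which is the stripping reported in the cover letter; against `PROXY_AFTER` they survive, are validated, and `to_csaf` restores the original key.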
Re: [PATCH csaf 0/1] A patch request with added support of model_numbers list
Hello Stefan,
Thank you very much for your response. The CSAF you linked is exactly
one of those I want to process and you are referencing the correct
schema member.
Thank you once again for reviewing my patch request.
Best regards,
Jiří
On Wed, Dec 4, 2024 at 7:56 PM Stefan Hagen <stefan@hagen.link> wrote:
>
> Hello Jiří,
>
> On Tue, Dec 3, 2024, at 17:14, ~jpesik-r7 wrote:
> > Hello Stefan,
> > we are using your csaf package to work with csaf files. It would be
> > great if we could have support for the model_numbers list in the package.
> > We are currently working with Aruba data, which uses this list to limit
> > the impact of a vulnerability to specific product models/series. Currently,
> > the data are stripped as the field is not defined. I have created a
> > patchset which adds support for this list. I added the "product_"
> > prefix to the attribute to avoid a conflict with pydantic's protected
> > namespace. The alias argument ensures the field is parsed correctly.
> > Thank you for considering this patchset.
> > Best regards
> > Jiří
> >
> > Jiří Pešík (1):
> > Added support of the model_numbers list in the
> > product_identification_helper
> >
> > csaf/product.py | 27 ++++++++++++++++++++++++++-
> > csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
> > 2 files changed, 39 insertions(+), 1 deletion(-)
> >
> > --
> > 2.45.2
>
> so, you want to parse advisories like:
> https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.json
>
> that Aruba Networks maps to the text version:
> https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.txt
>
> as random examples from Aruba Networks, right?
>
> And https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31333-full-product-name-type---product-identification-helper---model-numbers defines that already in the specification prose.
>
> And we have the schema member:
>
> "model_numbers": {
>   "title": "List of models",
>   "description": "Contains a list of full or abbreviated (partial) model numbers.",
>   "type": "array",
>   "minItems": 1,
>   "uniqueItems": true,
>   "items": {
>     "title": "Model number",
>     "description": "Contains a full or abbreviated (partial) model number of the component to identify.",
>     "type": "string",
>     "minLength": 1
>   }
> }
>
> And the provided schema in the csaf/schema_proxy folder is definitely
> missing that member, which is a bug in the CSAF package of mine.
>
> Thank you for reporting and providing a patch.
>
> I will try to find some time to see what else I forgot to include
> in the proxy schema, and then review the proposed patch for
> the parser.
>
> I created the ticket https://todo.sr.ht/~sthagen/csaf/8 for tracking.
>
> Thanks a lot.
>
> Best,
> Stefan.