~sthagen/csaf


[PATCH csaf 0/1] A patch request with added support of model_numbers list

Message ID
<173324245538.15711.12134484190116316732-0@git.sr.ht>
DKIM signature
missing
Hello Stefan,
we are using your csaf package to work with csaf files. It would be
great if we could have support for the model_numbers list in the package.
We are currently working with Aruba data, which uses this list to limit
the impact of a vulnerability to specific product models/series. Currently,
the data are stripped as the field is not defined. I have created a
patchset which adds support for this list. I added the "product_"
prefix to the attribute to avoid a conflict with pydantic's protected
namespace. The alias argument ensures the field is parsed correctly.
Thank you for considering this patchset.
Best regards
Jiří

Jiří Pešík (1):
  Added support of the model_numbers list in the
    product_identification_helper

 csaf/product.py                 | 27 ++++++++++++++++++++++++++-
 csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

-- 
2.45.2

[PATCH csaf 1/1] Added support of the model_numbers list in the product_identification_helper

Message ID
<173324245538.15711.12134484190116316732-1@git.sr.ht>
In-Reply-To
<173324245538.15711.12134484190116316732-0@git.sr.ht>
DKIM signature
missing
Patch: +39 -1
From: Jiří Pešík <jiri_pesik@rapid7.com>

---
 csaf/product.py                 | 27 ++++++++++++++++++++++++++-
 csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/csaf/product.py b/csaf/product.py
index ce48750f..fcd4e2b6 100644
--- a/csaf/product.py
+++ b/csaf/product.py
@@ -111,6 +111,21 @@ class SerialNumber(
    pass


class ProductModelNumber(
    RootModel[
        Annotated[
            str,
            Field(
                description='Contains a full or abbreviated (partial) model number of the component to identify.',
                min_length=1,
                title='Model number',
            ),
        ]
    ]
):
    pass


class StockKeepingUnit(
    RootModel[
        Annotated[
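Review bot: the `Product` prefix on `ProductModelNumber` is unnecessary and breaks the naming pattern of its siblings `SerialNumber` and `StockKeepingUnit`; pydantic's protected `model_` namespace only concerns field names on a `BaseModel`, not class names, so `class ModelNumber(RootModel[...])` works and reads consistently. The `min_length=1`, title and description do match the schema's item definition.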
@@ -188,6 +203,16 @@ class HelperToIdentifyTheProduct(BaseModel):
            title='List of serial numbers',
        ),
    ] = None
    # Prefix product is added to prevent a conflict with the protected namespace "model" of pydantic
    product_model_numbers: Annotated[
        Optional[Sequence[ProductModelNumber]],
        Field(
            alias='model_numbers',
            description='Contains a list of full or abbreviated (partial) model numbers.',
            # min_items=1,
            title='List of model numbers',
        ),
    ] = None
    skus: Annotated[
        Optional[Sequence[StockKeepingUnit]],
        Field(
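Review bot: `product_model_numbers` with `alias='model_numbers'` parses advisory JSON correctly, but the model will serialize the field under its Python name unless callers pass `by_alias=True` (e.g. `model_dump(by_alias=True)`), so a round-tripped document would carry a non-schema key `product_model_numbers`; this should be documented or covered by a test. The commented-out `# min_items=1` should be dropped rather than left in: `min_items` is the pydantic v1 name (v2 uses `min_length` for sequences) and the emptiness check is already delegated to `check_len` in the next hunk. Two smaller mismatches with the schema member added in csaf_2_0.json: `title='List of model numbers'` vs `"title": "List of models"`, and `"uniqueItems": true` is not enforced by `Sequence[ProductModelNumber]`.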
@@ -210,7 +235,7 @@ class HelperToIdentifyTheProduct(BaseModel):

    @classmethod
    @no_type_check
    @field_validator('hashes', 'sbom_urls', 'serial_numbers', 'skus', 'x_generic_uris')
    @field_validator('hashes', 'sbom_urls', 'serial_numbers', 'model_numbers', 'skus', 'x_generic_uris')
    def check_len(cls, v):
        if not v:
            raise ValueError('optional element present but empty')
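Review bot: `field_validator` takes the model's field names, not aliases, so `'model_numbers'` must be `'product_model_numbers'` here; as written pydantic v2 raises a `PydanticUserError` ("Decorators defined with incorrect fields") at class creation because no field named `model_numbers` exists, and with `check_fields=False` the validator would simply never run for the new field. Suggested line: `@field_validator('hashes', 'sbom_urls', 'serial_numbers', 'product_model_numbers', 'skus', 'x_generic_uris')`. A unit test that an advisory with `"model_numbers": []` is rejected with 'optional element present but empty', as for the other lists, would have caught this.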
diff --git a/csaf/schema_proxy/csaf_2_0.json b/csaf/schema_proxy/csaf_2_0.json
index 83f08f35..65001093 100644
--- a/csaf/schema_proxy/csaf_2_0.json
+++ b/csaf/schema_proxy/csaf_2_0.json
@@ -232,6 +232,19 @@
                }
              }
            },
            "model_numbers": {
              "title": "List of models",
              "description": "Contains a list of full or abbreviated (partial) model numbers.",
              "type": "array",
              "minItems": 1,
              "uniqueItems": true,
              "items": {
                "title": "Model number",
                "description": "Contains a full or abbreviated (partial) model number of the component to identify.",
                "type": "string",
                "minLength": 1
              }
            },
            "purl": {
              "title": "package URL representation",
              "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
-- 
2.45.2

Re: [PATCH csaf 0/1] A patch request with added support of model_numbers list

Message ID
<3972674c-f33a-4b1d-8bc3-8bce8d641c8b@app.fastmail.com>
In-Reply-To
<173324245538.15711.12134484190116316732-0@git.sr.ht>
DKIM signature
pass
Hello Jiří,

On Tue, Dec 3, 2024, at 17:14, ~jpesik-r7 wrote:
> Hello Stefan,
> we are using your csaf package to work with csaf files. It would be
> great if we could have support for the model_numbers list in the package.
> We are currently working with Aruba data, which uses this list to limit
> the impact of a vulnerability to specific product models/series. Currently,
> the data are stripped as the field is not defined. I have created a
> patchset which adds support for this list. I added the "product_"
> prefix to the attribute to avoid a conflict with pydantic's protected
> namespace. The alias argument ensures the field is parsed correctly.
> Thank you for considering this patchset.
> Best regards
> Jiří
> 
> Jiří Pešík (1):
>   Added support of the model_numbers list in the
>     product_identification_helper
> 
> csaf/product.py                 | 27 ++++++++++++++++++++++++++-
> csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
> 2 files changed, 39 insertions(+), 1 deletion(-)
> 
> -- 
> 2.45.2 

so, you want to parse advisories like:
https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.json

that Aruba Networks maps to the text version:
https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.txt

as random examples from Aruba Networks, right?

And https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31333-full-product-name-type---product-identification-helper---model-numbers defines that already in the specification prose.

And we have the schema member:

"model_numbers": {
  "title": "List of models",
  "description": "Contains a list of full or abbreviated (partial) model numbers.",
  "type": "array",
  "minItems": 1,
  "uniqueItems": true,
  "items": {
    "title": "Model number",
    "description": "Contains a full or abbreviated (partial) model number of the component to identify.",
    "type": "string",
    "minLength": 1
  }
}

And the provided schema in the csaf/schema_proxy folder is definitely
missing that member, which is a bug in the CSAF package of mine.

Thank you for reporting and providing a patch.

I will try to find some time to see what else I forgot to include
in the proxy schema, and then review the proposed patch for
the parser. 

I created the ticket https://todo.sr.ht/~sthagen/csaf/8 for tracking.

Thanks a lot.

Best,
Stefan.
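As an added illustration (not part of this thread or of the csaf package), a stdlib-only walk over a constructed product_tree that collects model_numbers per product and checks them against the schema member Stefan quotes above (array, minItems 1, uniqueItems, string items of minLength 1), which is what a parser should enforce instead of silently dropping the field. The sample tree and the names `collect_model_numbers` and `validate_model_numbers` are constructed for this example.

```python
# Constructed CSAF 2.0 product_tree fragment (not a real advisory): the first
# product carries the model_numbers helper, the second has no helper at all.
SAMPLE_PRODUCT_TREE = {"branches": [
  {"category": "vendor", "name": "ExampleVendor", "branches": [
    {"category": "product_version", "name": "1.0",
     "product": {"product_id": "CSAFPID-0001", "name": "Switch Series 1.0",
                 "product_identification_helper": {
                   "model_numbers": ["SW-1000", "SW-1000-24P"]}}}]},
  {"category": "vendor", "name": "OtherVendor",
   "product": {"product_id": "CSAFPID-0002", "name": "Bare product"}}]}


def validate_model_numbers(value):
    # Schema member: array, minItems 1, uniqueItems, items string minLength 1.
    # Returns a list of violation messages; an empty list means valid.
    if not isinstance(value, list):
        return [f"model_numbers must be an array, got {type(value).__name__}"]
    problems = []
    if not value:
        problems.append("model_numbers is present but empty (minItems: 1)")
    strings = [item for item in value if isinstance(item, str)]
    if len(set(strings)) != len(strings):
        problems.append("model_numbers has duplicate entries (uniqueItems: true)")
    for i, item in enumerate(value):
        if not isinstance(item, str):
            problems.append(f"model_numbers[{i}] must be a string")
        elif not item:
            problems.append(f"model_numbers[{i}] is empty (minLength: 1)")
    return problems


def collect_model_numbers(product_tree):
    # Walk every branch; return (found, violations), both keyed by product_id,
    # so a helper the parser does not model is never silently dropped.
    found, violations = {}, {}
    def visit(node):
        product = node.get("product")
        if product is not None:
            helper = product.get("product_identification_helper", {})
            if "model_numbers" in helper:
                pid = product["product_id"]
                found[pid] = helper["model_numbers"]
                errors = validate_model_numbers(helper["model_numbers"])
                if errors:
                    violations[pid] = errors
        for child in node.get("branches", []):
            visit(child)
    visit(product_tree)
    return found, violations
```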

Re: [PATCH csaf 0/1] A patch request with added support of model_numbers list

Message ID
<CAEOe0C0dLBid6w4OSw6T92ZsV2FwfMcS1E2X4GQkCp9sqaZgug@mail.gmail.com>
In-Reply-To
<3972674c-f33a-4b1d-8bc3-8bce8d641c8b@app.fastmail.com>
DKIM signature
pass
Hello Stefan,

Thank you very much for your response. The CSAF you linked is exactly
one of those I want to process and you are referencing the correct
schema member.

Thank you once again for reviewing my patch request.

Best regards,
Jiří

On Wed, Dec 4, 2024 at 7:56 PM Stefan Hagen <stefan@hagen.link> wrote:
>
> Hello Jiří,
>
> On Tue, Dec 3, 2024, at 17:14, ~jpesik-r7 wrote:
> > Hello Stefan,
> > we are using your csaf package to work with csaf files. It would be
> > great if we could have support for the model_numbers list in the package.
> > We are currently working with Aruba data, which uses this list to limit
> > the impact of a vulnerability to specific product models/series. Currently,
> > the data are stripped as the field is not defined. I have created a
> > patchset which adds support for this list. I added the "product_"
> > prefix to the attribute to avoid a conflict with pydantic's protected
> > namespace. The alias argument ensures the field is parsed correctly.
> > Thank you for considering this patchset.
> > Best regards
> > Jiří
> >
> > Jiří Pešík (1):
> >   Added support of the model_numbers list in the
> >     product_identification_helper
> >
> > csaf/product.py                 | 27 ++++++++++++++++++++++++++-
> > csaf/schema_proxy/csaf_2_0.json | 13 +++++++++++++
> > 2 files changed, 39 insertions(+), 1 deletion(-)
> >
> > --
> > 2.45.2
>
> so, you want to parse advisories like:
> https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.json
>
> that Aruba Networks maps to the text version:
> https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-010.txt
>
> as random examples from Aruba Networks, right?
>
> And https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31333-full-product-name-type---product-identification-helper---model-numbers defines that already in the specification prose.
>
> And we have the schema member:
>
> "model_numbers": {
>   "title": "List of models",
>   "description": "Contains a list of full or abbreviated (partial) model numbers.",
>   "type": "array",
>   "minItems": 1,
>   "uniqueItems": true,
>   "items": {
>     "title": "Model number",
>     "description": "Contains a full or abbreviated (partial) model number of the component to identify.",
>     "type": "string",
>     "minLength": 1
>   }
> }
>
> And the provided schema in the csaf/schema_proxy folder is definitely
> missing that member, which is a bug in the CSAF package of mine.
>
> Thank you for reporting and providing a patch.
>
> I will try to find some time to see what else I forgot to include
> in the proxy schema, and then review the proposed patch for
> the parser.
>
> I created the ticket https://todo.sr.ht/~sthagen/csaf/8 for tracking.
>
> Thanks a lot.
>
> Best,
> Stefan.
