Reported by Jacco:
[...] I found that CSAF documents generated with your library did not validate in the "official" validator (https://github.com/csaf-poc/csaf_distribution)
The issue was that CVSS items did not have the correct keywords according to the spec (https://www.first.org/cvss/cvss-v3.1.json)
I made a small patch for csaf and now it works for me. [...]
The use of alias to maintain internal app names (snake_case) while managing the external JSON keys (camelCase) for input and output has to be verified.
Fixed the CVSS Keywords in Generated CSAF Documents https://todo.sr.ht/~sthagen/csaf/2 per commit 68acc56. The release 2023.5.6 provides the fixed behavior.
Thanks to jaccol for reporting.
Hi sthagen,
I tested the fix, and I still see snake_case keywords in the resulting json. The internal app name has changed to CamelCase, though.
Jacco
Thanks for trying the new version, Jacco.
I cannot reproduce your observations on my side.
Using the basic test scenario in https://git.sr.ht/~sthagen/csaf/tree/default/item/test/test_cvss.py the following interactive session trace may help find the difference:
Python 3.11.2 (main, Mar 20 2023, 06:26:24) [GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> import csaf.cvss as cvss
>>> from csaf import __version__
>>> __version__
'2023.5.6+parent.75eb2ed8'
>>> DATA = {
...     'baseScore': 10.0,
...     'baseSeverity': 'CRITICAL',
...     'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
...     'version': '3.1',
... }
>>> JSON = json.dumps(DATA)
>>> c31 = cvss.CVSS31.parse_raw(JSON)
>>> c31.vector_string  # internal names are snake case OK
'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'
>>> json_lines = c31.json(indent=2).split('\n')
>>> json_rep_of_vs = [line for line in json_lines if 'vectorString' in line][0]
>>> json_rep_of_vs  # the external keys are camelCase OK
'  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",'
Does the above code work similarly in your environment?
Can you maybe provide a minimal test (some lines of python) that reproduces the defect you observe?
Thanks a lot.
cf. 375939d - Added assertions from https://todo.sr.ht/~sthagen/csaf/2#event-237201 to CVSS test
To continue on your example:
>>> vul = Vulnerability(
...     cve="CVE-2000-0001",
...     scores=[Score(cvss_v3=c31, products=["sample"])],
... )
>>> v_json = vul.json(exclude_unset=True, indent=4)
>>> v_json
'{
    "cve": "CVE-2000-0001",
    "scores": [
        {
            "cvss_v3": {
                "version": "3.1",
                "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "base_score": 10.0,
                "base_severity": "CRITICAL"
            },
            "products": [
                "sample"
            ]
        }
    ]
}'
As far as I understand, it is this JSON that will be part of a final CSAF document. Here is the snake_case back ...
bummer, I missed the first line while cut-and-pasting:
>>> from csaf.vulnerability import Vulnerability, Score
Thank you Jacco, the mix-ins still lose their json specialty with the previous change. Re-open (because I have a fix ;-) ...)
Fixed CVSS camelCase keyword propagation as mix-ins of score and vulnerability objects https://todo.sr.ht/~sthagen/csaf/2#event-237257 per commit 15cbec18. The release 2023.5.8 provides the fixed behavior also for the top level objects.
I will take a look at further mix-in places of our borrowed camels on another day ...
Reopening again, because I found another instance of this issue in the code. Please add this patch:
--- a/csaf/csaf.py +++ b/csaf/csaf.py @@ -70,6 +70,11 @@ class CSAF(BaseModel): ), ] + @no_type_check + def json(self, *args, **kwargs): + kwargs.setdefault('by_alias', True) + return super().json(*args, **kwargs) + @no_type_check @validator('vulnerabilities') @classmethod
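Review bot: only json() gets the by_alias default here, so the camelCase keys are restored for that call path alone; anything that goes through dict() (or serialises the dict() result itself) still emits snake_case keys unless the caller passes by_alias=True explicitly. Consider giving dict() the same setdefault('by_alias', True), and since Score and Vulnerability received the same override in 15cbec18, pulling both overrides into one shared mix-in so CSAF, Vulnerability and Score use a single implementation instead of three copies that can drift apart.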
Preparing the next release ...
Fixed top level aggregator to consume and produce camelCase CVSS keys per commit 1b902885. The release 2023.5.9 provides the fixed behavior also for the top level CSAF object (root of the document).
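The pattern discussed throughout this ticket, as an added example that is not csaf project code: pydantic field aliases keep snake_case attribute names internally while the JSON keys the CVSS 3.1 schema requires (version, vectorString, baseScore, baseSeverity) are only emitted when by_alias=True reaches the serialiser. The model names CVSS31, Score, VulnerabilityPlain and VulnerabilityAliased are simplified stand-ins for the library's classes, and the nested shape mirrors the trace Jacco posted. It runs against either pydantic v1 or v2 (v2 prints a deprecation warning for json()).

```python
"""Added example (not csaf project code): why camelCase CVSS keys get lost
on nested pydantic models and how a json() override that defaults
by_alias=True restores them.  Class names are simplified stand-ins."""
import json
from typing import List

from pydantic import BaseModel, Field

# Keys the CVSS 3.1 JSON schema linked in the ticket marks as required.
CVSS31_REQUIRED_KEYS = {'version', 'vectorString', 'baseScore', 'baseSeverity'}


class CVSS31(BaseModel):
    # Internal names stay snake_case; the external JSON key is the alias.
    version: str
    vector_string: str = Field(alias='vectorString')
    base_score: float = Field(alias='baseScore')
    base_severity: str = Field(alias='baseSeverity')


class Score(BaseModel):
    # cvss_v3 and products are snake_case in CSAF itself, so no alias here.
    cvss_v3: CVSS31
    products: List[str]


class VulnerabilityPlain(BaseModel):
    """No override: every caller must remember by_alias=True, and the
    nested CVSS object comes out with snake_case keys when they forget."""
    cve: str
    scores: List[Score]


class VulnerabilityAliased(VulnerabilityPlain):
    """Same shape, but json() defaults to the aliased key names.  pydantic
    applies by_alias recursively, so one override at the object whose
    json() is actually called is enough for the nested CVSS object."""

    def json(self, *args, **kwargs):
        kwargs.setdefault('by_alias', True)
        return super().json(*args, **kwargs)


def sample_vulnerability(cls):
    """Build a vulnerability of the given class from constructed sample data
    (the same values as the ticket's trace), populating CVSS31 by alias."""
    cvss = CVSS31(
        version='3.1',
        vectorString='CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
        baseScore=10.0,
        baseSeverity='CRITICAL',
    )
    return cls(cve='CVE-2000-0001',
               scores=[Score(cvss_v3=cvss, products=['sample'])])


def nested_cvss_keys(vulnerability) -> set:
    """Key names that actually reach the serialised cvss_v3 object when the
    top-level json() is called without arguments."""
    doc = json.loads(vulnerability.json())
    return set(doc['scores'][0]['cvss_v3'])


def missing_required_cvss_keys(vulnerability_json: str) -> set:
    """Required CVSS 3.1 keys absent from the first score's cvss_v3 object;
    this is the kind of mismatch the official validator reports."""
    doc = json.loads(vulnerability_json)
    return CVSS31_REQUIRED_KEYS - set(doc['scores'][0]['cvss_v3'])


if __name__ == '__main__':
    for cls in (VulnerabilityPlain, VulnerabilityAliased):
        vul = sample_vulnerability(cls)
        print(cls.__name__, sorted(nested_cvss_keys(vul)),
              'missing:', sorted(missing_required_cvss_keys(vul.json())))
```

The override only covers json(); dict() keeps pydantic's by_alias=False default, so a caller that serialises the dict() result with the standard library still gets snake_case keys, which is why the same default belongs on every entry point the library exposes for producing documents.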