Merge pull request #1292 from oasis-tcs/editor-revision-2026-02-25

Editor revision for TC meeting 2026-02-25

Author: sthagen

.github/workflows/csaf_2.1_extensions.yml

@@ -0,0 +1,58 @@
+name: CSAF Extensions Test (CSAF 2.1)
+
+on:
+  push:
+    paths:
+      - 'csaf_2.1/**'
+  pull_request:
+    paths:
+      - 'csaf_2.1/**'
+
+jobs:
+  metaschema-test:
+    runs-on: ubuntu-latest
+    name: Test Extension JSON schemas against extension-metaschema
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Prepare environment
+      run: |
+        sudo apt-get remove python3-jsonschema
+        sudo apt-get update -q && sudo apt-get install -y --no-install-recommends -qq \
+          python3 \
+          python3-simplejson \
+          python3-jsonpath-rw \
+          python3-pip \
+          python3-setuptools \
+          python3-wheel
+        pip3 install jsonschema[format]
+    - name: Check jsonschema version
+      run: python3 -c "from importlib.metadata import version; print(version('jsonschema'))"
+    - name: Test extensions in extension/data/valid/*/*.json
+      run: ./csaf_2.1/test/extension/metaschema/run_tests.sh ./csaf_2.1/test/extension/data/valid/*/*-content_*.json
+    - name: Test extensions in extension/data/valid/*/*.json
+      run: ./csaf_2.1/test/extension/metaschema/run_invalid_tests.sh ./csaf_2.1/test/extension/data/invalid/*/*-content_*.json
+
+  metadata-test:
+    runs-on: ubuntu-latest
+    name: Test Extension Metadata JSON against extension-metadata schema
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Prepare environment
+      run: |
+        sudo apt-get remove python3-jsonschema
+        sudo apt-get update -q && sudo apt-get install -y --no-install-recommends -qq \
+          python3 \
+          python3-simplejson \
+          python3-jsonpath-rw \
+          python3-pip \
+          python3-setuptools \
+          python3-wheel
+        pip3 install jsonschema[format]
+    - name: Check jsonschema version
+      run: python3 -c "from importlib.metadata import version; print(version('jsonschema'))"
+    - name: Test extension metadata in extension/data/valid/*/*.json
+      run: ./csaf_2.1/test/extension/metadata/run_tests.sh ./csaf_2.1/test/extension/data/valid/*/*-metadata_*.json
+    - name: Test extension metadata in extension/data/valid/*/*.json
+      run: ./csaf_2.1/test/extension/metadata/run_invalid_tests.sh ./csaf_2.1/test/extension/data/invalid/*/*-metadata_*.json

.github/workflows/csaf_2.1_filenames.yml

@@ -24,6 +24,8 @@ jobs:
       run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/examples/csaf/*.json
     - name: Test filenames of CSAF examples - profile specific folders
       run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/examples/csaf/csaf_*/*.json
+    - name: Test filenames of CSAF examples - appendix folders
+      run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/examples/csaf/appendix/*.json
     - name: Test filenames of CSAF test files in validator/data/mandatory
       run: ./csaf_2.1/test/filenames/run_tests.sh ./csaf_2.1/test/validator/data/mandatory/*.json
     - name: Test filenames of CSAF test files in validator/data/recommended

.github/workflows/csaf_2.1_main.yml

@@ -32,6 +32,8 @@ jobs:
       run: ./csaf_2.1/test/csaf_schema/run_tests.sh
     - name: Test VEX examples against CSAF schema
       run: ./csaf_2.1/test/csaf_schema/run_tests.sh csaf_vex
+    - name: Test Appendix examples against CSAF schema
+      run: ./csaf_2.1/test/csaf_schema/run_tests.sh appendix
     - name: Test examples against Provider Metadata schema
       run: ./csaf_2.1/test/provider_schema/run_tests.sh
     - name: Test examples against Aggregator schema

.github/workflows/csaf_2.1_mandatory-tests.yml

@@ -38,3 +38,12 @@ jobs:
           printf "%s%s\n" "Starting test of " $i
           ../csaf-validator-lib/scripts/runTest.js -f $i -t base -c 2.1
         done
+    # Commented out as not yet supported by the test tools
+    # Only temporary until examples in the repo are reorganized
+    #- name: Run mandatory tests on examples/appendix
+    #  run:  |
+    #    for i in `ls -1 ../csaf/csaf_2.1/examples/csaf/appendix/*.json`
+    #    do
+    #      printf "%s%s\n" "Starting test of " $i
+    #      ../csaf-validator-lib/scripts/runTest.js -f $i -t base -c 2.1
+    #    done

.github/workflows/registry_id_mapping.yml

@@ -27,5 +27,5 @@ jobs:
         pip3 install jsonschema[format]
     - name: Check jsonschema version
       run: python3 -c "from importlib.metadata import version; print(version('jsonschema'))"
-    - name: Test registry/id/id-mapping.json against RVISC Mapping schema and for consistency
-      run: ./registry/id/test/check_id-mapping.sh
+    - name: Test registry/id/mapping.json against RVISC Mapping schema and for consistency
+      run: ./registry/id/test/check_mapping.sh

.github/workflows/registry_id_registry.yml

@@ -1,4 +1,4 @@
-name: RVISC ID Test (Registry)
+name: RVISC Registry Test (Registry)
 
 on:
   push:
@@ -27,5 +27,5 @@ jobs:
         pip3 install jsonschema[format]
     - name: Check jsonschema version
       run: python3 -c "from importlib.metadata import version; print(version('jsonschema'))"
-    - name: Test registry/id/id-registry.json against RVISC schema and for consistency
-      run: ./registry/id/test/check_id-registry.sh
+    - name: Test registry/id/registry.json against RVISC schema and for consistency
+      run: ./registry/id/test/check_registry.sh

.gitignore

@@ -23,3 +23,4 @@ venv.bak/
 local*
 .vscode/
 build/
+outline/

csaf_2.0/known_issues.md

@@ -37,3 +37,12 @@
 - The last informative comment in [test 6.2.18](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6218-product-version-range-without-vers)
   contains a typo, stating `vsl` instead of `vls`.
   See [#1265](https://github.com/oasis-tcs/csaf/issues/1265).
+- Confusion could occur around the depth of PURL checking in test [6.1.13](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6113-purl).
+  See [#1303](https://github.com/oasis-tcs/csaf/issues/1303).
+- The test [6.1.25](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6125-multiple-use-of-same-hash-algorithm)
+  is missing the word "file" in the description and explanation but shows the correct relevant paths.
+  See [#1330](https://github.com/oasis-tcs/csaf/issues/1330).
+- The expectations to differentiate the error messages for CSAF Validators regarding the phrase "present and set" where not stated clearly.
+  See [#1345](https://github.com/oasis-tcs/csaf/issues/1345).
+- The case handling requirements of subtags for languages was unclear.
+  See [#1347](https://github.com/oasis-tcs/csaf/issues/1347).

csaf_2.1/examples/csaf/appendix/oasis_csaf_tc-csaf_2_1-2024-d-11.json

@@ -0,0 +1,266 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Collapsing Product Paths (example 1)",
+    "tracking": {
+      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-D-11",
+      "initial_release_date": "2024-01-24T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "branches": [
+          {
+            "branches": [
+              {
+                "category": "product_version",
+                "name": "1.0.0",
+                "product": {
+                  "name": "Example Company Product A 1.0.0",
+                  "product_id": "CSAFPID-908070601"
+                }
+              },
+              {
+                "category": "product_version",
+                "name": "1.1.0",
+                "product": {
+                  "name": "Example Company Product A 1.1.0",
+                  "product_id": "CSAFPID-908070602"
+                }
+              }
+            ],
+            "category": "product_name",
+            "name": "Product A"
+          },
+          {
+            "branches": [
+              {
+                "category": "product_version",
+                "name": "2023",
+                "product": {
+                  "name": "Example Company Product B 2023",
+                  "product_id": "CSAFPID-908070603"
+                }
+              },
+              {
+                "category": "product_version",
+                "name": "2024",
+                "product": {
+                  "name": "Example Company Product B 2024",
+                  "product_id": "CSAFPID-908070604"
+                }
+              }
+            ],
+            "category": "product_name",
+            "name": "Product B"
+          },
+          {
+            "branches": [
+              {
+                "category": "product_version",
+                "name": "EU",
+                "product": {
+                  "name": "Example Company Product C EU",
+                  "product_id": "CSAFPID-908070605"
+                }
+              },
+              {
+                "category": "product_version",
+                "name": "US",
+                "product": {
+                  "name": "Example Company Product C US",
+                  "product_id": "CSAFPID-908070606"
+                }
+              }
+            ],
+            "category": "product_name",
+            "name": "Product C"
+          }
+        ],
+        "category": "vendor",
+        "name": "Example Company"
+      }
+    ],
+    "product_paths": [
+      {
+        "beginning_product_reference": "CSAFPID-908070601",
+        "full_product_name": {
+          "name": "Example Company Product A 1.0.0 installed on Example Company Product B 2023",
+          "product_id": "CSAFPID-908070607"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070603"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070601",
+        "full_product_name": {
+          "name": "Example Company Product A 1.0.0 installed on Example Company Product B 2024",
+          "product_id": "CSAFPID-908070608"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070604"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070602",
+        "full_product_name": {
+          "name": "Example Company Product A 1.1.0 installed on Example Company Product B 2023",
+          "product_id": "CSAFPID-908070609"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070603"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070602",
+        "full_product_name": {
+          "name": "Example Company Product A 1.1.0 installed on Example Company Product B 2024",
+          "product_id": "CSAFPID-908070610"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070604"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070607",
+        "full_product_name": {
+          "name": "Example Company Product A 1.0.0 installed on Example Company Product B 2023 installed on Example Company Product C EU",
+          "product_id": "CSAFPID-908070611"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070605"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070607",
+        "full_product_name": {
+          "name": "Example Company Product A 1.0.0 installed on Example Company Product B 2023 installed on Example Company Product C US",
+          "product_id": "CSAFPID-908070612"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070606"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070608",
+        "full_product_name": {
+          "name": "Example Company Product A 1.0.0 installed on Example Company Product B 2024 installed on Example Company Product C EU",
+          "product_id": "CSAFPID-908070613"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070605"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070608",
+        "full_product_name": {
+          "name": "Example Company Product A 1.0.0 installed on Example Company Product B 2024 installed on Example Company Product C US",
+          "product_id": "CSAFPID-908070614"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070606"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070609",
+        "full_product_name": {
+          "name": "Example Company Product A 1.1.0 installed on Example Company Product B 2023 installed on Example Company Product C EU",
+          "product_id": "CSAFPID-908070615"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070605"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070609",
+        "full_product_name": {
+          "name": "Example Company Product A 1.1.0 installed on Example Company Product B 2023 installed on Example Company Product C US",
+          "product_id": "CSAFPID-908070616"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070606"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070610",
+        "full_product_name": {
+          "name": "Example Company Product A 1.1.0 installed on Example Company Product B 2024 installed on Example Company Product C EU",
+          "product_id": "CSAFPID-908070617"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070605"
+          }
+        ]
+      },
+      {
+        "beginning_product_reference": "CSAFPID-908070610",
+        "full_product_name": {
+          "name": "Example Company Product A 1.1.0 installed on Example Company Product B 2024 installed on Example Company Product C US",
+          "product_id": "CSAFPID-908070618"
+        },
+        "subpaths": [
+          {
+            "category": "installed_on",
+            "next_product_reference": "CSAFPID-908070606"
+          }
+        ]
+      }
+    ]
+  }
+}