Merge pull request #1033 from oasis-tcs/20250603-fixes-to-produce-csd01-rc2

20250603 fixes to produce csd01 rc2

Author: tschmidtb51

csaf_2.1/prose/edit/bin/toccata.py

@@ -6,10 +6,14 @@
 
 ENCODING = 'utf-8'
 NL = '\n'
+SP = ' '
 COLON = ':'
 DASH = '-'
 DOT = '.'
 
+LANG_PATCH = '<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">'
+LOGO_TARGET = 'https://docs.oasis-open.org/templates/OASISLogo-v3.0.png'
+
 TOC_STARTSWITH_TRIGGER = '<h1 id="table-of-contents'
 INTRO_STARTSWITH_TRIGGER = '<h1 id="1-introduction'
 
@@ -91,6 +95,14 @@ def main(argv: list[str]) -> int:
     # print(toc_db[-1])
     the_toc = generate_toc(toc_db)
     # print(the_toc)
+
+    with open('../share/style/base.css', 'rt', encoding=ENCODING) as handle:
+        base_css = handle.read()
+    with open('../share/style/skin.css', 'rt', encoding=ENCODING) as handle:
+        skin_css = handle.read()
+    with open(LOGO_AT, 'rt', encoding=ENCODING) as handle:
+        logo_data = handle.read().strip()
+
     with open('build/tmp.html', 'rt', encoding=ENCODING) as handle:
         incoming = handle.readlines()
 
@@ -109,6 +121,17 @@ def main(argv: list[str]) -> int:
             outgoing.append(line)
             outgoing.append(the_toc)
             continue
+        if line.startswith('<html xmlns'):
+            line = LANG_PATCH
+        elif '</style>' in line:
+            line = NL + base_css + NL + skin_css + NL + line
+        elif 'style/base.css' in line:
+            continue
+        elif 'style/skin.css' in line:
+            continue
+        elif LOGO_TARGET in line:
+            line = line.replace(LOGO_TARGET, logo_data)
+
         outgoing.append(line)
 
     with open('build/injected.html', 'wt', encoding=ENCODING) as handle:

csaf_2.1/prose/edit/etc/section-display-to-label.json

@@ -278,8 +278,8 @@
   "7.1.1": "requirement-1-valid-csaf-document",
   "7.1.2": "requirement-2-filename",
   "7.1.3": "requirement-3-tls",
-  "7.1.4": "requirement-4-tlp-white",
-  "7.1.5": "requirement-5-tlp-amber-and-tlp-red",
+  "7.1.4": "requirement-4-tlp-clear",
+  "7.1.5": "requirement-5-tlp-amber-tlp-amber-strict-and-tlp-red",
   "7.1.6": "requirement-6-no-redirects",
   "7.1.7": "requirement-7-provider-metadata-json",
   "7.1.8": "requirement-8-security-txt",
@@ -307,6 +307,11 @@
   "7.3": "retrieving-rules",
   "7.3.1": "finding-provider-metadata.json",
   "7.3.2": "retrieving-csaf-documents",
+  "7.4": "transition-between-csaf-2-0-and-csaf-2-1",
+  "7.4.1": "announcing-the-transition",
+  "7.4.2": "transition-process-for-a-csaf-provider",
+  "7.4.3": "archive-of-csaf-document-from-previous-version",
+  "7.4.4": "transition-process-for-a-csaf-aggregator",
   "8": "safety-security-and-data-protection-considerations",
   "9": "conformance",
   "9.1": "conformance-targets",

csaf_2.1/prose/edit/etc/section-label-to-display.json

@@ -13,6 +13,8 @@
   "additional-presets": "6.4.3",
   "additional-properties": "6.2.20",
   "affected-products": "6.1.27.12",
+  "announcing-the-transition": "7.4.1",
+  "archive-of-csaf-document-from-previous-version": "7.4.3",
   "array-length": "C.2",
   "branch-categories": "6.3.9",
   "branch-recursion": "5.5",
@@ -241,8 +243,8 @@
   "requirement-22-two-disjoint-issuing-parties": "7.1.22",
   "requirement-23-mirror": "7.1.23",
   "requirement-3-tls": "7.1.3",
-  "requirement-4-tlp-white": "7.1.4",
-  "requirement-5-tlp-amber-and-tlp-red": "7.1.5",
+  "requirement-4-tlp-clear": "7.1.4",
+  "requirement-5-tlp-amber-tlp-amber-strict-and-tlp-red": "7.1.5",
   "requirement-6-no-redirects": "7.1.6",
   "requirement-7-provider-metadata-json": "7.1.7",
   "requirement-8-security-txt": "7.1.8",
@@ -270,6 +272,9 @@
   "string-length": "C.3",
   "terminology": "1.2",
   "tests": "6",
+  "transition-between-csaf-2-0-and-csaf-2-1": "7.4",
+  "transition-process-for-a-csaf-aggregator": "7.4.4",
+  "transition-process-for-a-csaf-provider": "7.4.2",
   "translation": "6.1.28",
   "translator": "6.1.15",
   "typographical-conventions": "1.5",

csaf_2.1/prose/edit/src/distributing-01-requirements.md

@@ -29,7 +29,7 @@ However, there MUST be one copy of the document available for people without acc
 > Reasoning: If an advisory is already in the media, an end user should not be forced to collect the pieces of information from a
 > press release but be able to retrieve the CSAF document.
 
-### Requirement 5: TLP:AMBER, TLP:AMBER+STRICT and TLP:RED
+### Requirement 5: TLP:AMBER, TLP:AMBER+STRICT and TLP:RED{#requirement-5-tlp-amber-tlp-amber-strict-and-tlp-red}
 
 CSAF documents labeled TLP:AMBER, TLP:AMBER+STRICT or TLP:RED MUST be access protected.
 If they are provided via a web server this SHALL be done under a different path than for TLP:CLEAR,
@@ -166,7 +166,7 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details
   https://www.example.com/.well-known/csaf/provider-metadata.json
 ```
 
-As specified in [sec](#transition-between-csaf-20-and-csaf-21), the value of `canonical_url` MAY differ from the URL that was
+As specified in [sec](#transition-between-csaf-2-0-and-csaf-2-1), the value of `canonical_url` MAY differ from the URL that was
 requested as a part of this requirement.
 Such state is intended and MUST NOT be reported as error.
 

csaf_2.1/prose/edit/src/distributing-04-transition-20-21.md

@@ -1,4 +1,4 @@
-## Transition between CSAF 2.0 and CSAF 2.1
+## Transition between CSAF 2.0 and CSAF 2.1{#transition-between-csaf-2-0-and-csaf-2-1}
 
 This subsection details the process that SHOULD be followed when transitioning the distribution of documents from CSAF 2.0 to CSAF 2.1.
 Different scenarios can be encountered:
@@ -15,7 +15,6 @@ Different scenarios can be encountered:
 
 In the last scenario, a temporary parallel distribution of CSAF 2.0 and CSAF 2.1 documents and provider metadata is RECOMMENDED.
 The provider SHOULD announce a transition period containing three points in time:
-
 - The begin of the transition period, where the provider is starting to serve CSAF 2.1 documents, while CSAF 2.0 being authoritative.
   > It is expected that the CSAF 2.1 files can be used in production from this point onward.
 - The roll-over-date at which CSAF 2.1 becomes authoritative but CSAF 2.0 is still supported.
@@ -47,12 +46,12 @@ The following process SHOULD be followed:
 - At the begin of the transition period, a `provider-metadata.json` in conformance to CSAF 2.0 SHOULD be placed at `/.well-known/csaf/provider-metadata.json`.
   - The content of the resource SHALL be equal to the resource accessible at `/.well-known/csaf/v2.0/provider-metadata.json`.
   - For file-based distribution servers, this MAY be achieved by using a symlink.
-    Redirects SHALL NOT be used (cf. to requirement [sec](requirement-9-well-known-url-for-provider-metadata-json))
+    Redirects SHALL NOT be used (cf. to requirement [sec](#requirement-9-well-known-url-for-provider-metadata-json))
 - Sometime before the roll-over-date, all existing CSAF 2.0 documents SHOULD be converted to CSAF 2.1.
 - A the roll-over-date, a `provider-metadata.json` in conformance to CSAF 2.1 SHOULD be placed at `/.well-known/csaf/provider-metadata.json`.
   - The content of the resource SHALL be equal to the resource accessible at `/.well-known/csaf/v2.1/provider-metadata.json`.
   - For file-based distribution servers, this MAY be achieved by using a symlink.
-    Redirects SHALL NOT be used (cf. to requirement [sec](requirement-9-well-known-url-for-provider-metadata-json))
+    Redirects SHALL NOT be used (cf. to requirement [sec](#requirement-9-well-known-url-for-provider-metadata-json))
 - At the end of the transition period, the URL of the CSAF 2.0 `provider-metadata.json` SHOULD be removed from the `security.txt`.
   - The unmaintained CSAF 2.0 directory structure and files SHOULD be removed or made inaccessible.
   - The CSAF 2.0 documents MAY be archived.

csaf_2.1/prose/edit/src/introduction-03-normative-references.md

@@ -27,6 +27,9 @@ RFC3339
 RFC4180
 :    Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, <https://www.rfc-editor.org/info/rfc4180>.
 
+RFC7230
+:    Roy T. Fielding and Julian Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <https://www.rfc-editor.org/info/rfc7230>.
+
 RFC7464
 :    Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, <https://www.rfc-editor.org/info/rfc7464>.
 
@@ -40,4 +43,4 @@ RFC9562
 :    Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, <https://www.rfc-editor.org/info/rfc9562>.
 
 SPDX301
-:    _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, <https://spdx.github.io/spdx-spec/>.
+:    _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, <https://spdx.github.io/spdx-spec/>.

csaf_2.1/prose/edit/src/introduction-04-informative-references.md

@@ -28,7 +28,7 @@ CVRF-v1.2
 :    _CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2_. Edited by Stefan Hagen. 13 September 2017. OASIS Committee Specification 01. https://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html. Latest version: https://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.html.
 
 CVSS2
-:    _A Complete Guide to the Common Vulnerability Scoring System Version 2.0_, P. Mell, K. Scarfone, S. Romanosky, Editors, First.org, Inc., June 2007, https://www.first.org/cvss/cvss-v2-guide.pdf.
+:    _A Complete Guide to the Common Vulnerability Scoring System Version 2.0_, P. Mell, K. Scarfone, S. Romanosky, Editors, First.org, Inc., June 2007, https://www.first.org/cvss/v2/cvss-v2-guide.pdf.
 
 CVSS30
 :    _Common Vulnerability Scoring System v3.0: Specification Document_, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3.0/cvss-v30-specification_v1.9.pdf.
@@ -84,9 +84,6 @@ RFC4880
 RFC7231
 :    Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, <https://www.rfc-editor.org/info/rfc7231>.
 
-RFC7464
-:    N. Williams., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, <https://www.rfc-editor.org/info/rfc7464>.
-
 RFC8322
 :    Field, J., Banghart, S., and D. Waltermire, "Resource-Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018, <https://www.rfc-editor.org/info/rfc8322>.
 

csaf_2.1/prose/edit/src/tests-04-presets.md

@@ -48,7 +48,7 @@ Additional presets are defined as follows:
     > This is intended to be used for browser-based tools as external requests may result in CORS issues.
     > Request over network to a tool that is delivered with or an install requirement for a CSAF validator are not considered external.
   - Set: `full` excluding tests [sec](#use-of-non-self-referencing-urls-failing-to-resolve)
-    and [sec](use-of-self-referencing-urls-failing-to-resolve)
+    and [sec](#use-of-self-referencing-urls-failing-to-resolve)
 - `consistent-revision-history`:
   - Description: Any test that is related to the revision history and ensures consistence within it.
   - Set: