Merge pull request #879 from tschmidtb51/disclosure_date

Disclosure date

Author: tschmidtb51

csaf_2.1/examples/csaf/rhsa-2021_5186.json

@@ -173,6 +173,7 @@
           "version": "4.6"
         }
       ],
+      "disclosure_date": "2021-12-10T00:00:00Z",
       "discovery_date": "2021-12-13T00:00:00Z",
       "ids": [
         {
@@ -228,7 +229,6 @@
           "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667"
         }
       ],
-      "release_date": "2021-12-10T00:00:00Z",
       "remediations": [
         {
           "category": "vendor_fix",
@@ -252,6 +252,7 @@
     },
     {
       "cve": "CVE-2021-4125",
+      "disclosure_date": "2021-12-16T00:00:00Z",
       "discovery_date": "2021-12-16T00:00:00Z",
       "ids": [
         {
@@ -297,7 +298,6 @@
           "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121"
         }
       ],
-      "release_date": "2021-12-16T00:00:00Z",
       "remediations": [
         {
           "category": "vendor_fix",
@@ -320,4 +320,4 @@
       "title": "CVE-2021-4125 kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046"
     }
   ]
-}
+}

csaf_2.1/examples/csaf/rhsa-2021_5217.json

@@ -124,6 +124,7 @@
           "version": "4.6"
         }
       ],
+      "disclosure_date": "2021-12-16T17:05:00Z",
       "discovery_date": "2021-12-17T00:00:00Z",
       "ids": [
         {
@@ -165,7 +166,6 @@
           "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"
         }
       ],
-      "release_date": "2021-12-16T17:05:00Z",
       "remediations": [
         {
           "category": "vendor_fix",
@@ -186,4 +186,4 @@
       "title": "CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users"
     }
   ]
-}
+}

csaf_2.1/examples/csaf/rhsa-2022_0011.json

@@ -348,6 +348,7 @@
           "version": "4.6"
         }
       ],
+      "disclosure_date": "2020-02-28T00:00:00Z",
       "discovery_date": "2020-03-06T00:00:00Z",
       "ids": [
         {
@@ -393,7 +394,6 @@
           "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811673"
         }
       ],
-      "release_date": "2020-02-28T00:00:00Z",
       "remediations": [
         {
           "category": "vendor_fix",
@@ -428,4 +428,4 @@
       "title": "CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code"
     }
   ]
-}
+}

csaf_2.1/json_schema/csaf_json_schema.json

@@ -1099,6 +1099,12 @@
               }
             }
           },
+          "disclosure_date": {
+            "title": "Disclosure date",
+            "description": "Holds the date and time the vulnerability was originally disclosed to the public.",
+            "type": "string",
+            "format": "date-time"
+          },
           "discovery_date": {
             "title": "Discovery date",
             "description": "Holds the date and time the vulnerability was originally discovered.",
@@ -1348,12 +1354,6 @@
             "description": "Holds a list of references associated with this vulnerability item.",
             "$ref": "#/$defs/references_t"
           },
-          "release_date": {
-            "title": "Release date",
-            "description": "Holds the date and time the vulnerability was originally released into the wild.",
-            "type": "string",
-            "format": "date-time"
-          },
           "remediations": {
             "title": "List of remediations",
             "description": "Contains a list of remediations.",

csaf_2.1/prose/edit/etc/bind.txt

@@ -75,6 +75,7 @@ tests-01-mndtr-41-missing-sharing-group-name.md
 tests-01-mndtr-42-purl-qualifiers.md
 tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md
 tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
+tests-01-mndtr-45-inconsistent-disclosure-date.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

csaf_2.1/prose/edit/src/conformance.md

@@ -146,6 +146,7 @@ Secondly, the program fulfills the following for all items of:
     been removed.
   * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a
     warning that this CWE has been removed as its usage is not allowed in vulnerability mappings.
+* `/vulnerabilities[]/disclosure_date`: If a `vuln:ReleaseDate` was given, the CVRF CSAF converter MUST convert its value into the `disclosure_date`.
 * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array.
 * `/vulnerabilities[]/remediations[]`:
   * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under
@@ -604,7 +605,7 @@ Secondly, the program fulfills the following for all items of:
   > This is done to create a deterministic conversion.
 
   The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
-
+* `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as `disclosure_date`.
 * `/vulnerabilities[]/remediations[]`:
   * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch`
     if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.

csaf_2.1/prose/edit/src/guidance-on-size.md

@@ -263,10 +263,10 @@ The maximum length of strings representing a temporal value is given by the form
 * `/document/tracking/generator/date`
 * `/document/tracking/initial_release_date`
 * `/document/tracking/revision_history[]/date`
+* `/vulnerabilities[]/disclosure_date`
 * `/vulnerabilities[]/discovery_date`
 * `/vulnerabilities[]/flags[]/date`
 * `/vulnerabilities[]/involvements[]/date`
-* `/vulnerabilities[]/release_date`
 * `/vulnerabilities[]/remediations[]/date`
 * `/vulnerabilities[]/threats[]/date`
 

csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md

@@ -15,8 +15,8 @@ properties represents a list of all relevant vulnerability information items.
 The Vulnerability item of value type `object` with 1 or more properties is a container for the aggregation of all fields that are related to
 a single vulnerability in the document.
 Any vulnerability MAY provide the optional properties Acknowledgments (`acknowledgments`), Common Vulnerabilities and Exposures (CVE) (`cve`),
-Common Weakness Enumeration (CWE) (`cwes`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`), Involvements (`involvements`),
-Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`), Release Date (`release_date`),
+Common Weakness Enumeration (CWE) (`cwes`), Disclosure Date (`disclosure_date`), Discovery Date (`discovery_date`), Flags (`flags`), IDs (`ids`),
+Involvements (`involvements`), Metrics (`metrics`), Notes (`notes`), Product Status (`product_status`), References (`references`),
 Remediations (`remediations`), Threats (`threats`), and Title (`title`).
 
 ```
@@ -30,6 +30,9 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`).
       "cwes": {
         // ...
       },
+      "disclosure_date": {
+        // ...
+      },
       "discovery_date": {
         // ...
       },
@@ -54,9 +57,6 @@ Remediations (`remediations`), Threats (`threats`), and Title (`title`).
       "references": {
         // ...
       },
-      "release_date": {
-        // ...
-      },
       "remediations": {
         // ...
       },
@@ -168,6 +168,15 @@ When creating or modifying a CSAF document, the latest published version of the
     "4.12"
 ```
 
+#### Vulnerabilities Property - Disclosure Date
+
+Disclosure date (`disclosure_date`) with value type `string` of format `date-time` holds the date and time
+the vulnerability was originally disclosed to the public.
+
+For vulnerabilities not yet disclosed to the public, a disclosure date in the future SHOULD indicate the intended date for disclosure of the vulnerability.
+As disclosure dates may change during a vulnerability disclosure process, an issuing party SHOULD produce an updated CSAF document to confirm that the
+vulnerability was in fact disclosed to the public at that time or update the `disclosure_date` with the new intended date in the future.
+
 #### Vulnerabilities Property - Discovery Date
 
 Discovery date (`discovery_date`) of value type `string` with format `date-time` holds the date and time the vulnerability was originally discovered.
@@ -569,11 +578,6 @@ list of references associated with this vulnerability item.
     },
 ```
 
-#### Vulnerabilities Property - Release Date
-
-Release date (`release_date`) with value type `string` of format `date-time` holds the date and time
-the vulnerability was originally released into the wild.
-
 #### Vulnerabilities Property - Remediations
 
 List of remediations (`remediations`) of value type `array` with 1 or more Remediation items of value type `object` contains a list of remediations.

csaf_2.1/prose/edit/src/tests-01-mndtr-37-date-and-time.md

@@ -9,9 +9,9 @@ The relevant path for this test is:
   /document/tracking/generator/date
   /document/tracking/initial_release_date
   /document/tracking/revision_history[]/date
+  /vulnerabilities[]/disclosure_date
   /vulnerabilities[]/discovery_date
   /vulnerabilities[]/flags[]/date
-  /vulnerabilities[]/release_date
   /vulnerabilities[]/involvements[]/date
   /vulnerabilities[]/remediations[]/date
   /vulnerabilities[]/threats[]/date

csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md

@@ -0,0 +1,44 @@
+### Inconsistent Disclosure Date
+
+For each vulnerability, it MUST be tested that the `disclosure_date` is earlier or equal to the `date` of the newest item of the `revision_history`
+if the document is labeled `TLP:CLEAR` and the document status is `final` or `interim`.
+As the timestamps might use different timezones, the sorting MUST take timezones into account.
+
+The relevant path for this test is:
+
+```
+    /vulnerabilities[]/disclosure_date
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "document": {
+    // ...
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    // ...
+    "tracking": {
+      // ...
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      // ...
+    }
+  },
+  "vulnerabilities": [
+    {
+      "disclosure_date": "2024-02-24T10:00:00.000Z"
+    }
+  ]
+```
+
+> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the date of newest item in the `revision_history`.