Merge pull request #1325 from tschmidtb51/add-csaf-rvisc-id-updater

tschmidtb51 · web-flow · commit ac50d6eae736 · 2026-02-26T10:45:56.000+01:00
Add CSAF RVISC ID Updater
diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json
@@ -368,6 +368,7 @@
   "9.1.23": "conformance-clause-23-csaf-downloader",
   "9.1.24": "conformance-clause-24-csaf-withdrawer",
   "9.1.25": "conformance-clause-25-csaf-superseder",
+  "9.1.26": "conformance-clause-25-csaf-rvisc-id-updater",
   "Appendix A.": "acknowledgments",
   "Appendix B.": "revision-history",
   "Appendix C.": "guidance-on-the-size-of-csaf-documents",
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
@@ -56,6 +56,7 @@ The entities ("conformance targets") for which this document defines requirement
 * **CSAF Downloader**: A program that retrieves CSAF Documents in an automated fashion.
 * **CSAF Withdrawer**: A CSAF Post-Processor that transforms a given CSAF into a Withdrawn one.
 * **CSAF Superseder**: A CSAF Post-Processor that transforms a given CSAF into a Superseded one.
+* **CSAF RVISC ID Updater**: A CSAF Post-Processor that updates vulnerability IDs in a given CSAF based on the entries in [cite](#RVISC).
 
 ### Conformance Clause 1: CSAF Document
 
@@ -1106,4 +1107,31 @@ A program satisfies the "CSAF Superseder" conformance profile if the program:
 
 > A tool MAY implement an option to additionally remove any element that would hinder the production of a valid CSAF.
 
+### Conformance Clause 26: CSAF RVISC ID Updater
+
+A program satisfies the "CSAF RVISC ID Updater" conformance profile if the program fulfills the two following groups of requirements:
+
+The program:
+
+* satisfies the "CSAF Post-Processor" conformance profile.
+* applies the corresponding assignment from [cite](#RVISC-M) to each item in `/vulnerabilities[]/ids[]`
+  whose `system_name` is not contained in [cite](#RVISC-R).
+* applies the corresponding assignment from [cite](#RVISC-M) to each item in `/vulnerabilities[]/ids[]`
+  whose `system_name` is contained in [cite](#RVISC-R) but the `text` does not conform the entry.
+* satisfies the normative requirements given below.
+
+The program MUST provide the following options:
+
+* an option to insert an automatically generated revision history entry detailing the changes applied and
+  make necessary updates to elements in `/document/tracking` (commit mode).
+* an option to set selected or all parameters for the commit mode manually which take precedence over the automated generated values.
+* an option to do a dry-run which does not apply the changes but just displays them.
+* an option to interactively accept or discard changes.
+* an option to ignore certain values for `system_name`.
+* an option to output all items in `/vulnerabilities[]/ids[]` whose `system_name` is not contained in [cite](#RVISC-R).
+* an option to output all items in `/vulnerabilities[]/ids[]` whose `system_name` is contained in [cite](#RVISC-R)
+  but the `text` does not conform the entry.
+* an option to map an existing `system_name` to a new value or apply a transformation to a `text`
+  based on the `system_name` value and a `precondition`.
+
 -------
diff --git a/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md b/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md
@@ -86,6 +86,9 @@ required by CSAF Management System as well as matching them to SBOM components o
 CSAF Producer
 :    program that emits output in the CSAF format.
 
+CSAF RVISC ID Updater
+:    A CSAF Post-Processor that updates vulnerability IDs in a given CSAF based on the entries in RVISC.
+
 CSAF Superseder
 :    A CSAF Post-Processor that transforms a given CSAF into a superseded one.
 
diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -109,7 +109,10 @@ RVISC
 :    _Registry for Vulnerability ID Systems for CSAF (RVISC)_, Part of the OASIS CSAF TC Registry, <https://registry.csaf.dev/id/>.
 
 RVISC-M
-:    _Mapping for RVISC_, Mapping Part of the OASIS CSAF TC Registry, <https://registry.csaf.dev/id/mapping/>.
+:    _Mapping for RVISC_, RVISC Mapping Part of the OASIS CSAF TC Registry, <https://registry.csaf.dev/id/mapping/>.
+
+RVISC-R
+:    _Registry for RVISC_, RVISC Registry Part of the OASIS CSAF TC Registry, <https://registry.csaf.dev/id/registry/>.
 
 SCAP12
 :    _The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2_, D. Waltermire, S. Quinn, K. Scarfone, A. Halbardier, Editors, NIST Spec. Publ. 800‑126 rev. 2, September 2011, <https://dx.doi.org/10.6028/NIST.SP.800-126r2>.
