CSAF 2.0

What is Common Security Advisory Framework Version 2.0

Pallavi Vishwakarma
July 3, 2023

Why do we need CSAF?

Handling a vulnerability on the operator side does not end when the issue has been reported and fixed: users are only protected once the corresponding update is actually installed. Because updating software can have significant side effects, a risk assessment beforehand is reasonable, and for that assessment the user needs all pertinent information about the vulnerability promptly and in a usable form. Until now, vendors and coordinating bodies have published security advisories, that is, human-readable security information, for this purpose.

Automated processing on the evaluating side is impossible or only partly feasible because advisories from different sources differ substantially in file format, structure, quality of content and presentation. Manual processing, on the other hand, ties up skilled staff with repetitive work. Hardware and software vendors therefore need a way to disclose security flaws that streamlines the process and lets users automate it.

What is CSAF?

The Common Security Advisory Framework (CSAF) is a standard for disclosing security vulnerabilities in a machine-readable format, so that software and hardware vendors, and their customers, can automate vulnerability evaluation.

CSAF 2.0 replaces the Common Vulnerability Reporting Framework (CVRF) version 1.2. It uses JSON instead of CVRF's XML, restructures and extends the information carried in each advisory, and introduces provider metadata that tells consumers where a publisher's advisories can be found.

How is CSAF Version 2.0 better?

Beyond the machine-readable advisory in JSON format, CSAF 2.0 also specifies the distribution mechanism and how new CSAF documents are published and found. It is the outcome of a global, cross-industry effort to standardize the reporting of security vulnerabilities. Software vendors and users can use it to update their vulnerability management and response workflows.

An automated system can filter and prioritize vulnerabilities according to the business value and exposure of the affected products. Because the review process is greatly accelerated, administrators can concentrate on managing risk and remediating vulnerabilities.
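As an added example, not code from the original post or from the OASIS CSAF project, the following Python shows the discovery side of CSAF 2.0: the three locations the specification defines for a publisher's provider-metadata.json (the well-known path, a CSAF field in the domain's security.txt, and the csaf.data.security DNS path) and a sanity check of that metadata before any of its distribution URLs are trusted. The domain, security.txt body and metadata document are constructed, the retrieval order is this example's own choice, and the required-field list is assumed to match the CSAF 2.0 provider JSON schema linked below; nothing is fetched from the network.

```python
from typing import List
from urllib.parse import urlparse

# Locations defined by CSAF 2.0 for finding a publisher's provider-metadata.json.
WELL_KNOWN_PATH = "/.well-known/csaf/provider-metadata.json"
DNS_PATH_PREFIX = "csaf.data.security."

# Fields the provider metadata schema requires (assumption: taken from the
# CSAF 2.0 provider_json_schema.json; re-check against the published schema).
REQUIRED_FIELDS = ("canonical_url", "last_updated", "list_on_CSAF_aggregators",
                   "metadata_version", "mirror_on_CSAF_aggregators", "publisher")

# Constructed inputs for a fictitious publisher (not a real domain or feed).
SAMPLE_SECURITY_TXT = (
    "Contact: mailto:security@example.invalid\n"
    "CSAF: https://example.invalid/security/csaf/provider-metadata.json\n"
)
SAMPLE_METADATA = {
    "canonical_url": "https://example.invalid/.well-known/csaf/provider-metadata.json",
    "last_updated": "2023-07-03T00:00:00Z",
    "list_on_CSAF_aggregators": True,
    "metadata_version": "2.0",
    "mirror_on_CSAF_aggregators": False,
    "publisher": {"category": "vendor", "name": "Example Vendor",
                  "namespace": "https://example.invalid"},
    # Plain http on purpose, so the check below has something to flag.
    "distributions": [{"directory_url": "http://example.invalid/csaf/"}],
}


def csaf_urls_from_security_txt(text: str) -> List[str]:
    """Return every value of a 'CSAF:' field in a security.txt body (RFC 9116)."""
    urls = []
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "csaf":
            urls.append(value.strip())
    return urls


def candidate_metadata_urls(domain: str, security_txt: str = "") -> List[str]:
    """Ordered, de-duplicated list of places to look for provider-metadata.json:
    the well-known URL, any CSAF fields from security.txt, then the DNS path.
    The order is this example's choice; the spec's retrieving rules govern."""
    urls = [f"https://{domain}{WELL_KNOWN_PATH}"]
    urls += csaf_urls_from_security_txt(security_txt)
    urls.append(f"https://{DNS_PATH_PREFIX}{domain}/")
    seen, ordered = set(), []
    for url in urls:
        if url not in seen:
            seen.add(url)
            ordered.append(url)
    return ordered


def provider_metadata_problems(meta: dict) -> List[str]:
    """Sanity-check a parsed provider-metadata.json before trusting it: required
    fields present, metadata_version is 2.0, canonical_url is an https URL to
    provider-metadata.json, and every directory or ROLIE feed URL is https."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in meta:
            problems.append(f"missing required field {field!r}")
    if meta.get("metadata_version") != "2.0":
        problems.append("metadata_version must be '2.0'")
    canonical = meta.get("canonical_url", "")
    if urlparse(canonical).scheme != "https" or not canonical.endswith("/provider-metadata.json"):
        problems.append("canonical_url must be an https URL ending in /provider-metadata.json")
    for dist in meta.get("distributions", []):
        feed_urls = [feed["url"] for feed in dist.get("rolie", {}).get("feeds", [])]
        for url in [dist.get("directory_url")] + feed_urls:
            if url and urlparse(url).scheme != "https":
                problems.append(f"non-https distribution URL {url!r}")
    return problems


if __name__ == "__main__":
    for url in candidate_metadata_urls("example.invalid", SAMPLE_SECURITY_TXT):
        print("try:", url)
    for problem in provider_metadata_problems(SAMPLE_METADATA):
        print("problem:", problem)
```

A consumer would fetch the first candidate that answers, run the checks above, and only then follow the distribution URLs (and verify the advisories' OpenPGP signatures, which this example does not cover).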

CSAF Details:

CSAF's product tree lets a vendor identify affected products more precisely than CVRF did. A vendor that distributes RPM packages, for example, no longer lists source RPMs that apply to all architectures, but the architecture-specific binary RPMs that are actually affected, so it becomes visible exactly which package versions and architectures a given CVE affects.

Each CSAF file is a separate JSON document, one per advisory.

The CSAF schema structures a document into three main classes of information:

  1. The frame, aggregation, and reference information of the document
  2. Product information considered relevant by the creator
  3. Vulnerability information and its relation to the products declared in 2.

Wherever possible, data is not repeated but linked through ID elements: a product is declared once in the product tree under a product_id, and the vulnerability section refers to it by that ID. The creator of such documents is therefore responsible for keeping the content consistent, for example linking each vulnerability to the right product.
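As an added example, not code from the original post or from the CSAF project, the following Python walks a constructed minimal CSAF 2.0 document along those three classes: it collects every product_id declared in the product_tree (inline branch products, full_product_names and relationships), verifies that each product_id referenced from a vulnerability's product_status, remediations and scores actually exists in the tree, and filters the known_affected products against an operator's own inventory, which is the prioritization step described earlier. The vendor, products, advisory ID and vulnerability are invented for illustration; one dangling product_id is included on purpose so the consistency check has something to report.

```python
import json
from typing import Dict, List, Set

# Constructed minimal CSAF 2.0 document; vendor, products and the
# vulnerability are fictitious and carry no real identifier.
SAMPLE_ADVISORY = {
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://example.invalid"},
        "title": "Constructed example advisory",
        "tracking": {"id": "EXAMPLE-2023-0001", "status": "final", "version": "1",
                     "initial_release_date": "2023-07-03T00:00:00Z",
                     "current_release_date": "2023-07-03T00:00:00Z"},
    },
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_name", "name": "Widget Server", "branches": [
                {"category": "product_version", "name": "1.0",
                 "product": {"product_id": "WS-1.0", "name": "Widget Server 1.0"}},
                {"category": "product_version", "name": "1.1",
                 "product": {"product_id": "WS-1.1", "name": "Widget Server 1.1"}},
            ]},
        ]}],
    },
    "vulnerabilities": [{
        "title": "Constructed example vulnerability",
        "product_status": {
            "known_affected": ["WS-1.0"],
            "fixed": ["WS-1.1"],
            # Dangling reference on purpose: no such product_id in the tree.
            "known_not_affected": ["WS-9.9"],
        },
        "remediations": [{"category": "vendor_fix", "details": "Update to 1.1",
                          "product_ids": ["WS-1.0"]}],
    }],
}

# The product_status lists a vulnerability may carry, each holding product_ids.
STATUS_KEYS = ("first_affected", "first_fixed", "fixed", "known_affected",
               "known_not_affected", "last_affected", "recommended",
               "under_investigation")


def collect_products(product_tree: dict) -> Dict[str, str]:
    """Map every product_id declared in the product tree to its display name.
    Products may be declared inline in nested branches, in the top-level
    full_product_names list, or as the result of a relationship."""
    found: Dict[str, str] = {}

    def add(fpn: dict) -> None:
        pid = fpn["product_id"]
        if pid in found:  # product_ids must be unique within a document
            raise ValueError(f"duplicate product_id {pid!r}")
        found[pid] = fpn["name"]

    def walk(branches: list) -> None:
        for branch in branches:
            if "product" in branch:
                add(branch["product"])
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    for fpn in product_tree.get("full_product_names", []):
        add(fpn)
    for rel in product_tree.get("relationships", []):
        add(rel["full_product_name"])
    return found


def check_references(advisory: dict) -> List[str]:
    """One message per product_id that a vulnerability references but the
    product_tree never declares; an empty list means all links resolve."""
    products = collect_products(advisory.get("product_tree", {}))
    errors: List[str] = []
    for idx, vuln in enumerate(advisory.get("vulnerabilities", [])):
        refs = []
        status = vuln.get("product_status", {})
        for key in STATUS_KEYS:
            refs += [(f"product_status.{key}", p) for p in status.get(key, [])]
        for r_idx, rem in enumerate(vuln.get("remediations", [])):
            refs += [(f"remediations[{r_idx}].product_ids", p) for p in rem.get("product_ids", [])]
        for s_idx, score in enumerate(vuln.get("scores", [])):
            refs += [(f"scores[{s_idx}].products", p) for p in score.get("products", [])]
        for where, pid in refs:
            if pid not in products:
                errors.append(f"vulnerabilities[{idx}].{where}: unknown product_id {pid!r}")
    return errors


def affected_in_inventory(advisory: dict, inventory: Set[str]) -> Dict[str, List[str]]:
    """For each vulnerability, the product_ids from `inventory` that the advisory
    marks as known_affected: the filter an operator applies before patching."""
    hits: Dict[str, List[str]] = {}
    for idx, vuln in enumerate(advisory.get("vulnerabilities", [])):
        label = vuln.get("cve") or vuln.get("title") or f"vulnerabilities[{idx}]"
        affected = vuln.get("product_status", {}).get("known_affected", [])
        matched = sorted(p for p in affected if p in inventory)
        if matched:
            hits[label] = matched
    return hits


if __name__ == "__main__":
    doc = SAMPLE_ADVISORY  # a real feed entry would be json.load(open(path))
    print(json.dumps(collect_products(doc["product_tree"]), indent=2))
    for problem in check_references(doc):
        print("consistency problem:", problem)
    print(json.dumps(affected_in_inventory(doc, {"WS-1.0", "WS-1.1"}), indent=2))
```

The reference check is the minimum a consumer should run before acting on an advisory: a product_id that resolves nowhere silently drops that product from any automated filtering, which is exactly the failure mode the ID-linking design makes the creator responsible for avoiding.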

You can access the specification and related files here:

Editable source: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.md (Authoritative)

HTML: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html

Pdf: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.pdf

JSON schemas: 

Aggregator: https://docs.oasis-open.org/csaf/csaf/v2.0/aggregator_json_schema.json

CSAF: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json

Provider: https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
