Usage

Examples for Verifications

Mandatory Rules from CSAF v2.0 CS01

$ turvallisuusneuvonta verify tests/fixtures/rules/invalid/upstream/6-1-01-01.json
using configuration ({})
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- undefined product ids
- invalid translator
$ turvallisuusneuvonta verify tests/fixtures/rules/invalid/upstream/6-1-02-01.json
using configuration ({})
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- invalid translator
- non-unique product ids
$ turvallisuusneuvonta verify tests/fixtures/rules/invalid/upstream/6-1-04-01.json
using configuration ({})
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- undefined group ids
- invalid translator
$ turvallisuusneuvonta verify tests/fixtures/rules/invalid/upstream/6-1-05-01.json
using configuration ({})
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- invalid translator
- non-unique group ids
$ turvallisuusneuvonta verify tests/fixtures/rules/invalid/upstream/6-1-15-01.json
using configuration ({})
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- invalid translator
$ turvallisuusneuvonta verify tests/fixtures/rules/invalid/upstream/6-1-26-01.json
using configuration ({})
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- invalid category
- invalid translator

Verification of Other Documents

$ turvallisuusneuvonta verify tests/fixtures/spam/advisory.json
using configuration ({})
OK
$ turvallisuusneuvonta verify tests/fixtures/a-game-log4j/some-vex-csaf-document.json
using configuration ({})
set of document.aggregate_severity properties only contains known properties
set of document.aggregate_severity properties is a proper subset of the known properties
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
advisory fails mandatory rules:
- undefined product ids
- invalid translator

General Use

Maybe not yet. But if:

$ turvallisuusneuvonta
Usage: turvallisuusneuvonta [OPTIONS] COMMAND [ARGS]...

  Security advisory (Finnish: turvallisuusneuvonta) audit tool.

Options:
  -V, --version  Display the turvallisuusneuvonta version and exit
  -h, --help     Show this message and exit.

Commands:
  verify   Answer the question if now is a working hour.
  version  Display the turvallisuusneuvonta version and exit

Asking for the version:

$ turvallisuusneuvonta version
Security advisory (Finnish: turvallisuusneuvonta) audit tool. version 2022.2.14

Minimal verification (WIP):

Succeeding with advisory (lacking any product or vulnerabilit information):

$ turvallisuusneuvonta verify tests/fixtures/example-com/example-com-123.json || echo "FAIL"
using configuration ({})
set of properties of document.acknowledgments[0] only contains known properties
set of document.aggregate_severity properties only contains known properties
set of document.aggregate_severity properties is a proper subset of the known properties
set of document properties only contains known properties
set of document properties is a proper subset of the known properties
OK

Empty object:

$ turvallisuusneuvonta verify tests/fixtures/empty/advisory.json || echo "FAIL"
using configuration ({})
advisory is too short to be valid
FAIL

Failing top level mandatory elements:

$ turvallisuusneuvonta verify tests/fixtures/spam/advisory.json || echo "FAIL"
using configuration ({})
missing document property (status)
FAIL