Common Security Advisory Framework (CSAF) beta files now available

Red Hat Product Security is pleased to announce that a new security metadata offering, the Common Security Advisory Framework (CSAF), is now available in beta form. CSAF 2.0 is the successor to the Common Vulnerability Reporting Framework (CVRF) version 1.2, and contains many enhancements to the information provided in each CSAF file. Additionally, CSAF uses the JSON format instead of the XML format used by CVRF.

About CSAF

CSAF provides a structured, machine-readable way of representing information contained in security advisories. This design enables automated sharing of security information, based on a set of released errata.

For more information on the new CSAF files and all security metadata offerings, visit the Security Data page on the Red Hat Customer Portal. To view and download the beta version of the CSAF files, visit the Security Data CSAF Beta directory.

Although the data is published to the Red Hat Customer Portal, security metadata is freely available even if you do not have an active Red Hat subscription or an active Red Hat account. Developers of security scanning tools will likely find CSAF files most useful.

Due to CSAF being in beta at this time, the CSAF data may change in the future if we identify improvements or bugs that need to be fixed. These changes are not guaranteed to be backward-compatible, so you should not consume or rely on CSAF data in production yet.

The CSAF beta is designed to give users a chance to build integrations in non-production systems, test the data and confirm they can consume it successfully. The plan is to run the beta until the end of 2022. We will write another blog post when the CSAF data is ready for production, which will summarize any breaking changes from the beta period.

Because CSAF is a future replacement for CVRF, the CVRF data will eventually be deprecated. Immediately after the CSAF beta ends, we will begin publishing production-ready CSAF data and continue publishing CVRF data. 

Nine months after the CSAF beta ends, we will stop updating CVRF data and redirect all CVRF pages to the CVRF FAQ. The old CVRF data will remain available in an archived form.

Implementation details

CSAF files are published as JSON documents, while CVRF files are XML documents. Other than the format, most of the reported information is similar but with enhancements made according to the new CSAF specification.

The largest difference is for advisories that provide updates to RPM-based products, such as Red Hat Enterprise Linux (RHEL). When listing packages that were affected by a CVE, we now report information about architecture-specific binary RPMs instead of source RPMs that apply to all architectures. This change provides more detailed information about which package versions on which architectures are affected by particular CVEs.

Note that most of our CSAF files are "security advisories", which report information about fixed CVEs. However, some are "informational advisories" for end-of-life products and revoked SSL/TLS certificates. These do not include any CVEs, but do contain security-relevant information. An example is this Red Hat OpenShift 3.6 / 3.7 end-of-life notification, and its corresponding CSAF file.

As of May 18th, 2022, CSAF files are available for most Red Hat Security Advisories. CSAF files are also available for most Red Hat Bugfix / Enhancement Advisories which ship CVE fixes. For an explanation on the differences between the different advisory types, please see Explaining Red Hat Errata.

CSAF files are individual JSON documents, with a separate file for each advisory. 

Advisories are grouped by year in a simple directory listing, without registration requirements, to aid automatic downloading. Our CSAF documents are created automatically and should usually be accessible within an hour of a new advisory being made available via the Red Hat Customer Portal.

Because our CSAF documents are created and published automatically, they may contain errors or omissions.

At this time, Red Hat does not ship a CSAF parser. As CSAF is an open JSON standard, we expect third parties and customers will create their own parsers. Visit the OASIS CSAF website for more documentation as well as links to existing third-party tools.

Red Hat Security Advisories will continue to be available on the web, by email, and displayed via various in-product tools. The CSAF documents provide an alternative way to consume our security advisories which some customers and researchers may find useful.

More information

For more detailed information, including the full schema, visit the OASIS CSAF website. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of CSAF, contact Red Hat Product Security at secalert@redhat.com or file an issue in the SECDATA Jira project.