Red Hat Product Security is pleased to announce that a new security metadata offering, the Common Security Advisory Framework (CSAF), is now available in beta form. CSAF 2.0 is the successor to the Common Vulnerability Reporting Framework (CVRF) version 1.2, and contains many enhancements to the information provided in each CSAF file. Additionally, CSAF uses the JSON format instead of the XML format used by CVRF.
About CSAF
CSAF provides a structured, machine-readable way of representing information contained in security advisories. This design enables automated sharing of security information, based on a set of released errata.
For more information on the new CSAF files and all security metadata offerings, visit the Security Data page on the Red Hat Customer Portal. To view and download the beta version of the CSAF files, visit the Security Data CSAF Beta directory.
Although the data is published to the Red Hat Customer Portal, security metadata is freely available even if you do not have an active Red Hat subscription or an active Red Hat account. Developers of security scanning tools will likely find CSAF files most useful.
Because CSAF is currently in beta, the CSAF data may change in the future if we identify improvements or bugs that need to be fixed. These changes are not guaranteed to be backward-compatible, so you should not consume or rely on CSAF data in production yet.
The CSAF beta is designed to give users a chance to build integrations in non-production systems, test the data and confirm they can consume it successfully. The plan is to run the beta until the end of 2022. We will write another blog post when the CSAF data is ready for production, which will summarize any breaking changes from the beta period.
Because CSAF is a future replacement for CVRF, the CVRF data will eventually be deprecated. Immediately after the CSAF beta ends, we will begin publishing production-ready CSAF data and continue publishing CVRF data.
Nine months after the CSAF beta ends, we will stop updating CVRF data and redirect all CVRF pages to the CVRF FAQ. The old CVRF data will remain available in an archived form.
Implementation details
CSAF files are published as JSON documents, while CVRF files are XML documents. Other than the format, most of the reported information is similar but with enhancements made according to the new CSAF specification.
The largest difference is for advisories that provide updates to RPM-based products, such as Red Hat Enterprise Linux (RHEL). When listing packages that were affected by a CVE, we now report information about architecture-specific binary RPMs instead of source RPMs that apply to all architectures. This change provides more detailed information about which package versions on which architectures are affected by particular CVEs.
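As an added example (not Red Hat's code; the document it parses is constructed, not a real advisory), the following Python walks a CSAF 2.0 product_tree and groups each CVE's fixed entries by the architecture recorded in the binary RPM's purl. The field names (product_tree.branches, relationships, product_identification_helper.purl, product_status.fixed) follow the OASIS CSAF 2.0 schema; the vendor, product IDs, package name and CVE/advisory numbers are placeholders.

```python
from urllib.parse import parse_qs, urlsplit
def _rpm(pkg, ver, arch):
    """Constructed product_version branch for one binary RPM, with its purl."""
    nevra = f"{pkg}-0:{ver}.{arch}"
    return {"category": "product_version", "name": nevra, "product": {
        "product_id": nevra, "product_identification_helper": {
            "purl": f"pkg:rpm/example/{pkg}@{ver}?arch={arch}"}}}

def _rel(component, product):
    """Constructed default_component_of relationship: RPM shipped in a product."""
    return {"category": "default_component_of", "product_reference": component,
            "relates_to_product_reference": product, "full_product_name": {
                "product_id": f"{product}:{component}", "name": f"{component} in {product}"}}

# Constructed CSAF 2.0 document: field names follow the OASIS schema, all IDs are made up.
SAMPLE_CSAF = {
    "document": {"category": "csaf_security_advisory", "tracking": {"id": "RHSA-0000:0000"}},
    "product_tree": {
        "branches": [{"category": "vendor", "name": "ExampleVendor", "branches": [
            {"category": "product_name", "name": "Example OS 9", "product": {"product_id": "OS-9"}},
            {"category": "architecture", "name": "x86_64", "branches": [_rpm("pkg", "1.0-2", "x86_64")]},
            {"category": "architecture", "name": "aarch64", "branches": [_rpm("pkg", "1.0-2", "aarch64")]}]}],
        "relationships": [_rel("pkg-0:1.0-2.x86_64", "OS-9"), _rel("pkg-0:1.0-2.aarch64", "OS-9")]},
    "vulnerabilities": [{"cve": "CVE-0000-0000", "product_status": {
        "fixed": ["OS-9:pkg-0:1.0-2.x86_64", "OS-9:pkg-0:1.0-2.aarch64"]}}]}

def index_purls(tree):
    """Map every product_id in product_tree to its purl (None when the entry has none)."""
    purls, stack = {}, list(tree.get("branches", []))
    while stack:                       # depth-first walk over nested branches
        branch = stack.pop()
        if "product" in branch:
            prod = branch["product"]
            purls[prod["product_id"]] = prod.get("product_identification_helper", {}).get("purl")
        stack.extend(branch.get("branches", []))
    # "X as a component of Y" entries are created by relationships and keep X's purl.
    for rel in tree.get("relationships", []):
        purls[rel["full_product_name"]["product_id"]] = purls.get(rel["product_reference"])
    return purls

def fixed_rpms_by_arch(doc):
    """For each CVE, group the fixed product_ids by the arch qualifier of their RPM purl."""
    purls, result = index_purls(doc.get("product_tree", {})), {}
    for vuln in doc.get("vulnerabilities", []):
        by_arch = result.setdefault(vuln["cve"], {})
        for pid in vuln.get("product_status", {}).get("fixed", []):
            purl = purls.get(pid)
            arch = parse_qs(urlsplit(purl).query).get("arch", ["unknown"])[0] if purl else "unknown"
            by_arch.setdefault(arch, []).append(pid)
    return result
```

Entries whose product_id cannot be resolved to a purl land in an "unknown" bucket rather than being dropped, so a consumer can see when a document's product_tree and product_status disagree.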
Note that most of our CSAF files are "security advisories", which report information about fixed CVEs. However, some are "informational advisories" for end-of-life products and revoked SSL/TLS certificates. These do not include any CVEs, but do contain security-relevant information. An example is this Red Hat OpenShift 3.6 / 3.7 end-of-life notification, and its corresponding CSAF file.
As of May 18th, 2022, CSAF files are available for most Red Hat Security Advisories. CSAF files are also available for most Red Hat Bugfix / Enhancement Advisories which ship CVE fixes. For an explanation of the differences between the advisory types, please see Explaining Red Hat Errata.
CSAF files are individual JSON documents, with a separate file for each advisory.
Advisories are grouped by year in a simple directory listing, without registration requirements, to aid automatic downloading. Our CSAF documents are created automatically and should usually be accessible within an hour of a new advisory being made available via the Red Hat Customer Portal.
Because our CSAF documents are created and published automatically, they may contain errors or omissions.
At this time, Red Hat does not ship a CSAF parser. As CSAF is an open JSON standard, we expect third parties and customers will create their own parsers. Visit the OASIS CSAF website for more documentation as well as links to existing third-party tools.
Red Hat Security Advisories will continue to be available on the web, by email, and displayed via various in-product tools. The CSAF documents provide an alternative way to consume our security advisories which some customers and researchers may find useful.
More information
For more detailed information, including the full schema, visit the OASIS CSAF website. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of CSAF, contact Red Hat Product Security at secalert@redhat.com or file an issue in the SECDATA Jira project.