Hello people involved in distros and/or CVEs! Is CSAF something you care about? Should projects such as #curl bother about it and perhaps even provide CVE data in this format?
Seth Larson
in reply to daniel:// stenberg://
Marcus Meissner
in reply to daniel:// stenberg://
CSAF VEX format is one of the VEX formats the industry currently wants to have as an interchange format.
So I would say yes, generating and providing CSAF VEX seems a good idea.
(I am currently overseeing the 76000 CSAF files for SUSE.)
Friedrich Delgado ✔️🎀
in reply to daniel:// stenberg://
I've asked at work as I remember we have one or two projects consuming CSAF, but tomorrow is a public holiday in our part of Germany and I guess there won't be an answer before next week. 😄
(I'm personally not working with CVEs any more.)
(My guess is that it would be useful.)
Jens Wiesner
in reply to daniel:// stenberg://
Community Days 2025
www.csaf.io
Cedric 🏴
in reply to daniel:// stenberg://
As you might probably know it is often used to communicate full security advisory details in a structured way. And it can reference several CVEs.... Maybe it's interesting for curl. And since curl is already a CNA, why not publish a CSAF feed.
At @circl we are maintaining Vulnerability-Lookup and we already monitor several CSAF feeds (Cisco, @bsi, Red Hat, etc). The interesting thing is that we correlate automatically with the CVE.
For example:
vulnerability.circl.lu/recent#…
Recent vulnerabilities - Vulnerability-Lookup
vulnerability.circl.lu
daniel:// stenberg://
in reply to Cedric 🏴
Cedric 🏴
in reply to daniel:// stenberg://
And I think the quality of the advisories of the curl project as a CNA is already high. I am currently checking various advisories related to curl. I like this kind of page: curl.se/docs/CVE-2025-10148.ht…
curl - predictable WebSocket mask - CVE-2025-10148
curl.se
Jens Wiesner
in reply to daniel:// stenberg://
PS: CVSS is not mandatory, you can use aggregated_severity or, in the upcoming CSAF 2.1, qualitative_severity_rating 😉
Common Security Advisory Framework Version 2.0
docs.oasis-open.org
BSI
in reply to daniel:// stenberg://
Great that you are considering #CSAF. We think that CSAF is a gamechanger: CSAF works for open source as well as closed source, hardware, specifications etc. - basically anything you can think of writing a security advisory or #VEX for.
Supply Chain Security: No one can secure single-handed - everyone is needed. A single format: You can profit from the upstream CSAFs, your downstream users profit from your CSAFs.
(1/2)
BSI
in reply to BSI
However, it's the classic chicken-egg problem: Why should I start? The answer is: #curl is a mature project and can lead the way.
We are happy to help you and others get started. Feel free to reach out to our #CSAF team at csaf@bsi.bund.de.
(2/2)
daniel:// stenberg://
in reply to BSI
@bsi we're entirely open source and so is our website and the tools generating the content on the site, so anyone can step forward and contribute a CSAF format generator.
The OSV JSON generator script is a Perl thing that looks like this: github.com/curl/curl-www/blob/…
curl-www/docs/vuln2json.pl at master · curl/curl-www
GitHub
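Since the thread asks for a CSAF generator to sit beside vuln2json.pl, here is an added Python sketch (not curl-www code and not the curl project's own) of what such a generator would emit and what a consumer like Vulnerability-Lookup checks: a minimal CSAF 2.0 advisory that uses document.aggregate_severity (the CSAF 2.0 spelling of the field Jens Wiesner mentions) instead of CVSS, a structural check, and the CVE-to-advisory correlation Cedric describes. The publisher, product and advisory ids are constructed sample values.

```python
import re
from datetime import datetime, timezone
CVE_ID = re.compile(r"^CVE-[0-9]{4}-[0-9]{4,}$")  # pattern CSAF 2.0 requires for /vulnerabilities[]/cve

def build_advisory(advisory_id, title, cves, product_id, product_name, severity):
    """Return a minimal CSAF 2.0 security advisory as a dict. One document can
    carry several vulnerabilities (one per CVE); severity is expressed through
    document.aggregate_severity rather than per-vulnerability CVSS scores."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "title": title,
            # Publisher identity is constructed sample data, not curl's.
            "publisher": {"category": "vendor", "name": "Example Project",
                          "namespace": "https://example.invalid"},
            "aggregate_severity": {"text": severity},
            "tracking": {"id": advisory_id, "status": "final", "version": "1",
                         "initial_release_date": now, "current_release_date": now,
                         "revision_history": [{"date": now, "number": "1",
                                               "summary": "Initial release"}]},
        },
        "product_tree": {"full_product_names": [
            {"product_id": product_id, "name": product_name}]},
        "vulnerabilities": [
            {"cve": cve, "product_status": {"known_affected": [product_id]}}
            for cve in cves],
    }

def check_advisory(doc):
    """Consumer-side sanity checks before indexing a feed: every CVE id is
    well-formed and every product_status entry resolves in the product_tree."""
    known = {p["product_id"] for p in doc["product_tree"]["full_product_names"]}
    problems = []
    for vuln in doc["vulnerabilities"]:
        if not CVE_ID.match(vuln.get("cve", "")):
            problems.append(f"bad cve id: {vuln.get('cve')!r}")
        for status, ids in vuln.get("product_status", {}).items():
            problems += [f"{status}: unknown product_id {p}" for p in ids if p not in known]
    return problems

def index_by_cve(feed):
    """Map CVE id -> advisory ids across a feed, the correlation a lookup service does."""
    index = {}
    for doc in feed:
        for vuln in doc["vulnerabilities"]:
            index.setdefault(vuln["cve"], []).append(doc["document"]["tracking"]["id"])
    return index
```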