Skip to main content

Converts CVRF XML documents to CSAF JSON documents

Project description

CVRF-CSAF-Converter

Introduction

CVRF-CSAF-converter is a Python tool for converting CSAF CVRF 1.2 documents in CSAF 2.0 documents. It fulfills the conformance target CVRF CSAF converter.

Note: The project is currently still under development. Not all features have been implemented and therefore the conformance goal is not yet fulfilled.

Getting started

Ensure that you have installed python3 (version >= 3.6), python3-pip and python3-venv.

Assume your current directory is also avaliable at the environment variable $ROOT_DIR.

Check out the repository and navigate to the working directory.

   git clone https://github.com/csaf-tools/CVRF-CSAF-Converter.git
   cd CVRF-CSAF-Converter

Afterwards, create a virtual environment and install the package there:

   python3 -m venv venv
   . venv/bin/activate
   pip install .

Hint: If you would like to get the debugger running, try to install the code as follows: pip install -e .

How to use CVRF-CSAF-converter

Usage as CLI tool

To convert the CVRF CSAF 1.2 document $ROOT_DIR/CVRF-CSAF-Converter/examples/1.2/cvrf_example_a.xml use the following command:

   cvrf2csaf --input-file $ROOT_DIR/CVRF-CSAF-Converter/examples/1.2/cvrf_example_a.xml

The default output directory is ./, it can be set using --output-dir.

The output filename is derived from the CSAF field /document/tracking/id.

If there is an ERROR during conversion, the output file will not be written unless --force option is used.

The rest of the options can be shown with:

   cvrf2csaf -h

Config

The config file is installed inside the Python package. For the installation using venv, the config file is located in $PATH_TO_THE_VENV/lib/python3.X/site-packages/cvrf2csaf/config/config.yaml. When installing the PyPI package with pip (--user), the config file is located in $HOME/.local/lib/python3.X/site-packages/cvrf2csaf/config/config.yaml Converter options can be changed there, or overridden by command line arguments/options.

Specifications

We follow the official OASIS specifications in order to provide as much acceptance on the user base as possible.

Developing CVRF-CSAF-converter

Developer Guide, Architecture and Technical Design

The converter uses lxml.objectify to parse the whole input document.

Parsing and conversion of the following CSAF CVRF 1.2 XML elements are handled by separate section handlers. These section handlers process the elements recursively (converting also all their sub-elements). These elements are the direct children of the root XML element (<cvrfdoc>).

Vulnerability handler is reusing Acknowledgments, References and Notes handlers for its child elements.

Each of these section handlers is implemented by own class inheriting from SectionHandler class. This base class contains _process_mandatory_elements and _process_optional_elements methods which are parsing and converting mandatory/optional elements/attributes. Each subclass must implement these methods.

SectionHandler class holds error_occurred class variable. This variable is overwritten by any children class in case some error resulting in invalid output json happened. Depending on --force commandline parameter, the program either quits with error log message without producing output or produce invalid output and warning log message.

Complete conversion together with input and output validation against schemata is handled by the DocumentHandler class.

Security Considerations

These are the TOP OWASP categories of vulnerabilities which potentially affect the CVRF-CSAF-Converter. We are omitting those which do not apply (most of them), since it's a plain command-line tool (e.g. authentication failures)

A03:2021 – Injection

The XML input for the converter is strictly validated for CSAF CVRF 1.2. The converter rejects invalid inputs.

However, there is a known issue for inserting HTML with code/script, which could be executed by a CSAF consumer: Encode HTML in JSON output

A06:2021 - Vulnerable and Outdated Components

A CodeQL action is set in this project to spot vulnerabilities in 3rd party libraries. Especially the lxml library can be susceptible.

A4:2017 - XML External Entities (XXE)

XXE vulnerability present in releases <1.0.0rc2 was fixed in this commit

CVE report: https://nvd.nist.gov/vuln/detail/CVE-2022-27193

Contributing

Please refer to CONTRIBUTING.md for details about how to contribute to the development of CVRF-CSAF-converter.

Project

CVRF-CSAF-Converter is a project between Deutsche Telekom Security GmbH and the Federal Office for Information Security. It aims to provide a CVRF 1.x to CSAF 2.0 converter.

Realization is taking place 100% Open Source. The final delivery will be in Q1/2022.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cvrf2csaf-1.0.0.tar.gz (271.5 kB view details)

Uploaded Source

File details

Details for the file cvrf2csaf-1.0.0.tar.gz.

File metadata

  • Download URL: cvrf2csaf-1.0.0.tar.gz
  • Upload date:
  • Size: 271.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.25.0 requests-toolbelt/0.9.1 urllib3/1.26.3 tqdm/4.60.0 importlib-metadata/4.11.1 keyring/18.0.1 rfc3986/2.0.0 colorama/0.4.3 CPython/3.8.10

File hashes

Hashes for cvrf2csaf-1.0.0.tar.gz
Algorithm Hash digest
SHA256 40ee32cfeb4b5f403f332f00ab09c7c8ce5ea5e28fc77f382f61c3ff434001e3
MD5 e4b0453fe4a54844252eb89bdf2c7527
BLAKE2b-256 2bf419853493c84d0829e15f306b3f2643e430028e27e365caf7377d4a15b1f2

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page