{"id":18638507,"url":"https://github.com/anthonyharrison/csaf","last_synced_at":"2025-06-12T04:14:33.488Z","repository":{"id":64508521,"uuid":"574621238","full_name":"anthonyharrison/csaf","owner":"anthonyharrison","description":"CSAF generator and validator","archived":false,"fork":false,"pushed_at":"2024-10-16T07:25:37.000Z","size":72,"stargazers_count":6,"open_issues_count":4,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-15T05:09:41.321Z","etag":null,"topics":["csaf","devsecops","sbom","security","vex","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anthonyharrison.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["anthonyharrison"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2022-12-05T17:59:31.000Z","updated_at":"2025-01-31T14:07:48.000Z","dependencies_parsed_at":"2024-11-07T05:42:19.840Z","dependency_job_id":"3bd06ae3-f9bf-4ac0-87bf-5fee725eefa5","html_url":"https://github.com/anthonyharrison/csaf","commit_stats":{"total_commits":22,"total_committers":2,"mean_commits":11.0,"dds":0.09090909090909094,"last_synced_commit":"dd8645f8db81152dae62339fb6243df15a79c188"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/anthonyharrison/csaf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fcsaf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fcsaf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fcsaf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fcsaf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anthonyharrison","download_url":"https://codeload.github.com/anthonyharrison/csaf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fcsaf/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259395459,"owners_count":22850833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csaf","devsecops","sbom","security","vex","vulnerabilities"],"created_at":"2024-11-07T05:42:11.650Z","updated_at":"2025-06-12T04:14:33.444Z","avatar_url":"https://github.com/anthonyharrison.png","language":"Python","funding_links":["https://github.com/sponsors/anthonyharrison"],"categories":[],"sub_categories":[],"readme":"# CSAF-Tool\n\nThe CSAF-Tool generates a [CSAF 2.0 file](https://www.csaf.io) including product tree and vulnerabilities associated with products\nspecified in the product tree. It can also be used to generate a human-readable output of a CSAF document.\n\n## Installation\n\nTo install use the following command:\n\n`pip install csaf-tool`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```\nusage: csaf-tool [-h] [-g] [-i INPUT_FILE] [-p PRODUCT] [-v VULNERABILITIES] [-t TITLE] [--header HEADER] [--id ID] [-C CONFIG] [-o OUTPUT_FILE] [-V]\n\nCSAF-tool generates a CSAF 2.0 file including product tree and vulnerabilities associated with products specified in the product tree.\n\noptions:\n  -h, --help            show this help message and exit\n  -C CONFIG, --config CONFIG\n                        name of config file\n  -V, --version         show program's version number and exit\n\nInput:\n  -g, --generate        generate CSAF file\n  -i INPUT_FILE, --input-file INPUT_FILE\n                        CSAF filename to be analysed\n  -p PRODUCT, --product PRODUCT\n                        product tree\n  -v VULNERABILITIES, --vulnerabilities VULNERABILITIES\n                        list of vulnerabilities\n  -t TITLE, --title TITLE\n                        CSAF title\n  --header HEADER       CSAF heading\n  --id ID               CSAF document identifier\n\n\nOutput:\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        CSAF filename\n```\n\n## Operation\n\nThe CSAF tool can be used as a command line tool to generate or analyse a CSAF document. It can also be used as a Python library\nto programmatically generate a CSAF document.\n\n### CSAF Generation using command line\n\nThe `--generate` option is used to indicate that a CSAF file is to be produced.\n\nThe following parameters are mandatory:\n\n1. The `--product` option is used to specify the products to be included in the CSAF product tree. The file\nis a CSV file and consists of one entry per line per product which specifies the product name, the name of the vendor and the release.\nMultiple releases of a product should be specified as separate entries. The first line of the file contains the\nheader `product,vendor,release`. The following is an example product file.\n\n```\nproduct,vendor,release\nproduct_1,AVendor,1.1\nproduct_1,AVendor,1.2\nproduct_1,AVendor,2.0\nproduct_2,AVendor1,1\nproduct_3,AVendor,2022H2\n\n```\n\n2. The `--vulnerabilities` option is used to specify the vulnerabilities to be included in the CSAF document. The file\nis a CSV file and consists of one entry per line per vulnerability which specifies the product name, the release of the product,\nthe identity of the vulnerability (e.g. CVE number), a brief description of the vulnerability, the status of the vulnerability (one of\n\"mitigation\", \"no_fix_planned\", \"none_available\", \"vendor_fix\" or \"workaround\") and an associated comment. Multiple vulnerabilities for a product should be specified as separate entries. The first line of the file contains the\nheader `product,release,id,description,status,comment`. The following is an example vulnerabilities file.\n\n```\nproduct,release,id,description,status,comment\nproduct_1,1.1,CVE-2020-1234,This is a simple description,vendor_fix,Customers should upgrade to the latest version of the product\nproduct_1,1.1,CVE-2020-9876,This is another vulnerabilty description,none_available,Still under investigation\n```\n\n3. The `--output-file` option is used to specify the filename for the generated CSAF document.\n\nThe `--header` option is used to specify a title for the document generated by the tool. It is recommended that this is\nsufficiently unique to distinguish it from similar documents.\n\nThe `--title` option is used to provide a brief summary note of the document generated by the tool.\n\nThe `--id` option is used to provide a unique document identifier for the document. If this is not provided a default\nidentifier of _**CSAF-Document-YYYYMMDDHHMMSS**_ is used.\n\nThe `--config` option is used to specify the [configuration file](#configuration-file) to be used.\nThis is required when the  `--generate` option is specified and is used to specify static information included\nin the CSAF document. If this is not specified, a default filename of _**csaf.ini**_ in the current directory shall be assumed.\nIf the filename cannot be found, default values shall be used in the generation of the document.\n\nExample usage:\n\n```\ncsaf-tool --generate --product product.csv --vulnerabilities vulnerability.csv --id \"Avendor-advisory-0004\" --title \"Technical summary\" --header \"Product backdoor identified\" --output-file \"test-csaf.json\"\n```\n\nThere is no output unless an error is detected due to missing parameters e.g.\n\n```\n[ERROR] Vulnerabilties filename not specified\n```\n\n#### Configuration File\n\nA configuration file is used to specify a number of fixed parameters to be used in the generation of the CSAF document. The following is an example file.\n\n```\n# CSAF configuration file\n[publisher]\n# This is a comment which is ignored\ncategory = vendor\nname = Organisation\nurl = https://psirt.example.com\n```\n\nComments are indicated by lines starting with '#'. All content is ignored.\n\nThe options are grouped into a single section **publisher**.\n\nThe following options are supported:\n\n- *category* is used to specify the type of organisation publishing the CSAF document. Valid values for this are\n\"coordinator\", \"discoverer\", \"other\", \"translator\", \"user\" or \"vendor\"\n\n- *name* is used to specify the name of organisation publishing the CSAF document.\n\n- *url* is used to specify a URL under the control of the organisation publishing the CSAF document.\n\n\n### CSAF Analysis using command line\n\nThe `--input-file` option is used to specify the name of the CSAF document to be analysed by the tool.\n\nOther parameters will be ignored.\n\nExample usage:\n\n```\ncsaf-tool --input-file test_pv.json\n```\n\nSample output\n\n```\n                                                                                                                                             1 ⨯\n╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ CSAF HEADER                                                                                                                                                                                │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Item                            ┃ Details                                ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ CSAF Version                    │ 2.0                                    │\n│ Title                           │ Product backdoor identified            │\n│ Category                        │ csaf_vex                               │\n│ Date                            │ 2022-12-09T15-58-39Z                   │\n│ Technical summary               │ Auto generated CSAF document           │\n│ Publisher                       │ Organisation https://psirt.example.com │\n│ Generator                       │ csaf-tool version 0.1.0                │\n│ Id                              │ CSAF-Document-20221209155839           │\n│ Revision 1 2022-12-09T15-58-39Z │ Initial version                        │\n│ Status                          │ final                                  │\n│ Version                         │ 1                                      │\n└─────────────────────────────────┴────────────────────────────────────────┘\n╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ PRODUCT TREE                                                                                                                                                                               │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n┏━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┓\n┃ Family ┃ Product   ┃ Vendor   ┃ Release ┃\n┡━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━┩\n│        │ product_1 │ AVendor  │ 1.1     │\n│        │ product_1 │ AVendor  │ 1.2     │\n│        │ product_1 │ AVendor  │ 2.0     │\n│        │ product_2 │ AVendor1 │ 1       │\n│        │ product_3 │ AVendor  │ 2022H2  │\n└────────┴───────────┴──────────┴─────────┘\n╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ VULNERABILITIES                                                                                                                                                                            │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ VULNERABILITY CVE-2020-1234                                                                                                                                                                │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Item            ┃ Details                      ┃\n┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ CVE ID          │ CVE-2020-1234                │\n│ CVE description │ This is a simple description │\n└─────────────────┴──────────────────────────────┘\n\nKNOWN_AFFECTED\n--------------\n\n┏━━━━━━━━━━━┳━━━━━━━━━┓\n┃ Product   ┃ Release ┃\n┡━━━━━━━━━━━╇━━━━━━━━━┩\n│ product_1 │ 1.1     │\n└───────────┴─────────┘\n\nRemediations\n------------\n\nVENDOR_FIX                               : Customers should upgrade to the latest version of the product\n┏━━━━━━━━━━━┳━━━━━━━━━┓\n┃ Product   ┃ Release ┃\n┡━━━━━━━━━━━╇━━━━━━━━━┩\n│ product_1 │ 1.1     │\n└───────────┴─────────┘\n╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ VULNERABILITY CVE-2020-9876                                                                                                                                                                │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Item            ┃ Details                                  ┃\n┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ CVE ID          │ CVE-2020-9876                            │\n│ CVE description │ This is another vulnerabilty description │\n└─────────────────┴──────────────────────────────────────────┘\n\nKNOWN_AFFECTED\n--------------\n\n┏━━━━━━━━━━━┳━━━━━━━━━┓\n┃ Product   ┃ Release ┃\n┡━━━━━━━━━━━╇━━━━━━━━━┩\n│ product_1 │ 1.1     │\n└───────────┴─────────┘\n\nRemediations\n------------\n\nNONE_AVAILABLE                           : Still under investigation\n┏━━━━━━━━━━━┳━━━━━━━━━┓\n┃ Product   ┃ Release ┃\n┡━━━━━━━━━━━╇━━━━━━━━━┩\n│ product_1 │ 1.1     │\n└───────────┴─────────┘\n```\n\nAn error message is reported if the specified file is not found.\n\n```\n[ERROR] CSAF filename not found\n```\n\n### CSAF Generation using the csaf library\n\nThe following example shows the generation of a CSAF document.\n\n```\nfrom csaf.generator import CSAFGenerator\n\ncsaf_gen = CSAFGenerator(\"csaf.ini\")\n# Define header information\ncsaf_gen.set_title(\"Test CSAF document\")\ncsaf_gen.set_header_title(\"Example VEX Document Use Case 1 - Affected\")\n\n# Define product tree\ncsaf_gen.add_product(product_name = \"product1\", vendor = \"Avendor\", release = 1 )\ncsaf_gen.add_product(product_name = \"product1\", vendor = \"Avendor\", release = 2 )\ncsaf_gen.add_product(product_name = \"product1\", vendor = \"Avendor\", release = 3 )\ncsaf_gen.add_product(product_name = \"product2\", vendor = \"Avendor1\", release = 1.0 )\ncsaf_gen.add_product(product_name = \"product2\", vendor = \"Avendor1\", release = 1.1 )\ncsaf_gen.add_product(product_name = \"product3\", vendor = \"Avendor\", release = 1 )\ncsaf_gen.add_product(product_name = \"product3\", vendor = \"Avendor\", release = 2 )\ncsaf_gen.add_product(product_name = \"product3\", vendor = \"Avendor\", release = 3 )\n\n# Add vulnerabilities \ncsaf_gen.add_vulnerability(product_name = \"product2\", release = 1.1, id=\"CVE-2020-1234\", description=\"A simple example\", status=\"vendor_fix\", comment=\"Upgrade product to latest version.\")\ncsaf_gen.add_vulnerability(product_name = \"product2\", release = 1.1, id=\"CVE-2020-9876\", description=\"Another simple example\", status=\"none_available\", comment=\"Still under review.\")\n\n# Generate the CSAF\ncsaf_gen.generate_csaf()\n# And publish to file\ncsaf_gen.publish_csaf(\"test_csaf.json\")\n```\n\n### CSAF Analysis using the csaf library\n\nThe following code sample can be used to analyse a CSAF file. It can be used to confirm that the CSAF file conforms with the CSAF specification\n\n```\nfrom csaf.analyser import CSAFAnalyser\n\ntry:\n    csaf_filename = \"test_csaf.json\"\n    csaf = CSAFAnalyser(csaf_filename)\n    print (f\"Is {csaf_filename} a valid CSAF document : {csaf.validate()}\")\n    csaf.analyse()\nexcept FileNotFoundError:\n    print (\"[ERROR] CSAF filename not found\")\n```\n\n## Licence\n\nLicenced under the MIT Licence.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonyharrison%2Fcsaf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanthonyharrison%2Fcsaf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonyharrison%2Fcsaf/lists"}