CSAF Walker

"Walk" CSAF data from a remote server, allowing one to work with the data.

In addition, this repository also has a tool for working with SBOM data. Most of the options explained are valid for both SBOM and CSAF.

From the command line

There's a command line tool, which can be used right away.

Installation

cargo install csaf-cli
cargo install sbom-cli

You can also install this using cargo binstall:

cargo binstall csaf-cli
cargo binstall sbom-cli

Usage

You can download all documents by providing a link to the metadata endpoint:

csaf download -3 -v -d out/ https://www.redhat.com

It is also possible to only download validated files:

csaf sync -3 -v -d out/ https://www.redhat.com

Note

In cases where data is signed with a GPG v3 signature, you can use the -3 flag, which considers this still valid.

An alternative is to use the --policy-date argument, and provide a manual policy date. Also see: https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html.

Differential sync

By default, timestamps reported by the HTTP server will be applied to the downloaded files. When re-running, the changes.csv file will be used as a source to discover when a file was changed. If a file is already present and has a newer modification timestamp in the changes.csv file, then it will be downloaded again. Otherwise, it will be skipped.

Using the --since option, it is possible to provide a start timestamp. All changes reported before this timestamp are skipped, and all changes after it are forced to be re-synced, independent of the local file timestamp.

Using the --since-file option, it is possible to automate the "since" value: it is initially loaded from a file, and stored back into that file at the end of a successful run. The timestamp stored is the time at which the application started processing.

If both --since and --since-file are provided, then the "since file" will be used first, and the "since" value will act as a fallback if the file is not present.
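The differential-sync rules above, modelled as an added Rust example (this is not csaf-walker's own code). It assumes epoch-second timestamps and a simplified `"<path>",<timestamp>` line format for changes.csv; the sample input in the usage is constructed.

```rust
// Added example, not csaf-walker's own code. Timestamps are simplified to epoch
// seconds and changes.csv is assumed to be `"<path>",<timestamp>` per line.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Action { Download, Skip }

/// One row of changes.csv: document path and when it was last changed.
pub struct Change { pub path: String, pub changed: u64 }

/// Parse the (simplified) changes.csv; malformed lines are ignored.
pub fn parse_changes(csv: &str) -> Vec<Change> {
    csv.lines()
        .filter_map(|line| {
            let (path, ts) = line.trim().rsplit_once(',')?;
            Some(Change {
                path: path.trim_matches('"').to_string(),
                changed: ts.trim().parse().ok()?,
            })
        })
        .collect()
}

/// --since-file is consulted first; --since is only the fallback when that file is absent.
pub fn effective_since(since_file: Option<u64>, since: Option<u64>) -> Option<u64> {
    since_file.or(since)
}

/// Decide for one changes.csv entry whether it must be (re-)downloaded.
/// `local` maps an already-downloaded path to its file modification timestamp.
pub fn decide(change: &Change, local: &HashMap<String, u64>, since: Option<u64>) -> Action {
    if let Some(since) = since {
        // A "since" value overrides the local timestamp: older changes are
        // skipped, newer ones are forced.
        return if change.changed < since { Action::Skip } else { Action::Download };
    }
    match local.get(&change.path) {
        Some(&mtime) if mtime >= change.changed => Action::Skip, // local copy is current
        _ => Action::Download, // missing locally, or changes.csv reports a newer change
    }
}

/// After a successful run the since-file receives the run's start time, not its end.
pub fn next_since_file(run_started: u64, succeeded: bool, previous: Option<u64>) -> Option<u64> {
    if succeeded { Some(run_started) } else { previous }
}
```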

Sending data

Instead of storing, it is also possible to send data to a remote instance (using the Vexination or Bombastic API).

csaf send -3 https://www.redhat.com http://localhost:8083

Of course, it is also possible to use the filesystem as the source:

csaf send -3 out/ http://localhost:8083

As a library

Using the crate csaf-walker, this can also be used as a library:

use anyhow::Result;
use url::Url;
use csaf_walker::source::HttpSource;
use csaf_walker::walker::Walker;
use csaf_walker::retrieve::RetrievingVisitor;
use csaf_walker::validation::{ValidatedAdvisory, ValidationError, ValidationVisitor};
use walker_common::fetcher::Fetcher;

async fn walk() -> Result<()> {
    // HTTP client used for all retrievals (default options)
    let fetcher = Fetcher::new(Default::default()).await?;
    // The source is the provider's provider-metadata.json entry point
    let source = HttpSource {
        url: Url::parse("https://www.redhat.com/.well-known/csaf/provider-metadata.json")?,
        fetcher,
    };

    // Walk the provider: retrieve each advisory, validate it, then hand the
    // result to the closure. The `log` crate is required for log::info!.
    Walker::new(source.clone())
        .walk(RetrievingVisitor::new(
            source.clone(),
            ValidationVisitor::new(
                move |advisory: Result<ValidatedAdvisory, ValidationError>| async move {
                    log::info!("Found advisory: {advisory:?}");
                    Ok::<_, anyhow::Error>(())
                },
            ),
        ))
        .await?;

    Ok(())
}

TODOs

  • Support ROLIE

csaf-walker's Issues

Panic when parsing CPE

Most likely not a direct issue of csaf-walker, but still:

 on a `None` value', /cargo/registry/src/index.crates.io-6f17d22bba15001f/cpe-0.1.2/src/cpe.rs:187:15)

Implement DNS and security.txt discovery

Currently we only support the .well-known way of discovering the entry point. We also allow the user to provide the specific URL directly.

However, we should also support:

  • DNS discovery
  • security.txt discovery
