"Walk" CSAF data from a remote server, allowing one to work with the data.
In addition, this repository also has a tool for working with SBOM data. Most of the options explained are valid for both SBOM and CSAF.
There's a command line tool, which can be used right away.
cargo install csaf-cli
cargo install sbom-cliYou can also install this using cargo binstall:
cargo binstall csaf-cli
cargo binstall sbom-cliYou can download all documents be providing a link to the metadata endpoint:
csaf download -3 -v -d out/ https://www.redhat.comIt is also possible to only download validated files:
csaf sync -3 -v -d out/ https://www.redhat.comNote
In cases where data is signed with a GPG v3 signature, you can use the -3 flag, which considers this still valid.
An alternative is to use the --policy-date argument, and provide a manual policy date. Also see: https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html.
By default, timestamps reported by the HTTP server will be applied to the downloaded files. When re-running, the
changes.csv file will be used as a source to discover when a file was changed. If a file is already present and has
a newer modification timestamp in the changes.csv file, then it will be downloaded again. Otherwise, it will be
skipped.
Using the --since option, it is possible to provide a start timestamp, which will skip all changes reported before
this timestamp, and force all changes after this timestamp (independent of the file local file timestamp) to be
re-synced.
Using the --since-file option, it is possible to automate the "since" value, by initially loading the "since" value
from a file, and storing it into a file at the end of a successful run. The timestamp stored will be the timestamp,
when the application started processing.
If both --since and --since-file are provided, then the "since file" will be used first, and the "since" value will
act as a fallback if the file is not present.
Instead of storing, it is also possible to send data to a remote instance (using the Vexination or Bombastic API).
csaf send -3 https://www.redhat.com http://localhost:8083Of course, it is also possible use the filesystem as source:
csaf send -3 out/ http://localhost:8083Using the crate csaf-walker, this can also be used as a library:
use anyhow::Result;
use url::Url;
use csaf_walker::source::HttpSource;
use csaf_walker::walker::Walker;
use csaf_walker::retrieve::RetrievingVisitor;
use csaf_walker::validation::{ValidatedAdvisory, ValidationError, ValidationVisitor};
use walker_common::fetcher::Fetcher;
async fn walk() -> Result<()> {
let fetcher = Fetcher::new(Default::default()).await?;
let source = HttpSource {
url: Url::parse("https://www.redhat.com/.well-known/csaf/provider-metadata.json")?,
fetcher,
};
Walker::new(source.clone())
.walk(RetrievingVisitor::new(
source.clone(),
ValidationVisitor::new(
move |advisory: Result<ValidatedAdvisory, ValidationError>| async move {
log::info!("Found advisory: {advisory:?}");
Ok::<_, anyhow::Error>(())
},
)
))
.await?;
Ok(())
}- Support ROLIE
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent