German Federal Office for Information Security (BSI) Sweat Equity

2-June-2022 DC CAW

Tools

Several open source tools have been made available on GitHub to ease the use of CSAF. They are listed below:

Secvisogram

Secvisogram is an online editor for creating CSAF documents. It can also check whether a given CSAF document is valid and display a human-readable preview. It is written in JavaScript and therefore runs client-side. You can run your own instance of it and modify the HTML template for the preview to suit your needs. The source code is available under the MIT license.

CSAF Distribution

The CSAF Distribution repo contains several tools for the distribution, discovery and retrieval of CSAF documents. It contributes to the understanding of Section 7 of the CSAF standard. Even though it is officially still "work in progress", it can already be used. Guidance on the build, setup and usage of the Go applications is provided in the repo. The source code is available under the MIT license.

CSAF Provider

CSAF Provider is an implementation of the CSAF trusted provider role that also offers a simple HTTPS-based management service. It is more or less a static site generator.

CSAF Uploader

CSAF Uploader is a command-line tool that uploads CSAF documents to the csaf_provider.

CSAF Aggregator

CSAF Aggregator is an implementation of the CSAF Aggregator role.

CSAF Checker

CSAF Checker is a tool for testing a CSAF trusted provider according to Section 7 of the CSAF standard.

CSAF validator library

csaf-validator-lib is a Node.js implementation of a CSAF full validator: it checks whether a given CSAF document is valid and passes all tests. As it is still a work in progress, only the functionality of a CSAF basic validator is completely implemented. Nevertheless, other tests have been added or are in the process of being added. The source code is available under the MIT license.

CSAF validator service

CSAF Validator Service is a service for validating documents against the CSAF standard. It uses csaf-validator-lib under the hood, which is included as a git subtree module. The source code is available under the MIT license.

CSAF CMS backend (aka Secvisogram Backend)

CSAF CMS Backend is a backend that provides part of the CSAF content management system support to authors of CSAF documents. It is still a work in progress. An integration with Secvisogram is planned, but it can also be used with other frontend systems because it is completely REST-based. See the documentation for more details. The source code is available under the MIT license.

Files

Security Advisories

A list of real security advisories written in CSAF is available at the OASIS TC repository. This also includes one from BSI.

VEX

A list of generic VEX documents written in CSAF is available at the OASIS TC repository. One for Secvisogram is available in the repo as well.
