Note: This is a work-in-progress and may be incomplete. Please see https://loopback.io/doc/en/sec/index.html for a canonical list of security advisories.
This section of the Git repository is where all LBSAs (LoopBack Security Advisories) are stored. Each advisory is written both as a CSAF 2.0 document and as an OSV 1.2.0 document.
The naming convention is as follows:

```
lbsa-YYYYMMDD.csaf.json <-- CSAF 2.0
lbsa-YYYYMMDD.osv.json  <-- OSV 1.2.0
```

Where:

- `YYYY` is the year
- `MM` is the month
- `DD` is the day
Validation of the CSAF 2.0 documents is done by <../scripts/advisories/validate-csaf20.ts>. This is triggered automatically during a Git commit and as part of the CI pipeline. It can also be triggered manually by running `npm run validate-csaf20`.
Validation of the OSV 1.2.0 documents is done by <../scripts/advisories/validate-osv.ts>. This is triggered automatically during a Git commit and as part of the CI pipeline. It can also be triggered manually by running `npm run validate-osv`.
CSAF 2.0 acts as the "source of truth" against which the other formats are validated, as it is the most comprehensive format. Hence, any deviation from the CSAF 2.0 document in another format must also be reflected back in the CSAF 2.0 document itself.
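As an added illustration of the two rules above (the `lbsa-YYYYMMDD` file naming and CSAF 2.0 as the source of truth), the following hypothetical helper checks a file name against the convention and cross-checks an OSV 1.2.0 record against its CSAF 2.0 counterpart. It is example code, not the repository's `validate-csaf20.ts` or `validate-osv.ts`, and it assumes only the standard CSAF 2.0 (`document.tracking.*`, `vulnerabilities[].cve`) and OSV 1.2.0 (`id`, `published`, `aliases`) field names; the sample pair at the bottom is constructed with placeholder IDs.

```typescript
// Added example (not the repository's own scripts): file-name and
// CSAF-vs-OSV consistency checks. CSAF 2.0 is the source of truth, so any
// mismatch reported here is resolved by editing the CSAF document first.

interface CsafDoc {
  document: { tracking: { id: string; initial_release_date: string } };
  vulnerabilities: { cve?: string }[];
}
interface OsvDoc { id: string; published: string; aliases?: string[] }

// lbsa-YYYYMMDD.csaf.json or lbsa-YYYYMMDD.osv.json
const NAME_RE = /^lbsa-(\d{4})(\d{2})(\d{2})\.(csaf|osv)\.json$/;

// Returns a list of problems; an empty list means the name is acceptable.
function checkFileName(name: string): string[] {
  const m = NAME_RE.exec(name);
  if (!m) return [`"${name}" does not match lbsa-YYYYMMDD.{csaf,osv}.json`];
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  // Date.UTC normalises overflow (e.g. Feb 30 -> Mar 2), so a round-trip
  // comparison catches impossible calendar dates in the file name.
  const date = new Date(Date.UTC(y, mo - 1, d));
  const ok = date.getUTCFullYear() === y && date.getUTCMonth() === mo - 1 && date.getUTCDate() === d;
  return ok ? [] : [`"${name}" encodes an impossible date ${m[1]}-${m[2]}-${m[3]}`];
}

// Compares the fields both formats carry: advisory id, release date and the
// CVE set (CSAF vulnerabilities[].cve versus OSV aliases).
function crossCheck(csaf: CsafDoc, osv: OsvDoc): string[] {
  const problems: string[] = [];
  const id = csaf.document.tracking.id;
  if (osv.id !== id) problems.push(`id: OSV "${osv.id}" != CSAF "${id}"`);
  const released = csaf.document.tracking.initial_release_date;
  if (osv.published !== released) problems.push(`published: OSV "${osv.published}" != CSAF "${released}"`);
  const cves = csaf.vulnerabilities.map(v => v.cve).filter((c): c is string => !!c);
  const aliases = osv.aliases ?? [];
  for (const cve of cves) if (!aliases.includes(cve)) problems.push(`OSV aliases missing ${cve}`);
  for (const a of aliases) if (!cves.includes(a)) problems.push(`OSV alias ${a} has no CSAF vulnerability`);
  return problems;
}

// Constructed sample pair with placeholder identifiers (not a real advisory).
const SAMPLE_CSAF: CsafDoc = {
  document: { tracking: { id: "LBSA-EXAMPLE-0001", initial_release_date: "2023-01-15T00:00:00.000Z" } },
  vulnerabilities: [{ cve: "CVE-0000-00000" }],
};
const SAMPLE_OSV: OsvDoc = { id: "LBSA-EXAMPLE-0001", published: "2023-01-15T00:00:00.000Z", aliases: ["CVE-0000-00000"] };
```

In a pre-commit hook the two functions would run over each `lbsa-*.csaf.json` / `lbsa-*.osv.json` pair and fail the commit when either returns a non-empty list.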
This section depends on Secvisogram for validation: specifically its ports of the CSAF JSON Schemas from Draft-04 (which has no first-class AJV support) to Draft-2019, and its strict variant of the CSAF 2.0 JSON Schema. There are plans to utilise other parts of the Secvisogram codebase for more thorough validation.

It also depends on the Open Source Vulnerability (OSV) schema for JSON Schema-based OSV validation.
There are currently no known dependents on these CSAF 2.0 documents. However, there are plans to add the following integrations:

| Integration | Status |
|---|---|
| Generation of security advisories on the loopback.io website | Planned |
| Publishing as a CSAF Provider through csaf.data.loopback.io | Planned |
| Down-conversion to and publication of CVRF 1.2 | Planned |
| Sync with the GitLab Advisory Database | Planned |