├── .github └── workflows │ ├── python-app.yml │ ├── python-package.yml │ └── python-publish.yml ├── .gitignore ├── CONTRIBUTING.md ├── CREDITS.md ├── LICENSE ├── MANIFEST.in ├── README.md ├── __init__.py ├── __version__.py ├── cvrf_util.py ├── examples ├── .DS_Store ├── 1.1 │ ├── CVRF-1.1-cisco-sa-20110525-rvs4000-invalid.xml │ ├── CVRF-1.1-cisco-sa-20110525-rvs4000-notwellformed.xml │ ├── CVRF-1.1-cisco-sa-20110525-rvs4000.xml │ ├── mitre-allitems-cvrf-year-2018.xml │ ├── ms_cvrf.xml │ ├── oracle_cvrf.xml │ └── redhat_cvrf_2018.xml └── 1.2 │ ├── cvrf_example_a.xml │ ├── cvrf_example_b.xml │ ├── cvrf_example_c.xml │ ├── cvrf_example_d.xml │ └── cvrf_example_e.xml ├── requirements-dev.txt ├── requirements-test.txt ├── requirements.txt ├── schemata ├── catalog_1_1.xml ├── catalog_1_2.xml ├── common │ ├── .svn │ │ ├── all-wcprops │ │ └── entries │ ├── 1.1 │ │ ├── .svn │ │ │ ├── all-wcprops │ │ │ ├── entries │ │ │ └── text-base │ │ │ │ └── common.xsd.svn-base │ │ └── common.xsd │ └── 1.2 │ │ └── common.xsd ├── cvrf │ ├── .svn │ │ ├── all-wcprops │ │ └── entries │ ├── 1.1 │ │ ├── .svn │ │ │ ├── all-wcprops │ │ │ ├── entries │ │ │ └── text-base │ │ │ │ └── cvrf.xsd.svn-base │ │ └── cvrf.xsd │ └── 1.2 │ │ └── cvrf.xsd ├── dublincore │ └── dc.xsd ├── prod │ ├── .svn │ │ ├── all-wcprops │ │ └── entries │ ├── 1.1 │ │ ├── .svn │ │ │ ├── all-wcprops │ │ │ ├── entries │ │ │ ├── prop-base │ │ │ │ └── prod.xsd.svn-base │ │ │ └── text-base │ │ │ │ └── prod.xsd.svn-base │ │ └── prod.xsd │ └── 1.2 │ │ └── prod.xsd ├── scap │ ├── cpe-language_2.2a.xsd │ ├── cvss-v2_0.9.xsd │ ├── cvss-v3.0.xsd │ └── scap-core_0.9.xsd ├── vuln │ ├── .svn │ │ ├── all-wcprops │ │ └── entries │ ├── 1.1 │ │ ├── .svn │ │ │ ├── all-wcprops │ │ │ ├── entries │ │ │ └── text-base │ │ │ │ └── vuln.xsd.svn-base │ │ └── vuln.xsd │ ├── 1.2 │ │ └── vuln.xsd │ └── vuln.xsd └── w3.org │ └── xml.xsd ├── setup.py └── tests ├── __init__.py ├── context.py └── test_cli.py /.github/workflows/python-app.yml: 
-------------------------------------------------------------------------------- 1 | # This workflow will install Python dependencies, run tests and lint with a single version of Python 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions 3 | 4 | name: Python application 5 | 6 | on: 7 | push: 8 | branches: [ master ] 9 | pull_request: 10 | branches: [ master ] 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - uses: actions/checkout@v2 19 | - name: Set up Python 3.9 20 | uses: actions/setup-python@v2 21 | with: 22 | python-version: 3.9 23 | - name: Install dependencies 24 | run: | 25 | python -m pip install --upgrade pip 26 | pip install flake8 pytest 27 | if [ -f requirements.txt ]; then pip install -r requirements.txt; fi 28 | if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi 29 | - name: Lint with flake8 30 | run: | 31 | # stop the build if there are Python syntax errors or undefined names 32 | flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics 33 | # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide 34 | flake8 . 
--count --exit-zero --max-complexity=10 --max-line-length=127 --statistics 35 | - name: Test with pytest 36 | run: | 37 | pytest 38 | -------------------------------------------------------------------------------- /.github/workflows/python-package.yml: -------------------------------------------------------------------------------- 1 | # This workflow will install Python dependencies, run tests and lint with a variety of Python versions 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions 3 | 4 | name: Python package 5 | 6 | on: 7 | push: 8 | branches: [ master ] 9 | pull_request: 10 | branches: [ master ] 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-latest 16 | strategy: 17 | matrix: 18 | python-version: [3.7, 3.8, 3.9] 19 | 20 | steps: 21 | - uses: actions/checkout@v2 22 | - name: Set up Python ${{ matrix.python-version }} 23 | uses: actions/setup-python@v2 24 | with: 25 | python-version: ${{ matrix.python-version }} 26 | - name: Install dependencies 27 | run: | 28 | python -m pip install --upgrade pip 29 | python -m pip install flake8 pytest 30 | if [ -f requirements.txt ]; then pip install -r requirements.txt; fi 31 | - name: Lint with flake8 32 | run: | 33 | # stop the build if there are Python syntax errors or undefined names 34 | flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics 35 | # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide 36 | flake8 . 
--count --exit-zero --max-complexity=10 --max-line-length=127 --statistics 37 | - name: Test with pytest 38 | run: | 39 | pytest 40 | -------------------------------------------------------------------------------- /.github/workflows/python-publish.yml: -------------------------------------------------------------------------------- 1 | # This workflow will upload a Python Package using Twine when a release is created 2 | # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries 3 | 4 | name: Upload Python Package 5 | 6 | on: 7 | release: 8 | types: [created] 9 | 10 | jobs: 11 | deploy: 12 | 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - uses: actions/checkout@v2 17 | - name: Set up Python 18 | uses: actions/setup-python@v2 19 | with: 20 | python-version: '3.x' 21 | - name: Install dependencies 22 | run: | 23 | python -m pip install --upgrade pip 24 | pip install setuptools wheel twine 25 | - name: Build and publish 26 | env: 27 | TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} 28 | TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} 29 | run: | 30 | python setup.py sdist bdist_wheel 31 | twine upload dist/* 32 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | 49 | # Translations 50 | *.mo 51 | *.pot 52 | 53 | # Django stuff: 54 | *.log 55 | .static_storage/ 56 | .media/ 57 | local_settings.py 58 | 59 | # Sphinx documentation 60 | docs/_build/ 61 | 62 | # Jupyter Notebook 63 | .ipynb_checkpoints 64 | 65 | # pyenv 66 | .python-version 67 | 68 | # Environments 69 | .env 70 | .venv 71 | env/ 72 | venv/ 73 | ENV/ 74 | env.bak/ 75 | venv.bak/ 76 | 77 | # mypy 78 | .mypy_cache/ 79 | 80 | # Editor files 81 | .idea/ 82 | *.swp 83 | 84 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 |
2 |

Contributing

3 | 4 |
5 |

Public Participation Invited

6 | 7 |

This OASIS TC Open Repository ( github.com/oasis-open/csaf-parser ) is a community public repository that supports participation by anyone, whether affiliated with OASIS or not. Substantive contributions (repository "code") and related feedback are invited from all parties, following the common conventions for participation in GitHub public repository projects. Participation is expected to be consistent with the OASIS TC Open Repository Guidelines and Procedures, the LICENSE designated for this particular repository (BSD-3-Clause License), and the requirement for an Individual Contributor License Agreement. Please see the repository README document for other details.

8 |
9 | 10 | 11 |
12 |

Governance Distinct from OASIS TC Process

13 |

Content accepted as "contributions" to this TC Open Repository, as defined below, is distinct from any Contributions made to the associated OASIS Common Security Advisory Framework (CSAF) TC itself. Participation in the associated Technical Committee is governed by the OASIS Bylaws, OASIS TC Process, IPR Policy, and related policies. This TC Open Repository is not subject to the OASIS TC-related policies. TC Open Repository governance is defined by separate participation and contribution guidelines as referenced in the OASIS TC Open Repositories Overview.

14 |
15 | 16 |
17 |

Licensing Distinct from OASIS IPR Policy

18 |

Because different licenses apply to the OASIS TC's specification work and to this TC Open Repository, there is no guarantee that the licensure of specific repository material will be compatible with licensing requirements of an implementation of a TC's specification. Please refer to the LICENSE file for the terms of this material, and to the OASIS IPR Policy for the terms applicable to the TC's specifications, including any applicable declarations.

19 |
20 | 21 |
22 |

Contributions Subject to Individual CLA

23 | 24 |

Formally, "contribution" to this TC Open Repository refers to content merged into the "Code" repository (repository changes represented by code commits), following the GitHub definition of contributor: "someone who has contributed to a project by having a pull request merged but does not have collaborator [i.e., direct write] access." Anyone who signs the TC Open Repository Individual Contributor License Agreement (CLA), signifying agreement with the licensing requirement, may contribute substantive content — subject to evaluation of a GitHub pull request. The main web page for this repository, as with any GitHub public repository, displays a link to a document listing contributions to the repository's default branch (filtered by Commits, Additions, and Deletions).

25 | 26 |

This TC Open Repository, as with GitHub public repositories generally, also accepts public feedback from any GitHub user. Public feedback includes opening issues, authoring and editing comments, participating in conversations, making wiki edits, creating repository stars, and making suggestions via pull requests. Such feedback does not constitute an OASIS TC Open Repository contribution. Some details are presented under "Read permissions" in the table of permission levels for a GitHub organization. Technical content intended as a substantive contribution (repository "Code") to a TC Open Repository is subject to evaluation, and requires a signed Individual CLA.

27 | 28 | 29 |
30 | 31 |
32 |

Fork-and-Pull Collaboration Model

33 | 34 |

OASIS TC Open Repositories use the familiar fork-and-pull collaboration model supported by GitHub and other distributed version-control systems. Any GitHub user wishing to contribute should fork the repository, make additions or other modifications, and then submit a pull request. GitHub pull requests should be accompanied by supporting comments and/or issues. Community conversations about pull requests, supported by GitHub notifications, will provide the basis for a consensus determination to merge, modify, close, or take other action, as communicated by the repository Maintainers.

35 |
36 | 37 |
38 |

Feedback

39 | 40 |

Questions or comments about this TC Open Repository's activities should be composed as GitHub issues or comments. If use of an issue/comment is not possible or appropriate, questions may be directed by email to the repository Maintainer(s). Please send general questions about TC Open Repository participation to OASIS Staff at repository-admin@oasis-open.org and any specific CLA-related questions to repository-cla@oasis-open.org.

41 | 42 |
43 | -------------------------------------------------------------------------------- /CREDITS.md: -------------------------------------------------------------------------------- 1 | # Thanks to: 2 | 3 | * Mike Schiffman of Farsight Security for creating the original 4 | [`cvrfparse`](https://github.com/mschiffm/cvrfparse) this tool 5 | started from. 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Cisco PSIRT 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include README.md LICENSE CONTRIBUTING.md 2 | recursive-include examples/ * 3 | recursive-include schemata/ * 4 | 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 |

README

3 | 4 |
5 |

OASIS TC Open Repository: csaf-parser

6 | 7 |

This GitHub public repository ( https://github.com/oasis-open/csaf-parser ) was created at the request of the OASIS Common Security Advisory Framework (CSAF) TC as an OASIS TC Open Repository to support development of open source resources related to Technical Committee work.

8 | 9 | **NOTE**: The current version of this parser only supports [CVRF 1.2 (XML-based specification)](http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html). It does not support the [CSAF 2.0 JSON schema](https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json). To obtain information about several tools to parse, create, and validate CSAF 2.0 content go to https://csaf.io. 10 | 11 |

While this TC Open Repository remains associated with the sponsor TC, its development priorities, leadership, intellectual property terms, participation rules, and other matters of governance are separate and distinct from the OASIS TC Process and related policies.

12 | 13 |

All contributions made to this TC Open Repository are subject to open source license terms expressed in the BSD-3-Clause License. That license was selected as the declared "Applicable License" when the TC Open Repository was created.

14 | 15 |

As documented in "Public Participation Invited", contributions to this OASIS TC Open Repository are invited from all parties, whether affiliated with OASIS or not. Participants must have a GitHub account, but no fees or OASIS membership obligations are required. Participation is expected to be consistent with the OASIS TC Open Repository Guidelines and Procedures, the open source LICENSE designated for this particular repository, and the requirement for an Individual Contributor License Agreement that governs intellectual property.

16 | 17 |
18 | 19 |
20 |

Statement of Purpose

21 | 22 |

Statement of Purpose for this OASIS TC Open Repository (csaf-parser) as proposed and approved [bis] by the TC:

23 | 24 |

The CSAF Parser (and validator) under development in this repository is a software tool for parsing and checking the syntax of the Common Vulnerability Reporting Framework (CVRF) machine readable security advisory content. The repository contains source code and associated documentation for the tool. The CSAF Parser can be used as a command-line tool or as a Python library which can be included in other applications.

25 | 26 |

[Earlier incarnations of the parser code included cvrf-util and Mike Schiffman's cvrfparse]

27 | 28 | 35 | 36 |
37 | 38 |
39 |

CVRF Parsing Examples

40 |

Common use-case command-line examples

41 |

One fairly common use-case would be to query a document and pull out the unique set of products with related fields from all vulnerabilities and save to excel file as shown below: 42 | 43 | `python cvrf_util.py --file examples/1.1/ms_cvrf.xml --schema schemata/cvrf/1.1/cvrf.xsd --cvrf-version 1.1 --output-format csv --output-file ms_cvrf.csv --vuln ProductID --include-related-product-elements --unique-products --related-product-tags all` 44 |

45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 |
Where the following command line parameters were applied:
`--file examples/1.1/ms_cvrf.xml` — Specify the document we are parsing
`--schema schemata/cvrf/1.1/cvrf.xsd` — Specify the schema
`--cvrf-version 1.1` — Specify the CVRF version
`--output-format csv` — Specify output format to CSV
`--output-file ms_cvrf.csv` — Specify the output file
`--vuln ProductID` — Specify elements to parse
`--include-related-product-elements` — Tell output to include related product elements
`--unique-products` — Specify that we want unique product rows per vulnerability
`--related-product-tags all` — Specify which related product element tags to include for each product row
58 |

59 | 60 |
61 |

Another common example is to query a document and parse out all of the elements in each vulnerability and save to html file as shown below: 62 |

63 | 64 | `python cvrf_util.py --file examples/1.1/ms_cvrf.xml --cvrf-version 1.1 --output-format html --output-file ms_cvrf.html --vuln Vulnerability --cvrf all --prod all` 65 |

66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 |
Where the following command line parameters were applied:
`--file examples/1.1/ms_cvrf.xml` — Specify the document we are parsing
`--cvrf-version 1.1` — Specify the CVRF version
`--output-format html` — Specify output format to HTML
`--output-file ms_cvrf.html` — Specify the output file
`--vuln Vulnerability` — Specify elements to parse
`--cvrf all` — Specify elements to parse
`--prod all` — Specify elements to parse
77 | 78 | 79 |

80 | 81 |

Additions to Statement of Purpose

82 | 83 |

Repository Maintainers may include here any clarifications — any additional sections, subsections, and paragraphs that the Maintainer(s) wish to add as descriptive text, reflecting (sub-) project status, milestones, releases, modifications to statement of purpose, etc. The project Maintainers will create and maintain this content on behalf of the participants.

84 |
85 | 86 |
87 |

Maintainers

88 | 89 |

TC Open Repository Maintainers are responsible for oversight of this project's community development activities, including evaluation of GitHub pull requests and preserving open source principles of openness and fairness. Maintainers are recognized and trusted experts who serve to implement community goals and consensus design preferences.

90 | 91 |

Initially, the associated TC members have designated one or more persons to serve as Maintainer(s); subsequently, participating community members may select additional or substitute Maintainers, per consensus agreements.

92 | 93 |

Current Maintainers of this TC Open Repository

94 | 95 | 101 | 102 |
103 | 104 |

About OASIS TC Open Repositories

105 | 106 |

113 | 114 |
115 | 116 |

Feedback

117 | 118 |

Questions or comments about this TC Open Repository's activities should be composed as GitHub issues or comments. If use of an issue/comment is not possible or appropriate, questions may be directed by email to the Maintainer(s) listed above. Please send general questions about TC Open Repository participation to OASIS Staff at repository-admin@oasis-open.org and any specific CLA-related questions to repository-cla@oasis-open.org.

119 | 120 |
121 | -------------------------------------------------------------------------------- /__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oasis-open/csaf-parser/bf730688e3e377cf55651269e6095fd7a444a597/__init__.py -------------------------------------------------------------------------------- /__version__.py: -------------------------------------------------------------------------------- 1 | 2 | VERSION = (1, 2, 0) 3 | 4 | __version__ = '.'.join(map(str, VERSION)) 5 | -------------------------------------------------------------------------------- /examples/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oasis-open/csaf-parser/bf730688e3e377cf55651269e6095fd7a444a597/examples/.DS_Store -------------------------------------------------------------------------------- /examples/1.2/cvrf_example_a.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | AppY Stream Control Transmission Protocol 20 | Security Advisory 21 | 22 | Emergency Support: ... 23 | ... Team (PSIRT).... 24 | 25 | 26 | 27 | vendorix-sa-20170301-abc 28 | 29 | Final 30 | 1.0 31 | 32 | 33 | 1.0 34 | 2017-03-01T14:58:48 35 | Initial public release. 36 | 37 | 38 | 2017-03-01T16:00:00 39 | 2017-03-01T14:58:48 40 | 41 | TVCE 42 | 43 | 44 | 45 | A vulnerability... 46 | ... 47 | 48 | 49 | 50 | https://example.com/sec/vendorix-sa-20170301-abc 51 | Vendorix Foo AppY... 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | ... 61 | AppY 1.0.0 62 | 63 | 64 | ... 65 | AppY 1.0(2) 66 | 67 | 68 | 69 | 70 | ... 71 | AppY 1.1.0 72 | 73 | 74 | ... 75 | AppY 1.1(1) 76 | 77 | 78 | 79 | 80 | 81 | 82 | 84 | ... Transmission Protocol ... 85 | VDXvc83320 86 | 87 | A vuln ... 
88 | 89 | VDXvc83320 90 | 91 | CVE-2017-3826 92 | 93 | 94 | CVRFPID-223152 95 | CVRFPID-223153 96 | CVRFPID-223155 97 | CVRFPID-223156 98 | 99 | 100 | 101 | 102 | 7.5 103 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 104 | 105 | 106 | 107 | 108 | There are no workarounds that ... 109 | 110 | 111 | 112 | 113 | https://example.com/sec/vendorix-sa-20170301-abc 114 | ... AppY Stream ... 115 | 116 | 117 | 118 | 119 | 120 | -------------------------------------------------------------------------------- /examples/1.2/cvrf_example_b.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | Red Hat Security Advisory: python-oslo-middleware security update 20 | Security Advisory 21 | 22 | secalert@redhat.com 23 | Red Hat Product Security 24 | 25 | 26 | 27 | RHSA-2017:0435 28 | 29 | Final 30 | 1 31 | 32 | 33 | 1 34 | 2017-03-02T21:13:00Z 35 | Current version 36 | 37 | 38 | 2017-03-02T21:13:00Z 39 | 2017-03-02T21:13:00Z 40 | 41 | Red Hat rhsa-to-cvrf 2.0 42 | 2017-03-04T05:06:05Z 43 | 44 | 45 | 46 | 47 | An update for python-oslo-middleware is now available for Red Hat OpenStack Platform 9.0 (Mitaka). 48 | 49 | Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 50 | 51 | The OpenStack Oslo Middleware library provides components that can be injected into WSGI pipelines to intercept request and response flows. The base class can be enhanced with functionality like adding or updating HTTP headers, or to offer support for limiting size or connections. 52 | 53 | Security Fix(es): 54 | 55 | * An information-disclosure flaw was found in oslo.middleware. Software using the CatchError class could include sensitive values in a traceback's error message. 
System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens). (CVE-2017-2592) 56 | Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Divya K Konoor (IBM) as the original reporter. 57 | Please see https://www.redhat.com/footer/terms-of-use.html 58 | 59 | Copyright 2017 Red Hat, Inc. All rights reserved. 60 | Moderate 61 | 62 | 63 | https://rhn.redhat.com/errata/RHSA-2017-0435.html 64 | https://rhn.redhat.com/errata/RHSA-2017-0435.html 65 | 66 | 67 | https://access.redhat.com/security/updates/classification/#moderate 68 | https://access.redhat.com/security/updates/classification/#moderate 69 | 70 | 71 | 72 | 73 | 74 | 75 | Red Hat OpenStack Platform 9.0 76 | 77 | 78 | 79 | python-oslo-middleware-3.7.0-2.el7ost.src.rpm 80 | 81 | 83 | python-oslo-middleware-3.7.0-2.el7ost as a component of Red Hat OpenStack Platform 9.0 84 | 85 | 86 | 87 | 89 | 90 | An information-disclosure flaw was found in oslo.middleware. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens). 
91 | 92 | 2017-01-18T00:00:00Z 93 | 2017-01-26T00:00:00Z 94 | 95 | 96 | 97 | CVE-2017-2592 98 | 99 | 100 | 7Server-RH7-RHOS-9.0:python-oslo-middleware-3.7.0-2.el7ost 101 | 102 | 103 | 104 | 105 | Moderate 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | For details on how to apply this update, which includes the changes described in this advisory, refer to: 114 | 115 | https://access.redhat.com/articles/11258 116 | https://rhn.redhat.com/errata/RHSA-2017-0435.html 117 | 118 | 119 | 120 | 121 | https://access.redhat.com/security/cve/CVE-2017-2592 122 | CVE-2017-2592 123 | 124 | 125 | https://bugzilla.redhat.com/show_bug.cgi?id=1414698 126 | bz#1414698: CVE-2017-2592 python-oslo-middleware: CatchErrors leaks sensitive values into error logs 127 | 128 | 129 | 130 | 131 | Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Divya K Konoor (IBM) as the original reporter. 132 | 133 | 134 | 135 | 136 | 137 | -------------------------------------------------------------------------------- /examples/1.2/cvrf_example_c.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products 20 | Cisco Security Advisory 21 | 22 | Emergency Support: 23 | +1 877 228 7302 (toll-free within North America) 24 | +1 408 525 6532 (International direct-dial) 25 | Non-emergency Support: 26 | Email: psirt@cisco.com 27 | Support requests that are received via e-mail are typically acknowledged within 48 hours. 28 | Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. 
The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks. 29 | More information can be found in Cisco Security Vulnerability Policy available at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 30 | 31 | 32 | 33 | cisco-sa-20170310-struts2 34 | 35 | Interim 36 | 1.4 37 | 38 | 39 | 1.0 40 | 2017-03-10T20:43:55 41 | Initial public release. 42 | 43 | 44 | 1.1 45 | 2017-03-11T23:37:26 46 | Updated product lists. 47 | 48 | 49 | 1.2 50 | 2017-03-13T00:06:20 51 | Updated product lists. 52 | 53 | 54 | 1.3 55 | 2017-03-13T22:24:49 56 | Updated product lists. 57 | 58 | 59 | 60 | 1.4 61 | 2017-03-14T21:03:12 62 | Updated product lists. 63 | 64 | 65 | 2017-03-10T19:30:00 66 | 2017-03-14T21:03:12 67 | 68 | TVCE 69 | 70 | 71 | 72 | On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system using a crafted Content-Type header value. 73 | 74 | This vulnerability has been assigned CVE-ID CVE-2017-5638. 75 | 76 | This advisory is available at the following link: 77 | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2"] 78 | Although CVRF version 1.1 does not support CVSS version 3, the CVSS score in this CVRF file is a CVSSv3 base and temporal score, as Cisco is now scoring vulnerabilities in CVSSv3. 
79 | 80 | 81 | 82 | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 83 | Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products 84 | 85 | 86 | 87 | 89 | Apache Struts Jakarta Multipart Parser File Upload Code Execution Vulnerability 90 | 91 | A vulnerability in the Jakarta multipart parser of Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. 92 | 93 | 94 | 95 | The vulnerability is due to improper handling of the Content-Type header value when performing a file upload based on the Jakarta multipart parser of the affected software. An attacker could exploit this vulnerability by persuading a targeted user to upload a malicious file. Once the Jakarta multipart parser of the affected application uploads the file, the attacker could have the ability to execute arbitrary code. 96 | 97 | CVE-2017-5638 98 | 99 | 100 | Any workarounds, when available, are documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool ["https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"]. 
101 | 102 | 103 | 104 | 105 | 106 | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 107 | Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /examples/1.2/cvrf_example_d.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 | DocumentTitle0 19 | DocumentType0 20 | 21 | 22 | 23 | 24 | ID0 25 | 26 | Draft 27 | 1 28 | 29 | 30 | 1.0 31 | 2038-05-04T18:13:51.0 32 | Something wrong with some product 33 | 34 | 35 | 1.1 36 | 2038-05-04T18:13:52.0 37 | We excluded some products, but still in the fog 38 | 39 | 40 | 2038-05-04T18:13:51.0 41 | 2038-05-04T18:13:52.0 42 | 43 | 44 | -------------------------------------------------------------------------------- /examples/1.2/cvrf_example_e.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | 20 | Acme Security Advisory for foo on bar - March 2017 - CSAF CVRF 21 | Acme Security Advisory 22 | 23 | 24 | 25 | acme-2017-42 26 | 27 | Final 28 | 1.0 29 | 30 | 31 | 1.0 32 | 2017-03-17T12:34:56-06:00 33 | Initial Distribution 34 | 35 | 36 | 1.1 37 | 2017-03-18T01:23:45-06:00 38 | Corrected Distribution 39 | 40 | 41 | 2017-01-17T12:34:56-06:00 42 | 2017-01-18T01:23:34-06:00 43 | 44 | 45 | 46 | This document contains descriptions of Acme product security vulnerabilities with details on impacted and non-impacted platform product combinations. 47 | Additional information regarding these vulnerabilities including fix distribution information can be found at the Acme sites referenced in this document. 
48 | 49 | This document is published at: https://acme.example.com/sa/acme-2017-42-1-1.xml 50 | 51 | 52 | https://acme.example.com/sa/acme-2017-42-1-1.json 53 | URL to JSON version of Advisory 54 | 55 | 56 | 57 | 58 | Some One (not to be named explicitly) 59 | 60 | 61 | Jane Employee 62 | Acme Inc. 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | Foo 1.9 on bar 73 | 74 | 75 | Foo 2.1 on bar 76 | 77 | 78 | 79 | 80 | Foo 1.9 on baz 81 | 82 | 83 | Foo 2.1 on baz 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | Vulnerability in the TCP component of Acme foo (CVE-2017-99999) 93 | 94 | 95 | Vulnerability in the TCP component of Acme foo. 96 | Supported versions that are affected are 1.9, and 2.0 when installed on bar but not affected when on baz. 97 | Easily exploitable vulnerability allows unauthenticated attacker with network access via a single 0x42 value payload byte to compromise Acme foo. 98 | Successful attacks of this vulnerability can result in unauthorized read access to a subset of Acme foo accessible data and unauthorized ability to cause a complete denial of service (DOS) of Acme foo. 99 | CVSS 3.0 Base Score 9.8 (Confidentiality and Availability impacts). 100 | CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 
101 | 102 | 103 | 104 | Fix has been released 105 | 106 | 107 | CVE-2017-99999 108 | 109 | 110 | AC-FOO-1.9-on-bar 111 | AC-FOO-2.1-on-bar 112 | 113 | 114 | AC-FOO-1.9-on-baz 115 | AC-FOO-2.1-on-baz 116 | 117 | 118 | 119 | 120 | 9.8 121 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 122 | 123 | 124 | 125 | 126 | acme-2017-42 127 | Tutte le persone su questo pianeta 128 | https://acme.example.com/sa/acme-2017-42-1-1.html 129 | AC-FOO-1.9-on-bar 130 | AC-FOO-2.1-on-bar 131 | 132 | 133 | 134 | 135 | 136 | -------------------------------------------------------------------------------- /requirements-dev.txt: -------------------------------------------------------------------------------- 1 | black 2 | flake8 3 | mypy 4 | pylint 5 | -r requirements-test.txt 6 | -------------------------------------------------------------------------------- /requirements-test.txt: -------------------------------------------------------------------------------- 1 | coverage 2 | pytest 3 | pytest-coverage 4 | pytest-flake8 5 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | lxml==4.9.1 -------------------------------------------------------------------------------- /schemata/catalog_1_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /schemata/catalog_1_2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /schemata/common/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 49 4 | 
/svn/icasi-cvrf/!svn/ver/84/trunk/schemata/common 5 | END 6 | -------------------------------------------------------------------------------- /schemata/common/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/common 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | 1.1 30 | dir 31 | 32 | -------------------------------------------------------------------------------- /schemata/common/1.1/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 53 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/common/1.1 5 | END 6 | common.xsd 7 | K 25 8 | svn:wc:ra_dav:version-url 9 | V 64 10 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/common/1.1/common.xsd 11 | END 12 | -------------------------------------------------------------------------------- /schemata/common/1.1/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/common/1.1 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | common.xsd 30 | file 31 | 32 | 33 | 34 | 35 | 2012-05-07T19:31:33.000000Z 36 | 147cabf59262af5377f122b3103b8e31 37 | 2012-05-07T17:25:01.568574Z 38 | 82 39 | xorrkaz 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 8547 62 | 63 | -------------------------------------------------------------------------------- 
/schemata/common/1.1/.svn/text-base/common.xsd.svn-base: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | This is the XML schema for the Common Vulerability Reporting Framework's common data types. 21 | 22 | Brian Schafer <bschafer@microsoft.com> 23 | Joe Clarke <jclarke@cisco.com> 24 | Joe Hemmerlein <Joe.Hemmerlein@microsoft.com> 25 | 2012-05-07 26 | CVRF Common Data Types 27 | 1.1 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | A normalized string type that cannot be empty. 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | A string type that cannot be empty. 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | String type with an optional language attribute. The default language is English. 52 | 53 | 54 | 55 | 56 | 57 | Locale code used for the string value. The default is "en". 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | Normalized string type with an optional language attribute. The default language is English. This string cannot be empty. 66 | 67 | 68 | 69 | 70 | 71 | Locale code used for the string value. The default is "en". 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | Dotted string representing the document revision 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | Types enumerating the type of reference document 88 | 89 | 90 | 91 | 92 | This document is an external reference to the current vulnerability. 93 | 94 | 95 | 96 | 97 | This document is a reference to this same vulnerability. 98 | 99 | 100 | 101 | 102 | 103 | 104 | Types enumerating the various publishers of a document. 105 | 106 | 107 | 108 | 109 | Developers or maintainers of information system products or services. 110 | 111 | 112 | 113 | 114 | Individuals or organizations that find vulnerabilities or security weaknesses. 115 | 116 | 117 | 118 | 119 | Individuals or organizations that manage a single vendor's response or multiple vendors' responses to a vulnerability, a security flaw, or an incident. 
120 | 121 | 122 | 123 | 124 | Everyone using a vendor's product. 125 | 126 | 127 | 128 | 129 | Catchall for everyone else. Currently this includes forwarders, re-publishers, language translators and miscellaneous contributors. 130 | 131 | 132 | 133 | 134 | 135 | 136 | Allowed type values for CVRF notes. 137 | 138 | 139 | 140 | 141 | A general, high-level note (Title may have more information). 142 | 143 | 144 | 145 | 146 | A low-level detailed discussion (Title may have more information). 147 | 148 | 149 | 150 | 151 | A description of something (Title may have more information). 152 | 153 | 154 | 155 | 156 | A summary of something (Title may have more information). 157 | 158 | 159 | 160 | 161 | A list of frequently asked questions. 162 | 163 | 164 | 165 | 166 | Any possible legal discussion, including constraints, surrounding the document. 167 | 168 | 169 | 170 | 171 | Something that doesn’t fit (Title should have more information). 172 | 173 | 174 | 175 | 176 | 177 | -------------------------------------------------------------------------------- /schemata/common/1.1/common.xsd: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | This is the XML schema for the Common Vulerability Reporting Framework's common data types. 21 | 22 | Brian Schafer <bschafer@microsoft.com> 23 | Joe Clarke <jclarke@cisco.com> 24 | Joe Hemmerlein <Joe.Hemmerlein@microsoft.com> 25 | 2012-05-07 26 | CVRF Common Data Types 27 | 1.1 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | A normalized string type that cannot be empty. 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | A string type that cannot be empty. 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | String type with an optional language attribute. The default language is English. 52 | 53 | 54 | 55 | 56 | 57 | Locale code used for the string value. The default is "en". 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | Normalized string type with an optional language attribute. 
The default language is English. This string cannot be empty. 66 | 67 | 68 | 69 | 70 | 71 | Locale code used for the string value. The default is "en". 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | Dotted string representing the document revision 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | Types enumerating the type of reference document 88 | 89 | 90 | 91 | 92 | This document is an external reference to the current vulnerability. 93 | 94 | 95 | 96 | 97 | This document is a reference to this same vulnerability. 98 | 99 | 100 | 101 | 102 | 103 | 104 | Types enumerating the various publishers of a document. 105 | 106 | 107 | 108 | 109 | Developers or maintainers of information system products or services. 110 | 111 | 112 | 113 | 114 | Individuals or organizations that find vulnerabilities or security weaknesses. 115 | 116 | 117 | 118 | 119 | Individuals or organizations that manage a single vendor's response or multiple vendors' responses to a vulnerability, a security flaw, or an incident. 120 | 121 | 122 | 123 | 124 | Everyone using a vendor's product. 125 | 126 | 127 | 128 | 129 | Catchall for everyone else. Currently this includes forwarders, re-publishers, language translators and miscellaneous contributors. 130 | 131 | 132 | 133 | 134 | 135 | 136 | Allowed type values for CVRF notes. 137 | 138 | 139 | 140 | 141 | A general, high-level note (Title may have more information). 142 | 143 | 144 | 145 | 146 | A low-level detailed discussion (Title may have more information). 147 | 148 | 149 | 150 | 151 | A description of something (Title may have more information). 152 | 153 | 154 | 155 | 156 | A summary of something (Title may have more information). 157 | 158 | 159 | 160 | 161 | A list of frequently asked questions. 162 | 163 | 164 | 165 | 166 | Any possible legal discussion, including constraints, surrounding the document. 167 | 168 | 169 | 170 | 171 | Something that doesn't fit (Title should have more information). 
172 | 173 | 174 | 175 | 176 | 177 | -------------------------------------------------------------------------------- /schemata/common/1.2/common.xsd: -------------------------------------------------------------------------------- 1 | 2 | 11 | 16 | 17 | 18 | 19 | 21 | 23 | 24 | 25 | 26 | 27 | This is the XML schema for data types shared by the domain 28 | specific schemas of the OASIS Common Security Advisory Framework (CSAF) TC's 29 | CVRF (Common Vulnerability Reporting Framework). 30 | 31 | Feng Cao (feng.cao@oracle.com) 32 | Stefan Hagen (stefan@hagen.link) 33 | 2017-05-24 34 | CSAF CVRF Common Data Types 35 | 1.2 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | A normalized string type that cannot be 44 | empty. 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | A string type that cannot be empty. 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | String type with an optional language attribute. The default 61 | language is English. 62 | 63 | 64 | 65 | 66 | 67 | Locale code used for the string value. The default is 68 | "en". 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Normalized string type with an optional language attribute. 77 | The default language is English. This string cannot be empty. 78 | 79 | 80 | 81 | 82 | 83 | Locale code used for the string value. The default is 84 | "en". 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | Dotted string representing the document 93 | revision 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | Types enumerating the type of reference 102 | document 103 | 104 | 105 | 106 | 107 | This document is an external reference to the current 108 | vulnerability. 109 | 110 | 111 | 112 | 113 | This document is a reference to this same 114 | vulnerability. 115 | 116 | 117 | 118 | 119 | 120 | 121 | Types enumerating the various publishers of a 122 | document. 123 | 124 | 125 | 126 | 127 | Developers or maintainers of information system products 128 | or services. 129 | 130 | 131 | 132 | 133 | Individuals or organizations that find vulnerabilities or 134 | security weaknesses. 
135 | 136 | 137 | 138 | 139 | Individuals or organizations that manage a single vendor's 140 | response or multiple vendors' responses to a vulnerability, a security flaw, or an 141 | incident. 142 | 143 | 144 | 145 | 146 | Everyone using a vendor's product. 147 | 148 | 149 | 150 | 151 | Catchall for everyone else. Currently this includes 152 | forwarders, re-publishers, language translators and miscellaneous 153 | contributors. 154 | 155 | 156 | 157 | 158 | 159 | 160 | Allowed type values for CSAF CVRF notes. 161 | 162 | 163 | 164 | 165 | A general, high-level note (Title may have more 166 | information). 167 | 168 | 169 | 170 | 171 | A low-level detailed discussion (Title may have more 172 | information). 173 | 174 | 175 | 176 | 177 | A description of something (Title may have more 178 | information). 179 | 180 | 181 | 182 | 183 | A summary of something (Title may have more 184 | information). 185 | 186 | 187 | 188 | 189 | A list of frequently asked questions. 190 | 191 | 192 | 193 | 194 | Any possible legal discussion, including constraints, 195 | surrounding the document. 196 | 197 | 198 | 199 | 200 | Something that doesn't fit (Title should have more 201 | information). 
202 | 203 | 204 | 205 | 206 | 207 | -------------------------------------------------------------------------------- /schemata/cvrf/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 47 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/cvrf 5 | END 6 | -------------------------------------------------------------------------------- /schemata/cvrf/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/cvrf 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | 1.1 30 | dir 31 | 32 | -------------------------------------------------------------------------------- /schemata/cvrf/1.1/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 51 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/cvrf/1.1 5 | END 6 | cvrf.xsd 7 | K 25 8 | svn:wc:ra_dav:version-url 9 | V 60 10 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/cvrf/1.1/cvrf.xsd 11 | END 12 | -------------------------------------------------------------------------------- /schemata/cvrf/1.1/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/cvrf/1.1 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | cvrf.xsd 30 | file 31 | 32 | 33 | 34 | 35 | 2012-05-07T19:31:33.000000Z 36 | ef42ad30fddcf86a18ad5833962d5011 37 | 
 2012-05-07T17:25:01.568574Z 38 | 82 39 | xorrkaz 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 27764 62 | 63 | -------------------------------------------------------------------------------- /schemata/dublincore/dc.xsd: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | DCMES 1.1 XML Schema 11 | XML Schema for http://purl.org/dc/elements/1.1/ namespace 12 | 13 | Created 2008-02-11 14 | 15 | Created by 16 | 17 | Tim Cole (t-cole3@uiuc.edu) 18 | Tom Habing (thabing@uiuc.edu) 19 | Jane Hunter (jane@dstc.edu.au) 20 | Pete Johnston (p.johnston@ukoln.ac.uk), 21 | Carl Lagoze (lagoze@cs.cornell.edu) 22 | 23 | This schema declares XML elements for the 15 DC elements from the 24 | http://purl.org/dc/elements/1.1/ namespace. 25 | 26 | It defines a complexType SimpleLiteral which permits mixed content 27 | and makes the xml:lang attribute available. It disallows child elements by 28 | use of minOccurs/maxOccurs. 29 | 30 | However, this complexType does permit the derivation of other complexTypes 31 | which would permit child elements. 32 | 33 | All elements are declared as substitutable for the abstract element any, 34 | which means that the default type for all elements is dc:SimpleLiteral. 35 | 36 | 37 | 38 | 39 | 40 | 41 | 43 | 44 | 45 | 46 | 47 | 48 | This is the default type for all of the DC elements. 49 | It permits text content only with optional 50 | xml:lang attribute. 51 | Text is allowed because mixed="true", but sub-elements 52 | are disallowed because minOccurs="0" and maxOccurs="0" 53 | are on the xs:any tag. 54 | 55 | This complexType allows for restriction or extension permitting 56 | child elements. 
57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | This group is included as a convenience for schema authors 92 | who need to refer to all the elements in the 93 | http://purl.org/dc/elements/1.1/ namespace. 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | This complexType is included as a convenience for schema authors who need to define a root 108 | or container element for all of the DC elements. 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | -------------------------------------------------------------------------------- /schemata/prod/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 47 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/prod 5 | END 6 | -------------------------------------------------------------------------------- /schemata/prod/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/prod 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | 1.1 30 | dir 31 | 32 | -------------------------------------------------------------------------------- /schemata/prod/1.1/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 51 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/prod/1.1 5 | END 6 | prod.xsd 7 | K 25 8 | svn:wc:ra_dav:version-url 9 | V 60 10 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/prod/1.1/prod.xsd 11 | END 12 | 
-------------------------------------------------------------------------------- /schemata/prod/1.1/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/prod/1.1 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | prod.xsd 30 | file 31 | 32 | 33 | 34 | 35 | 2012-05-07T19:31:33.000000Z 36 | af4c32fc699ecfd62880f88ccddf3208 37 | 2012-05-07T17:25:01.568574Z 38 | 82 39 | xorrkaz 40 | has-props 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 15519 62 | 63 | -------------------------------------------------------------------------------- /schemata/prod/1.1/.svn/prop-base/prod.xsd.svn-base: -------------------------------------------------------------------------------- 1 | K 14 2 | svn:executable 3 | V 1 4 | * 5 | END 6 | -------------------------------------------------------------------------------- /schemata/prod/1.1/.svn/text-base/prod.xsd.svn-base: -------------------------------------------------------------------------------- 1 | 2 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | This is the XML schema for the Common Vulnerability Reporting Framework's Product model. For more information, see the CVRF whitepaper. 29 | 30 | Joe Hemmerlein <joe.hemmerlein@microsoft.com> 31 | Joe Clarke <jclarke@cisco.com> 32 | 2012-05-07 33 | CVRF Product Dictionary 34 | 1.1 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | Types enumerating the individual parts (stubs) that comprise a product name. 43 | 44 | 45 | 46 | 47 | The name of the vendor or manufacturer that makes the product . 48 | 49 | 50 | 51 | 52 | The product family that the product falls into. 
53 | 54 | 55 | 56 | 57 | The name of the product. 58 | 59 | 60 | 61 | 62 | The version of the product. This can be a numeric or other descriptor. 63 | 64 | 65 | 66 | 67 | The patch level of the product. 68 | 69 | 70 | 71 | 72 | The service pack of the product. 73 | 74 | 75 | 76 | 77 | The architecture for which the product is intended. 78 | 79 | 80 | 81 | 82 | The language of the product. 83 | 84 | 85 | 86 | 87 | A non-specific legacy entry. 88 | 89 | 90 | 91 | 92 | A specification such as a standard, best common practice, etc. 93 | 94 | 95 | 96 | 97 | The host name of a system/service. 98 | 99 | 100 | 101 | 102 | The URI component of a system/service. 103 | 104 | 105 | 106 | 107 | The file name component of a system/service. 108 | 109 | 110 | 111 | 112 | 113 | 114 | Types enumerating the ways products can be related to each other. 115 | 116 | 117 | 118 | 119 | This product is a default component of the referenced product. 120 | 121 | 122 | 123 | 124 | This product is an optional component of the referenced product. 125 | 126 | 127 | 128 | 129 | This product is an external component of the referenced product. 130 | 131 | 132 | 133 | 134 | This product is installed on the referenced product. 135 | 136 | 137 | 138 | 139 | This product is installed with the referenced product. 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | Neutral product tree to streamline product entries that can be referenced elsewhere in the document. The end of each branch ("FullProductName") represents a referrenceable product. 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | Defines how this product is related to another product. 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | The ProductReference refers to the unique ProductID of the product that is to which another product will be related. 174 | 175 | 176 | 177 | 178 | The RelationType attribute defines how the two products are related. 
179 | 180 | 181 | 182 | 183 | RelatesToProductReference refers to the unique ProductID of the product to which the ProductReference attribute value relates. 184 | 185 | 186 | 187 | 188 | 189 | 190 | Container for grouping products to be used in vulnerabilities. 191 | 192 | 193 | 194 | 195 | 196 | A named container to associate two or more product IDs together for use in vulnerabilities. 197 | 198 | 199 | 200 | 201 | 202 | Optional textual description for this group. 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | The ID of an existing product in this tree that is to be a member of this group. 213 | 214 | 215 | 216 | 217 | 218 | The unique identifier used to reference this group. 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | This is to ensure that each FullProductName uses a unique ProductID value. 231 | 232 | 233 | 234 | 235 | 236 | 237 | This is to ensure that each Group uses a unique GroupID value. 238 | 239 | 240 | 241 | 242 | 243 | 244 | A key to reference a specific product. 245 | 246 | 247 | 248 | 249 | 250 | 251 | An instance of the ProductKey used to define a relationship product. 252 | 253 | 254 | 255 | 256 | 257 | 258 | An instance of the ProductKey used to define a related product. 259 | 260 | 261 | 262 | 263 | 264 | 265 | An instance of the ProductKey used to define a product group membership list. 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | Endpoint of product tree - this is an actual product entry. The string represents the friendly product name (i.e. the way it would be printed in other publications) 274 | 275 | 276 | 277 | 278 | 279 | 280 | A value that uniquely identifies this Product entry in the scope of this document. Whenever a reference to this Product entry is needed anywhere in this document, its unique ID will be referenced. 281 | 282 | 283 | 284 | 285 | The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms. 
The structure for CPE is described at http://cpe.mitre.org. 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | -------------------------------------------------------------------------------- /schemata/prod/1.1/prod.xsd: -------------------------------------------------------------------------------- 1 | 2 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | This is the XML schema for the Common Vulnerability Reporting Framework's Product model. For more information, see the CVRF whitepaper. 29 | 30 | Joe Hemmerlein <joe.hemmerlein@microsoft.com> 31 | Joe Clarke <jclarke@cisco.com> 32 | 2012-05-07 33 | CVRF Product Dictionary 34 | 1.1 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | Types enumerating the individual parts (stubs) that comprise a product name. 43 | 44 | 45 | 46 | 47 | The name of the vendor or manufacturer that makes the product . 48 | 49 | 50 | 51 | 52 | The product family that the product falls into. 53 | 54 | 55 | 56 | 57 | The name of the product. 58 | 59 | 60 | 61 | 62 | The version of the product. This can be a numeric or other descriptor. 63 | 64 | 65 | 66 | 67 | The patch level of the product. 68 | 69 | 70 | 71 | 72 | The service pack of the product. 73 | 74 | 75 | 76 | 77 | The architecture for which the product is intended. 78 | 79 | 80 | 81 | 82 | The language of the product. 83 | 84 | 85 | 86 | 87 | A non-specific legacy entry. 88 | 89 | 90 | 91 | 92 | A specification such as a standard, best common practice, etc. 93 | 94 | 95 | 96 | 97 | The host name of a system/service. 98 | 99 | 100 | 101 | 102 | The URI component of a system/service. 103 | 104 | 105 | 106 | 107 | The file name component of a system/service. 108 | 109 | 110 | 111 | 112 | 113 | 114 | Types enumerating the ways products can be related to each other. 115 | 116 | 117 | 118 | 119 | This product is a default component of the referenced product. 120 | 121 | 122 | 123 | 124 | This product is an optional component of the referenced product. 
125 | 126 | 127 | 128 | 129 | This product is an external component of the referenced product. 130 | 131 | 132 | 133 | 134 | This product is installed on the referenced product. 135 | 136 | 137 | 138 | 139 | This product is installed with the referenced product. 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | Neutral product tree to streamline product entries that can be referenced elsewhere in the document. The end of each branch ("FullProductName") represents a referrenceable product. 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | Defines how this product is related to another product. 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | The ProductReference refers to the unique ProductID of the product that is to which another product will be related. 174 | 175 | 176 | 177 | 178 | The RelationType attribute defines how the two products are related. 179 | 180 | 181 | 182 | 183 | RelatesToProductReference refers to the unique ProductID of the product to which the ProductReference attribute value relates. 184 | 185 | 186 | 187 | 188 | 189 | 190 | Container for grouping products to be used in vulnerabilities. 191 | 192 | 193 | 194 | 195 | 196 | A named container to associate two or more product IDs together for use in vulnerabilities. 197 | 198 | 199 | 200 | 201 | 202 | Optional textual description for this group. 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | The ID of an existing product in this tree that is to be a member of this group. 213 | 214 | 215 | 216 | 217 | 218 | The unique identifier used to reference this group. 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | This is to ensure that each FullProductName uses a unique ProductID value. 231 | 232 | 233 | 234 | 235 | 236 | 237 | This is to ensure that each Group uses a unique GroupID value. 238 | 239 | 240 | 241 | 242 | 243 | 244 | A key to reference a specific product. 
245 | 246 | 247 | 248 | 249 | 250 | 251 | An instance of the ProductKey used to define a relationship product. 252 | 253 | 254 | 255 | 256 | 257 | 258 | An instance of the ProductKey used to define a related product. 259 | 260 | 261 | 262 | 263 | 264 | 265 | An instance of the ProductKey used to define a product group membership list. 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | Endpoint of product tree - this is an actual product entry. The string represents the friendly product name (i.e. the way it would be printed in other publications) 274 | 275 | 276 | 277 | 278 | 279 | 280 | A value that uniquely identifies this Product entry in the scope of this document. Whenever a reference to this Product entry is needed anywhere in this document, its unique ID will be referenced. 281 | 282 | 283 | 284 | 285 | The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms. The structure for CPE is described at http://cpe.mitre.org. 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | -------------------------------------------------------------------------------- /schemata/prod/1.2/prod.xsd: -------------------------------------------------------------------------------- 1 | 2 | 11 | 20 | 21 | 22 | 23 | 25 | 27 | 29 | 31 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | This is the XML schema for the Product Tree 41 | sub model of the OASIS Common Security Advisory Framework (CSAF) TC's 42 | CVRF (Common Vulnerability Reporting Framework). 43 | 44 | Feng Cao (feng.cao@oracle.com) 45 | Stefan Hagen (stefan@hagen.link() 46 | 2017-05-24 47 | CSAF CVRF Product Tree sub model 48 | 1.2 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | Types enumerating the individual parts (stubs) that comprise a 57 | product name. 58 | 59 | 60 | 61 | 62 | The name of the vendor or manufacturer that makes the 63 | product . 64 | 65 | 66 | 67 | 68 | The product family that the product falls 69 | into. 70 | 71 | 72 | 73 | 74 | The name of the product. 
75 | 76 | 77 | 78 | 79 | The version of the product. This can be a numeric or other 80 | descriptor. 81 | 82 | 83 | 84 | 85 | The patch level of the product. 86 | 87 | 88 | 89 | 90 | The service pack of the product. 91 | 92 | 93 | 94 | 95 | The architecture for which the product is 96 | intended. 97 | 98 | 99 | 100 | 101 | The language of the product. 102 | 103 | 104 | 105 | 106 | A non-specific legacy entry. 107 | 108 | 109 | 110 | 111 | A specification such as a standard, best common practice, 112 | etc. 113 | 114 | 115 | 116 | 117 | The host name of a system/service. 118 | 119 | 120 | 121 | 122 | The URI component of a system/service. 123 | 124 | 125 | 126 | 127 | The file name component of a 128 | system/service. 129 | 130 | 131 | 132 | 133 | 134 | 135 | Types enumerating the ways products can be related to each 136 | other. 137 | 138 | 139 | 140 | 141 | This product is a default component of the referenced 142 | product. 143 | 144 | 145 | 146 | 147 | This product is an optional component of the referenced 148 | product. 149 | 150 | 151 | 152 | 153 | This product is an external component of the referenced 154 | product. 155 | 156 | 157 | 158 | 159 | This product is installed on the referenced 160 | product. 161 | 162 | 163 | 164 | 165 | This product is installed with the referenced 166 | product. 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | Neutral product tree to streamline product entries that can be 185 | referenced elsewhere in the document. The end of each branch ("FullProductName") represents 186 | a referrenceable product. 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | Defines how this product is related to another 195 | product. 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | The ProductReference refers to the unique ProductID 204 | of the product that is to which another product will be 205 | related. 
206 | 207 | 208 | 209 | 210 | The RelationType attribute defines how the two 211 | products are related. 212 | 213 | 214 | 215 | 216 | RelatesToProductReference refers to the unique 217 | ProductID of the product to which the ProductReference attribute value 218 | relates. 219 | 220 | 221 | 222 | 223 | 224 | 225 | Container for grouping products to be used in 226 | vulnerabilities. 227 | 228 | 229 | 230 | 231 | 232 | A named container to associate two or more product 233 | IDs together for use in vulnerabilities. 234 | 235 | 236 | 237 | 238 | 239 | Optional textual description for this 240 | group. 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | The ID of an existing product in this tree 251 | that is to be a member of this group. 252 | 253 | 254 | 255 | 256 | 257 | The unique identifier used to reference this 258 | group. 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | This is to ensure that each FullProductName uses a unique 271 | ProductID value. 272 | 273 | 274 | 275 | 276 | 277 | 278 | This is to ensure that each Group uses a unique GroupID 279 | value. 280 | 281 | 282 | 283 | 284 | 285 | 286 | A key to reference a specific product. 287 | 288 | 289 | 290 | 291 | 292 | 293 | An instance of the ProductKey used to define a relationship 294 | product. 295 | 296 | 297 | 298 | 299 | 300 | 301 | An instance of the ProductKey used to define a related 302 | product. 303 | 304 | 305 | 306 | 307 | 308 | 309 | An instance of the ProductKey used to define a product group 310 | membership list. 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | Endpoint of product tree - this is an actual product entry. 319 | The string represents the friendly product name (i.e. the way it would be printed in other 320 | publications) 321 | 322 | 323 | 324 | 325 | 326 | 327 | A value that uniquely identifies this Product entry in 328 | the scope of this document. 
Whenever a reference to this Product entry is needed 329 | anywhere in this document, its unique ID will be referenced. 330 | 331 | 332 | 333 | 334 | The Common Platform Enumeration (CPE) attribute refers 335 | to a method for naming platforms. The structure for CPE is described at 336 | http://cpe.mitre.org. 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | -------------------------------------------------------------------------------- /schemata/scap/cpe-language_2.2a.xsd: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 10 | This XML Schema defines the CPE Language. An individual 11 | CPE Name addresses a single part of an actual system. To identify more complex 12 | platform types, there needs to be a way to combine different CPE Names using 13 | logical operators. For example, there may be a need to identify a platform with a 14 | particular operating system AND a certain application. The CPE Language exists to 15 | satisfy this need, enabling the CPE Name for the operating system to be combined 16 | with the CPE Name for the application. For more information, consult the CPE 17 | Specification document. 18 | 19 | CPE Language 20 | Neal Ziring, Andrew Buttner, David Waltermire 21 | 2.2 22 | 10/27/2008 10:00:00 AM 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | This element is the root element of a CPE 32 | Language XML documents and therefore acts as a container for child platform 33 | definitions. 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | The platform element represents the description 65 | or qualifications of a particular IT platform type. The platform is defined 66 | by the logical-test child element. 67 | 68 | 69 | 70 | 71 | The optional title element may appear as a child 72 | to a platform element. It provides a human-readable title for it. 
To support 73 | uses intended for multiple languages, this element supports the ‘xml:lang’ 74 | attribute. At most one title element can appear for each language. 75 | 76 | 77 | 78 | 79 | The optional remark element may appear as a child 80 | of a platform element. It provides some additional description. Zero or more 81 | remark elements may appear. To support uses intended for multiple languages, 82 | this element supports the ‘xml:lang’ attribute. There can be multiple 83 | remarks for a single language. 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | The id attribute holds a locally unique 95 | name for the platform. There is no defined format for this id, it just has 96 | to be unique to the containing language document. 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | The logical-test element appears as a child of a 105 | platform element, and may also be nested to create more complex logical 106 | tests. The content consists of one or more elements: fact-ref, and 107 | logical-test children are permitted. The operator to be applied, and 108 | optional negation of the test, are given as attributes. 109 | 110 | 111 | 113 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | The fact-ref element appears as a 126 | child of a logical-test element. It is simply a reference to a CPE Name that 127 | always evaluates to a Boolean result. 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | The OperatorEnumeration simple type defines 138 | acceptable operators. Each operator defines how to evaluate multiple 139 | arguments. 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | This type allows the xml:lang attribute to 152 | associate a specific language with an element's string 153 | content. 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | Define the format for acceptable CPE Names. 
A URN 167 | format is used with the id starting with the word cpe followed by :/ and 168 | then some number of individual components separated by 169 | colons. 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 182 | 183 | -------------------------------------------------------------------------------- /schemata/scap/cvss-v2_0.9.xsd: -------------------------------------------------------------------------------- 1 | 2 | 5 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | Indicates if the vector has been approximated as the result of an upgrade from a previous CVSS version 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 
255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | "This schema was intentionally designed to avoid mixing classes and attributes between CVSS version 1, CVSS version 2, and future versions. Scores in the CVSS system are interdependent. The temporal score is a multiplier of the base score. The environmental score, in turn, is a multiplier of the temporal score. The ability to transfer these scores independently is provided on the assumption that the user understands the business logic. For any given metric, it is preferred that the score, as a minimum is provided, however the score can be re-created from the metrics or the multiplier and any scores they are dependent on." 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | Base type for metrics that defines common attributes of all metrics. 332 | 333 | 334 | 335 | Indicates if the metrics have been upgraded from a previous version of CVSS. If fields that were approximated will have an approximated attribute set to 'true'. 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | Base severity score assigned to a vulnerability by a source 349 | 350 | 351 | 352 | 353 | Base exploit sub-score assigned to a vulnerability by a source 354 | 355 | 356 | 357 | 358 | Base impact sub-score assigned to a vulnerability by a source 359 | 360 | 361 | 362 | 363 | 364 | Data source the vector was obtained from. Example: http://nvd.nist.gov or com.symantec.deepsight 365 | 366 | 367 | 368 | 369 | 370 | 371 | 372 | 373 | 374 | 375 | 376 | 377 | 378 | 379 | 380 | 381 | 382 | 383 | Data source the vector was obtained from. 
Example: gov.nist.nvd or com.symantec.deepsight 384 | 385 | 386 | 387 | 388 | 389 | 390 | 391 | 392 | 393 | 394 | 395 | 396 | 397 | 398 | 399 | 400 | The temporal score is the temporal multiplier times the base score. 401 | 402 | 403 | 404 | 405 | The temporal multiplier is a number between zero and one. Reference the CVSS standard for computation. 406 | 407 | 408 | 409 | 410 | 411 | 412 | 413 | 414 | 415 | 416 | -------------------------------------------------------------------------------- /schemata/scap/cvss-v3.0.xsd: -------------------------------------------------------------------------------- 1 | 2 | 23 | 26 | 27 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 
257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | -------------------------------------------------------------------------------- /schemata/scap/scap-core_0.9.xsd: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | Data type for the check element, a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined. 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name. 77 | Identifies a tool and any associated information about the tool, such as signature versions, that indicate the tool is capable or properly detecting and/or remdiating the vulnerability or misconfiguration 78 | 79 | 80 | 81 | 82 | Identifies a check that can be used to detect the vulnerability or misconfiguration 83 | 84 | 85 | 86 | 87 | The CPE name of the scanning tool. A value must be supplied for this element. The CPE name can be used for a CPE from the NVD. The CPE title attribute can be used for internal naming conventions. 
(or both, if possible) 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | Define the format for acceptable CPE Names. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer. 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons. 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | Define the format for acceptable 126 | searchableCPE Names. The URI escaped code '%25' may be used 127 | to represent the character '%' which will be interpreted as a 128 | wildcard. 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | The name pattern of a CPE component. 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | The name pattern of the CPE part component. 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 170 | 171 | -------------------------------------------------------------------------------- /schemata/vuln/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 47 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/vuln 5 | END 6 | -------------------------------------------------------------------------------- /schemata/vuln/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/vuln 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | 1.1 30 | dir 31 | 32 | 
-------------------------------------------------------------------------------- /schemata/vuln/1.1/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 51 4 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/vuln/1.1 5 | END 6 | vuln.xsd 7 | K 25 8 | svn:wc:ra_dav:version-url 9 | V 60 10 | /svn/icasi-cvrf/!svn/ver/84/trunk/schemata/vuln/1.1/vuln.xsd 11 | END 12 | -------------------------------------------------------------------------------- /schemata/vuln/1.1/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 91 5 | https://subversion.assembla.com/svn/icasi-cvrf/trunk/schemata/vuln/1.1 6 | https://subversion.assembla.com/svn/icasi-cvrf 7 | 8 | 9 | 10 | 2012-05-07T17:25:01.568574Z 11 | 82 12 | xorrkaz 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 085eb5b6-75e8-47bc-a513-804b55a9b1a4 28 | 29 | vuln.xsd 30 | file 31 | 32 | 33 | 34 | 35 | 2012-05-07T19:31:33.000000Z 36 | af8dd0239812a299f8ad2501d6c1d254 37 | 2012-05-07T17:25:01.568574Z 38 | 82 39 | xorrkaz 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 35659 62 | 63 | -------------------------------------------------------------------------------- /schemata/w3.org/xml.xsd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | See http://www.w3.org/XML/1998/namespace.html and 8 | http://www.w3.org/TR/REC-xml for information about this namespace. 9 | 10 | This schema document describes the XML namespace, in a form 11 | suitable for import by other schema documents. 12 | 13 | Note that local names in this namespace are intended to be defined 14 | only by the World Wide Web Consortium or its subgroups. 
The 15 | following names are currently defined in this namespace and should 16 | not be used with conflicting semantics by any Working Group, 17 | specification, or document instance: 18 | 19 | base (as an attribute name): denotes an attribute whose value 20 | provides a URI to be used as the base for interpreting any 21 | relative URIs in the scope of the element on which it 22 | appears; its value is inherited. This name is reserved 23 | by virtue of its definition in the XML Base specification. 24 | 25 | lang (as an attribute name): denotes an attribute whose value 26 | is a language code for the natural language of the content of 27 | any element; its value is inherited. This name is reserved 28 | by virtue of its definition in the XML specification. 29 | 30 | space (as an attribute name): denotes an attribute whose 31 | value is a keyword indicating what whitespace processing 32 | discipline is intended for the content of the element; its 33 | value is inherited. This name is reserved by virtue of its 34 | definition in the XML specification. 35 | 36 | Father (in any context at all): denotes Jon Bosak, the chair of 37 | the original XML Working Group. This name is reserved by 38 | the following decision of the W3C XML Plenary and 39 | XML Coordination groups: 40 | 41 | In appreciation for his vision, leadership and dedication 42 | the W3C XML Plenary on this 10th day of February, 2000 43 | reserves for Jon Bosak in perpetuity the XML name 44 | xml:Father 45 | 46 | 47 | 48 | 49 | This schema defines attributes and an attribute group 50 | suitable for use by 51 | schemas wishing to allow xml:base, xml:lang or xml:space attributes 52 | on elements they define. 53 | 54 | To enable this, such a schema must import this schema 55 | for the XML namespace, e.g. as follows: 56 | <schema . . .> 57 | . . . 
58 | <import namespace="http://www.w3.org/XML/1998/namespace" 59 | schemaLocation="http://www.w3.org/2001/03/xml.xsd"/> 60 | 61 | Subsequently, qualified reference to any of the attributes 62 | or the group defined below will have the desired effect, e.g. 63 | 64 | <type . . .> 65 | . . . 66 | <attributeGroup ref="xml:specialAttrs"/> 67 | 68 | will define a type which will schema-validate an instance 69 | element with any of those attributes 70 | 71 | 72 | 73 | In keeping with the XML Schema WG's standard versioning 74 | policy, this schema document will persist at 75 | http://www.w3.org/2001/03/xml.xsd. 76 | At the date of issue it can also be found at 77 | http://www.w3.org/2001/xml.xsd. 78 | The schema document at that URI may however change in the future, 79 | in order to remain compatible with the latest version of XML Schema 80 | itself. In other words, if the XML Schema namespace changes, the version 81 | of this document at 82 | http://www.w3.org/2001/xml.xsd will change 83 | accordingly; the version at 84 | http://www.w3.org/2001/03/xml.xsd will not change. 85 | 86 | 87 | 88 | 89 | 90 | In due course, we should install the relevant ISO 2- and 3-letter 91 | codes as the enumerated possible values . . . 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | See http://www.w3.org/TR/xmlbase/ for 107 | information about this attribute. 
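# --------------------------------------------------------------------------------
# /setup.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from __future__ import print_function

# Note: To use the 'upload' functionality of this file, you must:
#   $ pip install twine

import errno
import glob
import io
import os
import subprocess
import sys
from shutil import rmtree

from setuptools import find_packages, setup, Command

# Package meta-data.
NAME = 'csaf-parser'
DESCRIPTION = 'CSAF Common Vulnerability Reporting Framework (CVRF) Viewer and Parser'
URL = 'https://github.com/oasis-open/csaf-parser'
EMAIL = 'osantos@cisco.com'
AUTHOR = 'Omar Santos'

# What packages are required for this module to be executed?
REQUIRED = [
    'lxml',
]

# The rest you shouldn't have to touch too much :)
# ------------------------------------------------
# Except, perhaps the License and Trove Classifiers!
# If you do change the License, remember to change the Trove Classifier for that!

here = os.path.abspath(os.path.dirname(__file__))

# Import the README and use it as the long-description.
# Note: this will only work if 'README.md' is present in your MANIFEST.in file!
with io.open(os.path.join(here, 'README.md'), encoding='utf-8') as f:
    long_description = '\n' + f.read()

# Load the __version__.py module as a dictionary.
# The file is executed, not parsed, so whatever it contains runs with the
# privileges of the build; it must stay a plain, repository-local file.
about = {}
with open(os.path.join(here, '__version__.py')) as f:
    exec(f.read(), about)


class UploadCommand(Command):
    """Support setup.py upload.

    Cleans dist/, builds an sdist and a universal wheel, and hands the
    freshly built files to twine. Every step must succeed before the next
    one runs, so a failed clean or build can never lead to stale artifacts
    being published.
    """

    description = 'Build and publish the package.'
    user_options = []

    @staticmethod
    def status(s):
        """Prints things in bold."""
        print('\033[1m{0}\033[0m'.format(s))

    def initialize_options(self):
        pass

    def finalize_options(self):
        pass

    def run(self):
        """Clean, build and upload; exits the interpreter when done.

        Raises:
            OSError: dist/ exists but could not be removed.
            subprocess.CalledProcessError: the build or the upload failed.
        """
        dist_dir = os.path.join(here, 'dist')

        self.status('Removing previous builds…')
        try:
            rmtree(dist_dir)
        except OSError as exc:
            # A missing dist/ is the only harmless failure. Anything else
            # would leave old files in place for the upload step to publish.
            if exc.errno != errno.ENOENT:
                raise

        self.status('Building Source and Wheel (universal) distribution…')
        # Argument list instead of a shell string: an interpreter path with
        # spaces keeps working, and a non-zero exit status aborts the release.
        subprocess.check_call(
            [sys.executable, 'setup.py', 'sdist', 'bdist_wheel', '--universal'],
            cwd=here,
        )

        self.status('Uploading the package to PyPi via Twine…')
        # No shell is involved any more, so the dist/* glob is expanded here.
        artifacts = sorted(glob.glob(os.path.join(dist_dir, '*')))
        if not artifacts:
            sys.exit('No distribution files found in dist/; nothing to upload.')
        subprocess.check_call(['twine', 'upload'] + artifacts)

        sys.exit()


setup(
    name=NAME,
    version=about['__version__'],
    description=DESCRIPTION,
    long_description=long_description,
    author=AUTHOR,
    author_email=EMAIL,
    url=URL,

    # If we create more modules, put them in a subdirectory and use 'packages'
    # instead of 'py_modules'.
    # packages=find_packages(exclude=('tests',)),
    py_modules=['cvrf_util'],

    entry_points={
        # py_modules ships only cvrf_util, so the script has to target that
        # module; 'cvrf_parse:main' would fail at import time once installed.
        # NOTE(review): confirm cvrf_util.main() can be called without
        # arguments, which is how console-script wrappers invoke it.
        'console_scripts': ['cvrf_parse=cvrf_util:main'],
    },
    install_requires=REQUIRED,
    include_package_data=True,
    license='MIT',
    classifiers=[
        # Trove classifiers
        # Full list: https://pypi.python.org/pypi?%3Aaction=list_classifiers
        'License :: OSI Approved :: MIT License',
        'Programming Language :: Python',
        'Programming Language :: Python :: 2.7',
        # 'Programming Language :: Python :: 3',
        # 'Programming Language :: Python :: 3.3',
        # 'Programming Language :: Python :: 3.4',
        'Programming Language :: Python :: 3.5',
        # 'Programming Language :: Python :: 3.6',
        'Programming Language :: Python :: Implementation :: CPython',
        'Programming Language :: Python :: Implementation :: PyPy'
    ],
    # $ setup.py publish support.
    cmdclass={
        'upload': UploadCommand,
    },
)

# --------------------------------------------------------------------------------
# /tests/__init__.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# pylint: disable=missing-docstring

__version__ = "0"

"""Some packages' test package initialisation."""

# --------------------------------------------------------------------------------
# /tests/context.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/oasis-open/csaf-parser/bf730688e3e377cf55651269e6095fd7a444a597/tests/context.py

# --------------------------------------------------------------------------------
# /tests/test_cli.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# pylint: disable=missing-docstring,unused-import,reimported
import pathlib
import sys
import pytest  # type: ignore

import cvrf_util as cli


def test_main_nok_empty(capsys):
    """An empty argument list exits and reports the missing file option."""
    with pytest.raises(SystemExit):
        cli.main([])
    out, err = capsys.readouterr()
    for term in ('file', 'required'):
        assert term in err


def test_main_nok_int(capsys):
    """A non-sequence argument raises TypeError and prints nothing."""
    with pytest.raises(TypeError):
        cli.main(42)
    out, err = capsys.readouterr()
    assert not out
    assert not err


def test_main_nok_ints(capsys):
    """A sequence of non-strings raises TypeError and prints nothing."""
    sequence_of_ints = [1, 2, 3]
    with pytest.raises(TypeError):
        cli.main(sequence_of_ints)
    out, err = capsys.readouterr()
    assert not out
    assert not err


def test_main_nok_non_existing_folder(capsys):
    """A path that does not exist ends in SystemExit with an I/O error message."""
    nef = non_existing_folder_path = 'folder_does_not_exist'
    a_name = 'my_script'
    assert pathlib.Path(nef).is_dir() is False, f"Unexpected folder {nef} exists which breaks this test"
    message = '%s: I/O error: "%s" does not exist' % (a_name, nef)
    # The options are appended to the live sys.argv list, as before, and are
    # removed again afterwards so they cannot leak into later tests.
    extra_args = ['--file', nef]
    sys.argv.extend(extra_args)
    try:
        with pytest.raises(SystemExit, match=message):
            cli.main(a_name)
    finally:
        del sys.argv[-len(extra_args):]
    out, err = capsys.readouterr()

# --------------------------------------------------------------------------------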