gocsaf/csaf

csaf

Implements a CSAF (specification v2.0 and its errata) trusted provider, checker, aggregator and downloader. Includes an uploader command line tool for the trusted provider.

Tools for users

csaf_downloader is a tool for downloading advisories from a provider. It can be used for automated forwarding of CSAF documents.

csaf_validator is a tool to validate local advisory files against the JSON Schema and an optional remote validator.

Tools for advisory providers

csaf_provider is an implementation of the role CSAF Trusted Provider, also offering a simple HTTPS-based management service.

csaf_uploader is a command line tool to upload CSAF documents to the csaf_provider.

csaf_checker is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard.

csaf_aggregator is a CSAF Aggregator, to list or mirror providers.

Use as Go library

The modules of this repository can be used as a library by other Go applications. ISDuBA does so, for example. But there is only limited support and thus it is not officially supported. There are plans to change this in a future major release, without a concrete schedule, e.g. see #367.

Initially envisioned as a toolbox, it was not constructed as a library, and to name one issue, exposes too many functions. This leads to problems like #634, where we have to accept that with 3.2.0 there was an unintended API change.

There are small examples of how to use github.com/gocsaf/csaf as an API. Currently this is a work in progress.

Setup

Binaries for the server side are only available and tested for GNU/Linux systems, e.g. Ubuntu LTS. They are likely to run on similar systems when built from sources.

The Windows binary package only includes csaf_downloader, csaf_validator, csaf_checker and csaf_uploader.

The macOS binary archives come with the same set of client tools and are community supported. This means that while they are expected to run fine, they are not at the same level of testing and maintenance as the Windows and GNU/Linux binaries.

Prebuilt binaries

Download the binaries from the most recent release assets on GitHub.

Build from sources

  • A recent version of Go (1.23+) should be installed. See the Go installation instructions.

  • Clone the repository: git clone https://github.com/gocsaf/csaf.git

  • Build the Go components. The Makefile supplies the following targets:

    • Build for GNU/Linux system: make build_linux
    • Build for Windows system (cross build): make build_win
    • Build for macOS system on Intel Processor (AMD64) (cross build): make build_mac_amd64
    • Build for macOS system on Apple Silicon (ARM64) (cross build): make build_mac_arm64
    • Build For GNU/Linux, macOS and Windows: make build
    • Build from a specific git tag by passing the intended tag to the BUILDTAG variable. E.g. make BUILDTAG=v1.0.0 build or make BUILDTAG=1 build_linux. The special value 1 means checking out the highest git tag for the build.
    • Remove the generated binaries and their directories: make mostlyclean

Binaries will be placed in directories named like bin-linux-amd64/ and bin-windows-amd64/.

Setup (Trusted Provider)

Development

For further details of the development process consult our development page.

Previous repo URLs

Note

To avoid future breakage, if you have csaf-poc in some of your URLs:

  1. Adjust your HTML links.
  2. Adjust your go module paths, see #579.

(This repository was moved here from https://github.com/csaf-poc/csaf_distribution on 2024-10-28. The old one is deprecated and redirection will be switched off sometime in 2025.)

License

  • csaf is licensed as Free Software under the terms of the Apache License, Version 2.0.

  • See the specific source files for details, the license itself can be found in the directory LICENSES/.

  • Contains third-party Free Software components under licenses that, to the best of our knowledge, are compatible at the time of adding the dependency; 3rdpartylicenses.md has the details.

  • Check the source file of each schema under /csaf/schema/ to see the source and license of each one.