- Meeting Date: January 31, 2024
- Time: 18:00 UTC (19:00 CET, 13:00 EST, 10:00 PST)
Meeting called to order @ 18:04 UTC
All participants recorded their attendance on the OASIS meeting calendar. All participants were kindly encouraged to register themselves to optimize the use of the shared time during the meeting in one of two ways:
- Clicking the link with the text "Register my attendance" on the top of the event page.
- Or directly visiting the per event direct "record my attendance link."
Quorum was reached as 12 of 19 voting members were present.
Given Name | Family Name | Affiliation | Role |
---|---|---|---|
Christoph | Plutte | Ericsson | Member |
Denny | Page | Individual | Voting Member |
Dina | Truxius | Federal Office for Information Security (BSI) | Voting Member |
Feng | Cao | Oracle | Voting Member |
Jane | Ginn | Cyber Threat Intelligence Network, Inc. (CTIN) | Voting Member |
Justin | Murphy | DHS Cybersecurity and Infrastructure Security Agency (CISA) | Voting Member |
Martin | Prpic | Red Hat | Voting Member |
Michael | Reeder | Dell | Voting Member |
Sonny | van Lingen | Huawei Technologies Co., Ltd. | Voting Member |
Stefan | Hagen | Individual | Voting Member, taking notes |
Thomas | Proell | Siemens AG | Voting Member |
Thomas | Schaffer | Cisco Systems | Voting Member |
Thomas | Schmidt | Federal Office for Information Security (BSI) | Voting Member |
Tobias | Limmer | Siemens AG | Voting Member |
Vivek | Nair | Microsoft | Member |
- Jared Bird, Hewlett Packard Enterprise
- Tyler Townes, Blackberry Limited
Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab.
- Roll Call via self registration
- Select acting minute taker
- Select acting chair
- Approve previous Meeting Minutes
- News from the community:
- VEX questionnaire
- Managed service providers for CSAF trusted providers
- New tools:
- CSAF Workshops in Munich (Germany) 2023-12-12 - 2023-12-15
- Idea:
- Community days
- Mailing list
- CSAF 2.0 Errata 01
- CSAF 2.1
- GitHub Issues Labeled for TC Discussion
- Discuss next steps
- Adjourn
-
Motion to select Stefan Hagen as acting minute taker for today's meeting passes with no objections, no discussion, and unanimous consent
-
Motion to select Thomas Schmidt as acting chair for today's meeting passes with no objections, no discussion, and unanimous consent
-
Agenda approved
-
No meeting minutes from previous meeting available.
-
News from the community:
- VEX questionnaire
- currently done by CISA VEX WG
- goal: get an overview how VEX and machine-readable security advisories are used today
- each CSAF answer (even if you are just planning to use it) helps
- Justin adds details on the questionnaire
- Thomas Schmidt: February 29, 2024 is the deadline
- Managed service providers for CSAF trusted providers:
- at least 2 organizations offer a CSAF trusted provider as managed service:
- CERT@VDE
- Intevation (last paragraph)
- Any other offers known?
- at least 2 organizations offer a CSAF trusted provider as managed service:
- New tools:
- CSAF walker
- RUST implementation of a tool to retrieve and verify CSAF documents
- can be used as library
- already used in production, needs more help to implement all functions
- Trivy with CSAF support:
- contributed by Bitnami
- Should be available with next version
0.49.0
- currently working of the implementation of relationships
- should be added to tool list
- ISDuBA (WIP)
- just started
- will be implementation of a CSAF management system
- CSAF walker
- CSAF Workshops in Munich (Germany) 2023-12-12 - 2023-12-15:
- series of 3 workshops:
- CSAF boot camp
- CSAF writer's guild
- CSAF distribution
- 2 ask the expert sessions
- jointly done by CISA and BSI
- in general: positive feedback
- next time: more advertising in advance
- Justin reports that the workshops were great and the group was very motivated and it is plausible the participants will implement the learnings in their work field
- Justin reports on ideas to grow the success of the workshops and how to increase the frequency of such workshops
- Thomas Schaffer asks if maybe online on-demand trainings could be offered or did such a discussion already happen in the past
- Thomas Schmidt reports that all three workshops were recorded and currently the post production is working on publishing the material
- series of 3 workshops:
- VEX questionnaire
-
Idea:
- Community days:
- issue: exchange in the community is extremely important (networking, help with tools, convincing management)
- idea: community members host small (1 or 2 day) events
- content:
- presentations
- success stories
- new tools
- user feedback session
- networking
- Jane reports that the The Open Cybersecurity Alliance (OCA) Cybersecurity Automation Subproject (CASP) is planning a plug fest (near Washington DC area)
- in case of interest please contact Jane per email
- the date is April 11-12, 2024, with an optional setup-testing day on April 10th
- at the Peraton Offices, 1875 Explorer St, Reston, VA 20190
- Thomas kindly asks Jane to provide the info also on the TC mailing list
- Jane will do so (Update after meeting: mail sent and received: https://lists.oasis-open.org/archives/csaf/202401/msg00007.html)
- Mailing list
- issue: currently it is hard for community members to stay in touch / know about events
- idea: host a mailing list for announcements and one for user exchange
- Thomas Schmidt moves to establish a mailing list for announcements for non-tc-members to subscribe to and request the officers of the TC to implement that in collaboration with OASIS administration adn interested parties (for hosting)
- Tobias seconds
- All discuss who might offer hosting
- No further discussions, no objections, unanimous consent
- The motion passes
- Community days:
-
CSAF 2.0 Errata 01
- necessary as typo (missing
s
) prevented to produce validaggregator.json
- documentation in CSAF 2.0 Errata 01
- email motion and second for public review
- public review in December (up to January 4, 2024): no comments received
- email motion and second for publication
- necessary as typo (missing
-
CSAF 2.1
- Seeding CSAF 2.1 #680
- new structure of files
- smaller sources => generate artifacts
- setting up a CSAF 2.1 directory
- converting schemas to CSAF 2.1
- converting the prose to CSAF 2.1
- splitting the CSAF 2.1 source files into one per section
- adding scripts for generation of the Markdown and HTML version as one file (located at the
csaf_2.1/prose/share
directory) - adding examples and test from CSAF 2.0 and converting them to CSAF 2.1
- reorganizing test scripts and GitHub actions
- Thomas Schmidt asks if the TC likes to inspect the PR within the next week
- Justin expresses his trust that the transformation was correct
- Thomas moves to accept the seeding CSAF v2.1 proposal within PR #680 and merge it to the master branch
- Tobias seconds
- No further discussions, no objections, unanimous consent
- The motion passes (documented in the pull request merged to master during the meeting)
- Thomas presents Support CVSS 4.0 in CSAF 2.x #652 as "work in progress"
- Feng will review and provide his comments back to Thomas
- Seeding CSAF 2.1 #680
-
GitHub Issues Labeled for TC Discussion
- Skipping 3.2.3.12.1 Vulnerabilities Property - Remediations - Category # 665
- Thomas Schmidt introduces Enforce use of affected in csaf_security_advisory #672
- Denny and Tobias kindly ask for clarification on the proposal and Thomas Schmidt provides more detail
- Denny reminds all on prior discussions that requested to not force vendors to make any statements on products not-supported anymore
- Feng suggests that vendors provide at least one affected entry when providing a fixed section (so he is in favor of acceptance of the proposal)
- Feng aligns with the position brought up by Denny on suggesting to not force vendors to provide an affected "range"
- All discuss
- Issue deferred
- The meeting was adjourned.
Note: All monthly meetings take place on the last Wednesday of each month at 18:00 UTC (19:00 CET, 13:00 EST, 10:00 PST). The next meeting will be held on February 28, 2024.