kotlin-csaf
Version 0.5.1

Implements the CSAF standard, offering modules for document retrieval, schema representation, and validation. Supports integration into projects for enhanced security advisories management.
A Kotlin implementation of the CSAF standard. This library is currently under development. We will continuously update this README file with our progress.
In order to use or develop this library, Java needs to be installed on your target machine. This project currently aims at a minimum required JDK version of 21. Please follow the instructions for your operating system on how to download and install an appropriate JDK version, e.g. through a package manager such as apt or Homebrew.
The main use case for this project is developers who want to integrate support for CSAF into their Java/Kotlin-based project. The following serves as a quickstart guide for doing so.
First, kotlin-csaf needs to be added as a dependency in your build system, such as Maven or Gradle. We currently publish artefacts on Maven Central under the namespace io.csaf, so they can be easily specified as a dependency, for example in Gradle using the Kotlin syntax:
```kotlin
repositories {
    mavenCentral()
}

dependencies {
    implementation("io.csaf:csaf-schema:0.3.0")
    implementation("io.csaf:csaf-import:0.3.0")
    implementation("io.csaf:csaf-validation:0.3.0")
}
```
The project itself is split into three modules, which can be (more or less) imported independently:
- csaf-import contains the logic to retrieve CSAF documents from a provider
- csaf-schema contains generated types to represent the CSAF schemas (document, provider, aggregator)
- csaf-validation contains the logic needed to validate CSAF documents according to a role, e.g., trusted provider

Once the dependency has been imported, one of the first things to try out would be to import/fetch CSAF documents from a provider using a domain. The following code snippet illustrates some key concepts:
```kotlin
import kotlinx.coroutines.runBlocking

// RetrievedProvider comes from the csaf-import module.
fun main(args: Array<String>) {
    runBlocking {
        // Create a new "RetrievedProvider" from a domain. This will automatically discover a
        RetrievedProvider.from(args[0])
            .onSuccess { provider ->
                println("Discovered provider for domain ${args[0]}")
                // Every document the provider advertises arrives as its own Result,
                // so one failed download does not abort the whole import.
                for (result in provider.fetchDocuments()) {
                    result.onSuccess { doc ->
                        println("Fetched document: $doc")
                    }
                    result.onFailure { ex ->
                        println("Could not fetch document: ${ex.message}")
                    }
                }
            }
            .onFailure {
                println("Could not retrieve provider metadata: ${it.message}")
                it.printStackTrace()
            }
    }
}
```
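The discovery step that the snippet above hides behind `RetrievedProvider.from(domain)` is worth seeing spelled out. The following is an added Python example, not kotlin-csaf code: it tries the three locations the CSAF 2.0 standard defines for `provider-metadata.json` (the well-known URL, the `CSAF` field of `security.txt`, and the DNS path `csaf.data.security.<domain>`) in that order, then lists the directory and ROLIE feed URLs the metadata advertises and runs a few sanity checks a consumer should make before trusting it. HTTP is replaced by a dictionary of constructed responses so the flow runs offline; the vendor domain, URLs and metadata values are all made up for the example.

```python
"""Offline walk-through of CSAF provider discovery from a domain (added example)."""
import json
from typing import Callable, Iterator, Optional

# Constructed responses standing in for HTTP GET: url -> body, None means 404.
CANNED_RESPONSES = {
    # This constructed vendor does not serve the well-known URL ...
    "https://vendor.example/.well-known/csaf/provider-metadata.json": None,
    # ... but its security.txt points at the metadata file.
    "https://vendor.example/.well-known/security.txt": (
        "Contact: mailto:security@vendor.example\n"
        "Expires: 2030-01-01T00:00:00Z\n"
        "CSAF: https://psirt.vendor.example/csaf/provider-metadata.json\n"
    ),
    "https://psirt.vendor.example/csaf/provider-metadata.json": json.dumps({
        "canonical_url": "https://psirt.vendor.example/csaf/provider-metadata.json",
        "last_updated": "2024-01-01T00:00:00Z",
        "list_on_CSAF_aggregators": True,
        "metadata_version": "2.0",
        "mirror_on_CSAF_aggregators": True,
        "publisher": {"category": "vendor", "name": "Vendor PSIRT",
                      "namespace": "https://vendor.example"},
        "role": "csaf_trusted_provider",
        "distributions": [
            {"directory_url": "https://psirt.vendor.example/csaf/advisories/"},
            {"rolie": {"feeds": [{
                "tlp_label": "WHITE",
                "url": "https://psirt.vendor.example/csaf/white/csaf-feed-tlp-white.json",
            }]}},
        ],
    }),
}

Fetcher = Callable[[str], Optional[str]]


def canned_get(url: str) -> Optional[str]:
    """Stand-in for an HTTPS GET that returns the body or None on 404."""
    return CANNED_RESPONSES.get(url)


def csaf_urls_from_security_txt(text: str) -> list:
    """Collect the values of every 'CSAF:' field (field names are case-insensitive)."""
    urls = []
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "csaf":
            urls.append(value.strip())
    return urls


def candidate_locations(domain: str, get: Fetcher) -> Iterator[str]:
    """Yield metadata URLs lazily, so security.txt is only fetched if needed."""
    yield f"https://{domain}/.well-known/csaf/provider-metadata.json"
    security_txt = get(f"https://{domain}/.well-known/security.txt")
    if security_txt is not None:
        yield from csaf_urls_from_security_txt(security_txt)
    yield f"https://csaf.data.security.{domain}"


def discover_provider_metadata(domain: str, get: Fetcher = canned_get):
    """Return (url, parsed metadata) for the first location that answers, or None."""
    for url in candidate_locations(domain, get):
        body = get(url)
        if body is not None:
            return url, json.loads(body)
    return None


def document_sources(metadata: dict) -> list:
    """Directory URLs and ROLIE feed URLs advertised in provider-metadata.json."""
    sources = []
    for dist in metadata.get("distributions", []):
        if "directory_url" in dist:
            sources.append(("directory", dist["directory_url"]))
        for feed in dist.get("rolie", {}).get("feeds", []):
            sources.append(("rolie", feed["url"]))
    return sources


def consistency_findings(url: str, metadata: dict) -> list:
    """Checks this example makes before trusting discovered metadata (empty = ok)."""
    findings = []
    if not url.startswith("https://"):
        findings.append("provider-metadata.json must be served over HTTPS")
    if metadata.get("canonical_url") != url:
        findings.append("canonical_url does not match the URL the file was retrieved from")
    if metadata.get("role") not in {"csaf_publisher", "csaf_provider", "csaf_trusted_provider"}:
        findings.append(f"unknown role {metadata.get('role')!r}")
    return findings


if __name__ == "__main__":
    found = discover_provider_metadata("vendor.example")
    if found is None:
        print("no provider-metadata.json found")
    else:
        url, meta = found
        print("metadata at", url, "role", meta["role"])
        print("sources:", document_sources(meta))
        print("findings:", consistency_findings(url, meta))
```

The `canonical_url` comparison is the check that matters most in practice: a file found via `security.txt` or the DNS path that claims a different canonical location should be treated with suspicion rather than silently accepted.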
We welcome all kinds of contributions, just be aware that we are still in the early stage of development and things might move or change very quickly. Especially the API design will be very fluid until we reach a stable 1.0 version.
We make heavy use of the CSAF TC repo for test cases and other files, so before starting development you need to initialize the git submodules:

```shell
git submodule update --init
```
We use the canonical source of CWEs from https://cwe.mitre.org/data/downloads.html and store a minified version of it in the cwe.json file. This file needs to be updated whenever a new version of the CWE database comes out. There is a special gradle task to do so:
```shell
./gradlew createJWEJson
git add ./csaf-validation/src/main/resources/cwe.json
git commit -m "Updated CWE database"
```
Feel free to create a Pull Request based on this new commit.
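To make concrete what the minified CWE file is for, here is an added Python example (not the project's Gradle task or its validation code). It reduces a CWE XML catalogue to the `CWE-<id> -> full name` mapping that validation needs, and then checks the `cwe` object of each vulnerability in a CSAF document against it: the id must exist and the name must be the full CWE name, which is the intent of the CWE check in the CSAF 2.0 mandatory tests (6.1.11). The XML snippet and the CSAF fragment are constructed; element and attribute names follow MITRE's XML download format, whose namespace URI changes between releases, so the parser deliberately ignores namespaces.

```python
"""Minify a CWE catalogue and check CSAF cwe objects against it (added example)."""
import json
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of MITRE's CWE XML download (namespace made up).
CWE_XML = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7" Name="CWE" Version="constructed">
  <Weaknesses>
    <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" Abstraction="Base" Structure="Simple" Status="Stable">
      <Description>Long descriptive text that the minified file leaves out.</Description>
    </Weakness>
    <Weakness ID="89" Name="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" Abstraction="Base" Structure="Simple" Status="Stable"/>
  </Weaknesses>
</Weakness_Catalog>
"""


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def minify_cwe(xml_text: str) -> dict:
    """Reduce the catalogue to the id -> full name mapping that validation needs."""
    root = ET.fromstring(xml_text)
    return {f"CWE-{w.get('ID')}": w.get("Name")
            for w in root.iter() if local_name(w.tag) == "Weakness"}


def to_minified_json(table: dict) -> str:
    """Serialize without whitespace, keys sorted so the committed file diffs cleanly."""
    return json.dumps(table, sort_keys=True, separators=(",", ":"))


def check_cwe(vulnerability: dict, table: dict) -> list:
    """Findings for one vulnerability's cwe object; an empty list means it passes."""
    cwe = vulnerability.get("cwe")
    if cwe is None:
        return []  # cwe is optional in CSAF 2.0, so its absence is not a finding
    cwe_id, name = cwe.get("id"), cwe.get("name")
    expected = table.get(cwe_id)
    if expected is None:
        return [f"{cwe_id}: not a known CWE id"]
    if name != expected:
        return [f"{cwe_id}: name {name!r} does not match {expected!r}"]
    return []


def check_document(doc: dict, table: dict) -> dict:
    """Map vulnerability index -> findings for every vulnerability that fails."""
    result = {}
    for i, vuln in enumerate(doc.get("vulnerabilities", [])):
        findings = check_cwe(vuln, table)
        if findings:
            result[i] = findings
    return result


# Constructed CSAF fragment containing only the parts the check looks at.
SAMPLE_DOC = {
    "vulnerabilities": [
        {"cwe": {"id": "CWE-79",
                 "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}},
        {"cwe": {"id": "CWE-89", "name": "SQL Injection"}},          # abbreviated name
        {"cwe": {"id": "CWE-9999", "name": "Made-up weakness"}},     # unknown id
        {"title": "no cwe given"},                                    # cwe omitted
    ]
}


if __name__ == "__main__":
    table = minify_cwe(CWE_XML)
    print(to_minified_json(table))
    for index, findings in check_document(SAMPLE_DOC, table).items():
        print(f"vulnerability {index}:", "; ".join(findings))
```

Regenerating the minified file whenever MITRE publishes a new release matters because the name comparison is exact: an advisory that uses a name MITRE has since revised will fail the check against a stale table.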
The full list of dependencies is automatically populated by Dependabot and Gradle and can be viewed here.