Update IT advisories

[justmurphy]

🗣 Description

💭 Motivation and context

🧪 Testing

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• All future TODOs are captured in issues, which are referenced
  in code comments.
• All relevant type-of-change labels have been added.
• I have read the CONTRIBUTING document.
• These code changes follow cisagov code standards.
• All relevant repo and/or project documentation has been updated
  to reflect the changes in this PR.
• Tests have been added and/or modified to cover the changes in this PR.
• All new and existing tests pass.

✅ Pre-merge checklist

• Revert dependencies to default branches.
• Finalize version.

✅ Post-merge checklist

• Create a release.

[mstrad]

The CSAF itself looks good. However the hash file and signature file of the CSAF should be regenerated to reflect the changed CSAF.

[justmurphy]

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31231-branches-type---name-under-product-version

"all versions" is invalid. See documentation above.

[mstrad]

I agree with the above change.

[amanion-cisa]

IIUC Adminer "4.8.1" happens to be a "Vers -like Specifier (vls)" so I think this change works syntactically and I understand that "all versions" is not valid.

However I'm slightly concerned with how to interpret this limit on the version range. The product is used in status and remediation elements. "<=4.8.1" might imply that there might be a more recent version, and is that more recent version fixed? We can't know the future at the time of publication, could update the CSAF if a new/fixed version is released, and the CSAF VEX profile has an explicit "Fixed" status, but at least for those familar with the CVE ecosystem, "<=4.8.1" could imply "fixed in >4.8.1, now go look to see if any such versions exist."

[justmurphy]

@amanion-cisa there is also this as an option:
Version Range Specifier (vers)
vers is an ongoing community effort to address the problem of version ranges. Its draft specification is available at [VERS].
vers MUST be used in its canonical form. To convey the term "all versions" the special string vers:all/* MUST be used.

[amanion-cisa]

I used vers:all/* for the Adminer advisory, I think this is more correct informationally, see develop...amanion-cisa:CSAF:jmfixes#diff-b68d7bbabc197e783ddff83a11b37d5c9e309aeec18c89cf5551b478586daac1L97-R166.

[justmurphy]

See above comment re: version:
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31231-branches-type---name-under-product-version

[mstrad]

I agree with the above change.

[justmurphy]

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#311-acknowledgments-type

Properties for acknowledgements are names, organization, summary, and urls. Moved organization from names property to organization property.

[mstrad]

I agree with the above change.

[justmurphy]

See above comment:
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#311-acknowledgments-type

[mstrad]

I agree with the above change.

[justmurphy]

See above comment:
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#311-acknowledgments-type

[mstrad]

I agree with the above change.

[justmurphy]

The CSAF itself looks good. However the hash file and signature file of the CSAF should be regenerated to reflect the changed CSAF.

@mstrad the issue I am seeing is the product tree structure: vendor -> product_family -> product_name -> product_version.

Going to revise the advisory to meet recommended structure and will ping you for another review. I believe that all the IT advisories will need to be revised for product tree structure, and then small edits to the product_version_range and acknowledgement properties.

[mstrad]

The CSAF itself looks good. However the hash file and signature file of the CSAF should be regenerated to reflect the changed CSAF.

@mstrad the issue I am seeing is the product tree structure: vendor -> product_family -> product_name -> product_version.

Going to revise the advisory to meet recommended structure and will ping you for another review. I believe that all the IT advisories will need to be revised for product tree structure, and then small edits to the product_version_range and acknowledgement properties.

@justmurphy I see what you're saying. Initially I was only reviewing the proposed changes in this PR itself. All of which I agree with and offer the reminder that new hashes and signature files will need to be made and pushed to the repo when a CSAF file is updated. :)

To the comment above, I agree. I took a look at the raw CSAF file and I agree that following the recommended product tree structure should be followed with the ending leaf being a product_version or product_version_range. Will this recommendation become a requirement in future CSAF versions?

[amanion-cisa]

FWIW I'm fine with the changes, they are fixing technically incorrect CSAF. I can make the updates including new hashes, signatures, and ROLIE files if you'd like.

[amanion-cisa]

IIUC Adminer "4.8.1" happens to be a "Vers -like Specifier (vls)" so I think this change works syntactically and I understand that "all versions" is not valid.

However I'm slightly concerned with how to interpret this limit on the version range. The product is used in status and remediation elements. "<=4.8.1" might imply that there might be a more recent version, and is that more recent version fixed? We can't know the future at the time of publication, could update the CSAF if a new/fixed version is released, and the CSAF VEX profile has an explicit "Fixed" status, but at least for those familar with the CVE ecosystem, "<=4.8.1" could imply "fixed in >4.8.1, now go look to see if any such versions exist."

[amanion-cisa]

Here are fixes for version ranges and acknowledgments (and section headings, not initially part of this PR): develop...amanion-cisa:CSAF:jmfixes

I won't send a PR until we've reviewed these changes.