![image](https://user-images.githubusercontent.com/1690898/139102180-5c1e2583-14f1-4f58-ab2b-9e3807ed529c.png)

# Common Security Advisory Framework (CSAF) Technical Committee Monthly Meeting

- Meeting Date: March 30, 2022
- Time: 1:00 pm US EDT

## Call to Order and Welcome

Meeting called to order @ 1:04 PM US EDT

## Roll call

All participants recorded their attendance on the OASIS meeting calendar.
All participants were kindly encouraged to register themselves to optimize the use of the shared time during the meeting in one of two ways:

- Clicking the link with the text "Register my attendance" on the top of the event page.
- Or directly visiting the per event direct "record my attendance link."  

**Quorum was  reached.**

## Participants

- Will Rideout, Arista (Voting Member)
- Russ Selph, TIBCO (Voting Member)
- Patrick Maroney, AT&T (Voting Member)
- Martin Prpic, Red Hat (Voting Member)
- Robert Keith, Accenture (Voting Member)
- Denny Page, TIBCO Software, Inc. (Voting Member)
- Russ Selph, TIBCO Software, Inc. (Member)
- Thomas Proell, Siemens (Voting Member)
- Thomas Schmidt, Federal Office for Information Security (Voting Member)
- Robert Keith, Accenture (Voting Member)
- Rhonda Levy, Cisco Systems (Voting Member)
- Omar Santos, Cisco Systems (Chair)
- Feng Cao, Oracle (Voting Member)
- Vijay Sarvepalli, CERT/Carnegie Mellon University (Member)
- Duncan Sparrell, sFractal Consulting LLC (Member)

### Observers present

- Scott Robertson, Kaiser Permanente

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab.

## Agenda

- Roll Call via sef-registration
- Approval of previous TC minutes(February 2022): https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2022-02-23.md
- CSAF Version 2.0 Working Draft as Committee Specification Draft 02 material changes and review.
- Next Steps
- Adjourn


## Minutes of TC Meetings in GitHub

- Quorum was reached.
  - Omar set motion to approve minutes from February 2022 meeting uploaded on GitHub.
  - Thomas Schmidt approved motion
  - Denny second
  - Motion approved

## Meeting Notes

- CSAF Version 2.0 Working Draft as Committee Specification 02
  - The motion to approve CSAF Version 2.0 Working Draft as Committee Specification Draft 02 passed; however, when we submitted the information to OASIS and after further research, it was found that the changes were material (i.e., the CSAF aggregator and CSAF full validator (optional test) and some non-material changes (invalid timestamps, missing SBOM URI guidance), we decided to create a new editor revision.
    - See email from Thomas: https://oasis-open.org/apps/org/workgroup/csaf/email/archives/202203/msg00005.html
    - You can find the proposed changes in https://github.com/oasis-tcs/csaf/pull/502/files
    -  or read the whole document at https://github.com/oasis-tcs/csaf/blob/editor-revision-2022-03-29/csaf_2.0/prose/csaf-v2-editor-draft.md

- Pull Request 505 first part of 503
  - Issue https://github.com/oasis-tcs/csaf/issues/503
  - Pull Request https://github.com/oasis-tcs/csaf/pull/505/files
  - Thomas Schmidt Motion to accept pull request 505 as is addressed in pull request 503
  - Second Denny
  - Motion approved
  - Omar to merge

- Pull Request 506 second part of 503
  - Issue https://github.com/oasis-tcs/csaf/issues/503
  - Pull Request https://github.com/oasis-tcs/csaf/pull/506/files
  - Thomas asked and agreed to clean up namespace
  - Thomas Schmidt set motion to approve as stated  
  - Denny second
  - Motion approved
  - Omar to merge

- Pull request 502: Editor revision 2022-03-29
  - https://github.com/oasis-tcs/csaf/pull/502
  - Thomas Schmidt set motion to approve pull request 502 as it is and merge into master branch.
  - Feng: "Editor revision 2022 03 29 #502 CVSS-B score is only taking into consideration the Base Metrics. A CVSS-BTE score means that the consumer is taking into consideration not just the attributes of the vulnerability (Base metrics)… but are also taking Threat and Environmental attributes into account as well."
  - Feng will follow up with Thomas.
  - Available tools:
    - CSAF trusted provider: https://github.com/csaf-poc/csaf_distribution
    - CSAF content management system (Backend): https://github.com/secvisogram/csaf-cms-backend
    - CSAF full validator: https://github.com/secvisogram/csaf-validator-lib (PR for CSD02 pending)
  - Russ Selph second
  - Motion approved
  - Omar to merge

- Motion to approve the current CSAF 2.0 working draft and all associated artifacts / URLs to be listed in meeting minutes.
  - Thomas Schmidt moves that the TC approve CSAF Version 2.0 Working Draft and all associated artifacts uniquely identified by below listed URL and packaged together in a zip file [1] as Committee Specification Draft 02 and designate the markdown version of the specification as authoritative and direct the Chair supported by the Editors to perform any tasks as required by TC Admin to facilitate that issuance. I further move that the TC approve submitting CSAF Version 2.0 Committee Specification Draft 02 for public review and direct the Chair perform any tasks as required by TC Admin to facilitate that issuance.
  - The referenced URL for the archive containing all 4 artifacts is: https://github.com/oasis-tcs/csaf/releases/download/csd-02-20220329-rc2/csd-02-20220329-rc2.zip
  - More details may be found on the draft release page at: https://github.com/oasis-tcs/csaf/releases/tag/csd-02-20220329-rc2

    **SHA256 Checksums**

    Archive:

    ```
    25a5591111c8ae7f4296953b717dd056173b7fbf1bbd1174ae28ad6840691b17  csd-02-20220329-rc2.zip
    ```

    Included Artifacts:

    ```
    876548f33947186b2415bb1550a50348fe69b118309dad82e68f1eba3d679dca  aggregator_json_schema.json
    81ea3eee9ae11d85c083a01ad2c00e096ee5d4caa85a631bf75413bd36c3e936  csaf_json_schema.json
    07b8313146db1c58cb5095d94570d65202ae67d3ac36bce9efd958d6ba14ddb7  csaf-v2-editor-draft.md
    0270d0cfadf5202ff83a63502012a407e0e8ec3194a07296f13641c9f5630aba  provider_json_schema.json
    ```

  - Patrick Maroney second
  - Motion approved
  - Thomas and Omar to submit for public majority to review and then submit to OASIS.

- Thomas set motion to request TC admins to register “csaf” as ROLIE feed type [#314](https://github.com/oasis-tcs/csaf/issues/314)
  - Omar second
  - Motion passed
  - Will work with Chet and OASIS to complete

- Thomas set motion - Register path in .well-known [#317](https://github.com/oasis-tcs/csaf/issues/317)
  - Which will work with OASIS admins to register
  - Omar second
  - Motion approved

- Thomas set motion to approve CSAF in security.txt [#318](https://github.com/oasis-tcs/csaf/issues/318)
  - Issue https://github.com/oasis-tcs/csaf/issues/318
  - Omar second
  - Motion approved
  - Dependent on second standard
  - https://github.com/securitytxt/security-txt/issues/200

## Adjourn

- Omar set motion to adjourn meeting.
- Denny seconded to motion.
- The meeting adjourned at 2:02 PM US EDT

**Note:** All monthly meetings take place on the last Wednesday of each month at 1:00 PM US EDT.
The next meeting will be held on April 27, 2022.