Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NIST.IR.8060 GEN-15 requires @version for File #42

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

NIST.IR.8060 GEN-15 requires @version for File #42

wants to merge 1 commit into from

Conversation

adelton
Copy link
Contributor

@adelton adelton commented Jul 10, 2018

The requirement is "include value if on exists for the file" but swidval reports

ERROR GEN-15-2: The <File> element with the @name 'alias' has a blank @version attribute value.

if the attribute is not used or is set to empty string so it is not easy to silence it with empty string.
Since there is no reasonable version value and the type is xs:string, using 'none'.

@strongX509
Copy link
Contributor

strongX509 commented Jul 10, 2018 via email

@adelton
Copy link
Contributor Author

adelton commented Jul 11, 2018

NIST.IR.8060 explicitly says: "include value if on exists for the file" so I'm not ready to use a default value of type 'none'. The linux-image and linux-header packages comprise several thousands files, so I don't want any default version strings to be included.

Undestood. What is you opinion about NIST's swidval's behaviour when it produces GEN-15-* errors unconditionally, without really taking into account the "if one exists for the file", while not allowing us to specify empty attribute value to show that we know that the attribute should be specified but no value for the file exists? Would something different than the string none be acceptable for swid_generator?

@adelton
NIST.IR.8060 GEN-15 requires @Version for File
f8615fe 
The requirement is "include value if on exists for the file"
but swidval reports
ERROR GEN-15-2: The <File> element with the @name 'alias' has a blank @Version attribute value.
if the attribute is not used or is set to empty string. To allow the
user to specify some value for the attribute when no one exists for
the file, adding command line parameter --default-file-version.
@adelton
Copy link
Contributor Author

adelton commented Jul 12, 2018

Let me now propose approach with command line parameter --default-file-version which allows the user to specify the value in runtime while not changing the default output -> f8615fe.

@tobiasbrunner
Copy link
Member

I think the GEN-15-2 check in SWIDVal is wrong. If you have a look at requirements.xml in swidval-0.5.0.jar you see the two relevant derived-requirements, which in readable form look like this:

<derived-requirements>
  <derived-requirement id="GEN-15-1" type="MUST" conditional="true">
    <statement>
      Every <File> element provided within a <Payload> or <Evidence> element MUST provide a @version attribute.
    </statement>
    <message>
      The <File> element with the @name ''{0}'' does not provide a @version attribute
    </message>
  </derived-requirement>
  <derived-requirement id="GEN-15-2" type="MUST">
    <statement>
      If a <File> element provided within a <Payload> or <Evidence> element includes a @version attribute, this attribute must be non-blank.
    </statement>
    <message>
      The <File> element with the @name ''{0}'' has a blank @version attribute value.
    </message>
  </derived-requirement>
</derived-requirements>

GEN-15-1 is marked conditional, which I guess means it doesn't apply if the version attribute is absent (since you don't get an error for this that seems to work fine - although the requirement is kinda useless this way - then again, I don't really know how this verification is implemented). However, that's not the case for GEN-15-2, although its statement clearly says it only applies if there actually is a version attribute i.e. if one is there it MUST not be empty, but there is no restriction if the attribute is omitted (this seems to agree with the "if one exists for the file" part in NIST.IR.8060).

So to me it seems that second requirement is too restrictive, it should just not apply if the attribute is not there (not sure if simply adding conditional="true" would fix that). By the way, there are other requirements with the same construct (COR-2-1/2, PRI-2-1/2, PRI-4-1/2) where also only the first derived-requirement is marked conditional.

@adelton
Copy link
Contributor Author

adelton commented Jul 20, 2018

Thank you for the analysis. Have you guys talked to NIST about it or should we try to bring it up?

@tobiasbrunner
Copy link
Member

We currently have no plans to contact NIST about this. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adelton @strongX509 @tobiasbrunner