
New importer: ncsc.nl CSAF #94

Closed
Rafiot opened this issue Dec 3, 2024 · 11 comments

@Rafiot
Collaborator

Rafiot commented Dec 3, 2024

Thanks for looking into it, the advisory feed is probably a better option then:
https://advisories.ncsc.nl/csaf/

After publication of CSAF 2.1 advisories are created also in that standard. Further, new features will be added in the 2.1 version, likely including also a new score. As part of the change it is also planned to change the assessment method for advisories from probability/severity to urgency with three proposed levels.

Originally posted by @jonite in #84 (comment)

@Rafiot
Collaborator Author

Rafiot commented Dec 3, 2024

@jonite the source doesn't seem to work with the default downloader, could you have a look at it? As it seems to be the same issue as the Microsoft one, I'm starting to suspect there is a tool used to generate CSAF repos that isn't following the specs somewhere.

Logfile: downloader.log

@bernhardreiter

bernhardreiter commented Dec 3, 2024

Looking at your downloader.log:

"message":"/last_updated: '2024-18-04T11:00:00.0Z' is not valid 'date-time'"}

is different from Microsoft, this time you have invented an eighteenth month. ;)

The date part must be 2024-04-18 with month and day switched.

@Rafiot
Collaborator Author

Rafiot commented Dec 3, 2024

LOL, ok, right, I didn't look particularly close. That is an interesting way to generate an isoformat indeed.

@jaccoNCSCNL

Hi,

A watcher of this project dropped me a mail.
This issue should be fixed at our side now.

Jacco

@Rafiot
Collaborator Author

Rafiot commented Dec 4, 2024

Thanks!

{"time":"2024-12-04T11:16:52+01:00","level":"INFO","msg":"Download statistics","succeeded":165,"total_failed":81,"filename_failed":0,"download_failed":0,"schema_failed":0,"remote_failed":0,"sha256_failed":0,"sha512_failed":0,"signature_failed":81}

I get a bunch of files where the signature cannot be verified:

{"time":"2024-12-04T11:16:52+01:00","level":"ERROR","msg":"Validation check failed","error":"cannot verify signature for https://advisories.ncsc.nl/csaf/v2/2024/ncsc-2024-0217.json: Signature Verification Error: Invalid signature caused by openpgp: invalid signature: RSA verification failure"}

@jaccoNCSCNL can you have a look?

@jaccoNCSCNL

That is strange, there are quite some tests involved in making sure the signing is correct.

As it turns out there is an encoding issue 'somewhere' that breaks the signing. Not yet sure where.
I'll get back when I know more.

In the original signed text there is often a word with an ë which gets changed to ë :(
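Both failures in this thread (the swapped month/day in `last_updated` reported by the downloader above, and the encoding change that breaks the detached OpenPGP signature) come down to the feed serving bytes that differ from what the schema or the signer expects. The following is an added illustration, not code from the csaf downloader or from ncsc.nl: it checks a feed timestamp against the RFC 3339 `date-time` shape the CSAF schema requires and flags the DD/MM mix-up, and it simulates the usual UTF-8-read-as-Windows-1252 corruption (which turns `ë` into `Ã«`) to show that the digest a signature covers no longer matches. The sample strings and the cp1252 assumption are constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# RFC 3339 date-time, the shape the CSAF JSON schema's "date-time" format expects.
RFC3339 = re.compile(
    r"^(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})[Tt ]"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})(?:\.\d+)?"
    r"(?:[Zz]|[+-]\d{2}:\d{2})$"
)


def check_last_updated(value: str) -> str:
    """Classify a feed timestamp as 'ok', 'swapped-month-day' or 'invalid'."""
    m = RFC3339.match(value)
    if not m:
        return "invalid"
    y, mo, d = int(m["y"]), int(m["mo"]), int(m["d"])
    h, mi, s = int(m["h"]), int(m["mi"]), int(m["s"])
    try:
        datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
        return "ok"
    except ValueError:
        pass
    # A "month" above 12 with a day of 12 or less is the classic DD/MM mix-up,
    # e.g. 2024-18-04 where 2024-04-18 was meant.
    if mo > 12 and d <= 12:
        return "swapped-month-day"
    return "invalid"


def mojibake(text: str) -> str:
    """Simulate UTF-8 bytes being re-read as Windows-1252 (assumed code page)."""
    return text.encode("utf-8").decode("cp1252")


def sha256_hex(text: str) -> str:
    """Digest of the UTF-8 bytes, i.e. what a detached signature is computed over."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def same_signed_bytes(original: str, served: str) -> bool:
    """True only if the served document still hashes to what was signed."""
    return sha256_hex(original) == sha256_hex(served)
```

Any byte-level change between signing and publishing, such as the re-encoding shown here, makes `same_signed_bytes` false, which is exactly the "RSA verification failure" the downloader reports.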

@Rafiot
Collaborator Author

Rafiot commented Dec 4, 2024

Ahh, the fun with encoding... :(

Good luck and thank you!

@jaccoNCSCNL

Took longer than expected, but it should be fixed for the future and the old data is also corrected.

@Rafiot
Collaborator Author

Rafiot commented Dec 5, 2024

Thanks! I'll set up the importer tomorrow.

@jaccoNCSCNL

@Rafiot is it working now?

@Rafiot
Collaborator Author

Rafiot commented Dec 9, 2024

@jaccoNCSCNL yep, all good, thanks! Adding the source now.

Rafiot closed this as completed in 817a472 Dec 9, 2024