OASIS reposted this
This is very exciting news - Microsoft is now publishing automation-friendly security advisories in CSAF format. CSAF allows for more detail and different groupings than just CVEs, and allows orgs to share advisories on security issues that do not have CVEs. https://lnkd.in/es--vTXM
I'm not really sure that this is as valuable as it seems. Microsoft is notoriously vague in what files have issues - even the registry is often left with a severe version delta between an MSFT component or framework such as .NET and what is installed. Their versions are vague, their advisories wider than tall, and don't really tell you what was affected, plus, lots of stuff gets buried in rollups. CVE to KB to builds, to service pack, to X mappings... CSAF doesn't really solve the core issues - it's just a communication mechanism. But hey, what do I know?
I applaud Microsoft for moving towards a more machine readable format of a security advisory, but Ron Brash is right. Microsoft is atrocious for flooding NVD with vague advisories. Take CVE-2018-0786: "Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, .NET Core 1.0 and 2.0, and PowerShell Core 6.0.0 allow a security feature bypass vulnerability due to the way certificates are validated, aka '.NET Security Feature Bypass Vulnerability.'" So all of .NET Framework is vulnerable? .NET Framework is an absolutely massive application. You might as well have said "the internet is vulnerable, please update." Let's look at a more recent one: CVE-2024-43476: "Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability". That's it!?! Come on Microsoft, please give us more to work off here. Until the bigger issue of being more detailed in security advisories is addressed, repackaging vague information into a computer readable format does little to actually help researchers or AI systems hone in on problem software components. It is the equivalent of changing the siren for a researcher already overboard and drowning in false positives.
That's great news! I actually just wrote a post explaining what CSAF is and the potential it holds for anyone wanting to learn more
oh wow
4 months
Excellent work Allan, thanks for sharing.