User:Csafedit/sandbox

Common Security Advisory Format (CSAF)
The Common Security Advisory Format (CSAF) is a JSON-based data format for exchanging security advisories for software vulnerabilities. In these advisory documents, products can be declared as affected or explicitly not affected by one or more vulnerabilities. The latter case is also known as Vulnerability Exploitability Exchange (VEX).

The CSAF schema groups the information it conveys into three main classes:


 1) The frame, aggregation, and reference information of the document
 2) Product information
 3) Vulnerability information and its relation to the products

The frame
The frame of the document holds information such as acknowledgements (people who contributed to the content), branches (required to lay out the structure of the document), and the language and version of the document.

Product Property
The products covered by the advisory are listed in the product tree, where they can be grouped into product families and where their different properties and relationships can be documented.

Vulnerability Property
The vulnerabilities can also be described with a large number of properties such as CVE, CVSS and CWE, as well as with remediations and references to the products affected by each vulnerability.
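
The following Python example is added here for illustration and is not part of the original page or of the CSAF specification. It shows how the three classes fit together by resolving each vulnerability's product status, including the VEX-style "known not affected" case, against the product tree. It assumes the CSAF 2.0 field names (document, product_tree, vulnerabilities); the advisory content, product IDs and CVE placeholder are constructed.

```python
import json

# Constructed sample advisory; the CVE and tracking IDs are placeholders, not real ones.
ADVISORY = json.loads("""
{
  "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
               "title": "Example advisory", "lang": "en",
               "tracking": {"id": "EXAMPLE-2024-0001", "version": "1"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "Example Corp", "branches": [
      {"category": "product_name", "name": "Widget", "branches": [
        {"category": "product_version", "name": "1.0",
         "product": {"product_id": "CSAFPID-0001", "name": "Example Corp Widget 1.0"}},
        {"category": "product_version", "name": "2.0",
         "product": {"product_id": "CSAFPID-0002", "name": "Example Corp Widget 2.0"}}]}]}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-00000",
     "product_status": {"known_affected": ["CSAFPID-0001"],
                        "known_not_affected": ["CSAFPID-0002"]},
     "remediations": [{"category": "vendor_fix", "details": "Update to 2.0.",
                       "product_ids": ["CSAFPID-0001"]}]}]
}
""")

def product_names(branches):
    """Walk the nested branches and map each product_id to its full name."""
    names = {}
    for branch in branches:
        if "product" in branch:
            names[branch["product"]["product_id"]] = branch["product"]["name"]
        names.update(product_names(branch.get("branches", [])))
    return names

def status_report(advisory):
    """Return (vulnerability id, product name, status, remediation) rows."""
    names = product_names(advisory.get("product_tree", {}).get("branches", []))
    rows = []
    for vuln in advisory.get("vulnerabilities", []):
        fixes = {pid: r["details"] for r in vuln.get("remediations", [])
                 for pid in r.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                # An ID missing from the product tree is a broken reference; flag it.
                name = names.get(pid, f"<unknown product {pid}>")
                rows.append((vuln.get("cve", "<no CVE>"), name, status, fixes.get(pid)))
    return rows

if __name__ == "__main__":
    print(*status_report(ADVISORY), sep="\n")
```

A consumer would typically run this kind of resolution against its own asset inventory, treating an unresolved product ID as a reason to reject or re-request the advisory.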

SBOM