csaf-models 0.3.2

CSAF 2.0/2.1 data models, SQLite management, and user models
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2026 Pierre Gronau, ndaal in Cologne

//! CSAF provider metadata model.

use serde::{Deserialize, Serialize};

/// CSAF provider metadata document.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct ProviderMetadata {
    /// Canonical URL for this metadata file.
    pub canonical_url: String,

    /// Distribution endpoints.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub distributions: Vec<ProviderDistribution>,

    /// Last updated timestamp (ISO 8601).
    pub last_updated: String,

    /// Whether to list on CSAF aggregators.
    #[serde(default, rename = "list_on_CSAF_aggregators")]
    pub list_on_csaf_aggregators: bool,

    /// Metadata schema version.
    pub metadata_version: String,

    /// Whether to allow mirroring on CSAF aggregators.
    #[serde(default, rename = "mirror_on_CSAF_aggregators")]
    pub mirror_on_csaf_aggregators: bool,

    /// Public OpenPGP keys for signature verification.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub public_openpgp_keys: Vec<OpenPgpKey>,

    /// Publisher identity.
    pub publisher: ProviderPublisher,

    /// Publisher role (e.g. `csaf_publisher`, `csaf_provider`, `csaf_trusted_provider`).
    pub role: String,
}

/// A distribution endpoint for CSAF documents.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct ProviderDistribution {
    /// Directory URL where CSAF documents are published.
    pub directory_url: String,
}

/// An OpenPGP public key reference.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct OpenPgpKey {
    /// Key fingerprint (40 hex characters).
    pub fingerprint: String,

    /// URL to download the public key.
    pub url: String,
}

/// Publisher identity within provider metadata.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct ProviderPublisher {
    /// Publisher category.
    pub category: String,

    /// Contact email or details.
    pub contact_details: String,

    /// Publisher name.
    pub name: String,

    /// Publisher namespace URI.
    pub namespace: String,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_deserialize_provider_metadata() {
        let json = include_str!("../../../test/csaf/provider-metadata.json");
        let meta: ProviderMetadata =
            serde_json::from_str(json).expect("Failed to deserialize provider metadata");

        // The in-tree provider-metadata.json fixture advertises CSAF 2.1;
        // keep this assertion aligned with the fixture to avoid silent drift.
        assert_eq!(meta.metadata_version, "2.1");
        assert_eq!(meta.role, "csaf_publisher");
        assert_eq!(meta.publisher.category, "vendor");
        assert!(meta.list_on_csaf_aggregators);
        assert!(meta.mirror_on_csaf_aggregators);
        assert_eq!(meta.public_openpgp_keys.len(), 1);
        assert_eq!(
            meta.public_openpgp_keys[0].fingerprint,
            "D1DE14AA6D1980BD3FB67BF5C706DFBCAC5EFA64"
        );
    }

    #[test]
    fn test_roundtrip_provider_metadata() {
        let json = include_str!("../../../test/csaf/provider-metadata.json");
        let meta: ProviderMetadata = serde_json::from_str(json).expect("parse error");
        let serialized = serde_json::to_string_pretty(&meta).expect("serialize error");
        let meta2: ProviderMetadata = serde_json::from_str(&serialized).expect("re-parse error");
        assert_eq!(meta, meta2);
    }
}