Dear members,
With the CSAF v2.1 work start, we included a required $schema element
for all valid instance documents.
I like our description of this element in the schema and as an extract
in the prose. Maybe we should write some more about this in the
prose to help the participants in the ecosystem sail around
misunderstandings of the intended purpose.
As with XML schema specifications in instance documents
themselves, there was never the expectation that consumers
of such documents will automatically trust the document,
download that schema from the claimed location, and then
validate the instance against that schema.
Instead, the main purpose in my experience was always
exactly what we write "a claim of the instance, stating
a schema to be valid against". The consumer can always
use their own schema instance they trust, compare if that
claim is the same schema (and version!) and then validate
against that "local/trusted" version.
In the current CSAF v2.1 CSDPR01 section 3.2.1 Schema Property
we have added the informal text:
|> This value allows for tools to identify that a JSON document is
|> meant to be valid against this schema. Tools can use that to
|> support users by automatically checking whether the CSAF
|> adheres to the JSON schema identified by this URL
I think that this is already a very good guidance.
Thanks, and sorry for the 10% test part of this email.
Cheers,
Stefan.
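The consumer-side handling Stefan describes, as an added example that is not part of the email or of the CSAF TC's material: the $schema value is compared against a registry of schemas the consumer already trusts and is never fetched; the registry URLs, the embedded mini-schemas and the `document.csaf_version` cross-check are assumptions for this demonstration.

```python
# Trusted registry: the exact $schema URL a document may claim -> the schema
# version and the local schema copy the consumer validates against. The URLs
# and the mini-schemas are constructed for this example, not the TC's values.
TRUSTED_SCHEMAS = {
    "https://example.invalid/csaf/v2.1/csaf.json": {
        "version": "2.1",
        "schema": {"required": ["$schema", "document", "vulnerabilities"]},
    },
    "https://example.invalid/csaf/v2.0/csaf.json": {
        "version": "2.0",
        "schema": {"required": ["document"]},
    },
}


class SchemaClaimError(ValueError):
    """The $schema claim does not match any schema this consumer trusts."""


def resolve_trusted_schema(doc: dict) -> dict:
    """Map the document's $schema claim onto a locally trusted schema.

    The claimed URL is only compared with the registry, never fetched, so a
    URL under someone else's control cannot supply the schema.
    """
    claim = doc.get("$schema")
    if not isinstance(claim, str):
        raise SchemaClaimError("no $schema string present")
    entry = TRUSTED_SCHEMAS.get(claim)
    if entry is None:
        raise SchemaClaimError(f"untrusted schema claim: {claim}")
    # The claim must also agree with the version the document states in
    # document.csaf_version (assumed present); a mismatch is rejected.
    document = doc.get("document")
    stated = document.get("csaf_version") if isinstance(document, dict) else None
    if stated != entry["version"]:
        raise SchemaClaimError(
            f"claim names {entry['version']} but document states {stated!r}")
    return entry["schema"]


def check_required(doc: dict, schema: dict) -> list:
    """Stand-in for a JSON Schema validator: list missing top-level keys."""
    return [key for key in schema["required"] if key not in doc]


def validate_csaf(doc: dict) -> list:
    """Validate a parsed CSAF document against the trusted local copy only."""
    return check_required(doc, resolve_trusted_schema(doc))
```

In a real consumer the trusted schema entry would be the full CSAF JSON schema file shipped with the tool, handed to a JSON Schema validator in place of check_required().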