From 2087c2f0aedaee0e2653ffe739c220b96c11cd5f Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 25 Oct 2024 23:42:12 +0200 Subject: [PATCH] CSAF Downloader - addresses parts of oasis-tcs/csaf#674 - add conformance target CSAF Downloader --- csaf_2.1/prose/edit/src/conformance.md | 11 +++++++++++ .../edit/src/introduction-02-terminology-glossary.md | 3 +++ 2 files changed, 14 insertions(+) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index e619fdf4d..4880da0ac 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md @@ -27,6 +27,7 @@ This document defines requirements for the CSAF file format and for certain soft The entities ("conformance targets") for which this document defines requirements are: * **CSAF document**: A security advisory text document in the format defined by this document. +* **CSAF downloader**: A program that retrieves CSAF documents in an automated fashion. * **CSAF producer**: A program which emits output in the CSAF format. * **CSAF direct producer**: An analysis tool which acts as a CSAF producer. * **CSAF converter**: A CSAF producer that transforms the output of an analysis tool from its native output format into the CSAF format. 
@@ -627,4 +628,14 @@ A CSAF library satisfies the "CSAF library with extended validation" conformance A CSAF library does not satisfies the "CSAF library with full validation" conformance profile if the CSAF library uses an external library or program for the "CSAF full validator" part and does not enforce its presence. +### Conformance Clause 23: CSAF downloader + +A program satisfies the "CSAF downloader" conformance profile if the program: + +* conforms to the process defined in section [sec](#retrieving-rules) by executing all parts that are applicable to the given role. +* supports directory-based and ROLIE-based retrieval. +* is able to execute both steps from section [sec](#retrieving-rules) separately. +* uses a program-specific HTTP User Agent, e.g. consisting of the name and version of the program. + +> A tool MAY implement an option to store CSAF documents that fail any of the steps in section [sec](#retrieving-csaf-documents) ------- diff --git a/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md b/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md index 9a4da5021..9ed7f3a68 100644 --- a/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md +++ b/csaf_2.1/prose/edit/src/introduction-02-terminology-glossary.md @@ -47,6 +47,9 @@ CSAF direct producer CSAF document : security advisory text document in the format defined by this document. +CSAF downloader +: A program that retrieves CSAF documents in an automated fashion. + CSAF extended validator : A CSAF basic validator that additionally performs optional tests.
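Review bot: In the conformance target list of conformance.md, the new "CSAF downloader" entry is inserted in second position, directly after "CSAF document", while its clause is appended at the end of the file as Conformance Clause 23. If the list is meant to follow clause order, move the entry to the end of the list. If another ordering is intended, say which, since the producer and converter entries that follow are not alphabetical either.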
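Review bot: In Conformance Clause 23, the closing note links to `#retrieving-csaf-documents` while the first and third bullets link to `#retrieving-rules`, so "any of the steps" and "both steps" point at different sections. Use one anchor, or make explicit which steps each sentence means. The note also says "A tool" where the clause says "the program", and it lacks a final period. Because the option stores documents that failed a retrieval step, consider requiring that such documents are kept apart from, or marked as distinct from, documents that passed, so that a consumer of the download directory does not process them as valid. In the first bullet, "applicable to the given role" does not say whose role is meant; naming it would make the requirement testable.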
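Review bot: In the glossary hunk of introduction-02-terminology-glossary.md, the new definition opens with a capitalised article ("A program that retrieves ...") while the preceding "CSAF document" entry opens in lower case without one ("security advisory text document ..."). Both styles appear in the context lines, so pick one for the new entry deliberately. Keeping the wording identical to the list entry in conformance.md is good and should be preserved if either text is edited later.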