Question regarding minimum elements in a Security Advisory artifact

[rjb4standards]

Hello Everyone,

Today I did a presentation to the OpenSSF Vulnerability Management group that is working on EU CRA initiatives regarding a VDR proposal

A question was asked "Can a CSAF Security Advisory can contain 0 vulnerabilities and still be considered valid"?

I deferred to this group for an answer, as this is well beyond my CSAF knowledge. My only comment was that this would seem to change the semantics of what a Security Advisory represents. Was I correct?

[tschmidtb51]

A CSAF document can contain an arbitrary number of vulnerabilities - also none - and still be valid.

A CSAF document using profile "Security Advisory" needs to contain at least one vulnerability. If there is no vulnerability, there is also no security advisory, as the purpose of a security advisory is to advise on vulnerabilities. Note that CSAF uses a vulnerability definition conforming to ISO/IEC 29147 [ISO29147] which is broader than the scope of CVEs (on purpose).
Please note, that a security advisory can contain multiple vulnerabilities, not just one.

Other CSAF profiles allow for CSAF documents without vulnerabilities (e.g. CSAF Base) or even require the absence of vulnerabilities (e.g. Informational Advisory).

Does that answer your question?