TuxCare now provides Common Security Advisory Framework (CSAF) data as part of our security measures for Endless Lifecycle Support for OS and Endless Lifecycle Support for PHP.
CSAF is a machine-readable format, standardized by OASIS. It’s designed to enable consistent and automated sharing of security advisory information. The published CSAF files follow the Vulnerability Exploitability eXchange (VEX) profile and provide per-CVE status information across supported products and components.
Why CSAF Matters
CSAF is a structured, machine-readable format that makes it easier to integrate security information into tools and automation workflows. This helps organizations respond to vulnerabilities faster and more reliably, reduce manual effort, and improve overall security management.
How to Integrate
TuxCare publishes the following CSAF files at security.tuxcare.com in JSON format, which is easy to parse and integrate with other tools:
- CSAF VEX files, indexed by CVE – VEX documents are available in CSAF 2.0 format, including past CVEs.
- CSAF Security Advisory files – advisories are published in CSAF 2.0 format and indexed by Security Advisory:
- provider-metadata.json – this file contains information for tools and users about where and how to retrieve CSAF advisories published by TuxCare. By OASIS requirements, it is available at two URLs (both serving the same file):
OASIS provides a list of reference tools that support CSAF.
Technical Overview
TuxCare provides CSAF data in two document types: Security Advisories and VEX (Vulnerability Exploitability eXchange) profiles.
- CSAF Security Advisories provide a summary of what was fixed in a particular update.
- VEX profiles are focused on individual CVEs and provide detailed information about which products and components are affected by a specific vulnerability. CSAF VEX documents can also serve as an alternative to OVAL files.
Both CSAF Security Advisories and CSAF VEX documents are published when a CVE is fixed and the corresponding package is released.
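As an added illustration (not TuxCare's code), the Python below reads a CSAF 2.0 VEX document and lists, per CVE, which products carry each status. The sample document, its IDs and its product names are constructed placeholders; the field names follow the OASIS CSAF 2.0 schema.

```python
import json

# Constructed sample: a minimal CSAF 2.0 VEX document. All IDs, names and the
# CVE number are placeholders; "EX-9" is deliberately left undefined.
SAMPLE_VEX = json.loads("""
{"document": {"category": "csaf_vex", "tracking": {"id": "EXAMPLE-VEX-0001"}},
 "product_tree": {"branches": [
   {"category": "vendor", "name": "Example Vendor", "branches": [
     {"category": "product_version", "name": "pkg-1.0-2.example",
      "product": {"product_id": "EX-1", "name": "pkg-1.0-2.example on Example OS 7"}},
     {"category": "product_version", "name": "pkg-1.0-1",
      "product": {"product_id": "EX-2", "name": "pkg-1.0-1 on Example OS 7"}}]}]},
 "vulnerabilities": [
   {"cve": "CVE-0000-00001",
    "product_status": {"fixed": ["EX-1"], "known_affected": ["EX-2", "EX-9"]}}]}
""")


def product_names(branches, names):
    """Collect product_id -> name from the nested product_tree branches."""
    for branch in branches:
        product = branch.get("product")
        if product:
            names[product["product_id"]] = product["name"]
        product_names(branch.get("branches", []), names)
    return names


def cve_status(doc):
    """Return {cve: {status: [product names]}} for a CSAF 2.0 VEX document."""
    if doc["document"].get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    tree = doc.get("product_tree", {})
    names = product_names(tree.get("branches", []), {})
    for fpn in tree.get("full_product_names", []):
        names[fpn["product_id"]] = fpn["name"]
    for rel in tree.get("relationships", []):
        names[rel["full_product_name"]["product_id"]] = rel["full_product_name"]["name"]
    report = {}
    for vuln in doc.get("vulnerabilities", []):
        statuses = report.setdefault(vuln.get("cve", "<no CVE id>"), {})
        for status, ids in vuln.get("product_status", {}).items():
            # Keep unresolved IDs visible instead of silently dropping them.
            statuses[status] = [names.get(p, f"unresolved:{p}") for p in ids]
    return report


if __name__ == "__main__":
    print(json.dumps(cve_status(SAMPLE_VEX), indent=2))
```

An `unresolved:` entry means the document references a product ID that its product tree never defines, which is worth flagging before the data feeds a tracking tool.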
How to Contact Us
If you have any security-related questions or have run into an issue, please contact us at https://tuxcare.com/support-portal/.
Final Thoughts
TuxCare continues its mission of taking the best care of its customers by now providing CSAF data along with other security measures. CSAF works together with SBOMs by adding important details about which known vulnerabilities affect specific products. While it’s different from OVAL, which is used to check for vulnerabilities on a particular system, CSAF with VEX profiles shares vulnerability information that can be used in tracking tools and automation. In many cases, CSAF with VEX profiles can be used as an alternative to OVAL.


