
CSAF 2.0 Advisory Validator

Paste your CSAF 2.0 JSON advisory and instantly validate the structure against the OASIS CSAF 2.0 schema. Identifies missing mandatory fields, invalid values, and flags common issues that would cause rejection by automated consumers and ENISA tooling.


Note: This validator checks for the presence of mandatory CSAF 2.0 fields. For full schema validation, use the official OASIS JSON Schema. CVD Portal generates schema-valid CSAF 2.0 advisories automatically.

Frequently asked

What is CSAF 2.0?
CSAF 2.0 (Common Security Advisory Framework) is an OASIS standard for machine-readable security advisories. It replaces CVRF 1.2 and is increasingly required by EU procurement frameworks and referenced in the CRA's Annex I as part of expected security advisory practices. A CSAF advisory is a JSON document that describes one or more vulnerabilities, the affected products, and remediation guidance.

Is CSAF publication required under the CRA?
The CRA does not explicitly mandate CSAF 2.0 for all manufacturers, but Annex I references the expected security practices around advisory publication. CSAF 2.0 is increasingly required by public procurement frameworks (Germany's BSI requires it for products sold to the German government) and is the format used by ENISA for machine-readable vulnerability data.

What are the mandatory fields in a CSAF 2.0 document?
A CSAF 2.0 document requires at minimum: a document section (with title, type, publisher, tracking, and distribution), a product_tree section (defining affected products), and a vulnerabilities section (with CVE ID, discovery date, disclosure date, scores, and remediations). This validator checks for all mandatory fields.

What CSAF document types exist?
CSAF 2.0 defines five profile types: Base (csaf_base), Security Incident Response (csaf_security_incident_response), Informational Advisory (csaf_informational_advisory), Security Advisory (csaf_security_advisory), and VEX (csaf_vex — Vulnerability Exploitability eXchange). Most vulnerability disclosures use csaf_security_advisory.

Where should I publish my CSAF advisory?
CSAF 2.0 advisories should be published at a well-known location: `/.well-known/csaf/` on your domain, with a `provider-metadata.json` index file. The BSI and ENISA tooling will discover advisories via this path. CVD Portal generates and hosts your CSAF feed automatically.
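
A presence check of the kind the mandatory-fields answer describes, as an added example rather than this validator's own code. The key lists are an assumption taken from the `document` object of the OASIS CSAF 2.0 JSON schema, `product_tree` and `vulnerabilities` are required here only for the csaf_security_advisory and csaf_vex profiles, and the sample advisory is constructed.

```python
import json

# Keys (and nested keys) required in "document"; assumed from the CSAF 2.0 schema.
DOCUMENT_REQUIRED = {
    "category": (), "csaf_version": (), "title": (),
    "publisher": ("category", "name", "namespace"),
    "tracking": ("current_release_date", "id", "initial_release_date",
                 "revision_history", "status", "version"),
}
# Profiles that must also carry product and vulnerability data.
NEEDS_PRODUCTS = ("csaf_security_advisory", "csaf_vex")
EMPTY = (None, "", [], {})


def check_advisory(text):
    """Return JSON-pointer paths of fields that are missing or invalid."""
    try:
        advisory = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    doc = advisory.get("document") if isinstance(advisory, dict) else None
    if not isinstance(doc, dict):
        return ["/document"]
    problems = []
    for key, children in DOCUMENT_REQUIRED.items():
        value = doc.get(key)
        if value in EMPTY:
            problems.append(f"/document/{key}")
            continue
        for child in children:
            if not isinstance(value, dict) or value.get(child) in EMPTY:
                problems.append(f"/document/{key}/{child}")
    if doc.get("csaf_version") not in EMPTY + ("2.0",):
        problems.append("/document/csaf_version")
    if doc.get("category") in NEEDS_PRODUCTS:
        problems += [f"/{s}" for s in ("product_tree", "vulnerabilities")
                     if advisory.get(s) in EMPTY]
    return problems


# Constructed sample: no publisher namespace, revision history or vulnerabilities.
SAMPLE = json.dumps({
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Example advisory",
                 "publisher": {"category": "vendor", "name": "Example Corp"},
                 "tracking": {"id": "EX-0001", "status": "final", "version": "1",
                              "initial_release_date": "2024-01-01T00:00:00Z",
                              "current_release_date": "2024-01-01T00:00:00Z"}},
    "product_tree": {"full_product_names": [{"name": "App 1.0", "product_id": "P1"}]},
})
```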
