Collect information also directly from ANSSI/BSI pages #46

Closed
2 of 4 tasks
J08nY opened this issue Apr 12, 2021 · 3 comments · Fixed by #247

Comments

@J08nY
Member

J08nY commented Apr 12, 2021

For the Common Criteria certificates we currently collect information from:

  1. the csv from the Common Criteria portal at https://www.commoncriteriaportal.org/products/certified_products.csv,
  2. the html from the Common Criteria portal at https://www.commoncriteriaportal.org/products/,
  3. the certificate report documents (PDF) linked from 1. and 2., and
  4. the security target documents (PDF) linked from 1. and 2.

We should probably also collect information directly from the pages of big members of CC that produce the certifications (https://www.commoncriteriaportal.org/ccra/schemes/) like ANSSI and BSI. We can then cross-check this data with the data we collect using our existing method and possibly augment it using this new data source if we see some improvement.

The steps in this task are:

  • Examine the pages of the CC members (e.g. ANSSI, BSI) that produce certifications (linked from https://www.commoncriteriaportal.org/ccra/schemes/) and see which ones have some sort of a listing of products they certified which has at least some minimal amount of information about the certificates.
  • Implement functionality that parses interesting data about the certificates out of the aforementioned pages.
    • Start with ANSSI and BSI pages.
    • Get inspired by the existing codebase and how it works with Certificate objects (but no need to be completely like the existing codebase at the start).
    • Also have the ability to export the results to JSON (like the current datasets and certificates).
  • Compare the extracted data from the aforementioned pages with data collected using our current methods.
    • Do we correctly match the certificate id for the certificates?
    • Are the PDFs linked from the pages of the CC members the same as the ones linked from Common Criteria directly?
    • Is there some data that we are missing?
  • Consider a way of enriching our current dataset collected from the CC with the data collected from the aforementioned pages.
    • Only makes sense if there is something we are missing or that we have wrong.
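
The comparison step listed above (matching certificate ids, checking whether both sources link the same PDFs, and spotting missing data) can be sketched over plain dictionaries as follows. This is an added example, not part of the original issue or the project's code: the record fields, the id normalization rules and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json
import re

def normalize_cert_id(raw):
    """Canonical form so portal and scheme spellings of one id compare equal."""
    s = re.sub(r"[\s_/]+", "-", raw.strip().upper())  # unify separators (assumed rule)
    return re.sub(r"-{2,}", "-", s)

def digest(pdf_bytes):
    """Compare documents by content hash, not by URL (URLs differ per site)."""
    return hashlib.sha256(pdf_bytes).hexdigest()

def cross_check(portal, scheme):
    """Answer the three comparison questions for two lists of plain dicts."""
    p = {normalize_cert_id(r["cert_id"]): r for r in portal}
    s = {normalize_cert_id(r["cert_id"]): r for r in scheme}
    result = {"only_portal": sorted(p.keys() - s.keys()),
              "only_scheme": sorted(s.keys() - p.keys()),
              "pdf_mismatch": [], "missing_in_portal": {}}
    for cid in sorted(p.keys() & s.keys()):
        if p[cid].get("report_sha256") != s[cid].get("report_sha256"):
            result["pdf_mismatch"].append(cid)  # same id, different document
        extra = sorted(k for k, v in s[cid].items() if v and not p[cid].get(k))
        if extra:
            result["missing_in_portal"][cid] = extra  # candidate fields for enrichment
    return result

# Constructed sample records: ids, names and PDF bytes are made up.
PORTAL = [
    {"cert_id": "BSI-DSZ-CC-0001-2021", "name": "Example Smartcard A",
     "report_sha256": digest(b"report-A")},
    {"cert_id": "ANSSI-CC-2021/02", "name": "Example HSM B",
     "report_sha256": digest(b"report-B v1")},
    {"cert_id": "ANSSI-CC-2021/03", "name": "Example Router C",
     "report_sha256": digest(b"report-C")},
]
SCHEME = [
    {"cert_id": "bsi-dsz-cc-0001-2021 ", "name": "Example Smartcard A",
     "report_sha256": digest(b"report-A"), "expiry": "2026-01-01"},
    {"cert_id": "ANSSI-CC-2021_02", "name": "Example HSM B",
     "report_sha256": digest(b"report-B v2")},
    {"cert_id": "ANSSI-CC-2021/04", "name": "Example Firewall D",
     "report_sha256": digest(b"report-D")},
]

def report_json():
    """Export the comparison result to JSON, like the existing datasets."""
    return json.dumps(cross_check(PORTAL, SCHEME), indent=2, sort_keys=True)

if __name__ == "__main__":
    print(report_json())
```

A non-empty `pdf_mismatch` list is the case worth manual review: the two sources agree on the certificate id but serve different report documents.
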
@adamjanovsky
Collaborator

@KeleranV the first step could be to compare what information about certificates is available on the BSI webpage and what information is available on CommonCriteria.org. Should these sources provide (nearly) identical info, I would suggest just creating a new constructor similar to from_html_row().

In fact, even the certificates constructed from CommonCriteria webpage are fetched from two distinct sources:

  1. from_html_row()
  2. from csv.

We are then able to merge two partially parsed records of a single certificate into one: merge()

Should there be a drastic difference (e.g. BSI providing only a few pieces of information), I suggest creating an all-new class to parse the BSI pages and then creating a method of CCDataset that would merge these objects into CC certificates.

Regarding branching, I suggest you work with the dev branch. But you may want to take a look at the folder structure of cc-feature-parity. Practically, I just split multiple classes in one file into more files, nothing else changed. Your implementation should be easy to merge, but I guess that won't be difficult.

@adamjanovsky adamjanovsky added the enhancement New feature or request label May 3, 2021
@adamjanovsky
Collaborator

@KeleranV I won't be splitting the issues in the end, I'll just write the subtasks for the ANSSI webpage here:

The data does not need to be stored in fancy objects, just use dictionaries.

@J08nY
Member Author

J08nY commented Jul 12, 2022

Here are all the pages of the schemes analyzed for the interesting lists.

Australian Certification Authority (ACA)

Has a list of "products currently in evaluation" at:
https://www.cyber.gov.au/acsc/view-all-content/programs/australian-information-security-evaluation-program
No obvious list of all certified products.

Canadian Common Criteria Scheme

Products in evaluation:
https://www.cyber.gc.ca/en/tools-services/common-criteria/products-evaluation
Certified products list:
https://www.cyber.gc.ca/en/tools-services/common-criteria/certified-products

ANSSI

Certified products:
https://www.ssi.gouv.fr/en/products/certified-products/
No obvious list of products in evaluation.

BSI

Certified products:
https://www.bsi.bund.de/EN/Topics/Certification/certified_products/certified_products_node.html
Has sub pages for product categories.

Indian Common Criteria Certification Scheme (IC3S)

(has an expired TLS cert)

Certified products:
https://www.commoncriteria-india.gov.in/product-certified
Archived products:
https://www.commoncriteria-india.gov.in/archived-prod-cer

OCSI - Organismo di Certificazione della Sicurezza Informatica

Certified products:
https://ocsi.isticom.it/index.php/elenchi-certificazioni/prodotti-certificati
Products in evaluation:
https://ocsi.isticom.it/index.php/elenchi-certificazioni/in-corso-di-valutazione

JISEC - Japan IT Security Evaluation and Certification Scheme

Certified products:
https://www.ipa.go.jp/security/jisec/jisec_e/certified_products/certfy_list_e31.html
Archived products:
https://www.ipa.go.jp/security/jisec/jisec_e/certified_products/certfy_list_e_archive.html
Products in evaluation:
https://www.ipa.go.jp/security/jisec/jisec_e/prdct_in_eval.html

CyberSecurity Malaysia

Certified products (archived marked but included):
https://www.cybersecurity.my/mycc/mycprA.html
Products in evaluation:
https://www.cybersecurity.my/mycc/mycprC.html

NSCIB

Certified products:
https://www.tuv-nederland.nl/common-criteria/certificates.html
Products in evaluation:
https://www.tuv-nederland.nl/common-criteria/ongoing-certifications.html

Australasian Certification Authority (ACA)

Same as Australia.

SERTIT

Certified products:
https://sertit.no/certified-products/category1919.html
Only publishes products in evaluation as "articles" on its page.
Archived products:
https://sertit.no/certified-products/product-archive/

IT Security Certification Center (ITSCC)

Certified products:
https://itscc.kr/certprod/list.do?product_class=1
Suspended certified products:
https://itscc.kr/certprod/list.do?product_class=2
Archived products:
https://itscc.kr/certprod/list.do?product_class=4

Cyber Security Agency of Singapore

Certified products:
https://www.csa.gov.sg/Programmes/certification-and-labelling-schemes/csa-common-criteria/product-list
Archived products:
https://www.csa.gov.sg/Programmes/certification-and-labelling-schemes/csa-common-criteria/product-archives

Organismo de Certificación de la Seguridad de las Tecnologías de la Información

Certified products:
https://oc.ccn.cni.es/productos-certificados/productos-certificados

Swedish Certification Body for IT Security FMV/CSEC

Certified products:
https://www.fmv.se/verksamhet/ovrig-verksamhet/csec/certifikat-utgivna-av-csec/
Products in evaluation:
https://www.fmv.se/verksamhet/ovrig-verksamhet/csec/pagaende-certifieringar/
Archived products:
https://www.fmv.se/verksamhet/ovrig-verksamhet/csec/arkiverade-certifikat-aldre-an-5-ar/

TSE (Turkish Standards Institution) Common Criteria Certification Scheme

Certified products (yes, it is a PDF):
https://statik.tse.org.tr/upload/tr/dosya/icerikyonetimi/3300/03112021143434-2.pdf

National Information Assurance Partnership

Certified products:
https://www.niap-ccevs.org/Product/PCL.cfm
Products in evaluation:
https://www.niap-ccevs.org/Product/PINE.cfm
Archived products:
https://www.niap-ccevs.org/Product/Archived.cfm
