andrewmusselman opened a new issue, #676:
URL: https://github.com/apache/tooling-trusted-releases/issues/676
**ASVS Requirement:** 9.2.1 — Token Validity Time Span Verification
**Severity:** Low
### Description
The `TrustedPublisherPayload` data model in `atr/sbom/models/github.py:20-45` defines `nbf` as an optional field (`nbf: int | None = None`). Per ASVS 9.2.1, if `nbf` is present in a token it must be verified. Since this is a data class without built-in validation, consuming code must remember to check temporal claims independently.
### Recommended fix
Add a `validate_temporal_claims()` method to the model so that callers have
a single, correct place to check both `exp` and `nbf`:
```python
from datetime import UTC, datetime  # Python 3.11+; on older versions use timezone.utc

def validate_temporal_claims(self, clock_skew_seconds: int = 60) -> bool:
    """Return True if `exp` (and `nbf`, when present) are within bounds."""
    now = int(datetime.now(UTC).timestamp())
    # Expired: exp lies more than clock_skew_seconds in the past.
    if self.exp <= now - clock_skew_seconds:
        return False
    # Not yet valid: nbf is optional, but must be checked whenever present.
    if self.nbf is not None and now < self.nbf - clock_skew_seconds:
        return False
    return True
```
NB: note that we could have a different OIDC provider, so we might have `nbf`; plus, GitHub could change.
### Relevant code
`atr/sbom/models/github.py` — `TrustedPublisherPayload`.