The security.txt can have several PMDs.
csaf_downloader, checker and ISDuBA only use one (the first valid one as far as I know).
This is an issue to report about other PMDs, that were found, but are not used.
So users of the command line tool or online tool can see that there is an unused PMD and also see the warning that it should be removed as soon as possible.
(This is the less common subcase of #712)
reference
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#718-requirement-8-securitytxt
It is possible to advertise more than one provider-metadata.json by adding multiple CSAF fields, e.g. in case of changes to the organizational structure through merges or acquisitions. However, this SHOULD NOT be done and removed as soon as possible. If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF entry in the security.txt.
The security.txt can have several PMDs.
csaf_downloader, checker and ISDuBA only use one (the first valid one as far as I know).
This is an issue to report about other PMDs, that were found, but are not used.
So users of the command line tool or online tool can see that there is an unused PMD and also see the warning that it should be removed as soon as possible.
(This is the less common subcase of #712)
reference
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#718-requirement-8-securitytxt