
Improve SHA* marking #289

Open
tschmidtb51 opened this issue Aug 29, 2022 · 7 comments · May be fixed by #554
Labels
bug Something isn't working csaf_checker enhancement New feature or request important service+dev

Comments

@tschmidtb51
Collaborator

We need to improve the error message for requirement 18 if only one hash is found: currently, it reports the other one as missing and labels that as an error. This applies only if the missing hash wasn't listed in the ROLIE feed.

@h4b4n3r0

I can confirm this issue. It is still appearing.

@tschmidtb51 tschmidtb51 added the bug Something isn't working label Aug 18, 2023
@tschmidtb51
Collaborator Author

In the current version (v2.2.1-95-ga65fead) this is even worse, as a missing SHA-512 or SHA-256 results in requirement 18 failing.

@tschmidtb51
Collaborator Author

At least the following cases must be covered:

  1. Just SHA256 present and listed in ROLIE => INFO: SHA512 not present
  2. Just SHA512 present and listed in ROLIE => INFO: SHA256 not present
  3. Just SHA256 present and folder based distribution used => INFO: SHA512 not present
  4. Just SHA512 present and folder based distribution used => INFO: SHA256 not present
  5. Just SHA256 present, but both listed in ROLIE => WARN: SHA512 not present
  6. Just SHA512 present, but both listed in ROLIE => WARN: SHA256 not present
  7. No SHA listed in only ROLIE-based distribution => ERROR (in 18)
  8. No SHA listed in ROLIE-based distribution, but SHAs present => ERROR (in 15)

For the first 4 cases, it would be nice to collapse the message to one summary, if it is true for all tested advisories.
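The eight cases above, as an added example that is not part of the issue or of csaf_checker itself: a small Go classifier that maps each advisory's hash situation (distribution type, which hash files exist, which are listed in the ROLIE feed) to the requirement, level and message the list prescribes, plus the suggested collapsing of the INFO cases into one summary when every tested advisory yields the same one. The `Advisory` and `Finding` types are assumptions for this example; the only case the list does not name (no hash at all in a directory-based distribution) is treated as the case 7 error.

```go
package main

// Advisory is a constructed model of one document's hash situation (not a csaf_checker type).
type Advisory struct {
	ROLIE                bool // distributed via a ROLIE feed; false means directory-based
	Has256, Has512       bool // the .sha256 / .sha512 file is actually fetchable
	Listed256, Listed512 bool // the hash is listed in the ROLIE feed (ignored when !ROLIE)
}

// Finding is one report entry: the requirement it belongs to, its level and its text.
type Finding struct{ Req int; Level, Text string }
// classify maps one advisory to the outcome the eight cases above prescribe.
func classify(a Advisory) Finding {
	switch {
	case a.ROLIE && !a.Listed256 && !a.Listed512 && (a.Has256 || a.Has512):
		return Finding{15, "ERROR", "hashes present but none listed in ROLIE feed"} // case 8
	case !a.Has256 && !a.Has512:
		return Finding{18, "ERROR", "no hash file found"} // case 7 (directory-based equivalent assumed)
	case a.Has256 && a.Has512:
		return Finding{} // both present: nothing to report
	}
	missing, listed := "SHA512", a.Listed512 // only SHA256 present
	if !a.Has256 {
		missing, listed = "SHA256", a.Listed256 // only SHA512 present
	}
	if a.ROLIE && listed {
		return Finding{18, "WARN", missing + " listed in ROLIE but not present"} // cases 5, 6
	}
	return Finding{18, "INFO", missing + " not present"} // cases 1-4
}

// summarize collapses an identical INFO finding into one line when every advisory yields it.
func summarize(advs []Advisory) []Finding {
	var out []Finding
	for _, a := range advs {
		if f := classify(a); f.Text != "" {
			out = append(out, f)
		}
	}
	same := len(out) == len(advs) && len(out) > 1
	for _, f := range out {
		same = same && f.Level == "INFO" && f == out[0]
	}
	if !same {
		return out
	}
	out[0].Text += " (all advisories)"
	return out[:1]
}
```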

@bernhardreiter
Member

Shall this be done as part of service+dev? Just add the label.

@tschmidtb51
Collaborator Author

Looking at the issue again, I think an additional option would be nice, where I could explicitly point out which hash should be looked for.

@koplas koplas linked a pull request Jul 25, 2024 that will close this issue
@sonnyvanlingen

sonnyvanlingen commented Nov 20, 2024

I just want to inform you that this issue impacted us too.
We run a CSAF Trusted Provider that I would describe as "type 4" within the list @tschmidtb51 provided (Just SHA512 present and folder based distribution used).

So under "num": 18, "description": "Integrity",

We get tons of:

"text": "Fetching https://securitybulletin.huawei.com/.well-known/csaf/xxxxxxx/xxxxxxxxxx/xxxxxxxxxxxx/en/2024/xxxxxxxxxxxxxx.json.sha256 failed: Status code 400 (400 )"

Whereas corresponding .sha512 files are present.

I got the feedback from a colleague that the corresponding pull request does not fully resolve the situation (and lacks a bit of documentation on what CLI options to use).

Imo @tschmidtb51 is right with his listing of cases, and it'd be great to have a way to explicitly point out which hash the checker should be looking for.

@JanHoefelmeyer
Contributor

7. No SHA listed in only ROLIE-based distribution => ERROR (in 18)

We think it's better to report this under 15.

We don't necessarily want to report one error in multiple places, and listing this under 18 gives the wrong impression that the ROLIE feed is fine, which may lead to further confusion if e.g. the SHAs simply cannot be found.

5 participants