From 7d0670fe72ad4ae3818e67516629828b7fc1f3f2 Mon Sep 17 00:00:00 2001
From: rschneider <97682836+rainer-exxcellent@users.noreply.github.com>
Date: Thu, 8 May 2025 07:32:13 +0200
Subject: [PATCH 1/2] feat(CSAF2.1): #199 - test 6.3.2 for CSAF 2.1
---
 csaf_2_1/informativeTests.js | 2 +-
 .../informativeTests/informativeTest_6_3_2.js | 74 +++++++++++++++++++
 tests/csaf_2_1/informativeTest_6_3_2.js | 8 ++
 tests/csaf_2_1/oasis.js | 1 -
 4 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 csaf_2_1/informativeTests/informativeTest_6_3_2.js
 create mode 100644 tests/csaf_2_1/informativeTest_6_3_2.js
diff --git a/csaf_2_1/informativeTests.js b/csaf_2_1/informativeTests.js
index d5ec4ced..12269510 100644
--- a/csaf_2_1/informativeTests.js
+++ b/csaf_2_1/informativeTests.js
@@ -1,5 +1,4 @@
 export {
- informativeTest_6_3_2,
 informativeTest_6_3_3,
 informativeTest_6_3_5,
 informativeTest_6_3_6,
@@ -11,3 +10,4 @@ export {
 } from '../informativeTests.js'
 export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
 export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
+export { informativeTest_6_3_2 } from './informativeTests/informativeTest_6_3_2.js'
diff --git a/csaf_2_1/informativeTests/informativeTest_6_3_2.js b/csaf_2_1/informativeTests/informativeTest_6_3_2.js
new file mode 100644
index 00000000..13ffceec
--- /dev/null
+++ b/csaf_2_1/informativeTests/informativeTest_6_3_2.js
@@ -0,0 +1,74 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+ additionalProperties: true,
+ properties: {
+ vulnerabilities: {
+ elements: {
+ additionalProperties: true,
+ properties: {},
+ optionalProperties: {
+ metrics: {
+ elements: {
+ additionalProperties: true,
+ optionalProperties: {
+ content: {
+ additionalProperties: true,
+ optionalProperties: {
+ cvss_v3: {
+ additionalProperties: true,
+ properties: {},
+ optionalProperties: {
+ version: { type: 'string' },
+ vectorString: { type: 'string' },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * For each item in the list of metrics which contains the cvss_v3 object under
+ * content it MUST be tested that CVSS v3.0 is not used.
+ * @param {unknown} doc
+ * @returns
+ */
+export function informativeTest_6_3_2(doc) {
+ const ctx = {
+ infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+ }
+
+ if (!validateInput(doc)) {
+ return ctx
+ }
+
+ doc.vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+ const metrics = vulnerability.metrics
+ metrics?.forEach((metric, metricIndex) => {
+ if (metric.content?.cvss_v3) {
+ if (
+ metric.content.cvss_v3.version === '3.0' ||
+ metric.content.cvss_v3.vectorString?.startsWith('CVSS:3.0')
+ ) {
+ ctx.infos.push({
+ instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v3/version`,
+ message: 'It is recommended to upgrade to CVSS v3.1.',
+ })
+ }
+ }
+ })
+ })
+
+ return ctx
+}
diff --git a/tests/csaf_2_1/informativeTest_6_3_2.js b/tests/csaf_2_1/informativeTest_6_3_2.js
new file mode 100644
index 00000000..ad2acf89
--- /dev/null
+++ b/tests/csaf_2_1/informativeTest_6_3_2.js
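Review bot: The `instancePath` pushed in `ctx.infos.push` always ends in `/version`, even when the finding was triggered only by `vectorString?.startsWith('CVSS:3.0')`, so for a `cvss_v3` object that carries a vector string but no `version` member the reported path points at a property that does not exist in the document. Remembering which property matched and using it in the path keeps the location accurate; the rewritten inner callback is below. The JSDoc `@returns` tag is empty — `@returns {{ infos: Array<{ message: string; instancePath: string }> }}` would document the shape callers read. Validation failures of `inputSchema` silently yield no infos, which is the intended "only runs on relevant documents" behaviour, but a one-line comment above the `if (!validateInput(doc))` guard stating that would make it obvious to the next reader.
```javascript
    metrics?.forEach((metric, metricIndex) => {
      const cvss = metric.content?.cvss_v3
      if (!cvss) return
      // Track which property identified CVSS v3.0 so the path points at it.
      let flaggedBy = null
      if (cvss.version === '3.0') {
        flaggedBy = 'version'
      } else if (cvss.vectorString?.startsWith('CVSS:3.0')) {
        flaggedBy = 'vectorString'
      }
      if (flaggedBy !== null) {
        ctx.infos.push({
          instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v3/${flaggedBy}`,
          message: 'It is recommended to upgrade to CVSS v3.1.',
        })
      }
    })
```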
@@ -0,0 +1,8 @@
+import assert from 'node:assert/strict'
+import { informativeTest_6_3_2 } from '../../csaf_2_1/informativeTests/informativeTest_6_3_2.js'
+
+describe('informativeTest_6_3_2', function () {
+ it('only runs on relevant documents', function () {
+ assert.equal(informativeTest_6_3_2({ document: 'mydoc' }).infos.length, 0)
+ })
+})
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
index 6fb44c13..62d6bd4d 100644
--- a/tests/csaf_2_1/oasis.js
+++ b/tests/csaf_2_1/oasis.js
@@ -71,7 +71,6 @@ const excluded = [
 '6.2.44',
 '6.2.45',
 '6.2.46',
- '6.3.2',
 '6.3.14',
 '6.3.15',
 '6.3.12',
From 49575adaecd9398ae33f3817fcd2df99b4fa2708 Mon Sep 17 00:00:00 2001
From: rschneider <97682836+rainer-exxcellent@users.noreply.github.com>
Date: Mon, 2 Jun 2025 15:28:14 +0200
Subject: [PATCH 2/2] feat(CSAF2.1): #199 - test 6.3.2 for CSAF 2.1 - changed optionalProperties to properties in inputSchema
---
 .../informativeTests/informativeTest_6_3_2.js | 2 --
 tests/csaf_2_1/informativeTest_6_3_2.js | 22 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/csaf_2_1/informativeTests/informativeTest_6_3_2.js b/csaf_2_1/informativeTests/informativeTest_6_3_2.js
index 13ffceec..0861d54b 100644
--- a/csaf_2_1/informativeTests/informativeTest_6_3_2.js
+++ b/csaf_2_1/informativeTests/informativeTest_6_3_2.js
@@ -8,7 +8,6 @@ const inputSchema = /** @type {const} */ ({
 vulnerabilities: {
 elements: {
 additionalProperties: true,
- properties: {},
 optionalProperties: {
 metrics: {
 elements: {
@@ -19,7 +18,6 @@ const inputSchema = /** @type {const} */ ({
 optionalProperties: {
 cvss_v3: {
 additionalProperties: true,
- properties: {},
 optionalProperties: {
 version: { type: 'string' },
 vectorString: { type: 'string' },
diff --git a/tests/csaf_2_1/informativeTest_6_3_2.js b/tests/csaf_2_1/informativeTest_6_3_2.js
index ad2acf89..aa04d939 100644
--- a/tests/csaf_2_1/informativeTest_6_3_2.js
+++ b/tests/csaf_2_1/informativeTest_6_3_2.js
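Review bot: The patch subject says `optionalProperties` was changed to `properties` in `inputSchema`, but both hunks of this patch (`@@ -8,7 +8,6 @@` and `@@ -19,7 +18,6 @@`) only delete the empty `properties: {},` entries and leave `optionalProperties` as it was, so the history will not match the schema; the message should describe the deletion. If the empty objects were dropped because ajv's JTD compiler rejects an empty `properties` form next to `optionalProperties`, a short comment above the first `optionalProperties` key in `inputSchema` saying so would stop the next maintainer from reintroducing them. The `inputSchema` definition begins before and ends after each of these hunks.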
@@ -5,4 +5,26 @@ describe('informativeTest_6_3_2', function () {
 it('only runs on relevant documents', function () {
 assert.equal(informativeTest_6_3_2({ document: 'mydoc' }).infos.length, 0)
 })
+ it('test input schema with not considered json object in vulnerabilities', function () {
+ assert.equal(
+ informativeTest_6_3_2({
+ document: {},
+ vulnerabilities: [
+ {},
+ {
+ metrics: [
+ {
+ content: {
+ cvss_v3: {
+ version: '3.0',
+ },
+ },
+ },
+ ],
+ },
+ ],
+ }).infos.length,
+ 1
+ )
+ })
 })
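Review bot: The new `it` block exercises only the `version: '3.0'` branch of `informativeTest_6_3_2`; the `vectorString?.startsWith('CVSS:3.0')` branch and the non-flagged v3.1 case stay untested, so a regression in either would pass this suite. Two further assertions would pin them, for example (constructed input) `assert.equal(informativeTest_6_3_2({ document: {}, vulnerabilities: [{ metrics: [{ content: { cvss_v3: { vectorString: 'CVSS:3.0/AV:N' } } }] }] }).infos.length, 1)` and the same document with `cvss_v3: { version: '3.1' }` expecting `0`. The title `'test input schema with not considered json object in vulnerabilities'` reads awkwardly; `'ignores vulnerabilities without metrics and reports a CVSS v3.0 metric'` states what is asserted. The enclosing `describe` block starts before this hunk.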