feat: add OSV document, validation

Signed-off-by: Rifa Achrinza <[email protected]>

Author: achrinza

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "vendors/secvisogram"]
 	path = vendors/secvisogram
 	url = [email protected]:BSI-Bund/secvisogram.git
+[submodule "vendors/osv-schema"]
+	path = vendors/osv-schema
+	url = [email protected]:ossf/osv-schema.git

.husky/pre-commit

@@ -6,3 +6,4 @@
 
 npm run-script prettier:check
 npm run-script validate-csaf20
+npm run-script validate-osv

.vscode/settings.json

@@ -8,6 +8,12 @@
                 "advisories/lbsa-*.csaf.json"
             ],
             "url": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json"
+        },
+        {
+            "fileMatch": [
+                "advisories/lbsa-*.osv.json"
+            ],
+            "url": "./vendors/osv-schema/validation/schema.json"
         }
     ]
 }

advisories/README.md

@@ -11,17 +11,19 @@
 
 This section of the Git repository is where all LBSAs are stored. They are
 written as [CSAF 2.0](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html)
-documents.
+documents and
+[OSV 1.2.0](https://github.com/ossf/osv-schema/tree/5e3cbf8abb4e192f87d00354b23e56340388cf98).
 
 The naming convention is as follows:
 
 ```
-lbsa-YYYYMMDD.csaf.json
+lbsa-YYYYMMDD.csaf.json <-- CSAF 2.0
+lbsa-YYYYMMDD.osv.json  <-- OSV 1.2.0
 ```
 
 Where:
 
-- `YYYY` is the year
+- `YYYY` is the year of
 - `MM` is the month
 - `DD` is the day
 
@@ -33,13 +35,26 @@ during a Git commit, and as part of the
 [CI pipeline](../.github/workflows/ci.yaml). It can also be triggered by running
 `npm run validate-csaf20`.
 
+Validation of OSV 1.2.0 documents are done by
+<../scripts/advisories/validate-osv.ts>. This is triggered automatically during
+a Git commit, and as aprt of the [CI pipeline](../.github/workflows/ci.yaml). It
+can also be triggered by running `npm run validate-osv`.
+
+CSAF 2.0 acts as the "source of truth" of which the other formats are validated
+against as it is the most comprehensive format. Hence, any deviations from the
+CSAF 2.0 document must also be reflected back in the CSAF 2.0 document itself.
+
 ## Vendors
 
 This section depends on [Secvisogram](../vendors/README.md#submodules) for
 validation, its ports of JSON Schemas from Draft-04 (No first-class AJV support)
 to Draft-2019, and for a strict variant of CSAF 2.0 JSON Schema. There are plans
 to utilise the other parts of the codebase for more thorough validation.
 
+It also depends on
+[Open Source Vulnerability schema](../vendors/README.md#submodules) for JSON
+Schema-based OSV validation.
+
 ## Dependents
 
 There's current no known dependents on these CSAF 2.0 documents. However, there

advisories/lbsa-20201130.osv.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.2.0",
+  "id": "LBSA-20201130",
+  "modified": "2022-03-05T00:00:00.000Z",
+  "severity": [
+    {
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O/E:U/RC:C",
+      "type": "CVSS_V3"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Olivier Beg"
+    },
+    {
+      "name": "Samuel Erb"
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://loopback.io/doc/en/sec/lbsa-2020-11-30.csaf.json"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://loopback.io/doc/en/sec/Security-advisory-11-30-2020.html"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4988"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://www.cve.org/CVERecord?id=CVE-2020-4988"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://www.npmjs.com/package/@loopback/rest"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192706"
+    }
+  ],
+  "aliases": ["CVE-2020-4988"],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@loopback/rest"
+      },
+      "versions": ["8.0.0"]
+    }
+  ],
+  "database_specific": {
+    "CWE": "CWE-1321"
+  },
+  "summary": "`@loopback/rest` allows REST APIs to have `constructor` in the JSON payload, which is vulnerable to prototype pollution.",
+  "details": "It's a similar issue as https://snyk.io/vuln/SNYK-JS-LODASH-73638, where the following description is quoted from.\n\n> Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\n>\n> There are two main ways in which the pollution of prototypes occurs:\n>\n> - Unsafe Object recursive merge\n> - Property definition by path"
+}

advisories/lbsa-20201130.osv.json.license

@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: LoopBack Contributors
+SPDX-License-Identifier: MIT

package-lock.json

@@ -17,7 +17,9 @@
     "prettier:cli": "lb-prettier '**/*.ts' '**/*.js' 'advisories/lbsa*.csaf.json' '**/*.md'",
     "prettier:check": "npm run prettier:cli -- -l",
     "prettier:fix": "npm run prettier:cli -- --write",
-    "validate-csaf20": "ts-node --project=scripts/tsconfig.json scripts/advisories/validate-csaf20.ts"
+    "ts-node": "ts-node --project=scripts/tsconfig.json",
+    "validate-csaf20": "npm run ts-node -- scripts/advisories/validate-csaf20.ts",
+    "validate-osv": "npm run ts-node -- scripts/advisories/validate-osv.ts"
   },
   "repository": {
     "type": "git",
@@ -41,6 +43,8 @@
     "@loopback/build": "^8.1.0",
     "@loopback/eslint-config": "^12.0.2",
     "@types/glob": "^7.2.0",
+    "ajv": "^8.10.0",
+    "ajv-formats": "^2.1.1",
     "eslint": "^8.9.0",
     "eslint-plugin-prettier": "^4.0.0",
     "glob": "^7.2.0",

package.json

@@ -0,0 +1,230 @@
+// SPDX-FileCopyrightText: LoopBack Contributors
+// SPDX-License-Identifier: MIT
+
+import path from 'path';
+import glob from 'glob';
+import Ajv2020 from 'ajv/dist/2020';
+import addFormats from 'ajv-formats';
+import osvSchema from '../../vendors/osv-schema/validation/schema.json';
+
+const osvDocumentGlob = '../../advisories/*.osv.json';
+
+console.log(`Validating OSV 1.2.0 documents... (Glob: ${osvDocumentGlob})`);
+
+interface ValidationResult {
+  isValid: boolean;
+  errors: {
+    instancePath: string;
+    message?: string;
+  }[];
+}
+
+glob(path.resolve(__dirname, osvDocumentGlob), async (err, matches) => {
+  if (err) throw Error;
+
+  let errorCount = 0;
+
+  for (const filePath of matches) {
+    process.stdout.write(
+      `  L Validating: ${path.relative(process.cwd(), filePath)}...`,
+    );
+    const fileContents = require(filePath);
+    const validationResults: Record<string, ValidationResult> = {
+      jsonSchema: validateJsonSchema(fileContents),
+      schemaVersion: validateSchemaVersion(fileContents),
+      csaf20Sync: validateCSAF20Sync(filePath, fileContents),
+    };
+
+    const errors = Object.values(validationResults).flatMap(x => x.errors);
+    const isValid = errors.length < 1;
+
+    if (isValid) console.log('Done!');
+    else {
+      errorCount += errors.length;
+      console.log(`${errors.length} error(s) found:`);
+      for (let i = 0; i < errors.length; i++) {
+        console.log(`    L Error #${i + 1}`);
+        console.log(`      L Instance path : ${errors[i].instancePath}`);
+        console.log(`      L Message       : ${errors[i].message ?? 'N/A'}`);
+      }
+    }
+  }
+
+  if (matches.length === 0) console.log('No OSV 1.2.0 documents found!');
+
+  if (errorCount > 0) {
+    console.log(`${errorCount} error(s) found.`);
+    process.exit(1);
+  }
+
+  console.log('OSV 1.2.0 validation done.');
+});
+
+function validateJsonSchema(fileContents: any): ValidationResult {
+  const validate = addFormats(
+    new Ajv2020({strict: false, allErrors: true}),
+  ).compile(osvSchema);
+  const isValid = validate(fileContents);
+
+  return {
+    isValid,
+    errors: validate.errors ?? [],
+  };
+}
+
+function validateSchemaVersion(fileContents: any): ValidationResult {
+  const errors: ValidationResult['errors'] = [];
+
+  if (fileContents.schema_version !== '1.2.0') {
+    errors.push({
+      instancePath: '/schema_version',
+      message: 'schema_version must be `1.2.0`.',
+    });
+  }
+
+  return {
+    isValid: errors.length < 1,
+    errors,
+  };
+}
+
+function validateCSAF20Sync(
+  filePath: string,
+  osvDocument: any,
+): ValidationResult {
+  const csaf20Document = require(filePath.replace('.osv.json', '.csaf.json'));
+  const errors: ValidationResult['errors'] = [];
+
+  // ID sync
+  const csaf20ID = csaf20Document.document.tracking.id;
+  const osvID = osvDocument.id;
+
+  if (osvID !== csaf20ID) {
+    errors.push({
+      instancePath: '/id',
+      message: 'id must match CSAF 2.0 `/document/tracking/id`.',
+    });
+  }
+
+  // Summary sync
+  const csaf20Summary = csaf20Document.document.notes.find(
+    x => x.category === 'summary',
+  ).text;
+  const osvSummary = osvDocument.summary;
+
+  if (csaf20Summary !== osvSummary) {
+    errors.push({
+      instancePath: '/summary',
+      message: 'summary must match CSAF 2.0 `/document/notes` instance.',
+    });
+  }
+
+  // Description / Details sync
+  const csaf2SDescription = csaf20Document.document.notes.find(
+    x => x.category === 'description',
+  ).text;
+  const osvDetails = osvDocument.details;
+
+  if (csaf2SDescription !== osvDetails) {
+    errors.push({
+      instancePath: '/details',
+      message: 'details must match CSAF 2.0 `/document/notes` instance.',
+    });
+  }
+
+  // CVE sync
+  const csaf20CVE = csaf20Document.vulnerabilities[0].cve;
+  const osvCVE = osvDocument.aliases.find(x => x.startsWith('CVE-'));
+
+  if (csaf20CVE !== osvCVE) {
+    errors.push({
+      instancePath: '/aliases',
+      message: 'alises must match CSAF `/vulnerabilities/0/cve`.',
+    });
+  }
+
+  // CVSS V3 sync
+  const csaf20CVSS3 =
+    csaf20Document.vulnerabilities[0].scores[0].cvss_v3?.vectorString;
+  const osvCVSS3Index = osvDocument.severity.findIndex(
+    x => x.type === 'CVSS_V3',
+  );
+  const osvCVSS3 =
+    osvCVSS3Index > -1 ? osvDocument.severity[osvCVSS3Index].score : undefined;
+
+  if (csaf20CVSS3 !== osvCVSS3) {
+    errors.push({
+      instancePath: `/severity/score/${osvCVSS3Index}`,
+      message:
+        'score must match CSAF 2.0 `/vulnerabilities/0/scores/0/cvss_v3/attackVector`.',
+    });
+  }
+
+  // CWE sync
+  const csaf20CWE = csaf20Document.vulnerabilities[0].cwe.id;
+  const osvCWE = osvDocument.database_specific.CWE;
+
+  if (csaf20CWE !== osvCWE) {
+    errors.push({
+      instancePath: '/database_specific/cwe',
+      message: 'cwe must match CSAF 2.0 `/vulnerabilities/0/cwe/id`.',
+    });
+  }
+
+  // References sync
+  const csaf20References = csaf20Document.document.references.map(x => x.url);
+  const osvReferences = osvDocument.references.map(x => x.url);
+
+  if (osvReferences.length >= csaf20References.length) {
+    for (let i = 0; i < osvReferences.length; i++) {
+      if (!csaf20References.includes(osvReferences[i])) {
+        errors.push({
+          instancePath: `/references/${i}`,
+          message: `entry \`${osvReferences[i]}\` not found in CSAF 2.0 \`/document/references\`.`,
+        });
+      }
+    }
+  } else {
+    for (let i = 0; i < csaf20References.length; i++) {
+      if (!osvReferences.includes(csaf20References[i])) {
+        errors.push({
+          instancePath: '/references',
+          message: `references missing \`${csaf20References[i]}\` from CSAF 2.0 \`/document/references\`.`,
+        });
+      }
+    }
+  }
+
+  // Acknowledgments / credits sync
+  const csaf20Acknowledgments = csaf20Document.document.acknowledgments.flatMap(
+    x => x.names,
+  ) as string[];
+  const osvCredits = osvDocument.credits.flatMap(x => x.name) as string[];
+
+  if (osvCredits.length >= csaf20Acknowledgments.length) {
+    for (let i = 0; i < osvCredits.length; i++) {
+      const osvCredit = osvCredits[i];
+      if (!csaf20Acknowledgments.includes(osvCredit)) {
+        errors.push({
+          instancePath: `/credits/${i}`,
+          message: `entry \`${osvCredit}\` not found in CSAF 2.0 \`/document/acknowledgments\`.`,
+        });
+      }
+    }
+  } else {
+    for (let i = 0; i < csaf20Acknowledgments.length; i++) {
+      const csaf20Acknowledgement = csaf20Acknowledgments[i];
+      if (!osvCredits.includes(csaf20Acknowledgement)) {
+        errors.push({
+          instancePath: `/credits`,
+          message: `missing entry \`${csaf20Acknowledgement}\` from CSAF 2.0 \`/document/acknowledgments\`.`,
+        });
+      }
+    }
+  }
+
+  return {
+    isValid: errors.length < 1,
+    errors,
+  };
+}