
Replace Secvisogram with csaf-validator-lib #35

@achrinza


Overview

Secvisogram is a project for a React-powered, web-based Common Security Advisory Framework Version 2.0 (CSAF 2.0) validator.

#5 / 17f860a added CSAF 2.0 validation with Secvisogram. When that change was merged, Secvisogram was bundled as a single solution, and the validation code was not distributed separately. Hence, we implemented a hacky solution to import the entire project and then to call only the validation logic. Notably, this includes:

  • Installing all of Secvisogram's dependencies
  • Re-constructing and executing relevant parts of Secvisogram's custom build pipeline

Since then, this validation code has been decoupled and Secvisogram has been updated to use the csaf-validator-lib Node.js module (BSI-Bund/secvisogram#39 / BSI-Bund/secvisogram@4487b6b).

Benefits of making the switch include:

  • A more stable interface for us to bootstrap and use the dependency.
  • Reduced build pipeline complexity
  • Removed need for frontend build pipeline knowledge
  • Reduced attack surface from unneeded web frontend packages.

Implementation remarks

The current approach involves:

  • git submodule-ing https://github.com/BSI-Bund/secvisogram.git
  • Installing Secvisogram's dependencies and calling Babel as part of the build pipeline
  • Manually copying some non-JavaScript resources to the distribution directory
  • Importing validation logic from dist/shared/Core

In contrast, the new approach would involve:

  • git submodule-ing https://github.com/secvisogram/csaf-validator-lib.git
    Although the csaf-validator-lib README indicates to use git subtree, git submodule is better for explicitly linking two Git repositories together. In contrast, git subtree copies the Git history without any coupling to the source Git repository.
  • Installing csaf-validator-lib's production dependencies

This switch would also bring in the latest features and validation tests such as Test 6.3.8 ("Spell check", powered by the Hunspell spell checking library), which the BSI-Bund Git repository currently lacks.

Mitigating against NPM dependency confusion attacks

At time of writing, csaf-validator-lib is not published as an NPM package, hence the need to install this as a "local dependency". To mitigate against NPM dependency confusion attacks, it is important that the package.json dependency entry explicitly points to the local copy.
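As an added illustration (not code from this issue or from csaf-validator-lib), the check below classifies package.json dependency specs and reports any package that is expected to come from the vendored submodule but whose spec would instead be resolved from the public registry. It assumes the local pointer uses npm's `file:` protocol and that the submodule lives at `./csaf-validator-lib`; both package.json samples are constructed for the example.

```javascript
// Constructed sample: the weak form. If anyone ever published a package named
// csaf-validator-lib to the public registry, npm would fetch that instead.
const WEAK = {
  dependencies: { "csaf-validator-lib": "^1.0.0", ajv: "^8.0.0" },
};

// Constructed sample: the explicit form the issue asks for, pointing npm at the
// git submodule checkout so the registry is never consulted for this name.
const FIXED = {
  dependencies: { "csaf-validator-lib": "file:./csaf-validator-lib", ajv: "^8.0.0" },
};

// Classify a dependency spec by where npm would resolve it from.
function specKind(spec) {
  if (/^(file|link):/.test(spec)) return "local";        // path on disk
  if (/^npm:/.test(spec)) return "alias";                // still a registry package
  if (/^(git\+|git:|github:)/.test(spec)) return "git";  // git remote
  if (/^https?:\/\//.test(spec)) return "url";           // tarball or git over HTTP(S)
  return "registry";                                     // semver range or tag
}

// Return the names in `mustBeLocal` that are missing or not pinned to a local
// path, i.e. the ones still exposed to a registry look-up.
function unpinnedLocalDeps(pkg, mustBeLocal) {
  const all = {
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
    ...(pkg.optionalDependencies || {}),
  };
  return mustBeLocal.filter(
    (name) => !(name in all) || specKind(all[name]) !== "local",
  );
}

// Stand-alone run: report findings for both samples.
for (const [label, pkg] of [["WEAK", WEAK], ["FIXED", FIXED]]) {
  const bad = unpinnedLocalDeps(pkg, ["csaf-validator-lib"]);
  console.log(`${label}: ${bad.length ? "exposed: " + bad.join(", ") : "ok"}`);
}
```

In CI this check would run against the repository's real package.json, with the list of vendored names kept alongside the submodule configuration.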

We can achieve this "explicit pointer" requirement by leveraging package aliases, which was introduced in

This issue is to track switching over to csaf-validator-lib
