SSVC

- addresses parts of #803
- add test 6.1.49 for inconsistent SSVC timestamp
- add invalid examples
- add valid examples

Author: tschmidtb51

csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md

@@ -41,4 +41,4 @@ The relevant path for this test is:
   ]
 ```
 
-> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the date of newest item in the `revision_history`.
+> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the `date` of newest item in the `revision_history`.

csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md

@@ -0,0 +1,66 @@
+### Inconsistent SSVC Timestamp
+
+For each vulnerability, it MUST be tested that the SSVC `timestamp` is earlier or equal to the `date` of the newest item of the `revision_history`
+if the document status is `final` or `interim`.
+As the timestamps might use different timezones, the sorting MUST take timezones into account.
+
+The relevant path for this test is:
+
+```
+    /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "document": {
+    // ...
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    // ...
+    "tracking": {
+      // ...
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      // ...
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0001",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
+                  "values": [
+                    "Active"
+                  ],
+                  "version": "1.1.0"
+                }
+              ],
+              "timestamp": "2024-07-13T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The document is in status `final` but the SSVC `timestamp` is newer than the `date` of newest item in the `revision_history`.

csaf_2.1/prose/edit/src/tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md

@@ -13,7 +13,7 @@
       "name": "OASIS CSAF TC",
       "namespace": "https://csaf.io"
     },
-    "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 1)",
+    "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 1)",
     "tracking": {
       "current_release_date": "2024-01-24T10:00:00.000Z",
       "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-01",
@@ -48,15 +48,15 @@
               "schemaVersion": "1-0-1",
               "selections": [
                 {
-                  "name": "Mission Impact",
-                  "namespace": "SSVC",
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
                   "values": [
-                    "None"
+                    "Active"
                   ],
-                  "version": "1.0.0"
+                  "version": "1.1.0"
                 }
               ],
-              "timestamp": "2024-01-24T10:00:00.000Z"
+              "timestamp": "2024-07-13T10:00:00.000Z"
             }
           },
           "products": [

csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-01.json

@@ -13,20 +13,25 @@
       "name": "OASIS CSAF TC",
       "namespace": "https://csaf.io"
     },
-    "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (failing example 2)",
+    "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 2)",
     "tracking": {
-      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "current_release_date": "2024-02-29T10:00:00.000Z",
       "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-02",
       "initial_release_date": "2024-01-24T10:00:00.000Z",
       "revision_history": [
         {
           "date": "2024-01-24T10:00:00.000Z",
           "number": "1",
           "summary": "Initial version."
+        },
+        {
+          "date": "2024-02-29T10:00:00.000Z",
+          "number": "2",
+          "summary": "Second version."
         }
       ],
       "status": "final",
-      "version": "1"
+      "version": "2"
     }
   },
   "product_tree": {
@@ -48,15 +53,15 @@
               "schemaVersion": "1-0-1",
               "selections": [
                 {
-                  "name": "Attack Complexity",
-                  "namespace": "CVSS",
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
                   "values": [
-                    "Low"
+                    "Public PoC"
                   ],
-                  "version": "3.0.1"
+                  "version": "1.1.0"
                 }
               ],
-              "timestamp": "2024-01-24T10:00:00.000Z"
+              "timestamp": "2024-02-28T14:30:00.000-20:00"
             }
           },
           "products": [

csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-02.json

@@ -0,0 +1,74 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Mandatory test: Inconsistent SSVC Timestamp (failing example 3)",
+    "tracking": {
+      "current_release_date": "2024-02-29T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-03",
+      "initial_release_date": "2024-01-24T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        },
+        {
+          "date": "2024-02-29T10:00:00.000Z",
+          "number": "2",
+          "summary": "Second version."
+        }
+      ],
+      "status": "final",
+      "version": "2"
+    }
+  },
+  "product_tree": {
+    "full_product_names": [
+      {
+        "product_id": "CSAFPID-9080700",
+        "name": "Product A"
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0001",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
+                  "values": [
+                    "Public PoC"
+                  ],
+                  "version": "1.1.0"
+                }
+              ],
+              "timestamp": "2024-02-29T14:30:00.000+04:00"
+            }
+          },
+          "products": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]
+    }
+  ]
+}

csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-03.json

@@ -13,7 +13,7 @@
       "name": "OASIS CSAF TC",
       "namespace": "https://csaf.io"
     },
-    "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 1)",
+    "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 1)",
     "tracking": {
       "current_release_date": "2024-01-24T10:00:00.000Z",
       "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-11",
@@ -48,12 +48,12 @@
               "schemaVersion": "1-0-1",
               "selections": [
                 {
-                  "name": "Mission Impact",
+                  "name": "Exploitation",
                   "namespace": "ssvc",
                   "values": [
-                    "None"
+                    "Active"
                   ],
-                  "version": "1.0.0"
+                  "version": "1.1.0"
                 }
               ],
               "timestamp": "2024-01-24T10:00:00.000Z"

csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-49-11.json

@@ -13,20 +13,25 @@
       "name": "OASIS CSAF TC",
       "namespace": "https://csaf.io"
     },
-    "title": "Mandatory test: Prohibited SSVC Decision Point Namespace (valid example 2)",
+    "title": "Mandatory test: Inconsistent SSVC Timestamp (valid example 2)",
     "tracking": {
-      "current_release_date": "2024-01-24T10:00:00.000Z",
+      "current_release_date": "2024-02-29T10:00:00.000Z",
       "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-49-12",
       "initial_release_date": "2024-01-24T10:00:00.000Z",
       "revision_history": [
         {
           "date": "2024-01-24T10:00:00.000Z",
           "number": "1",
           "summary": "Initial version."
+        },
+        {
+          "date": "2024-02-29T10:00:00.000Z",
+          "number": "2",
+          "summary": "Second version."
         }
       ],
       "status": "final",
-      "version": "1"
+      "version": "2"
     }
   },
   "product_tree": {
@@ -48,15 +53,15 @@
               "schemaVersion": "1-0-1",
               "selections": [
                 {
-                  "name": "Attack Complexity",
-                  "namespace": "cvss",
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
                   "values": [
-                    "Low"
+                    "Public PoC"
                   ],
-                  "version": "3.0.1"
+                  "version": "1.1.0"
                 }
               ],
-              "timestamp": "2024-01-24T10:00:00.000Z"
+              "timestamp": "2024-02-28T14:30:00.000-19:00"
             }
           },
           "products": [