Merge commit '38c14b1a51b8dc17945041ee7deabe05389c7217' into chore/dependency-updates

Author: christopher-exx

csaf-validator-lib/README.md

@@ -313,8 +313,6 @@ The following tests are not yet implemented and therefore missing:
 
 - Mandatory Test 6.1.26
 - Mandatory Test 6.1.27.13
-- Mandatory Test 6.1.42
-- Mandatory Test 6.1.44
 - Mandatory Test 6.1.46
 - Mandatory Test 6.1.47
 - Mandatory Test 6.1.48
@@ -332,10 +330,6 @@ The following tests are not yet implemented and therefore missing:
 - Recommended Test 6.2.21
 - Recommended Test 6.2.24
 - Recommended Test 6.2.26
-- Recommended Test 6.2.27
-- Recommended Test 6.2.28
-- Recommended Test 6.2.29
-- Recommended Test 6.2.30
 - Recommended Test 6.2.31
 - Recommended Test 6.2.32
 - Recommended Test 6.2.33
@@ -429,7 +423,9 @@ export const mandatoryTest_6_1_38: DocumentTest
 export const mandatoryTest_6_1_39: DocumentTest
 export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
+export const mandatoryTest_6_1_42: DocumentTest
 export const mandatoryTest_6_1_43: DocumentTest
+export const mandatoryTest_6_1_44: DocumentTest
 export const mandatoryTest_6_1_45: DocumentTest
 export const mandatoryTest_6_1_51: DocumentTest
 export const mandatoryTest_6_1_52: DocumentTest
@@ -460,6 +456,10 @@ export const recommendedTest_6_2_18: DocumentTest
 export const recommendedTest_6_2_22: DocumentTest
 export const recommendedTest_6_2_23: DocumentTest
 export const recommendedTest_6_2_25: DocumentTest
+export const recommendedTest_6_2_27: DocumentTest
+export const recommendedTest_6_2_28: DocumentTest
+export const recommendedTest_6_2_29: DocumentTest
+export const recommendedTest_6_2_30: DocumentTest
 export const recommendedTest_6_2_43: DocumentTest
 ```
 
@@ -480,6 +480,7 @@ export const informativeTest_6_3_9: DocumentTest
 export const informativeTest_6_3_10: DocumentTest
 export const informativeTest_6_3_11: DocumentTest
 export const informativeTest_6_3_12: DocumentTest
+export const informativeTest_6_3_18: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)

csaf-validator-lib/csaf_2_1/informativeTests.js

@@ -12,3 +12,4 @@ export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.
 export { informativeTest_6_3_2 } from './informativeTests/informativeTest_6_3_2.js'
 export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
 export { informativeTest_6_3_12 } from './informativeTests/informativeTest_6_3_12.js'
+export { informativeTest_6_3_18 } from './informativeTests/informativeTest_6_3_18.js'

csaf-validator-lib/csaf_2_1/informativeTests/informativeTest_6_3_18.js

@@ -0,0 +1,76 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/**
+ * @typedef {object} MetricContent
+ * @property {string} [qualitative_severity_rating]
+ */
+
+/**
+ * @typedef {object} Metric
+ * @property {MetricContent} [content]
+ * @property {Array<string>} [products]
+ */
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    qualitative_severity_rating: {
+                      type: 'string',
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * For each item in metrics it MUST be tested that it does not use the qualitative severity rating.
+ * @param {any} doc
+ * @returns
+ */
+export function informativeTest_6_3_18(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  const vulnerabilities = doc.vulnerabilities
+
+  vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+    /** @type {Array<Metric> | undefined} */
+    const metrics = vulnerability.metrics
+    metrics?.forEach((metric, metricIndex) => {
+      if (metric?.content?.qualitative_severity_rating) {
+        ctx.infos.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/qualitative_severity_rating`,
+          message: 'qualitative_severity_rating object is present',
+        })
+      }
+    })
+  })
+
+  return ctx
+}

csaf-validator-lib/csaf_2_1/mandatoryTests.js

@@ -58,7 +58,9 @@ export { mandatoryTest_6_1_38 } from './mandatoryTests/mandatoryTests_6_1_38.js'
 export { mandatoryTest_6_1_39 } from './mandatoryTests/mandatoryTest_6_1_39.js'
 export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
+export { mandatoryTest_6_1_42 } from './mandatoryTests/mandatoryTest_6_1_42.js'
 export { mandatoryTest_6_1_43 } from './mandatoryTests/mandatoryTest_6_1_43.js'
+export { mandatoryTest_6_1_44 } from './mandatoryTests/mandatoryTest_6_1_44.js'
 export { mandatoryTest_6_1_45 } from './mandatoryTests/mandatoryTest_6_1_45.js'
 export { mandatoryTest_6_1_51 } from './mandatoryTests/mandatoryTest_6_1_51.js'
 export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'

csaf-validator-lib/csaf_2_1/mandatoryTests/mandatoryTest_6_1_42.js

@@ -0,0 +1,228 @@
+import { PackageURL } from 'packageurl-js'
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+const fullProductNameSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  optionalProperties: {
+    product_identification_helper: {
+      additionalProperties: true,
+      optionalProperties: {
+        purls: { elements: { type: 'string' } },
+      },
+    },
+  },
+})
+
+const branchSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  optionalProperties: {
+    branches: {
+      elements: {
+        additionalProperties: true,
+        properties: {},
+      },
+    },
+    product: fullProductNameSchema,
+  },
+})
+
+const validateBranch = ajv.compile(branchSchema)
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match, it normally means that the input
+  document does not validate against the csaf JSON schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  optionalProperties: {
+    product_tree: {
+      additionalProperties: true,
+      optionalProperties: {
+        branches: {
+          elements: branchSchema,
+        },
+        full_product_names: {
+          elements: fullProductNameSchema,
+        },
+        relationships: {
+          elements: {
+            additionalProperties: true,
+            optionalProperties: {
+              full_product_name: fullProductNameSchema,
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * @typedef {import('ajv/dist/core').JTDDataType<typeof branchSchema>} Branch
+ * @typedef {import('ajv/dist/core').JTDDataType<typeof fullProductNameSchema>} FullProductName
+ */
+
+/**
+ *
+ * @param {PackageURL | null} firstPurl
+ * @param {PackageURL | null} otherPurl
+ * @return {Array<string>} the parts of the PURLS that differ
+ */
+function purlPartsThatDifferExceptQualifiers(firstPurl, otherPurl) {
+  /** @type {Array<string>}*/
+  const partsThatDiffer = []
+
+  if (firstPurl && otherPurl) {
+    if (firstPurl.type !== otherPurl.type) {
+      partsThatDiffer.push('type')
+    }
+    if (firstPurl.namespace !== otherPurl.namespace) {
+      partsThatDiffer.push('namespace')
+    }
+    if (firstPurl.name !== otherPurl.name) {
+      partsThatDiffer.push('name')
+    }
+    if (firstPurl.version !== otherPurl.version) {
+      partsThatDiffer.push('version')
+    }
+  }
+  return partsThatDiffer
+}
+
+/**
+ * Validates all given PURLs and check whether the PURLs
+ * differ only in qualifiers to the first URL
+ *
+ * @param {Array<string> | undefined} purls PURLs to check
+ * @return {Array<{index:number, purlParts: Array<string> }>} indexes and parts of the PURLs that differ
+ */
+export function checkPurls(purls) {
+  /** @type {Array<{index:number, purlParts: Array<string> }>} */
+  const invalidPurls = []
+  if (purls) {
+    /** @type {Array<PackageURL | null>} */
+    const packageUrls = purls.map((purl) => {
+      try {
+        return PackageURL.fromString(purl)
+      } catch (e) {
+        // ignore, tested in CSAF 2.1 test 6.1.13
+        return null
+      }
+    })
+
+    /**
+     * @type {Array<PackageURL>}
+     */
+    if (packageUrls.length > 1) {
+      const firstPurl = packageUrls[0]
+      for (let i = 1; i < packageUrls.length; i++) {
+        /** @type {Array<string>}*/
+        const purlParts = purlPartsThatDifferExceptQualifiers(
+          firstPurl,
+          packageUrls[i]
+        )
+        if (purlParts.length > 0) {
+          invalidPurls.push({ index: i, purlParts: purlParts })
+        }
+      }
+    }
+  }
+  return invalidPurls
+}
+
+/**
+ * For each product_identification_helper object containing multiple purls,
+ * it MUST be tested that the purls only differ in their qualifiers.
+ *
+ * @param {unknown} doc
+ */
+export function mandatoryTest_6_1_42(doc) {
+  /*
+    The `ctx` variable holds the state that is accumulated during the test ran and is
+    finally returned by the function.
+   */
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (!validate(doc)) {
+    return ctx
+  }
+
+  doc.product_tree?.branches?.forEach((branch, index) => {
+    checkBranch(`/product_tree/branches/${index}`, branch)
+  })
+
+  doc.product_tree?.full_product_names?.forEach((fullProduceName, index) => {
+    checkFullProductName(
+      `/product_tree/full_product_names/${index}`,
+      fullProduceName
+    )
+  })
+
+  doc.product_tree?.relationships?.forEach((relationship, index) => {
+    const fullProductName = relationship.full_product_name
+    if (fullProductName) {
+      checkFullProductName(
+        `/product_tree/relationships/${index}/full_product_name`,
+        fullProductName
+      )
+    }
+  })
+
+  return ctx
+
+  /**
+   *  Check whether the PURLs only differ in their qualifiers for a full product name.
+   *
+   * @param {string} prefix The instance path prefix of the "full product name". It is
+   *    used to generate error messages.
+   * @param {FullProductName} fullProductName The "full product name" object.
+   */
+  function checkFullProductName(prefix, fullProductName) {
+    const invalidPurls = checkPurls(
+      fullProductName.product_identification_helper?.purls
+    )
+    invalidPurls.forEach((invalidPurl) => {
+      ctx.isValid = false
+      ctx.errors.push({
+        instancePath: `${prefix}/product_identification_helper/purls/${invalidPurl.index}`,
+        message: `the PURL differs from the first PURL in the following part(s): ${invalidPurl.purlParts.join()}`,
+      })
+    })
+  }
+
+  /**
+   * Check whether the PURLs only differ in their qualifiers for the given branch object
+   * and its branch children.
+   *
+   * @param {string} prefix The instance path prefix of the "branch". It is
+   *    used to generate error messages.
+   * @param {Branch} branch The "branch" object.
+   */
+  function checkBranch(prefix, branch) {
+    const invalidPurls = checkPurls(
+      branch.product?.product_identification_helper?.purls
+    )
+    invalidPurls.forEach((invalidPurl) => {
+      ctx.isValid = false
+      ctx.errors.push({
+        instancePath: `${prefix}/product/product_identification_helper/purls/${invalidPurl.index}`,
+        message: `the PURL differs from the first PURL in the following parts: ${invalidPurl.purlParts.join()}`,
+      })
+    })
+    branch.branches?.forEach((branch, index) => {
+      if (validateBranch(branch)) {
+        checkBranch(`${prefix}/branches/${index}`, branch)
+      }
+    })
+  }
+}