Merge pull request #171 from secvisogram/chore/update-dependencies

update dependencies

Author: domachine

backend/package-lock.json

@@ -311,14 +311,9 @@ The following tests are not yet implemented and therefore missing:
 
 **Mandatory Tests**
 
-- Mandatory Test 6.1.6
-- Mandatory Test 6.1.14
-- Mandatory Test 6.1.16
 - Mandatory Test 6.1.26
 - Mandatory Test 6.1.27.13
-- Mandatory Test 6.1.27.16
 - Mandatory Test 6.1.27.18
-- Mandatory Test 6.1.27.19
 - Mandatory Test 6.1.42
 - Mandatory Test 6.1.44
 - Mandatory Test 6.1.45
@@ -328,7 +323,6 @@ The following tests are not yet implemented and therefore missing:
 - Mandatory Test 6.1.49
 - Mandatory Test 6.1.50
 - Mandatory Test 6.1.51
-- Mandatory Test 6.1.52
 - Mandatory Test 6.1.53
 - Mandatory Test 6.1.54
 - Mandatory Test 6.1.55
@@ -339,7 +333,6 @@ The following tests are not yet implemented and therefore missing:
 - Recommended Test 6.2.19
 - Recommended Test 6.2.20
 - Recommended Test 6.2.21
-- Recommended Test 6.2.23
 - Recommended Test 6.2.24
 - Recommended Test 6.2.25
 - Recommended Test 6.2.26
@@ -366,7 +359,6 @@ The following tests are not yet implemented and therefore missing:
 
 **Informative Tests**
 
-- Informative Test 6.2.12
 - Informative Test 6.2.13
 - Informative Test 6.2.14
 - Informative Test 6.2.15
@@ -390,14 +382,17 @@ export const mandatoryTest_6_1_2: DocumentTest
 export const mandatoryTest_6_1_3: DocumentTest
 export const mandatoryTest_6_1_4: DocumentTest
 export const mandatoryTest_6_1_5: DocumentTest
+export const mandatoryTest_6_1_6: DocumentTest
 export const mandatoryTest_6_1_7: DocumentTest
 export const mandatoryTest_6_1_8: DocumentTest
 export const mandatoryTest_6_1_9: DocumentTest
 export const mandatoryTest_6_1_10: DocumentTest
 export const mandatoryTest_6_1_11: DocumentTest
 export const mandatoryTest_6_1_12: DocumentTest
 export const mandatoryTest_6_1_13: DocumentTest
+export const mandatoryTest_6_1_14: DocumentTest
 export const mandatoryTest_6_1_15: DocumentTest
+export const mandatoryTest_6_1_16: DocumentTest
 export const mandatoryTest_6_1_17: DocumentTest
 export const mandatoryTest_6_1_18: DocumentTest
 export const mandatoryTest_6_1_19: DocumentTest
@@ -421,7 +416,9 @@ export const mandatoryTest_6_1_27_11: DocumentTest
 export const mandatoryTest_6_1_27_12: DocumentTest
 export const mandatoryTest_6_1_27_14: DocumentTest
 export const mandatoryTest_6_1_27_15: DocumentTest
+export const mandatoryTest_6_1_27_16: DocumentTest
 export const mandatoryTest_6_1_27_17: DocumentTest
+export const mandatoryTest_6_1_27_19: DocumentTest
 export const mandatoryTest_6_1_28: DocumentTest
 export const mandatoryTest_6_1_29: DocumentTest
 export const mandatoryTest_6_1_30: DocumentTest
@@ -437,6 +434,7 @@ export const mandatoryTest_6_1_39: DocumentTest
 export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
 export const mandatoryTest_6_1_43: DocumentTest
+export const mandatoryTest_6_1_52: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)
@@ -462,6 +460,7 @@ export const recommendedTest_6_2_16: DocumentTest
 export const recommendedTest_6_2_17: DocumentTest
 export const recommendedTest_6_2_18: DocumentTest
 export const recommendedTest_6_2_22: DocumentTest
+export const recommendedTest_6_2_23: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)
@@ -480,6 +479,7 @@ export const informativeTest_6_3_8: DocumentTest
 export const informativeTest_6_3_9: DocumentTest
 export const informativeTest_6_3_10: DocumentTest
 export const informativeTest_6_3_11: DocumentTest
+export const informativeTest_6_3_12: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)

csaf-validator-lib/README.md

@@ -11,3 +11,4 @@ export {
 export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
 export { informativeTest_6_3_2 } from './informativeTests/informativeTest_6_3_2.js'
 export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
+export { informativeTest_6_3_12 } from './informativeTests/informativeTest_6_3_12.js'

csaf-validator-lib/csaf_2_1/informativeTests.js

@@ -0,0 +1,96 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/**
+ * @typedef {object} MetricContent
+ * @property {object} [cvss_v2]
+ * @property {string} [cvss_v2.version]
+ * @property {object} [cvss_v3]
+ * @property {string} [cvss_v3.version]
+ * @property {object} [cvss_v4]
+ * @property {string} [cvss_v4.version]
+ */
+
+/**
+ * @typedef {object} Metric
+ * @property {MetricContent} [content]
+ * @property {Array<string>} [products]
+ */
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    cvss_v2: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        version: { type: 'string' },
+                      },
+                    },
+                    cvss_v3: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        version: { type: 'string' },
+                      },
+                    },
+                    cvss_v4: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        version: { type: 'string' },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * For each item in the list of metrics, it MUST be tested that a cvss_v4 object is present.
+ * @param {unknown} doc
+ * @returns
+ */
+export function informativeTest_6_3_12(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  const vulnerabilities = doc.vulnerabilities
+
+  vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+    /** @type {Array<Metric> | undefined} */
+    const metrics = vulnerability.metrics
+    metrics?.forEach((metric, metricIndex) => {
+      if (!metric?.content?.cvss_v4) {
+        ctx.infos.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v4`,
+          message: `cvss_v4 object is not present`,
+        })
+      }
+    })
+  })
+
+  return ctx
+}

csaf-validator-lib/csaf_2_1/informativeTests/informativeTest_6_3_12.js

@@ -3,9 +3,10 @@ export {
   mandatoryTest_6_1_3,
   mandatoryTest_6_1_4,
   mandatoryTest_6_1_5,
-  mandatoryTest_6_1_6,
   mandatoryTest_6_1_12,
+  mandatoryTest_6_1_14,
   mandatoryTest_6_1_15,
+  mandatoryTest_6_1_16,
   mandatoryTest_6_1_17,
   mandatoryTest_6_1_18,
   mandatoryTest_6_1_19,
@@ -35,6 +36,7 @@ export {
   mandatoryTest_6_1_33,
 } from '../mandatoryTests.js'
 export { mandatoryTest_6_1_1 } from './mandatoryTests/mandatoryTest_6_1_1.js'
+export { mandatoryTest_6_1_6 } from './mandatoryTests/mandatoryTest_6_1_6.js'
 export { mandatoryTest_6_1_7 } from './mandatoryTests/mandatoryTest_6_1_7.js'
 export { mandatoryTest_6_1_8 } from './mandatoryTests/mandatoryTest_6_1_8.js'
 export { mandatoryTest_6_1_9 } from './mandatoryTests/mandatoryTest_6_1_9.js'
@@ -44,7 +46,9 @@ export { mandatoryTest_6_1_13 } from './mandatoryTests/mandatoryTest_6_1_13.js'
 export { mandatoryTest_6_1_27_12 } from './mandatoryTests/mandatoryTest_6_1_27_12.js'
 export { mandatoryTest_6_1_27_14 } from './mandatoryTests/mandatoryTest_6_1_27_14.js'
 export { mandatoryTest_6_1_27_15 } from './mandatoryTests/mandatoryTest_6_1_27_15.js'
+export { mandatoryTest_6_1_27_16 } from './mandatoryTests/mandatoryTest_6_1_27_16.js'
 export { mandatoryTest_6_1_27_17 } from './mandatoryTests/mandatoryTest_6_1_27_17.js'
+export { mandatoryTest_6_1_27_19 } from './mandatoryTests/mandatoryTest_6_1_27_19.js'
 export { mandatoryTest_6_1_34 } from './mandatoryTests/mandatoryTest_6_1_34.js'
 export { mandatoryTest_6_1_35 } from './mandatoryTests/mandatoryTest_6_1_35.js'
 export { mandatoryTest_6_1_36 } from './mandatoryTests/mandatoryTest_6_1_36.js'
@@ -54,3 +58,4 @@ export { mandatoryTest_6_1_39 } from './mandatoryTests/mandatoryTest_6_1_39.js'
 export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
 export { mandatoryTest_6_1_43 } from './mandatoryTests/mandatoryTest_6_1_43.js'
+export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'

csaf-validator-lib/csaf_2_1/mandatoryTests.js

@@ -75,7 +75,7 @@ function collectProductIdRefs({ document }) {
       if (productRef) {
         entries.push({
           id: productRef,
-          instancePath: `/product_tree/relationships/${i}/product_reference`,
+          instancePath: '/product_tree/relationships/${i}/product_reference',
         })
       }
       const relToProductRef = relationshipGroup.relates_to_product_reference

csaf-validator-lib/csaf_2_1/mandatoryTests/mandatoryTest_6_1_1.js

@@ -0,0 +1,69 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        category: {
+          type: 'string',
+        },
+        tracking: {
+          additionalProperties: true,
+          properties: {
+            revision_history: {
+              elements: {
+                additionalProperties: true,
+                properties: {},
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * This implements the mandatory test 6.1.27.16 of the CSAF 2.1 standard.
+ *
+ * @param {unknown} doc
+ */
+export function mandatoryTest_6_1_27_16(doc) {
+  /*
+    The `ctx` variable holds the state that is accumulated during the test ran and is
+    finally returned by the function.
+   */
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (
+    !validate(doc) ||
+    !['csaf_withdrawn', 'csaf_superseded'].includes(doc.document.category)
+  )
+    return ctx
+
+  if (doc.document.tracking.revision_history.length < 2) {
+    ctx.isValid = false
+    ctx.errors.push({
+      instancePath: `/document/tracking/revision_history`,
+      message: 'needs at least two entries for the specified document category',
+    })
+  }
+
+  return ctx
+}