Merge pull request #254 from secvisogram/196-csaf-2.1_optional_test_6.2.25

196 csaf 2.1 optional test 6.2.25

Author: christopher-exx

README.md

@@ -332,7 +332,6 @@ The following tests are not yet implemented and therefore missing:
 - Recommended Test 6.2.20
 - Recommended Test 6.2.21
 - Recommended Test 6.2.24
-- Recommended Test 6.2.25
 - Recommended Test 6.2.26
 - Recommended Test 6.2.27
 - Recommended Test 6.2.28
@@ -461,6 +460,7 @@ export const recommendedTest_6_2_17: DocumentTest
 export const recommendedTest_6_2_18: DocumentTest
 export const recommendedTest_6_2_22: DocumentTest
 export const recommendedTest_6_2_23: DocumentTest
+export const recommendedTest_6_2_25: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)

csaf_2_1/recommendedTests.js

@@ -28,6 +28,7 @@ export { recommendedTest_6_2_19 } from './recommendedTests/recommendedTest_6_2_1
 export { recommendedTest_6_2_20 } from './recommendedTests/recommendedTest_6_2_20.js'
 export { recommendedTest_6_2_22 } from './recommendedTests/recommendedTest_6_2_22.js'
 export { recommendedTest_6_2_23 } from './recommendedTests/recommendedTest_6_2_23.js'
+export { recommendedTest_6_2_25 } from './recommendedTests/recommendedTest_6_2_25.js'
 export { recommendedTest_6_2_27 } from './recommendedTests/recommendedTest_6_2_27.js'
 export { recommendedTest_6_2_28 } from './recommendedTests/recommendedTest_6_2_28.js'
 export { recommendedTest_6_2_29 } from './recommendedTests/recommendedTest_6_2_29.js'

csaf_2_1/recommendedTests/recommendedTest_6_2_25.js

@@ -0,0 +1,87 @@
+import Ajv from 'ajv/dist/jtd.js'
+import { cwecMap } from '../../lib/cwec.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          cwes: {
+            elements: {
+              additionalProperties: true,
+              properties: {},
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+const cweSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    id: { type: 'string' },
+    version: { type: 'string' },
+    name: { type: 'string' },
+  },
+})
+
+const validateCWE = ajv.compile(cweSchema)
+
+/**
+ * This implements the recommended test 6.2.25 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export async function recommendedTest_6_2_25(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const warnings = []
+  const context = { warnings }
+
+  if (!validateInput(doc)) {
+    return context
+  }
+
+  for (let i = 0; i < doc.vulnerabilities.length; ++i) {
+    const vulnerability = doc.vulnerabilities[i]
+    if (vulnerability.cwes) {
+      for (let j = 0; j < vulnerability.cwes.length; ++j) {
+        const cwe = vulnerability.cwes.at(j)
+        if (validateCWE(cwe)) {
+          const cwec = cwecMap.get(cwe.version)
+          if (cwec) {
+            const entry = (await cwec()).default.weaknesses.find(
+              (w) => w.id === cwe.id
+            )
+            //NOTE: the usage property is not available in cwe version 4.11 and older
+            if (
+              entry?.usage !== 'Allowed' &&
+              entry?.usage !== 'Allowed-with-Review'
+            ) {
+              context.warnings.push({
+                instancePath: `/vulnerabilities/${i}/cwes/${j}/id`,
+                message:
+                  'the usage of the weakness with the given id is not allowed',
+              })
+            }
+          }
+        }
+      }
+    }
+  }
+
+  return context
+}

tests/csaf_2_1/oasis.js

@@ -36,7 +36,6 @@ const excluded = [
   '6.2.20',
   '6.2.21',
   '6.2.24',
-  '6.2.25',
   '6.2.26',
   '6.2.30',
   '6.2.31',

tests/csaf_2_1/recommendedTest_6_2_25.js

@@ -0,0 +1,33 @@
+import assert from 'node:assert'
+import { recommendedTest_6_2_25 } from '../../csaf_2_1/recommendedTests.js'
+
+describe('recommendedTest_6_2_25', function () {
+  it('only runs on relevant documents', async function () {
+    assert.equal(
+      (await recommendedTest_6_2_25({ vulnerabilities: 'mydoc' })).warnings
+        .length,
+      0
+    )
+  })
+  it('skips empty objects', async function () {
+    assert.equal(
+      (
+        await recommendedTest_6_2_25({
+          vulnerabilities: [
+            {
+              cwes: [
+                {
+                  id: 'CWE-20',
+                  name: 'Improper Input Validation',
+                  version: '4.13',
+                },
+              ],
+            },
+            {}, // should be ignored
+          ],
+        })
+      ).warnings.length,
+      1
+    )
+  })
+})