Merge branch 'main' into 316-mandatory-test-6.1.27.14

Author: domachine

README.md

@@ -311,8 +311,6 @@ The following tests are not yet implemented and therefore missing:
 
 **Mandatory Tests**
 
-- Mandatory Test 6.1.7
-- Mandatory Test 6.1.10
 - Mandatory Test 6.1.14
 - Mandatory Test 6.1.16
 - Mandatory Test 6.1.27.12
@@ -394,8 +392,10 @@ export const mandatoryTest_6_1_3: DocumentTest
 export const mandatoryTest_6_1_4: DocumentTest
 export const mandatoryTest_6_1_5: DocumentTest
 export const mandatoryTest_6_1_6: DocumentTest
+export const mandatoryTest_6_1_7: DocumentTest
 export const mandatoryTest_6_1_8: DocumentTest
 export const mandatoryTest_6_1_9: DocumentTest
+export const mandatoryTest_6_1_10: DocumentTest
 export const mandatoryTest_6_1_11: DocumentTest
 export const mandatoryTest_6_1_12: DocumentTest
 export const mandatoryTest_6_1_13: DocumentTest

csaf

@@ -1,5 +1,4 @@
 export {
-  informativeTest_6_3_2,
   informativeTest_6_3_3,
   informativeTest_6_3_5,
   informativeTest_6_3_6,
@@ -11,3 +10,4 @@ export {
 } from '../informativeTests.js'
 export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
 export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
+export { informativeTest_6_3_2 } from './informativeTests/informativeTest_6_3_2.js'

csaf_2_1/informativeTests.js

@@ -0,0 +1,72 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    cvss_v3: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        version: { type: 'string' },
+                        vectorString: { type: 'string' },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * For each item in the list of metrics which contains the cvss_v3 object under
+ * content it MUST be tested that CVSS v3.0 is not used.
+ * @param {unknown} doc
+ * @returns
+ */
+export function informativeTest_6_3_2(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  doc.vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+    const metrics = vulnerability.metrics
+    metrics?.forEach((metric, metricIndex) => {
+      if (metric.content?.cvss_v3) {
+        if (
+          metric.content.cvss_v3.version === '3.0' ||
+          metric.content.cvss_v3.vectorString?.startsWith('CVSS:3.0')
+        ) {
+          ctx.infos.push({
+            instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v3/version`,
+            message: 'It is recommended to upgrade to CVSS v3.1.',
+          })
+        }
+      }
+    })
+  })
+
+  return ctx
+}

csaf_2_1/informativeTests/informativeTest_6_3_2.js

@@ -35,9 +35,11 @@ export {
   mandatoryTest_6_1_33,
 } from '../mandatoryTests.js'
 export { mandatoryTest_6_1_1 } from './mandatoryTests/mandatoryTest_6_1_1.js'
+export { mandatoryTest_6_1_7 } from './mandatoryTests/mandatoryTest_6_1_7.js'
 export { mandatoryTest_6_1_8 } from './mandatoryTests/mandatoryTest_6_1_8.js'
 export { mandatoryTest_6_1_11 } from './mandatoryTests/mandatoryTest_6_1_11.js'
 export { mandatoryTest_6_1_13 } from './mandatoryTests/mandatoryTest_6_1_13.js'
+export { mandatoryTest_6_1_10 } from './mandatoryTests/mandatoryTest_6_1_10.js'
 export { mandatoryTest_6_1_27_14 } from './mandatoryTests/mandatoryTest_6_1_27_14.js'
 export { mandatoryTest_6_1_34 } from './mandatoryTests/mandatoryTest_6_1_34.js'
 export { mandatoryTest_6_1_35 } from './mandatoryTests/mandatoryTest_6_1_35.js'

csaf_2_1/mandatoryTests.js

@@ -0,0 +1,237 @@
+import * as cvss2 from '../../lib/shared/cvss2.js'
+import * as cvss3 from '../../lib/shared/cvss3.js'
+import * as cvss4 from '../../lib/shared/cvss4.js'
+import Ajv from 'ajv/dist/jtd.js'
+
+/** @typedef {import('ajv/dist/jtd.js').JTDDataType<typeof inputSchema>} InputSchema */
+
+/** @typedef {InputSchema['vulnerabilities'][number]} Vulnerability */
+
+/** @typedef {NonNullable<Vulnerability['metrics']>[number]} Metric */
+
+/** @typedef {NonNullable<Metric['content']>} MetricContent */
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    cvss_v2: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        vectorString: { type: 'string' },
+                        version: { type: 'string' },
+                      },
+                    },
+                    cvss_v3: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        vectorString: { type: 'string' },
+                        version: { type: 'string' },
+                      },
+                    },
+                    cvss_v4: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        vectorString: { type: 'string' },
+                        version: { type: 'string' },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+const ajv = new Ajv()
+const validateInput = ajv.compile(inputSchema)
+
+/** @type {  Record<string, { jsonName:string, optionsByKey:Record<string, string>}>} */
+const cvssV3MappingByMetricKey = Object.fromEntries(
+  cvss3.mapping.map((mapping) => {
+    return [
+      mapping[1],
+      {
+        jsonName: mapping[0],
+        optionsByKey: Object.fromEntries(
+          Object.entries(mapping[2]).map(([key, value]) => [value, key])
+        ),
+      },
+    ]
+  })
+)
+
+/** @type {  Record<string, { jsonName:string, optionsByKey:Record<string, string>}>} */
+const cvssV2MappingByMetricKey = Object.fromEntries(
+  cvss2.mapping.map((mapping) => {
+    return [
+      mapping[1],
+      {
+        jsonName: mapping[0],
+        optionsByKey: Object.fromEntries(
+          Object.entries(mapping[2]).map(([key, value]) => [value.id, key])
+        ),
+      },
+    ]
+  })
+)
+
+/**
+ * @param {{optionName: string, optionValue: string, optionKey: string}[]} optionsArray
+ * @return {Record<string, string>}
+ */
+function convertOptionsArrayToObject(optionsArray) {
+  /** @type {Record<string, string>} */
+  const result = {}
+  optionsArray.forEach((option) => {
+    result[option.optionKey] = option.optionValue
+  })
+  return result
+}
+
+/** @type {  Record<string, { jsonName:string, optionsByKey:Record<string, string>}>} */
+const cvssV4MappingByMetricKey = Object.fromEntries(
+  cvss4.flatMetrics.map((flatMetric) => {
+    return [
+      flatMetric.metricShort,
+      {
+        jsonName: flatMetric.jsonName,
+        optionsByKey: convertOptionsArrayToObject(flatMetric.options),
+      },
+    ]
+  })
+)
+
+/**
+ * @param {Metric} metric
+ */
+function validateCvss2(metric) {
+  if (typeof metric.content?.cvss_v2?.vectorString === 'string') {
+    return validateCVSSAttributes(
+      cvssV2MappingByMetricKey,
+      metric.content.cvss_v2
+    )
+  } else {
+    return []
+  }
+}
+
+/**
+ * @param {Metric} metric
+ */
+function validateCvss3(metric) {
+  if (
+    typeof metric?.content?.cvss_v3?.vectorString === 'string' &&
+    (metric.content.cvss_v3.version === '3.1' ||
+      metric.content.cvss_v3.version === '3.0')
+  ) {
+    return validateCVSSAttributes(
+      cvssV3MappingByMetricKey,
+      metric.content.cvss_v3
+    )
+  } else {
+    return []
+  }
+}
+
+/**
+ * @param {Metric} metric
+ */
+function validateCvss4(metric) {
+  if (typeof metric?.content?.cvss_v4?.vectorString === 'string') {
+    return validateCVSSAttributes(
+      cvssV4MappingByMetricKey,
+      metric.content.cvss_v4
+    )
+  } else {
+    return []
+  }
+}
+
+/**
+ * @param {unknown} doc
+ */
+export function mandatoryTest_6_1_10(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const errors = []
+
+  if (!validateInput(doc)) {
+    return { errors, isValid: true }
+  }
+
+  if (Array.isArray(doc.vulnerabilities)) {
+    /** @type {Array<Vulnerability>} */
+    const vulnerabilities = doc.vulnerabilities
+    vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+      if (!Array.isArray(vulnerability.metrics)) return
+      /** @type {Array<Metric>} */
+      const metrics = vulnerability.metrics
+      metrics.forEach((metric, metricIndex) => {
+        validateCvss2(metric).forEach((attributeKey) => {
+          errors.push({
+            instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v2/${attributeKey}`,
+            message: 'value is not consistent with the vector string',
+          })
+        })
+
+        validateCvss3(metric).forEach((attributeKey) => {
+          errors.push({
+            instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v3/${attributeKey}`,
+            message: 'value is not consistent with the vector string',
+          })
+        })
+
+        validateCvss4(metric).forEach((attributeKey) => {
+          errors.push({
+            instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/cvss_v4/${attributeKey}`,
+            message: 'value is not consistent with the vector string',
+          })
+        })
+      })
+    })
+  }
+
+  return { errors, isValid: errors.length === 0 }
+}
+
+/**
+ * validate the cvss vector against the cvss properties
+ * @param {Record<string, { jsonName:string, optionsByKey:Record<string, string>}>}mappingByMetricKey cvss version specific mapping
+ * @param {Record<string, unknown>} cvss cvss object
+
+ */
+function validateCVSSAttributes(mappingByMetricKey, cvss) {
+  const vectorString = /** @type {string} */ (cvss.vectorString)
+  const vectorValues = vectorString.split('/').slice(1)
+  /**
+   * @type {string[]}
+   */
+  const invalidKeys = []
+  vectorValues.forEach((vectorValue) => {
+    const [vectorMetricKey, vectorOptionKey] = vectorValue.split(':')
+    const mapping = mappingByMetricKey[vectorMetricKey]
+    if (mapping) {
+      const metricOptionValue = cvss[mapping.jsonName]
+      if (typeof metricOptionValue == 'string') {
+        const expectedOptionValue = mapping.optionsByKey[vectorOptionKey]
+        if (metricOptionValue !== expectedOptionValue) {
+          invalidKeys.push(mapping.jsonName)
+        }
+      }
+    }
+  })
+  return invalidKeys
+}