secvisogram · christopher-exx · Jun 17, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 25, 2025
diff --git a/README.md b/README.md
@@ -315,7 +315,6 @@ The following tests are not yet implemented and therefore missing:
 - Mandatory Test 6.1.27.13
 - Mandatory Test 6.1.42
 - Mandatory Test 6.1.44
-- Mandatory Test 6.1.46
 - Mandatory Test 6.1.47
 - Mandatory Test 6.1.48
 - Mandatory Test 6.1.49
@@ -434,6 +433,7 @@ export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
 export const mandatoryTest_6_1_43: DocumentTest
 export const mandatoryTest_6_1_45: DocumentTest
+export const mandatoryTest_6_1_46: DocumentTest
 export const mandatoryTest_6_1_52: DocumentTest
 ```
 

diff --git a/csaf_2_1/mandatoryTests.js b/csaf_2_1/mandatoryTests.js
@@ -60,4 +60,5 @@ export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
 export { mandatoryTest_6_1_43 } from './mandatoryTests/mandatoryTest_6_1_43.js'
 export { mandatoryTest_6_1_45 } from './mandatoryTests/mandatoryTest_6_1_45.js'
+export { mandatoryTest_6_1_46 } from './mandatoryTests/mandatoryTest_6_1_46.js'
 export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'
diff --git a/csaf_2_1/mandatoryTests/mandatoryTest_6_1_46.js b/csaf_2_1/mandatoryTests/mandatoryTest_6_1_46.js
@@ -0,0 +1,85 @@
+import Ajv from 'ajv/dist/jtd.js'
+import csafAjv from '../csafAjv.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    ssvc_v2: {
+                      additionalProperties: true,
+                      properties: {},
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+const validate_ssvc_v2 = csafAjv.compile({
+  $ref: 'https://certcc.github.io/SSVC/data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json',
+})
+
+/**
+ * This implements the mandatory test 6.1.46 of the CSAF 2.1 standard.
+ *
+ * @param {unknown} doc
+ */
+export function mandatoryTest_6_1_46(doc) {
+  /*
+  The `ctx` variable holds the state that is accumulated during the test ran and is
+  finally returned by the function.
+ */
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+    vulnerability.metrics?.forEach((metric, metricIndex) => {
+      if (metric.content?.ssvc_v2) {
+        const valid = validate_ssvc_v2(metric.content.ssvc_v2)
+        if (!valid) {
+          ctx.isValid = false
+          for (const err of validate_ssvc_v2.errors ?? []) {
+            ctx.errors.push({
+              instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v2${err.instancePath}`,
+              message: err.message ?? '',
+            })
+          }
+        }
+      }
+    })
+  })
+
+  return ctx
+}
diff --git a/tests/csaf_2_1/mandatoryTest_6_1_46.js b/tests/csaf_2_1/mandatoryTest_6_1_46.js
@@ -0,0 +1,35 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_46 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_46.js'
+import { expect } from 'chai'
+
+const failingInputSchemaTestWithEmptyVulnerability6_1_46 = {
+  vulnerabilities: [
+    {}, // even this vulnerability is empty, the test should run
+    {
+      cve: 'CVE-1900-0001',
+      metrics: [
+        {
+          content: {
+            ssvc_v2: {
+              schemaVersion: '2.0.0',
+              timestamp: '2024-01-24T10:00:00.000Z',
+            },
+          },
+          products: ['CSAFPID-9080700'],
+        },
+      ],
+    },
+  ],
+}
+
+describe('mandatoryTest_6_1_46', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_46({ document: 'mydoc' }).isValid, true)
+  })
+  it('test input schema with empty json object in vulnerabilities', async function () {
+    const result = mandatoryTest_6_1_46(
+      failingInputSchemaTestWithEmptyVulnerability6_1_46
+    )
+    expect(result.errors.length).to.eq(1)
+  })
+})
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -21,7 +21,6 @@ const excluded = [
   '6.1.37',
   '6.1.42',
   '6.1.44',
-  '6.1.46',
   '6.1.47',
   '6.1.48',
   '6.1.49',