From ec2662979bdafbb92bdfc8b4a157b129e9f79445 Mon Sep 17 00:00:00 2001
From: bendo-eXX
Date: Mon, 6 Oct 2025 14:39:48 +0200
Subject: [PATCH] feat(CSAF2.1): #302 add recommendedTest_6_2_20.js
---
 README.md | 2 +-
 csaf_2_1/csafAjv.js | 6 ++---
 csaf_2_1/csafAjv/cvss-v2.0.js | 1 +
 csaf_2_1/csafAjv/cvss-v3.0.js | 1 +
 csaf_2_1/csafAjv/cvss-v3.1.js | 1 +
 csaf_2_1/csafAjv/cvss-v4.0.js | 7 ++++++
 .../recommendedTest_6_2_20.js | 25 +++++++++++++++++--
 tests/csaf_2_1/oasis.js | 1 -
 8 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 6f4f9297..dbbe55f7 100644
--- a/README.md
+++ b/README.md
@@ -330,7 +330,6 @@ The following tests are not yet implemented and therefore missing:

 - Recommended Test 6.2.11
 - Recommended Test 6.2.19
-- Recommended Test 6.2.20
 - Recommended Test 6.2.21
 - Recommended Test 6.2.24
 - Recommended Test 6.2.25
@@ -459,6 +458,7 @@ export const recommendedTest_6_2_15: DocumentTest
 export const recommendedTest_6_2_16: DocumentTest
 export const recommendedTest_6_2_17: DocumentTest
 export const recommendedTest_6_2_18: DocumentTest
+export const recommendedTest_6_2_20: DocumentTest
 export const recommendedTest_6_2_22: DocumentTest
 export const recommendedTest_6_2_23: DocumentTest
 ```
diff --git a/csaf_2_1/csafAjv.js b/csaf_2_1/csafAjv.js
index 833f8bb0..f37d48f2 100644
--- a/csaf_2_1/csafAjv.js
+++ b/csaf_2_1/csafAjv.js
@@ -1,8 +1,8 @@
 import addFormats from 'ajv-formats'
 import Ajv2020 from 'ajv/dist/2020.js'
-import cvss_v2_0 from '../schemas/cvss-v2.0.js'
-import cvss_v3_0 from '../schemas/cvss-v3.0.js'
-import cvss_v3_1 from '../schemas/cvss-v3.1.js'
+import cvss_v2_0 from './csafAjv/cvss-v2.0.js'
+import cvss_v3_0 from './csafAjv/cvss-v3.0.js'
+import cvss_v3_1 from './csafAjv/cvss-v3.1.js'
 import cvss_v4_0 from './csafAjv/cvss-v4.0.js'
 import meta from './csafAjv/meta.js'
 import formatAssertion from './csafAjv/format-assertion.js'
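Review bot: The three CVSS imports in `csaf_2_1/csafAjv.js` now resolve to the local `./csafAjv/cvss-v*.js` copies, which this same patch closes with `additionalProperties: false`, so the stricter CVSS schemas apply to every validator compiled from the shared `csafAjv` instance and not only to recommended test 6.2.20. If other CSAF 2.1 tests resolve the CVSS schemas through this instance (not visible in the patch), an unknown property inside a CVSS object would presumably stop being a 6.2.20 warning and become a failure there. A comment above the imports would record the intent, for example `// local CVSS copies reject unknown properties; this affects every validator compiled from this instance`. A regression fixture with one extra CVSS property would show which tests report it.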
diff --git a/csaf_2_1/csafAjv/cvss-v2.0.js b/csaf_2_1/csafAjv/cvss-v2.0.js
index cf791137..4833f1ce 100644
--- a/csaf_2_1/csafAjv/cvss-v2.0.js
+++ b/csaf_2_1/csafAjv/cvss-v2.0.js
@@ -24,6 +24,7 @@ export default {
 title: 'JSON Schema for Common Vulnerability Scoring System version 2.0',
 $id: 'https://www.first.org/cvss/cvss-v2.0.json?20170531',
 type: 'object',
+ additionalProperties: false,
 $defs: {
 accessVectorType: {
 type: 'string',
diff --git a/csaf_2_1/csafAjv/cvss-v3.0.js b/csaf_2_1/csafAjv/cvss-v3.0.js
index c46f4ef2..f7c4e7cf 100644
--- a/csaf_2_1/csafAjv/cvss-v3.0.js
+++ b/csaf_2_1/csafAjv/cvss-v3.0.js
@@ -24,6 +24,7 @@ export default {
 title: 'JSON Schema for Common Vulnerability Scoring System version 3.0',
 $id: 'https://www.first.org/cvss/cvss-v3.0.json?20170531',
 type: 'object',
+ additionalProperties: false,
 $defs: {
 attackVectorType: {
 type: 'string',
diff --git a/csaf_2_1/csafAjv/cvss-v3.1.js b/csaf_2_1/csafAjv/cvss-v3.1.js
index d4b86cee..d6d0eefc 100644
--- a/csaf_2_1/csafAjv/cvss-v3.1.js
+++ b/csaf_2_1/csafAjv/cvss-v3.1.js
@@ -25,6 +25,7 @@ export default {
 title: 'JSON Schema for Common Vulnerability Scoring System version 3.1',
 $id: 'https://www.first.org/cvss/cvss-v3.1.json?20190610',
 type: 'object',
+ additionalProperties: false,
 $defs: {
 attackVectorType: {
 type: 'string',
diff --git a/csaf_2_1/csafAjv/cvss-v4.0.js b/csaf_2_1/csafAjv/cvss-v4.0.js
index 4bf575fc..feef2db5 100644
--- a/csaf_2_1/csafAjv/cvss-v4.0.js
+++ b/csaf_2_1/csafAjv/cvss-v4.0.js
@@ -25,6 +25,7 @@ export default {
 title: 'JSON Schema for Common Vulnerability Scoring System version 4.0',
 $id: 'https://www.first.org/cvss/cvss-v4.0.json?20240216',
 type: 'object',
+ additionalProperties: false,
 definitions: {
 attackVectorType: {
 type: 'string',
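Review bot: The local CVSS schema copies keep the upstream `$id` and `title` while the added `additionalProperties: false` makes them deviate from the schema those identifiers name, and nothing in the files says so. This applies to the `cvss-v2.0.js` hunk and equally to the `cvss-v3.0.js`, `cvss-v3.1.js` and both `cvss-v4.0.js` hunks, the second of which also adds six score and severity properties. A comment next to the added line, such as `// CSAF strict variant: deviates from the upstream schema by rejecting unknown properties`, would keep a later re-sync from upstream from silently reopening the schema. Because the keyword only accepts names declared in the `properties` of the same schema object, which lie outside these hunks, it is worth confirming that every property the upstream revision defines is listed, otherwise valid CVSS data is reported as an additional property.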
@@ -190,6 +191,12 @@ export default {
 pattern:
 '^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$',
 },
+ baseScore: { $ref: '#/definitions/noneScoreType' },
+ baseSeverity: { $ref: '#/definitions/noneSeverityType' },
+ threatScore: { $ref: '#/definitions/noneScoreType' },
+ threatSeverity: { $ref: '#/definitions/noneSeverityType' },
+ environmentalScore: { $ref: '#/definitions/noneScoreType' },
+ environmentalSeverity: { $ref: '#/definitions/noneSeverityType' },
 attackVector: { $ref: '#/definitions/attackVectorType' },
 attackComplexity: { $ref: '#/definitions/attackComplexityType' },
 attackRequirements: { $ref: '#/definitions/attackRequirementsType' },
diff --git a/csaf_2_1/recommendedTests/recommendedTest_6_2_20.js b/csaf_2_1/recommendedTests/recommendedTest_6_2_20.js
index b47b588a..b60f5372 100644
--- a/csaf_2_1/recommendedTests/recommendedTest_6_2_20.js
+++ b/csaf_2_1/recommendedTests/recommendedTest_6_2_20.js
@@ -1,8 +1,29 @@
-import { optionalTest_6_2_20 } from '../../optionalTests.js'
+import schema from '../schemaTests/csaf_2_1_strict/schema.js'
+import csafAjv from '../csafAjv.js'
+
+const validateStrictSchema = csafAjv.compile(schema)

 /**
 * @param {unknown} doc
 */
 export function recommendedTest_6_2_20(doc) {
- return optionalTest_6_2_20(doc)
+ const ctx = {
+ warnings:
+ /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+ }
+
+ if (!validateStrictSchema(doc)) {
+ const additionalPropertiesErrors =
+ validateStrictSchema.errors?.filter(
+ (e) => e.keyword === 'additionalProperties'
+ ) ?? []
+ for (const error of additionalPropertiesErrors) {
+ ctx.warnings.push({
+ instancePath: error.instancePath,
+ message: error.message ?? '',
+ })
+ }
+ }
+
+ return ctx
 }
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
index 0e9d2e60..100890b1 100644
--- a/tests/csaf_2_1/oasis.js
+++ b/tests/csaf_2_1/oasis.js
@@ -34,7 +34,6 @@ const excluded = [
 '6.1.56',
 '6.2.11',
 '6.2.19',
- '6.2.20',
 '6.2.21',
 '6.2.24',
 '6.2.25',
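Review bot: The warnings pushed in `recommendedTest_6_2_20` do not identify the offending property, because for the `additionalProperties` keyword Ajv sets `instancePath` to the containing object and reports the name in `error.params.additionalProperty`. Consider `instancePath: error.instancePath + '/' + error.params.additionalProperty,` so each warning points at the unexpected field; the name comes from the document under test, so consumers should render it as untrusted text. The result also depends on how `csafAjv` is configured, which is not visible here: without `allErrors: true` Ajv stops at the first schema error, and a document that fails another keyword first would produce no warning at all. The JSDoc has only `@param`; a sentence stating that the strict schema is compiled once at module load and that the function returns `{ warnings }` with one entry per additional property would document the contract.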