Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add mandatory test 6.1.35 #215

Merged
merged 1 commit into from
Mar 7, 2025
Merged

feat: add mandatory test 6.1.35 #215

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions csaf_2_1/mandatoryTests.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,4 @@ export {
mandatoryTest_6_1_33,
} from '../mandatoryTests.js'
export { mandatoryTest_6_1_34 } from './mandatoryTests/mandatoryTest_6_1_34.js'
export { mandatoryTest_6_1_35 } from './mandatoryTests/mandatoryTest_6_1_35.js'
209 changes: 209 additions & 0 deletions csaf_2_1/mandatoryTests/mandatoryTest_6_1_35.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,209 @@
import Ajv from 'ajv/dist/jtd.js'

const ajv = new Ajv()

/**
* @typedef {'workaround'
* | 'mitigation'
* | 'vendor_fix'
* | 'optional_patch'
* | 'none_available'
* | 'fix_planned'
* | 'no_fix_planned'} Category
*/

/**
* This map holds prohibited category combinations.
* See https://github.com/oasis-tcs/csaf/blob/master/csaf_2.1/prose/share/csaf-v2.1-draft.md#324131-vulnerabilities-property---remediations---category-
*
* @type {Map<string, Set<string>>}
*/
const prohibitionRuleMap = new Map(
/** @satisfies {Array<[Category, Category[]]>} */ ([
['workaround', ['optional_patch', 'none_available']],
['mitigation', ['optional_patch', 'none_available']],
[
'vendor_fix',
['optional_patch', 'none_available', 'fix_planned', 'no_fix_planned'],
],
[
'optional_patch',
[
'workaround',
'mitigation',
'vendor_fix',
'none_available',
'fix_planned',
'no_fix_planned',
],
],
[
'none_available',
[
'workaround',
'mitigation',
'vendor_fix',
'optional_patch',
'fix_planned',
'no_fix_planned',
],
],
[
'fix_planned',
['vendor_fix', 'optional_patch', 'none_available', 'no_fix_planned'],
],
[
'no_fix_planned',
['vendor_fix', 'optional_patch', 'none_available', 'fix_planned'],
],
]).map((e) => [e[0], new Set(e[1])])
)

const remediationSchema = /** @type {const} */ ({
additionalProperties: true,
optionalProperties: {
group_ids: {
elements: {
type: 'string',
},
},
product_ids: {
elements: {
type: 'string',
},
},
category: { type: 'string' },
},
})

/*
This is the jtd schema that needs to match the input document so that the
test is activated. If this schema doesn't match it normally means that the input
document does not validate against the csaf json schema or optional fields that
the test checks are not present.
*/
const inputSchema = /** @type {const} */ ({
additionalProperties: true,
optionalProperties: {
product_tree: {
additionalProperties: true,
optionalProperties: {
product_groups: {
elements: {
additionalProperties: true,
optionalProperties: {
group_id: { type: 'string' },
product_ids: {
elements: {
type: 'string',
},
},
},
},
},
},
},
},
properties: {
vulnerabilities: {
elements: {
additionalProperties: true,
optionalProperties: {
remediations: {
elements: remediationSchema,
},
},
},
},
},
})

const validate = ajv.compile(inputSchema)

/**
* This implements the mandatory test of the CSAF 2.1 standard.
*
* @param {any} doc
*/
export function mandatoryTest_6_1_35(doc) {
/*
The `ctx` variable holds the state that is accumulated during the test ran and is
finally returned by the function.
*/
const ctx = {
/** @type {Array<{ instancePath: string; message: string }>} */
errors: [],
isValid: true,
}

if (!validate(doc)) {
return ctx
}

for (const [vulnerabilityIndex, vulnerability] of Object.entries(
doc.vulnerabilities
)) {
/**
* This map holds all discovered product ids and maps them to the set of corresponding
* remediation categories. Later we can check this map to find out if there are any
* contradicting remediations.
*
* @type {Map<string, Set<string>>}
*/
const productToCategoriesMap = new Map()

vulnerability.remediations?.forEach((remediation, remediationIndex) => {
const category = remediation.category
if (!category) return

/**
* This function adds the current category to the given product id in the
* `productMap`. If the product does not yet exist in the map, it is added.
*
* @param {string} id
*/
const collectCategory = (id) => {
productToCategoriesMap.set(
id,
new Set(productToCategoriesMap.get(id)).add(category)
)
}

remediation.product_ids?.forEach(collectCategory)

remediation.group_ids?.forEach((id) => {
const group = doc.product_tree?.product_groups?.find(
(g) => g.group_id === id
)
if (!group) return
group.product_ids?.forEach(collectCategory)
})

for (const [productId, categories] of productToCategoriesMap) {
/**
* This set will hold all already checked categories to avoid double checks
* and doubled error messages.
*/
const checkedCategories = new Set()

for (const categoryA of categories) {
checkedCategories.add(categoryA)

for (const categoryB of categories) {
if (checkedCategories.has(categoryB)) continue

if (prohibitionRuleMap.get(categoryA)?.has(categoryB)) {
ctx.errors.push({
instancePath: `/vulnerabilities/${vulnerabilityIndex}/remediations/${remediationIndex}`,
message: `contradicting remediation categories for product id "${productId}": ${categoryA}, ${categoryB}`,
})
ctx.isValid = false
}
}
}
}
})
}

return ctx
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The result errors seems to be duplicated with switched categories

[
{
"instancePath": "/vulnerabilities/0/remediations/1",
"message": "contradicting remediation categories for product id "CSAFPID-9080700": no_fix_planned, vendor_fix"
},
{
"instancePath": "/vulnerabilities/0/remediations/1",
"message": "contradicting remediation categories for product id "CSAFPID-9080700": vendor_fix, no_fix_planned"
}
]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I addressed this issue using a Set which holds the already checked categories.

}
35 changes: 35 additions & 0 deletions tests/csaf_2_1/mandatoryTest_6_1_35.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
import assert from 'node:assert'
import { mandatoryTest_6_1_35 } from '../../csaf_2_1/mandatoryTests.js'

describe('mandatoryTest_6_1_37', function () {
it('only runs on relevant documents', function () {
assert.equal(mandatoryTest_6_1_35({ document: 'mydoc' }).isValid, true)
})

it('skips remediations without valid category', function () {
assert.equal(
mandatoryTest_6_1_35({
vulnerabilities: [{ remediations: [{}] }],
}).isValid,
true
)
})

it('skips remediation group checks without declared group', function () {
assert.equal(
mandatoryTest_6_1_35({
vulnerabilities: [
{
remediations: [
{
category: 'some_category',
group_ids: ['my_not_existing_group'],
},
],
},
],
}).isValid,
true
)
})
})
1 change: 0 additions & 1 deletion tests/csaf_2_1/oasis.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ const excluded = [
'6.1.13',
'6.1.14',
'6.1.16',
'6.1.35',
'6.1.36',
'6.1.37',
'6.1.38',
Expand Down