fix: add optional test 6.2.37

christopher-exx · christopher-exx · commit 1a1f0ed8cd0e · 2025-06-11T17:26:19.000+02:00
diff --git a/csaf_2_1/recommendedTests/optionalTest_6_2_37.js b/csaf_2_1/recommendedTests/optionalTest_6_2_37.js
@@ -0,0 +1,72 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        properties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              properties: {
+                content: {
+                  additionalProperties: true,
+                  properties: {
+                    ssvc_v1: {
+                      additionalProperties: true,
+                      properties: {
+                        role: {
+                          type: 'string',
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * This implements the optional test 6.2.37 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export function optionalTest_6_2_37(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const warnings = []
+  const context = { warnings }
+
+  if (!validate(doc)) {
+    return context
+  }
+
+  /*
+   * Please note that this list can change
+   * */
+  const registeredSsvcRoles = ['Supplier', 'Deployer', 'Coordinator']
+
+  doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+    vulnerability.metrics.forEach((metric, metricIndex) => {
+      const role = metric.content.ssvc_v1.role
+      if (!registeredSsvcRoles.includes(role)) {
+        context.warnings.push({
+          message: `The  used role "${role}" is not a registered role`,
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v1/role`,
+        })
+      }
+    })
+  })
+
+  return context
+}
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -62,7 +62,6 @@ const excluded = [
   '6.2.34',
   '6.2.35',
   '6.2.36',
-  '6.2.37',
   '6.2.38',
   '6.2.39.1',
   '6.2.39.2',
diff --git a/tests/csaf_2_1/optionalTest_6_2_37.js b/tests/csaf_2_1/optionalTest_6_2_37.js
@@ -0,0 +1,11 @@
+import assert from 'node:assert'
+import { optionalTest_6_2_37 } from '../../csaf_2_1/optionalTests.js'
+
+describe('optionalTest_6_2_37', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(
+      optionalTest_6_2_37({ vulnerabilities: 'mydoc' }).warnings.length,
+      0
+    )
+  })
+})
