Merge branch '196-csaf-2.1' into feat/199-Informative-Tests_CSAF2_1_6.3.4

tschmidtb51 · web-flow · commit ad0a05c2d25e · 2025-05-30T20:43:09.000+02:00
diff --git a/csaf_2_1/informativeTests.js b/csaf_2_1/informativeTests.js
@@ -1,5 +1,4 @@
 export {
-  informativeTest_6_3_1,
   informativeTest_6_3_2,
   informativeTest_6_3_3,
   informativeTest_6_3_5,
@@ -10,4 +9,5 @@ export {
   informativeTest_6_3_10,
   informativeTest_6_3_11,
 } from '../informativeTests.js'
-export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
+export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
+export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
diff --git a/csaf_2_1/informativeTests/informativeTest_6_3_1.js b/csaf_2_1/informativeTests/informativeTest_6_3_1.js
@@ -0,0 +1,131 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/**
+ * @typedef {object} MetricContent
+ * @property {object} [cvss_v2]
+ * @property {string} cvss_v2.version
+ * @property {object} [cvss_v3]
+ * @property {string} cvss_v3.version
+ * @property {object} [cvss_v4]
+ * @property {string} cvss_v4.version
+ */
+
+/**
+ * @typedef {object} Metric
+ * @property {MetricContent} [content]
+ * @property {Array<string>} products
+ */
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        properties: {},
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              properties: {
+                products: {
+                  elements: { type: 'string' },
+                },
+              },
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    cvss_v2: {
+                      additionalProperties: true,
+                      properties: {
+                        version: { type: 'string' },
+                      },
+                    },
+                    cvss_v3: {
+                      additionalProperties: true,
+                      properties: {
+                        version: { type: 'string' },
+                      },
+                    },
+                    cvss_v4: {
+                      additionalProperties: true,
+                      properties: {
+                        version: { type: 'string' },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * @param {unknown} doc
+ * @returns
+ */
+export function informativeTest_6_3_1(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  /**
+   * @param {Metric} metric
+   * @param {Set<string>} versionSet
+   */
+  function addVersionsInMetricToSet(metric, versionSet) {
+    if (metric.content?.cvss_v2?.version !== undefined) {
+      versionSet.add(metric.content.cvss_v2.version)
+    }
+    if (metric.content?.cvss_v3?.version !== undefined) {
+      versionSet.add(metric.content.cvss_v3.version)
+    }
+    if (metric.content?.cvss_v4?.version !== undefined) {
+      versionSet.add(metric.content.cvss_v4.version)
+    }
+  }
+
+  const vulnerabilities = doc.vulnerabilities
+
+  vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+    /** @type {Map<string, Set<string>>} */
+    const cvssVersionsByProduct = new Map()
+    const metricIndexByProduct = new Map()
+    /** @type {Array<Metric> | undefined} */
+    const metrics = vulnerability.metrics
+    metrics?.forEach((metric, metricIndex) => {
+      /** @type {Array<string>} */
+      const products = metric.products
+      products.forEach((product) => {
+        const versionSet = cvssVersionsByProduct.get(product) ?? new Set()
+        cvssVersionsByProduct.set(product, versionSet)
+        metricIndexByProduct.set(product, metricIndex)
+        addVersionsInMetricToSet(metric, versionSet)
+      })
+    })
+    cvssVersionsByProduct.forEach((value, product) => {
+      if (value.size === 1 && value.values().next().value === '2.0') {
+        const metricIndex = metricIndexByProduct.get(product)
+        ctx.infos.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}`,
+          message: `use of cvss v2 as the only scoring system for product ${product}`,
+        })
+      }
+    })
+  })
+
+  return ctx
+}
diff --git a/tests/csaf_2_1/informativeTest_6_3_1.js b/tests/csaf_2_1/informativeTest_6_3_1.js
@@ -0,0 +1,8 @@
+import assert from 'node:assert'
+import { informativeTest_6_3_1 } from '../../csaf_2_1/informativeTests.js'
+
+describe('informativeTest_6_3_1', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(informativeTest_6_3_1({ document: 'mydoc' }).infos.length, 0)
+  })
+})
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -59,7 +59,6 @@ const excluded = [
   '6.2.39.1',
   '6.2.39.2',
   '6.2.40',
-  '6.3.1',
   '6.3.2',
   '6.3.14',
   '6.3.15',
