secvisogram · bendo-eXX · Oct 6, 2025 · Oct 6, 2025 · Oct 22, 2025
diff --git a/README.md b/README.md
@@ -328,7 +328,6 @@ The following tests are not yet implemented and therefore missing:
 
 - Recommended Test 6.2.11
 - Recommended Test 6.2.19
-- Recommended Test 6.2.20
 - Recommended Test 6.2.21
 - Recommended Test 6.2.24
 - Recommended Test 6.2.26
@@ -453,6 +452,7 @@ export const recommendedTest_6_2_15: DocumentTest
 export const recommendedTest_6_2_16: DocumentTest
 export const recommendedTest_6_2_17: DocumentTest
 export const recommendedTest_6_2_18: DocumentTest
+export const recommendedTest_6_2_20: DocumentTest
 export const recommendedTest_6_2_22: DocumentTest
 export const recommendedTest_6_2_23: DocumentTest
 export const recommendedTest_6_2_25: DocumentTest

diff --git a/csaf_2_1/csafAjv.js b/csaf_2_1/csafAjv.js
@@ -1,8 +1,8 @@
 import addFormats from 'ajv-formats'
 import Ajv2020 from 'ajv/dist/2020.js'
-import cvss_v2_0 from '../schemas/cvss-v2.0.js'
-import cvss_v3_0 from '../schemas/cvss-v3.0.js'
-import cvss_v3_1 from '../schemas/cvss-v3.1.js'
+import cvss_v2_0 from './csafAjv/cvss-v2.0.js'
+import cvss_v3_0 from './csafAjv/cvss-v3.0.js'
+import cvss_v3_1 from './csafAjv/cvss-v3.1.js'
 import cvss_v4_0_1 from './csafAjv/cvss-v4.0.1.js'
 import meta from './csafAjv/meta.js'
 import draft_07_schema from './csafAjv/draft-07-schema.js'

diff --git a/csaf_2_1/csafAjv/cvss-v2.0.js b/csaf_2_1/csafAjv/cvss-v2.0.js
@@ -24,6 +24,7 @@ export default {
   title: 'JSON Schema for Common Vulnerability Scoring System version 2.0',
   $id: 'https://www.first.org/cvss/cvss-v2.0.json?20170531',
   type: 'object',
+  additionalProperties: false,
   $defs: {
     accessVectorType: {
       type: 'string',

diff --git a/csaf_2_1/csafAjv/cvss-v3.0.js b/csaf_2_1/csafAjv/cvss-v3.0.js
@@ -24,6 +24,7 @@ export default {
   title: 'JSON Schema for Common Vulnerability Scoring System version 3.0',
   $id: 'https://www.first.org/cvss/cvss-v3.0.json?20170531',
   type: 'object',
+  additionalProperties: false,
   $defs: {
     attackVectorType: {
       type: 'string',

diff --git a/csaf_2_1/csafAjv/cvss-v3.1.js b/csaf_2_1/csafAjv/cvss-v3.1.js
@@ -25,6 +25,7 @@ export default {
   title: 'JSON Schema for Common Vulnerability Scoring System version 3.1',
   $id: 'https://www.first.org/cvss/cvss-v3.1.json?20190610',
   type: 'object',
+  additionalProperties: false,
   $defs: {
     attackVectorType: {
       type: 'string',

diff --git a/csaf_2_1/csafAjv/cvss-v4.0.1.js b/csaf_2_1/csafAjv/cvss-v4.0.1.js
@@ -26,6 +26,7 @@ export default {
     'JSON Schema for Common Vulnerability Scoring System version 4.0, Revision 1',
   $id: 'https://www.first.org/cvss/cvss-v4.0.1.json?20250704',
   type: 'object',
+  additionalProperties: false,
   definitions: {
     attackVectorType: {
       type: 'string',
@@ -191,6 +192,12 @@ export default {
       pattern:
         '^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$',
     },
+    baseScore: { $ref: '#/definitions/noneScoreType' },
+    baseSeverity: { $ref: '#/definitions/noneSeverityType' },
+    threatScore: { $ref: '#/definitions/noneScoreType' },
+    threatSeverity: { $ref: '#/definitions/noneSeverityType' },
+    environmentalScore: { $ref: '#/definitions/noneScoreType' },
+    environmentalSeverity: { $ref: '#/definitions/noneSeverityType' },
     attackVector: { $ref: '#/definitions/attackVectorType' },
     attackComplexity: { $ref: '#/definitions/attackComplexityType' },
     attackRequirements: { $ref: '#/definitions/attackRequirementsType' },

diff --git a/csaf_2_1/recommendedTests/recommendedTest_6_2_20.js b/csaf_2_1/recommendedTests/recommendedTest_6_2_20.js
@@ -1,8 +1,29 @@
-import { optionalTest_6_2_20 } from '../../optionalTests.js'
+import schema from '../schemaTests/csaf_2_1_strict/schema.js'
+import csafAjv from '../csafAjv.js'
+
+const validateStrictSchema = csafAjv.compile(schema)
 
 /**
  * @param {unknown} doc
  */
 export function recommendedTest_6_2_20(doc) {
-  return optionalTest_6_2_20(doc)
+  const ctx = {
+    warnings:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+  }
+
+  if (!validateStrictSchema(doc)) {
+    const additionalPropertiesErrors =
+      validateStrictSchema.errors?.filter(
+        (e) => e.keyword === 'additionalProperties'
+      ) ?? []
+    for (const error of additionalPropertiesErrors) {
+      ctx.warnings.push({
+        instancePath: error.instancePath,
+        message: error.message ?? '',
+      })
+    }
+  }
+
+  return ctx
 }
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -32,7 +32,6 @@ const excluded = [
   '6.1.56',
   '6.2.11',
   '6.2.19',
-  '6.2.20',
   '6.2.21',
   '6.2.24',
   '6.2.26',