feat: add mandatory test 6.1.47 - SSVC

README.md

@@ -317,7 +317,6 @@ The following tests are not yet implemented and therefore missing:
 - Mandatory Test 6.1.42
 - Mandatory Test 6.1.44
 - Mandatory Test 6.1.46
-- Mandatory Test 6.1.47
 - Mandatory Test 6.1.48
 - Mandatory Test 6.1.49
 - Mandatory Test 6.1.50
@@ -434,6 +433,7 @@ export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
 export const mandatoryTest_6_1_43: DocumentTest
 export const mandatoryTest_6_1_45: DocumentTest
+export const mandatoryTest_6_1_47: DocumentTest
 export const mandatoryTest_6_1_52: DocumentTest
 ```
 

csaf_2_1/mandatoryTests.js

@@ -59,4 +59,5 @@ export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
 export { mandatoryTest_6_1_43 } from './mandatoryTests/mandatoryTest_6_1_43.js'
 export { mandatoryTest_6_1_45 } from './mandatoryTests/mandatoryTest_6_1_45.js'
+export { mandatoryTest_6_1_47 } from './mandatoryTests/mandatoryTest_6_1_47.js'
 export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'

csaf_2_1/mandatoryTests/mandatoryTest_6_1_47.js

@@ -0,0 +1,111 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      optionalProperties: {
+        tracking: {
+          additionalProperties: true,
+          optionalProperties: {
+            id: { type: 'string' },
+          },
+        },
+      },
+    },
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          cve: { type: 'string' },
+          ids: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                text: { type: 'string' },
+              },
+            },
+          },
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    ssvc_v2: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        target_ids: { elements: { type: 'string' } },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * This implements the mandatory test 6.1.47 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export function mandatoryTest_6_1_47(doc) {
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  doc.vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+    vulnerability.metrics?.forEach((metric, metricIndex) => {
+      if (metric.content?.ssvc_v2) {
+        metric.content.ssvc_v2.target_ids?.forEach((ssvcId, ssvcIdIndex) => {
+          if (ssvcId === doc.document.tracking?.id) {
+            if (doc.vulnerabilities.length > 1) {
+              ctx.isValid = false
+              ctx.errors.push({
+                instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v2/${ssvcIdIndex}`,
+                message:
+                  `the ssvc id equals the "document/tracking/id" ` +
+                  `but the csaf document has multiple vulnerabilities`,
+              })
+            }
+          }
+          const idTexts = vulnerability.ids?.map((id) => id.text)
+          if (ssvcId !== vulnerability.cve && !idTexts?.includes(ssvcId)) {
+            ctx.isValid = false
+            ctx.errors.push({
+              instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v2/${ssvcIdIndex}`,
+              message:
+                `the ssvc id does neither match the "cve" ` +
+                `nor it matches the "text" of any item in the "ids" array`,
+            })
+          }
+        })
+      }
+    })
+  })
+
+  return ctx
+}

tests/csaf_2_1/mandatoryTest_6_1_47.js

@@ -0,0 +1,49 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_47 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_47.js'
+import { expect } from 'chai'
+
+const failingInputSchemaTestWithEmptyVulnerability6_1_47 = {
+  document: {},
+  vulnerabilities: [
+    {}, // even this vulnerability is empty, the test should run
+    {
+      cve: 'CVE-1900-0001',
+      metrics: [
+        {
+          content: {
+            ssvc_v2: {
+              schemaVersion: '2.0.0',
+              selections: [
+                {
+                  key: 'E',
+                  namespace: 'ssvc',
+                  values: [
+                    {
+                      key: 'N',
+                    },
+                  ],
+                  version: '1.1.0',
+                },
+              ],
+              target_ids: ['CVE-1900-0002'],
+              timestamp: '2024-01-24T10:00:00.000Z',
+            },
+          },
+          products: ['CSAFPID-9080700'],
+        },
+      ],
+    },
+  ],
+}
+
+describe('mandatoryTest_6_1_47', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_47({ document: 'mydoc' }).isValid, true)
+  })
+  it('test input schema with empty json object in vulnerabilities', async function () {
+    const result = mandatoryTest_6_1_47(
+      failingInputSchemaTestWithEmptyVulnerability6_1_47
+    )
+    expect(result.errors.length).to.eq(1)
+  })
+})

tests/csaf_2_1/oasis.js

@@ -23,7 +23,6 @@ const excluded = [
   '6.1.42',
   '6.1.44',
   '6.1.46',
-  '6.1.47',
   '6.1.48',
   '6.1.49',
   '6.1.50',