Skip to content

feat: add mandatory test 6.1.48 - SSVC #358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

feat: add mandatory test 6.1.48 - SSVC #358

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
2bc1f6b
feat: add mandatory test 6.1.48
christopher-exx Jun 26, 2025
ad519c0
fix: fix doc in inputSchema test
christopher-exx Jun 26, 2025
66057c0
refactor: simplify implementation
christopher-exx Jun 30, 2025
151a439
feat: change ssvc in inputSchema from property to optionalProperty
christopher-exx Jul 2, 2025
d178db2
refactor: use a map of only the relevant valid ssvc decision point pr…
christopher-exx Jul 8, 2025
c6968cb
refactor: use map to easier filter decision points
christopher-exx Jul 9, 2025
b42f68b
refactor: renaming variable
christopher-exx Jul 9, 2025
87b4e65
refactor: simplify implementation
christopher-exx Jul 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -317,7 +317,6 @@ The following tests are not yet implemented and therefore missing:
- Mandatory Test 6.1.44
- Mandatory Test 6.1.46
- Mandatory Test 6.1.47
- Mandatory Test 6.1.48
- Mandatory Test 6.1.49
- Mandatory Test 6.1.50
- Mandatory Test 6.1.51
Expand Down Expand Up @@ -434,6 +433,7 @@ export const mandatoryTest_6_1_40: DocumentTest
export const mandatoryTest_6_1_41: DocumentTest
export const mandatoryTest_6_1_43: DocumentTest
export const mandatoryTest_6_1_45: DocumentTest
export const mandatoryTest_6_1_48: DocumentTest
export const mandatoryTest_6_1_52: DocumentTest
```

Expand Down
1 change: 1 addition & 0 deletions csaf_2_1/mandatoryTests.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,4 +60,5 @@ export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
export { mandatoryTest_6_1_43 } from './mandatoryTests/mandatoryTest_6_1_43.js'
export { mandatoryTest_6_1_45 } from './mandatoryTests/mandatoryTest_6_1_45.js'
export { mandatoryTest_6_1_48 } from './mandatoryTests/mandatoryTest_6_1_48.js'
export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'
181 changes: 181 additions & 0 deletions csaf_2_1/mandatoryTests/mandatoryTest_6_1_48.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,181 @@
import Ajv from 'ajv/dist/jtd.js'
import ssvcDecisionPoints from '../../lib/ssvc/ssvc_decision_points.js'

const ajv = new Ajv()

/*
This is the jtd schema that needs to match the input document so that the
test is activated. If this schema doesn't match it normally means that the input
document does not validate against the csaf json schema or optional fields that
the test checks are not present.
*/
const inputSchema = /** @type {const} */ ({
additionalProperties: true,
properties: {
vulnerabilities: {
elements: {
additionalProperties: true,
optionalProperties: {
metrics: {
elements: {
additionalProperties: true,
optionalProperties: {
content: {
additionalProperties: true,
optionalProperties: {
ssvc_v1: {
additionalProperties: true,
optionalProperties: {
id: { type: 'string' },
schemaVersion: { type: 'string' },
timestamp: { type: 'string' },
selections: {
elements: {
additionalProperties: true,
optionalProperties: {
name: { type: 'string' },
namespace: { type: 'string' },
values: {
elements: { type: 'string' },
},
version: { type: 'string' },
},
},
},
},
},
},
},
},
},
},
},
},
},
},
})

const validateInput = ajv.compile(inputSchema)

/**
* @param {string | undefined} name
* @param {string | undefined} namespace
* @param {string | undefined} version
*/
function decisionPointHash(name, namespace, version) {
return JSON.stringify({
name: name ?? '',
namespace: namespace ?? '',
version: version ?? '',
})
}

/** @type {Map<string,{ name: string; namespace: string; version: string; key?: string; values: { key: string; name: string; description: string; }[]; }>} */
const decisionPointMap = new Map(
ssvcDecisionPoints.decisionPoints.map((obj) => [
decisionPointHash(obj.name, obj.namespace, obj.version),
obj,
])
)

/**
* This implements the mandatory test 6.1.48 of the CSAF 2.1 standard.
*
* @param {any} doc
*/
export function mandatoryTest_6_1_48(doc) {
const ctx = {
errors:
/** @type {Array<{ instancePath: string; message: string }>} */ ([]),
isValid: true,
}

if (!validateInput(doc)) {
return ctx
}

const registeredSsvcNamespaces = ['ssvc', 'cvss']

doc.vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
vulnerability.metrics?.forEach((metric, metricIndex) => {
const selectionsWithRegisteredNamespace =
metric.content?.ssvc_v1?.selections?.filter(
(s) =>
s.namespace !== undefined &&
registeredSsvcNamespaces.includes(s.namespace)
)
selectionsWithRegisteredNamespace?.forEach(
(selection, selectionIndex) => {
// check if a decision point with these properties exists
const selectedDecisionPnt = decisionPointMap.get(
decisionPointHash(
selection.name,
selection.namespace,
selection.version
)
)

if (!selectedDecisionPnt) {
ctx.isValid = false
ctx.errors.push({
instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v1/selections/${selectionIndex}`,
message: `there exists no decision point with name ${selection.name} and version ${selection.version} in the namespace ${selection.namespace}`,
})
} else {
if (
selection.values &&
!areValuesValidAndinOrder(
selectedDecisionPnt.values,
selection.values
)
) {
ctx.isValid = false
ctx.errors.push({
instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v1/selections/${selectionIndex}`,
message: `this decision point contains invalid values or its values are not in order`,
})
}
}
}
)
})
})

return ctx
}

/**
* Check if the elements in the values array of the decision point are valid and if they are in the right order
* according to the specification.
* If values are missing, this is not an issue.
*
* @param {{ key: string; name: string; description: string; }[]} decisionPointValues the valid elements of the values array of the respective decision point
* and their order according to the SSVC specification
* @param {string[]} usedValues the actual used values of the decision point
*/
function areValuesValidAndinOrder(decisionPointValues, usedValues) {
const specifiedValues = decisionPointValues.map((value) => value.name)
//check if there is an invalid value used
for (let i = 0; i < usedValues.length; i++) {
const element = usedValues[i]
if (!specifiedValues.includes(element)) {
return false
}
}

// check for the correct order
for (let valueIndex = 0; valueIndex < usedValues.length; valueIndex++) {
const value = usedValues[valueIndex]
if (valueIndex === 0) {
continue
}
const specifiedIndexCurrentElement = specifiedValues.indexOf(value)
const previousValue = usedValues[valueIndex - 1]
const specifiedIndexPreviousElement = specifiedValues.indexOf(previousValue)

if (specifiedIndexCurrentElement < specifiedIndexPreviousElement) {
return false
}
}
return true
}
Loading
Loading