Merge pull request #574 from secvisogram/fix/csaf-2.1_mandatory_test_6.1.27.5

fix(CSAF2.1): fix mandatoryTest_6_1_27_5.js

Author: domachine

csaf_2_1/mandatoryTests.js

@@ -21,7 +21,6 @@ export {
   mandatoryTest_6_1_27_2,
   mandatoryTest_6_1_27_3,
   mandatoryTest_6_1_27_4,
-  mandatoryTest_6_1_27_5,
   mandatoryTest_6_1_27_6,
   mandatoryTest_6_1_27_7,
   mandatoryTest_6_1_27_8,
@@ -43,6 +42,7 @@ export { mandatoryTest_6_1_9 } from './mandatoryTests/mandatoryTest_6_1_9.js'
 export { mandatoryTest_6_1_10 } from './mandatoryTests/mandatoryTest_6_1_10.js'
 export { mandatoryTest_6_1_11 } from './mandatoryTests/mandatoryTest_6_1_11.js'
 export { mandatoryTest_6_1_13 } from './mandatoryTests/mandatoryTest_6_1_13.js'
+export { mandatoryTest_6_1_27_5 } from './mandatoryTests/mandatoryTest_6_1_27_5.js'
 export { mandatoryTest_6_1_27_12 } from './mandatoryTests/mandatoryTest_6_1_27_12.js'
 export { mandatoryTest_6_1_27_14 } from './mandatoryTests/mandatoryTest_6_1_27_14.js'
 export { mandatoryTest_6_1_27_15 } from './mandatoryTests/mandatoryTest_6_1_27_15.js'

csaf_2_1/mandatoryTests/mandatoryTest_6_1_27_5.js

@@ -0,0 +1,73 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        category: {
+          type: 'string',
+        },
+      },
+    },
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          notes: {
+            elements: {
+              additionalProperties: true,
+              properties: {},
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+/**
+ * @param {any} doc
+ */
+export function mandatoryTest_6_1_27_5(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const errors = []
+  let isValid = true
+
+  if (!validate(doc)) return { errors, isValid }
+
+  const checkedDocumentCategories = new Set([
+    'csaf_security_advisory',
+    'csaf_vex',
+    'csaf_deprecated_security_advisory',
+  ])
+
+  if (!checkedDocumentCategories.has(doc.document?.category)) {
+    return { errors, isValid }
+  }
+
+  const vulnerabilities = doc.vulnerabilities
+  if (Array.isArray(vulnerabilities)) {
+    vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+      if (!vulnerability.notes || vulnerability.notes.length === 0) {
+        isValid = false
+        errors.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}`,
+          message: 'needs a `notes` attribute',
+        })
+      }
+    })
+  }
+
+  return { errors, isValid }
+}

tests/csaf_2_1/mandatoryTest_6_1_27_5.js

@@ -0,0 +1,36 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_27_5 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_27_5.js'
+
+describe('mandatoryTest_6_1_27_5', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_27_5({ document: 'mydoc' }).isValid, true)
+  })
+
+  it('returns valid for documents with irrelevant category', function () {
+    assert.equal(
+      mandatoryTest_6_1_27_5({
+        document: { category: 'csaf_base' },
+        vulnerabilities: [{}],
+      }).isValid,
+      true
+    )
+  })
+
+  it('returns invalid when vulnerability has no notes', function () {
+    const result = mandatoryTest_6_1_27_5({
+      document: { category: 'csaf_security_advisory' },
+      vulnerabilities: [{}],
+    })
+    assert.equal(result.isValid, false)
+    assert.equal(result.errors.length, 1)
+  })
+
+  it('returns invalid when vulnerability has empty notes array', function () {
+    const result = mandatoryTest_6_1_27_5({
+      document: { category: 'csaf_security_advisory' },
+      vulnerabilities: [{ notes: [] }],
+    })
+    assert.equal(result.isValid, false)
+    assert.equal(result.errors.length, 1)
+  })
+})

tests/csaf_2_1/oasis.js

@@ -98,7 +98,6 @@ const excluded = [
 const skippedTests = new Set([
   'mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-01-12.json',
   'mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-03-01.json',
-  'mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-27-05-03.json',
 ])
 
 /** @typedef {import('../../lib/shared/types.js').DocumentTest} DocumentTest */