feat: add optional test 6.2.23

Author: christopher-exx

csaf_2_1/optionalTests.js

@@ -0,0 +1,23 @@
+export {
+  optionalTest_6_2_1,
+  optionalTest_6_2_2,
+  optionalTest_6_2_4,
+  optionalTest_6_2_5,
+  optionalTest_6_2_6,
+  optionalTest_6_2_7,
+  optionalTest_6_2_8,
+  optionalTest_6_2_9,
+  optionalTest_6_2_10,
+  optionalTest_6_2_11,
+  optionalTest_6_2_12,
+  optionalTest_6_2_13,
+  optionalTest_6_2_14,
+  optionalTest_6_2_15,
+  optionalTest_6_2_16,
+  optionalTest_6_2_17,
+  optionalTest_6_2_18,
+  optionalTest_6_2_19,
+  optionalTest_6_2_20,
+} from '../optionalTests.js'
+export { optionalTest_6_2_3 } from './optionalTests/optionalTest_6_2_3.js'
+export { optionalTest_6_2_23 } from './optionalTests/optionalTest_6_2_23.js'

csaf_2_1/recommendedTests/optionalTest_6_2_23.js

@@ -0,0 +1,94 @@
+import Ajv from 'ajv/dist/jtd.js'
+import { cwecMap } from '../../lib/cwec.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        properties: {
+          cwes: {
+            elements: {
+              additionalProperties: true,
+              properties: {},
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+const cweSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    id: { type: 'string' },
+    version: { type: 'string' },
+    name: { type: 'string' },
+  },
+})
+
+const validateCWE = ajv.compile(cweSchema)
+
+/**
+ * This implements the optional test 6.2.23 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export async function optionalTest_6_2_23(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const warnings = []
+  const context = { warnings }
+
+  if (!validateInput(doc)) {
+    return context
+  }
+
+  for (let i = 0; i < doc.vulnerabilities.length; ++i) {
+    const vulnerability = doc.vulnerabilities[i]
+    for (let j = 0; j < vulnerability.cwes.length; ++j) {
+      const cwe = vulnerability.cwes.at(j)
+      if (validateCWE(cwe)) {
+        const cwec = cwecMap.get(cwe.version)
+        if (!cwec) {
+          context.warnings.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/version`,
+            message: 'no such cwe version is recognized',
+          })
+          continue
+        }
+        const entry = (await cwec()).default.weaknesses.find(
+          (w) => w.id === cwe.id
+        )
+        if (!entry) {
+          context.warnings.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/id`,
+            message: `no weakness with this id is recognized in CWE ${cwe.version}`,
+          })
+          continue
+        }
+        if (entry.status === 'Deprecated') {
+          context.warnings.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/id`,
+            message:
+              'the status of the weakness with the given id is deprecated',
+          })
+          continue
+        }
+      }
+    }
+  }
+
+  return context
+}

tests/csaf_2_1/oasis.js

@@ -44,6 +44,7 @@ const excluded = [
   '6.2.19',
   '6.2.20',
   '6.2.21',
+  '6.2.22',
   '6.2.23',
   '6.2.24',
   '6.2.25',

tests/csaf_2_1/optionalTest_6_2_23.js

@@ -0,0 +1,11 @@
+import assert from 'node:assert'
+import { optionalTest_6_2_23 } from '../../csaf_2_1/optionalTests.js'
+
+describe('optionalTest_6_2_23', function () {
+  it('only runs on relevant documents', async function () {
+    assert.equal(
+      (await optionalTest_6_2_23({ vulnerabilities: 'mydoc' })).warnings.length,
+      0
+    )
+  })
+})