feat(CSAF2.1): #199 copy and adapt informative test 6.3.1 from CSAF 2.0 to CSAF 2.1

rainer-exxcellent · rainer-exxcellent · commit 52f56b387b4b · 2025-03-25T08:12:04.000+01:00
diff --git a/csaf_2_1/informativeTests.js b/csaf_2_1/informativeTests.js
@@ -1,5 +1,4 @@
 export {
-  informativeTest_6_3_1,
   informativeTest_6_3_2,
   informativeTest_6_3_3,
   informativeTest_6_3_4,
@@ -11,3 +10,4 @@ export {
   informativeTest_6_3_10,
   informativeTest_6_3_11,
 } from '../informativeTests.js'
+export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
diff --git a/csaf_2_1/informativeTests/informativeTest_6_3_1.js b/csaf_2_1/informativeTests/informativeTest_6_3_1.js
@@ -0,0 +1,74 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        properties: {},
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    cvss_v2: {
+                      additionalProperties: true,
+                      properties: {},
+                    },
+                    cvss_v3: {
+                      additionalProperties: true,
+                      properties: {},
+                    },
+                    cvss_v4: {
+                      additionalProperties: true,
+                      properties: {},
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * @param {unknown} doc
+ * @returns
+ */
+export function informativeTest_6_3_1(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  doc.vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+    vulnerability.metrics?.forEach((metric, metricIndex) => {
+      if (
+        metric.content?.cvss_v2 &&
+        !metric.content?.cvss_v3 &&
+        !metric.content?.cvss_v4
+      ) {
+        ctx.infos.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}`,
+          message: 'use of cvss v2 as the only scoring system',
+        })
+      }
+    })
+  })
+
+  return ctx
+}
