feat: add mandatory test 6.1.52

Author: bendo-eXX

README.md

@@ -332,7 +332,6 @@ The following tests are not yet implemented and therefore missing:
 - Mandatory Test 6.1.49
 - Mandatory Test 6.1.50
 - Mandatory Test 6.1.51
-- Mandatory Test 6.1.52
 - Mandatory Test 6.1.53
 - Mandatory Test 6.1.54
 - Mandatory Test 6.1.55
@@ -435,6 +434,7 @@ export const mandatoryTest_6_1_38: DocumentTest
 export const mandatoryTest_6_1_39: DocumentTest
 export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
+export const mandatoryTest_6_1_52: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)

csaf_2_1/mandatoryTests.js

@@ -49,3 +49,4 @@ export { mandatoryTest_6_1_38 } from './mandatoryTests/mandatoryTests_6_1_38.js'
 export { mandatoryTest_6_1_39 } from './mandatoryTests/mandatoryTest_6_1_39.js'
 export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
+export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'

csaf_2_1/mandatoryTests/mandatoryTest_6_1_52.js

@@ -0,0 +1,125 @@
+import Ajv from 'ajv/dist/jtd.js'
+import {compareZonedDateTimes} from "../../lib/shared/dateHelper.js";
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+    additionalProperties: true,
+    properties: {
+        document: {
+            additionalProperties: true,
+            properties: {
+                tracking: {
+                    additionalProperties: true,
+                    properties: {
+                        revision_history: {
+                            elements: {
+                                additionalProperties: true,
+                                optionalProperties: {
+                                    date: {type: 'string'},
+                                },
+                            },
+                        },
+                        status: {type: 'string'},
+                    },
+                },
+            },
+        },
+        vulnerabilities: {
+            elements: {
+                additionalProperties: true,
+                optionalProperties: {
+                    first_known_exploitation_dates: {
+                        elements: {
+                            additionalProperties: true,
+                            optionalProperties: {
+                                date: {type: 'string'},
+                                exploitation_date: {type: 'string'},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * This implements the mandatory test 6.1.52 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export function mandatoryTest_6_1_52(doc) {
+    /*
+      The `ctx` variable holds the state that is accumulated during the test ran and is
+      finally returned by the function.
+      */
+    const ctx = {
+        errors:
+        /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+        isValid: true,
+    }
+
+    if (!validate(doc)) {
+        return ctx
+    }
+    const status = doc.document.tracking.status
+    if (status !== 'final' && status !== 'interim') {
+        return ctx
+    }
+
+    const newestRevisionHistoryItem = doc.document.tracking.revision_history
+        .filter(item => item.date != null)
+        .slice()
+        .sort((a, z) =>
+            compareZonedDateTimes(
+                /** @type {string} */ (z.date),
+                /** @type {string} */ (a.date)
+            )
+        )[0]
+
+    doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+        const exploitDate = vulnerability.first_known_exploitation_dates || []
+        exploitDate.forEach((exploit, exploitIdx) => {
+
+            const date = exploit.date
+            const exploitationDate = exploit.exploitation_date
+            if (
+                newestRevisionHistoryItem &&
+                compareZonedDateTimes(
+                    /** @type {string} */ (newestRevisionHistoryItem.date),
+                    /** @type {string} */ (date)
+                ) < 0
+            ) {
+                ctx.isValid = false
+                ctx.errors.push({
+                    instancePath: `/vulnerabilities/${vulnerabilityIndex}/first_known_exploitation_dates/${exploitIdx}/date`,
+                    message: `the status is ${status}, but the 'date' of the First Known Exploitation Dates are newer than the newest revision history date`,
+                })
+            }
+            if (
+                newestRevisionHistoryItem &&
+                compareZonedDateTimes(
+                    /** @type {string} */ (newestRevisionHistoryItem.date),
+                    /** @type {string} */ (exploitationDate)
+                ) < 0
+            ) {
+                ctx.isValid = false
+                ctx.errors.push({
+                    instancePath: `/vulnerabilities/${vulnerabilityIndex}/first_known_exploitation_dates/${exploitIdx}/exploitation_date`,
+                    message: `the status is ${status}, but the 'exploitation_date' of the First Known Exploitation Dates are newer than the newest revision history date`,
+                })
+            }
+        })
+    })
+
+    return ctx
+}

tests/csaf_2_1/mandatoryTest_6_1_52.js

@@ -0,0 +1,51 @@
+import assert from 'node:assert/strict'
+import {mandatoryTest_6_1_52} from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_52.js'
+
+describe('mandatoryTest_6_1_52', function () {
+    it('only runs on relevant documents', function () {
+        assert.equal(mandatoryTest_6_1_52({document: 'mydoc'}).isValid, true)
+    })
+
+    it('skips status draft', function () {
+        assert.equal(
+            mandatoryTest_6_1_52({
+                document: {
+                    tracking: {
+                        revision_history: [],
+                        status: 'draft',
+                    },
+                },
+                vulnerabilities: []
+            }).isValid,
+            true
+        )
+    })
+
+    it('ignores empty objects in revision_history and first_known_exploitation_dates', function () {
+        assert.equal(
+            mandatoryTest_6_1_52({
+                document: {
+                    tracking: {
+                        revision_history: [
+                            {}, // should be ignored
+                            {
+                                "date": "2024-01-24T10:00:00.000Z"
+                            }
+                        ],
+                        status: 'final',
+                    },
+                },
+                vulnerabilities: [
+                    {
+                        first_known_exploitation_dates: [
+                            {}, // should be ignored
+                            {
+                                "date": "2024-01-24T13:00:00.000Z",
+                                "exploitation_date": "2024-01-24T12:34:56.789Z",
+                            }
+                        ],
+                    },
+                ]
+            }).isValid, false)
+    })
+})

tests/csaf_2_1/oasis.js

@@ -37,7 +37,6 @@ const excluded = [
   '6.1.49',
   '6.1.50',
   '6.1.51',
-  '6.1.52',
   '6.1.53',
   '6.1.54',
   '6.1.55',