feat: add mandatory test 6.1.53

bendo-eXX · bendo-eXX · commit c75bb20ec9f7 · 2025-07-02T08:20:31.000+02:00
diff --git a/README.md b/README.md
@@ -333,7 +333,6 @@ The following tests are not yet implemented and therefore missing:
 - Mandatory Test 6.1.50
 - Mandatory Test 6.1.51
 - Mandatory Test 6.1.52
-- Mandatory Test 6.1.53
 - Mandatory Test 6.1.54
 - Mandatory Test 6.1.55
 
@@ -435,6 +434,7 @@ export const mandatoryTest_6_1_38: DocumentTest
 export const mandatoryTest_6_1_39: DocumentTest
 export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
+export const mandatoryTest_6_1_53: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)
diff --git a/csaf_2_1/mandatoryTests.js b/csaf_2_1/mandatoryTests.js
@@ -49,3 +49,4 @@ export { mandatoryTest_6_1_38 } from './mandatoryTests/mandatoryTests_6_1_38.js'
 export { mandatoryTest_6_1_39 } from './mandatoryTests/mandatoryTest_6_1_39.js'
 export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
+export { mandatoryTest_6_1_53 } from './mandatoryTests/mandatoryTest_6_1_53.js'
diff --git a/csaf_2_1/mandatoryTests/mandatoryTest_6_1_53.js b/csaf_2_1/mandatoryTests/mandatoryTest_6_1_53.js
@@ -0,0 +1,101 @@
+import Ajv from 'ajv/dist/jtd.js'
+import {compareZonedDateTimes} from "../../lib/shared/dateHelper.js";
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+    additionalProperties: true,
+    properties: {
+        document: {
+            additionalProperties: true,
+            properties: {
+                tracking: {
+                    additionalProperties: true,
+                    properties: {
+                        revision_history: {
+                            elements: {
+                                additionalProperties: true,
+                                optionalProperties: {
+                                    date: {type: 'string'},
+                                },
+                            },
+                        },
+                        status: {type: 'string'},
+                    },
+                },
+            },
+        },
+        vulnerabilities: {
+            elements: {
+                additionalProperties: true,
+                optionalProperties: {
+                    first_known_exploitation_dates: {
+                        elements: {
+                            additionalProperties: true,
+                            optionalProperties: {
+                                date: {type: 'string'},
+                                exploitation_date: {type: 'string'},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * This implements the mandatory test 6.1.53 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export function mandatoryTest_6_1_53(doc) {
+    /*
+      The `ctx` variable holds the state that is accumulated during the test ran and is
+      finally returned by the function.
+      */
+    const ctx = {
+        errors:
+        /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+        isValid: true,
+    }
+
+    if (!validate(doc)) {
+        return ctx
+    }
+    const status = doc.document.tracking.status
+    if (status !== 'final' && status !== 'interim') {
+        return ctx
+    }
+
+    doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+        const exploitDate = vulnerability.first_known_exploitation_dates || []
+        exploitDate.forEach((exploit, exploitIdx) => {
+            const date = exploit.date
+            const exploitationDate = exploit.exploitation_date
+
+            if (
+                compareZonedDateTimes(
+                    /** @type {string} */ (date),
+                    /** @type {string} */ (exploitationDate)
+                ) < 0
+            ) {
+                ctx.isValid = false
+                ctx.errors.push({
+                    instancePath: `/vulnerabilities/${vulnerabilityIndex}/first_known_exploitation_dates/${exploitIdx}`,
+                    message: `the status is ${status}, but the 'exploitation_date' are newer than the 'date'`,
+                })
+            }
+        })
+    })
+
+    return ctx
+}
diff --git a/tests/csaf_2_1/mandatoryTest_6_1_53.js b/tests/csaf_2_1/mandatoryTest_6_1_53.js
@@ -0,0 +1,73 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_53 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_53.js'
+
+describe('mandatoryTest_6_1_53', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_53({ document: 'mydoc' }).isValid, true)
+  })
+
+  it('skips status draft', function () {
+    assert.equal(
+      mandatoryTest_6_1_53({
+        document: {
+          tracking: {
+            revision_history: [],
+            status: 'draft',
+          },
+        },
+        vulnerabilities: [],
+      }).isValid,
+      true
+    )
+  })
+
+  it('skips empty vulnerability', function () {
+    assert.equal(
+      mandatoryTest_6_1_53({
+        document: {
+          tracking: {
+            revision_history: [],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {}, // should be ignored
+          {
+            first_known_exploitation_dates: [
+              {
+                date: '2024-01-24T12:34:56.789Z',
+                exploitation_date: '2024-01-24T13:00:00.000Z',
+              },
+            ],
+          },
+        ],
+      }).isValid,
+      false
+    )
+  })
+
+  it('skips empty first_known_exploitation_date', function () {
+    assert.equal(
+      mandatoryTest_6_1_53({
+        document: {
+          tracking: {
+            revision_history: [],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {
+            first_known_exploitation_dates: [
+              {}, // should be ignored
+              {
+                date: '2024-01-24T12:34:56.789Z',
+                exploitation_date: '2024-01-24T13:00:00.000Z',
+              },
+            ],
+          },
+        ],
+      }).isValid,
+      false
+    )
+  })
+})
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -38,7 +38,6 @@ const excluded = [
   '6.1.50',
   '6.1.51',
   '6.1.52',
-  '6.1.53',
   '6.1.54',
   '6.1.55',
   '6.2.11',
