Skip to content

feat: add informative test 6.3.6 #608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
domachine wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add informative test 6.3.6 #608

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion csaf_2_1/informativeTests.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
export {
informativeTest_6_3_3,
informativeTest_6_3_5,
informativeTest_6_3_6,
informativeTest_6_3_7,
informativeTest_6_3_8,
informativeTest_6_3_9,
informativeTest_6_3_10,
informativeTest_6_3_11,
} from '../informativeTests.js'
export { informativeTest_6_3_6 } from './informativeTests/informativeTest_6_3_6.js'
export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
export { informativeTest_6_3_2 } from './informativeTests/informativeTest_6_3_2.js'
export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
Expand Down
219 changes: 219 additions & 0 deletions csaf_2_1/informativeTests/informativeTest_6_3_6.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,219 @@
import { Ajv } from 'ajv/dist/jtd.js'
import testURL from '#lib/informativeTests/shared/testURL.js'
import { walkPath } from '#lib/walkPaths.js'

const ajv = new Ajv()

const referenceSchema = /** @type {const} */ ({
additionalProperties: true,
optionalProperties: {
url: { type: 'string' },
category: { type: 'string' },
},
})

const inputSchema = /** @type {const} */ ({
additionalProperties: true,
optionalProperties: {
document: {
additionalProperties: true,
optionalProperties: {
acknowledgments: {
elements: {
additionalProperties: true,
optionalProperties: {
urls: {
elements: { type: 'string' },
},
},
},
},
references: {
elements: referenceSchema,
},
aggregate_severity: {
additionalProperties: true,
optionalProperties: {
namespace: { type: 'string' },
},
},
distribution: {
additionalProperties: true,
optionalProperties: {
tlp: {
additionalProperties: true,
optionalProperties: {
url: { type: 'string' },
},
},
},
},
publisher: {
additionalProperties: true,
optionalProperties: {
namespace: { type: 'string' },
},
},
},
},
product_tree: {
additionalProperties: true,
optionalProperties: {
full_product_names: {
elements: {
additionalProperties: true,
optionalProperties: {
product_identification_helper: {
additionalProperties: true,
optionalProperties: {
sbom_urls: { elements: { type: 'string' } },
x_generic_uris: {
elements: {
additionalProperties: true,
optionalProperties: {
namespace: { type: 'string' },
uri: { type: 'string' },
},
},
},
},
},
},
},
},
branches: {
elements: {
additionalProperties: true,
properties: {},
},
},
product_paths: {
elements: {
additionalProperties: true,
optionalProperties: {
full_product_name: {
additionalProperties: true,
optionalProperties: {
product_identification_helper: {
additionalProperties: true,
optionalProperties: {
sbom_urls: { elements: { type: 'string' } },
x_generic_uris: {
elements: {
additionalProperties: true,
optionalProperties: {
namespace: { type: 'string' },
uri: { type: 'string' },
},
},
},
},
},
},
},
},
},
},
},
},
vulnerabilities: {
elements: {
additionalProperties: true,
optionalProperties: {
remediations: {
elements: {
additionalProperties: true,
optionalProperties: {
url: { type: 'string' },
},
},
},
acknowledgments: {
elements: {
additionalProperties: true,
optionalProperties: {
urls: {
elements: { type: 'string' },
},
},
},
},
references: {
elements: referenceSchema,
},
},
},
},
},
})

const validateInput = ajv.compile(inputSchema)
const validateReference = ajv.compile(referenceSchema)

/**
* CSAF 2.1 Informative Test 6.3.6:
* verifies that all non-self references using URL fields resolve to HTTP 2xx or 3xx.
*
* @param {unknown} doc
*/
export async function informativeTest_6_3_6(doc) {
const ctx = {
infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
}

if (!validateInput(doc)) {
return ctx
}

for (const path of [
'/document/acknowledgments[]/urls[]',
'/document/aggregate_severity/namespace',
'/document/distribution/tlp/url',
'/document/publisher/namespace',
'/product_tree/branches[*]/product/product_identification_helper/sbom_urls[]',
'/product_tree/branches[*]/product/product_identification_helper/x_generic_uris[]/namespace',
'/product_tree/branches[*]/product/product_identification_helper/x_generic_uris[]/uri',
'/product_tree/full_product_names[]/product_identification_helper/sbom_urls[]',
'/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/namespace',
'/product_tree/full_product_names[]/product_identification_helper/x_generic_uris[]/uri',
'/product_tree/product_paths[]/full_product_name/product_identification_helper/sbom_urls[]',
'/product_tree/product_paths[]/full_product_name/product_identification_helper/x_generic_uris[]/namespace',
'/product_tree/product_paths[]/full_product_name/product_identification_helper/x_generic_uris[]/uri',
'/vulnerabilities[]/acknowledgments[]/urls[]',
'/vulnerabilities[]/remediations[]/url',
]) {
await walkPath(doc, path, async (instancePath, value) => {
if (typeof value !== 'string') return
await testURL(value, () => {
ctx.infos.push({
instancePath,
message: 'use of non-self referencing urls failing to resolve',
})
})
})
}

for (const path of [
'/document/references[]',
'/vulnerabilities[]/references[]',
]) {
await walkPath(doc, path, async (instancePath, value) => {
if (
!validateReference(value) ||
value.category === 'self' ||
typeof value.url !== 'string'
) {
return
}

await testURL(value.url, () => {
ctx.infos.push({
instancePath: instancePath + '/url',
message: 'use of non-self referencing urls failing to resolve',
})
})
})
}

return ctx
}
83 changes: 83 additions & 0 deletions lib/walkPaths.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
/**
* Traverses a simplified JSON-path-like expression and executes a callback on
* every matching node.
*
* Path syntax supported here:
* - `/foo/bar` for object traversal
* - `/items[]/url` for array traversal
* - '/items[*]/url` for recursive array traversal
* - combinations of all of the above
*
* The callback receives a JSON Pointer-like `instancePath` for each match.
*
* @param {unknown} root - Root object to traverse.
* @param {string} path - Traversal path, for example
* `/document/acknowledgments[]/urls[]`.
* @param {(instancePath: string, value: unknown) => Promise<void>} onCheck
* Callback invoked for each matched value.
*/
export async function walkPath(root, path, onCheck) {
return walk([], path.split('/').slice(1), root)

/**
* The actual recursive function.
*
* @param {string[]} resolvedSegments
* @param {string[]} remainingSegments
* @param {unknown} node
*/
async function walk(resolvedSegments, remainingSegments, node) {
if (node == null) return
const keyEntry = remainingSegments[0]

if (!keyEntry) {
// Reached the end of the path: call the callback now ...

await onCheck('/' + resolvedSegments.join('/'), node)
} else if (keyEntry.endsWith('[*]')) {
// ... Recursive-descent array: visit every element and re-apply this same
// segment on each element to handle arbitrary nesting depth.

const arrayName = keyEntry.slice(0, -3)
/** @type {unknown} */
const array = Reflect.get(node, arrayName)

if (Array.isArray(array)) {
for (const [elementIndex, element] of array.entries()) {
const nextResolved = [
...resolvedSegments,
arrayName,
String(elementIndex),
]
// ... Continue with the rest of the path at this depth
await walk(nextResolved, remainingSegments.slice(1), element)
// ... Recurse deeper into same-named sub-arrays
await walk(nextResolved, remainingSegments, element)
}
}
} else if (keyEntry.endsWith('[]')) {
// ... Array entry: iterate through all the elements.

const arrayName = keyEntry.split('[')[0]
/** @type {unknown} */
const array = Reflect.get(node, arrayName)

if (Array.isArray(array)) {
for (const [elementIndex, element] of array?.entries() ?? []) {
await walk(
[...resolvedSegments, arrayName, String(elementIndex)],
[...remainingSegments.slice(1)],
element
)
}
}
} else {
// ... Otherwise we recurse deeper
await walk(
[...resolvedSegments, keyEntry],
remainingSegments.slice(1),
Reflect.get(node, keyEntry)
)
}
}
}
3 changes: 3 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@
"repository": {
"url": "https://github.com/secvisogram/csaf-validator-lib"
},
"imports": {
"#*.js": "./*.js"
},
"files": [
"lib",
"schemas",
Expand Down
9 changes: 9 additions & 0 deletions tests/csaf_2_1/informativeTest_6_3_6.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
import assert from 'node:assert/strict'
import { informativeTest_6_3_6 } from '../../csaf_2_1/informativeTests.js'

describe('informativeTest_6_3_6', function () {
it('returns no infos for invalid input', async function () {
const result = await informativeTest_6_3_6('not-an-object')
assert.equal(result.infos.length, 0)
})
})
Loading
Loading