Merge pull request #360 from secvisogram/197-csaf-2.1-mandatory-test-6.1.52

feat: add mandatory test 6.1.52

Author: bendo-eXX

README.md

@@ -323,7 +323,6 @@ The following tests are not yet implemented and therefore missing:
 - Mandatory Test 6.1.49
 - Mandatory Test 6.1.50
 - Mandatory Test 6.1.51
-- Mandatory Test 6.1.52
 - Mandatory Test 6.1.53
 - Mandatory Test 6.1.54
 - Mandatory Test 6.1.55
@@ -435,6 +434,7 @@ export const mandatoryTest_6_1_39: DocumentTest
 export const mandatoryTest_6_1_40: DocumentTest
 export const mandatoryTest_6_1_41: DocumentTest
 export const mandatoryTest_6_1_43: DocumentTest
+export const mandatoryTest_6_1_52: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)

csaf_2_1/mandatoryTests.js

@@ -58,3 +58,4 @@ export { mandatoryTest_6_1_39 } from './mandatoryTests/mandatoryTest_6_1_39.js'
 export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
 export { mandatoryTest_6_1_43 } from './mandatoryTests/mandatoryTest_6_1_43.js'
+export { mandatoryTest_6_1_52 } from './mandatoryTests/mandatoryTest_6_1_52.js'

csaf_2_1/mandatoryTests/mandatoryTest_6_1_52.js

@@ -0,0 +1,123 @@
+import Ajv from 'ajv/dist/jtd.js'
+import { compareZonedDateTimes } from '../../lib/shared/dateHelper.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        tracking: {
+          additionalProperties: true,
+          properties: {
+            revision_history: {
+              elements: {
+                additionalProperties: true,
+                optionalProperties: {
+                  date: { type: 'string' },
+                },
+              },
+            },
+            status: { type: 'string' },
+          },
+        },
+      },
+    },
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          first_known_exploitation_dates: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                date: { type: 'string' },
+                exploitation_date: { type: 'string' },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * This implements the mandatory test 6.1.52 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export function mandatoryTest_6_1_52(doc) {
+  /*
+      The `ctx` variable holds the state that is accumulated during the test ran and is
+      finally returned by the function.
+      */
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (!validate(doc)) {
+    return ctx
+  }
+  const status = doc.document.tracking.status
+  if (status !== 'final' && status !== 'interim') {
+    return ctx
+  }
+
+  const newestRevisionHistoryItem = doc.document.tracking.revision_history
+    .filter((item) => item.date != null)
+    .sort((a, z) =>
+      compareZonedDateTimes(
+        /** @type {string} */ (z.date),
+        /** @type {string} */ (a.date)
+      )
+    )[0]
+
+  doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+    const exploitDate = vulnerability.first_known_exploitation_dates || []
+    exploitDate.forEach((exploit, exploitIdx) => {
+      const date = exploit.date
+      const exploitationDate = exploit.exploitation_date
+      if (
+        newestRevisionHistoryItem &&
+        compareZonedDateTimes(
+          /** @type {string} */ (newestRevisionHistoryItem.date),
+          /** @type {string} */ (date)
+        ) < 0
+      ) {
+        ctx.isValid = false
+        ctx.errors.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/first_known_exploitation_dates/${exploitIdx}/date`,
+          message: `the status is ${status}, but the "date" of the First Known Exploitation Dates is newer than the newest revision history date`,
+        })
+      }
+      if (
+        newestRevisionHistoryItem &&
+        compareZonedDateTimes(
+          /** @type {string} */ (newestRevisionHistoryItem.date),
+          /** @type {string} */ (exploitationDate)
+        ) < 0
+      ) {
+        ctx.isValid = false
+        ctx.errors.push({
+          instancePath: `/vulnerabilities/${vulnerabilityIndex}/first_known_exploitation_dates/${exploitIdx}/exploitation_date`,
+          message: `the status is ${status}, but the "exploitation_date" of the First Known Exploitation Dates is newer than the newest revision history date`,
+        })
+      }
+    })
+  })
+
+  return ctx
+}

tests/csaf_2_1/mandatoryTest_6_1_52.js

@@ -0,0 +1,100 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_52 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_52.js'
+
+describe('mandatoryTest_6_1_52', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_52({ document: 'mydoc' }).isValid, true)
+  })
+
+  it('skips status draft', function () {
+    assert.equal(
+      mandatoryTest_6_1_52({
+        document: {
+          tracking: {
+            revision_history: [],
+            status: 'draft',
+          },
+        },
+        vulnerabilities: [],
+      }).isValid,
+      true
+    )
+  })
+
+  it('skips empty revision_history object', function () {
+    assert.equal(
+      mandatoryTest_6_1_52({
+        document: {
+          tracking: {
+            revision_history: [
+              {}, // should be ignored
+              { date: '2024-01-24T10:00:00.000Z' },
+            ],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {
+            first_known_exploitation_dates: [
+              {
+                date: '2024-01-24T13:00:00.000Z',
+                exploitation_date: '2024-01-24T12:34:56.789Z',
+              },
+            ],
+          },
+        ],
+      }).isValid,
+      false
+    )
+  })
+
+  it('skips empty vulnerability object', function () {
+    assert.equal(
+      mandatoryTest_6_1_52({
+        document: {
+          tracking: {
+            revision_history: [{ date: '2024-01-24T10:00:00.000Z' }],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {}, // should be ignored
+          {
+            first_known_exploitation_dates: [
+              {
+                date: '2024-01-24T13:00:00.000Z',
+                exploitation_date: '2024-01-24T12:34:56.789Z',
+              },
+            ],
+          },
+        ],
+      }).isValid,
+      false
+    )
+  })
+
+  it('skips empty first_known_exploitation_date object', function () {
+    assert.equal(
+      mandatoryTest_6_1_52({
+        document: {
+          tracking: {
+            revision_history: [{ date: '2024-01-24T10:00:00.000Z' }],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {
+            first_known_exploitation_dates: [
+              {}, // should be ignored
+              {
+                date: '2024-01-24T13:00:00.000Z',
+                exploitation_date: '2024-01-24T12:34:56.789Z',
+              },
+            ],
+          },
+        ],
+      }).isValid,
+      false
+    )
+  })
+})

tests/csaf_2_1/oasis.js

@@ -27,7 +27,6 @@ const excluded = [
   '6.1.49',
   '6.1.50',
   '6.1.51',
-  '6.1.52',
   '6.1.53',
   '6.1.54',
   '6.1.55',