feat(CSAF2.1): add informative test 6.3.17

Author: rainer-exxcellent

csaf_2_1/informativeTests.js

@@ -11,3 +11,4 @@ export {
 } from '../informativeTests.js'
 export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
 export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
+export { informativeTest_6_3_17 } from './informativeTests/informativeTest_6_3_17.js'

csaf_2_1/informativeTests/informativeTest_6_3_17.js

@@ -0,0 +1,85 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ABOUTCODE_LICENSE_DB =
+  'https://scancode-licensedb.aboutcode.org/index.json'
+const SPDX_LICENSE_DB =
+  'https://raw.githubusercontent.com/composer/spdx-licenses/refs/heads/main/res/spdx-licenses.json'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        license_expression: {
+          type: 'string',
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * Read JSON from given URL
+ * @param {string | URL | Request} dataUrl
+ * @returns
+ */
+async function readJson(dataUrl) {
+  /** @type {any} */
+  const headers = { Accept: 'application/vnd.github.v3+json' }
+  const response = await fetch(dataUrl, { headers })
+  if (!response.ok) {
+    throw new Error(`Response status: ${response.status}`)
+  }
+
+  return await response.json()
+}
+
+/**
+ * Read considered licenses from SPDX and About Code
+ * @returns {Promise<Set<string>>}
+ */
+async function readConsideredLicenses() {
+  /** @type {Array<{ license_key: string; spdx_license_key: string }>} */
+  const aboutcodeLicenses = await readJson(ABOUTCODE_LICENSE_DB)
+  /** @type {Record<string, []>}  */
+  const spdxLicenses = await readJson(SPDX_LICENSE_DB)
+
+  const consideredLicenses = new Set(
+    aboutcodeLicenses.map((aboutCode) => aboutCode.license_key)
+  )
+  Object.keys(spdxLicenses).forEach((item) => consideredLicenses.add(item))
+  return consideredLicenses
+}
+
+/**
+ * It MUST be tested that the all license identifiers and exceptions are listed either
+ * in the official SPDX license identifier list or AboutCode's "ScanCode LicenseDB".
+ * @param {unknown} doc
+ * @returns
+ */
+export async function informativeTest_6_3_17(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  const consideredLicenses = await readConsideredLicenses()
+
+  const licenseToCheck = doc.document.license_expression
+  if (!consideredLicenses.has(licenseToCheck)) {
+    ctx.infos.push({
+      instancePath: '/document/license_expression',
+      message: `Invalid license: '${licenseToCheck}'`,
+    })
+  }
+
+  return ctx
+}

tests/csaf_2_1/informativeTest_6_3_17.js

@@ -0,0 +1,10 @@
+import assert from 'node:assert'
+import { informativeTest_6_3_17 } from '../../csaf_2_1/informativeTests.js'
+
+describe('informativeTest_6_3_17', function () {
+  it('only runs on relevant documents', function () {
+    informativeTest_6_3_17({ document: 'mydoc' }).then((result) =>
+      assert.equal(result.infos.length, 0)
+    )
+  })
+})

tests/csaf_2_1/oasis.js

@@ -81,7 +81,6 @@ const excluded = [
   '6.3.12',
   '6.3.13',
   '6.3.16',
-  '6.3.17',
 ]
 
 /** @typedef {import('../../lib/shared/types.js').DocumentTest} DocumentTest */