feat: add mandatory test 6.1.46

Author: christopher-exx

csaf_2_1/mandatoryTests.js

@@ -47,3 +47,4 @@ export { mandatoryTest_6_1_38 } from './mandatoryTests/mandatoryTests_6_1_38.js'
 export { mandatoryTest_6_1_39 } from './mandatoryTests/mandatoryTest_6_1_39.js'
 export { mandatoryTest_6_1_40 } from './mandatoryTests/mandatoryTest_6_1_40.js'
 export { mandatoryTest_6_1_41 } from './mandatoryTests/mandatoryTest_6_1_41.js'
+export { mandatoryTest_6_1_46 } from './mandatoryTests/mandatoryTest_6_1_46.js'

csaf_2_1/mandatoryTests/mandatoryTest_6_1_46.js

@@ -0,0 +1,83 @@
+import Ajv from 'ajv/dist/jtd.js'
+import csafAjv from '../../lib/shared/csafAjv.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  properties: {
+                    ssvc_v1: {
+                      additionalProperties: true,
+                      properties: {},
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+const validate_ssvc_v1 = csafAjv.compile({
+  $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json',
+})
+
+/**
+ * This implements the mandatory test 6.1.46 of the CSAF 2.1 standard.
+ *
+ * @param {unknown} doc
+ */
+export function mandatoryTest_6_1_46(doc) {
+  /*
+  The `ctx` variable holds the state that is accumulated during the test ran and is
+  finally returned by the function.
+ */
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+    vulnerability.metrics?.forEach((metric, metricIndex) => {
+      const valid = validate_ssvc_v1(metric.content?.ssvc_v1)
+      if (!valid) {
+        ctx.isValid = false
+        for (const err of validate_ssvc_v1.errors ?? []) {
+          ctx.errors.push({
+            instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/${metricIndex}/content/ssvc_v1${err.instancePath}`,
+            message: err.message ?? '',
+          })
+        }
+      }
+    })
+  })
+
+  return ctx
+}

lib/shared/csafAjv.js

@@ -4,12 +4,22 @@ import cvss_v2_0 from './csafAjv/cvss-v2.0.js'
 import cvss_v3_0 from './csafAjv/cvss-v3.0.js'
 import cvss_v3_1 from './csafAjv/cvss-v3.1.js'
 import cvss_v4_0 from './csafAjv/cvss-v4.0.js'
+import ssvc_v1 from './csafAjv/ssvc-v1.js'
+import ssvc_v1_schemaVersion from './csafAjv/ssvc-v1_schemaVersion.js'
 
 const csafAjv = new Ajv2020({ strict: false, allErrors: true })
 addFormats(csafAjv)
 csafAjv.addSchema(cvss_v2_0, 'https://www.first.org/cvss/cvss-v2.0.json')
 csafAjv.addSchema(cvss_v3_0, 'https://www.first.org/cvss/cvss-v3.0.json')
 csafAjv.addSchema(cvss_v3_1, 'https://www.first.org/cvss/cvss-v3.1.json')
 csafAjv.addSchema(cvss_v4_0, 'https://www.first.org/cvss/cvss-v4.0.json')
+csafAjv.addSchema(
+  ssvc_v1,
+  'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json'
+)
+csafAjv.addSchema(
+  ssvc_v1_schemaVersion,
+  'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json'
+)
 
 export default csafAjv

lib/shared/csafAjv/ssvc-v1.js

@@ -0,0 +1,83 @@
+export default {
+  $schema: 'https://json-schema.org/draft/2020-12/schema',
+  $id: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json',
+  description:
+    'This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.',
+  $defs: {
+    id: {
+      type: 'string',
+      description:
+        'Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.',
+      examples: ['CVE-1900-1234', 'VU#11111', 'GHSA-11a1-22b2-33c3'],
+      minLength: 1,
+    },
+    role: {
+      type: 'string',
+      description:
+        'The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/',
+      examples: ['Supplier', 'Deployer', 'Coordinator'],
+      minLength: 1,
+    },
+    timestamp: {
+      description:
+        'Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.',
+      type: 'string',
+      format: 'date-time',
+    },
+    SsvcdecisionpointselectionSchema: {
+      description:
+        'A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.',
+      properties: {
+        name: {
+          $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name',
+        },
+        namespace: {
+          $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace',
+        },
+        values: {
+          description:
+            'One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.',
+          title: 'values',
+          type: 'array',
+          minItems: 1,
+          items: {
+            $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name',
+          },
+        },
+        version: {
+          $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version',
+        },
+      },
+      type: 'object',
+      required: ['name', 'namespace', 'values', 'version'],
+      additionalProperties: false,
+    },
+  },
+  properties: {
+    id: {
+      $ref: '#/$defs/id',
+    },
+    role: {
+      $ref: '#/$defs/role',
+    },
+    schemaVersion: {
+      $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion',
+    },
+    timestamp: {
+      $ref: '#/$defs/timestamp',
+    },
+    selections: {
+      description:
+        'An array of Decision Points and their selected values for the identified Vulnerability.  If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.',
+      title: 'selections',
+      type: 'array',
+      minItems: 1,
+      items: {
+        $ref: '#/$defs/SsvcdecisionpointselectionSchema',
+      },
+    },
+  },
+  type: 'object',
+  required: ['selections', 'id', 'timestamp', 'schemaVersion'],
+  additionalProperties: false,
+}

lib/shared/csafAjv/ssvc-v1_schemaVersion.js

@@ -0,0 +1,106 @@
+export default {
+  $schema: 'https://json-schema.org/draft/2020-12/schema',
+  title: 'Decision Point schema definition',
+  $id: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json',
+  description:
+    'Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.',
+  $defs: {
+    schemaVersion: {
+      description: 'Schema version used to represent this Decision Point.',
+      type: 'string',
+      enum: ['1-0-1'],
+    },
+    decision_point_value: {
+      type: 'object',
+      additionalProperties: false,
+      properties: {
+        key: {
+          type: 'string',
+          description:
+            'A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.',
+          minLength: 1,
+          examples: ['P', 'Y'],
+        },
+        name: {
+          type: 'string',
+          description: 'A short label that identifies a Decision Point Value',
+          minLength: 1,
+          examples: ['Public PoC', 'Yes'],
+        },
+        description: {
+          type: 'string',
+          description: 'A full description of the Decision Point Value.',
+          minLength: 1,
+          examples: [
+            'One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.',
+            'Attackers can reliably automate steps 1-4 of the kill chain.',
+          ],
+        },
+      },
+      required: ['key', 'name', 'description'],
+    },
+    decision_point: {
+      type: 'object',
+      additionalProperties: false,
+      properties: {
+        schemaVersion: {
+          $ref: '#/$defs/schemaVersion',
+        },
+        namespace: {
+          type: 'string',
+          description:
+            'Namespace (a short, unique string): The value must be one of the official namespaces, currenlty "ssvc", "cvss" OR can start with \'x_\' for private namespaces. See SSVC Documentation for details.',
+          pattern: '^(?=.{3,100}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,97}$',
+          examples: ['ssvc', 'cvss', 'x_custom', 'x_custom/extension'],
+        },
+        version: {
+          type: 'string',
+          description:
+            'Version (a semantic version string) that identifies the version of a Decision Point.',
+          pattern:
+            '^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$',
+          examples: ['1.0.1', '1.0.1-alpha'],
+        },
+        key: {
+          type: 'string',
+          description:
+            'A short, unique string (or key) used as a shorthand identifier for a Decision Point.',
+
+          minLength: 1,
+          examples: ['E', 'A'],
+        },
+        name: {
+          type: 'string',
+          description: 'A short label that identifies a Decision Point.',
+          minLength: 1,
+          examples: ['Exploitation', 'Automatable'],
+        },
+        description: {
+          type: 'string',
+          description:
+            'A full description of the Decision Point, explaining what it represents and how it is used in SSVC.',
+          minLength: 1,
+        },
+        values: {
+          description: 'A set of possible answers for a given Decision Point',
+          uniqueItems: true,
+          type: 'array',
+          minItems: 1,
+          items: {
+            $ref: '#/$defs/decision_point_value',
+          },
+        },
+      },
+      required: [
+        'namespace',
+        'version',
+        'key',
+        'name',
+        'description',
+        'values',
+        'schemaVersion',
+      ],
+    },
+  },
+  $ref: '#/$defs/decision_point',
+}

tests/csaf_2_1/mandatoryTest_6_1_46.js

@@ -0,0 +1,8 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_46 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_46.js'
+
+describe('mandatoryTest_6_1_46', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_46({ document: 'mydoc' }).isValid, true)
+  })
+})

tests/csaf_2_1/oasis.js

@@ -33,7 +33,6 @@ const excluded = [
   '6.1.43',
   '6.1.44',
   '6.1.45',
-  '6.1.46',
   '6.1.47',
   '6.1.48',
   '6.1.49',