Discouraged Product Status Remediation Combination
- addresses parts of #541, #662, #563
- add optional test for discouraged product status remediation combinations
- add invalid examples
- add valid examples
tschmidtb51 committed Oct 25, 2024
1 parent a274571 commit 7e03b04
Showing 7 changed files with 374 additions and 1 deletion.
33 changes: 33 additions & 0 deletions csaf_2.1/prose/edit/src/tests-02-optional.md
Expand Up @@ -823,3 +823,36 @@ The relevant path for this test is:
```
> The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023)
### Discouraged Product Status Remediation Combination
For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of a discouraged product status group
remediation category combination.
This takes indirect relations through Product Groups into account.
The relevant path for this test is:
```
/vulnerabilities[]/remediations[]
```
*Example 1 (which fails the test):*
```
"product_status": {
"known_not_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "fix_planned",
"details": "The fix should be available in Q4 2024.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
```
> For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all.
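Review bot: The explanatory line under Example 1 refers to `CSAFPID-908070`, but the example and the product tree of the corresponding test file use `CSAFPID-9080700`; the product ID in the quote line should be changed to `CSAFPID-9080700` so readers can match it against the snippet above. The test statement reads `a Product is not member of a discouraged product status group remediation category combination`, which should read `a product is not a member of …`. If the set of discouraged status/category combinations is defined in another part of the specification, a reference to it from this paragraph would tell implementers exactly what the test has to check, since nothing in this hunk enumerates those combinations.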
@@ -0,0 +1,58 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Optional test: Discouraged Product Status Remediation Combination (failing example 1)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-01",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_not_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "fix_planned",
"details": "The fix should be available in Q4 2024.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
}
]
}
@@ -0,0 +1,100 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Optional test: Discouraged Product Status Remediation Combination (failing example 2)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-02",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
},
{
"product_id": "CSAFPID-9080703",
"name": "Product D"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
}
]
},
"vulnerabilities": [
{
"product_status": {
"fixed": [
"CSAFPID-9080703"
],
"under_investigation": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
"remediations": [
{
"category": "fix_planned",
"details": "The fix is expected to be distributed in November 2024.",
"product_ids": [
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
{
"category": "mitigation",
"details": "Make sure that the product is not connected to any network.",
"group_ids": [
"CSAFGID-1020300"
]
},
{
"category": "optional_patch",
"details": "Update to the version 8.5.1.",
"product_ids": [
"CSAFPID-9080703"
]
}
]
}
]
}
@@ -0,0 +1,58 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Optional test: Discouraged Product Status Remediation Combination (valid example 1)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-11",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "fix_planned",
"details": "The fix should be available in Q4 2024.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
}
]
}
@@ -0,0 +1,100 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Optional test: Discouraged Product Status Remediation Combination (valid example 2)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-12",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
},
{
"product_id": "CSAFPID-9080703",
"name": "Product D"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
}
]
},
"vulnerabilities": [
{
"product_status": {
"last_affected": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
],
"under_investigation": [
"CSAFPID-9080703"
]
},
"remediations": [
{
"category": "fix_planned",
"details": "The fix is expected to be distributed in November 2024.",
"product_ids": [
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
{
"category": "mitigation",
"details": "Make sure that the product is not connected to any network.",
"group_ids": [
"CSAFGID-1020300"
]
},
{
"category": "optional_patch",
"details": "Update to the version 8.5.1.",
"product_ids": [
"CSAFPID-9080703"
]
}
]
}
]
}
24 changes: 24 additions & 0 deletions csaf_2.1/test/validator/data/testcases.json
Expand Up @@ -1688,6 +1688,30 @@
}
]
},
{
"id": "6.2.27",
"group": "optional",
"failures": [
{
"name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json",
"valid": true
},
{
"name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json",
"valid": true
}
],
"valid": [
{
"name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json",
"valid": true
},
{
"name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json",
"valid": true
}
]
},
{
"id": "6.3.1",
"group": "informative",
2 changes: 1 addition & 1 deletion csaf_2.1/test/validator/testcases_json_schema.json
Expand Up @@ -62,7 +62,7 @@
"title": "Number of the test",
"description": "Contains the section number of the test in the specification.",
"type": "string",
"pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$"
"pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$"
},
"valid": {
"title": "List of valid examples",
