From 7e03b04619d856bdbe4da42d0ceaacdc024674a4 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Thu, 24 Oct 2024 22:52:32 +0200
Subject: [PATCH] Discouraged Product Status Remediation Combination

- addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563
- add optional test for discouraged product status remediation combinations
- add invalid examples
- add valid examples
---
 csaf_2.1/prose/edit/src/tests-02-optional.md | 33 ++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json | 58 ++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json | 100 ++++++++++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json | 58 ++++++++++
 ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json | 100 ++++++++++++++++++
 csaf_2.1/test/validator/data/testcases.json | 24 +++++
 .../test/validator/testcases_json_schema.json | 2 +-
 7 files changed, 374 insertions(+), 1 deletion(-)
 create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json
 create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json
 create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json
 create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json

diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 623ee200..b6c10779 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -823,3 +823,36 @@ The relevant path for this test is:
 ```
 
 > The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023)
+
+### Discouraged Product Status Remediation Combination
+
+For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of a discouraged product status group
+remediation category combination.
+This takes indirect relations through Product Groups into account.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/remediations[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "product_status": {
+ "known_not_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "fix_planned",
+ "details": "The fix should be available in Q4 2024.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+```
+
+> For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all.
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json
new file mode 100644
index 00000000..f6bc5e39
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json
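Review bot: The closing note of the new section names `CSAFPID-908070`, but the example above it (and fixture 27-01) use `CSAFPID-9080700`; the note should read `> For the product with product ID \`CSAFPID-9080700\` a fix is planned but the product was not affected at all.`. The test text also requires that a product "is not member of a discouraged product status group remediation category combination" without saying which combinations are discouraged, so an implementer can only reverse-engineer the matrix from the four fixture files (which appear to treat `known_not_affected`/`fix_planned` and `under_investigation`/`fix_planned` as failing and `known_affected`/`fix_planned`, `last_affected`/`fix_planned` and `under_investigation`/`optional_patch` as passing). A table of the discouraged status-group/category pairs, or a reference to the section that defines them, belongs in this section so that validators and the fixtures can be checked against the same source. Since the test must also follow `group_ids`, a second example that fails only through a Product Group would make the "indirect relations" sentence concrete.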
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Discouraged Product Status Remediation Combination (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "known_not_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "fix_planned",
+ "details": "The fix should be available in Q4 2024.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json
new file mode 100644
index 00000000..fa89c71d
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json
@@ -0,0 +1,100 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Discouraged Product Status Remediation Combination (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ },
+ {
+ "product_id": "CSAFPID-9080701",
+ "name": "Product B"
+ },
+ {
+ "product_id": "CSAFPID-9080702",
+ "name": "Product C"
+ },
+ {
+ "product_id": "CSAFPID-9080703",
+ "name": "Product D"
+ }
+ ],
+ "product_groups": [
+ {
+ "group_id": "CSAFGID-1020300",
+ "product_ids": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "fixed": [
+ "CSAFPID-9080703"
+ ],
+ "under_investigation": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "fix_planned",
+ "details": "The fix is expected to be distributed in November 2024.",
+ "product_ids": [
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ },
+ {
+ "category": "mitigation",
+ "details": "Make sure that the product is not connected to any network.",
+ "group_ids": [
+ "CSAFGID-1020300"
+ ]
+ },
+ {
+ "category": "optional_patch",
+ "details": "Update to the version 8.5.1.",
+ "product_ids": [
+ "CSAFPID-9080703"
+ ]
+ }
+ ]
+ }
+ ]
+}
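Review bot: The only remediation addressed through `group_ids` in this fixture is the `mitigation`, which is not the discouraged combination, so a validator that never resolves Product Groups still flags B and C via the `product_ids` of the `fix_planned` entry and passes both failing examples (27-01 has no groups at all); the "indirect relations through Product Groups" requirement is therefore untested. Consider moving the discouraged remediation onto the group, i.e. replacing the two `product_ids` of the `fix_planned` entry with `"group_ids": ["CSAFGID-1020300"]`, or adding a further failing fixture in which the discouraged pair is reachable only through a group. The combination this file depends on — `fix_planned` for products listed under `under_investigation` — is not stated anywhere in the prose hunk, so the expected failure should also be written down in the test description rather than being derivable only from this fixture.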
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json
new file mode 100644
index 00000000..d20fb0d2
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Discouraged Product Status Remediation Combination (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "known_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "fix_planned",
+ "details": "The fix should be available in Q4 2024.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json
new file mode 100644
index 00000000..a7f322cd
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json
@@ -0,0 +1,100 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Discouraged Product Status Remediation Combination (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ },
+ {
+ "product_id": "CSAFPID-9080701",
+ "name": "Product B"
+ },
+ {
+ "product_id": "CSAFPID-9080702",
+ "name": "Product C"
+ },
+ {
+ "product_id": "CSAFPID-9080703",
+ "name": "Product D"
+ }
+ ],
+ "product_groups": [
+ {
+ "group_id": "CSAFGID-1020300",
+ "product_ids": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "last_affected": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ],
+ "under_investigation": [
+ "CSAFPID-9080703"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "fix_planned",
+ "details": "The fix is expected to be distributed in November 2024.",
+ "product_ids": [
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ },
+ {
+ "category": "mitigation",
+ "details": "Make sure that the product is not connected to any network.",
+ "group_ids": [
+ "CSAFGID-1020300"
+ ]
+ },
+ {
+ "category": "optional_patch",
+ "details": "Update to the version 8.5.1.",
+ "product_ids": [
+ "CSAFPID-9080703"
+ ]
+ }
+ ]
+ }
+ ]
+}
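Review bot: Compared with failing fixture 27-02, this valid counterpart changes two independent things: B and C move from `under_investigation` to `last_affected`, and D moves from `fixed` to `under_investigation` while keeping its `optional_patch` remediation. The second change silently asserts that `under_investigation` + `optional_patch` is an accepted combination, which is a separate claim from the one 27-02 exercises and is not stated in the prose; a validator implementing a stricter matrix would fail this "valid" example for a reason the test description never mentions. If that pairing is meant to be allowed, give it its own valid fixture (or a sentence in the test text); otherwise keep D as `fixed` here so that the valid/failing pair differs only in the status group of B and C.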
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 2184b3d6..30283341 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1688,6 +1688,30 @@
 }
 ]
 },
+ {
+ "id": "6.2.27",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index f6e82949..0d30d7ea 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$"
 },
 "valid": {
 "title": "List of valid examples",
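Review bot: The new alternative `(2\\.27)` is placed next to `([12]\\.2[0-6])`, so the `id` pattern now spells out 6.2.20–6.2.27 across two branches and the next 6.2.x test will need yet another one; folding the two into `(1\\.2[0-6])|(2\\.2[0-7])` accepts exactly the same set of ids and makes future additions a single-character change. The `failures` entries in testcases.json carry `"valid": true`, which is the correct reading for an optional test (the document remains schema-valid and only the optional check reports), but nothing in this hunk records that convention; if the `failures` property's `description` in the schema does not already say so, it is worth adding there so a later contributor does not "correct" these to `false`.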