From efb969160b55d36e08fdc5c7a26629ce1fceeba2 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Aug 2024 17:16:00 +0200 Subject: [PATCH 01/11] CWEs - addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#735 - add test to prevent usage of deprecated CWEs --- csaf_2.1/prose/edit/src/tests-02-optional.md | 26 ++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index 6b4cb447..001ceea5 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -705,3 +705,29 @@ The relevant path for this test is: > A tool MAY remove the document tracking id from the document title. > It SHOULD also remove any separating characters including whitespace, colon, dash and brackets. + +### Usage of deprecated CWE + +For each item CWE array it MUST be tested that the CWE is not deprecated in the given version. + +The relevant path for this test is: + +``` + /vulnerabilities[]/cwes[] +``` + +*Example 1 (which fails the test):* + +``` + "cwes": [ + { + "id": "CWE-596", + "name": "DEPRECATED: Incorrect Semantic Object Comparison", + "version": "4.13" + } + ] +``` + +> The `CWE-596` is deprecated in version 4.13. + +> A tool MAY suggest to replace the deprecated CWE with its replacement or closes equivalent. From 19eb7b80ffffa4a51cbd1c901cd38c7dc86763c2 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Aug 2024 17:20:40 +0200 Subject: [PATCH 02/11] CWEs - addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#735 - add invalid examples for 6.2.23 - add valid examples for 6.2.23 - fix spelling mistakes --- csaf_2.1/prose/edit/src/tests-02-optional.md | 4 +- ...oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json | 43 +++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json | 58 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json | 61 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json | 43 +++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json | 53 ++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json | 61 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 32 ++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 354 insertions(+), 3 deletions(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index 001ceea5..ad469fb3 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md 
@@ -708,7 +708,7 @@ The relevant path for this test is: ### Usage of deprecated CWE -For each item CWE array it MUST be tested that the CWE is not deprecated in the given version. +For each item in the CWE array it MUST be tested that the CWE is not deprecated in the given version. The relevant path for this test is: @@ -730,4 +730,4 @@ The relevant path for this test is: > The `CWE-596` is deprecated in version 4.13. -> A tool MAY suggest to replace the deprecated CWE with its replacement or closes equivalent. +> A tool MAY suggest to replace the deprecated CWE with its replacement or closest equivalent. diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json new file mode 100644 index 00000000..8a54c2a3 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json @@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of deprecated CWE (failing example 1)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-01", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-596", + "name": "DEPRECATED: Incorrect Semantic Object Comparison", + "version": "4.13" + } + ] + } + ] +} 
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json new file mode 100644 index 00000000..2f6ad18d --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json @@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of deprecated CWE (failing example 2)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-02", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-1324", + "name": "DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface", + "version": "4.10" + }, + { + "id": "CWE-300", + "name": "Channel Accessible by Non-Endpoint", + "version": "4.10" + }, + { + "id": "CWE-923", + "name": "Improper Restriction of Communication Channel to Intended Endpoints", + "version": "4.10" + }, + { + "id": "CWE-284", + "name": "Improper Access Control", + "version": "4.10" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json new file mode 100644 index 00000000..c623668b --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json 
@@ -0,0 +1,61 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of deprecated CWE (failing example 3)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-03", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-602", + "name": "Client-Side Enforcement of Server-Side Security", + "version": "4.13" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-1004", + "name": "Sensitive Cookie Without 'HttpOnly' Flag", + "version": "4.13" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-365", + "name": "DEPRECATED: Race Condition in Switch", + "version": "4.13" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json new file mode 100644 index 00000000..0a124dc0 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json 
@@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of deprecated CWE (valid example 1)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-11", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-596", + "name": "Incorrect Semantic Object Comparison", + "version": "3.0" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json new file mode 100644 index 00000000..34c6e090 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json 
@@ -0,0 +1,53 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of deprecated CWE (valid example 2)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-12", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-319", + "name": "Cleartext Transmission of Sensitive Information", + "version": "4.10" + }, + { + "id": "CWE-311", + "name": "Missing Encryption of Sensitive Data", + "version": "4.10" + }, + { + "id": "CWE-693", + "name": "Protection Mechanism Failure", + "version": "4.10" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json new file mode 100644 index 00000000..8e8b572e --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json 
@@ -0,0 +1,61 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of deprecated CWE (valid example 3)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-13", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-602", + "name": "Client-Side Enforcement of Server-Side Security", + "version": "4.13" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-1004", + "name": "Sensitive Cookie Without 'HttpOnly' Flag", + "version": "4.13" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-367", + "name": "Time-of-check Time-of-use (TOCTOU) Race Condition", + "version": "4.13" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index f4ef0c14..c0599c89 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1479,6 +1479,38 @@
 }
 ]
 },
+ {
+ "id": "6.2.23",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index cb215c90..b7120144 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-2])|(1\\.2[3-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-3])|(1\\.2[4-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
 },
 "valid": {
 "title": "List of valid examples",
From 984013e76bc00aebc0d45cccceba17b993c9f7d3 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Aug 2024 18:18:20 +0200 Subject: [PATCH 03/11] CWEs - addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#737 - add optional test to suggest usage of latest corresponding version in CWE - fix spelling mistake --- csaf_2.1/prose/edit/src/tests-02-optional.md | 41 +++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-)
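Review bot: The new `pattern` value keeps an exclusion that nothing in the schema explains — `(1\\.2[4-68-9])` deliberately skips 6.1.27 because that test is only valid as `6.1.27.1` to `6.1.27.11` via the following alternation — and every new test means hand-editing two adjacent character classes, which is easy to get wrong. I would record the intent next to the pattern, e.g. `"$comment": "6.1.27 is excluded from the 1.2x range on purpose: it is only valid with a sub-test number (6.1.27.1 to 6.1.27.11)"`; `$comment` is available from JSON Schema draft-07 on, and the file's `$schema` is outside this hunk, so confirm the dialect first. The same two ranges are edited again in patch 04's `testcases_json_schema.json` hunk (`[0-4]` / `[5-68-9]`), where the same note applies.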
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index ad469fb3..21b11206 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md @@ -728,6 +728,45 @@ The relevant path for this test is: ] ``` -> The `CWE-596` is deprecated in version 4.13. +> The `CWE-596` is deprecated in version `4.13`. > A tool MAY suggest to replace the deprecated CWE with its replacement or closest equivalent. + +### Usage of non-latest CWE Version + +For each item in the CWE array it MUST be tested that the latest CWE version available at the time of the last revision was used. +The test SHALL fail if a later CWE version was used. + +The relevant path for this test is: + +``` + /vulnerabilities[]/cwes[] +``` + +*Example 1 (which fails the test):* + +``` + "document": { + // ... + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + // ... + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-256", + "name": "Plaintext Storage of a Password", + "version": "4.12" + } + ] + } + ] +``` + +> The CWE version listed is `4.12`. However, version `4.13` was most recent version when the document was released on `2024-01-21T10:00:00.000Z`. + +> A tool MAY suggest to use the latest version available at the time of the `current_release_date`. +> This is most likely also the overall latest CWE version as modifications to a CSAF document lead to a new `current_release_date`. From 6d01df5043f6c3da35de1da87a661d1005e77c6a Mon Sep 17 00:00:00 2001 
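Review bot: The new "Usage of non-latest CWE Version" section names two different reference points for "latest": the normative MUST sentence says "at the time of the last revision", while the closing note anchors on `current_release_date`, so a tool reading only the normative sentence could key on the newest `revision_history[].date` instead. I would make the normative sentence use the field name: `For each item in the CWE array it MUST be tested that the latest CWE version available at the time of the `current_release_date` was used.` The section also leaves implicit that a tool needs the release date of every CWE version to run this test, and what it should do when `current_release_date` is later than the newest CWE release the tool knows about (presumably accept that newest version); one sentence on each would make implementations comparable.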
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 27 Aug 2024 18:21:34 +0200 Subject: [PATCH 04/11] CWEs - addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#737 - add invalid examples for 6.2.24 - add valid examples for 6.2.24 --- ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json | 43 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json | 43 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json | 53 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json | 66 +++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json | 43 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json | 43 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json | 53 +++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json | 66 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 40 +++++++++++ .../test/validator/testcases_json_schema.json | 2 +- 10 files changed, 451 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json new file mode 100644 index 00000000..f65413ac --- /dev/null 
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json @@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (failing example 1)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-01", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-256", + "name": "Plaintext Storage of a Password", + "version": "4.12" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json new file mode 100644 index 00000000..67f514cd --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json 
@@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (failing example 2)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-02", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-143", + "name": "Improper Neutralization of Record Delimiters", + "version": "4.15" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json new file mode 100644 index 00000000..0721127d --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json 
@@ -0,0 +1,53 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (failing example 3)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-03", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-262", + "name": "Not Using Password Aging", + "version": "1.8.1" + }, + { + "id": "CWE-1390", + "name": "Weak Authentication", + "version": "4.13" + }, + { + "id": "CWE-287", + "name": "Insufficient Authentication", + "version": "1.0" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json new file mode 100644 index 00000000..fc41b518 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json 
@@ -0,0 +1,66 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (failing example 4)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-04", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-158", + "name": "Failure to Sanitize Null Byte or NUL Character", + "version": "1.3" + }, + { + "id": "CWE-138", + "name": "Improper Neutralization of Special Elements", + "version": "2.1" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-318", + "name": "Cleartext Storage of Sensitive Information in Executable", + "version": "4.14" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-61", + "name": "UNIX Symbolic Link (Symlink) Following", + "version": "4.15" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json new file mode 100644 index 00000000..bc0eeae0 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json 
@@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (valid example 1)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-11", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-256", + "name": "Plaintext Storage of a Password", + "version": "4.13" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json new file mode 100644 index 00000000..0cf8abeb --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json 
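Review bot: All four valid examples for 6.2.24 (this file and `…-24-12.json` to `…-24-14.json`) share the `current_release_date` `2024-01-21T10:00:00.000Z` and the CWE version `4.13`, so the suite never exercises the date-dependence the test is built on: an implementation that hard-codes `4.13` as "latest" passes every valid and failing example in this patch. A valid example whose `current_release_date` lies before the 4.13 release and that legitimately uses `4.12` would pin "latest available at the time" rather than "latest overall". The failing examples (`…-24-01.json` to `…-24-04.json`) use the same single release date, so the same gap applies there.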
@@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (valid example 2)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-12", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-143", + "name": "Improper Neutralization of Record Delimiters", + "version": "4.13" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json new file mode 100644 index 00000000..d05c1b2c --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json 
@@ -0,0 +1,53 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (valid example 3)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-13", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-262", + "name": "Not Using Password Aging", + "version": "4.13" + }, + { + "id": "CWE-1390", + "name": "Weak Authentication", + "version": "4.13" + }, + { + "id": "CWE-287", + "name": "Improper Authentication", + "version": "4.13" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json new file mode 100644 index 00000000..2d501e9e --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json 
@@ -0,0 +1,66 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Usage of non-latest CWE Version (valid example 4)", + "tracking": { + "current_release_date": "2024-01-21T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-14", + "initial_release_date": "2024-01-21T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-21T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "vulnerabilities": [ + { + "cwes": [ + { + "id": "CWE-158", + "name": "Improper Neutralization of Null Byte or NUL Character", + "version": "4.13" + }, + { + "id": "CWE-138", + "name": "Improper Neutralization of Special Elements", + "version": "4.13" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-318", + "name": "Cleartext Storage of Sensitive Information in Executable", + "version": "4.13" + } + ] + }, + { + "cwes": [ + { + "id": "CWE-61", + "name": "UNIX Symbolic Link (Symlink) Following", + "version": "4.13" + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index c0599c89..1d025d51 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1511,6 +1511,46 @@
 }
 ]
 },
+ {
+ "id": "6.2.24",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index b7120144..5a8a78d7
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-3])|(1\\.2[4-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-4])|(1\\.2[5-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
 },
 "valid": {
 "title": "List of valid examples",
From de55f02d3e90fdd27204b057b5a803a2942a4932 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 27 Aug 2024 20:18:05 +0200
Subject: [PATCH 05/11] CWEs
- addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#743
- add optional test to prevent vulnerability mapping to CWE that is not allowed
---
csaf_2.1/prose/edit/src/tests-02-optional.md | 26 ++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 21b11206..d840623b
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -770,3 +770,29 @@ The relevant path for this test is: > A tool MAY suggest to use the latest version available at the time of the `current_release_date`. > This is most likely also the overall latest CWE version as modifications to a CSAF document lead to a new `current_release_date`.
+
+### Usage of CWE not allowed for Vulnerability Mapping
+
+For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed.
+
+> Currently, this includes the two usage state `Allowed` and `Allowed-with-Review`.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/cwes[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "cwes": [
+ {
+ "id": "CWE-20",
+ "name": "Improper Input Validation",
+ "version": "4.13"
+ }
+ ]
+```
+
+> The usage of CWE-20 is discouraged as "is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available". [cite](https://cwe.mitre.org/data/definitions/20.html)
From 806cef82950bec748e5a23b6a97631d53445e13b Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 27 Aug 2024 20:21:12 +0200
Subject: [PATCH 06/11] CWEs
- addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#743
- add invalid examples for 6.2.25
- add valid examples for 6.2.25
---
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json | 48 ++++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json | 66 +++++++++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json | 66 +++++++++++++++++++
csaf_2.1/test/validator/data/testcases.json | 40 +++++++++++
.../test/validator/testcases_json_schema.json | 2 +-
10 files changed, 436 insertions(+), 1 deletion(-)
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json
new file mode 100644
index 00000000..aa1eb139
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-01",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-20",
+ "name": "Improper Input Validation",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json
new file mode 100644
index 00000000..ef5b618e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-02",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-1187",
+ "name": "DEPRECATED: Use of Uninitialized Resource",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json
new file mode 100644
index 00000000..0dad0481
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json
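Review bot: The only CWE in this failing example, CWE-1187, carries the `DEPRECATED:` prefix in its name, so the fixture also trips the deprecated-CWE test (6.2.23) added earlier in this series, and a validator that reports the first failing optional test cannot show which of the two checks fired. If the intent is that deprecated entries count as a usage state of their own (presumably `Prohibited`), a sentence in the 6.2.25 prose saying so would make that expectation explicit; otherwise a non-deprecated entry whose usage state is neither `Allowed` nor `Allowed-with-Review` would exercise this test in isolation. The valid counterpart `oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json` already uses CWE-908 with the matching non-deprecated name, so only this failing fixture would need to change.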
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-03",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-1287",
+ "name": "Improper Validation of Specified Type of Input",
+ "version": "4.13"
+ },
+ {
+ "id": "CWE-20",
+ "name": "Improper Input Validation",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json
new file mode 100644
index 00000000..65c506c3
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json
@@ -0,0 +1,66 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-04",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-1284",
+ "name": "Improper Validation of Specified Quantity in Input",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-1289",
+ "name": "Improper Validation of Unsafe Equivalence in Input",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-94",
+ "name": "Improper Control of Generation of Code ('Code Injection')",
+ "version": "4.13"
+ },
+ {
+ "id": "CWE-74",
+ "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json
new file mode 100644
index 00000000..31ed5946
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json
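Review bot: The CWE content of this failing example (CWE-1284, CWE-1289, and CWE-94 together with CWE-74, all at version 4.13) is identical to that of valid example 4, `oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json` further down in this patch, so the two fixtures describe the same document and test 6.2.25 can classify at most one of them correctly. None of the four entries is marked deprecated, and CWE-74 is, as far as I recall, `Allowed-with-Review` in 4.13, which the test text accepts, so the valid example looks right and it is this failing example that lacks an entry with a `Discouraged` or `Prohibited` usage state. Replacing one of the objects, for instance the `CWE-74` one, with the discouraged `"id": "CWE-20", "name": "Improper Input Validation"` entry already used in failing example 1 would give the fixture a reason to fail; the testcases.json entry later in this patch does not need to change.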
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-11",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-112",
+ "name": "Missing XML Validation",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json
new file mode 100644
index 00000000..56b89289
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-12",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-908",
+ "name": "Use of Uninitialized Resource",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json
new file mode 100644
index 00000000..6620f445
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-13",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-1287",
+ "name": "Improper Validation of Specified Type of Input",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json
new file mode 100644
index 00000000..65a89cc6
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json
@@ -0,0 +1,66 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 4)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-14",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-1284",
+ "name": "Improper Validation of Specified Quantity in Input",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-1289",
+ "name": "Improper Validation of Unsafe Equivalence in Input",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-94",
+ "name": "Improper Control of Generation of Code ('Code Injection')",
+ "version": "4.13"
+ },
+ {
+ "id": "CWE-74",
+ "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 1d025d51..995ab3b3
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1551,6 +1551,46 @@
 }
 ]
 },
+ {
+ "id": "6.2.25",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 5a8a78d7..1188af2b
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-4])|(1\\.2[5-68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-5])|(1\\.2[68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
 },
 "valid": {
 "title": "List of valid examples",
From 0256fb95fda40526688220870e51884bc95d22a1 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 27 Aug 2024 20:49:26 +0200
Subject: [PATCH 07/11] CWEs
- addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#743
- add optional test to prevent vulnerability mapping to CWE that is not allowed without review
---
csaf_2.1/prose/edit/src/tests-02-optional.md | 27 ++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index d840623b..09f12ffd
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -796,3 +796,30 @@ The relevant path for this test is: ``` > The usage of CWE-20 is discouraged as "is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available". [cite](https://cwe.mitre.org/data/definitions/20.html)
+
+### Usage of CWE allowed with Review for Vulnerability Mapping
+
+For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed without review.
+
+> Reasoning: CWEs marked with a vulnerability mapping state of `Allowed-with-Review` should only be used if a thorough review was done.
+> This test helps to flag such mappings which can be used to trigger processes that ensure the extra review, e.g. by a senior analyst.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/cwes[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "cwes": [
+ {
+ "id": "CWE-1023",
+ "name": "Incomplete Comparison with Missing Factors",
+ "version": "4.13"
+ }
+ ]
+```
+
+> The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html)
From 0e26ff69e880177519ad5cb956e941f006c49ad9 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 27 Aug 2024 20:51:25 +0200
Subject: [PATCH 08/11] CWEs
- addresses parts of oasis-tcs/csaf#660, oasis-tcs/csaf#743
- add invalid examples for 6.2.26
- add valid examples for 6.2.26
---
...oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json | 48 +++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json | 70 +++++++++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json | 43 ++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json | 48 +++++++++++++
...oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json | 70 +++++++++++++++++++
csaf_2.1/test/validator/data/testcases.json | 40 +++++++++++
.../test/validator/testcases_json_schema.json | 2 +-
8 files changed, 363 insertions(+), 1 deletion(-)
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json
create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json
new file mode 100644
index 00000000..8d758228
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-01",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-1023",
+ "name": "Incomplete Comparison with Missing Factors",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json
new file mode 100644
index 00000000..f090a2a0
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-02",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-733",
+ "name": "Compiler Optimization Removal or Modification of Security-critical Code",
+ "version": "4.13"
+ },
+ {
+ "id": "CWE-1038",
+ "name": "Insecure Automated Optimizations",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json
new file mode 100644
index 00000000..2be1a550
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-03",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-15",
+ "name": "External Control of System or Configuration Setting",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-13",
+ "name": "ASP.NET Misconfiguration: Password in Configuration File",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-11",
+ "name": "ASP.NET Misconfiguration: Creating Debug Binary",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-1039",
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json
new file mode 100644
index 00000000..e392698e
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-11",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-184",
+ "name": "Incomplete List of Disallowed Inputs",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json
new file mode 100644
index 00000000..ac7a8377
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-12",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-14",
+ "name": "Compiler Removal of Code to Clear Buffers",
+ "version": "4.13"
+ },
+ {
+ "id": "CWE-733",
+ "name": "Compiler Optimization Removal or Modification of Security-critical Code",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json
new file mode 100644
index 00000000..ea91d312
--- /dev/null
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-21T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-13",
+ "initial_release_date": "2024-01-21T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-21T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "cwes": [
+ {
+ "id": "CWE-15",
+ "name": "External Control of System or Configuration Setting",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-13",
+ "name": "ASP.NET Misconfiguration: Password in Configuration File",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-11",
+ "name": "ASP.NET Misconfiguration: Creating Debug Binary",
+ "version": "4.13"
+ }
+ ]
+ },
+ {
+ "cwes": [
+ {
+ "id": "CWE-843",
+ "name": "Access of Resource Using Incompatible Type ('Type Confusion')",
+ "version": "4.13"
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 995ab3b3..7cc0dd46
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1591,6 +1591,46 @@
 }
 ]
 },
+ {
+ "id": "6.2.26",
+ "group": "optional",
+ "failures": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-04.json",
+ "valid": true
+ }
+ ],
+ "valid": [
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json",
+ "valid": true
+ },
+ {
+ "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-14.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.3.1",
 "group": "informative",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 1188af2b..ddb189a6 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-5])|(1\\.2[68-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$"
 },
 "valid": {
 "title": "List of valid examples",
From bfe95a1e14bad51277f82239599511cc70fd66de Mon Sep 17 00:00:00 2001
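Review bot: The `failures` list registers `optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-04.json` and the `valid` list `optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-14.json`, yet neither file is created in the part of this patch visible here (only the -12 and -13 fixtures are), and PATCH 09 below removes both entries as never having existed. If the validator harness does not already do so, a check that every `name` in testcases.json resolves to an existing file under the data directory would turn such dangling references into an immediate test failure instead of a review finding. The hand-maintained `pattern` in testcases_json_schema.json in the following hunk carries the same maintenance hazard, since it must be widened for every new test number; extending its `description` with a sentence such as `The pattern must be extended whenever a new test number is introduced.` would make that step explicit.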
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 28 Aug 2024 00:16:32 +0200 Subject: [PATCH 09/11] CWEs - addresses parts of oasis-tcs/csaf#779 - remove mentioning of testfiles that never existed in the first place
---
 csaf_2.1/test/validator/data/testcases.json | 8 -------- 1 file changed, 8 deletions(-)
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index 7cc0dd46..4180ec2c 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1606,10 +1606,6 @@
 {
 "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json",
 "valid": true
- },
- {
- "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-04.json",
- "valid": true
 }
 ],
 "valid": [
@@ -1624,10 +1620,6 @@
 {
 "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json",
 "valid": true
- },
- {
- "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-14.json",
- "valid": true
 }
 ]
 },
From a0758b9f9a435f9eb37d3a500cbb8d72813831ad Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 28 Aug 2024 01:30:01 +0200 Subject: [PATCH 10/11] CWEs - addresses review comments of oasis-tcs/csaf#779 - fix title case --- csaf_2.1/prose/edit/src/tests-02-optional.md | 8 ++++---- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json | 2 +- .../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json | 2 +- 
.../optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json | 2 +- 29 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 09f12ffd..78b5f841 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -706,7 +706,7 @@ The relevant path for this test is: > A tool MAY remove the document tracking id from the document title. > It SHOULD also remove any separating characters including whitespace, colon, dash and brackets. -### Usage of deprecated CWE +### Usage of Deprecated CWE For each item in the CWE array it MUST be tested that the CWE is not deprecated in the given version.
@@ -732,7 +732,7 @@ The relevant path for this test is: > A tool MAY suggest to replace the deprecated CWE with its replacement or closest equivalent. -### Usage of non-latest CWE Version +### Usage of Non-Latest CWE Version For each item in the CWE array it MUST be tested that the latest CWE version available at the time of the last revision was used. The test SHALL fail if a later CWE version was used.
@@ -771,7 +771,7 @@ The relevant path for this test is: > A tool MAY suggest to use the latest version available at the time of the `current_release_date`. > This is most likely also the overall latest CWE version as modifications to a CSAF document lead to a new `current_release_date`. -### Usage of CWE not allowed for Vulnerability Mapping +### Usage of CWE Not Allowed for Vulnerability Mapping For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed.
@@ -797,7 +797,7 @@ The relevant path for this test is: > The usage of CWE-20 is discouraged as "is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available". [cite](https://cwe.mitre.org/data/definitions/20.html) -### Usage of CWE allowed with Review for Vulnerability Mapping +### Usage of CWE Allowed with Review for Vulnerability Mapping For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed without review.
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json
index 8a54c2a3..71d9a161 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of deprecated CWE (failing example 1)",
+ "title": "Optional test: Usage of Deprecated CWE (failing example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-01",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json
index 2f6ad18d..0f7ac2eb 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of deprecated CWE (failing example 2)",
+ "title": "Optional test: Usage of Deprecated CWE (failing example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-02",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json
index c623668b..e091652c 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of deprecated CWE (failing example 3)",
+ "title": "Optional test: Usage of Deprecated CWE (failing example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-03",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json
index 0a124dc0..a179576b 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of deprecated CWE (valid example 1)",
+ "title": "Optional test: Usage of Deprecated CWE (valid example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-11",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json
index 34c6e090..b28c9b8b 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of deprecated CWE (valid example 2)",
+ "title": "Optional test: Usage of Deprecated CWE (valid example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-12",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json
index 8e8b572e..81e507ce 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-13.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of deprecated CWE (valid example 3)",
+ "title": "Optional test: Usage of Deprecated CWE (valid example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-13",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json
index f65413ac..7d24c21f 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-01.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (failing example 1)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (failing example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-01",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json
index 67f514cd..6f3d0de7 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-02.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (failing example 2)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (failing example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-02",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json
index 0721127d..41f7fd09 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-03.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (failing example 3)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (failing example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-03",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json
index fc41b518..d65cc7c4 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-04.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (failing example 4)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (failing example 4)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-04",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json
index bc0eeae0..9a5e2b0b 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-11.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (valid example 1)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (valid example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-11",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json
index 0cf8abeb..2442edcf 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-12.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (valid example 2)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (valid example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-12",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json
index d05c1b2c..55142116 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-13.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (valid example 3)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (valid example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-13",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json
index 2d501e9e..b5aa0a4f 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-24-14.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of non-latest CWE Version (valid example 4)",
+ "title": "Optional test: Usage of Non-Latest CWE Version (valid example 4)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-24-14",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json
index aa1eb139..0eedb885 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-01.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 1)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (failing example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-01",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json
index ef5b618e..7cae613b 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-02.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 2)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (failing example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-02",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json
index 0dad0481..59b973d3 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-03.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 3)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (failing example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-03",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json
index 65c506c3..6a38b593 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-04.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (failing example 4)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (failing example 4)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-04",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json
index 31ed5946..10b01485 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-11.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 1)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (valid example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-11",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json
index 56b89289..294a8d03 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-12.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 2)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (valid example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-12",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json
index 6620f445..afc69f77 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-13.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 3)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (valid example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-13",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json
index 65a89cc6..9ff0638b 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-25-14.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE not allowed for Vulnerability Mapping (valid example 4)",
+ "title": "Optional test: Usage of CWE Not Allowed for Vulnerability Mapping (valid example 4)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-25-14",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json
index 8d758228..3550fca2 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-01.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (failing example 1)",
+ "title": "Optional test: Usage of CWE Allowed with Review for Vulnerability Mapping (failing example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-01",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json
index f090a2a0..265fb63b 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-02.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (failing example 2)",
+ "title": "Optional test: Usage of CWE Allowed with Review for Vulnerability Mapping (failing example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-02",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json
index 2be1a550..c0328052 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-03.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (failing example 3)",
+ "title": "Optional test: Usage of CWE Allowed with Review for Vulnerability Mapping (failing example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-03",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json
index e392698e..c5dcbbe4 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-11.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (valid example 1)",
+ "title": "Optional test: Usage of CWE Allowed with Review for Vulnerability Mapping (valid example 1)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-11",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json
index ac7a8377..4e5b8fa5 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-12.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (valid example 2)",
+ "title": "Optional test: Usage of CWE Allowed with Review for Vulnerability Mapping (valid example 2)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-12",
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json
index ea91d312..88a626a7 100644
--- a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json
+++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-26-13.json
@@ -13,7 +13,7 @@
 "name": "OASIS CSAF TC",
 "namespace": "https://csaf.io"
 },
- "title": "Optional test: Usage of CWE allowed with Review for Vulnerability Mapping (valid example 3)",
+ "title": "Optional test: Usage of CWE Allowed with Review for Vulnerability Mapping (valid example 3)",
 "tracking": {
 "current_release_date": "2024-01-21T10:00:00.000Z",
 "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-26-13",
From 65c5933428725c601f4fd5b1015be3d39f938baa Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 24 Sep 2024 17:44:17 +0200 Subject: [PATCH 11/11] CWEs - addresses parts of oasis-tcs/csaf#779 - correct links as suggested by @sthagen
---
 csaf_2.1/prose/edit/src/tests-02-optional.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
index 78b5f841..623ee200 100644
--- a/csaf_2.1/prose/edit/src/tests-02-optional.md
+++ b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -795,7 +795,7 @@ The relevant path for this test is: ] ``` -> The usage of CWE-20 is discouraged as "is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available". [cite](https://cwe.mitre.org/data/definitions/20.html) +> The usage of CWE-20 is discouraged as "is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available". [cite](https://cwe.mitre.org/data/definitions/20.html#Vulnerability_Mapping_Notes_20) ### Usage of CWE Allowed with Review for Vulnerability Mapping
@@ -822,4 +822,4 @@ The relevant path for this test is: ] ``` -> The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html) +> The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023)