From 05502f89fba8ea6c84066ab22a6dc78f314b8809 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:24:11 +0200 Subject: [PATCH] Contradicting Product Status vs Remediation - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - add mandatory test for contradicting Product status remediations combinations - add invalid examples - add valid examples --- ...-product-status-remediation-combination.md | 30 ++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json | 101 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json | 101 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json | 58 ++++++++++ csaf_2.1/test/validator/data/testcases.json | 32 ++++++ .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 497 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json 
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md
new file mode 100644
index 000000000..1e3c5f157
--- /dev/null
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md
@@ -0,0 +1,30 @@
+### Contradicting Product Status Remediation Combination
+
+For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of a contradicting product status group.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/remediations[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "product_status": {
+ "known_not_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "details": "Update to version >=14.3 to fix the vulnerability.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+```
+
+> For the product with product ID `CSAFPID-908070` a `vendo_fix` is given but the product was not affected at all.
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json
new file mode 100644
index 000000000..624dc0588
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-01",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "known_not_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "details": "Update to version >=14.3 to fix the vulnerability.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json
new file mode 100644
index 000000000..c0b9c37c1
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json
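Review bot: The explanatory sentence this commit adds to the prose for this very example does not match the fixture: it names `CSAFPID-908070` and `vendo_fix`, while the remediation here (and the JSON excerpt in the prose itself) uses `CSAFPID-9080700` and `vendor_fix`. Since the fixture is the reference for the `known_not_affected` with `vendor_fix` pairing, the prose sentence should be corrected to those two identifiers rather than the fixture changed. The `title` also does not say which pairing the file exercises; `"title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 1: known_not_affected with vendor_fix)"` would let a validator's test report name the rule without opening the file.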
@@ -0,0 +1,101 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-02",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ },
+ {
+ "product_id": "CSAFPID-9080701",
+ "name": "Product B"
+ },
+ {
+ "product_id": "CSAFPID-9080702",
+ "name": "Product C"
+ },
+ {
+ "product_id": "CSAFPID-9080703",
+ "name": "Product D"
+ }
+ ],
+ "product_groups": [
+ {
+ "group_id": "CSAFGID-1020300",
+ "product_ids": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "first_fixed": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ],
+ "fixed": [
+ "CSAFPID-9080703"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "none_available",
+ "details": "The product is end-of-life. Therefore, no fix will be provided.",
+ "product_ids": [
+ "CSAFPID-9080703"
+ ]
+ },
+ {
+ "category": "mitigation",
+ "details": "Make sure that the product is not connected to any network.",
+ "group_ids": [
+ "CSAFGID-1020300"
+ ]
+ },
+ {
+ "category": "vendor_fix",
+ "details": "Update to the version 8.5.1 or higher.",
+ "product_ids": [
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ }
+ ]
+ }
+ ]
+}
+
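Review bot: This failing fixture bundles several contradictions at once, so it cannot show which pairing a validator actually checks: `none_available` is given for `CSAFPID-9080703` although that product is listed under `fixed`, `vendor_fix` is given for `CSAFPID-9080701` and `CSAFPID-9080702` although both are under `first_fixed`, and the `mitigation` that reaches the same products through group `CSAFGID-1020300` may count as a third. A validator that implements only the direct `product_ids` check and never expands `group_ids` still reports this file as invalid, so the group-expansion path is left untested by the failing set; one contradiction per failing fixture, or a fixture whose only contradiction is reachable via `group_ids`, would pin that behaviour. Independently, the hunk ends with an empty 101st line after the closing brace, which `oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json` shares and the other four fixtures in this commit do not have.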
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json
new file mode 100644
index 000000000..34945b819
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-03",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "known_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "optional_patch",
+ "details": "Apply patch HOTFIX-0815 to check compliance.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json
new file mode 100644
index 000000000..c5a6b9fdc
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 1)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-11",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "known_not_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "optional_patch",
+ "details": "Update to version >=14.3 to calm security scanner. Note that the product was never affected in the first place and that there is not status change regarding the vulnerability by applying the patch.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json
new file mode 100644
index 000000000..a91b8ba36
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json
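Review bot: The `details` string of the single remediation reads `there is not status change`, which should be `there is no status change` (and `calm the security scanner` rather than `calm security scanner`); as this is a valid fixture its wording is likely to be copied as reference text, so the line would become `"details": "Update to version >=14.3 to calm the security scanner. Note that the product was never affected in the first place and that there is no status change regarding the vulnerability by applying the patch.",`. Separately, this fixture and `oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json` exercise the identical pairing, `known_not_affected` with `optional_patch`, and differ only in the `details` text, so the valid set covers fewer pairings than the failing set. One of the two could instead cover another pairing the test must accept, for example `known_affected` with `workaround`, so that a validator which wrongly rejects that pairing is caught.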
@@ -0,0 +1,101 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 2)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-12",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ },
+ {
+ "product_id": "CSAFPID-9080701",
+ "name": "Product B"
+ },
+ {
+ "product_id": "CSAFPID-9080702",
+ "name": "Product C"
+ },
+ {
+ "product_id": "CSAFPID-9080703",
+ "name": "Product D"
+ }
+ ],
+ "product_groups": [
+ {
+ "group_id": "CSAFGID-1020300",
+ "product_ids": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "first_affected": [
+ "CSAFPID-9080700",
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ],
+ "known_affected": [
+ "CSAFPID-9080703"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "none_available",
+ "details": "The product is end-of-life. Therefore, no fix will be provided.",
+ "product_ids": [
+ "CSAFPID-9080703"
+ ]
+ },
+ {
+ "category": "mitigation",
+ "details": "Make sure that the product is not connected to any network.",
+ "group_ids": [
+ "CSAFGID-1020300"
+ ]
+ },
+ {
+ "category": "vendor_fix",
+ "details": "Update to the version 8.5.1 or higher.",
+ "product_ids": [
+ "CSAFPID-9080701",
+ "CSAFPID-9080702"
+ ]
+ }
+ ]
+ }
+ ]
+}
+
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json
new file mode 100644
index 000000000..e145d170a
--- /dev/null
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+ "document": {
+ "category": "csaf_base",
+ "csaf_version": "2.1",
+ "distribution": {
+ "tlp": {
+ "label": "CLEAR"
+ }
+ },
+ "publisher": {
+ "category": "other",
+ "name": "OASIS CSAF TC",
+ "namespace": "https://csaf.io"
+ },
+ "title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 3)",
+ "tracking": {
+ "current_release_date": "2024-01-24T10:00:00.000Z",
+ "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-13",
+ "initial_release_date": "2024-01-24T10:00:00.000Z",
+ "revision_history": [
+ {
+ "date": "2024-01-24T10:00:00.000Z",
+ "number": "1",
+ "summary": "Initial version."
+ }
+ ],
+ "status": "final",
+ "version": "1"
+ }
+ },
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "product_status": {
+ "known_not_affected": [
+ "CSAFPID-9080700"
+ ]
+ },
+ "remediations": [
+ {
+ "category": "optional_patch",
+ "details": "Apply patch HOTFIX-0815 to check compliance.",
+ "product_ids": [
+ "CSAFPID-9080700"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json
index b18e83cbe..2184b3d6f 100644
--- a/csaf_2.1/test/validator/data/testcases.json
+++ b/csaf_2.1/test/validator/data/testcases.json
@@ -1056,6 +1056,38 @@
 }
 ]
 },
+ {
+ "id": "6.1.36",
+ "group": "mandatory",
+ "failures": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json",
+ "valid": false
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json",
+ "valid": false
+ }
+ ],
+ "valid": [
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json",
+ "valid": true
+ },
+ {
+ "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json",
+ "valid": true
+ }
+ ]
+ },
 {
 "id": "6.2.1",
 "group": "optional",
diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json
index 5bad35a7d..f6e829497 100644
--- a/csaf_2.1/test/validator/testcases_json_schema.json
+++ b/csaf_2.1/test/validator/testcases_json_schema.json
@@ -62,7 +62,7 @@
 "title": "Number of the test",
 "description": "Contains the section number of the test in the specification.",
 "type": "string",
- "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-5]))$"
+ "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$"
 },
 "valid": {
 "title": "List of valid examples",