Skip to content

Commit

Permalink
Contradicting Remediations
Browse files Browse the repository at this point in the history 
- addresses parts of oasis-tcs#541, oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting remediations
- add invalid examples
- add valid examples
  • Loading branch information
@tschmidtb51
tschmidtb51 committed Oct 25, 2024
1 parent 6e78e52 commit 22bfacb
Show file tree
Hide file tree
Showing 9 changed files with 549 additions and 2 deletions.
37 changes: 37 additions & 0 deletions csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
### Contradicting Remediations

For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of contradicting remediation categories.

The relevant path for this test is:

```
/vulnerabilities[]/remediations[]
```

*Example 1 (which fails the test):*

```
"remediations": [
{
"category": "no_fix_planned",
"details": "The product is end-of-life. Therefore, no fix will be provided.",
"product_ids": [
"CSAFPID-9080700"
]
},
{
"category": "vendor_fix",
"details": "Update to version >=14.3 to fix the vulnerability.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
```

> The two remediations given for the product with product ID `CSAFPID-908070` contradict each other.
> A tool MAY apply the conversion rules from the conformance target CSAF 2.0 to CSAF 2.1 converter if applicable or
> remove the product from the remediation with the lower priority.
> The priority MAY be defined as follows:
> `vendor_fix` > `mitigation` > `workaround` > `fix_planned` > `no_fix_planned` > `optional_patch` > `none_available`
65 changes: 65 additions & 0 deletions csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Mandatory test: Contradicting Remediations (failing example 1)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-01",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "no_fix_planned",
"details": "The product is end-of-life. Therefore, no fix will be provided.",
"product_ids": [
"CSAFPID-9080700"
]
},
{
"category": "vendor_fix",
"details": "Update to version >=14.3 to fix the vulnerability.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
}
]
}
85 changes: 85 additions & 0 deletions csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Mandatory test: Contradicting Remediations (failing example 2)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-02",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
"remediations": [
{
"category": "none_available",
"details": "The product is end-of-life. Therefore, no fix will be provided.",
"product_ids": [
"CSAFPID-9080700"
]
},
{
"category": "mitigation",
"details": "Make sure that the product is not connected to any network.",
"group_ids": [
"CSAFGID-1020300"
]
}
]
}
]
}
92 changes: 92 additions & 0 deletions csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Mandatory test: Contradicting Remediations (failing example 3)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-03",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
},
{
"product_id": "CSAFPID-9080701",
"name": "Product B"
},
{
"product_id": "CSAFPID-9080702",
"name": "Product C"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1020300",
"product_ids": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700",
"CSAFPID-9080701",
"CSAFPID-9080702"
]
},
"remediations": [
{
"category": "workaround",
"details": "Disconnect the product from all networks.",
"product_ids": [
"CSAFPID-9080702"
]
},
{
"category": "fix_planned",
"details": "A fix is expected in December 2024.",
"product_ids": [
"CSAFPID-9080702"
]
},
{
"category": "optional_patch",
"details": "Apply the firmware update provided.",
"group_ids": [
"CSAFGID-1020300"
]
}
]
}
]
}
58 changes: 58 additions & 0 deletions csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{
"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
"document": {
"category": "csaf_base",
"csaf_version": "2.1",
"distribution": {
"tlp": {
"label": "CLEAR"
}
},
"publisher": {
"category": "other",
"name": "OASIS CSAF TC",
"namespace": "https://csaf.io"
},
"title": "Mandatory test: Contradicting Remediations (valid example 1)",
"tracking": {
"current_release_date": "2024-01-24T10:00:00.000Z",
"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-11",
"initial_release_date": "2024-01-24T10:00:00.000Z",
"revision_history": [
{
"date": "2024-01-24T10:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"full_product_names": [
{
"product_id": "CSAFPID-9080700",
"name": "Product A"
}
]
},
"vulnerabilities": [
{
"product_status": {
"known_affected": [
"CSAFPID-9080700"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to version >=14.3 to fix the vulnerability.",
"product_ids": [
"CSAFPID-9080700"
]
}
]
}
]
}
Loading

0 comments on commit 22bfacb

Please sign in to comment.