Contradicting Product Status vs Remediation
- addresses parts of oasis-tcs#662, oasis-tcs#563
- add mandatory test for contradicting Product Status / Remediation combinations
- add invalid examples
- add valid examples
tschmidtb51 committed Oct 24, 2024
1 parent 7b6ae7a commit 35ac496
Showing 9 changed files with 497 additions and 1 deletion.
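--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,30 @@
+### Contradicting Product Status Remediation Combination
+
+For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of a contradicting product status group.
+
+The relevant path for this test is:
+
+```
+/vulnerabilities[]/remediations[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+"product_status": {
+"known_not_affected": [
+"CSAFPID-9080700"
+]
+},
+"remediations": [
+{
+"category": "vendor_fix",
+"details": "Update to version >=14.3 to fix the vulnerability.",
+"product_ids": [
+"CSAFPID-9080700"
+]
+}
+]
+```
+
+> For the product with product ID `CSAFPID-908070` a `vendo_fix` is given but the product was not affected at all.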
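Review bot: The closing explanation contradicts the example it describes: it names `CSAFPID-908070` and `vendo_fix`, while the snippet above uses `CSAFPID-9080700` and `vendor_fix`; the line should read `> For the product with product ID \`CSAFPID-9080700\` a \`vendor_fix\` is given but the product was not affected at all.` The test sentence speaks only of a Product ID, whereas a remediation may address products through `group_ids` (the second failing example in this commit does so), so a validator implementing the text literally would have to resolve groups first; consider stating that explicitly, e.g. `Product IDs referenced via group_ids MUST be resolved before the check.` Which product status groups count as contradicting is not defined in this hunk; presumably a table elsewhere in the section defines it, and a reference to it here would help implementers.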
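--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,58 @@
+{
+"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+"document": {
+"category": "csaf_base",
+"csaf_version": "2.1",
+"distribution": {
+"tlp": {
+"label": "CLEAR"
+}
+},
+"publisher": {
+"category": "other",
+"name": "OASIS CSAF TC",
+"namespace": "https://csaf.io"
+},
+"title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 1)",
+"tracking": {
+"current_release_date": "2024-01-24T10:00:00.000Z",
+"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-01",
+"initial_release_date": "2024-01-24T10:00:00.000Z",
+"revision_history": [
+{
+"date": "2024-01-24T10:00:00.000Z",
+"number": "1",
+"summary": "Initial version."
+}
+],
+"status": "final",
+"version": "1"
+}
+},
+"product_tree": {
+"full_product_names": [
+{
+"product_id": "CSAFPID-9080700",
+"name": "Product A"
+}
+]
+},
+"vulnerabilities": [
+{
+"product_status": {
+"known_not_affected": [
+"CSAFPID-9080700"
+]
+},
+"remediations": [
+{
+"category": "vendor_fix",
+"details": "Update to version >=14.3 to fix the vulnerability.",
+"product_ids": [
+"CSAFPID-9080700"
+]
+}
+]
+}
+]
+}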
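--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,101 @@
+{
+"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+"document": {
+"category": "csaf_base",
+"csaf_version": "2.1",
+"distribution": {
+"tlp": {
+"label": "CLEAR"
+}
+},
+"publisher": {
+"category": "other",
+"name": "OASIS CSAF TC",
+"namespace": "https://csaf.io"
+},
+"title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 2)",
+"tracking": {
+"current_release_date": "2024-01-24T10:00:00.000Z",
+"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-02",
+"initial_release_date": "2024-01-24T10:00:00.000Z",
+"revision_history": [
+{
+"date": "2024-01-24T10:00:00.000Z",
+"number": "1",
+"summary": "Initial version."
+}
+],
+"status": "final",
+"version": "1"
+}
+},
+"product_tree": {
+"full_product_names": [
+{
+"product_id": "CSAFPID-9080700",
+"name": "Product A"
+},
+{
+"product_id": "CSAFPID-9080701",
+"name": "Product B"
+},
+{
+"product_id": "CSAFPID-9080702",
+"name": "Product C"
+},
+{
+"product_id": "CSAFPID-9080703",
+"name": "Product D"
+}
+],
+"product_groups": [
+{
+"group_id": "CSAFGID-1020300",
+"product_ids": [
+"CSAFPID-9080700",
+"CSAFPID-9080701",
+"CSAFPID-9080702"
+]
+}
+]
+},
+"vulnerabilities": [
+{
+"product_status": {
+"first_fixed": [
+"CSAFPID-9080700",
+"CSAFPID-9080701",
+"CSAFPID-9080702"
+],
+"fixed": [
+"CSAFPID-9080703"
+]
+},
+"remediations": [
+{
+"category": "none_available",
+"details": "The product is end-of-life. Therefore, no fix will be provided.",
+"product_ids": [
+"CSAFPID-9080703"
+]
+},
+{
+"category": "mitigation",
+"details": "Make sure that the product is not connected to any network.",
+"group_ids": [
+"CSAFGID-1020300"
+]
+},
+{
+"category": "vendor_fix",
+"details": "Update to the version 8.5.1 or higher.",
+"product_ids": [
+"CSAFPID-9080701",
+"CSAFPID-9080702"
+]
+}
+]
+}
+]
+}
+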
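Review bot: This failing example bundles several candidate contradictions at once — `none_available` for `CSAFPID-9080703`, which is listed under `fixed`; `vendor_fix` for `CSAFPID-9080701`/`CSAFPID-9080702`, which are `first_fixed`; and a `mitigation` addressed only through `CSAFGID-1020300` — so a validator that detects just one of them still produces the expected failure, and the case cannot show whether group resolution was implemented. If group resolution is meant to be covered, a separate example whose only remediation uses `group_ids` would make that explicit. The hunk also adds an empty line after the closing brace (101 lines for 100 lines of JSON), unlike the other example files in this commit; dropping it keeps the files consistent.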
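--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,58 @@
+{
+"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+"document": {
+"category": "csaf_base",
+"csaf_version": "2.1",
+"distribution": {
+"tlp": {
+"label": "CLEAR"
+}
+},
+"publisher": {
+"category": "other",
+"name": "OASIS CSAF TC",
+"namespace": "https://csaf.io"
+},
+"title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 3)",
+"tracking": {
+"current_release_date": "2024-01-24T10:00:00.000Z",
+"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-03",
+"initial_release_date": "2024-01-24T10:00:00.000Z",
+"revision_history": [
+{
+"date": "2024-01-24T10:00:00.000Z",
+"number": "1",
+"summary": "Initial version."
+}
+],
+"status": "final",
+"version": "1"
+}
+},
+"product_tree": {
+"full_product_names": [
+{
+"product_id": "CSAFPID-9080700",
+"name": "Product A"
+}
+]
+},
+"vulnerabilities": [
+{
+"product_status": {
+"known_affected": [
+"CSAFPID-9080700"
+]
+},
+"remediations": [
+{
+"category": "optional_patch",
+"details": "Apply patch HOTFIX-0815 to check compliance.",
+"product_ids": [
+"CSAFPID-9080700"
+]
+}
+]
+}
+]
+}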
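--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -0,0 +1,58 @@
+{
+"$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+"document": {
+"category": "csaf_base",
+"csaf_version": "2.1",
+"distribution": {
+"tlp": {
+"label": "CLEAR"
+}
+},
+"publisher": {
+"category": "other",
+"name": "OASIS CSAF TC",
+"namespace": "https://csaf.io"
+},
+"title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 1)",
+"tracking": {
+"current_release_date": "2024-01-24T10:00:00.000Z",
+"id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-11",
+"initial_release_date": "2024-01-24T10:00:00.000Z",
+"revision_history": [
+{
+"date": "2024-01-24T10:00:00.000Z",
+"number": "1",
+"summary": "Initial version."
+}
+],
+"status": "final",
+"version": "1"
+}
+},
+"product_tree": {
+"full_product_names": [
+{
+"product_id": "CSAFPID-9080700",
+"name": "Product A"
+}
+]
+},
+"vulnerabilities": [
+{
+"product_status": {
+"known_not_affected": [
+"CSAFPID-9080700"
+]
+},
+"remediations": [
+{
+"category": "optional_patch",
+"details": "Update to version >=14.3 to calm security scanner. Note that the product was never affected in the first place and that there is not status change regarding the vulnerability by applying the patch.",
+"product_ids": [
+"CSAFPID-9080700"
+]
+}
+]
+}
+]
+}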
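Review bot: The `details` string of the `optional_patch` remediation has a typo, `there is not status change`, which should read `there is no status change`; since these files are shipped as reference examples, the wording tends to get copied into real advisories. A tighter form would be `"details": "Update to version >=14.3 to calm security scanner. The product was never affected; applying the patch does not change its status regarding the vulnerability."`. Otherwise the example is a clean mirror of failing example 1, differing only in the remediation category, which is what makes it a useful positive case.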