Add validation for contradicting remediations in CSAF documents

Introduced test "6.1.35" to validate and detect contradicting remediation categories for the same product. Added traits and implementations to abstract remediation and vulnerability handling for easier extensibility across CSAF versions. Updated test infrastructure and presets to include the new validation logic.

Author: milux

csaf

@@ -0,0 +1,35 @@
+use std::ops::Deref;
+use std::str::FromStr;
+use crate::csaf::csaf2_0::schema::{CommonSecurityAdvisoryFramework, Remediation, Vulnerability};
+use crate::csaf::csaf2_1::schema::CategoryOfTheRemediation as Remediation21;
+use crate::csaf::getter_traits::{CsafTrait, RemediationTrait, VulnerabilityTrait};
+
+impl RemediationTrait for Remediation {
+    fn get_category(&self) -> Remediation21 {
+        // Categories are identical, so this should never fail
+        Remediation21::from_str(self.category.to_string().as_str()).unwrap()
+    }
+
+    fn get_product_ids(&self) -> Option<Vec<String>> {
+        match &self.product_ids {
+            None => None,
+            Some(product_ids) => Some(product_ids.deref().iter().map(|x| x.to_string()).collect())
+        }
+    }
+}
+
+impl VulnerabilityTrait for Vulnerability {
+    type RemediationType = Remediation;
+
+    fn get_remediations(&self) -> Vec<Self::RemediationType> {
+        self.remediations.clone()
+    }
+}
+
+impl CsafTrait for CommonSecurityAdvisoryFramework {
+    type VulnerabilityType = Vulnerability;
+
+    fn get_vulnerabilities(&self) -> Vec<Self::VulnerabilityType> {
+        self.vulnerabilities.clone()
+    }
+}

csaf-lib/src/csaf/csaf2_0/getter_implementations.rs

@@ -2,3 +2,4 @@ pub mod loader;
 mod product_helper;
 pub mod schema;
 pub mod validation;
+pub mod getter_implementations;

csaf-lib/src/csaf/csaf2_0/mod.rs

@@ -6,19 +6,25 @@ use crate::csaf::helpers::find_duplicates;
 
 impl Validatable<CommonSecurityAdvisoryFramework> for CommonSecurityAdvisoryFramework {
     fn presets(&self) -> HashMap<ValidationPreset, Vec<&str>> {
+        let basic_tests = Vec::from(["6.1.1", "6.1.2"]);
+        // More tests may be added in extend() here later
+        let extended_tests: Vec<&str> = basic_tests.clone();
+        // extended_tests.extend(["foo"].iter());
+        let full_tests: Vec<&str> = extended_tests.clone();
+        // full_tests.extend(["bar"].iter());
         HashMap::from([
-            (ValidationPreset::Basic, Vec::from(["6.1.1", "6.1.2"])),
-            (ValidationPreset::Extended, Vec::from(["6.1.1", "6.1.2"])),
-            (ValidationPreset::Full, Vec::from(["6.1.1", "6.1.2"])),
+            (ValidationPreset::Basic, basic_tests),
+            (ValidationPreset::Extended, extended_tests),
+            (ValidationPreset::Full, full_tests),
         ])
     }
 
     fn tests(&self) -> HashMap<&str, Test<CommonSecurityAdvisoryFramework>> {
-        HashMap::<&str, Test<CommonSecurityAdvisoryFramework>>::from([
-            ("6.1.1", test_6_01_01_missing_definition_of_product_id),
-            ("6.1.2", test_6_01_02_multiple_definition_of_product_id),
-        ]
-            as [(&str, Test<CommonSecurityAdvisoryFramework>); 2])
+        type CsafTest = Test<CommonSecurityAdvisoryFramework>;
+        HashMap::from([
+            ("6.1.1", test_6_01_01_missing_definition_of_product_id as CsafTest),
+            ("6.1.2", test_6_01_02_multiple_definition_of_product_id as CsafTest),
+        ])
     }
 
     fn doc(&self) -> &CommonSecurityAdvisoryFramework {

csaf-lib/src/csaf/csaf2_0/validation.rs

@@ -0,0 +1,32 @@
+use crate::csaf::csaf2_1::schema::{CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, Remediation, Vulnerability};
+use crate::csaf::getter_traits::{CsafTrait, RemediationTrait, VulnerabilityTrait};
+use std::ops::Deref;
+
+impl RemediationTrait for Remediation {
+    fn get_category(&self) -> CategoryOfTheRemediation {
+        self.category.clone()
+    }
+
+    fn get_product_ids(&self) -> Option<Vec<String>> {
+        match &self.product_ids {
+            None => None,
+            Some(product_ids) => Some(product_ids.deref().iter().map(|x| x.to_string()).collect())
+        }
+    }
+}
+
+impl VulnerabilityTrait for Vulnerability {
+    type RemediationType = Remediation;
+
+    fn get_remediations(&self) -> Vec<Self::RemediationType> {
+        self.remediations.clone()
+    }
+}
+
+impl CsafTrait for CommonSecurityAdvisoryFramework {
+    type VulnerabilityType = Vulnerability;
+
+    fn get_vulnerabilities(&self) -> Vec<Self::VulnerabilityType> {
+        self.vulnerabilities.clone()
+    }
+}

csaf-lib/src/csaf/csaf2_1/getter_implementations.rs

@@ -2,3 +2,4 @@ pub mod loader;
 mod product_helper;
 pub mod schema;
 pub mod validation;
+pub mod getter_implementations;

csaf-lib/src/csaf/csaf2_1/mod.rs

@@ -1,28 +1,32 @@
 use super::product_helper::*;
 use super::schema::CommonSecurityAdvisoryFramework;
 use crate::csaf::helpers::find_duplicates;
-use crate::csaf::validation::{Test, Validatable, ValidationPreset};
+use crate::csaf::validation::{test_6_01_35_contradicting_remediations, Test, Validatable, ValidationPreset};
 use std::collections::{HashMap, HashSet};
 
 impl Validatable<CommonSecurityAdvisoryFramework> for CommonSecurityAdvisoryFramework {
     fn presets(&self) -> HashMap<ValidationPreset, Vec<&str>> {
+        let basic_tests = Vec::from(["6.1.1", "6.1.2", "6.1.34", "6.1.35"]);
+        // More tests may be added in extend() here later
+        let extended_tests: Vec<&str> = basic_tests.clone();
+        // extended_tests.extend(["foo"].iter());
+        let full_tests: Vec<&str> = extended_tests.clone();
+        // full_tests.extend(["bar"].iter());
         HashMap::from([
-            (
-                ValidationPreset::Basic,
-                Vec::from(["6.1.1", "6.1.2", "6.1.34"]),
-            ),
-            (ValidationPreset::Extended, Vec::from(["6.1.1", "6.1.2"])),
-            (ValidationPreset::Full, Vec::from(["6.1.1", "6.1.2"])),
+            (ValidationPreset::Basic, basic_tests),
+            (ValidationPreset::Extended, extended_tests),
+            (ValidationPreset::Full, full_tests),
         ])
     }
 
     fn tests(&self) -> HashMap<&str, Test<CommonSecurityAdvisoryFramework>> {
-        HashMap::<&str, Test<CommonSecurityAdvisoryFramework>>::from([
-            ("6.1.1", test_6_01_01_missing_definition_of_product_id),
-            ("6.1.2", test_6_01_02_multiple_definition_of_product_id),
-            ("6.1.34", test_6_01_34_branches_recursion_depth),
-        ]
-            as [(&str, Test<CommonSecurityAdvisoryFramework>); 3])
+        type CsafTest = Test<CommonSecurityAdvisoryFramework>;
+        HashMap::from([
+            ("6.1.1", test_6_01_01_missing_definition_of_product_id as CsafTest),
+            ("6.1.2", test_6_01_02_multiple_definition_of_product_id as CsafTest),
+            ("6.1.34", test_6_01_34_branches_recursion_depth as CsafTest),
+            ("6.1.35", test_6_01_35_contradicting_remediations as CsafTest),
+        ])
     }
 
     fn doc(&self) -> &CommonSecurityAdvisoryFramework {
@@ -82,6 +86,7 @@ mod tests {
         validation::test_6_01_02_multiple_definition_of_product_id,
         validation::test_6_01_34_branches_recursion_depth,
     };
+    use crate::csaf::validation::test_6_01_35_contradicting_remediations;
 
     #[test]
     fn test_test_6_01_01() {
@@ -111,4 +116,13 @@ mod tests {
             Err(String::from("Recursion depth too big: 31"))
         )
     }
+
+    #[test]
+    fn test_test_6_01_35() {
+        let doc = load_document("../csaf/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json").unwrap();
+        assert_eq!(
+            test_6_01_35_contradicting_remediations(&doc),
+            Err(String::from("Product CSAFPID-9080700 has contradicting remediations: no_fix_planned and vendor_fix"))
+        )
+    }
 }

csaf-lib/src/csaf/csaf2_1/validation.rs

@@ -0,0 +1,18 @@
+use crate::csaf::csaf2_1::schema::CategoryOfTheRemediation;
+
+pub trait CsafTrait {
+    type VulnerabilityType: VulnerabilityTrait;
+
+    fn get_vulnerabilities(&self) -> Vec<Self::VulnerabilityType>;
+}
+
+pub trait VulnerabilityTrait {
+    type RemediationType: RemediationTrait;
+
+    fn get_remediations(&self) -> Vec<Self::RemediationType>;
+}
+
+pub trait RemediationTrait {
+    fn get_category(&self) -> CategoryOfTheRemediation;
+    fn get_product_ids(&self) -> Option<Vec<String>>;
+}

csaf-lib/src/csaf/getter_traits.rs

@@ -2,3 +2,4 @@ pub mod csaf2_0;
 pub mod csaf2_1;
 mod helpers;
 pub mod validation;
+pub mod getter_traits;

csaf-lib/src/csaf/mod.rs

@@ -1,5 +1,7 @@
 use std::collections::HashMap;
 use std::str::FromStr;
+use crate::csaf::csaf2_1::schema::CategoryOfTheRemediation;
+use crate::csaf::getter_traits::{CsafTrait, RemediationTrait, VulnerabilityTrait};
 
 pub enum ValidationError {}
 
@@ -83,3 +85,29 @@ pub fn validate_by_test<VersionedDocument>(
         println!("Test with ID {} is missing implementation", test_id);
     }
 }
+
+pub fn test_6_01_35_contradicting_remediations(
+    target: &impl CsafTrait,
+) -> Result<(), String> {
+    for v in target.get_vulnerabilities().iter() {
+        let mut product_categories: HashMap<String, CategoryOfTheRemediation> = HashMap::new();
+        for r in v.get_remediations().iter() {
+            if let Some(product_ids) = r.get_product_ids() {
+                let category = r.get_category();
+                for p in product_ids.iter() {
+                    if let Some(existing_category) = product_categories.get(p) {
+                        if existing_category != &category {
+                            return Err(format!(
+                                "Product {} has contradicting remediations: {} and {}",
+                                p, existing_category, category
+                            ));
+                        }
+                    }
+                    product_categories.insert(p.clone(), category.clone());
+                }
+            }
+        }
+    }
+    Ok(())
+}
+