Tests 6.1.4 through 6.1.7 (#42)

* Update CSAF schema 2.1, add support for handling notes

Introduced `NoteTrait` and `WithGroupIds` traits, extending functionality to handle notes and group IDs across CSAF structures. Updated relevant getter implementations for compatibility with these enhancements.

* Add validation for undefined product_group_id in CSAF documents

This adds a new validation function, `test_6_1_04_missing_definition_of_product_group_id`, to ensure all product group IDs used in notes, vulnerabilities, remediations, threats, and flags are defined in the product tree.

* Add validation for duplicate product group IDs (test_6_1_05)

Introduce a new validation to detect multiple definitions of the same product group ID in CSAF documents. This ensures data integrity by identifying conflicts within the `product_tree` structure. Includes corresponding unit tests for CSAF 2.0 and 2.1 versions.

* Add validation for conflicting remediation, minor cleanup

Extended the test to include a case where a product listed as fixed has a conflicting remediation category of "no_fix_planned". Ensures better coverage and accuracy in remediation validation logic.

* Update RFC3339 regex to disallow leap seconds

Revised the date-time validation regex to exclude leap seconds, ensuring stricter compliance with RFC3339. Updated test cases and error messages to reflect the change and improve clarity for non-compliant date-time issues.

* Add validation for conflicting product status groups.

This commit introduces `test_6_1_06_contradicting_product_status` to verify that no product has contradictory status groups (e.g., affected vs. not affected). Includes error handling, tests, and updates to the module index.

* Add support for accessing CVSS, EPSS, and content paths in traits

Expanded `ContentTrait` and related implementations to include methods for accessing CVSS v2/v3/v4, EPSS, and JSON content paths. Updated CSAF 2.0 and 2.1 schema integrations with new fields and improved consistency in metrics handling.

* Add validation for duplicate vulnerability metrics check

Introduced a new validation test (test_6_1_07) to ensure no product is assigned the same type of vulnerability metric multiple times. This includes support for various metrics like CVSS and EPSS, with detailed error handling and unit tests for CSAF 2.1 compliance.

* Add support for CSAF 2.0 tests in test_6_1_07 validation.

This update introduces `run_csaf20_tests` to validate CSAF 2.0 cases alongside CSAF 2.1. Common path prefixes are refactored for clarity and reuse, ensuring consistent test implementation across versions.

* Update CSAF schema enforcing stricter validation rules

Replaced JSON schema reference and file name for CSAF v2.1. Introduced `additionalProperties: false` across the schema to ensure no extraneous fields are allowed. Added new fields such as `first_known_exploitation_dates`, `license_expression`, and others. Updated deserialization logic with `deny_unknown_fields` to improve validation rigor.

* Add `get_source` method to traits and fixed validation 6.1.7

Introduced the `get_source` method in relevant traits and implementations to access the source of vulnerability metrics. Enhanced the duplicate metric validation logic to account for sources, updating error messages to reflect source details.

Author: milux

csaf

@@ -29,7 +29,7 @@ fn main() -> Result<(), BuildError> {
         false,
     )?;
     build(
-        "./src/csaf/csaf2_1/csaf_json_schema.json",
+        "./src/csaf/csaf2_1/csaf.json",
         "csaf/csaf2_1/schema.rs",
         true,
     )?;

csaf-lib/build.rs

@@ -1,11 +1,18 @@
-use crate::csaf::csaf2_0::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, DocumentGenerator, DocumentLevelMetaData, DocumentStatus, Flag, FullProductNameT, HelperToIdentifyTheProduct, Id, Involvement, LabelOfTlp, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, RulesForSharingDocument, Threat, Tracking, TrafficLightProtocolTlp, Vulnerability};
-use crate::csaf::csaf2_1::schema::{CategoryOfTheRemediation as Remediation21, DocumentStatus as Status21, LabelOfTlp as Tlp21};
-use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DistributionTrait, DocumentTrait, FlagTrait, ProductTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductIdentificationHelperTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, SharingGroupTrait, ThreatTrait, TlpTrait, TrackingTrait, VulnerabilityTrait, ContentTrait, VulnerabilityIdTrait};
+use crate::csaf::csaf2_0::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, DocumentGenerator, DocumentLevelMetaData, DocumentStatus, Flag, FullProductNameT, HelperToIdentifyTheProduct, Id, Involvement, LabelOfTlp, Note, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, RulesForSharingDocument, Score, Threat, Tracking, TrafficLightProtocolTlp, Vulnerability};
+use crate::csaf::csaf2_1::schema::{CategoryOfTheRemediation as Remediation21, DocumentStatus as Status21, Epss, LabelOfTlp as Tlp21};
+use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DistributionTrait, DocumentTrait, FlagTrait, ProductTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductIdentificationHelperTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, SharingGroupTrait, ThreatTrait, TlpTrait, TrackingTrait, VulnerabilityTrait, ContentTrait, VulnerabilityIdTrait, NoteTrait, WithGroupIds};
 use std::ops::Deref;
 use serde::de::Error;
+use serde_json::{Map, Value};
 use crate::csaf::csaf2_1::ssvc_schema::SsvcV1;
 use crate::csaf::validation::ValidationError;
 
+impl WithGroupIds for Remediation {
+    fn get_group_ids(&self) -> Option<impl Iterator<Item=&String> + '_> {
+        self.group_ids.as_ref().map(|g| (*g).iter().map(|x| x.deref()))
+    }
+}
+
 impl RemediationTrait for Remediation {
     /// Normalizes the remediation categories from CSAF 2.0 to those of CSAF 2.1.
     ///
@@ -31,10 +38,6 @@ impl RemediationTrait for Remediation {
         self.product_ids.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_group_ids(&self) -> Option<impl Iterator<Item = &String> + '_> {
-        self.group_ids.as_ref().map(|g| (*g).iter().map(|x| x.deref()))
-    }
-
     fn get_date(&self) -> &Option<String> {
         &self.date
     }
@@ -72,29 +75,73 @@ impl ProductStatusTrait for ProductStatus {
     fn get_under_investigation(&self) -> Option<impl Iterator<Item = &String> + '_> {
         self.under_investigation.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
+
+    /// Not specified for CSAF 2.0, so `None`
+    fn get_unknown(&self) -> Option<impl Iterator<Item=&String> + '_> {
+        None::<std::iter::Empty<&String>>
+    }
 }
 
-impl MetricTrait for () {
-    type ContentType = ();
+impl MetricTrait for Score {
+    type ContentType = Score;
 
-    //noinspection RsConstantConditionIf
     fn get_products(&self) -> impl Iterator<Item = &String> + '_ {
-        // This construction is required to satisfy compiler checks
-        // and still panic if this is ever called (as this would be a clear error!).
-        if true {
-            panic!("Metrics are not implemented in CSAF 2.0");
-        }
-        std::iter::empty()
+        self.products.iter().map(|x| x.deref())
     }
 
     fn get_content(&self) -> &Self::ContentType {
-        panic!("Metrics are not implemented in CSAF 2.0");
+        self
+    }
+
+    fn get_source(&self) -> &Option<String> {
+        &None
     }
 }
 
-impl ContentTrait for () {
+impl ContentTrait for Score {
+    fn has_ssvc_v1(&self) -> bool {
+        false
+    }
+
     fn get_ssvc_v1(&self) -> Result<SsvcV1, serde_json::Error> {
-        Err(serde_json::Error::custom("Metrics are not implemented in CSAF 2.0"))
+        Err(serde_json::Error::custom("SSVC metrics are not implemented in CSAF 2.0"))
+    }
+
+    fn get_cvss_v2(&self) -> Option<&Map<String, Value>> {
+        if self.cvss_v2.is_empty() {
+            None
+        } else {
+            Some(&self.cvss_v2)
+        }
+    }
+
+    fn get_cvss_v3(&self) -> Option<&Map<String, Value>> {
+        if self.cvss_v3.is_empty() {
+            None
+        } else {
+            Some(&self.cvss_v3)
+        }
+    }
+
+    fn get_cvss_v4(&self) -> Option<&Map<String, Value>> {
+        None
+    }
+
+    fn get_epss(&self) -> &Option<Epss> {
+        &None::<Epss>
+    }
+
+    fn get_content_json_path(&self, vulnerability_idx: usize, metric_idx: usize) -> String {
+        format!(
+            "/vulnerabilities/{}/scores/{}",
+            vulnerability_idx, metric_idx
+        )
+    }
+}
+
+impl WithGroupIds for Threat {
+    fn get_group_ids(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.group_ids.as_ref().map(|g| (*g).iter().map(|x| x.deref()))
     }
 }
 
@@ -112,11 +159,12 @@ impl VulnerabilityTrait for Vulnerability {
     type RemediationType = Remediation;
     type ProductStatusType = ProductStatus;
     // Metrics are not implemented in CSAF 2.0
-    type MetricType = ();
+    type MetricType = Score;
     type ThreatType = Threat;
     type FlagType = Flag;
     type InvolvementType = Involvement;
     type VulnerabilityIdType = Id;
+    type NoteType = Note;
 
     fn get_remediations(&self) -> &Vec<Self::RemediationType> {
         &self.remediations
@@ -126,9 +174,8 @@ impl VulnerabilityTrait for Vulnerability {
         &self.product_status
     }
 
-    fn get_metrics(&self) -> &Option<Vec<Self::MetricType>> {
-        // Metrics are not implemented in CSAF 2.0
-        &None
+    fn get_metrics(&self) -> Option<&Vec<Self::MetricType>> {
+        Some(&self.scores)
     }
 
     fn get_threats(&self) -> &Vec<Self::ThreatType> {
@@ -154,9 +201,14 @@ impl VulnerabilityTrait for Vulnerability {
     fn get_cve(&self) -> Option<&String> {
         self.cve.as_ref().map(|x| x.deref())
     }
+    
     fn get_ids(&self) -> &Option<Vec<Self::VulnerabilityIdType>> {
         &self.ids
     }
+
+    fn get_notes(&self) -> Option<&Vec<Self::NoteType>> {
+        self.notes.as_ref().map(|x| x.deref())
+    }
 }
 
 impl VulnerabilityIdTrait for Id {
@@ -169,6 +221,12 @@ impl VulnerabilityIdTrait for Id {
     }
 }
 
+impl WithGroupIds for Flag {
+    fn get_group_ids(&self) -> Option<impl Iterator<Item=&String> + '_> {
+        self.group_ids.as_ref().map(|g| (*g).iter().map(|x| x.deref()))
+    }
+}
+
 impl FlagTrait for Flag {
     fn get_date(&self) -> &Option<String> {
         &self.date
@@ -202,6 +260,7 @@ impl CsafTrait for CommonSecurityAdvisoryFramework {
 impl DocumentTrait for DocumentLevelMetaData {
     type TrackingType = Tracking;
     type DistributionType = RulesForSharingDocument;
+    type NoteType = Note;
 
     fn get_tracking(&self) -> &Self::TrackingType {
         &self.tracking
@@ -222,6 +281,10 @@ impl DocumentTrait for DocumentLevelMetaData {
             Some(distribution) => Ok(distribution)
         }
     }
+
+    fn get_notes(&self) -> Option<&Vec<Self::NoteType>> {
+        self.notes.as_ref().map(|x| x.deref())
+    }
 }
 
 impl DistributionTrait for RulesForSharingDocument {
@@ -249,6 +312,14 @@ impl DistributionTrait for RulesForSharingDocument {
     }
 }
 
+impl WithGroupIds for Note {
+    fn get_group_ids(&self) -> Option<impl Iterator<Item=&String> + '_> {
+        None::<std::iter::Empty<&String>>
+    }
+}
+
+impl NoteTrait for Note {}
+
 impl SharingGroupTrait for () {
     fn get_id(&self) -> &String {
         panic!("Sharing groups are not implemented in CSAF 2.0");