From 0ad4ed7db11b18742289ab2cbaf7f894d36926c4 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:15:49 +0200 Subject: [PATCH 01/14] Optional Patch - addresses parts of oasis-tcs/csaf#563 - add value "optional_patch" - adapt prose --- csaf_2.1/json_schema/csaf_json_schema.json | 1 + ...ema-elements-02-props-04-vulnerabilities.md | 18 +++++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 6cdd283c..8ad7bcb7 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -1338,6 +1338,7 @@ "mitigation", "no_fix_planned", "none_available", + "optional_patch", "vendor_fix", "workaround" ] diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index af56fb69..311a49c0 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -633,6 +633,7 @@ Valid values are: mitigation no_fix_planned none_available + optional_patch vendor_fix workaround ``` 
@@ -650,12 +651,23 @@ and they MAY or MAY NOT be officially sanctioned by the document producer. The value `vendor_fix` indicates that the remediation contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability. -This value contradicts with the categories `none_available` and `no_fix_planned` for the same product. +This value contradicts with the categories `none_available`, `no_fix_planned` and `optional_patch` for the same product. Therefore, such a combination can't be used in the list of remediations. +The value `optional_patch` indicates that the remediation contains information about an patch that +is issued by the original author of the affected product. +Its application is not necessary, but might be desired by the user, e.g. to calm a security scanner by +updating a dependency to a fixed version even though the dependency in the affected version was used +in the product in a way that the product itself was not affected. +Unless otherwise noted, it is assumed that this does not change the state regarding the vulnerability. +This value contradicts with the categories `none_available`, `no_fix_planned` and `vendor_fix` for the same product. +Therefore, such a combination can't be used in the list of remediations. + +> This is sometimes also referred to as a "regulatory compliance patch". + The value `none_available` indicates that there is currently no fix or other remediation available. The text in field `details` SHOULD contain details about why there is no fix or other remediation. -The values `none_available` and `vendor_fix` are mutually exclusive per product. +The values `none_available`, `optional_patch` and `vendor_fix` are mutually exclusive per product. > An issuing party might choose to use this category to announce that a fix is currently developed. 
It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed. @@ -663,7 +675,7 @@ It is recommended that this also includes a date when a customer can expect the The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The text in field `details` SHOULD contain details about why there will be no fix issued. -The values `no_fix_planned` and `vendor_fix` are mutually exclusive per product. +The values `no_fix_planned`, `optional_patch` and `vendor_fix` are mutually exclusive per product. ##### Vulnerabilities Property - Remediations - Date From 3dc23450b2c7b24eb59bf5b948fac283fecfaec0 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:42:41 +0200 Subject: [PATCH 02/14] Optional Patch - addresses parts of oasis-tcs/csaf#563 - add conversion rule for CVRF - add conversion rule from CSAF 2.0 --- csaf_2.1/prose/edit/src/conformance.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index e619fdf4..9dbd761b 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
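Review bot: in the new `optional_patch` paragraph (hunk `@@ -650,12 +651,23 @@`), "information about an patch" should read "a patch", and "This value contradicts with the categories" should drop "with" (the `vendor_fix` sentence with the same construction is being edited in this hunk anyway). More substantively, the paragraph says the patch "does not change the state regarding the vulnerability" but never says for which product states the value is meant; the conversion rule added to conformance.md in PATCH 02/14 of this series only assigns `optional_patch` to products in the "Not Affected" or "Fixed" status groups, and that condition belongs here in the definition so that a document author knows an `optional_patch` on a `known_affected` product is not a valid way to express a fix.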
@@ -144,10 +144,17 @@ Secondly, the program fulfills the following for all items of: * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a warning that this CWE has been removed as its usage is not allowed in vulnerability mappings. * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array. -* `/vulnerabilities[]/remediation[]`: If no `product_ids` or `group_ids` is given, - the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in the arrays `known_affected`, - `first_affected` and `last_affected` into `product_ids`. - If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element. +* `/vulnerabilities[]/remediations[]`: + * If no `product_ids` or `group_ids` is given, the CVRF CSAF converter appends all Product IDs which are listed under + `../product_status` in the arrays `known_affected`, `first_affected` and `last_affected` into `product_ids`. + If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element. + * The CVRF CSAF converter MUST convert any remediation with the attribute `Vendor Fix` into the category `optional_patch` if the product in + question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. + Otherwise, the category `vendor_fix` MUST be set. + The CVRF CSAF converter MUST output a warning if the value of the category was changed including the products it was changed for. 
+ If multiple products are associated with the remediation - either directly or through a product group - and the products belong to + different product status groups, the CVRF CSAF converter MUST duplicate the remediation, change the category in one instance + to `optional_patch` and distribute the products accordingly as stated by the conversion rule. * `/vulnerabilities[]/metrics[]`: * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.) @@ -550,6 +557,14 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. +* `/vulnerabilities[]/remediations[]`: The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the + category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. + Otherwise, the category `vendor_fix` MUST stay the same. + The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if the value of the category was changed including the products it was changed for. + If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different + product status groups, the CSAF 2.0 to CSAF 2.1 converter MUST duplicate the remediation, change the category in one instance to `optional_patch` + and distribute the products accordingly as stated by the conversion rule. + > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown. > A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any From b5b4f0ef978d9f4a09f86c91444a108acf8e871a Mon Sep 17 00:00:00 2001 
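Review bot: the duplication rule at the end of the new `remediations[]` bullet (hunk `@@ -144,10 +144,17 @@`) does not say how a `group_ids` reference is split when the group's members fall into different product status groups. A CSAF product group cannot be referenced partially, so the converter has to replace the group reference with explicit `product_ids` in at least one of the two copies; the rule should say that, and say which copy keeps the original `group_ids`. Two smaller points: "remediation with the attribute `Vendor Fix`" should be "with the `Type` `Vendor Fix`", since `Vendor Fix` is a value of the `Type` attribute of `vuln:Remediation`, and the required warning should also name the new remediation element created by the duplication, not only the changed category, so that the output can be traced back to the CVRF input.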
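Review bot: the CSAF 2.0 to CSAF 2.1 bullet (hunk `@@ -550,6 +557,14 @@`) needs the same clarification for `group_ids`: "distribute the products accordingly" is only possible by replacing the group reference with explicit `product_ids` in the copy that gets the other category, and the text should spell that out rather than rely on the CVRF rule. It should also say that the status-group check uses the `product_status` of the same vulnerability item, so that a product listed under `fixed` in one vulnerability and `known_affected` in another is handled independently per vulnerability; "for this vulnerability" implies it, but a converter author will look for the explicit statement.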
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 17:44:49 +0200 Subject: [PATCH 03/14] Fix planned - addresses parts of oasis-tcs/csaf#662 - add value `fix_planned` as remediation category - adapt prose - restructure mutually exclusive categories --- csaf_2.1/json_schema/csaf_json_schema.json | 1 + ...ma-elements-02-props-04-vulnerabilities.md | 22 +++++++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 8ad7bcb7..ec1d90fa 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -1335,6 +1335,7 @@ "description": "Specifies the category which this remediation belongs to.", "type": "string", "enum": [ + "fix_planned", "mitigation", "no_fix_planned", "none_available", diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index 311a49c0..09ac9342 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -630,6 +630,7 @@ Category of the remediation (`category`) of value type `string` and `enum` speci Valid values are: ``` + fix_planned mitigation no_fix_planned none_available 
@@ -651,8 +652,6 @@ and they MAY or MAY NOT be officially sanctioned by the document producer. The value `vendor_fix` indicates that the remediation contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability. -This value contradicts with the categories `none_available`, `no_fix_planned` and `optional_patch` for the same product. -Therefore, such a combination can't be used in the list of remediations. The value `optional_patch` indicates that the remediation contains information about an patch that is issued by the original author of the affected product. 
@@ -669,14 +668,29 @@ The value `none_available` indicates that there is currently no fix or other rem The text in field `details` SHOULD contain details about why there is no fix or other remediation. The values `none_available`, `optional_patch` and `vendor_fix` are mutually exclusive per product. -> An issuing party might choose to use this category to announce that a fix is currently developed. -It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed. +The value `fix_planned` indicates that there is a fix for the vulnerability planned but not yet ready. +An issuing party might choose to use this category to announce that a fix is currently developed. +The text in field `details` SHOULD contain details including a date when a customer can expect the fix to be ready and distributed. The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The text in field `details` SHOULD contain details about why there will be no fix issued. The values `no_fix_planned`, `optional_patch` and `vendor_fix` are mutually exclusive per product. +Some category values contradict each other and thus are mutually exclusive per product. +Therefore, such a combination MUST NOT be used in the list of remediations for the same product. 
+The following tables shows the allowed and prohibited combinations: + +| category value | `workaround` | `mitigation` | `vendor_fix` | `optional_patch` | `none_available` | `fix_planned` | `no_fix_planned` | +|:----------------:|:------------:|:------------:|:------------:|:----------------:|:----------------:|:-------------:|:----------------:| +| `workaround` | allowed | allowed | allowed | prohibited | prohibited | allowed | allowed | +| `mitigation` | allowed | allowed | allowed | prohibited | prohibited | allowed | allowed | +| `vendor_fix` | allowed | allowed | allowed | prohibited | prohibited | prohibited | prohibited | +| `optional_patch` | prohibited | prohibited | prohibited | allowed | prohibited | prohibited | prohibited | +| `none_available` | prohibited | prohibited | prohibited | prohibited | allowed | prohibited | prohibited | +| `fix_planned` | allowed | allowed | prohibited | prohibited | prohibited | allowed | prohibited | +| `no_fix_planned` | allowed | allowed | prohibited | prohibited | prohibited | prohibited | allowed | + ##### Vulnerabilities Property - Remediations - Date Date of the remediation (`date`) of value type `string` with format `date-time` contains the date from which the remediation is available. From 60137b8b3171d0c749b198dd8e7c66ee01e4bedb Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:20:07 +0200 Subject: [PATCH 04/14] Fix planned - addresses parts of oasis-tcs/csaf#662 - add conversion rule from CVRF - add conversion rule from CSAF 2.0 - fix format mistake --- csaf_2.1/prose/edit/src/conformance.md | 39 +++++++++++++++++++------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 9dbd761b..8f85ec56 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
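Review bot: the new combination table (hunk `@@ -669,14 +668,29 @@`) contradicts the sentences left in the surrounding paragraphs. The `none_available` paragraph still says only `none_available`, `optional_patch` and `vendor_fix` are mutually exclusive, the `no_fix_planned` paragraph says the same for `no_fix_planned`, `optional_patch` and `vendor_fix`, and the `optional_patch` paragraph from PATCH 01/14 lists `none_available`, `no_fix_planned` and `vendor_fix`; the table, however, prohibits `none_available` with every other value and `optional_patch` with every other value, including `workaround`, `mitigation` and `fix_planned`. Since the corresponding `vendor_fix` sentence was already removed in `@@ -651,8 +652,6 @@`, remove the other three as well and let the table be the single normative statement, or make them match. Also "The following tables shows" should read "The following table shows", and since the table is symmetric, one sentence saying so lets readers check it at a glance.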
@@ -148,13 +148,22 @@ Secondly, the program fulfills the following for all items of: * If no `product_ids` or `group_ids` is given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in the arrays `known_affected`, `first_affected` and `last_affected` into `product_ids`. If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element. - * The CVRF CSAF converter MUST convert any remediation with the attribute `Vendor Fix` into the category `optional_patch` if the product in + * The CVRF CSAF converter MUST convert any remediation with the type `Vendor Fix` into the category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. Otherwise, the category `vendor_fix` MUST be set. - The CVRF CSAF converter MUST output a warning if the value of the category was changed including the products it was changed for. If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different product status groups, the CVRF CSAF converter MUST duplicate the remediation, change the category in one instance to `optional_patch` and distribute the products accordingly as stated by the conversion rule. + * The CVRF CSAF converter MUST convert any remediation with the type `None Available` into the category `fix_planned` + if the product in question is also listed in a remediation of the type `Vendor Fix` with a `Date` in the future or no `Date` at all. + Consequently, the product MUST be removed from the remediation of the category `vendor_fix`. + If it was the last product in that remediation, the remediation MUST be removed. 
+ * The CVRF CSAF converter MUST remove any product from a remediation with the type `None Available` + if the product in question is also listed in a remediation of the type `Vendor Fix` with a `Date` in the past or to the exact same time. + If it was the last product in that remediation, the remediation MUST be removed. + * In any other case, the CVRF CSAF converter MUST preserve the product in the remediation of the category `none_available`. + * The CVRF CSAF converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, + including the products it was changed for. * `/vulnerabilities[]/metrics[]`: * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.) @@ -541,7 +550,7 @@ Secondly, the program fulfills the following for all items of: option to use this label instead. If the TLP label changes through such conversion in a way that is not reflected in the table above, the the CSAF 2.0 to CSAF 2.1 converter MUST output a warning that the TLP label was taken from the distribution text. Such a warning MUST include both values: the converted one based on the table and the one from the distribution text. - > This is a common case for CSAF 2.0 documents labeled as TLP:RED but actually intended to be TLP:AMBER+STRICT. + > This is a common case for CSAF 2.0 documents labeled as `TLP:RED` but actually intended to be `TLP:AMBER+STRICT`. If no TLP label was given, the CSAF 2.0 to CSAF 2.1 converter SHOULD assign `TLP:CLEAR` and output a warning that the default TLP has been set. * `/document/publisher/category`: If the value is `other`, the CSAF 2.0 to CSAF 2.1 converter SHOULD output a warning that some parties have 
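Review bot: the new `None Available` rules (hunk `@@ -148,13 +148,22 @@`) compare the `Vendor Fix` `Date` against "the future" and "the past" without saying relative to what. If the reference point is the time of conversion, converting the same CVRF document on two different days yields different CSAF 2.1 documents (`none_available` becomes `fix_planned` one day and the product is silently dropped from the remediation the next); the comparison should be against the document's own current release date, and the text should say so. The bullets also need an order of application: the first bullet may already have rewritten a `Vendor Fix` into `optional_patch` for products in the "Fixed" group, and the `None Available` bullets say "listed in a remediation of the type `Vendor Fix`", so it is unclear whether they look at the input type or the converted category. Minor: "with a `Date` in the past or to the exact same time" reads better as "with a `Date` equal to or earlier than" the reference date.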
@@ -557,13 +566,23 @@ Secondly, the program fulfills the following for all items of: The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches. -* `/vulnerabilities[]/remediations[]`: The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the - category `optional_patch` if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. - Otherwise, the category `vendor_fix` MUST stay the same. - The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if the value of the category was changed including the products it was changed for. - If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different - product status groups, the CSAF 2.0 to CSAF 2.1 converter MUST duplicate the remediation, change the category in one instance to `optional_patch` - and distribute the products accordingly as stated by the conversion rule. +* `/vulnerabilities[]/remediations[]`: + * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch` + if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. + Otherwise, the category `vendor_fix` MUST stay the same. + If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different + product status groups, the CSAF 2.0 to CSAF 2.1 converter MUST duplicate the remediation, change the category in one instance to `optional_patch` + and distribute the products accordingly as stated by the conversion rule. 
+ * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `none_available` into the category `fix_planned` + if the product in question is also listed in a remediation of the category `vendor_fix` with a `date` in the future or no `date` at all. + Consequently, the product MUST be removed from the remediation of the category `vendor_fix`. + If it was the last product in that remediation, the remediation MUST be removed. + * The CSAF 2.0 to CSAF 2.1 converter MUST remove any product from a remediation with the category `none_available` + if the product in question is also listed in a remediation of the category `vendor_fix` with a `date` in the past or to the exact same time. + If it was the last product in that remediation, the remediation MUST be removed. + * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`. + * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, + including the products it was changed for. > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown. From 6e78e52a94ff9cb85ba1e33bf7b6024219d03568 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:32:22 +0200 Subject: [PATCH 05/14] Remediation categories - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - clarify that reference of products can be direct or indirect --- .../edit/src/schema-elements-02-props-04-vulnerabilities.md | 1 + 1 file changed, 1 insertion(+) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index 09ac9342..4942823d 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md 
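Review bot: the same reference-point problem exists in the CSAF 2.0 bullets (hunk `@@ -557,13 +566,23 @@`): "a `date` in the future" should be measured against `/document/tracking/current_release_date` of the document being converted, not the wall clock at conversion time, otherwise the conversion is not reproducible. The rule itself is well motivated, because `date` is defined as the date from which the remediation is available, so a `vendor_fix` dated in the future really is a planned fix; stating that rationale in one sentence would help implementers. As in the CVRF section, specify whether the `vendor_fix` lookup happens before or after the `optional_patch` rewrite in the preceding bullet.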
+++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -679,6 +679,7 @@ The values `no_fix_planned`, `optional_patch` and `vendor_fix` are mutually excl Some category values contradict each other and thus are mutually exclusive per product. Therefore, such a combination MUST NOT be used in the list of remediations for the same product. +This is independent from whether the product is referenced directly or indirectly through a product group. The following tables shows the allowed and prohibited combinations: | category value | `workaround` | `mitigation` | `vendor_fix` | `optional_patch` | `none_available` | `fix_planned` | `no_fix_planned` | From 22bfacb62289bda6ae76d4af73228bd04c58b839 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 21:00:21 +0200 Subject: [PATCH 06/14] Contradicting Remediations - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - add mandatory test for contradicting remediations - add invalid examples - add valid examples --- ...-01-mndtr-35-contradicting-remediations.md | 37 ++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json | 65 +++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json | 85 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json | 92 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json | 58 ++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json | 84 +++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json | 93 +++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 35 ++++++- .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 549 insertions(+), 2 deletions(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md new file mode 100644 index 00000000..4603d95e --- /dev/null +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md 
@@ -0,0 +1,37 @@ +### Contradicting Remediations + +For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of contradicting remediation categories. + +The relevant path for this test is: + +``` + /vulnerabilities[]/remediations[] +``` + +*Example 1 (which fails the test):* + +``` + "remediations": [ + { + "category": "no_fix_planned", + "details": "The product is end-of-life. Therefore, no fix will be provided.", + "product_ids": [ + "CSAFPID-9080700" + ] + }, + { + "category": "vendor_fix", + "details": "Update to version >=14.3 to fix the vulnerability.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] +``` + +> The two remediations given for the product with product ID `CSAFPID-908070` contradict each other. + +> A tool MAY apply the conversion rules from the conformance target CSAF 2.0 to CSAF 2.1 converter if applicable or +> remove the product from the remediation with the lower priority. +> The priority MAY be defined as follows: +> `vendor_fix` > `mitigation` > `workaround` > `fix_planned` > `no_fix_planned` > `optional_patch` > `none_available` diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json new file mode 100644 index 00000000..ed2dbd2a --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json 
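Review bot: the explanatory blockquote under Example 1 (hunk `@@ -0,0 +1,37 @@`) names the product as `CSAFPID-908070`, but the example uses `CSAFPID-9080700`. In the first sentence the path is `/vulnerabilities[]/remediations` while the "relevant path" block says `/vulnerabilities[]/remediations[]`; use the latter in both places, and "is not member of" should read "is not a member of". The test text should also state that products referenced through `group_ids` must be resolved before comparing, because failing examples 2 and 3 (`...-35-02.json`, `...-35-03.json`) only fail once group membership is expanded; PATCH 05/14 says this for the definition prose, but the test description is what validator authors read.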
@@ -0,0 +1,65 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "no_fix_planned", + "details": "The product is end-of-life. Therefore, no fix will be provided.", + "product_ids": [ + "CSAFPID-9080700" + ] + }, + { + "category": "vendor_fix", + "details": "Update to version >=14.3 to fix the vulnerability.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json new file mode 100644 index 00000000..9fe0194d --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json 
@@ -0,0 +1,85 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + "remediations": [ + { + "category": "none_available", + "details": "The product is end-of-life. Therefore, no fix will be provided.", + "product_ids": [ + "CSAFPID-9080700" + ] + }, + { + "category": "mitigation", + "details": "Make sure that the product is not connected to any network.", + "group_ids": [ + "CSAFGID-1020300" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json new file mode 100644 index 00000000..676bf805 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json 
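Review bot: in `oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json` the `none_available` remediation carries the `details` text "The product is end-of-life. Therefore, no fix will be provided.", which is the rationale the prose gives for `no_fix_planned`, not for `none_available`. These files get copied as templates, so use a text that matches the category (for instance that no fix is available yet). The same string is reused for `none_available` in the valid example `...-35-12.json` later in this patch.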
@@ -0,0 +1,92 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + "remediations": [ + { + "category": "workaround", + "details": "Disconnect the product from all networks.", + "product_ids": [ + "CSAFPID-9080702" + ] + }, + { + "category": "fix_planned", + "details": "A fix is expected in December 2024.", + "product_ids": [ + "CSAFPID-9080702" + ] + }, + { + "category": "optional_patch", + "details": "Apply the firmware update provided.", + "group_ids": [ + "CSAFGID-1020300" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json new file mode 100644 index 00000000..283148e3 --- /dev/null 
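Review bot: `oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json` fails for more than the reason the test is about. `CSAFPID-9080702` is in `workaround` and `fix_planned` and, through `CSAFGID-1020300`, in `optional_patch`, which is the intended contradiction; but `CSAFPID-9080700` and `CSAFPID-9080701` are `known_affected` and receive only an `optional_patch`, which by the definition added in this series (the patch does not change the state regarding the vulnerability, and the converters only assign it to products in the "Not Affected" or "Fixed" groups) is a second inconsistency that no test in this patch checks. Either mark those two products `known_not_affected` as in the valid counterpart `...-35-13.json`, so that the file fails for exactly one reason, or add a separate mandatory test for `optional_patch` on affected products.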
+++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json @@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "vendor_fix", + "details": "Update to version >=14.3 to fix the vulnerability.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json new file mode 100644 index 00000000..b41b640f --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json 
@@ -0,0 +1,84 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + "remediations": [ + { + "category": "none_available", + "details": "The product is end-of-life. Therefore, no fix will be provided.", + "product_ids": [ + "CSAFPID-9080700" + ] + }, + { + "category": "mitigation", + "details": "Make sure that the product is not connected to any network.", + "group_ids": [ + "CSAFGID-1020300" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json new file mode 100644 index 00000000..fbe5cd16 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json 
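Review bot: In oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json the `none_available` entry's `details` ("The product is end-of-life. Therefore, no fix will be provided.") describes the `no_fix_planned` situation rather than `none_available`; the prose in this series ties end-of-life products to `no_fix_planned`. The example stays valid either way, since nothing else targets CSAFPID-9080700, but as reference data it teaches the wrong category. Suggest `"details": "A fix is not yet available."` or switching the category to `no_fix_planned`. The same string is reused in the 6-1-36 fixtures.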
@@ -0,0 +1,93 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080702" + ], + "known_not_affected": [ + "CSAFPID-9080700", + "CSAFPID-9080701" + ] + }, + "remediations": [ + { + "category": "workaround", + "details": "Disconnect the product from all networks.", + "product_ids": [ + "CSAFPID-9080702" + ] + }, + { + "category": "fix_planned", + "details": "A fix is expected in December 2024.", + "product_ids": [ + "CSAFPID-9080702" + ] + }, + { + "category": "optional_patch", + "details": "Apply the firmware update provided.", + "group_ids": [ + "CSAFGID-1020300" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 4180ec2c..b18e83cb 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1003,7 +1003,8 @@ "valid": true } ] - },{ + }, + { "id": "6.1.34", "group": "mandatory", "failures": [ @@ -1023,6 +1024,38 @@ } ] }, + { + "id": "6.1.35", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-02.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-12.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index ddb189a6..5bad35a7 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-4]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-5]))$" }, "valid": { "title": "List of valid examples", From 675a980423661d216f80538efddfb6cc87ad35fe Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:11:04 +0200 Subject: [PATCH 07/14] Remediation categories - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - remove duplicate notes about mutually exclusive categories - add table for contradicting product status group remediation category combinations --- ...ma-elements-02-props-04-vulnerabilities.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index 4942823d..b2f288d2 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -659,14 +659,11 @@ Its application is not necessary, but might be desired by the user, e.g. to calm updating a dependency to a fixed version even though the dependency in the affected version was used in the product in a way that the product itself was not affected. Unless otherwise noted, it is assumed that this does not change the state regarding the vulnerability. -This value contradicts with the categories `none_available`, `no_fix_planned` and `vendor_fix` for the same product. -Therefore, such a combination can't be used in the list of remediations. > This is sometimes also referred to as a "regulatory compliance patch". The value `none_available` indicates that there is currently no fix or other remediation available. The text in field `details` SHOULD contain details about why there is no fix or other remediation. -The values `none_available`, `optional_patch` and `vendor_fix` are mutually exclusive per product. The value `fix_planned` indicates that there is a fix for the vulnerability planned but not yet ready. An issuing party might choose to use this category to announce that a fix is currently developed. 
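Review bot: The hunk in schema-elements-02-props-04-vulnerabilities.md starts at line 659, after the `vendor_fix` paragraph, and drops the per-category mutual-exclusion sentences only for `optional_patch`, `none_available` and (in the next hunk) `no_fix_planned`. If the `vendor_fix` paragraph carries the same kind of "This value contradicts with ..." sentence, it should be removed in this commit as well, otherwise one category keeps an inline rule while the others defer to the table.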
@@ -675,7 +672,6 @@ The text in field `details` SHOULD contain details including a date when a custo The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The text in field `details` SHOULD contain details about why there will be no fix issued. -The values `no_fix_planned`, `optional_patch` and `vendor_fix` are mutually exclusive per product. Some category values contradict each other and thus are mutually exclusive per product. Therefore, such a combination MUST NOT be used in the list of remediations for the same product. 
@@ -692,6 +688,21 @@ The following tables shows the allowed and prohibited combinations: | `fix_planned` | allowed | allowed | prohibited | prohibited | prohibited | allowed | prohibited | | `no_fix_planned` | allowed | allowed | prohibited | prohibited | prohibited | prohibited | allowed | +Some category values contradict certain product status groups. +Therefore, such a combination MUST NOT exist in a vulnerability item for the same product. +This is independent from whether the product is referenced directly or indirectly through a product group. +The following tables shows the allowed, discouraged and prohibited combinations: + +| category value | Affected | Not Affected | Fixed | Under Investigation | Recommended | +|:----------------:|:----------:|:------------:|:-----------:|:-------------------:|:-----------:| +| `workaround` | allowed | prohibited | prohibited | discouraged | allowed | +| `mitigation` | allowed | prohibited | prohibited | discouraged | allowed | +| `vendor_fix` | allowed | prohibited | prohibited | discouraged | allowed | +| `optional_patch` | prohibited | allowed | discouraged | allowed | allowed | +| `none_available` | allowed | prohibited | prohibited | allowed | allowed | +| `fix_planned` | allowed | discouraged | prohibited | discouraged | allowed | +| `no_fix_planned` | allowed | discouraged | prohibited | allowed | allowed | + ##### Vulnerabilities Property - Remediations - Date Date of the remediation (`date`) of value type `string` with format `date-time` contains the date from which the remediation is available. From 05502f89fba8ea6c84066ab22a6dc78f314b8809 Mon Sep 17 00:00:00 2001 
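Review bot: Grammar in the added lines: "The following tables shows" should read "The following table shows" (the pre-existing context line above has the same slip), and "independent from whether" should be "independent of whether". Two content points on the new table: it introduces a third value, "discouraged", without saying what it means normatively; a sentence stating that "prohibited" cells are enforced by the mandatory test and "discouraged" cells by the optional test (and which `product_status` keys form each group) would make the table self-explanatory. Also, is the asymmetry in the Under Investigation column intentional? `fix_planned` is discouraged there while `no_fix_planned` and `none_available` are allowed; if the reasoning is that a vendor still investigating cannot promise a fix, the same logic suggests it cannot rule one out either.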
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:24:11 +0200 Subject: [PATCH 08/14] Contradicting Product Status vs Remediation - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - add mandatory test for contradicting Product status remediations combinations - add invalid examples - add valid examples --- ...-product-status-remediation-combination.md | 30 ++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json | 101 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json | 101 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json | 58 ++++++++++ csaf_2.1/test/validator/data/testcases.json | 32 ++++++ .../test/validator/testcases_json_schema.json | 2 +- 9 files changed, 497 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md new file mode 100644 index 00000000..1e3c5f15 --- /dev/null 
+++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md @@ -0,0 +1,30 @@ +### Contradicting Product Status Remediation Combination + +For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of a contradicting product status group. + +The relevant path for this test is: + +``` + /vulnerabilities[]/remediations[] +``` + +*Example 1 (which fails the test):* + +``` + "product_status": { + "known_not_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "vendor_fix", + "details": "Update to version >=14.3 to fix the vulnerability.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] +``` + +> For the product with product ID `CSAFPID-908070` a `vendo_fix` is given but the product was not affected at all. diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json new file mode 100644 index 00000000..624dc058 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json 
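Review bot: In tests-01-mndtr-36-contradicting-product-status-remediation-combination.md the sentence "is not member of a contradicting product status group" is missing an article ("is not a member of"), and the closing note does not match the example: it names `CSAFPID-908070` (one digit short of `CSAFPID-9080700`) and `vendo_fix` instead of `vendor_fix`. The test text also never says where "contradicting" is defined; point to the product status group / remediation category table and state that the mandatory test covers the "prohibited" cells only, since "discouraged" is handled by the optional test.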
@@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_not_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "vendor_fix", + "details": "Update to version >=14.3 to fix the vulnerability.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json new file mode 100644 index 00000000..c0b9c37c --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json 
@@ -0,0 +1,101 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + }, + { + "product_id": "CSAFPID-9080703", + "name": "Product D" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "first_fixed": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ], + "fixed": [ + "CSAFPID-9080703" + ] + }, + "remediations": [ + { + "category": "none_available", + "details": "The product is end-of-life. Therefore, no fix will be provided.", + "product_ids": [ + "CSAFPID-9080703" + ] + }, + { + "category": "mitigation", + "details": "Make sure that the product is not connected to any network.", + "group_ids": [ + "CSAFGID-1020300" + ] + }, + { + "category": "vendor_fix", + "details": "Update to the version 8.5.1 or higher.", + "product_ids": [ + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + } + ] +} + 
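Review bot: In oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json all four products are in the Fixed group (`first_fixed` and `fixed`), so each of the three remediations (`none_available`, `mitigation`, `vendor_fix`) is a prohibited combination on its own; the fixture fails for three independent reasons, which gives an implementer little signal about which check they got wrong. The `none_available` entry also keeps the "end-of-life ... no fix will be provided" text that belongs to `no_fix_planned`. Minor: the hunk ends with an additional empty `+` line after the closing brace, which the other fixtures in this series do not have.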
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json new file mode 100644 index 00000000..34945b81 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json @@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Product Status Remediation Combination (failing example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-03", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "optional_patch", + "details": "Apply patch HOTFIX-0815 to check compliance.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json new file mode 100644 index 00000000..c5a6b9fd --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json 
@@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_not_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "optional_patch", + "details": "Update to version >=14.3 to calm security scanner. Note that the product was never affected in the first place and that there is not status change regarding the vulnerability by applying the patch.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json new file mode 100644 index 00000000..a91b8ba3 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json 
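Review bot: In oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json the `details` string has two wording errors: "to calm security scanner" should be "to calm a security scanner", and "there is not status change regarding the vulnerability" should be "there is no status change regarding the vulnerability". Since this is the reference valid example for `optional_patch`, the text is likely to be copied by producers.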
@@ -0,0 +1,101 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + }, + { + "product_id": "CSAFPID-9080703", + "name": "Product D" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "first_affected": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ], + "known_affected": [ + "CSAFPID-9080703" + ] + }, + "remediations": [ + { + "category": "none_available", + "details": "The product is end-of-life. Therefore, no fix will be provided.", + "product_ids": [ + "CSAFPID-9080703" + ] + }, + { + "category": "mitigation", + "details": "Make sure that the product is not connected to any network.", + "group_ids": [ + "CSAFGID-1020300" + ] + }, + { + "category": "vendor_fix", + "details": "Update to the version 8.5.1 or higher.", + "product_ids": [ + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + } + ] +} + 
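Review bot: In oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json the `none_available` entry for CSAFPID-9080703 again uses the "end-of-life ... no fix will be provided" wording, which describes `no_fix_planned`; the combination is still allowed (Affected + `none_available`), so the fixture is valid, but the text should match the category. As in failing example 2, the hunk ends with an extra empty `+` line after the closing brace.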
diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json new file mode 100644 index 00000000..e145d170 --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json @@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Product Status Remediation Combination (valid example 3)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-36-13", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_not_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "optional_patch", + "details": "Apply patch HOTFIX-0815 to check compliance.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index b18e83cb..2184b3d6 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json 
@@ -1056,6 +1056,38 @@ } ] }, + { + "id": "6.1.36", + "group": "mandatory", + "failures": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-01.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-02.json", + "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-03.json", + "valid": false + } + ], + "valid": [ + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-11.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-12.json", + "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-36-13.json", + "valid": true + } + ] + }, { "id": "6.2.1", "group": "optional", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index 5bad35a7..f6e82949 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-5]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$" }, "valid": { "title": "List of valid examples", From a27457109b6d0f71cb04d51dcc6ad0cec39d26b4 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:27:29 +0200 Subject: [PATCH 09/14] Contradicting Product Status vs Remediation - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - fix spelling mistake - improve wording - clarify that this also applies to indirect relationships through product groups --- .../edit/src/tests-01-mndtr-35-contradicting-remediations.md | 3 ++- ...6-contradicting-product-status-remediation-combination.md | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md index 4603d95e..64e00eb2 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md @@ -1,6 +1,7 @@ ### Contradicting Remediations -For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of contradicting remediation categories. +For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of contradicting remediation categories. +This takes indirect relations through Product Groups into account. The relevant path for this test is: diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md index 1e3c5f15..248f4818 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md 
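Review bot: In tests-01-mndtr-35-contradicting-remediations.md the reworded sentence still lacks an article: "a Product is not member of contradicting remediation categories" should be "a Product is not a member of contradicting remediation categories". The added sentence about indirect relations through Product Groups is the right clarification; consider also stating that the comparison is done per product after resolving all `group_ids`, so that two remediations referencing different groups with overlapping members are covered.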
@@ -1,6 +1,7 @@ ### Contradicting Product Status Remediation Combination -For each item in `/vulnerabilities[]/remediations` it MUST be tested that the same Product ID is not member of a contradicting product status group. +For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of a contradicting product status group. +This takes indirect relations through Product Groups into account. The relevant path for this test is: @@ -27,4 +28,4 @@ The relevant path for this test is: ] ``` -> For the product with product ID `CSAFPID-908070` a `vendo_fix` is given but the product was not affected at all. +> For the product with product ID `CSAFPID-908070` a `vendor_fix` is given but the product was not affected at all. From 7e03b04619d856bdbe4da42d0ceaacdc024674a4 Mon Sep 17 00:00:00 2001 
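Review bot: In tests-01-mndtr-36-contradicting-product-status-remediation-combination.md this hunk fixes `vendo_fix` but leaves the other mismatch in the same note: `CSAFPID-908070` should be `CSAFPID-9080700`, the ID actually used in the example. "is not member of" also still needs "a".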
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:52:32 +0200 Subject: [PATCH 10/14] Discouraged Product Status Remediation Combination - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - add optional test for discouraged product status remediation combinations - add invalid examples - add valid examples --- csaf_2.1/prose/edit/src/tests-02-optional.md | 33 ++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json | 100 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json | 58 ++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json | 100 ++++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 24 +++++ .../test/validator/testcases_json_schema.json | 2 +- 7 files changed, 374 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json create mode 100644 csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md index 623ee200..b6c10779 100644 --- a/csaf_2.1/prose/edit/src/tests-02-optional.md +++ b/csaf_2.1/prose/edit/src/tests-02-optional.md 
@@ -823,3 +823,36 @@ The relevant path for this test is: ``` > The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023) + +### Discouraged Product Status Remediation Combination + +For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of a discouraged product status group +remediation category combination. +This takes indirect relations through Product Groups into account. + +The relevant path for this test is: + +``` + /vulnerabilities[]/remediations[] +``` + +*Example 1 (which fails the test):* + +``` + "product_status": { + "known_not_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "fix_planned", + "details": "The fix should be available in Q4 2024.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] +``` + +> For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all. diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json new file mode 100644 index 00000000..f6bc5e39 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json 
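Review bot: In tests-02-optional.md the test statement "is not member of a discouraged product status group remediation category combination" is hard to parse; suggest "it MUST be tested that a Product is not referenced in a remediation whose category is marked as discouraged for the Product's product status group" with a pointer to the table. The closing note repeats the truncated ID `CSAFPID-908070` where the example uses `CSAFPID-9080700`.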
@@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Discouraged Product Status Remediation Combination (failing example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-01", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_not_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "fix_planned", + "details": "The fix should be available in Q4 2024.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json new file mode 100644 index 00000000..fa89c71d --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json 
@@ -0,0 +1,100 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Discouraged Product Status Remediation Combination (failing example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-02", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + }, + { + "product_id": "CSAFPID-9080703", + "name": "Product D" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "fixed": [ + "CSAFPID-9080703" + ], + "under_investigation": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + "remediations": [ + { + "category": "fix_planned", + "details": "The fix is expected to be distributed in November 2024.", + "product_ids": [ + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + { + "category": "mitigation", + "details": "Make sure that the product is not connected to any network.", + "group_ids": [ + "CSAFGID-1020300" + ] + }, + { + "category": "optional_patch", + "details": "Update to the version 8.5.1.", + "product_ids": [ + "CSAFPID-9080703" + ] + } + ] + } + ] +} 
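Review bot: this failing example differs from its valid counterpart (-12.json) in two places at once: CSAFPID-9080700 to -9080702 are `under_investigation` while two of them get `fix_planned`, and CSAFPID-9080703 is `fixed` while it gets `optional_patch`. Neither the title nor the `details` say which of these combinations the test is meant to catch; either split this into two failing files with one discouraged combination each, or name the intended combination in the title so a validator implementation can be checked against it.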
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json new file mode 100644 index 00000000..d20fb0d2 --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json @@ -0,0 +1,58 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Discouraged Product Status Remediation Combination (valid example 1)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-11", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "known_affected": [ + "CSAFPID-9080700" + ] + }, + "remediations": [ + { + "category": "fix_planned", + "details": "The fix should be available in Q4 2024.", + "product_ids": [ + "CSAFPID-9080700" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json new file mode 100644 index 00000000..a7f322cd --- /dev/null +++ b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json 
@@ -0,0 +1,100 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Optional test: Discouraged Product Status Remediation Combination (valid example 2)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-27-12", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + }, + { + "product_id": "CSAFPID-9080703", + "name": "Product D" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "last_affected": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ], + "under_investigation": [ + "CSAFPID-9080703" + ] + }, + "remediations": [ + { + "category": "fix_planned", + "details": "The fix is expected to be distributed in November 2024.", + "product_ids": [ + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + { + "category": "mitigation", + "details": "Make sure that the product is not connected to any network.", + "group_ids": [ + "CSAFGID-1020300" + ] + }, + { + "category": "optional_patch", + "details": "Update to the version 8.5.1.", + "product_ids": [ + "CSAFPID-9080703" + ] + } + ] + } + ] +} 
diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 2184b3d6..30283341 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1688,6 +1688,30 @@ } ] }, + { + "id": "6.2.27", + "group": "optional", + "failures": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-01.json", + "valid": true + }, + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-02.json", + "valid": true + } + ], + "valid": [ + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-11.json", + "valid": true + }, + { + "name": "optional/oasis_csaf_tc-csaf_2_1-2024-6-2-27-12.json", + "valid": true + } + ] + }, { "id": "6.3.1", "group": "informative", diff --git a/csaf_2.1/test/validator/testcases_json_schema.json b/csaf_2.1/test/validator/testcases_json_schema.json index f6e82949..0d30d7ea 100644 --- a/csaf_2.1/test/validator/testcases_json_schema.json +++ b/csaf_2.1/test/validator/testcases_json_schema.json @@ -62,7 +62,7 @@ "title": "Number of the test", "description": "Contains the section number of the test in the specification.", "type": "string", - "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$" + "pattern": "^6\\.(([1-3]\\.[1-9])|([12]\\.1[0-9])|(3\\.1[0-2])|([12]\\.2[0-6])|(2\\.27)|(1\\.2[8-9])|(1\\.27\\.([1-9]|10|11))|(1\\.3[0-6]))$" }, "valid": { "title": "List of valid examples", From 026b8143507e528f6c61ac1a13b9164de74c092e Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 23:05:19 +0200 Subject: [PATCH 11/14] Contradicting Remediations - addresses parts of oasis-tcs/csaf#541, oasis-tcs/csaf#662, oasis-tcs/csaf#563 - correct example - add valid example - add invalid example --- ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json | 2 +- ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-04.json | 105 ++++++++++++++++++ ...oasis_csaf_tc-csaf_2_1-2024-6-1-35-14.json | 103 +++++++++++++++++ csaf_2.1/test/validator/data/testcases.json | 8 ++ 4 files changed, 217 insertions(+), 1 deletion(-) create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-04.json create mode 100644 csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-14.json diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json index 676bf805..9fb0606f 100644 --- a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json @@ -58,7 +58,7 @@ "vulnerabilities": [ { "product_status": { - "known_affected": [ + "recommended": [ "CSAFPID-9080700", "CSAFPID-9080701", "CSAFPID-9080702" diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-04.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-04.json new file mode 100644 index 00000000..e8f8eb4f --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-04.json 
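Review bot: the commit message says "correct example" but not what was wrong with `known_affected` in failing example 3 of 6.1.35; if the reason is that the old status also tripped another test and the file should fail for the contradicting remediations alone, say so in the message, otherwise a later reader will wonder whether the semantics of the test changed.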
@@ -0,0 +1,105 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (failing example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-04", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + }, + { + "product_id": "CSAFPID-9080703", + "name": "Product D" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702" + ] + }, + { + "group_id": "CSAFGID-1020301", + "product_ids": [ + "CSAFPID-9080701", + "CSAFPID-9080702", + "CSAFPID-9080703" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "recommended": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702", + "CSAFPID-9080703" + ] + }, + "remediations": [ + { + "category": "mitigation", + "details": "Disconnect the product from all networks. Reboot the product and deactivate the IPv6 stack. 
Then reconnect the product to trusted networks only.", + "group_ids": [ + "CSAFGID-1020301" + ] + }, + { + "category": "fix_planned", + "details": "A fix is expected in December 2024.", + "group_ids": [ + "CSAFGID-1020301" + ] + }, + { + "category": "optional_patch", + "details": "Apply the firmware update provided.", + "group_ids": [ + "CSAFGID-1020300" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-14.json b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-14.json new file mode 100644 index 00000000..95dfc57b --- /dev/null +++ b/csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-14.json 
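Review bot: the only products that can fail here are CSAFPID-9080701 and CSAFPID-9080702, which sit in both CSAFGID-1020300 (`optional_patch`) and CSAFGID-1020301 (`mitigation` and `fix_planned`), so the test hinges on `fix_planned` plus `optional_patch` being a contradicting pair; make sure the remediation category prose lists that pair as contradicting, and state in the title or `details` which pair is intended. Also, the mitigation `details` string appears split across two lines after "deactivate the IPv6 stack."; if that line break is really in the file rather than an artefact of the diff rendering, it is not valid JSON and needs `\n` or a single line.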
@@ -0,0 +1,103 @@ +{ + "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json", + "document": { + "category": "csaf_base", + "csaf_version": "2.1", + "distribution": { + "tlp": { + "label": "CLEAR" + } + }, + "publisher": { + "category": "other", + "name": "OASIS CSAF TC", + "namespace": "https://csaf.io" + }, + "title": "Mandatory test: Contradicting Remediations (valid example 4)", + "tracking": { + "current_release_date": "2024-01-24T10:00:00.000Z", + "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-1-35-14", + "initial_release_date": "2024-01-24T10:00:00.000Z", + "revision_history": [ + { + "date": "2024-01-24T10:00:00.000Z", + "number": "1", + "summary": "Initial version." + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "full_product_names": [ + { + "product_id": "CSAFPID-9080700", + "name": "Product A" + }, + { + "product_id": "CSAFPID-9080701", + "name": "Product B" + }, + { + "product_id": "CSAFPID-9080702", + "name": "Product C" + }, + { + "product_id": "CSAFPID-9080703", + "name": "Product D" + } + ], + "product_groups": [ + { + "group_id": "CSAFGID-1020300", + "product_ids": [ + "CSAFPID-9080700", + "CSAFPID-9080701" + ] + }, + { + "group_id": "CSAFGID-1020301", + "product_ids": [ + "CSAFPID-9080702", + "CSAFPID-9080703" + ] + } + ] + }, + "vulnerabilities": [ + { + "product_status": { + "recommended": [ + "CSAFPID-9080700", + "CSAFPID-9080701", + "CSAFPID-9080702", + "CSAFPID-9080703" + ] + }, + "remediations": [ + { + "category": "mitigation", + "details": "Disconnect the product from all networks. Reboot the product and deactivate the IPv6 stack. 
Then reconnect the product to trusted networks only.", + "group_ids": [ + "CSAFGID-1020301" + ] + }, + { + "category": "fix_planned", + "details": "A fix is expected in December 2024.", + "group_ids": [ + "CSAFGID-1020301" + ] + }, + { + "category": "optional_patch", + "details": "Apply the firmware update provided.", + "group_ids": [ + "CSAFGID-1020300" + ] + } + ] + } + ] +} diff --git a/csaf_2.1/test/validator/data/testcases.json b/csaf_2.1/test/validator/data/testcases.json index 30283341..6c159090 100644 --- a/csaf_2.1/test/validator/data/testcases.json +++ b/csaf_2.1/test/validator/data/testcases.json @@ -1039,6 +1039,10 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-03.json", "valid": false + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-04.json", + "valid": false } ], "valid": [ @@ -1053,6 +1057,10 @@ { "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-13.json", "valid": true + }, + { + "name": "mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-35-14.json", + "valid": true } ] }, From 8f3f5215b0af1a69e66f13061dfc1e14623acc85 Mon Sep 17 00:00:00 2001 From: Stefan Hagen Date: Fri, 25 Oct 2024 23:51:47 +0200 Subject: [PATCH 12/14] Nit: changed no ... or ... is to neither ... nor ... are --- csaf_2.1/prose/edit/src/conformance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md index 8f85ec56..5fde3ab1 100644 --- a/csaf_2.1/prose/edit/src/conformance.md +++ b/csaf_2.1/prose/edit/src/conformance.md 
@@ -145,7 +145,7 @@ Secondly, the program fulfills the following for all items of: warning that this CWE has been removed as its usage is not allowed in vulnerability mappings. * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array. * `/vulnerabilities[]/remediations[]`: - * If no `product_ids` or `group_ids` is given, the CVRF CSAF converter appends all Product IDs which are listed under + * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in the arrays `known_affected`, `first_affected` and `last_affected` into `product_ids`. If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element. * The CVRF CSAF converter MUST convert any remediation with the type `Vendor Fix` into the category `optional_patch` if the product in From a47d20cf3d49ff63edc7387a714217aa5559ab23 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 26 Oct 2024 00:17:24 +0200 Subject: [PATCH 13/14] Tests - addresses parts of oasis-tcs/csaf#541 - add missing files to bind.txt --- csaf_2.1/prose/edit/etc/bind.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt index 7179ce2b..946eb837 100644 --- a/csaf_2.1/prose/edit/etc/bind.txt +++ b/csaf_2.1/prose/edit/etc/bind.txt 
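Review bot: with "neither `product_ids` nor `group_ids`" the verb agrees with the nearer subject, and each name denotes a single property, so "is given" is the safer choice; "are given" only reads correctly if the property names are taken as plurals.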
@@ -63,6 +63,9 @@ tests-01-mndtr-30-mixed-integer-and-semantic-versioning.md tests-01-mndtr-31-version-range-in-product-version.md tests-01-mndtr-32-flag-without-product-reference.md tests-01-mndtr-33-multiple-flags-with-vex-justification-codes-per-product.md +tests-01-mndtr-34-branches-recursion-depth.md +tests-01-mndtr-35-contradicting-remediations.md +tests-01-mndtr-36-contradicting-product-status-remediation-combination.md tests-02-optional.md tests-03-informative.md distributing.md From ca7fe943856e4e71dbaddcf8de0b6e53a1366fe6 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Sat, 26 Oct 2024 00:39:09 +0200 Subject: [PATCH 14/14] Remediation categories - addresses review comments from oasis-tcs/csaf#807 - convert unnecessary upper case to lower case --- .../edit/src/tests-01-mndtr-35-contradicting-remediations.md | 4 ++-- ...36-contradicting-product-status-remediation-combination.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md index 64e00eb2..b487b91b 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-35-contradicting-remediations.md @@ -1,7 +1,7 @@ ### Contradicting Remediations -For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of contradicting remediation categories. -This takes indirect relations through Product Groups into account. +For each item in `/vulnerabilities[]/remediations` it MUST be tested that a product is not member of contradicting remediation categories. +This takes indirect relations through product groups into account. The relevant path for this test is: 
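Review bot: while lowercasing this sentence, also add the missing article, "a product is not a member of contradicting remediation categories"; the same sentence in the optional 6.2.27 section added earlier in this series still has the upper-case form and the same missing article, so it should get the identical change.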
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md index 248f4818..d62f26dc 100644 --- a/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md +++ b/csaf_2.1/prose/edit/src/tests-01-mndtr-36-contradicting-product-status-remediation-combination.md @@ -1,7 +1,7 @@ ### Contradicting Product Status Remediation Combination -For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of a contradicting product status group. -This takes indirect relations through Product Groups into account. +For each item in `/vulnerabilities[]/remediations` it MUST be tested that a product is not member of a contradicting product status group. +This takes indirect relations through product groups into account. The relevant path for this test is:
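Review bot: the sentence "a product is not member of a contradicting product status group" describes a check on product status groups alone, which is a different test; the heading and the file name say this test is about the combination of product status group and remediation category, so reword it to "a product is not a member of a product status group that contradicts the remediation category" (which also supplies the missing article).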