feat(CSAF2.1): add mandatory Test 6.1.6

bendo-eXX · bendo-eXX · commit 27c29b2c260e · 2025-07-30T13:09:23.000+02:00
diff --git a/README.md b/README.md
@@ -311,7 +311,6 @@ The following tests are not yet implemented and therefore missing:
 
 **Mandatory Tests**
 
-- Mandatory Test 6.1.6
 - Mandatory Test 6.1.14
 - Mandatory Test 6.1.16
 - Mandatory Test 6.1.26
@@ -394,6 +393,7 @@ export const mandatoryTest_6_1_2: DocumentTest
 export const mandatoryTest_6_1_3: DocumentTest
 export const mandatoryTest_6_1_4: DocumentTest
 export const mandatoryTest_6_1_5: DocumentTest
+export const mandatoryTest_6_1_6: DocumentTest
 export const mandatoryTest_6_1_7: DocumentTest
 export const mandatoryTest_6_1_8: DocumentTest
 export const mandatoryTest_6_1_9: DocumentTest
diff --git a/csaf_2_1/mandatoryTests.js b/csaf_2_1/mandatoryTests.js
@@ -3,7 +3,6 @@ export {
   mandatoryTest_6_1_3,
   mandatoryTest_6_1_4,
   mandatoryTest_6_1_5,
-  mandatoryTest_6_1_6,
   mandatoryTest_6_1_12,
   mandatoryTest_6_1_15,
   mandatoryTest_6_1_17,
@@ -35,6 +34,7 @@ export {
   mandatoryTest_6_1_33,
 } from '../mandatoryTests.js'
 export { mandatoryTest_6_1_1 } from './mandatoryTests/mandatoryTest_6_1_1.js'
+export { mandatoryTest_6_1_6 } from './mandatoryTests/mandatoryTest_6_1_6.js'
 export { mandatoryTest_6_1_7 } from './mandatoryTests/mandatoryTest_6_1_7.js'
 export { mandatoryTest_6_1_8 } from './mandatoryTests/mandatoryTest_6_1_8.js'
 export { mandatoryTest_6_1_9 } from './mandatoryTests/mandatoryTest_6_1_9.js'
diff --git a/csaf_2_1/mandatoryTests/mandatoryTest_6_1_6.js b/csaf_2_1/mandatoryTests/mandatoryTest_6_1_6.js
@@ -0,0 +1,76 @@
+/**
+ * @param {any} doc
+ */
+export function mandatoryTest_6_1_6(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const errors = []
+  let isValid = true
+
+  if (Array.isArray(doc.vulnerabilities)) {
+    /** @type {Array<any>} */
+    const vulnerabilities = doc.vulnerabilities
+    vulnerabilities.forEach((vulnerability, vulnerabilityIndex) => {
+      const productStatus = vulnerability.product_status
+      if (!productStatus) return
+      const groups = [
+        new Set(
+          []
+            .concat(
+              Array.isArray(productStatus.first_affected)
+                ? productStatus.first_affected
+                : []
+            )
+            .concat(
+              Array.isArray(productStatus.known_affected)
+                ? productStatus.known_affected
+                : []
+            )
+            .concat(
+              Array.isArray(productStatus.last_affected)
+                ? productStatus.last_affected
+                : []
+            )
+        ),
+        new Set(
+          Array.isArray(productStatus.known_not_affected)
+            ? productStatus.known_not_affected
+            : []
+        ),
+        new Set(
+          []
+            .concat(
+              Array.isArray(productStatus.first_fixed)
+                ? productStatus.first_fixed
+                : []
+            )
+            .concat(
+              Array.isArray(productStatus.fixed) ? productStatus.fixed : []
+            )
+        ),
+        new Set(
+          Array.isArray(productStatus.under_investigation)
+            ? productStatus.under_investigation
+            : []
+        ),
+        new Set(
+          Array.isArray(productStatus.unknown) ? productStatus.unknown : []
+        ),
+      ]
+
+      groups.forEach((group, index) => {
+        const remainingGroups = groups.slice(index + 1)
+        group.forEach((productID) => {
+          if (remainingGroups.some((g) => g.has(productID))) {
+            isValid = false
+            errors.push({
+              instancePath: `/vulnerabilities/${vulnerabilityIndex}/product_status`,
+              message: `product id "${productID}" is mentioned in contradicting product status groups`,
+            })
+          }
+        })
+      })
+    })
+  }
+
+  return { isValid, errors }
+}
diff --git a/tests/csaf_2_1/mandatoryTest_6_1_6.js b/tests/csaf_2_1/mandatoryTest_6_1_6.js
@@ -0,0 +1,17 @@
+import assert from 'node:assert/strict'
+import { mandatoryTest_6_1_6 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_6.js'
+
+describe('mandatoryTest_6_1_6', function () {
+  it('skip the check if there is no product status', function () {
+    assert.equal(
+      mandatoryTest_6_1_6({
+        vulnerabilities: [
+          {
+            metrics: [],
+          },
+        ],
+      }).isValid,
+      true
+    )
+  })
+})
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -10,7 +10,6 @@ import * as mandatory from '../../csaf_2_1/mandatoryTests.js'
   Once all tests are implemented for CSAF 2.1 this should be deleted.
  */
 const excluded = [
-  '6.1.6',
   '6.1.14',
   '6.1.16',
   '6.1.26',
