feat(CSAF2.1): add recommendedTest_6_2_11.js

Author: bendo-eXX

README.md

@@ -338,7 +338,6 @@ The following tests are not yet implemented and therefore missing:
 
 **Recommended Tests**
 
-- Recommended Test 6.2.11
 - Recommended Test 6.2.19
 - Recommended Test 6.2.20
 - Recommended Test 6.2.21
@@ -454,6 +453,7 @@ export const recommendedTest_6_2_7: DocumentTest
 export const recommendedTest_6_2_8: DocumentTest
 export const recommendedTest_6_2_9: DocumentTest
 export const recommendedTest_6_2_10: DocumentTest
+export const recommendedTest_6_2_11: DocumentTest
 export const recommendedTest_6_2_12: DocumentTest
 export const recommendedTest_6_2_13: DocumentTest
 export const recommendedTest_6_2_14: DocumentTest

csaf_2_1/recommendedTests/recommendedTest_6_2_11.js

@@ -1,8 +1,104 @@
-import { optionalTest_6_2_11 } from '../../optionalTests.js'
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        references: {
+          elements: {
+            additionalProperties: true,
+            optionalProperties: {
+              category: { type: 'string' },
+              url: { type: 'string' },
+            },
+          },
+        },
+        tracking: {
+          additionalProperties: true,
+          optionalProperties: {
+            id: { type: 'string' },
+          },
+        },
+      },
+    },
+  },
+})
+const validateInput = ajv.compile(inputSchema)
 
 /**
- * @param {unknown} doc
+ * Test for the optional test 6.2.11
+ * @param {any} doc
  */
 export function recommendedTest_6_2_11(doc) {
-  return optionalTest_6_2_11(doc)
+  const ctx = {
+    warnings:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  const trackingId = doc.document.tracking.id
+  if (!trackingId) {
+    return ctx
+  }
+
+  const filename = transformTrackingIdToFilename(trackingId)
+
+  const selfReferences =
+    doc.document.references
+      ?.map((reference, index) => ({ ...reference, index }))
+      .filter((ref) => ref.category === 'self') ?? []
+
+  if (selfReferences.length === 0) {
+    return ctx
+  }
+
+  const hasValidSelfReference = selfReferences.some((reference) => {
+    const url = reference.url || ''
+    return (
+      typeof url === 'string' &&
+      url.startsWith('https://') &&
+      url.endsWith(filename)
+    )
+  })
+
+  if (hasValidSelfReference) {
+    return ctx
+  }
+
+  selfReferences.forEach((reference) => {
+    const url = reference.url || ''
+    const referenceIndex = reference.index
+
+    if (
+      typeof url !== 'string' ||
+      !url.startsWith('https://') ||
+      !url.endsWith(filename)
+    ) {
+      ctx.warnings.push({
+        instancePath: `/document/references/${referenceIndex}/url`,
+        message:
+          'The reference category is "self", but the URL does not fulfill the requirements of a valid filename for a CSAF document.',
+      })
+    }
+  })
+
+  return ctx
+}
+
+/** * Transforms a tracking ID into a filename.
+ *
+ * @param {string} trackingId
+ * @returns {string} filename
+ */
+function transformTrackingIdToFilename(trackingId) {
+  const lowerCase = trackingId.toLowerCase()
+  const replacedString = lowerCase.replace(/[^+\-a-z0-9]+/g, '_')
+  return replacedString + '.json'
 }

tests/csaf_2_1/oasis.js

@@ -39,7 +39,6 @@ const excluded = [
   '6.1.53',
   '6.1.54',
   '6.1.55',
-  '6.2.11',
   '6.2.19',
   '6.2.20',
   '6.2.21',

tests/csaf_2_1/recommendedTest_6_2_11.js

@@ -0,0 +1,80 @@
+import assert from 'node:assert'
+import { recommendedTest_6_2_11 } from '../../csaf_2_1/recommendedTests.js'
+
+describe('recommendedTest_6_2_11', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(
+      recommendedTest_6_2_11({ vulnerabilities: 'mydoc' }).warnings.length,
+      0
+    )
+  })
+
+  it('skips documents with empty tracking id', function () {
+    assert.equal(
+      recommendedTest_6_2_11({
+        document: {
+          references: [
+            {
+              category: 'self',
+              url: 'https://example.com/security/data/csaf/2024/oasis_csaf_tc-csaf_2.1-2024-6-2-11-01_1.json',
+            },
+          ],
+          tracking: { id: '' },
+        },
+      }).warnings.length,
+      0
+    )
+  })
+
+  it('skips reference without self references', function () {
+    assert.equal(
+      recommendedTest_6_2_11({
+        document: {
+          references: [
+            {
+              category: 'external',
+              url: 'https://example.com/security/data/csaf/2024/oasis_csaf_tc-csaf_2.1-2024-6-2-11-01_1.json',
+            },
+          ],
+          tracking: { id: 'OASIS_CSAF_TC-CSAF_2.1-2024-6-2-11-01' },
+        },
+      }).warnings.length,
+      0
+    )
+  })
+
+  it('should warn when self reference has empty url', function () {
+    assert.equal(
+      recommendedTest_6_2_11({
+        document: {
+          references: [
+            {
+              category: 'self',
+              url: '',
+            },
+          ],
+          tracking: { id: 'OASIS_CSAF_TC-CSAF_2.1-2024-6-2-11-01' },
+        },
+      }).warnings.length,
+      1
+    )
+  })
+
+  it('skips empty reference', function () {
+    assert.equal(
+      recommendedTest_6_2_11({
+        document: {
+          references: [
+            {},
+            {
+              category: 'self',
+              url: 'https://example.com/security/data/csaf/2024/oasis_csaf_tc-csaf_2.1-2024-6-2-11-01_1.json',
+            },
+          ],
+          tracking: { id: 'OASIS_CSAF_TC-CSAF_2.1-2024-6-2-11-01' },
+        },
+      }).warnings.length,
+      1
+    )
+  })
+})