feat(CSAF2.1): added test to recommendedTest_6_1_6.js

Author: bendo-eXX

csaf_2_1/mandatoryTests/mandatoryTest_6_1_6.js

@@ -1,10 +1,60 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          product_status: {
+            additionalProperties: true,
+            optionalProperties: {
+              first_affected: { elements: { type: 'string' } },
+              first_fixed: { elements: { type: 'string' } },
+              fixed: { elements: { type: 'string' } },
+              known_affected: { elements: { type: 'string' } },
+              known_not_affected: { elements: { type: 'string' } },
+              last_affected: { elements: { type: 'string' } },
+              under_investigation: { elements: { type: 'string' } },
+              unknown: { elements: { type: 'string' } },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+
 /**
+ * This implements the mandatory test 6.1.6 of the CSAF 2.1 standard.
+ *
  * @param {any} doc
  */
 export function mandatoryTest_6_1_6(doc) {
-  /** @type {Array<{ message: string; instancePath: string }>} */
-  const errors = []
-  let isValid = true
+  /*
+    The `ctx` variable holds the state that is accumulated during the test ran and is
+    finally returned by the function.
+   */
+  const ctx = {
+    errors:
+      /** @type {Array<{ instancePath: string; message: string }>} */ ([]),
+    isValid: true,
+  }
+
+  if (!validate(doc)) {
+    return ctx
+  }
 
   if (Array.isArray(doc.vulnerabilities)) {
     /** @type {Array<any>} */
@@ -61,8 +111,8 @@ export function mandatoryTest_6_1_6(doc) {
         const remainingGroups = groups.slice(index + 1)
         group.forEach((productID) => {
           if (remainingGroups.some((g) => g.has(productID))) {
-            isValid = false
-            errors.push({
+            ctx.isValid = false
+            ctx.errors.push({
               instancePath: `/vulnerabilities/${vulnerabilityIndex}/product_status`,
               message: `product id "${productID}" is mentioned in contradicting product status groups`,
             })
@@ -72,5 +122,5 @@ export function mandatoryTest_6_1_6(doc) {
     })
   }
 
-  return { isValid, errors }
+  return ctx
 }

tests/csaf_2_1/mandatoryTest_6_1_6.js

@@ -2,14 +2,14 @@ import assert from 'node:assert/strict'
 import { mandatoryTest_6_1_6 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_6.js'
 
 describe('mandatoryTest_6_1_6', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(mandatoryTest_6_1_6({ document: 'mydoc' }).isValid, true)
+  })
+
   it('skip the check if there is no product status', function () {
     assert.equal(
       mandatoryTest_6_1_6({
-        vulnerabilities: [
-          {
-            metrics: [],
-          },
-        ],
+        vulnerabilities: [{}],
       }).isValid,
       true
     )