csaf-rs 0.5.0

A parser for the CSAF standard written in Rust
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

use crate::csaf::types::csaf_document_category::CsafDocumentCategory;
use crate::csaf_traits::resolve_product_groups;
use crate::csaf_traits::{
    CsafTrait, DocumentTrait, ProductStatusTrait, ThreatTrait, VulnerabilityTrait, WithOptionalGroupIds,
    WithOptionalProductIds,
};
use crate::schema::csaf2_1::schema::CategoryOfTheThreat;
use crate::validation::ValidationError;
use crate::validations::utils::document_category_test_config::DocumentCategoryTestConfig;
use std::collections::{HashMap, HashSet};

/// 6.1.27.9 Impact Statement
///
/// This test only applies to documents with `/document/category` with value `csaf_vex`.
///
/// Each item in `/vulnerabilities[]/product_status/known_not_affected` must have a corresponding
/// impact statement in `/vulnerabilities[]/flags` or `/vulnerabilities[]/threats`. For impact statements under
/// `threats`, the category must be `impact`.
pub fn test_6_1_27_09_impact_statement(doc: &impl CsafTrait) -> Result<(), Vec<ValidationError>> {
    let doc_category = doc.get_document().get_category();
    let vulnerabilities = doc.get_vulnerabilities();

    // Only execute this test for documents with category 'csaf_vex'
    // and if there are any vulnerabilities present
    if !PROFILE_TEST_CONFIG.matches_category(&doc_category) || vulnerabilities.is_empty() {
        return Ok(()); // ToDo generate skipped https://github.com/csaf-rs/csaf/issues/409
    }

    let mut errors: Option<Vec<ValidationError>> = None;
    // for each vulnerability
    for (v_i, vulnerability) in vulnerabilities.iter().enumerate() {
        // generate hashmap of all known_not_affected product or group ids with value of known_not_affected path index
        let mut known_not_affected_product_or_group_ids: HashMap<String, usize> = HashMap::new();
        if let Some(product_status) = vulnerability.get_product_status()
            && let Some(known_not_affected) = product_status.get_known_not_affected()
        {
            for (kna_i, known_not_affected_entry) in known_not_affected.enumerate() {
                known_not_affected_product_or_group_ids.insert(known_not_affected_entry.to_owned(), kna_i);
            }
        }

        // generate all unique product ids and group ids found in flags and threats with category impact
        let mut found_product_ids: HashSet<String> = HashSet::new();
        let mut found_group_ids: HashSet<String> = HashSet::new();

        // gather from flags
        found_group_ids.extend(
            vulnerability
                .get_flags_group_references()
                .iter()
                .map(|(group_id, _)| group_id.to_owned()),
        );
        found_product_ids.extend(
            vulnerability
                .get_flags_product_references()
                .iter()
                .map(|(product_id, _)| product_id.to_owned()),
        );

        // gather from threats with category impact
        for threat in vulnerability.get_threats() {
            if threat.get_category() == CategoryOfTheThreat::Impact {
                if let Some(group_ids) = threat.get_group_ids() {
                    found_group_ids.extend(group_ids.map(|group_id| group_id.to_owned()));
                }
                if let Some(product_ids) = threat.get_product_ids() {
                    found_product_ids.extend(product_ids.map(|product_id| product_id.to_owned()));
                }
            }
        }

        // merge the resolved product ids from group ids into the directly found product ids
        if let Some(resolved_product_ids) = resolve_product_groups(doc, &found_group_ids) {
            found_product_ids.extend(resolved_product_ids.iter().map(|product_id| product_id.to_owned()));
        }

        // remove all found product ids from known_not_affected_product_or_group_ids
        for product_id in &found_product_ids {
            known_not_affected_product_or_group_ids.remove(product_id);
        }

        // generate errors for all remaining known_not_affected product or group ids
        for known_not_affected_group_id in &known_not_affected_product_or_group_ids {
            errors.get_or_insert_default().push(test_6_1_27_09_err_generator(
                known_not_affected_group_id.0.clone(),
                v_i,
                *known_not_affected_group_id.1,
            ));
        }
    }

    errors.map_or(Ok(()), Err)
}

const PROFILE_TEST_CONFIG: DocumentCategoryTestConfig =
    DocumentCategoryTestConfig::new().shared(&[CsafDocumentCategory::CsafVex]);

fn test_6_1_27_09_err_generator(
    product_or_group_id: String,
    vuln_path_index: usize,
    known_not_affected_path_index: usize,
) -> ValidationError {
    ValidationError {
        message: format!(
            "No impact statement found for 'known_not_affected' product status entry '{product_or_group_id}'."
        ),
        instance_path: format!(
            "/vulnerabilities/{vuln_path_index}/product_status/known_not_affected/{known_not_affected_path_index}"
        ),
    }
}

crate::test_validation::impl_validator!(ValidatorForTest6_1_27_9, test_6_1_27_09_impact_statement);

#[cfg(test)]
mod tests {
    use super::*;
    use crate::csaf2_0::testcases::TESTS_2_0;
    use crate::csaf2_1::testcases::TESTS_2_1;

    #[test]
    fn test_test_6_1_27_09() {
        let case_group_covered_by_threats =
            Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080702".to_string(), 0, 2)]);
        let case_group_covered_by_flag = Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080702".to_string(), 0, 2)]);
        let case_products_covered_by_threats =
            Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080700".to_string(), 0, 0)]);
        let case_products_covered_by_flags =
            Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080700".to_string(), 0, 0)]);
        let case_products_covered_by_flags_or_threats =
            Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080700".to_string(), 0, 0)]);
        let case_one_not_covered_with_multiple_vulnerabilities =
            Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080701".to_string(), 1, 1)]);
        let case_one_not_covered_by_threat_with_wrong_category =
            Err(vec![test_6_1_27_09_err_generator("CSAFPID-9080702".to_string(), 0, 2)]);

        TESTS_2_0.test_6_1_27_9.expect(
            case_group_covered_by_threats.clone(),
            case_group_covered_by_flag.clone(),
            case_products_covered_by_threats.clone(),
            case_products_covered_by_flags.clone(),
            case_products_covered_by_flags_or_threats.clone(),
            case_one_not_covered_with_multiple_vulnerabilities.clone(),
            case_one_not_covered_by_threat_with_wrong_category.clone(),
            Ok(()),
            Ok(()),
            Ok(()),
            Ok(()),
            Ok(()),
            Ok(()),
        );
        TESTS_2_1.test_6_1_27_9.expect(
            case_group_covered_by_threats,
            case_group_covered_by_flag,
            case_products_covered_by_threats,
            case_products_covered_by_flags,
            case_products_covered_by_flags_or_threats,
            case_one_not_covered_with_multiple_vulnerabilities,
            case_one_not_covered_by_threat_with_wrong_category,
            Ok(()),
            Ok(()),
            Ok(()),
            Ok(()),
            Ok(()),
            Ok(()),
        );
    }
}