csaf-rs 0.5.0

A parser for the CSAF standard written in Rust
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

use crate::csaf_traits::{CsafTrait, MetricTrait, ProductStatusTrait, VulnerabilityTrait};
use crate::validation::ValidationError;
use std::collections::HashSet;

fn create_missing_metric_error(
    vulnerability_index: usize,
    status_group_name: &str,
    status_group_product_index: usize,
    product_id: &str,
) -> ValidationError {
    ValidationError {
        message: format!(
            "Missing at least one metric for product ID '{product_id}' in product status group '{status_group_name}'",
        ),
        instance_path: format!(
            "/vulnerabilities/{vulnerability_index}/product_status/{status_group_name}/{status_group_product_index}"
        ),
    }
}

fn check_product_status_group_for_missing_metrics<'a>(
    errors: &mut Option<Vec<ValidationError>>,
    status_group_product_ids: impl Iterator<Item = &'a str>,
    remediation_product_ids: &HashSet<String>,
    vulnerability_index: usize,
    status_group_name: &str,
) {
    // for each product ID in the status group, check if a metric exists
    // if not, generate an error
    for (sg_p_i, product_id) in status_group_product_ids.enumerate() {
        if !remediation_product_ids.contains(product_id) {
            errors.get_or_insert_default().push(create_missing_metric_error(
                vulnerability_index,
                status_group_name,
                sg_p_i,
                product_id,
            ));
        }
    }
}

/// 6.2.3 Missing Metric
///
/// For each product in status groups "affected", a metric must exist.
pub fn test_6_2_03_missing_metric(doc: &impl CsafTrait) -> Result<(), Vec<ValidationError>> {
    let mut errors: Option<Vec<ValidationError>> = None;

    // for each vulnerability
    for (v_i, vuln) in doc.get_vulnerabilities().iter().enumerate() {
        // if there are product statuses
        if let Some(product_status) = vuln.get_product_status() {
            // check if there are products with the relevant product status groups
            if product_status.get_first_affected().is_none()
                && product_status.get_known_affected().is_none()
                && product_status.get_last_affected().is_none()
            {
                continue;
            }

            // collect all product IDs referenced in metrics
            let mut metric_product_ids = HashSet::<String>::new();
            if let Some(metrics) = vuln.get_metrics() {
                for metric in metrics {
                    for product_id in metric.get_products() {
                        metric_product_ids.insert(product_id.to_owned());
                    }
                }
            }

            // check each relevant product status group for missing metrics
            if let Some(first_affected) = product_status.get_first_affected() {
                check_product_status_group_for_missing_metrics(
                    &mut errors,
                    first_affected,
                    &metric_product_ids,
                    v_i,
                    "first_affected",
                );
            }
            if let Some(known_affected) = product_status.get_known_affected() {
                check_product_status_group_for_missing_metrics(
                    &mut errors,
                    known_affected,
                    &metric_product_ids,
                    v_i,
                    "known_affected",
                );
            }
            if let Some(last_affected) = product_status.get_last_affected() {
                check_product_status_group_for_missing_metrics(
                    &mut errors,
                    last_affected,
                    &metric_product_ids,
                    v_i,
                    "last_affected",
                );
            }
        }
    }

    errors.map_or(Ok(()), Err)
}

crate::test_validation::impl_validator!(ValidatorForTest6_2_3, test_6_2_03_missing_metric);

#[cfg(test)]
mod tests {
    use super::*;
    use crate::csaf2_0::testcases::TESTS_2_0;
    use crate::csaf2_1::testcases::TESTS_2_1;

    #[test]
    fn test_test_6_2_03() {
        let case_01 = Err(vec![create_missing_metric_error(
            0,
            "first_affected",
            0,
            "CSAFPID-9080700",
        )]);

        // Both CSAF 2.0 and 2.1 have 2 test cases
        TESTS_2_0.test_6_2_3.expect(case_01.clone());
        TESTS_2_1.test_6_2_3.expect(case_01);
    }
}