csaf-rs 0.5.1

A parser for the CSAF standard written in Rust
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

use crate::csaf::types::csaf_document_category::CsafDocumentCategory;
use crate::csaf_traits::resolve_product_groups;
use crate::csaf_traits::{CsafTrait, DocumentTrait, ProductStatusTrait, VulnerabilityTrait};
use crate::validation::ValidationError;
use crate::validations::utils::document_category_test_config::DocumentCategoryTestConfig;
use std::collections::{HashMap, HashSet};

/// 6.1.27.10 Action Statement
///
/// This test only applies to documents with `/document/category` with value `csaf_vex`.
///
/// Each item in `/vulnerabilities[]/product_status/known_affected` must have a corresponding
/// action statement in `/vulnerabilities[]/remediations`
///
pub fn test_6_1_27_10_action_statement(doc: &impl CsafTrait) -> Result<(), Vec<ValidationError>> {
    let doc_category = doc.get_document().get_category();
    let vulnerabilities = doc.get_vulnerabilities();

    // Only execute this test for documents with category 'csaf_vex'
    // and if there are any vulnerabilities present
    if !PROFILE_TEST_CONFIG.matches_category(&doc_category) || vulnerabilities.is_empty() {
        return Ok(()); // ToDo generate skipped https://github.com/csaf-rs/csaf/issues/409
    }

    let mut errors: Option<Vec<ValidationError>> = None;
    // for each vulnerability
    for (v_i, vulnerability) in vulnerabilities.iter().enumerate() {
        // generate hashmap of all known_affected product or group ids with value of known_not_affected path index
        let mut known_affected_product_or_group_ids: HashMap<String, usize> = HashMap::new();
        if let Some(product_status) = vulnerability.get_product_status()
            && let Some(known_affected) = product_status.get_known_affected()
        {
            for (kna_i, known_affected_entry) in known_affected.enumerate() {
                known_affected_product_or_group_ids.insert(known_affected_entry.to_owned(), kna_i);
            }
        }

        // generate all unique product ids and group ids found in remediations
        let mut found_product_ids: HashSet<String> = HashSet::new();
        let mut found_group_ids: HashSet<String> = HashSet::new();
        found_product_ids.extend(
            vulnerability
                .get_remediations_product_references()
                .iter()
                .map(|(product_id, _)| product_id.to_owned()),
        );
        found_group_ids.extend(
            vulnerability
                .get_remediations_group_references()
                .iter()
                .map(|(group_id, _)| group_id.to_owned()),
        );

        // merge the resolved product ids from group ids into the directly found product ids
        if let Some(resolved_product_ids) = resolve_product_groups(doc, &found_group_ids) {
            found_product_ids.extend(resolved_product_ids.iter().map(|product_id| product_id.to_owned()));
        }

        // remove all found product ids from hashmap
        for product_id in &found_product_ids {
            known_affected_product_or_group_ids.remove(product_id);
        }

        // generate errors for all remaining known_affected product or group ids
        for known_affected_product_or_group_id in &known_affected_product_or_group_ids {
            errors.get_or_insert_default().push(test_6_1_27_10_err_generator(
                known_affected_product_or_group_id.0.clone(),
                v_i,
                *known_affected_product_or_group_id.1,
            ));
        }
    }

    errors.map_or(Ok(()), Err)
}

const PROFILE_TEST_CONFIG: DocumentCategoryTestConfig =
    DocumentCategoryTestConfig::new().shared(&[CsafDocumentCategory::CsafVex]);

fn test_6_1_27_10_err_generator(
    product_or_group_id: String,
    vuln_path_index: usize,
    known_affected_path_index: usize,
) -> ValidationError {
    ValidationError {
        message: format!(
            "No action statement found for 'known_affected' product status entry '{product_or_group_id}'."
        ),
        instance_path: format!(
            "/vulnerabilities/{vuln_path_index}/product_status/known_affected/{known_affected_path_index}"
        ),
    }
}

crate::test_validation::impl_validator!(ValidatorForTest6_1_27_10, test_6_1_27_10_action_statement);

#[cfg(test)]
mod tests {
    use super::*;
    use crate::csaf2_0::testcases::TESTS_2_0;
    use crate::csaf2_1::testcases::TESTS_2_1;

    #[test]
    fn test_test_6_1_27_10() {
        let case_one_product_missing_from_group =
            Err(vec![test_6_1_27_10_err_generator("CSAFPID-9080702".to_string(), 0, 2)]);
        let case_one_product_missing_from_products =
            Err(vec![test_6_1_27_10_err_generator("CSAFPID-9080702".to_string(), 0, 2)]);
        let case_missing_remediation = Err(vec![
            test_6_1_27_10_err_generator("CSAFPID-9080700".to_string(), 0, 0),
            test_6_1_27_10_err_generator("CSAFPID-9080701".to_string(), 0, 1),
            test_6_1_27_10_err_generator("CSAFPID-9080702".to_string(), 0, 2),
        ]);

        TESTS_2_0.test_6_1_27_10.expect(
            case_one_product_missing_from_group.clone(),
            case_missing_remediation.clone(),
            case_one_product_missing_from_products.clone(),
            Ok(()),
            Ok(()),
        );
        TESTS_2_1.test_6_1_27_10.expect(
            case_one_product_missing_from_group,
            case_missing_remediation,
            case_one_product_missing_from_products,
            Ok(()),
            Ok(()),
        );
    }
}