secvisogram · domachine · Feb 19, 2025
diff --git a/csaf_2_1/mandatoryTests.js b/csaf_2_1/mandatoryTests.js
@@ -9,7 +9,6 @@ export {
   mandatoryTest_6_1_8,
   mandatoryTest_6_1_9,
   mandatoryTest_6_1_10,
-  mandatoryTest_6_1_11,
   mandatoryTest_6_1_12,
   mandatoryTest_6_1_13,
   mandatoryTest_6_1_14,
@@ -43,4 +42,5 @@ export {
   mandatoryTest_6_1_32,
   mandatoryTest_6_1_33,
 } from '../mandatoryTests.js'
+export { mandatoryTest_6_1_11 } from './mandatoryTests/mandatoryTest_6_1_11.js'
 export { mandatoryTest_6_1_34 } from './mandatoryTests/mandatoryTest_6_1_34.js'
diff --git a/csaf_2_1/mandatoryTests/mandatoryTest_6_1_11.js b/csaf_2_1/mandatoryTests/mandatoryTest_6_1_11.js
@@ -0,0 +1,96 @@
+import Ajv from 'ajv/dist/jtd.js'
+import { cwecMap } from '../../lib/cwec.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        properties: {
+          cwes: {
+            elements: {
+              additionalProperties: true,
+              properties: {},
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+const cweSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    id: { type: 'string' },
+    version: { type: 'string' },
+    name: { type: 'string' },
+  },
+})
+
+const validateCWE = ajv.compile(cweSchema)
+
+/**
+ * This implements the mandatory test 6.1.11 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export async function mandatoryTest_6_1_11(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const errors = []
+  let isValid = true
+
+  if (!validateInput(doc)) {
+    return { errors, isValid }
+  }
+
+  for (let i = 0; i < doc.vulnerabilities.length; ++i) {
+    const vulnerability = doc.vulnerabilities[i]
+    for (let j = 0; j < vulnerability.cwes.length; ++j) {
+      const cwe = vulnerability.cwes.at(i)
+      if (validateCWE(cwe)) {
+        const cwec = cwecMap.get(cwe.version)
+        if (!cwec) {
+          isValid = false
+          errors.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/version`,
+            message: 'no such cwe version is recognized',
+          })
+          continue
+        }
+        const entry = (await cwec()).default.weaknesses.find(
+          (w) => w.id === cwe.id
+        )
+        if (!entry) {
+          isValid = false
+          errors.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/id`,
+            message: 'no weakness with this id is recognized',
+          })
+          continue
+        }
+        if (entry.name !== cwe.name) {
+          isValid = false
+          errors.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/name`,
+            message: 'the name does not match the weakness with the given id',
+          })
+          continue
+        }
+      }
+    }
+  }
+
+  return { isValid, errors }
+}
diff --git a/lib/cwec.js b/lib/cwec.js
@@ -0,0 +1,53 @@
+export const cwecMap = new Map([
+  ['4.15', () => import('./cwec/4.15.js')],
+  ['4.14', () => import('./cwec/4.14.js')],
+  ['4.13', () => import('./cwec/4.13.js')],
+  ['4.12', () => import('./cwec/4.12.js')],
+  ['4.11', () => import('./cwec/4.11.js')],
+  ['4.10', () => import('./cwec/4.10.js')],
+  ['4.9', () => import('./cwec/4.9.js')],
+  ['4.8', () => import('./cwec/4.8.js')],
+  ['4.7', () => import('./cwec/4.7.js')],
+  ['4.6', () => import('./cwec/4.6.js')],
+  ['4.5', () => import('./cwec/4.5.js')],
+  ['4.4', () => import('./cwec/4.4.js')],
+  ['4.3', () => import('./cwec/4.3.js')],
+  ['4.2', () => import('./cwec/4.2.js')],
+  ['4.1', () => import('./cwec/4.1.js')],
+  ['4.0', () => import('./cwec/4.0.js')],
+  ['3.4.1', () => import('./cwec/3.4.1.js')],
+  ['3.4', () => import('./cwec/3.4.js')],
+  ['3.3', () => import('./cwec/3.3.js')],
+  ['3.2', () => import('./cwec/3.2.js')],
+  ['3.1', () => import('./cwec/3.1.js')],
+  ['3.0', () => import('./cwec/3.0.js')],
+  ['2.12', () => import('./cwec/2.12.js')],
+  ['2.11', () => import('./cwec/2.11.js')],
+  ['2.10', () => import('./cwec/2.10.js')],
+  ['2.9', () => import('./cwec/2.9.js')],
+  ['2.8', () => import('./cwec/2.8.js')],
+  ['2.7', () => import('./cwec/2.7.js')],
+  ['2.6', () => import('./cwec/2.6.js')],
+  ['2.5', () => import('./cwec/2.5.js')],
+  ['2.4', () => import('./cwec/2.4.js')],
+  ['2.3', () => import('./cwec/2.3.js')],
+  ['2.2', () => import('./cwec/2.2.js')],
+  ['2.1', () => import('./cwec/2.1.js')],
+  ['2.0', () => import('./cwec/2.0.js')],
+  ['1.13', () => import('./cwec/1.13.js')],
+  ['1.12', () => import('./cwec/1.12.js')],
+  ['1.11', () => import('./cwec/1.11.js')],
+  ['1.10', () => import('./cwec/1.10.js')],
+  ['1.9', () => import('./cwec/1.9.js')],
+  ['1.8.1', () => import('./cwec/1.8.1.js')],
+  ['1.8', () => import('./cwec/1.8.js')],
+  ['1.7', () => import('./cwec/1.7.js')],
+  ['1.6', () => import('./cwec/1.6.js')],
+  ['1.5', () => import('./cwec/1.5.js')],
+  ['1.4', () => import('./cwec/1.4.js')],
+  ['1.3', () => import('./cwec/1.3.js')],
+  ['1.2', () => import('./cwec/1.2.js')],
+  ['1.1', () => import('./cwec/1.1.js')],
+  ['1.0.1', () => import('./cwec/1.0.1.js')],
+  ['1.0', () => import('./cwec/1.0.js')],
+])