csaf-poc · milux · Mar 28, 2025 · Mar 25, 2025 · Mar 26, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/csaf-lib/Cargo.toml b/csaf-lib/Cargo.toml
@@ -8,6 +8,7 @@ regress = "0.10.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 chrono = { version = "0.4.38", features = ["serde"] }
+regex = "1.11.1"
 
 [build-dependencies]
 schemars = "0.8.21"

diff --git a/csaf-lib/build.rs b/csaf-lib/build.rs
@@ -32,7 +32,10 @@ fn main() -> Result<(), BuildError> {
 
 fn build(input: &str, output: &str) -> Result<(), BuildError> {
     let content = fs::read_to_string(input)?;
-    let schema = serde_json::from_str::<schemars::schema::RootSchema>(&content)?;
+    let mut schema_value = serde_json::from_str(&content)?;
+    // Recursively search for "format": "date-time" and replace with something else
+    remove_datetime_formats(&mut schema_value);
+    let schema = serde_json::from_value::<schemars::schema::RootSchema>(schema_value)?;
 
     let mut type_space = TypeSpace::new(TypeSpaceSettings::default().with_struct_builder(true));
     type_space.add_root_schema(schema)?;
@@ -43,3 +46,23 @@ fn build(input: &str, output: &str) -> Result<(), BuildError> {
     out_file.push(output);
     Ok(fs::write(out_file, content)?)
 }
+
+fn remove_datetime_formats(value: &mut serde_json::Value) {
+    if let serde_json::Value::Object(map) = value {
+        if let Some(format) = map.get("format") {
+            if format.as_str() == Some("date-time") {
+                // Remove the format property entirely
+                map.remove("format");
+            }
+        }
+
+        // Recursively process all values in the object
+        for (_, v) in map.iter_mut() {
+            remove_datetime_formats(v);
+        }
+    } else if let serde_json::Value::Array(arr) = value {
+        for item in arr.iter_mut() {
+            remove_datetime_formats(item);
+        }
+    }
+}
diff --git a/csaf-lib/src/csaf/csaf2_0/getter_implementations.rs b/csaf-lib/src/csaf/csaf2_0/getter_implementations.rs
@@ -1,10 +1,9 @@
-use crate::csaf::csaf2_0::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, FullProductNameT, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Threat, Vulnerability};
-use crate::csaf::csaf2_1::schema::CategoryOfTheRemediation as Remediation21;
-use crate::csaf::getter_traits::{BranchTrait, CsafTrait, FullProductNameTrait, MetricTrait, ProductGroupTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, ThreatTrait, VulnerabilityTrait};
+use crate::csaf::csaf2_0::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, DocumentGenerator, DocumentLevelMetaData, Flag, FullProductNameT, Involvement, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, Threat, Tracking, Vulnerability};
+use crate::csaf::csaf2_1::schema::{CategoryOfTheRemediation as Remediation21};
+use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DocumentTrait, FlagTrait, FullProductNameTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, ThreatTrait, TrackingTrait, VulnerabilityTrait};
 use std::ops::Deref;
 
 impl RemediationTrait for Remediation {
-
     /// Normalizes the remediation categories from CSAF 2.0 to those of CSAF 2.1.
     ///
     /// # Explanation
@@ -25,58 +24,72 @@ impl RemediationTrait for Remediation {
         }
     }
 
-    fn get_product_ids(&self) -> Option<Vec<&String>> {
-        self.product_ids.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_product_ids(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.product_ids.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
+    }
+
+    fn get_group_ids(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.group_ids.as_ref().map(|g| (*g).iter().map(|x| x.deref()))
     }
 
-    fn get_group_ids(&self) -> Option<Vec<&String>> {
-        self.group_ids.as_ref().map(|g| (*g).iter().map(|x| x.deref()).collect())
+    fn get_date(&self) -> &Option<String> {
+        &self.date
     }
 }
 
 impl ProductStatusTrait for ProductStatus {
-    fn get_first_affected(&self) -> Option<Vec<&String>> {
-        self.first_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_first_affected(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.first_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_first_fixed(&self) -> Option<Vec<&String>> {
-        self.first_fixed.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_first_fixed(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.first_fixed.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_fixed(&self) -> Option<Vec<&String>> {
-        self.fixed.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_fixed(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.fixed.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_known_affected(&self) -> Option<Vec<&String>> {
-        self.known_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_known_affected(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.known_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_known_not_affected(&self) -> Option<Vec<&String>> {
-        self.known_not_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_known_not_affected(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.known_not_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_last_affected(&self) -> Option<Vec<&String>> {
-        self.last_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_last_affected(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.last_affected.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_recommended(&self) -> Option<Vec<&String>> {
-        self.recommended.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_recommended(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.recommended.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 
-    fn get_under_investigation(&self) -> Option<Vec<&String>> {
-        self.under_investigation.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_under_investigation(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.under_investigation.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
     }
 }
 
 impl MetricTrait for () {
-    fn get_products(&self) -> Vec<&String> {
-        panic!("Metrics are not implemented in CSAF 2.0")
+    //noinspection RsConstantConditionIf
+    fn get_products(&self) -> impl Iterator<Item = &String> + '_ {
+        // This construction is required to satisfy compiler checks
+        // and still panic if this is ever called (as this would be a clear error!).
+        if true {
+            panic!("Metrics are not implemented in CSAF 2.0");
+        }
+        std::iter::empty()
     }
 }
 
 impl ThreatTrait for Threat {
-    fn get_product_ids(&self) -> Option<Vec<&String>> {
-        self.product_ids.as_ref().map(|p| (*p).iter().map(|x| x.deref()).collect())
+    fn get_product_ids(&self) -> Option<impl Iterator<Item = &String> + '_> {
+        self.product_ids.as_ref().map(|p| (*p).iter().map(|x| x.deref()))
+    }
+
+    fn get_date(&self) -> &Option<String> {
+        &self.date
     }
 }
 
@@ -86,35 +99,117 @@ impl VulnerabilityTrait for Vulnerability {
     // Metrics are not implemented in CSAF 2.0
     type MetricType = ();
     type ThreatType = Threat;
+    type FlagType = Flag;
+    type InvolvementType = Involvement;
 
-    fn get_remediations(&self) -> Vec<Self::RemediationType> {
-        self.remediations.clone()
+    fn get_remediations(&self) -> &Vec<Self::RemediationType> {
+        &self.remediations
     }
 
-    fn get_product_status(&self) -> Option<Self::ProductStatusType> {
-        self.product_status.clone()
+    fn get_product_status(&self) -> &Option<Self::ProductStatusType> {
+        &self.product_status
     }
 
-    fn get_metrics(&self) -> Option<Vec<Self::MetricType>> {
+    fn get_metrics(&self) -> &Option<Vec<Self::MetricType>> {
         // Metrics are not implemented in CSAF 2.0
-        None
+        &None
+    }
+
+    fn get_threats(&self) -> &Vec<Self::ThreatType> {
+        &self.threats
+    }
+
+    fn get_release_date(&self) -> &Option<String> {
+        &self.release_date
+    }
+
+    fn get_discovery_date(&self) -> &Option<String> {
+        &self.discovery_date
+    }
+
+    fn get_flags(&self) -> &Option<Vec<Self::FlagType>> {
+        &self.flags
     }
 
-    fn get_threats(&self) -> Vec<Self::ThreatType> {
-        self.threats.clone()
+    fn get_involvements(&self) -> &Option<Vec<Self::InvolvementType>> {
+        &self.involvements
+    }
+}
+
+impl FlagTrait for Flag {
+    fn get_date(&self) -> &Option<String> {
+        &self.date
+    }
+}
+
+impl InvolvementTrait for Involvement {
+    fn get_date(&self) -> &Option<String> {
+        &self.date
     }
 }
 
 impl CsafTrait for CommonSecurityAdvisoryFramework {
     type VulnerabilityType = Vulnerability;
     type ProductTreeType = ProductTree;
+    type DocumentType = DocumentLevelMetaData;
+
+    fn get_product_tree(&self) -> &Option<Self::ProductTreeType> {
+        &self.product_tree
+    }
 
-    fn get_product_tree(&self) -> Option<Self::ProductTreeType> {
-        self.product_tree.clone()
+    fn get_vulnerabilities(&self) -> &Vec<Self::VulnerabilityType> {
+        &self.vulnerabilities
     }
 
-    fn get_vulnerabilities(&self) -> Vec<Self::VulnerabilityType> {
-        self.vulnerabilities.clone()
+    fn get_document(&self) -> &Self::DocumentType {
+        &self.document
+    }
+}
+
+impl DocumentTrait for DocumentLevelMetaData {
+    type TrackingType = Tracking;
+
+    fn get_tracking(&self) -> &Self::TrackingType {
+        &self.tracking
+    }
+}
+
+impl TrackingTrait for Tracking {
+    type GeneratorType = DocumentGenerator;
+    type RevisionType = Revision;
+
+    fn get_current_release_date(&self) -> &String {
+        &self.current_release_date
+    }
+
+    fn get_initial_release_date(&self) -> &String {
+        &self.initial_release_date
+    }
+
+    fn get_generator(&self) -> &Option<Self::GeneratorType> {
+        &self.generator
+    }
+
+    fn get_revision_history(&self) -> &Vec<Self::RevisionType> {
+        &self.revision_history
+    }
+}
+
+impl GeneratorTrait for DocumentGenerator {
+    fn get_date(&self) -> &Option<String> {
+        &self.date
+    }
+}
+
+impl RevisionTrait for Revision {
+    fn get_date(&self) -> &String {
+        &self.date
+    }
+    fn get_number(&self) -> &String {
+        &self.number
+    }
+    fn get_summary(&self) -> &String {
+        &self.summary
     }
 }
 
@@ -149,8 +244,8 @@ impl BranchTrait for Branch {
         self.branches.as_ref().map(|branches| branches.deref())
     }
 
-    fn get_product(&self) -> Option<&Self::FullProductNameType> {
-        self.product.as_ref()
+    fn get_product(&self) -> &Option<Self::FullProductNameType> {
+        &self.product
     }
 }
 
@@ -159,8 +254,8 @@ impl ProductGroupTrait for ProductGroup {
         self.group_id.deref()
     }
 
-    fn get_product_ids(&self) -> Vec<&String> {
-        self.product_ids.iter().map(|x| x.deref()).collect()
+    fn get_product_ids(&self) -> impl Iterator<Item = &String> + '_ {
+        self.product_ids.iter().map(|x| x.deref())
     }
 }
 

diff --git a/csaf-lib/src/csaf/csaf2_0/loader.rs b/csaf-lib/src/csaf/csaf2_0/loader.rs
@@ -23,6 +23,7 @@ mod tests {
     };
 
     fn mock_document() -> CommonSecurityAdvisoryFramework {
+        let now = chrono::Utc::now().to_string();
         let metadata: DocumentLevelMetaData = DocumentLevelMetaData::builder()
             .title("Test")
             .category("csaf_base")
@@ -36,13 +37,13 @@ mod tests {
             .tracking(
                 Tracking::builder()
                     .id("test")
-                    .current_release_date(chrono::Utc::now())
-                    .initial_release_date(chrono::Utc::now())
+                    .current_release_date(now.clone())
+                    .initial_release_date(now.clone())
                     .status("final")
                     .version("1")
                     .revision_history(vec![Revision::builder()
                         .number("1")
-                        .date(chrono::Utc::now())
+                        .date(now.clone())
                         .summary("test")
                         .try_into()
                         .unwrap()]),