CSAF Tests 6.1.43 to 6.1.49

.gitmodules

@@ -2,3 +2,7 @@
 	path = csaf
 	url = https://github.com/oasis-tcs/csaf
 	branch = master
+[submodule "ssvc"]
+	path = ssvc
+	url = https://github.com/CERTCC/SSVC.git
+	branch = main

csaf-lib/build.rs

@@ -21,21 +21,35 @@ fn main() -> Result<(), BuildError> {
     build(
         "./src/csaf/csaf2_0/csaf_json_schema.json",
         "csaf/csaf2_0/schema.rs",
+        true,
+    )?;
+    build(
+        "./src/csaf/csaf2_1/ssvc-1-0-1-merged.schema.json",
+        "csaf/csaf2_1/ssvc_schema.rs",
+        false,
     )?;
     build(
         "./src/csaf/csaf2_1/csaf_json_schema.json",
         "csaf/csaf2_1/schema.rs",
+        true,
+    )?;
+    build(
+        "../ssvc/data/schema/v1/Decision_Point-1-0-1.schema.json",
+        "csaf/csaf2_1/ssvc_dp_schema.rs",
+        false,
     )?;
 
     Ok(())
 }
 
-fn build(input: &str, output: &str) -> Result<(), BuildError> {
+fn build(input: &str, output: &str, no_date_time: bool) -> Result<(), BuildError> {
     let content = fs::read_to_string(input)?;
     let mut schema_value = serde_json::from_str(&content)?;
-    // Recursively search for "format": "date-time" and replace with something else
-    remove_datetime_formats(&mut schema_value);
-    let schema = serde_json::from_value::<schemars::schema::RootSchema>(schema_value)?;
+    if no_date_time {
+        // Recursively search for "format": "date-time" and remove this format
+        remove_datetime_formats(&mut schema_value);
+    }
+    let schema: schemars::schema::RootSchema = serde_json::from_value(schema_value)?;
 
     let mut type_space = TypeSpace::new(TypeSpaceSettings::default().with_struct_builder(true));
     type_space.add_root_schema(schema)?;

csaf-lib/src/csaf/csaf2_0/getter_implementations.rs

@@ -1,7 +1,9 @@
-use crate::csaf::csaf2_0::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, DocumentGenerator, DocumentLevelMetaData, DocumentStatus, Flag, FullProductNameT, HelperToIdentifyTheProduct, Involvement, LabelOfTlp, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, RulesForSharingDocument, Threat, Tracking, TrafficLightProtocolTlp, Vulnerability};
+use crate::csaf::csaf2_0::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, DocumentGenerator, DocumentLevelMetaData, DocumentStatus, Flag, FullProductNameT, HelperToIdentifyTheProduct, Id, Involvement, LabelOfTlp, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, RulesForSharingDocument, Threat, Tracking, TrafficLightProtocolTlp, Vulnerability};
 use crate::csaf::csaf2_1::schema::{CategoryOfTheRemediation as Remediation21, DocumentStatus as Status21, LabelOfTlp as Tlp21};
-use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DistributionTrait, DocumentTrait, FlagTrait, ProductTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductIdentificationHelperTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, SharingGroupTrait, ThreatTrait, TlpTrait, TrackingTrait, VulnerabilityTrait};
+use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DistributionTrait, DocumentTrait, FlagTrait, ProductTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductIdentificationHelperTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, SharingGroupTrait, ThreatTrait, TlpTrait, TrackingTrait, VulnerabilityTrait, ContentTrait, VulnerabilityIdTrait};
 use std::ops::Deref;
+use serde::de::Error;
+use crate::csaf::csaf2_1::ssvc_schema::SsvcV1;
 use crate::csaf::validation::ValidationError;
 
 impl RemediationTrait for Remediation {
@@ -73,6 +75,8 @@ impl ProductStatusTrait for ProductStatus {
 }
 
 impl MetricTrait for () {
+    type ContentType = ();
+
     //noinspection RsConstantConditionIf
     fn get_products(&self) -> impl Iterator<Item = &String> + '_ {
         // This construction is required to satisfy compiler checks
@@ -82,6 +86,16 @@ impl MetricTrait for () {
         }
         std::iter::empty()
     }
+
+    fn get_content(&self) -> &Self::ContentType {
+        panic!("Metrics are not implemented in CSAF 2.0");
+    }
+}
+
+impl ContentTrait for () {
+    fn get_ssvc_v1(&self) -> Result<SsvcV1, serde_json::Error> {
+        Err(serde_json::Error::custom("Metrics are not implemented in CSAF 2.0"))
+    }
 }
 
 impl ThreatTrait for Threat {
@@ -102,6 +116,7 @@ impl VulnerabilityTrait for Vulnerability {
     type ThreatType = Threat;
     type FlagType = Flag;
     type InvolvementType = Involvement;
+    type VulnerabilityIdType = Id;
 
     fn get_remediations(&self) -> &Vec<Self::RemediationType> {
         &self.remediations
@@ -120,7 +135,7 @@ impl VulnerabilityTrait for Vulnerability {
         &self.threats
     }
 
-    fn get_release_date(&self) -> &Option<String> {
+    fn get_disclosure_date(&self) -> &Option<String> {
         &self.release_date
     }
 
@@ -135,6 +150,23 @@ impl VulnerabilityTrait for Vulnerability {
     fn get_involvements(&self) -> &Option<Vec<Self::InvolvementType>> {
         &self.involvements
     }
+
+    fn get_cve(&self) -> Option<&String> {
+        self.cve.as_ref().map(|x| x.deref())
+    }
+    fn get_ids(&self) -> &Option<Vec<Self::VulnerabilityIdType>> {
+        &self.ids
+    }
+}
+
+impl VulnerabilityIdTrait for Id {
+    fn get_system_name(&self) -> &String {
+        self.system_name.deref()
+    }
+
+    fn get_text(&self) -> &String {
+        self.text.deref()
+    }
 }
 
 impl FlagTrait for Flag {
@@ -274,6 +306,10 @@ impl TrackingTrait for Tracking {
             DocumentStatus::Interim => Status21::Interim,
         }
     }
+
+    fn get_id(&self) -> &String {
+        self.id.deref()
+    }
 }
 
 impl GeneratorTrait for DocumentGenerator {

csaf-lib/src/csaf/csaf2_1/csaf_json_schema.json

@@ -854,7 +854,7 @@
             },
             "initial_release_date": {
               "title": "Initial release date",
-              "description": "The date when this document was first published.",
+              "description": "The date when this document was first released to the specified target group.",
               "type": "string",
               "format": "date-time"
             },
@@ -1098,6 +1098,12 @@
               }
             }
           },
+          "disclosure_date": {
+            "title": "Disclosure date",
+            "description": "Holds the date and time the vulnerability was originally disclosed to the public.",
+            "type": "string",
+            "format": "date-time"
+          },
           "discovery_date": {
             "title": "Discovery date",
             "description": "Holds the date and time the vulnerability was originally discovered.",
@@ -1267,6 +1273,9 @@
                     },
                     "cvss_v4": {
                       "type": "object"
+                    },
+                    "ssvc_v1": {
+                      "type": "object"
                     }
                   }
                 },
@@ -1340,12 +1349,6 @@
             "description": "Holds a list of references associated with this vulnerability item.",
             "$ref": "#/$defs/references_t"
           },
-          "release_date": {
-            "title": "Release date",
-            "description": "Holds the date and time the vulnerability was originally released into the wild.",
-            "type": "string",
-            "format": "date-time"
-          },
           "remediations": {
             "title": "List of remediations",
             "description": "Contains a list of remediations.",

csaf-lib/src/csaf/csaf2_1/getter_implementations.rs

@@ -1,6 +1,8 @@
-use crate::csaf::csaf2_1::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, DocumentGenerator, DocumentLevelMetaData, DocumentStatus, Flag, FullProductNameT, HelperToIdentifyTheProduct, Involvement, LabelOfTlp, Metric, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, RulesForSharingDocument, SharingGroup, Threat, Tracking, TrafficLightProtocolTlp, Vulnerability};
-use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DistributionTrait, DocumentTrait, FlagTrait, ProductTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductIdentificationHelperTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, SharingGroupTrait, ThreatTrait, TlpTrait, TrackingTrait, VulnerabilityTrait};
+use crate::csaf::csaf2_1::schema::{Branch, CategoryOfTheRemediation, CommonSecurityAdvisoryFramework, Content, DocumentGenerator, DocumentLevelMetaData, DocumentStatus, Flag, FullProductNameT, HelperToIdentifyTheProduct, Id, Involvement, LabelOfTlp, Metric, ProductGroup, ProductStatus, ProductTree, Relationship, Remediation, Revision, RulesForSharingDocument, SharingGroup, Threat, Tracking, TrafficLightProtocolTlp, Vulnerability};
+use crate::csaf::getter_traits::{BranchTrait, CsafTrait, DistributionTrait, DocumentTrait, FlagTrait, ProductTrait, GeneratorTrait, InvolvementTrait, MetricTrait, ProductGroupTrait, ProductIdentificationHelperTrait, ProductStatusTrait, ProductTreeTrait, RelationshipTrait, RemediationTrait, RevisionTrait, SharingGroupTrait, ThreatTrait, TlpTrait, TrackingTrait, VulnerabilityTrait, ContentTrait, VulnerabilityIdTrait};
 use std::ops::Deref;
+use serde_json::Value;
+use crate::csaf::csaf2_1::ssvc_schema::SsvcV1;
 use crate::csaf::validation::ValidationError;
 
 impl RemediationTrait for Remediation {
@@ -56,9 +58,22 @@ impl ProductStatusTrait for ProductStatus {
 }
 
 impl MetricTrait for Metric {
+    type ContentType = Content;
+
     fn get_products(&self) -> impl Iterator<Item = &String> + '_ {
         self.products.deref().iter().map(|p| p.deref())
     }
+
+    fn get_content(&self) -> &Self::ContentType {
+        &self.content
+    }
+}
+
+impl ContentTrait for Content {
+    fn get_ssvc_v1(&self) -> Result<SsvcV1, serde_json::Error> {
+        let ssvc_value = Value::Object(self.ssvc_v1.clone());
+        serde_json::from_value::<SsvcV1>(ssvc_value)
+    }
 }
 
 impl ThreatTrait for Threat {
@@ -78,6 +93,7 @@ impl VulnerabilityTrait for Vulnerability {
     type ThreatType = Threat;
     type FlagType = Flag;
     type InvolvementType = Involvement;
+    type VulnerabilityIdType = Id;
 
     fn get_remediations(&self) -> &Vec<Self::RemediationType> {
         &self.remediations
@@ -95,8 +111,8 @@ impl VulnerabilityTrait for Vulnerability {
         &self.threats
     }
 
-    fn get_release_date(&self) -> &Option<String> {
-        &self.release_date
+    fn get_disclosure_date(&self) -> &Option<String> {
+        &self.disclosure_date
     }
 
     fn get_discovery_date(&self) -> &Option<String> {
@@ -110,6 +126,24 @@ impl VulnerabilityTrait for Vulnerability {
     fn get_involvements(&self) -> &Option<Vec<Self::InvolvementType>> {
         &self.involvements
     }
+
+    fn get_cve(&self) -> Option<&String> {
+        self.cve.as_ref().map(|x| x.deref())
+    }
+
+    fn get_ids(&self) -> &Option<Vec<Self::VulnerabilityIdType>> {
+        &self.ids
+    }
+}
+
+impl VulnerabilityIdTrait for Id {
+    fn get_system_name(&self) -> &String {
+        self.system_name.deref()
+    }
+
+    fn get_text(&self) -> &String {
+        self.text.deref()
+    }
 }
 
 impl FlagTrait for Flag {
@@ -219,6 +253,10 @@ impl TrackingTrait for Tracking {
     fn get_status(&self) -> DocumentStatus {
         self.status
     }
+
+    fn get_id(&self) -> &String {
+        self.id.deref()
+    }
 }
 
 impl GeneratorTrait for DocumentGenerator {

csaf-lib/src/csaf/csaf2_1/mod.rs

@@ -2,3 +2,5 @@ pub mod loader;
 pub mod schema;
 pub mod validation;
 pub mod getter_implementations;
+pub mod ssvc_schema;
+pub mod ssvc_dp_schema;