in production, CNA containers validated against wrong schema #1185

Closed
ElectricNroff opened this issue Feb 17, 2024 · 0 comments
validateCveCnaContainerJsonSchema,

```js
const cnaContainerSchema = JSON.parse(fs.readFileSync('src/controller/cve.controller/cna_container_schema.json'))

const validateCnaContainer = ajv.compile(cnaContainerSchema)

const result = validateCnaContainer(cnaContainer)
if (!result) {
  logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))
```

```json
"programFiles": {
  "type": "array",
  "description": "A list of the affected source code files (optional)",
  "uniqueItems": true,
  "items": {
    "description": "Name or path or location of the affected source code file in RFC3986 compliant format (optional).",
    "$ref": "#/definitions/uriType"
  }
},
```

This is not the same as programFiles in the 5.0 schema:

```json
"programFiles": {
  "type": "array",
  "description": "A list of the affected source code files (optional).",
  "uniqueItems": true,
  "items": {
    "description": "Name or path or location of the affected source code file.",
    "type": "string",
    "minLength": 1,
    "maxLength": 1024
  }
},
```

https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json#L222-L232

This means that containers.cna.affected.programFiles can have an array of filename strings when the "POST /cve/:id" endpoint is used (which is the intended behavior according to the 5.0 schema), but cannot have an array of filename strings when the "POST /cve/:id/cna" endpoint is used. The error is:

```json
{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.",
"details":{"errors":[{"instancePath":"/cnaContainer/affected/0/programFiles/0",
"schemaPath":"#/definitions/uriType/format","keyword":"format","params":{"format":"uri"},
"message":"must match format \"uri\""}]}}
```

(same error on cveawg.mitre.org and cveawg-test.mitre.org)

No CNA has successfully used programFiles, but we don't know how many tried. One new CNA wants to use programFiles today.

A former team member tried to work around this defect by putting a URL in the CNA container example, even though there is no URL in the full CVE Record example:

https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/cnaContainer-advanced-example.json#L43-L44
versus
https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/full-record-advanced-example.json#L59-L60

and this does make the example work; however, real products typically do not use URIs for filenames.

One solution is to update cna_container_schema.json so that it allows exactly the same CNA container content as 5.0_bundled_schema.json.
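The following is an added example, not code from the cve-services project or from the issue author. It embeds the two `programFiles` fragments quoted above and a tiny dependency-free interpreter for the handful of keywords they use, so the divergence can be reproduced offline: a plain filename array passes the 5.0 bundled fragment and fails the CNA container fragment with a `format` error at the same keyword and path shape ajv reports. The `uriType` definition is an assumption (the schema file is not on the page); it is modelled as a string with format `uri`, which is what the `schemaPath` in the reported error implies. Node 18 or later is assumed for the WHATWG `URL` class.

```javascript
'use strict';

// Assumption: uriType is a string with format "uri". The ajv error in the issue
// points at "#/definitions/uriType/format", which is consistent with this.
const definitions = {
  uriType: { type: 'string', format: 'uri' },
};

// Fragment as quoted from cna_container_schema.json (descriptions omitted).
const cnaContainerProgramFiles = {
  type: 'array',
  uniqueItems: true,
  items: { $ref: '#/definitions/uriType' },
};

// Fragment as quoted from the CVE JSON 5.0 schema (descriptions omitted).
const bundledProgramFiles = {
  type: 'array',
  uniqueItems: true,
  items: { type: 'string', minLength: 1, maxLength: 1024 },
};

// Resolve a local "#/definitions/<name>" reference against the table above.
function resolveRef(ref) {
  const m = /^#\/definitions\/(\w+)$/.exec(ref);
  if (!m || !definitions[m[1]]) throw new Error(`unknown $ref ${ref}`);
  return definitions[m[1]];
}

// The "uri" format needs an absolute URI with a scheme. The WHATWG URL parser
// rejects relative paths such as "src/foo.c", which is the case that matters.
function isUri(s) {
  try {
    new URL(s);
    return true;
  } catch {
    return false;
  }
}

// Minimal validator for the keywords the two fragments use (array, uniqueItems,
// items, string, minLength, maxLength, format, $ref). Returns ajv-style error
// objects; an empty array means the value is valid. instancePath is relative to
// the programFiles array, so "/0" here corresponds to
// "/cnaContainer/affected/0/programFiles/0" in the endpoint's response.
function validate(schema, value, instancePath = '') {
  if (schema.$ref) return validate(resolveRef(schema.$ref), value, instancePath);
  const errors = [];
  const fail = (keyword, message) => errors.push({ instancePath, keyword, message });

  if (schema.type === 'array') {
    if (!Array.isArray(value)) {
      fail('type', 'must be array');
      return errors;
    }
    if (schema.uniqueItems && new Set(value).size !== value.length) {
      fail('uniqueItems', 'must NOT have duplicate items');
    }
    value.forEach((item, i) => {
      errors.push(...validate(schema.items, item, `${instancePath}/${i}`));
    });
  } else if (schema.type === 'string') {
    if (typeof value !== 'string') {
      fail('type', 'must be string');
      return errors;
    }
    if (schema.minLength !== undefined && value.length < schema.minLength) {
      fail('minLength', `must NOT have fewer than ${schema.minLength} characters`);
    }
    if (schema.maxLength !== undefined && value.length > schema.maxLength) {
      fail('maxLength', `must NOT have more than ${schema.maxLength} characters`);
    }
    if (schema.format === 'uri' && !isUri(value)) {
      fail('format', 'must match format "uri"');
    }
  }
  return errors;
}

// Run one programFiles value through both schemas, mirroring what the
// "POST /cve/:id/cna" and "POST /cve/:id" endpoints check respectively.
function checkProgramFiles(programFiles) {
  return {
    cnaContainerErrors: validate(cnaContainerProgramFiles, programFiles),
    bundledErrors: validate(bundledProgramFiles, programFiles),
  };
}

// Constructed sample input: plain source paths, as products typically name files.
const sample = ['src/net/parser.c', 'include/net/parser.h'];
console.log(JSON.stringify(checkProgramFiles(sample), null, 1));
```

Running it shows two `format` errors from the CNA container fragment and none from the bundled fragment for the same input; only values such as `https://example.com/src/parser.c` satisfy both. Reconciling the two files, as the issue proposes, is what removes the split.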

@github-actions github-actions bot added this to Needs Triage in Issue Triage Feb 17, 2024
@jdaigneau5 jdaigneau5 removed this from Needs Triage in Issue Triage Feb 21, 2024
@jdaigneau5 jdaigneau5 added this to In progress in Sprint 42 (Feb 14 - Mar 13) Feb 21, 2024
david-rocca added a commit that referenced this issue Feb 27, 2024
Draft: Resolves #1124, #1126, #1185, #1186 5.1 schema implementation
@jdaigneau5 jdaigneau5 moved this from In progress to Done in Sprint 42 (Feb 14 - Mar 13) Feb 27, 2024