Merge pull request #418 from tschmidtb51/bind-remediation

Bind remediation
oasis-tcs · Feb 11, 2022 · a14be3b · a14be3b
2 parents 9e0e09c + 2372dc8
commit a14be3b
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 1 deletion.
diff --git a/csaf_2.0/prose/csaf-v2-editor-draft.md b/csaf_2.0/prose/csaf-v2-editor-draft.md
@@ -4171,7 +4171,7 @@ The relevant path for this test is:
 *Example XYZ which fails the test:*
 
 ```
-"document": {
+  "document": {
     // ...
     "lang": "en-US",
     // ...
@@ -4185,6 +4185,31 @@ The relevant path for this test is:
 
 > A tool MAY remove the source language as quick fix.
 
+#### 6.1.29 Remediation without product reference
+
+For each item in `/vulnerabilities[]/remediations` it must be tested that it includes at least one of the elements `group_ids` or `product_ids`.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/remediations[]
+```
+
+*Example XYZ which fails the test:*
+
+```
+      "remediations": [
+        {
+          "category": "no_fix_planned",
+          "details": "These products are end-of-life. Therefore, no fix will be provided."
+        }
+      ]
+```
+
+> The given remediation does not specify to which products it should be applied.
+
+> A tool MAY add all products of the affected group of this vulnerability to the remediation as quick fix.
+
 ## 6.2 Optional Tests
 
 Optional tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid. These tests may include information about features which are still supported but expected to be deprecated in a future version of CSAF. A program MUST handle a test failure as a warning.

diff --git a/csaf_2.0/test/validator/data/mandatory/OASIS_CSAF_TC-CSAF_2_0-2021-6-1-29-01.json b/csaf_2.0/test/validator/data/mandatory/OASIS_CSAF_TC-CSAF_2_0-2021-6-1-29-01.json
@@ -0,0 +1,50 @@
+{
+  "document": {
+    "category": "vex",
+    "csaf_version": "2.0",
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Mandatory test: Remediation without product reference (failing example 1)",
+    "tracking": {
+      "current_release_date": "2021-07-21T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.0-2021-6-1-29-01",
+      "initial_release_date": "2021-07-21T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2021-07-21T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "full_product_names": [
+      {
+        "product_id": "CSAFPID-9080700",
+        "name": "Product A"
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-2017-0145",
+      "product_status": {
+        "known_affected": [
+          "CSAFPID-9080700"
+        ]
+      },
+      "remediations": [
+        {
+          "category": "no_fix_planned",
+          "details": "These products are end-of-life. Therefore, no fix will be provided."
+        }
+      ]
+    }
+  ]
+}