CSAFajv

[tschmidtb51]

Why do we use an AJV with strict=false for the schema validation? Shouldn't the strict_schema be checked with the strict option?

@domachine: Something to discuss in the meeting.

[tschmidtb51]

As discussed in the meeting: Check whether the schema compiles with strict=true.

[domachine]

There seems to be a problem with the license keyword used in the cvss schemas. When compiling with strict: true I get the following error:

Error: strict mode: unknown keyword: "license"
    at checkStrictMode (/Users/dominik/Desktop/repos/github.com/secvisogram/csaf-validator-lib/node_modules/ajv/dist/compile/util.js:174:15)
    at checkUnknownRules (/Users/dominik/Desktop/repos/github.com/secvisogram/csaf-validator-lib/node_modules/ajv/dist/compile/util.js:32:13)
    at checkKeywords (/Users/dominik/Desktop/repos/github.com/secvisogram/csaf-validator-lib/node_modules/ajv/dist/compile/validate/index.js:120:34)
    at validateFunctionCode (/Users/dominik/Desktop/repos/github.com/secvisogram/csaf-validator-lib/node_modules/ajv/dist/compile/validate/index.js:19:9)
...

[tschmidtb51]

Thanks for digging into it. That would require the FIRST CVSS SIG to change their JSON schema. At the moment this can't be implemented.

We'll start a discussion with the FIRST CVSS SIG at the appropriate time.