When loading the example CSAF document at https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/examples/csaf/bsi-2022-0001.json the implementation rejects the CVSS element with suspicious messages:
```
E pydantic.error_wrappers.ValidationError: 5 validation errors for CSAF
E vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> vectorString
E string does not match regex "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" (type=value_error.str.regex; pattern=^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$)
E vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> confidentialityImpact
E value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
E vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> availabilityImpact
E value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
E vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> confidentialityImpact
E value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
E vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> availabilityImpact
E value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
```
Note that the claimed REGEX failure is providing the CVSS 3.0 pattern ...

Also, using the yet-unfinished business rules validation via the "app" fails (and it should not):
```
❯ csaf validate /local/oasis-tcs/csaf/csaf_2.0/examples/csaf/bsi-2022-0001.json 2>&1 | cut -c25- | sed "s/CSAF/.../g; s/WARNING/W/g; s/ERROR/E/g; s/INFO/I/g;"
I [...]: set of document.aggregate_severity properties only contains known properties
I [...]: set of document.aggregate_severity properties is a proper subset of the known properties
I [...]: set of document properties only contains known properties
I [...]: set of document properties is a proper subset of the known properties
E [...]: advisory fails mandatory rules:
E [...]: undefined product ids, invalid translator
```
Fixing the domain of the `ciaType` allows loading the score from the example:

```python
Python 3.10.9 (main, Dec 24 2022, 15:33:29) [Clang 15.0.6 ] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> import csaf.cvss as cvss
>>> DATA = {
...     "attackComplexity": "LOW",
...     "attackVector": "LOCAL",
...     "availabilityImpact": "LOW",
...     "baseScore": 6.1,
...     "baseSeverity": "MEDIUM",
...     "confidentialityImpact": "HIGH",
...     "exploitCodeMaturity": "FUNCTIONAL",
...     "integrityImpact": "NONE",
...     "privilegesRequired": "NONE",
...     "remediationLevel": "OFFICIAL_FIX",
...     "reportConfidence": "CONFIRMED",
...     "scope": "UNCHANGED",
...     "userInteraction": "REQUIRED",
...     "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C",
...     "version": "3.1",
... }
>>> JSON = json.dumps(DATA)
>>> c31 = cvss.CVSS31.parse_raw(JSON)
>>> c31.vector_string
'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C'
>>> json_lines = c31.json(indent=2).split('\n')
>>> json_rep_of_vs = [line for line in json_lines if 'vectorString' in line][0]
>>> json_rep_of_vs
'  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C",'
```

Namely:
❯ git diff csaf/vuln_types.py diff --git a/csaf/vuln_types.py b/csaf/vuln_types.py index 943bb07..14df01c 100644 --- a/csaf/vuln_types.py +++ b/csaf/vuln_types.py @@ -28,8 +28,8 @@ class AuthenticationType(Enum): class CiaType(Enum): none = 'NONE' - partial = 'PARTIAL' - complete = 'COMPLETE' + low = 'LOW' + high = 'HIGH' class ExploitabilityType(Enum):
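Review bot: the hunk replaces the CVSS v2 impact domain (`PARTIAL`, `COMPLETE`) with the v3 domain (`LOW`, `HIGH`) inside the single shared `CiaType` in `csaf/vuln_types.py`, so any CVSS v2 model that also references `CiaType` would now reject valid v2 values such as `PARTIAL` and accept `LOW`/`HIGH`, which v2 does not define; if such a model exists, keep two enums (for instance a v2 one with NONE/PARTIAL/COMPLETE and a v3 one with NONE/LOW/HIGH) and point the `cvss_v2` and `cvss_v3` fields at the matching one. The `vectorString` pattern quoted in the report (`^CVSS:3[.]0/...`) is not touched by this hunk, so loading the `CVSS:3.1/...` vector from the example relies on the 3.1 model carrying its own pattern; a regression test that loads `bsi-2022-0001.json` end to end, rather than only the extracted score object shown in the REPL session, would pin that down.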
Fixed in 1af4182
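As an added example (not the csaf project's code) of the version split this issue turns on: the CVSS v2 and v3 impact domains are kept in separate enums, and a `cvss_v3` score object is cross-checked against its own `vectorString`, so a v2 value such as `PARTIAL` or a field that contradicts the vector is reported instead of silently accepted. The metric alternation is the one quoted in the error message above, widened so the version group accepts both `3.0` and `3.1`; the field names are the CVSS JSON schema keys that appear in the issue; `SCORE_FROM_ISSUE` is the score from the REPL session, constructed here as sample input; `CiaV2`, `CiaV3`, `parse_vector` and `check_score` are names chosen for this example.

```python
"""Version-specific CVSS impact enums and a vectorString cross-check.

Added example, not the csaf project's code. Names chosen here: CiaV2, CiaV3,
parse_vector, check_score, SCORE_FROM_ISSUE. The metric alternation is the one
quoted in the issue's error message, widened to accept versions 3.0 and 3.1.
"""
import re
from enum import Enum


class CiaV2(Enum):
    """CVSS v2 impact domain (the values the shared enum originally carried)."""
    none = "NONE"
    partial = "PARTIAL"
    complete = "COMPLETE"


class CiaV3(Enum):
    """CVSS v3.x impact domain (the values the example document uses)."""
    none = "NONE"
    low = "LOW"
    high = "HIGH"


_METRIC = (
    r"AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|"
    r"RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|"
    r"MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH]"
)
# Same shape as the pattern in the issue; the version group accepts 3.0 and 3.1.
VECTOR_RE = re.compile(rf"^CVSS:(3\.[01])/(?:(?:{_METRIC})/)*(?:{_METRIC})$")

_V3_IMPACT = {"N": CiaV3.none, "L": CiaV3.low, "H": CiaV3.high}
_IMPACT_FIELDS = {"C": "confidentialityImpact", "I": "integrityImpact", "A": "availabilityImpact"}
_BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Return {"version": ..., metric: value, ...} for a CVSS 3.x vector.

    Raises ValueError on a malformed vector, a repeated metric, or a missing
    base metric; the regex alone accepts repeats, so they are checked here.
    """
    match = VECTOR_RE.match(vector)
    if not match:
        raise ValueError(f"not a CVSS 3.x vector string: {vector!r}")
    metrics = {}
    for part in vector.split("/")[1:]:
        key, value = part.split(":")
        if key in metrics:
            raise ValueError(f"metric {key} repeated in {vector!r}")
        metrics[key] = value
    missing = [k for k in _BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return {"version": match.group(1), **metrics}


def check_score(score: dict) -> list:
    """Cross-check a cvss_v3 score object against its own vectorString.

    Returns a list of problems; an empty list means the score is self-consistent.
    A v2 value such as PARTIAL is reported as outside the v3 domain, not coerced.
    """
    if "vectorString" not in score:
        return ["score has no vectorString"]
    try:
        metrics = parse_vector(score["vectorString"])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if score.get("version") != metrics["version"]:
        problems.append(f"version {score.get('version')!r} disagrees with vector version {metrics['version']!r}")
    for letter, field in _IMPACT_FIELDS.items():
        raw = score.get(field)
        try:
            declared = CiaV3(raw)
        except ValueError:
            allowed = [member.value for member in CiaV3]
            problems.append(f"{field}={raw!r} is not in the CVSS v3 domain {allowed}")
            continue
        if declared is not _V3_IMPACT[metrics[letter]]:
            problems.append(f"{field}={raw!r} contradicts vector metric {letter}:{metrics[letter]}")
    return problems


# The cvss_v3 score from the issue's REPL session (constructed sample input).
SCORE_FROM_ISSUE = {
    "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW",
    "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH",
    "exploitCodeMaturity": "FUNCTIONAL", "integrityImpact": "NONE",
    "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX",
    "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "userInteraction": "REQUIRED",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C",
    "version": "3.1",
}


if __name__ == "__main__":
    print("issue score:", check_score(SCORE_FROM_ISSUE) or "consistent")
    # A v2 value in a v3 score, which the original shared enum would have let through.
    print("v2 value   :", check_score({**SCORE_FROM_ISSUE, "confidentialityImpact": "PARTIAL"}))
    # Field and vector disagree (the vector says A:L).
    print("swapped    :", check_score({**SCORE_FROM_ISSUE, "availabilityImpact": "HIGH"}))
```

The point of the split is that the only value the two domains share is `NONE`; a validator built on one merged enum either rejects valid v2 documents or, as in this issue, rejects valid v3 ones. Checking the enum fields against the vector string catches the second class of defect the schema alone cannot see: a document whose fields are all in-domain but disagree with the vector they claim to summarise.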