~sthagen/csaf#4: Fix validation failures for CVSS of upstream BSI example

When loading the example CSAF document at https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/examples/csaf/bsi-2022-0001.json the implementation rejects the CVSS element with suspicious messages:

E   pydantic.error_wrappers.ValidationError: 5 validation errors for CSAF
E   vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> vectorString
E     string does not match regex "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" (type=value_error.str.regex; pattern=^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$)
E   vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> confidentialityImpact
E     value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
E   vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> availabilityImpact
E     value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
E   vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> confidentialityImpact
E     value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])
E   vulnerabilities -> 0 -> scores -> 0 -> cvss_v3 -> availabilityImpact
E     value is not a valid enumeration member; permitted: 'NONE', 'PARTIAL', 'COMPLETE' (type=type_error.enum; enum_values=[<CiaType.none: 'NONE'>, <CiaType.partial: 'PARTIAL'>, <CiaType.complete: 'COMPLETE'>])

Note that the claimed REGEX failure is providing the CVSS 3.0 pattern ...

Also, using the yet unfinished business rules validation per the "app" fails (and it should not):

❯ csaf validate /local/oasis-tcs/csaf/csaf_2.0/examples/csaf/bsi-2022-0001.json 2>&1 | cut -c25- | sed "s/CSAF/.../g; s/WARNING/W/g; s/ERROR/E/g; s/INFO/I/g;"
I [...]: set of document.aggregate_severity properties only contains known properties
I [...]: set of document.aggregate_severity properties is a proper subset of the known properties
I [...]: set of document properties only contains known properties
I [...]: set of document properties is a proper subset of the known properties
E [...]: advisory fails mandatory rules:
E [...]: undefined product ids, invalid translator
Status: RESOLVED FIXED
Submitter: ~sthagen
Assigned to:
Submitted: 1 year, 6 months ago
Updated: 7 months ago
Labels: Bug

~sthagen 1 year, 5 months ago*

Fixing the domain of the ciaType allows loading the score from the example:

Python 3.10.9 (main, Dec 24 2022, 15:33:29) [Clang 15.0.6 ] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> import csaf.cvss as cvss
>>> DATA = {
...   "attackComplexity": "LOW",
...   "attackVector": "LOCAL",
...   "availabilityImpact": "LOW",
...   "baseScore": 6.1,
...   "baseSeverity": "MEDIUM",
...   "confidentialityImpact": "HIGH",
...   "exploitCodeMaturity": "FUNCTIONAL",
...   "integrityImpact": "NONE",
...   "privilegesRequired": "NONE",
...   "remediationLevel": "OFFICIAL_FIX",
...   "reportConfidence": "CONFIRMED",
...   "scope": "UNCHANGED",
...   "userInteraction": "REQUIRED",
...   "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C",
...   "version": "3.1",
... }
>>> JSON = json.dumps(DATA)
>>> c31 = cvss.CVSS31.parse_raw(JSON)
>>> c31.vector_string
'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C'
>>> json_lines = c31.json(indent=2).split('\n')
>>> json_rep_of_vs = [line for line in json_lines if 'vectorString' in line][0]
>>> json_rep_of_vs
'  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C",'

Namely:

❯ git diff csaf/vuln_types.py
diff --git a/csaf/vuln_types.py b/csaf/vuln_types.py
index 943bb07..14df01c 100644
--- a/csaf/vuln_types.py
+++ b/csaf/vuln_types.py
@@ -28,8 +28,8 @@ class AuthenticationType(Enum):

 class CiaType(Enum):
     none = 'NONE'
-    partial = 'PARTIAL'
-    complete = 'COMPLETE'
+    low = 'LOW'
+    high = 'HIGH'


 class ExploitabilityType(Enum):
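Review bot: replacing PARTIAL/COMPLETE with LOW/HIGH in CiaType (`-    partial = 'PARTIAL'` / `+    low = 'LOW'`) swaps one version's domain for another's instead of adding one: NONE/PARTIAL/COMPLETE are the CVSS v2 C/I/A values and NONE/LOW/HIGH the v3 ones, so if any CVSS v2 model in vuln_types.py (the neighbouring AuthenticationType is a v2-only metric) still references CiaType, v2 scores carrying PARTIAL or COMPLETE will now fail exactly the way the v3 score did before. Suggest keeping the v2 enum and adding a separate v3 enum (e.g. `CiaTypeV3`) that the CVSS31 model points at. Also, the reported vectorString regex failure (pattern anchored to `CVSS:3[.]0`) is not touched by this hunk; the REPL session above shows `CVSS31.parse_raw` accepting a 3.1 vector, so confirm that model carries its own pattern and that the cvss_v3 score path in CSAF is routed to it.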

~sthagen REPORTED FIXED 1 year, 5 months ago

Fixed in 1af4182
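The root cause above is one enum serving two CVSS versions with different C/I/A domains. As an added example, not code from the csaf project or from the ticket, the script below keeps the v2 and v3 domains as separate enums and adds the consistency check a CSAF validator wants on top of plain schema validation: the vectorString of a cvss_v3 score is parsed and compared against the structured impact fields and the version field, so a v2-only value or a field that contradicts its own vector is reported rather than silently accepted. The names (CiaTypeV2, CiaTypeV3, parse_v3_vector, check_v3_score) are illustrative; the sample score is copied from the REPL session in the comment, and the two inconsistent variants are constructed.

```python
import re
from enum import Enum

# Added example, not code from the csaf project or from the ticket: the
# C/I/A impact domains of CVSS v2 and v3 kept as separate enums (the ticket's
# failure came from one enum serving both), plus a consistency check between
# a cvss_v3 score's vectorString and its structured metric fields.
# Names (CiaTypeV2, CiaTypeV3, parse_v3_vector, check_v3_score) are illustrative.


class CiaTypeV2(Enum):
    """C/I/A impact values of a CVSS v2 score."""
    none = 'NONE'
    partial = 'PARTIAL'
    complete = 'COMPLETE'


class CiaTypeV3(Enum):
    """C/I/A impact values of a CVSS v3.0 / v3.1 score."""
    none = 'NONE'
    low = 'LOW'
    high = 'HIGH'


def cia_domain(version: str) -> type[Enum]:
    """Return the enum holding the legal C/I/A values for a CVSS version string."""
    return CiaTypeV2 if version.startswith('2') else CiaTypeV3


# Vector-string abbreviation of a v3 C/I/A metric -> enum member.
_V3_CIA_ABBREV = {'N': CiaTypeV3.none, 'L': CiaTypeV3.low, 'H': CiaTypeV3.high}

# Base metrics every v3 vector must carry (temporal/environmental are optional).
_V3_BASE_METRICS = frozenset({'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'})


def parse_v3_vector(vector: str) -> tuple[str, dict[str, str]]:
    """Split a CVSS 3.x vector into (version, {metric: value}); ValueError on malformed input."""
    prefix, _, rest = vector.partition('/')
    match = re.fullmatch(r'CVSS:3\.([01])', prefix)
    if not match:
        raise ValueError(f'unsupported CVSS prefix {prefix!r}')
    metrics: dict[str, str] = {}
    for part in rest.split('/'):
        key, sep, value = part.partition(':')
        if not sep or not key or not value or key in metrics:
            raise ValueError(f'malformed or duplicate metric {part!r}')
        metrics[key] = value
    missing = _V3_BASE_METRICS - set(metrics)
    if missing:
        raise ValueError(f'missing base metrics {sorted(missing)}')
    return '3.' + match.group(1), metrics


def check_v3_score(score: dict) -> list[str]:
    """List the inconsistencies between a cvss_v3 object's vectorString and its fields."""
    try:
        version, metrics = parse_v3_vector(score['vectorString'])
    except (KeyError, ValueError) as exc:
        return [f'vectorString: {exc}']
    problems = []
    if score.get('version') != version:
        problems.append(f"version {score.get('version')!r} disagrees with vector {version!r}")
    for field, abbrev in (('confidentialityImpact', 'C'),
                          ('integrityImpact', 'I'),
                          ('availabilityImpact', 'A')):
        declared = score.get(field)
        try:
            declared_member = CiaTypeV3(declared)   # rejects v2-only values such as PARTIAL
        except ValueError:
            problems.append(f'{field}: {declared!r} not in {[m.value for m in CiaTypeV3]}')
            continue
        from_vector = _V3_CIA_ABBREV.get(metrics[abbrev])
        if from_vector is None:
            problems.append(f'{abbrev}:{metrics[abbrev]} is not a valid v3 impact value')
        elif from_vector is not declared_member:
            problems.append(f'{field}: {declared!r} disagrees with {abbrev}:{metrics[abbrev]}')
    return problems


# Score copied from the ticket's REPL session (the upstream BSI example).
BSI_SCORE = {
    'attackComplexity': 'LOW', 'attackVector': 'LOCAL', 'availabilityImpact': 'LOW',
    'baseScore': 6.1, 'baseSeverity': 'MEDIUM', 'confidentialityImpact': 'HIGH',
    'exploitCodeMaturity': 'FUNCTIONAL', 'integrityImpact': 'NONE',
    'privilegesRequired': 'NONE', 'remediationLevel': 'OFFICIAL_FIX',
    'reportConfidence': 'CONFIRMED', 'scope': 'UNCHANGED', 'userInteraction': 'REQUIRED',
    'vectorString': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C',
    'version': '3.1',
}

# Constructed variants: a v2-only value smuggled into a v3 field, and a field
# that contradicts its own vector string.
V2_VALUE_IN_V3 = dict(BSI_SCORE, confidentialityImpact='PARTIAL')
CONTRADICTING_FIELD = dict(BSI_SCORE, availabilityImpact='HIGH')

if __name__ == '__main__':
    for name, score in (('bsi', BSI_SCORE), ('v2-value', V2_VALUE_IN_V3),
                        ('contradiction', CONTRADICTING_FIELD)):
        print(name, check_v3_score(score) or 'consistent')
```

The vector parser deliberately does not hard-code a metric order: the schema regex quoted in the report accepts the metrics in any order, so the check keys on the metric abbreviations and only insists that the eight base metrics are present. Running the script prints the BSI score as consistent and names the offending field for each of the two constructed variants.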
