feat(CSAF2.1): add recommendedTest_6_2_41.js

bendo-eXX · bendo-eXX · commit 99316c8c28fe · 2025-07-16T09:50:42.000+02:00
diff --git a/README.md b/README.md
@@ -361,7 +361,6 @@ The following tests are not yet implemented and therefore missing:
 - Recommended Test 6.2.38
 - Recommended Test 6.2.39
 - Recommended Test 6.2.40
-- Recommended Test 6.2.41
 - Recommended Test 6.2.42
 - Recommended Test 6.2.43
 - Recommended Test 6.2.44
@@ -462,6 +461,7 @@ export const recommendedTest_6_2_16: DocumentTest
 export const recommendedTest_6_2_17: DocumentTest
 export const recommendedTest_6_2_18: DocumentTest
 export const recommendedTest_6_2_22: DocumentTest
+export const recommendedTest_6_2_41: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)
diff --git a/csaf_2_1/recommendedTests.js b/csaf_2_1/recommendedTests.js
@@ -31,3 +31,4 @@ export { recommendedTest_6_2_27 } from './recommendedTests/recommendedTest_6_2_2
 export { recommendedTest_6_2_28 } from './recommendedTests/recommendedTest_6_2_28.js'
 export { recommendedTest_6_2_29 } from './recommendedTests/recommendedTest_6_2_29.js'
 export { recommendedTest_6_2_38 } from './recommendedTests/recommendedTest_6_2_38.js'
+export { recommendedTest_6_2_41 } from './recommendedTests/recommendedTest_6_2_41.js'
diff --git a/csaf_2_1/recommendedTests/recommendedTest_6_2_41.js b/csaf_2_1/recommendedTests/recommendedTest_6_2_41.js
@@ -0,0 +1,132 @@
+import Ajv from 'ajv/dist/jtd.js'
+import { compareZonedDateTimes } from '../../lib/shared/dateHelper.js'
+
+const ajv = new Ajv()
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        tracking: {
+          additionalProperties: true,
+          properties: {
+            revision_history: {
+              elements: {
+                additionalProperties: true,
+                optionalProperties: {
+                  date: { type: 'string' },
+                },
+              },
+            },
+            status: { type: 'string' },
+          },
+        },
+      },
+    },
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        optionalProperties: {
+          metrics: {
+            elements: {
+              additionalProperties: true,
+              optionalProperties: {
+                content: {
+                  additionalProperties: true,
+                  optionalProperties: {
+                    epss: {
+                      additionalProperties: true,
+                      optionalProperties: {
+                        timestamp: { type: 'string' },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validate = ajv.compile(inputSchema)
+
+/**
+ * This implements the recommended test 6.2.41 of the CSAF 2.1 standard.
+ *
+ /**
+ * @param {any} doc
+ */
+export function recommendedTest_6_2_41(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const warnings = []
+  const context = { warnings }
+
+  if (!validate(doc)) {
+    return context
+  }
+
+  const status = doc.document.tracking.status
+  if (status !== 'final' && status !== 'interim') {
+    return context
+  }
+
+  const newestRevisionHistoryItem = doc.document.tracking.revision_history
+    .filter((item) => item.date != null)
+    .sort((a, z) =>
+      compareZonedDateTimes(
+        /** @type {string} */ (z.date),
+        /** @type {string} */ (a.date)
+      )
+    )[0]
+
+  if (!newestRevisionHistoryItem || !newestRevisionHistoryItem.date) {
+    return context
+  }
+
+  doc.vulnerabilities?.forEach((vulnerability, vulnerabilityIndex) => {
+    const metrics = vulnerability.metrics || []
+    const newestEpss = metrics
+      .map((m) => m.content?.epss)
+      .filter((item) => item?.timestamp != null)
+      .sort((a, z) => {
+        if (!a || !z) return 0
+        return compareZonedDateTimes(
+          /** @type {string} */ (z.timestamp),
+          /** @type {string} */ (a.timestamp)
+        )
+      })[0]
+
+    if (
+      !newestEpss ||
+      !newestEpss.timestamp ||
+      !newestRevisionHistoryItem ||
+      !newestRevisionHistoryItem.date
+    ) {
+      return context
+    }
+
+    const revisionDateObj = new Date(newestRevisionHistoryItem.date)
+    const epssDateObj = new Date(newestEpss.timestamp)
+
+    // difference in milliseconds
+    const diffInMs = revisionDateObj.getTime() - epssDateObj.getTime()
+    // 15 days in milliseconds
+    const fifteenDaysMs = 15 * 24 * 60 * 60 * 1000
+
+    if (diffInMs > fifteenDaysMs) {
+      context.warnings.push({
+        instancePath: `/vulnerabilities/${vulnerabilityIndex}/metrics/content/epss/timestamp`,
+        message:
+          `the status is ${status}, but the EPSS "timestamp:" ${newestEpss.timestamp} is more than 15 days ` +
+          `older than the newest "revision history date:" ${newestRevisionHistoryItem.date}`,
+      })
+    }
+  })
+
+  return context
+}
diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js
@@ -61,7 +61,6 @@ const excluded = [
   '6.2.39.3',
   '6.2.39.4',
   '6.2.40',
-  '6.2.41',
   '6.2.42',
   '6.2.43',
   '6.2.44',
diff --git a/tests/csaf_2_1/recommendedTest_6_2_41.js b/tests/csaf_2_1/recommendedTest_6_2_41.js
@@ -0,0 +1,96 @@
+import assert from 'node:assert'
+import { recommendedTest_6_2_41 } from '../../csaf_2_1/recommendedTests.js'
+
+describe('recommendedTest_6_2_41', function () {
+  it('only runs on relevant documents', function () {
+    assert.equal(
+      recommendedTest_6_2_41({ vulnerabilities: 'mydoc' }).warnings.length,
+      0
+    )
+  })
+
+  it('skips status draft', function () {
+    assert.equal(
+      recommendedTest_6_2_41({
+        document: {
+          tracking: {
+            revision_history: [],
+            status: 'draft',
+          },
+        },
+        vulnerabilities: [],
+      }).warnings.length,
+      0
+    )
+  })
+
+  it('skips empty revision_history object', function () {
+    assert.equal(
+      recommendedTest_6_2_41({
+        document: {
+          tracking: {
+            revision_history: [
+              {}, // should be ignored
+            ],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [],
+      }).warnings.length,
+      0
+    )
+  })
+
+  it('skips empty metrics object', function () {
+    assert.equal(
+      recommendedTest_6_2_41({
+        document: {
+          tracking: {
+            revision_history: [{ date: '2024-01-24T10:00:00.000Z' }],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {
+            metrics: [
+              {}, // should be ignored
+            ],
+          },
+        ],
+      }).warnings.length,
+      0
+    )
+  })
+
+  it('skips empty epss object', function () {
+    assert.equal(
+      recommendedTest_6_2_41({
+        document: {
+          tracking: {
+            revision_history: [{ date: '2024-01-24T10:00:00.000Z' }],
+            status: 'final',
+          },
+        },
+        vulnerabilities: [
+          {
+            metrics: [
+              {
+                content: {
+                  epss: {}, // should be ignored
+                },
+              },
+              {
+                content: {
+                  epss: {
+                    timestamp: '2024-01-01T10:00:00.000Z',
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      }).warnings.length,
+      1
+    )
+  })
+})
