RedHatProductSecurity / cvelib

A Python library and command line interface for CVE Services.
MIT License

Weird error message when validating a record with missing references. #83

Closed MrSeccubus closed 3 months ago

MrSeccubus commented 4 months ago

I have this record: https://github.com/DIVD-NL/cna-bot/blob/main/error-cves/cve_5.1/refs/01.missing/CVE-1999-0012.json

When I validate it with this code:

        from cvelib.cve_api import CveRecord, CveRecordValidationError

        if "containers" in json_data and "cna" in json_data["containers"]:
            try:
                # Validates the CNA container against the bundled CVE 5.x schema
                CveRecord.validate(json_data["containers"]["cna"])
            except CveRecordValidationError as e:
                # e.errors holds the jsonschema ValidationError objects;
                # str(error) prints the message followed by the failing sub-schema
                error_str = "Schema validation of CVE record failed."
                for error in e.errors:
                    error_str = "{}\n{}\n\n---".format(error_str, error)
                results.append(error_str)

error_str is returned as this:

'references' is a required property

Failed validating 'required' in schema:
    {'$comment': 'The character . is restricted in names allowed by '
                 'patternProperties to work-around naming limitations in '
                 'some common implementations.',
     '$schema': 'http://json-schema.org/draft-07/schema#',
     'additionalProperties': False,
     'definitions': {'affected': {'description': 'List of affected '
                                                 'products.',
                                  'items': {'$ref': '#/definitions/product'},
                                  'minItems': 1,
                                  'type': 'array'},
                     'cnaTags': {'description': 'Tags provided by a CNA '
                                                'describing the CVE '
                                                'Record.',
                                 'items': {'oneOf': [{'$ref': '#/definitions/tagExtension'},
                                                     {'$id': 'https://cve.mitre.org/cve/v5_00/tags/cna/',
                                                      '$schema': 'http://json-schema.org/draft-07/schema#',
                                                      'description': 'exclusively-hosted-service: '
                                                                     'All '
                                                                     'known '
                                                                     'software '
                                                                     'and/or '
                                                                     'hardware '
                                                                     'affected '
                                                                     'by '
                                                                     'this '
                                                                     'CVE '
                                                                     'Record '
                                                                     'is '
                                                                     'known '
                                                                     'to '
                                                                     'exist '
                                                                     'only '
                                                                     'in '
                                                                     'the '
                                                                     'affected '
                                                                     'hosted '
                                                                     'service. '
                                                                     'If '
<snip>
                                                      'enum': ['unsupported-when-assigned',
                                                               'exclusively-hosted-service',
                                                               'disputed'],
                                                      'type': 'string'}]},
                                 'minItems': 1,
                                 'type': 'array',
                                 'uniqueItems': True},
                     'configurations': {'description': 'Configurations '
                                                       'required for '
                                                       'exploiting this '
                                                       'vulnerability.',
                                        'items': {'$ref': '#/definitions/description'},
                                        'minItems': 1,
                                        'type': 'array',
                                        'uniqueItems': True},
                     'credits': {'description': 'Statements acknowledging '
                                                'specific people, '
                                                'organizations, or tools '
                                                'recognizing the work done '
                                                'in researching, '
                                                'discovering, remediating '
                                                'or helping with '
                                                'activities related to '
                                                'this CVE.',
                                 'items': {'additionalProperties': False,
                                           'properties': {'lang': {'$ref': '#/definitions/language',
                                                                   'description': 'The '
                                                                                  'language '
                                                                                  'used '
                                                                                  'when '
                                                                                  'describing '
                                                                                  'the '
                                                                                  'credits. '
                                                                                  'The '
<snip>

Not sure if this is your bug or a bug in the Draft7Validator.

mprpic commented 4 months ago

The error message is fairly clear: 'references' is a required property :-) Your record is missing references which are a required field: https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_cna_references

MrSeccubus commented 4 months ago

It is correct in stating that; what is weird is that the sentence that starts with exclusively-hosted-service: is turned into an array of words and thus makes for a very, very (3 screens) long output that cannot be presented to an end user.

I cannot spot anything in your code that might do this, so I suspect this is an upstream bug in the Draft7Validator.

mprpic commented 4 months ago

It's just the way that the schema gets printed by the validator because the issue is in one of the required elements at the top level set of definitions. If the issue was somewhere deeper in a more specific schema element, the output would be much smaller. But yes, it's a bit harder to navigate the output unless you're familiar with it. You can choose to ignore it and only report error_str :wink:
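Added example, not code from cvelib or from either commenter: the advice above is to report only the error message instead of `str(error)`, which appends the whole failing sub-schema (the three-screen output in the issue). The block below uses a hand-written validator for a small subset of JSON Schema keywords (`type`, `required`, `minItems`, nested `properties`) so it runs without the jsonschema package; its `SchemaError` mirrors the attributes that a `jsonschema.ValidationError` exposes (`message`, `absolute_path`, `validator`, `schema`), so `format_errors` can be applied to real errors from `e.errors` in the same way. The schema and records are constructed and only cover a few fields of the CVE 5.x `cna` container.

```python
"""Compact, end-user-friendly reporting of JSON Schema validation errors."""
from dataclasses import dataclass


@dataclass
class SchemaError:
    """Same shape as the fields of jsonschema.ValidationError used below."""
    message: str      # ValidationError.message
    path: list        # ValidationError.absolute_path, as a list
    validator: str    # keyword that failed, e.g. 'required'
    schema: dict      # the (sub)schema the instance was checked against


# Constructed subset of the CVE 5.x 'cna' container schema (not the real one).
CNA_SUBSET_SCHEMA = {
    "type": "object",
    "required": ["providerMetadata", "descriptions", "affected", "references"],
    "properties": {
        "providerMetadata": {"type": "object", "required": ["orgId"]},
        "descriptions": {"type": "array", "minItems": 1},
        "affected": {"type": "array", "minItems": 1},
        "references": {"type": "array", "minItems": 1},
    },
}

TYPES = {"object": dict, "array": list, "string": str}


def iter_errors(instance, schema, path=()):
    """Depth-first check of 'type', 'required', 'minItems' and nested 'properties'."""
    path = list(path)
    expected = TYPES.get(schema.get("type"))
    if expected and not isinstance(instance, expected):
        yield SchemaError(f"{instance!r} is not of type '{schema['type']}'",
                          path, "type", schema)
        return  # the remaining keywords assume the right type
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                yield SchemaError(f"'{key}' is a required property",
                                  path, "required", schema)
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                yield from iter_errors(instance[key], sub, path + [key])
    if isinstance(instance, list):
        n = schema.get("minItems")
        if n is not None and len(instance) < n:
            yield SchemaError(f"{instance!r} is too short", path, "minItems", schema)


def format_errors(errors, verbose=False):
    """One line per error: message, instance path and failing keyword.

    verbose=True also dumps the sub-schema, which is what str(ValidationError)
    does and what produced the very long output quoted in this issue.
    """
    lines = []
    for err in errors:
        where = "/".join(str(p) for p in err.path) or "<root>"
        lines.append(f"{err.message} (at {where}, keyword '{err.validator}')")
        if verbose:
            lines.append(f"  schema: {err.schema}")
    return lines


def validate_cna(container, verbose=False):
    """Return the list of formatted error lines; empty list means valid."""
    return format_errors(iter_errors(container, CNA_SUBSET_SCHEMA), verbose)


# Constructed record that, like the one in the issue, has no 'references'.
CNA_MISSING_REFS = {
    "providerMetadata": {"orgId": "00000000-0000-0000-0000-000000000000"},
    "descriptions": [{"lang": "en", "value": "constructed description"}],
    "affected": [{"vendor": "example", "product": "example"}],
}

if __name__ == "__main__":
    for line in validate_cna(CNA_MISSING_REFS):
        print(line)
```

With the real library, `e.errors` from `CveRecordValidationError` can be passed to `format_errors` after mapping each `ValidationError` to `SchemaError(err.message, list(err.absolute_path), err.validator, err.schema)`; the one-line form is what to show an end user, and the verbose form is what to log for debugging.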

MrSeccubus commented 4 months ago

I've raised it as a ticket in the python-jsonschema project: https://github.com/python-jsonschema/jsonschema/issues/1260

MrSeccubus commented 4 months ago

For me personally error_str is too general and what I have now too verbose (because of this bug).

mprpic commented 3 months ago

I don't think this is something we should work around in cvelib, so I'd suggest trying to submit patches to jsonschema to improve the formatting of the schema, or add some way to produce different levels of details for the printed schema.