Closed ThomasJunk closed 11 months ago
> I suggest to postpone the schema validation to a later point in time.
Agreed. Validation is not a key part of the viewer...
To document (for later reference), how the issue can be solved:
Approach 1: Use AJV but convert the schemas to a single standard upfront. This was implemented in csaf-validator-lib. Pro: no additional libraries; Con: maintenance
Approach 2: preferred
Use the csaf-validator-lib. However, to execute the lib in the context of the browser, one cannot use the `validateStrict` function as it loads all tests (including those that cannot be executed in the context of a browser). Instead the same approach as in Secvisogram needs to be used: Use the `validate` function but ensure that the test functions that are passed during the call are valid in the library and can't be user-controlled.
@ThomasJunk Please also add the resolution to stack overflow to help the community ;-)
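A sketch of the constraint in Approach 2, as an added example that is not part of the thread or of csaf-validator-lib: untrusted input may only name tests, and the functions handed to `validate` always come from a fixed registry. `LIBRARY_TESTS`, `resolveTests`, the two test functions and the local `validate` are hypothetical stand-ins so the block runs offline.

```javascript
// Stand-in for the test functions a validator library ships (hypothetical
// names and bodies; the real tests live in csaf-validator-lib).
const LIBRARY_TESTS = Object.freeze({
  requireTitle: (doc) => ({
    name: 'requireTitle',
    isValid: typeof doc?.document?.title === 'string' && doc.document.title.length > 0,
  }),
  requireTrackingId: (doc) => ({
    name: 'requireTrackingId',
    isValid: typeof doc?.document?.tracking?.id === 'string',
  }),
});

// Turn untrusted test *names* (URL parameter, config, uploaded file) into
// functions. Only own keys of the frozen registry resolve, so inherited keys
// such as "constructor" and any function objects in the input are rejected.
function resolveTests(requestedNames) {
  if (!Array.isArray(requestedNames)) throw new TypeError('expected an array of names');
  return requestedNames.map((name) => {
    const known = typeof name === 'string' &&
      Object.prototype.hasOwnProperty.call(LIBRARY_TESTS, name);
    if (!known) throw new RangeError(`unknown test: ${String(name)}`);
    return LIBRARY_TESTS[name];
  });
}

// Minimal stand-in for a validate(tests, doc) call: run each vetted test.
function validate(tests, doc) {
  const results = tests.map((test) => test(doc));
  return { isValid: results.every((r) => r.isValid), results };
}

// Constructed sample document, not a real advisory.
const sampleDoc = { document: { title: 'Example advisory', tracking: {} } };

function demo() {
  const ok = validate(resolveTests(['requireTitle']), sampleDoc);
  const all = validate(resolveTests(Object.keys(LIBRARY_TESTS)), sampleDoc);
  const rejected = [];
  for (const bad of ['constructor', '__proto__', () => ({ isValid: true })]) {
    try { resolveTests([bad]); } catch (e) { rejected.push(e.name); }
  }
  return { ok: ok.isValid, all: all.isValid, rejected };
}
console.log(demo());
```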
> @ThomasJunk Please also add the resolution to stack overflow to help the community ;-)
Hm. I don't know yet.
The question was related to "ajv" and different schema-versions - so "normalizing" would circumvent the problem but not really solve it.
> > @ThomasJunk Please also add the resolution to stack overflow to help the community ;-)
>
> Hm. I don't know yet.
> The question was related to "ajv" and different schema-versions - so "normalizing" would circumvent the problem but not really solve it.
True: It's a workaround...
Out of scope
At first it seemed like the proper thing to do after loading to simply validate the incoming document. Unfortunately this turned out harder than at first sight.
1) Using the common library of AJV I had discovered that the document specification of the schema has itself a specification of `2012-12` of JSON-Schema. Referenced are schemata like `https://www.first.org/cvss/cvss-v2.0.json` which is `draft-04` or `https://www.first.org/cvss/cvss-v3.1.json` which is `draft-07`. Simply combining these schemata didn't work. On top `draft-04` is not supported in the current version of `ajv`. I opened a stack overflow question but without results (at the time of writing this 2023-07-05) so far. I even copied the approach from here which resulted in `no schema with key or ref "http://json-schema.org/draft-04/schema#"` (the gist)

2) I tried to include the csaf-validator-library with their instructions. It turns out that it doesn't seem to work in browser context.
I suggest to postpone the schema validation to a later point in time.