csaf-poc / csaf_webview

Web app (module) to display a CSAF 2 document and to browse CSAF 2 ROLIE feeds. ⚠️ The web demo is often not allowed to access servers:
https://csaf-poc.github.io/csaf_webview/

How to deal with validation of CSAF documents? #1

Closed ThomasJunk closed 11 months ago

ThomasJunk commented 1 year ago

At first it seemed like the proper thing to do after loading to simply validate the incoming document. Unfortunately this turned out harder than at first sight.

1) Using the common library AJV, I had discovered that the document specification of the schema has itself a specification of 2020-12 of JSON Schema. Referenced are schemata like https://www.first.org/cvss/cvss-v2.0.json, which is draft-04, or https://www.first.org/cvss/cvss-v3.1.json, which is draft-07. Simply combining these schemata didn't work. On top of that, draft-04 is not supported in the current version of AJV. I opened a Stack Overflow question but without results (at the time of writing this, 2023-07-05) so far. I even copied the approach from here, which resulted in the error 'no schema with key or ref "http://json-schema.org/draft-04/schema#"' (the gist).

2) I tried to include the csaf-validator-library with their instructions. It turns out that it doesn't seem to work in browser context.

I suggest to postpone the schema validation to a later point in time.

tschmidtb51 commented 1 year ago

I suggest to postpone the schema validation to a later point in time.

Agreed. Validation is not a key part of the viewer...

tschmidtb51 commented 1 year ago

To document (for later reference), how the issue can be solved:

Approach 1: Use AJV but convert the schemas to a single standard upfront. This was implemented in csaf-validator-lib. Pro: no additional libraries; Con: maintenance

Approach 2 (preferred): Use the csaf-validator-lib. However, to execute the lib in the context of the browser, one cannot use the validateStrict function as it loads all tests (including those that cannot be executed in the context of a browser). Instead the same approach as in Secvisogram needs to be used: Use the validate function but ensure that the test functions that are passed during the call are valid in the library and can't be user-controlled.
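The following is an added, self-contained illustration of the pattern described in Approach 2 (only a fixed, library-defined set of test functions is ever executed, selected by name from a frozen allow-list, so neither the caller nor the document can control which code runs). It is not code from csaf_webview or csaf-validator-lib; the test names, the result shape, the validate/validateAll helpers and the sample advisory are assumptions made for this example.

```javascript
// Added example (not code from csaf_webview or csaf-validator-lib) of the
// pattern described above: run only test functions that the library itself
// defines, selected by name from a frozen allow-list, so the list of tests
// executed can never be controlled by the caller or by the document.
// The test names, the result shape and the sample advisory below are
// assumptions made for this illustration.

// Registry of the tests that are safe to run in a browser. Each test takes
// a parsed CSAF 2.0 document and returns an array of errors (empty = pass).
const BROWSER_SAFE_TESTS = Object.freeze({
  csafVersion(doc) {
    return doc?.document?.csaf_version === '2.0'
      ? []
      : [{ instancePath: '/document/csaf_version', message: 'must be "2.0"' }];
  },
  titleNotEmpty(doc) {
    const title = doc?.document?.title;
    return typeof title === 'string' && title.trim() !== ''
      ? []
      : [{ instancePath: '/document/title', message: 'must be a non-empty string' }];
  },
  trackingIdPresent(doc) {
    const id = doc?.document?.tracking?.id;
    return typeof id === 'string' && id !== ''
      ? []
      : [{ instancePath: '/document/tracking/id', message: 'is required' }];
  },
});

// Resolve test names against the allow-list and run them. Names are looked
// up with hasOwnProperty so that inherited properties such as "constructor"
// cannot be reached, and anything that is not a registered name (including
// a function object passed in directly) is rejected instead of executed.
function validate(testNames, doc) {
  const results = [];
  for (const name of testNames) {
    if (typeof name !== 'string' ||
        !Object.prototype.hasOwnProperty.call(BROWSER_SAFE_TESTS, name)) {
      throw new Error(`refusing to run unknown test: ${String(name)}`);
    }
    results.push({ name, errors: BROWSER_SAFE_TESTS[name](doc) });
  }
  return { isValid: results.every((r) => r.errors.length === 0), tests: results };
}

// Convenience: run every allow-listed test.
function validateAll(doc) {
  return validate(Object.keys(BROWSER_SAFE_TESTS), doc);
}

// Constructed sample advisory (only the fields the tests above look at).
const SAMPLE_ADVISORY = {
  document: {
    category: 'csaf_base',
    csaf_version: '2.0',
    title: 'Constructed sample advisory',
    tracking: { id: 'EXAMPLE-0001', status: 'final', version: '1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(validateAll(SAMPLE_ADVISORY), null, 2));
}
```

The point of the allow-list is that the viewer decides which tests run at build time; a document fetched from a ROLIE feed, or a query parameter, can at most name a test that already exists and is known to work in the browser, and any other value is refused before anything is executed.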

tschmidtb51 commented 1 year ago

@ThomasJunk Please also add the resolution to stack overflow to help the community ;-)

ThomasJunk commented 1 year ago

@ThomasJunk Please also add the resolution to stack overflow to help the community ;-)

Hm. I don't know yet.

The question was related to "ajv" and different schema-versions - so "normalizing" would circumvent the problem but not really solve it.

tschmidtb51 commented 1 year ago

@ThomasJunk Please also add the resolution to stack overflow to help the community ;-)

Hm. I don't know yet.

The question was related to "ajv" and different schema-versions - so "normalizing" would circumvent the problem but not really solve it.

True: It's a workaround...

ThomasJunk commented 11 months ago

Out of scope