Closed brphelps closed 10 months ago
Thanks for reporting this, @brphelps! It looks like refs to/through some keywords are pretty broken. Do you mind trying out this fix? https://github.com/davishmcclurg/json_schemer/pull/160
At the very least I can see that no more errors are raising when I try to validate using the schema 🤔 so that seems like at least a partial improvement.
At the very least I can see that no more errors are raising when I try to validate using the schema 🤔 so that seems like at least a partial improvement.
Does it return validation errors as expected? Or is something still not working?
I do see it processing a rule that it previously errored out on. I'm not sure if it's doing it completely correctly. I tried testing this file against the schema:
This validates out of the box with the schema I mentioned above.
I tried changing attackVector to be "WAITING1" instead of "WAITING". I saw an error message I expected, but also many I did not:
["value at `/containers/cna/metrics/0/cvssV3_1/attackVector` is not one of: [\"NETWORK\", \"ADJACENT_NETWORK\", \"LOCAL\", \"PHYSICAL\"]",
"value at `/cveMetadata/state` is not one of: [\"REJECTED\"]",
"object property at `/containers/cna/title` is not defined and schema does not allow additional properties",
"object property at `/containers/cna/problemTypes` is not defined and schema does not allow additional properties",
"object property at `/containers/cna/metrics` is not defined and schema does not allow additional properties",
"object property at `/containers/cna/references` is not defined and schema does not allow additional properties",
"object property at `/containers/cna/affected` is not defined and schema does not allow additional properties",
"object property at `/containers/cna/descriptions` is not defined and schema does not allow additional properties",
"object property at `/containers/cna/source` is not defined and schema does not allow additional properties",
"object at `/containers/cna` is missing required properties: rejectedReasons"]
So, assuming this is correct, it appears to be working.
From what I can tell, those errors are correct. It looks like the unexpected errors are coming from the second oneOf
branch because the first branch no longer matches when you change attackVector
.
Thanks for testing it out!
The CVE JSON schema is public and located at https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json .
After trying to upgrade to version 2.0 of
json_schemer
, I've noticed that the parsing process no longer seems to handle items under the URIhttps://cve.org/cve/record/v5_00/#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType
We get a NoMethodError:
from https://github.com/davishmcclurg/json_schemer/blob/332cb2e5ae7125c04f29eed27548150d3f04f188/lib/json_schemer/schema.rb#L204
I've noticed that the contents of parsed in these cases is an
anyOf
Schema, and the code seems to no longer throw if we just do another.parsed
when that happens, a la:I don't know if the above change is logically correct or not, but it seems like there is a way for an obj.parsed value to currently have another Schema inside it.