search

davishmcclurg / json_schemer

JSON Schema validator. Supports drafts 4, 6, 7, 2019-09, 2020-12, OpenAPI 3.0, and OpenAPI 3.1.
MIT License
399 stars 64 forks source link

Complex json schema appears to leave boxed Schema during token traversal #159

Closed brphelps closed 10 months ago

brphelps commented 10 months ago

The CVE JSON schema is public and located at https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json .

After trying to upgrade to version 2.0 of json_schemer, I've noticed that the parsing process no longer seems to handle items under the URI https://cve.org/cve/record/v5_00/#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType

We get a NoMethodError: Image

from https://github.com/davishmcclurg/json_schemer/blob/332cb2e5ae7125c04f29eed27548150d3f04f188/lib/json_schemer/schema.rb#L204

I've noticed that the contents of parsed in these cases is an anyOf Schema, and the code seems to no longer throw if we just do another .parsed when that happens, a la: 

else
  if obj.parsed.is_a? Schema
    obj.parsed.parsed.fetch(token)
  else 
    obj.parsed.fetch(token)
  end
end

I don't know if the above change is logically correct or not, but it seems like there is a way for an obj.parsed value to currently have another Schema inside it.

davishmcclurg commented 10 months ago

Thanks for reporting this, @brphelps! It looks like refs to/through some keywords are pretty broken. Do you mind trying out this fix? https://github.com/davishmcclurg/json_schemer/pull/160

brphelps commented 10 months ago

At the very least I can see that no more errors are raising when I try to validate using the schema 🤔 so that seems like at least a partial improvement.

davishmcclurg commented 10 months ago

At the very least I can see that no more errors are raising when I try to validate using the schema 🤔 so that seems like at least a partial improvement.

Does it return validation errors as expected? Or is something still not working?

brphelps commented 10 months ago

I do see it processing a rule that it previously errored out on. I'm not sure if it's doing it completely correctly. I tried testing this file against the schema:

sample.json

This validates out of the box with the schema I mentioned above.

I tried changing attackVector to be "WAITING1" instead of "WAITING". I saw an error message I expected, but also many I did not: 

["value at `/containers/cna/metrics/0/cvssV3_1/attackVector` is not one of: [\"NETWORK\", \"ADJACENT_NETWORK\", \"LOCAL\", \"PHYSICAL\"]",
 "value at `/cveMetadata/state` is not one of: [\"REJECTED\"]",
 "object property at `/containers/cna/title` is not defined and schema does not allow additional properties",
 "object property at `/containers/cna/problemTypes` is not defined and schema does not allow additional properties",
 "object property at `/containers/cna/metrics` is not defined and schema does not allow additional properties",
 "object property at `/containers/cna/references` is not defined and schema does not allow additional properties",
 "object property at `/containers/cna/affected` is not defined and schema does not allow additional properties",
 "object property at `/containers/cna/descriptions` is not defined and schema does not allow additional properties",
 "object property at `/containers/cna/source` is not defined and schema does not allow additional properties",
 "object at `/containers/cna` is missing required properties: rejectedReasons"]

So, assuming this is correct, it appears to be working.

davishmcclurg commented 10 months ago

From what I can tell, those errors are correct. It looks like the unexpected errors are coming from the second oneOf branch because the first branch no longer matches when you change attackVector.

Thanks for testing it out!