gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Double output of an error if a non-schema-conformant provider-metadata.json is parsed #252

Closed mfd2007 closed 2 years ago

mfd2007 commented 2 years ago

"version": "0.9.4-46-g1b0e5b4",

If a provider-metadata.json has one problem in the schema validation, the problem is printed twice in the report.

Example:

Add , "additional_field":"value" to provider-metadata.json

Error report of the checker:

       {
          "num": 7,
          "description": "provider-metadata.json",
          "messages": [
            {
              "type": 1,
              "text": "https://csaf-provider-1.csaf/.well-known/csaf/provider-metadata.json: Validating against JSON schema failed: \u003cnil\u003e"
            },
            {
              "type": 1,
              "text": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#/additionalProperties: additionalProperties 'additional_field' not allowed"
            },
            {
              "type": 1,
              "text": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#: doesn't validate with https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#"
            },
            {
              "type": 1,
              "text": "https://csaf-provider-1/.well-known/csaf/provider-metadata.json: Validating against JSON schema failed: \u003cnil\u003e"
            },
            {
              "type": 1,
              "text": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#/additionalProperties: additionalProperties 'additional_field' not allowed"
            },
            {
              "type": 1,
              "text": "https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#: doesn't validate with https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json#"
            }
          ]
        },
s-l-teichmann commented 2 years ago

I would guess this stems from the fact that we unconditionally load the PMD from .well-known and security.txt. It is essentially the same PMD, so the reports are generated from both.

A potential solution would add a checksum check with the already loaded one (which we have when we load the second one) and omit the validation when the sums are equal.
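The checksum-based deduplication sketched above, as an added Go example that is not gocsaf/csaf's own code: the schema check is stubbed as a top-level-key allowlist (the real checker validates against the full CSAF provider JSON schema), and the URLs and PMD bodies used with it are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// pmdSource: one place the PMD was fetched from (.well-known path or security.txt URL).
type pmdSource struct{ URL, Body string }
// allowedTopLevel stands in for the CSAF provider schema: it only catches unknown top-level keys.
var allowedTopLevel = map[string]bool{
	"canonical_url": true, "distributions": true, "last_updated": true,
	"list_on_CSAF_aggregators": true, "metadata_version": true,
	"mirror_on_CSAF_aggregators": true, "public_openpgp_keys": true,
	"publisher": true, "role": true,
}
// validatePMD returns one text per schema problem found in body.
func validatePMD(body string) []string {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &doc); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	for key := range doc {
		if !allowedTopLevel[key] {
			problems = append(problems, fmt.Sprintf("additionalProperties '%s' not allowed", key))
		}
	}
	sort.Strings(problems) // map iteration order is random; keep the report stable
	return problems
}
// checkSources validates each distinct PMD body once (keyed by SHA-256), so one document reachable via two URLs is reported once.
func checkSources(sources []pmdSource) []string {
	seen := map[[32]byte]string{} // content hash -> URL it was first validated from
	var report []string
	for _, s := range sources {
		sum := sha256.Sum256([]byte(s.Body))
		if first, ok := seen[sum]; ok {
			report = append(report, fmt.Sprintf("%s: same content as %s, validation skipped", s.URL, first))
			continue
		}
		seen[sum] = s.URL
		for _, p := range validatePMD(s.Body) {
			report = append(report, s.URL+": "+p)
		}
	}
	return report
}
```

The skip is still recorded in the report, so a reader can see that the second location was deliberately not re-validated rather than silently dropped.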

s-l-teichmann commented 2 years ago

PR #254 tries very hard to avoid duplicate checks and their reporting.

Fadiabb commented 2 years ago

Fixed with #254. Closing here.