oasis-tcs · tschmidtb51 · Sep 25, 2024 · Aug 27, 2024 · Aug 27, 2024 · Aug 27, 2024
diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -705,3 +705,121 @@ The relevant path for this test is:
 
 > A tool MAY remove the document tracking id from the document title.
 > It SHOULD also remove any separating characters including whitespace, colon, dash and brackets.
+
+### Usage of Deprecated CWE
+
+For each item in the CWE array it MUST be tested that the CWE is not deprecated in the given version.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/cwes[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+     "cwes": [
+        {
+          "id": "CWE-596",
+          "name": "DEPRECATED: Incorrect Semantic Object Comparison",
+          "version": "4.13"
+        }
+      ]
+```
+
+> The `CWE-596` is deprecated in version `4.13`.
+
+> A tool MAY suggest to replace the deprecated CWE with its replacement or closest equivalent.
+
+### Usage of Non-Latest CWE Version
+
+For each item in the CWE array it MUST be tested that the latest CWE version available at the time of the last revision was used.
+The test SHALL fail if a later CWE version was used.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/cwes[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "document": {
+    // ...
+    "tracking": {
+      "current_release_date": "2024-01-21T10:00:00.000Z",
+      // ...
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cwes": [
+        {
+          "id": "CWE-256",
+          "name": "Plaintext Storage of a Password",
+          "version": "4.12"
+        }
+      ]
+    }
+  ]
+```
+
+> The CWE version listed is `4.12`. However, version `4.13` was most recent version when the document was released on `2024-01-21T10:00:00.000Z`.
+
+> A tool MAY suggest to use the latest version available at the time of the `current_release_date`.
+> This is most likely also the overall latest CWE version as modifications to a CSAF document lead to a new `current_release_date`.
+
+### Usage of CWE Not Allowed for Vulnerability Mapping
+
+For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed.
+
+> Currently, this includes the two usage state `Allowed` and `Allowed-with-Review`.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/cwes[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+      "cwes": [
+        {
+          "id": "CWE-20",
+          "name": "Improper Input Validation",
+          "version": "4.13"
+        }
+      ]
+```
+
+> The usage of CWE-20 is discouraged as "is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available". [cite](https://cwe.mitre.org/data/definitions/20.html#Vulnerability_Mapping_Notes_20)
+
+### Usage of CWE Allowed with Review for Vulnerability Mapping
+
+For each item in the CWE array it MUST be tested that the vulnerability mapping is allowed without review.
+
+> Reasoning: CWEs marked with a vulnerability mapping state of `Allowed-with-Review` should only be used if a thorough review was done.
+> This test helps to flag such mappings which can be used to trigger processes that ensure the extra review, e.g. by a senior analyst.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/cwes[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+      "cwes": [
+        {
+          "id": "CWE-1023",
+          "name": "Incomplete Comparison with Missing Factors",
+          "version": "4.13"
+        }
+      ]
+```
+
+> The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023)
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-01.json
@@ -0,0 +1,43 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Optional test: Usage of Deprecated CWE (failing example 1)",
+    "tracking": {
+      "current_release_date": "2024-01-21T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-01",
+      "initial_release_date": "2024-01-21T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-21T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cwes": [
+        {
+          "id": "CWE-596",
+          "name": "DEPRECATED: Incorrect Semantic Object Comparison",
+          "version": "4.13"
+        }
+      ]
+    }
+  ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-02.json
@@ -0,0 +1,58 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Optional test: Usage of Deprecated CWE (failing example 2)",
+    "tracking": {
+      "current_release_date": "2024-01-21T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-02",
+      "initial_release_date": "2024-01-21T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-21T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cwes": [
+        {
+          "id": "CWE-1324",
+          "name": "DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface",
+          "version": "4.10"
+        },
+        {
+          "id": "CWE-300",
+          "name": "Channel Accessible by Non-Endpoint",
+          "version": "4.10"
+        },
+        {
+          "id": "CWE-923",
+          "name": "Improper Restriction of Communication Channel to Intended Endpoints",
+          "version": "4.10"
+        },
+        {
+          "id": "CWE-284",
+          "name": "Improper Access Control",
+          "version": "4.10"
+        }
+      ]
+    }
+  ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-03.json
@@ -0,0 +1,61 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Optional test: Usage of Deprecated CWE (failing example 3)",
+    "tracking": {
+      "current_release_date": "2024-01-21T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-03",
+      "initial_release_date": "2024-01-21T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-21T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cwes": [
+        {
+          "id": "CWE-602",
+          "name": "Client-Side Enforcement of Server-Side Security",
+          "version": "4.13"
+        }
+      ]
+    },
+    {
+      "cwes": [
+        {
+          "id": "CWE-1004",
+          "name": "Sensitive Cookie Without 'HttpOnly' Flag",
+          "version": "4.13"
+        }
+      ]
+    },
+    {
+      "cwes": [
+        {
+          "id": "CWE-365",
+          "name": "DEPRECATED: Race Condition in Switch",
+          "version": "4.13"
+        }
+      ]
+    }
+  ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-11.json
@@ -0,0 +1,43 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Optional test: Usage of Deprecated CWE (valid example 1)",
+    "tracking": {
+      "current_release_date": "2024-01-21T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-11",
+      "initial_release_date": "2024-01-21T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-21T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cwes": [
+        {
+          "id": "CWE-596",
+          "name": "Incorrect Semantic Object Comparison",
+          "version": "3.0"
+        }
+      ]
+    }
+  ]
+}
diff --git a/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json b/csaf_2.1/test/validator/data/optional/oasis_csaf_tc-csaf_2_1-2024-6-2-23-12.json
@@ -0,0 +1,53 @@
+{
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
+  "document": {
+    "category": "csaf_base",
+    "csaf_version": "2.1",
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    "publisher": {
+      "category": "other",
+      "name": "OASIS CSAF TC",
+      "namespace": "https://csaf.io"
+    },
+    "title": "Optional test: Usage of Deprecated CWE (valid example 2)",
+    "tracking": {
+      "current_release_date": "2024-01-21T10:00:00.000Z",
+      "id": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-23-12",
+      "initial_release_date": "2024-01-21T10:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-21T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cwes": [
+        {
+          "id": "CWE-319",
+          "name": "Cleartext Transmission of Sensitive Information",
+          "version": "4.10"
+        },
+        {
+          "id": "CWE-311",
+          "name": "Missing Encryption of Sensitive Data",
+          "version": "4.10"
+        },
+        {
+          "id": "CWE-693",
+          "name": "Protection Mechanism Failure",
+          "version": "4.10"
+        }
+      ]
+    }
+  ]
+}