Skip to content

Implementing 6.2.24 Usage of Non-Latest CWE Version#699

Open
konradweiss wants to merge 2 commits into
csaf-rs:mainfrom
Fraunhofer-AISEC:feature/6.2.24-non-latest-cwe
Open

Implementing 6.2.24 Usage of Non-Latest CWE Version#699
konradweiss wants to merge 2 commits into
csaf-rs:mainfrom
Fraunhofer-AISEC:feature/6.2.24-non-latest-cwe

Conversation

@konradweiss

Copy link
Copy Markdown

Note: Some of the test cases that are expected to fail use a newer version than the current one. For now I have implemented them with the same Error message, which could be changed.

@konradweiss

Copy link
Copy Markdown
Author

Closes #310

@konradweiss konradweiss changed the title Implementing 6.2.24 with tests Implementing 6.2.24 Usage of Non-Latest CWE Version Jun 23, 2026
@peinjoh

peinjoh commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Is this ready to be reviewed?

@konradweiss konradweiss marked this pull request as ready for review June 23, 2026 20:32
@konradweiss konradweiss requested a review from a team as a code owner June 23, 2026 20:32
@konradweiss

Copy link
Copy Markdown
Author

Is this ready to be reviewed?

Yes, and happy to get some advice for improvements :)


#[test]
fn test_test_6_2_24() {
let case_01 = Err(vec![create_non_latest_cwe_error(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let case_01 = Err(vec![create_non_latest_cwe_error(
let case_01_cwe_version_before_latest = Err(vec![create_non_latest_cwe_error(

We try to go for speaking variable names for the failing cases. For these, it's kind of trivial to see whats wrong, but we found this helpful for more complex cases.

Comment on lines +104 to +109
let case_02 = Err(vec![create_non_latest_cwe_error(
"CWE-143",
"4.15",
"4.13",
"/vulnerabilities/0/cwes/0",
)]);

@peinjoh peinjoh Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, I think a speaking var name would help. Also, I would like to point out the error message being generated here:

Weakness 'CWE-143' uses non-latest CWE version 4.15 (latest: 4.13).

This might be confusing to users, as the message does not indicate that the latest CWE version at the time of release is evaluated, and 4.15 is clearly later than 4.13. We could for example a) include a mention of the release date of latest or b) provide a different error message for when latest is "earlier" than the actual version of the CWE.

create_non_latest_cwe_error("CWE-318", "4.14", "4.13", "/vulnerabilities/1/cwes/0"),
create_non_latest_cwe_error("CWE-61", "4.15", "4.13", "/vulnerabilities/2/cwes/0"),
]);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We try to provide a small comment on what the passing test cases do, to allow for a shared unterstanding and discussion of test coverage.

For example:

// Case 11: 1 vuln, 1 correct cwe version, correction of case 01
// Case 12: 1 vuln, 1 correct cwe version, corrrection of case 02
// Case 13: 1 vuln, 3 correct cwe versions, correction of case 03
// Case 14: multiple vulns, multiple correct cwe versions, correction of case 04

Did you find any code paths / gaps during implementation? If so, feel free to open an issue so we can add a supplemental test for it :)

&cwe_item.id,
version,
latest,
format!("/vulnerabilities/{i_r}/cwes/{i_cwe}").as_str(),

@peinjoh peinjoh Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can safe a few string allocations by passing the indices and only having one format! call in the create_non_latest_cwe_error() function here :)

// skip the check (no external CWE data available).
let Some(latest) = latest_version else {
continue;
};

@peinjoh peinjoh Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check can live outside this loop I think, if the latest version is None, this test can not run.

There are ongoing discussions how to handle this (test not being able to run, being skipped for various reasons, ...) upstream (one of them: oasis-tcs/csaf#1231). We had this discussion as #409 in our repo.

Please add a comment on which under which coniditions latest_version can be None, which will help us choose the correct return type during that coming refactor.

Comment on lines +17 to +25
if !date.is_valid() {
return None;
}

// Convert to a date (UTC) and compare against the release dates stored in the CWE assets.
let doc_date: NaiveDate = match date {
CsafDateTime::Valid(v) => v.get_as_utc().date_naive(),
_ => return None,
};

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two checks are duplicate, as date.is_valid() is just matches!(self, CsafDateTime::Valid(_)), which you do in the second statement.

Also, lets discuss if a) this check should be done in the main function, and this function should accept only ValidCsafDatetime structs, and also b if this function should be co-located with CWE_ENTRIES

if let Some(cwes) = vulnerability.get_cwe() {
for (i_cwe, cwe_item) in cwes.iter().enumerate() {
// Require the CWE item to include a version. If missing, the parser
// should have rejected the document; skip checking here.

@peinjoh peinjoh Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is slightly incorrect: CWE version is required for CSAF 2.1 and noneexistent for CSAF 2.0. So the CSAF 2.1 deserialization would have broken before this test could be executed, making this codepath practically unreachable.

This code path should be revisited if we implement #159 (although this test simply does not make sense for CSAF 2.0 and would probably be skipped altogether) and #571, where the strict requirements introduced by our generated type deserialization will not exist and this codepath could be visited.

@peinjoh

peinjoh commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Lastly: A big thank you for your first contribution(s) to your project, if there are any further questions we are happy to help!

I've written a bit more lengthy comments to show you around some of the currently still rough edges of our codebase, my comments might also find their way into #700 or similar so others don't stumble over the same things.

Thanks again, and I look forward to the discussions and your potential future contributions 👍

@konradweiss

Copy link
Copy Markdown
Author

Lastly: A big thank you for your first contribution(s) to your project, if there are any further questions we are happy to help!

I've written a bit more lengthy comments to show you around some of the currently still rough edges of our codebase, my comments might also find their way into #700 or similar so others don't stumble over the same things.

Thanks again, and I look forward to the discussions and your potential future contributions 👍

Thanks, for you review comments :) I will look to address them ASAP, which for me should be on Friday

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants