#!perl
use 5.010001;
use strict;
use warnings;
use Test::More;
use FindBin '$RealBin';
use lib "$RealBin/lib";
use Test::CSAF qw(base_csaf_security_advisory exec_validator_mandatory_test);
use CSAF::Validator::MandatoryTests;
# 6.1.9 Invalid CVSS computation
# It MUST be tested that the given CVSS object has the values computed correctly according to the definition.
# The vectorString SHOULD take precedence.
# The relevant paths for this test are:
# /vulnerabilities[]/scores[]/cvss_v2/baseScore
# /vulnerabilities[]/scores[]/cvss_v2/temporalScore
# /vulnerabilities[]/scores[]/cvss_v2/environmentalScore
# /vulnerabilities[]/scores[]/cvss_v3/baseScore
# /vulnerabilities[]/scores[]/cvss_v3/baseSeverity
# /vulnerabilities[]/scores[]/cvss_v3/temporalScore
# /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity
# /vulnerabilities[]/scores[]/cvss_v3/environmentalScore
# /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity
# Fail test:
# "cvss_v3": {
# "version": "3.1",
# "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
# "baseScore": 10.0,
# "baseSeverity": "LOW"
# }
# Build a fixture advisory with one product and one vulnerability that carries
# two score entries for that product, then run mandatory test 6.1.9 against it.
my $product_id = 'CSAFPID-9080700';

my $csaf = base_csaf_security_advisory();
$csaf->product_tree->full_product_names->add(name => 'Product A', product_id => $product_id);

my $vulnerability = $csaf->vulnerabilities->add(cve => 'CVE-2023-00000');

# CVSS v3 entry: the declared values contradict the vector. Computed from the
# vector, the base score is 6.5 (MEDIUM), so both baseScore and baseSeverity
# are wrong. A consumer that trusts the declared fields instead of recomputing
# from vectorString would mis-prioritise this advisory.
# NOTE(review): the fail example in the header comment also carries
# "version": "3.1", which is not set here -- presumably handled elsewhere;
# confirm the finding is raised for the score mismatch and not for the
# missing field.
my %cvss_v3 = (
    baseScore    => 10.0,
    baseSeverity => 'LOW',
    vectorString => 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H',
);
$vulnerability->scores->add(products => [$product_id], cvss_v3 => \%cvss_v3);

# CVSS v2 entry: this vector does compute to a base score of 10.0, so the
# entry is internally consistent and should not trigger 6.1.9 on its own.
my %cvss_v2 = (
    baseScore    => 10.0,
    vectorString => 'AV:N/AC:L/Au:N/C:C/I:C/A:C',
);
$vulnerability->scores->add(products => [$product_id], cvss_v2 => \%cvss_v2);

# The assertions live in the Test::CSAF helper, which is not visible here.
# NOTE(review): presumably it expects a 6.1.9 finding; verify that it also
# pins the offending path(s), so a finding on the consistent v2 entry would
# not pass unnoticed.
exec_validator_mandatory_test($csaf, '6.1.9');

done_testing;