Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NotAffected requires impactStatement and/or justificationType #923

Open
ilans opened this issue Nov 14, 2024 · 1 comment
Open

NotAffected requires impactStatement and/or justificationType #923

ilans opened this issue Nov 14, 2024 · 1 comment
Labels
Profile:Security Security Profile and related matters RDF/OWL/SHACL RDF graph, schema, ontology, constraint
Milestone

Comments

@ilans
Copy link
Collaborator

ilans commented Nov 14, 2024

In VexNotAffectedVulnAssessmentRelationship:

Both impactStatement and justificationType properties have a cardinality of 0..1 making them optional. Nevertheless, to produce a valid VEX not_affected statement, one of them MUST be defined. This is specified in the Minimum Elements for VEX.

Or in other words, even though:

Property Type minCount maxCount
impactStatement xsd:string 0 1
justificationType VexJustificationType 0 1

At least one is required (both is fine).

Suggested SHACL shapes:

@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix spdxsec: <https://spdx.org/rdf/3.0.1/terms/Security/> .

spdxsec:VexNotAffectedVulnAssessmentRelationship
    sh:or (
        [ sh:property [
            sh:path spdxsec:impactStatement ;
            sh:minCount 1 ;
        ] ]
        [ sh:property [
            sh:path spdxsec:justificationType ;
            sh:minCount 1 ;
        ] ]
    ) ;
    sh:message "One of impactStatement or justificationType is required. Including both is also allowed." .

Test data:

@prefix ex: <http://example.org/ns#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix spdxcore: <https://spdx.org/rdf/3.0.1/terms/Core/> .
@prefix spdxsw: <https://spdx.org/rdf/3.0.1/terms/Software/> .
@prefix spdxsec: <https://spdx.org/rdf/3.0.1/terms/Security/> .
@prefix spdxsecjust: <https://spdx.org/rdf/3.0.1/terms/Security/VexJustificationType/> .

spdxsecjust:componentNotPresent a spdxsec:VexJustificationType .
spdxsecjust:vulnerableCodeNotPresent a spdxsec:VexJustificationType .
spdxsecjust:vulnerableCodeCannotBeControlledByAdversary a spdxsec:VexJustificationType .
spdxsecjust:vulnerableCodeNotInExecutePath a spdxsec:VexJustificationType .
spdxsecjust:inlineMitigationsAlreadyExist a spdxsec:VexJustificationType .

ex:MyAgent
    a spdxcore:Agent ;
    spdxcore:creationInfo _:MyCreationInfo .

_:MyCreationInfo
    a spdxcore:CreationInfo ;
    spdxcore:createdBy ex:MyAgent ;
    spdxcore:created "2024-09-04T20:25:34Z"^^xsd:dateTimeStamp ;
    spdxcore:specVersion "3.0.1" .

ex:MyPackage
    a spdxsw:Package ;
    spdxcore:creationInfo _:MyCreationInfo .

ex:MyVulnerability
    a spdxsec:Vulnerability ;
    spdxcore:creationInfo _:MyCreationInfo .

ex:ShouldPassWithImpactStatement
    a spdxsec:VexNotAffectedVulnAssessmentRelationship ;
    spdxcore:creationInfo _:MyCreationInfo ;
    spdxcore:from ex:MyVulnerability ;
    spdxcore:to ex:MyPackage ;
    spdxsec:impactStatement "This is an impact statement" .

ex:ShouldPassJustificationType
    a spdxsec:VexNotAffectedVulnAssessmentRelationship ;
    spdxcore:creationInfo _:MyCreationInfo ;
    spdxcore:from ex:MyVulnerability ;
    spdxcore:to ex:MyPackage ;
    spdxsec:justificationType spdxsecjust:componentNotPresent .

ex:ShouldFailBothAreMissing
    a spdxsec:VexNotAffectedVulnAssessmentRelationship ;
    spdxcore:creationInfo _:MyCreationInfo ;
    spdxcore:from ex:MyVulnerability ;
    spdxcore:to ex:MyPackage .

ex:ShouldFailTooManyImpactStatement
    a spdxsec:VexNotAffectedVulnAssessmentRelationship ;
    spdxcore:creationInfo _:MyCreationInfo ;
    spdxcore:from ex:MyVulnerability ;
    spdxcore:to ex:MyPackage ;
    spdxsec:impactStatement "This is an impact statement" ;
    spdxsec:impactStatement "Here's another impact statement" .

ex:ShouldFailTooManyJustificationType
    a spdxsec:VexNotAffectedVulnAssessmentRelationship ;
    spdxcore:creationInfo _:MyCreationInfo ;
    spdxcore:from ex:MyVulnerability ;
    spdxcore:to ex:MyPackage ;
    spdxsec:justificationType spdxsecjust:componentNotPresent ;
    spdxsec:justificationType spdxsecjust:vulnerableCodeNotPresent .

Test script:
https://raw.githubusercontent.com/condots/dots/refs/heads/main/scripts/test-shacl.py

Test results:

----------------------------------------------------------------------------------------------------
Violation message: More than 1 values on ex:ShouldFailTooManyJustificationType->spdxsec:justificationType
Violation constraint: MaxCountConstraintComponent
Violation value: None
Property path: https://spdx.org/rdf/3.0.1/terms/Security/justificationType
Focus node: http://example.org/ns#ShouldFailTooManyJustificationType
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
Violation message: More than 1 values on ex:ShouldFailTooManyImpactStatement->spdxsec:impactStatement
Violation constraint: MaxCountConstraintComponent
Violation value: None
Property path: https://spdx.org/rdf/3.0.1/terms/Security/impactStatement
Focus node: http://example.org/ns#ShouldFailTooManyImpactStatement
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
Violation message: One of impactStatement or justificationType is required. Including both is also allowed.
Violation constraint: OrConstraintComponent
Violation value: http://example.org/ns#ShouldFailBothAreMissing
Property path: None
Focus node: http://example.org/ns#ShouldFailBothAreMissing
----------------------------------------------------------------------------------------------------
@ilans ilans added Profile:Security Security Profile and related matters RDF/OWL/SHACL RDF graph, schema, ontology, constraint labels Nov 14, 2024
@goneall
Copy link
Member

goneall commented Nov 14, 2024

Moving to 3.1 since the text already defines the restriction - we can implement the SHACL in the next release.

@goneall goneall added this to the 3.1 milestone Nov 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Profile:Security Security Profile and related matters RDF/OWL/SHACL RDF graph, schema, ontology, constraint
Projects
None yet
Development

No branches or pull requests

2 participants