The prose for test 6.1.23 states:
> It MUST be tested that a CVE is not used in multiple vulnerability items.
There is currently one test case for test 6.1.23, which covers a document with two vulnerabilities, both with the same CVE.
We propose to extend the test coverage to include:
- a passing test case (exp. two vulnerabilities, with two different CVEs)
- non-trivial failing test cases to ensure that the generated errors include all erroneous / only the erroneous vulnerabilities, exp:
  a) three vulnerabilities, all with the same CVE
  b) four vulnerabilities, pairs of two of the vulnerabilities with the same CVE
  c) three vulnerabilities, two with the same CVE, the other one with a different CVE
For csaf-rs, we have created the following supplemental test cases:
1: https://github.com/csaf-rs/csaf/blob/4f26b8dbe4a9e0c98ba3eeb8bd9b7f5b7bd87c9e/type-generator/assets/tests/csaf_2.1/mandatory/csaf-rs_csaf-csaf_2_1-6-1-23-s11.json
2a: https://github.com/csaf-rs/csaf/blob/4f26b8dbe4a9e0c98ba3eeb8bd9b7f5b7bd87c9e/type-generator/assets/tests/csaf_2.1/mandatory/csaf-rs_csaf-csaf_2_1-6-1-23-s01.json
2b: https://github.com/csaf-rs/csaf/blob/4f26b8dbe4a9e0c98ba3eeb8bd9b7f5b7bd87c9e/type-generator/assets/tests/csaf_2.1/mandatory/csaf-rs_csaf-csaf_2_1-6-1-23-s02.json
2c: https://github.com/csaf-rs/csaf/blob/4f26b8dbe4a9e0c98ba3eeb8bd9b7f5b7bd87c9e/type-generator/assets/tests/csaf_2.1/mandatory/csaf-rs_csaf-csaf_2_1-6-1-23-s03.json
The links refer to CSAF 2.1 test files, but the same test cases are also available as CSAF 2.0 test files.
This issue was announced here: https://groups.oasis-open.org/discussion/new-issue-improve-6123-test-coverage
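
The four proposed cases, as an added example (not code from csaf-rs or the CSAF specification): a minimal check that maps every CVE used more than once to the JSON pointers of all vulnerability items carrying it. The CVE IDs, the stripped-down documents and the choice to report every occurrence rather than only the repeats are assumptions made for this illustration.

```python
import json
from collections import defaultdict


def duplicate_cves(document):
    """Map each CVE used by more than one vulnerability item to the
    JSON pointers of all items that carry it (empty dict = test passes)."""
    by_cve = defaultdict(list)
    for index, item in enumerate(document.get("vulnerabilities", [])):
        cve = item.get("cve")  # "cve" is optional; items without it are skipped
        if cve is not None:
            by_cve[cve].append(f"/vulnerabilities/{index}/cve")
    return {cve: paths for cve, paths in by_cve.items() if len(paths) > 1}


def make_document(*cves):
    """Constructed stand-in for a CSAF document: only the vulnerabilities
    array is present, round-tripped through JSON like a file on disk."""
    raw = json.dumps({"vulnerabilities": [{"cve": cve} for cve in cves]})
    return json.loads(raw)


# Constructed CVE IDs, not taken from the linked test files.
A, B = "CVE-2099-0001", "CVE-2099-0002"

CASES = {
    "1": make_document(A, B),         # passing: two different CVEs
    "2a": make_document(A, A, A),     # three items, all the same CVE
    "2b": make_document(A, B, A, B),  # four items, two pairs
    "2c": make_document(A, A, B),     # two share a CVE, one is unrelated
}


def run_cases():
    """Run the check over every constructed case."""
    return {name: duplicate_cves(doc) for name, doc in CASES.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, "valid" if not result else f"invalid: {result}")
```
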