From c9c2baef27e1ac61f83d1d1aba97503ff6226e05 Mon Sep 17 00:00:00 2001
From: Giuseppe Di Terlizzi
Date: Mon, 7 Oct 2024 16:36:18 +0200
Subject: [PATCH] Improved 6.1.9 mandatory test
---
 lib/CSAF/Validator/MandatoryTests.pm | 36 +++++++++++++++++++++-------
 t/10-mandatory-6.1.9.t | 5 ++++
 2 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/lib/CSAF/Validator/MandatoryTests.pm b/lib/CSAF/Validator/MandatoryTests.pm
index 34a35a5..385cde7 100644
--- a/lib/CSAF/Validator/MandatoryTests.pm
+++ b/lib/CSAF/Validator/MandatoryTests.pm
@@ -11,6 +11,7 @@ use CSAF::Util::CVSS qw(decode_cvss_vector_string);
 use CSAF::Util qw(collect_product_ids product_in_group_exists);
 use CSAF::Schema;
+use CVSS;
 use List::MoreUtils qw(uniq duplicates);
 use List::Util qw(first);
 use URI::PackageURL;
@@ -509,15 +510,10 @@ sub TEST_6_1_8 {
 }
-sub TEST_6_1_9 { # TODO INCOMPLETE
+sub TEST_6_1_9 {
 my $self = shift;
- DEBUG and $self->log->warn('Incomplete Mandatory Test 6.1.9');
-
- my $cvss2_severity = {LOW => [0, 3.9], MEDIUM => [4, 6.9], HIGH => [7, 10]};
- my $cvss3_severity = {LOW => [0, 3.9], MEDIUM => [4, 6.9], HIGH => [7, 8.9], CRITICAL => [9, 10]};
-
 $self->csaf->vulnerabilities->each(sub {
 my ($vulnerability, $vuln_idx) = @_;
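Review bot: `+use CVSS;` introduces a new runtime prerequisite, but the diffstat lists only MandatoryTests.pm and the test file, so the dependency declaration (cpanfile, Makefile.PL or META) does not appear to be updated in this patch; confirm it is already listed, otherwise installs fail at `use` time. The file also still imports `decode_cvss_vector_string` from CSAF::Util::CVSS, so it is worth checking whether that helper and the new CVSS module now overlap and one path is left unused.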
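Review bot: The `# TODO INCOMPLETE` marker and the DEBUG warning are removed without any comment stating what the test now covers; a one-line header above `+sub TEST_6_1_9 {` such as `# 6.1.9: recompute the CVSS score from vectorString and report baseScore/baseSeverity values that disagree with it` would document the new contract for the next maintainer. The body of TEST_6_1_9 continues in the following hunk, where the actual checks live.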
@@ -526,13 +522,35 @@ sub TEST_6_1_9 { # TODO INCOMPLETE
 my ($score, $score_idx) = @_;
+ if (my $cvss2 = $score->cvss_v2) {
+
+ my $cvss = CVSS->from_vector_string($cvss2->vectorString);
+
+ if ($cvss2->baseScore && $cvss->baseScore ne $cvss2->baseScore) {
+ $self->add_message(
+ category => 'mandatory',
+ path => "/vulnerabilities/$vuln_idx/score/$score_idx/cvss_v2",
+ code => '6.1.9',
+ message => 'Invalid CVSS computation'
+ );
+ }
+
+ }
+
 if (my $cvss3 = $score->cvss_v3) {
- return if (!$cvss3->baseSeverity);
+ my $cvss = CVSS->from_vector_string($cvss3->vectorString);
- my ($score_min, $score_max) = @{$cvss3_severity->{$cvss3->baseSeverity}};
+ if ($cvss3->baseSeverity && $cvss->baseSeverity ne $cvss3->baseSeverity) {
+ $self->add_message(
+ category => 'mandatory',
+ path => "/vulnerabilities/$vuln_idx/score/$score_idx/cvss_v3",
+ code => '6.1.9',
+ message => 'Invalid CVSS computation'
+ );
+ }
- unless ($cvss3->baseScore >= $score_min && $cvss3->baseScore <= $score_max) {
+ if ($cvss3->baseScore && $cvss->baseScore ne $cvss3->baseScore) {
 $self->add_message(
 category => 'mandatory',
 path => "/vulnerabilities/$vuln_idx/score/$score_idx/cvss_v3",
diff --git a/t/10-mandatory-6.1.9.t b/t/10-mandatory-6.1.9.t
index 38c0a6f..3950d1c 100644
--- a/t/10-mandatory-6.1.9.t
+++ b/t/10-mandatory-6.1.9.t
@@ -51,5 +51,10 @@ $vuln->scores->add(
 {baseScore => 10.0, baseSeverity => 'LOW', vectorString => 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}
 );
+$vuln->scores->add(
+ products => ['CSAFPID-9080700'],
+ cvss_v2 => {baseScore => 10.0, vectorString => 'AV:N/AC:L/Au:N/C:C/I:C/A:C'}
+);
+
 exec_validator_mandatory_test($csaf, '6.1.9');
 done_testing;
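Review bot: `CVSS->from_vector_string($cvss2->vectorString)` and its cvss_v3 counterpart are called unguarded, so if the constructor dies on a missing or malformed vectorString (presumably its behaviour; confirm against the CVSS module's API) a single bad score aborts the whole validation run instead of yielding a 6.1.9 finding, and a validator fed third-party advisories should keep going and report. The `$cvss2->baseScore &&` and `$cvss3->baseScore &&` guards also skip the check for the legal base score 0.0, and `ne` compares the scores as strings, so a document carrying 10 against a computed 10.0 (how the JSON number is rendered depends on the decoder) would be flagged as a mismatch; use `defined` and `!=`. The three `add_message` calls differ only in the path and could share one small helper. This hunk ends inside the last `add_message` call, so the rest of TEST_6_1_9 is outside it.

```perl
if (my $cvss2 = $score->cvss_v2) {

    # A malformed or missing vectorString must not abort the whole run; vector
    # validity is presumably covered by 6.1.8, so only the computation is checked here.
    my $cvss = eval { CVSS->from_vector_string($cvss2->vectorString) };

    # 0.0 is a legal base score: test definedness and compare numerically.
    if ($cvss && defined $cvss2->baseScore && $cvss->baseScore != $cvss2->baseScore) {
        $self->add_message(
            category => 'mandatory',
            path     => "/vulnerabilities/$vuln_idx/score/$score_idx/cvss_v2",
            code     => '6.1.9',
            message  => 'Invalid CVSS computation'
        );
    }

}
# … unchanged: cvss_v3 branch, with the same eval / defined / != treatment …
```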
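Review bot: The added cvss_v2 score is internally consistent (AV:N/AC:L/Au:N/C:C/I:C/A:C is the maximal v2 vector and computes to 10.0), so the new cvss_v2 `add_message` branch in the validator is never exercised by this test; a second entry with a deliberately wrong value, e.g. the constructed `cvss_v2 => {baseScore => 5.0, vectorString => 'AV:N/AC:L/Au:N/C:C/I:C/A:C'}`, would pin the negative path. An entry with `baseScore => 0.0` would additionally expose the truthiness guard in the validator. Whether `exec_validator_mandatory_test` asserts on the number or paths of the emitted messages is not visible from this hunk.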