Fail to deal with external schemata #114

Open
Fadiabb opened this issue Dec 6, 2021 · 2 comments

Fadiabb commented Dec 6, 2021

Hello,
We have faced the following problem during the validation of some JSON files:
The validation of the CVE-2018-0171-modified.json file with the csaf_json_schema.json schema throws an error:
/vulnerabilities/0/scores/0/cvss_v3: did not match any of the specified OneOf schemas and thus this valid document is classified as invalid.
Validator confirms the validity of this file against this schema also.
It seems that something goes wrong when processing oneOf on #ref external schemata.

Tested with qri-io/jsonschema v0.2.1 and go v1.17.1

Fadiabb commented Dec 7, 2021

Minimizing the linked schema and JSON file from the last comment by removing some attributes, and adjusting the usage example to use these minimized files as follows:

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"

	"github.com/qri-io/jsonschema"
)

func main() {
	ctx := context.Background()

	// Minimized CSAF schema: cvss_v3 is a oneOf over two external $ref schemas.
	var schemaData = []byte(`{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json",
  "title": "Common Security Advisory Framework",
  "description": "Representation of security advisory information as a JSON document.",
  "type": "object",
  "properties": {
    "scores": {
      "title": "List of scores",
      "description": "contains score objects for the current vulnerability.",
      "type": "array",
      "minItems": 1,
      "items": {
        "title": "Score",
        "description": "specifies information about (at least one) score of the vulnerability and for which products the given value applies.",
        "type": "object",
        "properties": {
          "cvss_v2": {
            "$ref": "https://www.first.org/cvss/cvss-v2.0.json"
          },
          "cvss_v3": {
            "oneOf": [
              {
                "$ref": "https://www.first.org/cvss/cvss-v3.0.json"
              },
              {
                "$ref": "https://www.first.org/cvss/cvss-v3.1.json"
              }
            ]
          }
        }
      }
    }
  }
}`)

	rs := &jsonschema.Schema{}
	if err := json.Unmarshal(schemaData, rs); err != nil {
		panic("unmarshal schema: " + err.Error())
	}

	// Minimized document that should be accepted by the schema above.
	var valid = []byte(`{
  "scores": [
    {
      "cvss_v3": {
        "version": "3.0",
        "baseScore": 9.8,
        "baseSeverity": "CRITICAL",
        "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
      }
    }
  ]
}`)

	errs, err := rs.ValidateBytes(ctx, valid)
	if err != nil {
		panic(err)
	}
	// Print the first validation error, if any.
	if len(errs) > 0 {
		fmt.Println(errs[0].Error())
	}
}
```

Throws the error: /scores/0/cvss_v3: {"baseScore":9.8,"ba... did not match any of the specified OneOf schemas

msiner commented Apr 19, 2022

This excerpt from debug output indicates that the problem is not being able to resolve a ref.

```
[Ref] Validating
[AddError] Error: failed to resolve schema for ref #/definitions/scoreType
[Schema] Validating
[AddError] Error: schema is nil
[AddSubErrors] Error: failed to resolve schema for ref #/definitions/scoreType
[AddSubErrors] Error: schema is nil
```

Furthermore, there is a warning earlier in the debug output that leads to the root cause.

```
[Schema] WARN: 'definitions' is not supported and will be ignored
```

Validation is failing because the schema being used is written to comply with JSON Schema draft-07 and qri-io/jsonschema primarily targets JSON Schema 2019-09. Specifically, between revisions, the functionality associated with the "definitions" keyword was moved to the new "$defs" keyword. See issue #97 for more discussion.

For this particular case, registering the "definitions" keyword with the "$def" keyword handler before any validation occurs, as shown below, should allow for your provided test case to validate as expected.

```go
jsonschema.RegisterKeyword("definitions", jsonschema.NewDefs)
```
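
A pre-flight check for the failure mode diagnosed in the last comment, added here as an example (it is not part of the thread or of qri-io/jsonschema): using only the Go standard library, it lists every `$ref` in a schema that points into a draft-07 `definitions` block, so a falsely rejected advisory can be traced to the schema draft before validation runs. The sample schema is constructed, modelled on the `#/definitions/scoreType` ref in the debug output, and `findLegacyRefs` is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample (draft-07 style), modelled on the ref in the debug output.
const sampleSchema = `{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {"scoreType": {"type": "number"}},
  "properties": {"baseScore": {"$ref": "#/definitions/scoreType"}},
  "oneOf": [{"$ref": "#/$defs/ok"}, {"$ref": "#/definitions/scoreType"}]
}`

// findLegacyRefs (hypothetical helper) lists every "$ref" that targets a
// "definitions" block, the keyword the warning above reports as ignored.
func findLegacyRefs(doc []byte) ([]string, error) {
	var root interface{}
	if err := json.Unmarshal(doc, &root); err != nil {
		return nil, err
	}
	var hits []string
	var walk func(node interface{}, path string)
	walk = func(node interface{}, path string) {
		switch v := node.(type) {
		case map[string]interface{}:
			if ref, ok := v["$ref"].(string); ok && strings.Contains(ref, "#/definitions/") {
				hits = append(hits, path+"/$ref -> "+ref)
			}
			for k, child := range v {
				walk(child, path+"/"+k)
			}
		case []interface{}:
			for i, child := range v {
				walk(child, fmt.Sprintf("%s/%d", path, i))
			}
		}
	}
	walk(root, "")
	sort.Strings(hits) // map iteration order is random; sort for stable output
	return hits, nil
}

func main() {
	hits, err := findLegacyRefs([]byte(sampleSchema))
	fmt.Printf("%s\nerr=%v\n", strings.Join(hits, "\n"), err)
}
```

The same function can be run over each externally referenced schema once it has been downloaded; the substring match also catches remote refs that end in `#/definitions/...`.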
