function()

in custom/cve5/conf.js [461:527]


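        /**
         * Custom validator applying ASF-specific rules to a CVE record.
         *
         * The checks that run depend on `path`:
         *  - 'root': a PUBLIC record needs a vendor-advisory reference at apache.org,
         *    the title must not repeat the first affected product's name, and
         *    Maven packages must be named 'groupId:artifactId'.
         *  - 'root.containers.cna.references...': rejects hosts that must not be
         *    linked and vendor-advisory references that are not at apache.org.
         *  - 'root.containers.cna.metrics... .other': requires a severity level.
         *  - 'root.CNA_private.userslist...': checks the notification addresses.
         *
         * @param {*} schema - Unused by this validator.
         * @param {*} value - The value found at `path` (the whole record for 'root').
         * @param {string} path - Dotted path of the value being validated.
         * @returns {Array<{path: string, property: string, message: string}>}
         *          The problems found; empty when the value passes.
         */
        function validateAsfCveRecord(schema, value, path) {
            const errors = [];

            // Domain check on a parsed hostname: apache.org itself or a true subdomain.
            // A plain endsWith("apache.org") also accepts look-alike registrations
            // whose name merely ends in that string, so the dot boundary is required.
            const isApacheHost = (hostname) => hostname === 'apache.org' || hostname.endsWith('.apache.org');

            // Substring matching on the raw URL would accept "apache.org/" appearing in
            // the path of an unrelated host, so the URL is parsed and only its hostname
            // is compared. Unparsable URLs never count as an ASF advisory.
            const isApacheUrl = (rawUrl) => {
                try {
                    return isApacheHost(new URL(rawUrl).hostname);
                } catch (error) {
                    return false;
                }
            };

            if (path === 'root') {
                // Resolve the CNA container once; every root check needs it and any
                // level may be missing while the record is still being edited.
                const cna = value && value.containers && value.containers.cna;

                if (value && value.CNA_private && value.CNA_private.state && cna && Array.isArray(cna.references)) {
                    let asfAdvisories = 0;
                    // `const ref` keeps the loop variable local; an undeclared `ref`
                    // is an implicit global and a ReferenceError in strict mode.
                    for (const ref of cna.references) {
                        if (ref && ref.tags && ref.tags.includes('vendor-advisory') && ref.url && isApacheUrl(ref.url)) {
                            asfAdvisories += 1;
                        }
                    }
                    if (asfAdvisories === 0 && value.CNA_private.state === 'PUBLIC') {
                        errors.push({path: path, property: 'format', message: 'In state PUBLIC you must include a vendor-advisory reference pointing to your advisory or mailing list post at an apache.org URL'});
                    }
                }

                if (cna && cna.title && cna.affected && cna.affected.length > 0 && cna.affected[0] && cna.affected[0].product) {
                    // Case-insensitive comparison of the title with the first product name.
                    const product = cna.affected[0].product.toLowerCase();
                    const title = cna.title.toLowerCase();
                    if (title.includes(product)) {
                        errors.push({path: "root.containers.cna.title", property: 'format', message: 'The title does not need to contain the product name: it will be prepended automatically'});
                    }
                }

                if (cna && cna.affected) {
                    for (let i = 0; i < cna.affected.length; i++) {
                        const affected = cna.affected[i];
                        // Entries whose collection URL mentions "maven" must carry a
                        // package name containing ':' (groupId:artifactId).
                        if (affected && affected.collectionURL && affected.collectionURL.includes("maven")) {
                            if (!affected.packageName || !affected.packageName.includes(":")) {
                                errors.push({path: "root.containers.cna.affected." + i + ".packageName", property: 'format', message: "Specify the package name in the format 'groupId:artifactId'"});
                            }
                        }
                    }
                }
            } else if (path.startsWith('root.containers.cna.references')) {
                if (value != null && value.url != undefined) {
                    try {
                        const url = new URL(value.url);
                        if (url.hostname === "dist.apache.org") {
                            errors.push({path: "root.containers.cna.references", property: 'format', message: 'Do not use dist.apache.org, this should be dlcdn.apache.org'});
                        } else if (url.hostname === "cveprocess.apache.org") {
                            errors.push({path: "root.containers.cna.references", property: 'format', message: 'Do not link to cveprocess.apache.org, this is an internal tool'});
                        } else if (url.hostname === "downloads.apache.org") {
                            errors.push({path: "root.containers.cna.references", property: 'format', message: 'Do not use downloads.apache.org, this should be dlcdn.apache.org'});
                        } else if (value.tags && value.tags.includes("vendor-advisory") && (!isApacheHost(url.hostname) || url.pathname === "/")) {
                            // A vendor advisory must be on an apache.org host and must
                            // point at a specific page, not the bare site root.
                            errors.push({path: "root.containers.cna.references", property: 'format', message: 'vendor-advisory tag must point to a URL at apache.org'});
                        }
                    } catch (error) {
                        // Fine, don't validate until the URL is valid
                    }
                }
            } else if (path.startsWith('root.containers.cna.metrics') && path.endsWith(".other")) {
                if (!value || !value.content) {
                    errors.push({path: path.replaceAll(".other", "") + ".oneOf[1].other.content.text", property: 'format', message: 'Severity level is required'});
                }
            } else if (path.startsWith('root.CNA_private.userslist')) {
                // Only a string can be split into addresses; other values are skipped
                // here instead of throwing inside the validator.
                if (typeof value === 'string') {
                    // Addresses are separated by spaces and/or commas. The two fixed
                    // addresses are reported before the generic ASF-domain check.
                    value.trim().split(/[ ,]+/).forEach(address => {
                        if (address === "announce@apache.org") {
                            errors.push({path: 'root', property: 'format', message: 'Do not add announce@apache.org to the mailinglists, it will be included automatically.'});
                        } else if (address === "oss-security@lists.openwall.com") {
                            errors.push({path: 'root', property: 'format', message: 'Do not add oss-security to the mailinglists, it will be notified separately.'});
                        } else if (!address.endsWith('.apache.org')) {
                            errors.push({path: 'root', property: 'format', message: 'Notification list is not an ASF list.'});
                        } else if (address.startsWith('security@') || address.startsWith('private@')) {
                            errors.push({path: 'root', property: 'format', message: 'Do not notify private lists: notifications should go to public lists. Mixing public and private lists is discouraged.'});
                        }
                    });
                }
            }
            return errors;
        }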