function()

in custom/cve5/conf.js [416:463]


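        /**
         * Apply the Apache-specific checks to one node of a CVE record and
         * report every rule it breaks.
         *
         * Which rule set runs depends on `path`:
         *  - `root`: a record in state PUBLIC needs at least one
         *    `vendor-advisory` reference hosted at apache.org.
         *  - `root.containers.cna.references…`: rejects hosts that must not be
         *    cited and vendor advisories that are not on apache.org.
         *  - `root.containers.cna.metrics….other`: requires `content`.
         *  - `root.CNA_private.userslist…`: checks each notification address.
         *
         * NOTE(review): presumably registered as a custom validator of the
         * record editor; confirm against the surrounding conf.js.
         *
         * @param {object} schema - Schema of the node; not used here.
         * @param {*} value - Value found at `path`.
         * @param {string} path - Dotted path of the node, starting at `root`.
         * @returns {Array<{path: string, property: string, message: string}>}
         *   One entry per violated rule; empty when the node passes.
         */
        function validateApacheCveRecord(schema, value, path) {
            const errors = [];
            const referencesPath = 'root.containers.cna.references';

            // The dot is part of the suffix on purpose: a bare "apache.org"
            // suffix also matches unrelated registrable domains whose name
            // merely ends in those characters.
            const isApacheHost = (hostname) =>
                hostname === 'apache.org' || hostname.endsWith('.apache.org');

            // Decide on the parsed hostname, never on the raw string: a
            // substring test accepts "apache.org/" sitting in the path or
            // query of any other host. Unparseable URLs do not count.
            const isApacheUrl = (rawUrl) => {
                try {
                    return isApacheHost(new URL(rawUrl).hostname);
                } catch {
                    return false;
                }
            };

            if (path === 'root') {
                // Optional chaining keeps a record without containers/cna from
                // throwing. With no references list this rule stays silent.
                const references = value?.containers?.cna?.references;
                if (value && value.CNA_private && value.CNA_private.state && Array.isArray(references)) {
                    // `const` binding: the loop variable must not leak into
                    // (or, in strict mode, fail on) the global scope.
                    let apacheAdvisories = 0;
                    for (const ref of references) {
                        if (ref?.tags && ref.tags.includes('vendor-advisory') && ref.url && isApacheUrl(ref.url)) {
                            apacheAdvisories += 1;
                        }
                    }
                    if (apacheAdvisories === 0 && value.CNA_private.state === 'PUBLIC') {
                        errors.push({path: path, property: 'format', message: 'In state PUBLIC you must include a vendor-advisory reference pointing to your advisory or mailing list post at an apache.org URL'});
                    }
                }
            } else if (path.startsWith(referencesPath)) {
                if (value != null && value.url != null) {
                    try {
                        const url = new URL(value.url);
                        if (url.hostname === 'dist.apache.org') {
                            errors.push({path: referencesPath, property: 'format', message: 'Do not use dist.apache.org, this should be dlcdn.apache.org'});
                        } else if (url.hostname === 'cveprocess.apache.org') {
                            errors.push({path: referencesPath, property: 'format', message: 'Do not link to cveprocess.apache.org, this is an internal tool'});
                        } else if (url.hostname === 'downloads.apache.org') {
                            errors.push({path: referencesPath, property: 'format', message: 'Do not use downloads.apache.org, this should be dlcdn.apache.org'});
                        } else if (value.tags && value.tags.includes('vendor-advisory') && (!isApacheHost(url.hostname) || url.pathname === '/')) {
                            // A bare site root is rejected too: the advisory
                            // link has to name a specific page.
                            errors.push({path: referencesPath, property: 'format', message: 'vendor-advisory tag must point to a URL at apache.org'});
                        }
                    } catch {
                        // Fine, don't validate until the URL is valid
                    }
                }
            } else if (path.startsWith('root.containers.cna.metrics') && path.endsWith('.other')) {
                if (!value.content) {
                    errors.push({path: path.replaceAll('.other', '') + '.oneOf[1].other.content.text', property: 'format', message: 'Severity level is required'});
                }
            } else if (path.startsWith('root.CNA_private.userslist')) {
                // Addresses are separated by spaces and/or commas. An empty
                // token (empty field, leading or trailing separator) fails the
                // suffix test below and is reported as well.
                // NOTE(review): the last rule is a suffix test on each token
                // only; it does not check that the token is one well-formed
                // address. Confirm whether the mail backend validates that.
                for (const address of value.split(/[ ,]+/)) {
                    if (address === 'announce@apache.org') {
                        errors.push({path: 'root', property: 'format', message: 'Do not add announce@apache.org to the mailinglists, it will be included automatically.'});
                    } else if (address === 'oss-security@lists.openwall.com') {
                        errors.push({path: 'root', property: 'format', message: 'Do not add oss-security to the mailinglists, it will be notified separately.'});
                    } else if (!address.endsWith('.apache.org')) {
                        errors.push({path: 'root', property: 'format', message: 'Notification list is not an ASFlist.'});
                    }
                }
            }
            return errors;
        }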