From 4cd010bdb360dada7b273e9eecd28bb3c35e91be Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Sat, 17 Feb 2024 08:16:51 -0500
Subject: [PATCH] Add Rx validation, and fix lots of incosistencies

---
 cpansa/CPANSA-Cpanel-JSON-XS.yml | 1 -
 cpansa/CPANSA-DBD-SQLite.yml | 4 +-
 cpansa/CPANSA-Encode.yml | 2 -
 cpansa/CPANSA-File-Path.yml | 4 +-
 cpansa/CPANSA-HTTP-Daemon.yml | 3 +-
 cpansa/CPANSA-IPC-Run.yml | 5 +-
 cpansa/CPANSA-MDK-Common.yml | 5 +-
 cpansa/CPANSA-MT.yml | 104 +++------
 cpansa/CPANSA-Net-Dropbear.yml | 4 +-
 cpansa/CPANSA-Net-LDAPS.yml | 2 +-
 cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml | 2 +-
 cpansa/CPANSA-Term-ReadLine-Gnu.yml | 2 +-
 cpansa/CPANSA-perl.yml | 9 +-
 cpansa/CPANSA-urxvt-bgdsl.yml | 9 +-
 t/validate.t | 222 +++++++++++++++++++
 15 files changed, 264 insertions(+), 114 deletions(-)
 create mode 100644 t/validate.t

diff --git a/cpansa/CPANSA-Cpanel-JSON-XS.yml b/cpansa/CPANSA-Cpanel-JSON-XS.yml
index 4fc51f5..34da514 100644
--- a/cpansa/CPANSA-Cpanel-JSON-XS.yml
+++ b/cpansa/CPANSA-Cpanel-JSON-XS.yml
@@ -29,7 +29,6 @@ advisories:
 description: |
 Wrong error messages/sometimes crashes or endless loops with invalid JSON in relaxed mode
 fixed_versions: '>=4.033'
- github_advisory_database: https://github.com/advisories/GHSA-44qr-8pf6-6q33
 github_security_advisory:
 - GHSA-44qr-8pf6-6q33
 id: CPANSA-Cpanel-JSON-XS-2023-01
diff --git a/cpansa/CPANSA-DBD-SQLite.yml b/cpansa/CPANSA-DBD-SQLite.yml
index 8580875..d2a6de3 100644
--- a/cpansa/CPANSA-DBD-SQLite.yml
+++ b/cpansa/CPANSA-DBD-SQLite.yml
@@ -697,9 +697,7 @@ advisories:
 - https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
 reported: 2018-03-17
 severity: high
-- affected_versions:
- - =1.55_06
- - <=1.55_03
+- affected_versions: "=1.55_06,<=1.55_03"
 cves:
 - CVE-2017-10989
 description: |
diff --git a/cpansa/CPANSA-Encode.yml b/cpansa/CPANSA-Encode.yml
index b71fc68..c225efb 100644
--- a/cpansa/CPANSA-Encode.yml
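Review bot: `affected_versions: "=1.55_06,<=1.55_03"` collapses what were two alternative list entries into one comma-separated string, and a comma inside a single entry previously meant conjunction (compare the removed `'>=1.2.9,<=1.2.14'` in CPANSA-MDK-Common.yml), so a consumer that parses commas as AND now sees a range no version can satisfy and silently stops matching this advisory. The same flattening is applied in CPANSA-File-Path.yml, CPANSA-IPC-Run.yml, CPANSA-MDK-Common.yml and throughout CPANSA-MT.yml, e.g. `'>=7,<=7.9.4,>=6,<=6.8.6,>=4,<=5'`, where the ranges are disjoint by construction. If the new `affected_versions => { type => '//any', of => [ '//str', '//nil' ] }` rule in t/validate.t is what motivated the change, I would rather widen that rule to also accept an `//arr` of strings, or pick a separator distinct from the one already used inside a range and document which one means OR.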
+++ b/cpansa/CPANSA-Encode.yml
@@ -58,8 +58,6 @@ advisories:
 - http://search.cpan.org/~flora/perl-5.14.2/pod/perldelta.pod#Encode_decode_xs_n-byte_heap-overflow_(CVE-2011-2939)
 reported: 2012-01-13
 severity: ~
- x-commit: 'Encode CVE-2011-2939 GitHub #13'
- x-file: cpansa/CPANSA-Encode.yml
 cpansa_version: 2
 distribution: Encode
 last_checked: 1708150846
diff --git a/cpansa/CPANSA-File-Path.yml b/cpansa/CPANSA-File-Path.yml
index c864d27..dfa66e0 100644
--- a/cpansa/CPANSA-File-Path.yml
+++ b/cpansa/CPANSA-File-Path.yml
@@ -46,9 +46,7 @@ advisories:
 - http://www.securityfocus.com/archive/1/500210/100/0/threaded
 reported: 2008-12-01
 severity: ~
-- affected_versions:
- - =1.08
- - =2.07
+- affected_versions: "=1.08,=2.07"
 cves:
 - CVE-2008-5302
 description: |
diff --git a/cpansa/CPANSA-HTTP-Daemon.yml b/cpansa/CPANSA-HTTP-Daemon.yml
index 7ec44e9..4df45a1 100644
--- a/cpansa/CPANSA-HTTP-Daemon.yml
+++ b/cpansa/CPANSA-HTTP-Daemon.yml
@@ -6,8 +6,7 @@ advisories:
 description: |
 HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected.
 fixed_versions: '>=6.15'
- github_security_advisory:
- - ''
+ github_security_advisory: []
 id: CPANSA-HTTP-Daemon-2022-31081
 references:
 - https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2
diff --git a/cpansa/CPANSA-IPC-Run.yml b/cpansa/CPANSA-IPC-Run.yml
index 869eb59..007f41b 100644
--- a/cpansa/CPANSA-IPC-Run.yml
+++ b/cpansa/CPANSA-IPC-Run.yml
@@ -1,9 +1,6 @@
 ---
 advisories:
-- affected_versions:
- - <0.90
- - =0.90_01
- - =0.90_02
+- affected_versions: "<0.90,=0.90_01,=0.90_02"
 cves: []
 description: |
 INADDR_ANY can be your external ip, IPC::Run should only listen on localhost.
diff --git a/cpansa/CPANSA-MDK-Common.yml b/cpansa/CPANSA-MDK-Common.yml
index 47eae86..78a8bf4 100644
--- a/cpansa/CPANSA-MDK-Common.yml
+++ b/cpansa/CPANSA-MDK-Common.yml
@@ -1,9 +1,6 @@
 ---
 advisories:
-- affected_versions:
- - =1.1.11
- - =1.1.24
- - '>=1.2.9,<=1.2.14'
+- affected_versions: '=1.1.11,=1.1.24,>=1.2.9,<=1.2.14'
 cves:
 - CVE-2009-0912
 description: |
diff --git a/cpansa/CPANSA-MT.yml b/cpansa/CPANSA-MT.yml
index 518e0a4..af86f05 100644
--- a/cpansa/CPANSA-MT.yml
+++ b/cpansa/CPANSA-MT.yml
@@ -16,17 +16,12 @@ advisories:
 - http://www.sec-1.com/blog/?p=402
 reported: 2013-01-23
 severity: ~
-- affected_versions:
- - '>=7,<=7.9.4'
- - '>=6,<=6.8.6'
- - '>=4,<=5'
+- affected_versions: '>=7,<=7.9.4,>=6,<=6.8.6,>=4,<=5'
 cves:
 - CVE-2022-38078
 description: |
 Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
- fixed_versions:
- - 7.9.5
- - 6.8.7
+ fixed_versions: '7.9.5,6.8.7'
 github_security_advisory:
 - GHSA-f342-4q2c-v2q2
 id: CPANSA-MT-2022-38078
@@ -35,10 +30,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN57728859/index.html
 reported: 2022-08-24
 severity: critical
-- affected_versions:
- - '>=7,<=7.8.1'
- - '>=6,<=6.8.2'
- - <6
+- affected_versions: '>=7,<=7.8.1,>=6,<=6.8.2,<6'
 cves:
 - CVE-2021-20837
 description: |
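Review bot: `fixed_versions: '7.9.5,6.8.7'` drops the comparison operators that every other `fixed_versions` value touched by this patch carries (`'>=6.15'`, `'>=5.30.3'`, `'>=9.29'`), so the field now holds a bare version list and range expressions under the same `//str` rule with nothing to tell them apart. The two versions belong to different major lines, so joining them with a comma is ambiguous in the same way as the flattened `affected_versions` in this hunk; I would keep them as separate `>=` ranges, e.g. `'>=7.9.5'` and `'>=6.8.7'`, or as a list, and have the `fixed_versions` rule in t/validate.t check for the operator form.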
@@ -54,8 +46,7 @@ advisories:
 - http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
 reported: 2021-10-26
 severity: critical
-- affected_versions:
- - '>=7,<7.8.0'
+- affected_versions: '>=7,<7.8.0'
 cves:
 - CVE-2021-20814
 description: |
@@ -69,8 +60,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN97545738/index.html
 reported: 2021-08-26
 severity: medium
-- affected_versions:
- - '>=7,<7.8.0'
+- affected_versions: '>=7,<7.8.0'
 cves:
 - CVE-2021-20813
 description: |
@@ -84,9 +74,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN97545738/index.html
 reported: 2021-08-26
 severity: medium
-- affected_versions:
- - '>=7,<7.8.0'
- - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
 cves:
 - CVE-2021-20815
 description: |
@@ -100,9 +88,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN97545738/index.html
 reported: 2021-08-26
 severity: medium
-- affected_versions:
- - '>=7,<7.8.0'
- - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
 cves:
 - CVE-2021-20811
 description: |
@@ -116,9 +102,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN97545738/index.html
 reported: 2021-08-26
 severity: medium
-- affected_versions:
- - '>=7,<7.8.0'
- - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
 cves:
 - CVE-2021-20810
 description: |
@@ -132,9 +116,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN97545738/index.html
 reported: 2021-08-26
 severity: medium
-- affected_versions:
- - '>=7,<7.8.0'
- - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
 cves:
 - CVE-2021-20809
 description: |
@@ -148,9 +130,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN97545738/index.html
 reported: 2021-08-26
 severity: medium
-- affected_versions:
- - '>=7,<7.8.0'
- - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
 cves:
 - CVE-2021-20808
 description: |
@@ -178,9 +158,7 @@ advisories:
 - https://jvn.jp/en/jp/JVN94245475/index.html
 reported: 2021-10-26
 severity: medium
-- affected_versions:
- - '>=7,<7.2.1'
- - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
 cves:
 - CVE-2020-5577
 description: |
@@ -194,9 +172,7 @@ advisories:
 - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
 reported: 2020-05-14
 severity: high
-- affected_versions:
- - '>=7,<7.2.1'
- - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
 cves:
 - CVE-2020-5576
 description: |
@@ -210,9 +186,7 @@ advisories:
 - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
 reported: 2020-05-14
 severity: high
-- affected_versions:
- - '>=7,<7.2.1'
- - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
 cves:
 - CVE-2020-5575
 description: |
@@ -226,9 +200,7 @@ advisories:
 - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
 reported: 2020-05-14
 severity: medium
-- affected_versions:
- - '>=7,<7.2.1'
- - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
 cves:
 - CVE-2020-5574
 description: |
@@ -242,9 +214,7 @@ advisories:
 - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
 reported: 2020-05-14
 severity: medium
-- affected_versions:
- - '>=7,<7.1.4'
- - '>=6,<=6.5.2'
+- affected_versions: '>=7,<7.1.4,>=6,<=6.5.2'
 cves:
 - CVE-2020-5528
 description: |
@@ -258,10 +228,7 @@ advisories:
 - http://jvn.jp/en/jp/JVN94435544/index.html
 reported: 2020-02-06
 severity: medium
-- affected_versions:
- - '>=7,<7.1.3'
- - '>=6.5.0,<=6.5.1'
- - '>=6,<=6.3.9'
+- affected_versions: '>=7,<7.1.3,>=6.5.0,<=6.5.1,>=6,<=6.3.9'
 cves:
 - CVE-2019-6025
 description: |
@@ -288,10 +255,7 @@ advisories:
 - http://jvn.jp/en/jp/JVN89550319/index.html
 reported: 2018-09-04
 severity: medium
-- affected_versions:
- - '>=6.0.0,<6.1.3'
- - '>=6.2.0,<6.2.6'
- - <5.2.13
+- affected_versions: '>=6.0.0,<6.1.3,>=6.2.0,<6.2.6,<5.2.13'
 cves:
 - CVE-2016-5742
 description: |
@@ -308,9 +272,7 @@ advisories:
 - http://www.securitytracker.com/id/1036160
 reported: 2017-01-23
 severity: critical
-- affected_versions:
- - <5.2.12
- - '>=6.0.0,<=6.0.7'
+- affected_versions: '<5.2.12,>=6.0.0,<=6.0.7'
 cves:
 - CVE-2015-1592
 description: |
@@ -329,10 +291,7 @@ advisories:
 - https://exchange.xforce.ibmcloud.com/vulnerabilities/100912
 reported: 2015-02-19
 severity: ~
-- affected_versions:
- - <5.18
- - '>=5.2.0,<5.2.11'
- - '>=6,<6.0.6'
+- affected_versions: '<5.18,>=5.2.0,<5.2.11,>=6,<6.0.6'
 cves:
 - CVE-2014-9057
 description: |
@@ -364,8 +323,7 @@ advisories:
 - http://seclists.org/oss-sec/2013/q2/560
 reported: 2015-03-27
 severity: ~
-- affected_versions:
- - '>=4.20,<4.38'
+- affected_versions: '>=4.20,<4.38'
 cves:
 - CVE-2013-0209
 description: |
@@ -399,10 +357,7 @@ advisories:
 - https://exchange.xforce.ibmcloud.com/vulnerabilities/79521
 reported: 2014-08-29
 severity: ~
-- affected_versions:
- - <4.38
- - '>=5,<5.07'
- - '>=5.10,<5.13'
+- affected_versions: '<4.38,>=5,<5.07,>=5.10,<5.13'
 cves:
 - CVE-2012-0320
 description: |
@@ -421,10 +376,7 @@ advisories:
 - http://www.debian.org/security/2012/dsa-2423
 reported: 2012-03-03
 severity: ~
-- affected_versions:
- - <4.38
- - '>=5,<5.07'
- - '>=5.10,<5.13'
+- affected_versions: '<4.38,>=5,<5.07,>=5.10,<5.13'
 cves:
 - CVE-2012-0317
 description: |
@@ -443,9 +395,7 @@ advisories:
 - http://www.debian.org/security/2012/dsa-2423
 reported: 2012-03-03
 severity: ~
-- affected_versions:
- - '>=4,<4.36'
- - '>=5,<5.05'
+- affected_versions: '>=4,<4.36,>=5,<5.05'
 cves:
 - CVE-2011-5085
 description: |
@@ -459,9 +409,7 @@ advisories:
 - http://www.debian.org/security/2012/dsa-2423
 reported: 2012-04-02
 severity: ~
-- affected_versions:
- - '>=4,<4.36'
- - '>=5,<5.05'
+- affected_versions: '>=4,<4.36,>=5,<5.05'
 cves:
 - CVE-2011-5084
 description: |
@@ -571,9 +519,7 @@ advisories:
 - http://jvn.jp/en/jp/JVN45658190/index.html
 reported: 2009-01-05
 severity: ~
-- affected_versions:
- - '>=3,<=3.38'
- - '>=4,<4.23'
+- affected_versions: '>=3,<=3.38,>=4,<4.23'
 cves:
 - CVE-2008-5808
 description: |
diff --git a/cpansa/CPANSA-Net-Dropbear.yml b/cpansa/CPANSA-Net-Dropbear.yml
index 8c17e0f..cdeb655 100644
--- a/cpansa/CPANSA-Net-Dropbear.yml
+++ b/cpansa/CPANSA-Net-Dropbear.yml
@@ -1,7 +1,7 @@
 ---
 advisories:
-- affected_versions: <0
- comments: |
+- affected_versions: '<0'
+ comment: |
 From the author: "I have reviewed Dropbear's usage of libtomcrypt, and the function in question for CVE-2019-17362, der_decode_utf8_string, is not used in Dropbear. None of the DER parsing from libtomcrypt is used in Dropbear at all, I have confirmed that the flag to include it is not set, and confirmed that the resultant Dropbear.so that is built by Net::Dropbear does not include any of the der_* symbols."
 cves:
 - CVE-2019-17362
diff --git a/cpansa/CPANSA-Net-LDAPS.yml b/cpansa/CPANSA-Net-LDAPS.yml
index 445fe20..3db7e43 100644
--- a/cpansa/CPANSA-Net-LDAPS.yml
+++ b/cpansa/CPANSA-Net-LDAPS.yml
@@ -9,7 +9,6 @@ advisories:
 github_security_advisory:
 - GHSA-9c48-27fx-7952
 id: CPANSA-Net-LDAPS-2020-16093
- main_module: Net::LDAP
 references:
 - https://lemonldap-ng.org/download
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250
@@ -22,3 +21,4 @@ last_checked: 1708150860
 latest_version: '0.68'
 metacpan: https://metacpan.org/pod/perl::ldap
 repo: git://github.com/perl-ldap/perl-ldap.git
+main_module: Net::LDAP
diff --git a/cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml b/cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml
index 5ef10fb..3e1228d 100644
--- a/cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml
+++ b/cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml
@@ -15,10 +15,10 @@ advisories:
 - https://nvd.nist.gov/vuln/detail/CVE-2023-52431
 reported: 2023-07-14
 severity: ~
- url: ~
 cpansa_version: 2
 distribution: Plack-Middleware-XSRFBlock
 last_checked: 1708150864
 latest_version: 0.0.19
 metacpan: https://metacpan.org/pod/Plack::Middleware::XSRFBlock
 repo: git://github.com/chiselwright/plack-middleware-xsrfblock.git
+url: ~
diff --git a/cpansa/CPANSA-Term-ReadLine-Gnu.yml b/cpansa/CPANSA-Term-ReadLine-Gnu.yml
index 6f12da9..cc3d72a 100644
--- a/cpansa/CPANSA-Term-ReadLine-Gnu.yml
+++ b/cpansa/CPANSA-Term-ReadLine-Gnu.yml
@@ -1,7 +1,7 @@
 ---
 advisories:
 - affected_versions: <1.27
- comments: |
+ comment: |
 The presense of affected versions of Term-ReadLine-Gnu suggests that a vulnerable version of the readline linrary is installed on the host system.
 cves:
 - CVE-2014-2524
diff --git a/cpansa/CPANSA-perl.yml b/cpansa/CPANSA-perl.yml
index 9b18a8d..9062a78 100644
--- a/cpansa/CPANSA-perl.yml
+++ b/cpansa/CPANSA-perl.yml
@@ -69,8 +69,7 @@ advisories:
 description: |
 regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
 fixed_versions: '>=5.30.3'
- github_security_advisory:
- - ''
+ github_security_advisory: []
 id: CPANSA-perl-2020-12723
 references:
 - https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
@@ -97,8 +96,7 @@ advisories:
 description: |
 Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
 fixed_versions: '>=5.30.3'
- github_security_advisory:
- - ''
+ github_security_advisory: []
 id: CPANSA-perl-2020-10878
 references:
 - https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
@@ -124,8 +122,7 @@ advisories:
 description: |
 Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
 fixed_versions: '>=5.30.3'
- github_security_advisory:
- - ''
+ github_security_advisory: []
 id: CPANSA-perl-2020-10543
 references:
 - https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
diff --git a/cpansa/CPANSA-urxvt-bgdsl.yml b/cpansa/CPANSA-urxvt-bgdsl.yml
index f6d5fd1..a2cf00b 100644
--- a/cpansa/CPANSA-urxvt-bgdsl.yml
+++ b/cpansa/CPANSA-urxvt-bgdsl.yml
@@ -1,11 +1,8 @@
 ---
 advisories:
 - affected_versions: '>=9.25,<=9.26'
- comment: |
- This is a darkpan application.
 cves:
 - CVE-2022-4170
- darkpan: true,
 description: |
 The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
 fixed_versions: '>=9.29'
@@ -17,11 +14,13 @@ advisories:
 - https://www.openwall.com/lists/oss-security/2022/12/05/1
 reported: 2022-12-09
 severity: ~
- url: http://software.schmorp.de/pkg/rxvt-unicode.html
 cpansa_version: 2
 darkpan: true
 distribution: urxvt-bgdsl
 last_checked: 1708150869
 latest_version: ~
-metacpan: https://metacpan.org/pod/urxvt::bgdsl
+metacpan: ~
 repo: ~
+url: http://software.schmorp.de/pkg/rxvt-unicode.html
+comment: |
+ This is a darkpan application.
diff --git a/t/validate.t b/t/validate.t
new file mode 100644
index 0000000..5aa539c
--- /dev/null
+++ b/t/validate.t
@@ -0,0 +1,222 @@
+use v5.36;
+
+use Test::More;
+
+use Data::Rx;
+use Mojo::Util;
+use YAML::XS;
+
+
+package My::Type::YYYYMMDD {
+ use parent 'Data::Rx::CommonType::EasyNew';
+
+ sub type_uri {
+ say STDERR "In type uri";
+ 'tag:example.com,EXAMPLE:rx/cpansa-date',
+ }
+
+ sub assert_valid {
+ my ($self, $value) = @_;
+ return 1 unless defined $value;
+ $value =~ /\A(?:19[6789]\d|20[012]\d)-\d\d-\d\d\z/a or $self->fail({
+ error => [ qw(type) ],
+ message => "date value is not YYYY-MM-DD",
+ value => $value,
+ })
+ }
+ }
+
+package My::Type::GHSA {
+ use parent 'Data::Rx::CommonType::EasyNew';
+
+ sub type_uri {
+ 'tag:example.com,EXAMPLE:rx/ghsa',
+ }
+
+ sub assert_valid { # GHSA-6wjc-jvcr-hcxw
+ my ($self, $value) = @_;
+ $value =~ /\AGHSA(?:-[a-z0-9]{4}){3}\z/a or $self->fail({
+ error => [ qw(type) ],
+ message => "value <$value> is not a valid GitHub Advisory Database identifier",
+ value => $value,
+ })
+ }
+ }
+
+package My::Type::CVE {
+ use parent 'Data::Rx::CommonType::EasyNew';
+
+ sub type_uri {
+ 'tag:example.com,EXAMPLE:rx/cve',
+ }
+
+ sub assert_valid {
+ my ($self, $value) = @_;
+ $value =~ /\ACVE-\d+-\d+\z/a or $self->fail({
+ error => [ qw(type) ],
+ message => "value <$value> is not a valid CVE identifier",
+ value => $value,
+ })
+ }
+ }
+
+package My::Type::URL {
+ use parent 'Data::Rx::CommonType::EasyNew';
+
+ sub type_uri {
+ 'tag:example.com,EXAMPLE:rx/url',
+ }
+
+ sub assert_valid {
+ my ($self, $value) = @_;
+ if( ! defined $value ) {
+ return $self->fail({
+ error => [ qw(type) ],
+ message => "URL value is not defined",
+ value => $value,
+ })
+ }
+ elsif( $value !~ m{\A(?:https?|ftp)://}ia ) {
+ $self->fail({
+ error => [ qw(type) ],
+ message => "URL value <$value> is not valid",
+ value => $value,
+ })
+ }
+ return 1;
+ }
+ }
+
+package My::Type::VCS_URL {
+ use parent 'Data::Rx::CommonType::EasyNew';
+
+ sub type_uri {
+ 'tag:example.com,EXAMPLE:rx/vcs-url',
+ }
+
+ sub assert_valid {
+ my ($self, $value) = @_;
+ if( ! defined $value ) {
+ return $self->fail({
+ error => [ qw(type) ],
+ message => "URL value is not defined",
+ value => $value,
+ })
+ }
+ elsif( $value !~ m{\A(?:https?|git|svn)://}ia ) {
+ $self->fail({
+ error => [ qw(type) ],
+ message => "URL value <$value> is not valid",
+ value => $value,
+ })
+ }
+ return 1;
+ }
+ }
+
+my @files = glob("cpansa/*.yml");
+
+my $rx = Data::Rx->new({
+ type_plugins => [qw(
+ My::Type::YYYYMMDD My::Type::GHSA My::Type::CVE My::Type::URL My::Type::VCS_URL
+ )], });
+
+
+my $advisories = {
+ type => '//arr',
+ contents => {
+ type => '//rec',
+ required => {
+ affected_versions => { type => '//any', of => [ '//str', '//nil' ] },
+ cves => { type => '//arr', contents => { type => "tag:example.com,EXAMPLE:rx/cve" }, },
+ description => { type => '//str' },
+ fixed_versions => { type => '//any', of => [ '//str', '//nil' ] },
+ github_security_advisory => { type => '//arr', contents => { type => "tag:example.com,EXAMPLE:rx/ghsa" }, },
+ id => { type => '//str' },
+ reported => { type => "//any", of => [ 'tag:example.com,EXAMPLE:rx/cpansa-date', '//nil' ] },
+ },
+ optional => {
+ distributed_version => '//str',
+ previous_id => { type => '//arr', contents => { type => "//str" }, },
+ embedded_vulnerability => {
+ type => '//rec',
+ optional => {
+ distributed_version => { type => '//any', of => [ '//str', '//nil' ] },
+ name => { type => '//any', of => [ '//str', '//nil' ] },
+ affected_versions => { type => '//any', of => [ '//str', '//nil' ] },
+ },
+ },
+ external_vulnerability => {
+ type => '//rec',
+ optional => {
+ distributed_version => { type => '//any', of => [ '//str', '//nil' ] },
+ name => { type => '//any', of => [ '//str', '//nil' ] },
+ affected_versions => { type => '//any', of => [ '//str', '//nil' ] },
+ },
+ },
+ comment => { type => '//any', of => [ '//str', '//nil' ] },
+ severity => { type => '//any', of => [ '//str', '//nil' ] },
+ references => { type => '//arr', contents => { type => "tag:example.com,EXAMPLE:rx/url" }, },
+ reviewed_by => {
+ type => '//arr',
+ contents => {
+ type => '//rec',
+ optional => {
+ date => { type => "//any", of => [ 'tag:example.com,EXAMPLE:rx/cpansa-date', '//nil' ] },
+ email => '//str',
+ name => '//str',
+ },
+ },
+ },
+ },
+ },
+ };
+
+my $record = {
+ type => '//rec',
+ required => {
+ advisories => $advisories,
+ cpansa_version => { type => '//int' },
+ distribution => { type => '//str' },
+ },
+ optional => {
+ last_checked => '//str',
+ latest_version => { type => '//any', of => [ '//str', '//nil' ] },
+ main_module => { type => '//any', of => [ '//str', '//nil' ] },
+ metacpan => { type => '//any', of => [ 'tag:example.com,EXAMPLE:rx/url', '//nil' ] },
+ repo => { type => '//any', of => [ 'tag:example.com,EXAMPLE:rx/vcs-url', '//nil' ] },
+ darkpan => { type => '//any', of => [ '//bool', '//nil', { type => '//int', value => 1 }, { type => '//int', value => 0 } ] },
+ comment => '//str',
+ url => { type => '//any', of => [ 'tag:example.com,EXAMPLE:rx/url', '//nil' ] },
+ },
+};
+
+my $schema = $rx->make_schema($record);
+
+foreach my $file ( sort @files ) {
+ subtest $file => sub {
+ my $data = eval { YAML::XS::LoadFile( $file ) };
+ ok defined $data, "Loaded YAML data";
+ # diag( Mojo::Util::dumper($data) );
+ isa_ok $data, ref {};
+
+ eval { $schema->assert_valid($data) };
+ my $at = $@;
+ if( ! ref $at ) {
+ pass "Data for <$file> was valid";
+ }
+ else {
+ fail( "Data for <$file> was not valid" );
+ foreach my $failure ( $at->failures->@* ) {
+ diag( $failure );
+ }
+ }
+ };
+ };
+
+done_testing();
+
+__END__
+Failed //rec: found unexpected entries: advisories cpansa_version distribution last_checked latest_version metacpan repo (error: unexpected at $data)
+Failed //rec: no value given for required entry location (error: missing at $data)
+Failed //rec: no value given for required entry status (error: missing at $data)
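Review bot: A non-object exception from `$schema->assert_valid($data)` is reported as a pass, because the branch `if( ! ref $at )` treats any plain-string `$@` (a `die` inside one of the type plugins, or `$data` being undef after a failed load) the same as an empty one; only an empty `$@` should pass, an unblessed error should fail with its text, and the `eval { YAML::XS::LoadFile( $file ) }` above it should likewise surface its `$@` through `diag` instead of dropping it. Separately, `\ACVE-\d+-\d+\z` in `My::Type::CVE` accepts `CVE-1-1`; the published form is a four-digit year followed by at least four digits, `\ACVE-\d{4}-\d{4,}\z`, and `My::Type::GHSA` and `My::Type::CVE` match against `$value` without the `defined` guard the other plugins have, which warns under `use v5.36`. The `say STDERR "In type uri";` in `My::Type::YYYYMMDD::type_uri` looks like leftover debugging, and the `__END__` block holds old failure output rather than POD.
```perl
my $data = eval { YAML::XS::LoadFile( $file ) };
my $load_error = $@;
ok defined $data, "Loaded YAML data" or diag( $load_error );
isa_ok $data, ref {};

eval { $schema->assert_valid($data) };
my $at = $@;
if( ! $at ) {
    pass "Data for <$file> was valid";
}
elsif( ref $at && $at->can('failures') ) {
    fail( "Data for <$file> was not valid" );
    foreach my $failure ( $at->failures->@* ) {
        diag( $failure );
    }
}
else {
    # a plain die from a plugin or the schema is a test bug, not valid data
    fail( "Validation of <$file> died: $at" );
}
```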