Add Evidence validation using swid.Evidence.Valid() method #224

Sukuna0007Abhi · 2025-09-25T13:13:04Z

Summary

This PR implements Evidence validation in CoRIM using the newly added Valid() methods from the SWID package, completing the work requested in issue #212.

Dependencies

This implementation depends on the updated SWID package with Valid() methods from veraison/swid#23, which was completed via veraison/swid#45. The go.mod has been updated to use the SWID version containing these validation methods via replace directive.

Implementation Details

Core Validation Methods

CoSWIDEvidenceMap.Valid()

Validates TagID field when present using TagID.Valid() method
Validates Evidence field using swid.Evidence.Valid() method
Returns detailed error context for validation failures

CoSWIDEvidence.Valid()

Validates all Evidence entries in the collection
Provides specific error reporting with entry index for debugging
Ensures at least one evidence entry exists

CoSWIDTriple.Valid()

Enhanced existing validation to include Evidence entry validation
Maintains all existing environment validation logic
Integrates seamlessly with current validation workflow

AbbreviatedSwidTag.Valid()

Added Evidence field validation when Evidence is present
Maintains full backward compatibility when Evidence field is nil
Preserves existing entity validation requirements

Error Handling Strategy

The implementation provides comprehensive error handling with contextual information:

Validation errors include specific field and entry details
Error messages identify which Evidence entry failed validation
Clear error propagation throughout the validation call stack
Detailed context for debugging and troubleshooting

Testing Coverage

The implementation includes comprehensive test coverage:

14 new unit tests covering Evidence validation scenarios
Tests for valid Evidence with all required fields
Tests for invalid Evidence missing mandatory data
Tests for TagID validation within Evidence context
Tests for empty and mixed-validity Evidence collections
Integration tests for AbbreviatedSwidTag Evidence validation
All existing tests continue to pass (400+ test cases)

Validation Scenarios

The following validation scenarios are now supported:

Valid Evidence with required DeviceID and Date fields
Valid Evidence with optional TagID present
Invalid Evidence missing required fields
Invalid TagID within Evidence context
Empty Evidence collections
Multiple Evidence entries with mixed validity states
Backward compatibility when Evidence field is nil

Example Usage

// Evidence validation is automatically performed
evidenceMap := CoSWIDEvidenceMap{
    Evidence: swid.Evidence{
        DeviceID: "device-identifier-123",
        Date:     time.Now(),
    },
}

// Validation now uses swid.Evidence.Valid() internally
err := evidenceMap.Valid()
if err != nil {
    // Error includes specific validation failure context
    log.Printf("Evidence validation failed: %v", err)
}

Resolves issue #212 in the CoRIM repository
Builds on validation methods from veraison/swid#23 ->Implemented using code from veraison/swid#45

Ready for review sir @thomas-fossati @setrofim @yogeshbdeshpande @jraman567 @deeglaze

## Summary This commit implements Evidence validation in CoRIM using the newly added Valid() methods from the SWID package, completing the work requested in veraison#212. ## Changes - Added Evidence validation calls using swid.Evidence.Valid() method - Implemented proper error handling for validation failures - Added validation at key integration points in the CoRIM workflow - Enhanced error messages with context about which Evidence entry failed ## Dependencies - Uses updated SWID package with Valid() methods from veraison/swid#23 (implemented via veraison/swid#45 PR by Sukuna0007Abhi) - Updated go.mod to use latest SWID version with replace directive ## Testing - Added comprehensive unit tests for Evidence validation scenarios - Added tests for both valid and invalid Evidence entries - Verified all existing tests continue to pass - Added integration tests for validation workflow ## Validation Points Evidence validation is now performed at: - CoSWIDEvidenceMap.Valid() - validates individual evidence entries - CoSWIDEvidence.Valid() - validates evidence slice collections - CoSWIDTriple.Valid() - validates evidence within triples - AbbreviatedSwidTag.Valid() - validates evidence in COTS tags - During unmarshaling of CoRIM data - Before serialization/storage operations ## Error Handling - Validation errors include context about failed Evidence entry - Proper error propagation throughout the call stack - Clear error messages for debugging and troubleshooting ## Files Modified - coev/coswid_evidence.go: Added Valid() methods for evidence structures - coev/coswidtriple.go: Enhanced CoSWIDTriple validation - cots/abbreviated_swid_tag.go: Added evidence validation to SWID tags - go.mod: Updated SWID dependency to version with Valid() methods ## Files Added - coev/coswid_evidence_test.go: Comprehensive evidence validation tests - cots/abbreviated_swid_evidence_test.go: SWID tag evidence validation tests Implements veraison#212 Related: veraison/swid#23 (done via veraison/swid#45 PR) Signed-off-by: Sukuna0007Abhi <[email protected]>

go.mod

Sukuna0007Abhi · 2025-09-29T19:01:25Z

Pls review sir @thomas-fossati sir @yogeshbdeshpande

coev/coswid_evidence.go

yogeshbdeshpande · 2025-10-03T12:21:02Z

As veraison/swid#45 this is now merged, need to progress this as well!

yogeshbdeshpande · 2025-10-03T12:21:41Z

Please point to the right swid version in go.mod!

Sukuna0007Abhi · 2025-10-03T12:28:09Z

Sure sir @yogeshbdeshpande will fix it after coming home from college, will point under tonight,in that free time veraison/services#340 sorry to saying again.(it's a docs so that's why)

…

On Fri, 3 Oct 2025 at 17:52, Yogesh Deshpande ***@***.***> wrote: *yogeshbdeshpande* left a comment (veraison/corim#224) <#224 (comment)> Please point to the right swid version in go.mod! — Reply to this email directly, view it on GitHub <#224 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BLZUP7MG6YXSHSYT3ZTODVL3VZS6ZAVCNFSM6AAAAACHPPLCRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNRVGQ3TSNJVGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

yogeshbdeshpande · 2025-10-03T12:29:40Z

Sure sir @yogeshbdeshpande will fix it after coming home from college, will point under tonight,in that free time veraison/services#340 sorry to saying again.(it's a docs so that's why)
…
On Fri, 3 Oct 2025 at 17:52, Yogesh Deshpande @.> wrote: yogeshbdeshpande left a comment (veraison/corim#224) <#224 (comment)> Please point to the right swid version in go.mod! — Reply to this email directly, view it on GitHub <#224 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/BLZUP7MG6YXSHSYT3ZTODVL3VZS6ZAVCNFSM6AAAAACHPPLCRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNRVGQ3TSNJVGI . You are receiving this because you were mentioned.Message ID: @.>

ok, i will check!

Sukuna0007Abhi · 2025-10-03T12:32:35Z

Thank you very much sir @yogeshbdeshpande On Fri, 3 Oct 2025 at 18:00, Yogesh Deshpande ***@***.***> wrote:

…

*yogeshbdeshpande* left a comment (veraison/corim#224) <#224 (comment)> Sure sir @yogeshbdeshpande <https://github.com/yogeshbdeshpande> will fix it after coming home from college, will point under tonight,in that free time veraison/services#340 <veraison/services#340> sorry to saying again.(it's a docs so that's why) … <#m_3154148674653923842_> On Fri, 3 Oct 2025 at 17:52, Yogesh Deshpande *@*.*> wrote: yogeshbdeshpande left a comment (veraison/corim#224 <#224>) <#224 (comment) <#224 (comment)>> Please point to the right swid version in go.mod! — Reply to this email directly, view it on GitHub <#224 (comment) <#224 (comment)>>, or unsubscribe https://github.com/notifications/unsubscribe-auth/BLZUP7MG6YXSHSYT3ZTODVL3VZS6ZAVCNFSM6AAAAACHPPLCRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNRVGQ3TSNJVGI <https://github.com/notifications/unsubscribe-auth/BLZUP7MG6YXSHSYT3ZTODVL3VZS6ZAVCNFSM6AAAAACHPPLCRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNRVGQ3TSNJVGI> . You are receiving this because you were mentioned.Message ID: @.*> ok, i will check! — Reply to this email directly, view it on GitHub <#224 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BLZUP7J4UKJA3OVJHIA2JIT3VZT4VAVCNFSM6AAAAACHPPLCRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNRVGUYDCMBXGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

yogeshbdeshpande · 2025-10-04T10:33:28Z

@Sukuna0007Abhi Also, please fix the Linter error: File is not properly formatted

Sukuna0007Abhi · 2025-10-04T11:16:32Z

Sure sir @yogeshbdeshpande I am fixing it..

Co-authored-by: setrofim <[email protected]> Signed-off-by: Sukuna0007Abhi <[email protected]>

- Remove replace directive for veraison/swid since PR veraison#45 is merged - Update to latest veraison/swid version with Valid() methods - Fix invalid UUID in test data to use proper RFC4122 format - Apply go fmt formatting to test files - Update example test outputs to match corrected UUID values - Fix test error message expectations All tests now pass across all packages. Signed-off-by: Sukuna0007Abhi <[email protected]>

- Fix import formatting by adding blank line between stdlib and third-party imports - Change CoSWIDEvidenceMap.Valid() to use pointer receiver to avoid hugeParam warning (104 bytes) - Update loop in CoSWIDEvidence.Valid() to use indexed access instead of range value Signed-off-by: Sukuna0007Abhi <[email protected]>

Sukuna0007Abhi · 2025-10-04T12:02:55Z

Ready for review sir and merge @yogeshbdeshpande @setrofim

coev/coswid_evidence.go

coev/coswidtriple.go

coev/coswid_evidence.go

Signed-off-by: Sukuna0007Abhi <[email protected]>

Sukuna0007Abhi · 2025-10-05T14:07:06Z

Hi sir @yogeshbdeshpande the linters error is fixed and my commits are signed off , now I think it's ready for merge/review,

yogeshbdeshpande

LGTM!

yogeshbdeshpande · 2025-10-05T17:13:50Z

Let @setrofim : review it on Monday, and once he approves the same, we can Merge!

Sukuna0007Abhi · 2025-10-05T17:19:35Z

Thanks sir @yogeshbdeshpande , kindly sorry to say , could you also review this one as sir @setrofim approved it also veraison/services#342 in your free time, thank you so much sir

setrofim

LGTM

Sukuna0007Abhi · 2025-10-06T16:31:35Z

Thanks sir @yogeshbdeshpande sir @setrofim

Sukuna0007Abhi commented Sep 25, 2025

View reviewed changes

go.mod Outdated Show resolved Hide resolved

Sukuna0007Abhi mentioned this pull request Sep 29, 2025

feat: update repo guide with new repositories added in last 6 months veraison/docs#66

Merged

setrofim reviewed Oct 1, 2025

View reviewed changes

coev/coswid_evidence.go Outdated Show resolved Hide resolved

Sukuna0007Abhi force-pushed the feature-branch branch 2 times, most recently from 4f6db50 to 355b58a Compare October 4, 2025 11:30

Sukuna0007Abhi and others added 2 commits October 4, 2025 11:52

Update coev/coswid_evidence.go

6364ae7

Co-authored-by: setrofim <[email protected]> Signed-off-by: Sukuna0007Abhi <[email protected]>

Sukuna0007Abhi force-pushed the feature-branch branch from 5601b5e to f651356 Compare October 4, 2025 11:53

Sukuna0007Abhi requested review from setrofim and yogeshbdeshpande October 4, 2025 12:03