jsonschema
jsonschema copied to clipboard
qri-io
Fail to deal with external schemata
Hallo,
We have faced the following problem during the validation of some json files:
The Validation of the CVE-2018-0171-modified.json file with csaf_json_schema.json schema throws an Error:
/vulnerabilities/0/scores/0/cvss_v3: did not match any of the specified OneOf schemas and thus this valid document is classified as invalid.
Validator confirms the validity of this file against this schema also.
It seems that something goes wrong when processing oneOf on #ref external schemata.
Tested with qri-io/jsonschema v0.2.1 und go v1.17.1
Minimizing the linked schema and json file in the last comment by removing some attributes and adjusting the usage example to use these minimized files like following:
import (
"context"
"encoding/json"
"fmt"
"github.com/qri-io/jsonschema"
)
func main() {
ctx := context.Background()
var schemaData = []byte(`{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json",
"title": "Common Security Advisory Framework",
"description": "Representation of security advisory information as a JSON document.",
"type": "object",
"properties": {
"scores": {
"title": "List of scores",
"description": "contains score objects for the current vulnerability.",
"type": "array",
"minItems": 1,
"items": {
"title": "Score",
"description": "specifies information about (at least one) score of the vulnerability and for which products the given value applies.",
"type": "object",
"properties": {
"cvss_v2": {
"$ref": "https://www.first.org/cvss/cvss-v2.0.json"
},
"cvss_v3": {
"oneOf": [
{
"$ref": "https://www.first.org/cvss/cvss-v3.0.json"
},
{
"$ref": "https://www.first.org/cvss/cvss-v3.1.json"
}
]
}
}
}
}
}
}`)
rs := &jsonschema.Schema{}
if err := json.Unmarshal(schemaData, rs); err != nil {
panic("unmarshal schema: " + err.Error())
}
var valid = []byte(`{
"scores": [
{
"cvss_v3": {
"version": "3.0",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
}
]
}`)
errs, err := rs.ValidateBytes(ctx, valid)
if err != nil {
panic(err)
}
if len(errs) > 0 {
fmt.Println(errs[0].Error())
}
}
Throws the error: /scores/0/cvss_v3: {"baseScore":9.8,"ba... did not match any of the specified OneOf schemas
This excerpt from debug output indicates that the problem is not being able to resolve a ref.
[Ref] Validating
[AddError] Error: failed to resolve schema for ref #/definitions/scoreType
[Schema] Validating
[AddError] Error: schema is nil
[AddSubErrors] Error: failed to resolve schema for ref #/definitions/scoreType
[AddSubErrors] Error: schema is nil
Furthermore, there is a warning earlier in the debug output that leads to the root cause.
[Schema] WARN: 'definitions' is not supported and will be ignored
Validation is failing because the schema being used is written to comply with JSON Schema draft-07 and qri-io/jsonschema primarily targets JSON Schema 2019-09. Specifically, between revisions, the functionality associated with the "definitions" keyword was moved to the new "$defs" keyword. See issue #97 for more discussion.
For this particular case, registering the "definitions" keyword with the "$def" keyword handler before any validation occurs, as shown below, should allow for your provided test case to validate as expected.
jsonschema.RegisterKeyword("definitions", jsonschema.NewDefs)
