check json files with jq #3

Merged
merged 1 commit into from
Sep 9, 2024

quarckster
Contributor

@quarckster quarckster commented Sep 9, 2024

I added a simple JSON validator with the jq utility. The script iterates over JSON files and exits with an error if any of the JSON files in secjson is not valid. E.g.:

jq: parse error: Invalid numeric literal at line 23, column 60
Error in file: secjson/CVE-2009-3555.json
jq: parse error: Invalid literal at line 6, column 45
Error in file: secjson/CVE-2022-4450.json
jq: parse error: Invalid numeric literal at line 57, column 1068
Error in file: secjson/CVE-2024-6119.json

@quarckster quarckster changed the title from "add super linter" to "check json files with jq" Sep 9, 2024
@quarckster quarckster closed this Sep 9, 2024
@quarckster quarckster reopened this Sep 9, 2024
@quarckster quarckster merged commit 6fa3b92 into main Sep 9, 2024
@quarckster quarckster deleted the lint branch September 9, 2024 12:52
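
A check of the kind described in the opening comment, as an added example that is not the script merged in this PR. The function names, the default directory argument and the sample files are assumptions, and the test is stricter than a plain parse: it requires exactly one JSON document per file, so zero-byte files fail too.

```shell
#!/bin/sh
# Added example, not the project's script. Names below are hypothetical.

# check_json_dir DIR: succeed only if every DIR/*.json holds exactly one
# JSON document.
check_json_dir() {
    dir=${1:-secjson}
    failed=0
    # Log the parser version so a disputed verdict can be tied to a jq release.
    echo "validator: $(jq --version)" >&2
    for file in "$dir"/*.json; do
        # An unmatched glob stays literal in POSIX sh; skip it.
        [ -e "$file" ] || continue
        # -s slurps all documents into one array; -e turns a false result
        # into a non-zero exit. Parse errors exit non-zero as well, so empty
        # files and files with extra documents fail alongside malformed ones.
        if ! jq -e -s 'length == 1' "$file" >/dev/null; then
            echo "Error in file: $file" >&2
            failed=1
        fi
    done
    return "$failed"
}

# demo_check: run the check over constructed sample files (not real
# advisory data) and return its exit status.
demo_check() {
    tmp=$(mktemp -d) || return 2
    printf '{"defaultStatus": "unaffected"}\n' > "$tmp/good.json"
    printf '{"defaultStatus": unaffected}\n' > "$tmp/broken.json"  # unquoted value
    : > "$tmp/empty.json"                                          # zero bytes
    check_json_dir "$tmp"
    status=$?
    rm -rf "$tmp"
    return "$status"
}
```

In CI, `check_json_dir secjson` as the last command of the step makes the job fail on the first run that contains an invalid file, while still listing every offending file.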
@levitte
Member

levitte commented Sep 9, 2024

Er... did you look at those JSON files?

"value": "Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation."

"defaultStatus": "unaffected",

"value": "Issue summary: Applications performing certificate name checks (e.g., TLS<br>clients checking server certificates) may attempt to read an invalid memory<br>address resulting in abnormal termination of the application process.<br><br>Impact summary: Abnormal termination of an application can a cause a denial of<br>service.<br><br>Applications performing certificate name checks (e.g., TLS clients checking<br>server certificates) may attempt to read an invalid memory address when<br>comparing the expected name with an `otherName` subject alternative name of an<br>X.509 certificate. This may result in an exception that terminates the<br>application program.<br><br>Note that basic certificate chain validation (signatures, dates, ...) is not<br>affected, the denial of service can occur only when the application also<br>specifies an expected DNS name, Email address or IP address.<br><br>TLS servers rarely solicit client certificates, and even when they do, they<br>generally don't perform a name check against a reference identifier (expected<br>identity), but rather extract the presented identity after checking the<br>certificate chain. So TLS servers are generally not affected and the severity<br>of the issue is Moderate.<br><br>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue."

I think your jq version is drunk

@levitte
Member

levitte commented Sep 9, 2024

I can see in actions that two of those errors are indeed reported for the current main branch.
jq is wrong, this shouldn't have been merged without scrutinizing the "errors"

@levitte
Member

levitte commented Sep 9, 2024

(jq on my laptop doesn't report any error, but I probably have a newer version)

@quarckster
Contributor Author

I was testing how the json linter works and intentionally broke some of the files. Then I reverted changes and merged the PR.

@levitte
Member

levitte commented Sep 9, 2024

Thank you
