reduce complexity and clean up constraint checking

Author: daveshanley

functions/functions_test.go

@@ -8,5 +8,5 @@ import (
 
 func TestMapBuiltinFunctions(t *testing.T) {
 	funcs := MapBuiltinFunctions()
-	assert.Len(t, funcs.GetAllFunctions(), 80)
+	assert.Len(t, funcs.GetAllFunctions(), 81)
 }

functions/openapi/examples_schema.go

@@ -48,7 +48,7 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		return results
 	}
 
-	// Get configuration values from context, use defaults if not set
+	// get configuration values from context, use defaults if not set
 	maxConcurrentValidations := ruleContext.MaxConcurrentValidations
 	if maxConcurrentValidations <= 0 {
 		maxConcurrentValidations = 10 // Default: 10 parallel validations
@@ -59,19 +59,19 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		validationTimeout = 10 * time.Second // Default: 10 seconds
 	}
 
-	// Create a timeout context for the entire validation process
+	// create a timeout context for the entire validation process
 	ctx, cancel := context.WithTimeout(context.Background(), validationTimeout)
 	defer cancel()
 
-	// Create semaphore for concurrency limiting
+	// create semaphore for concurrency limiting
 	sem := make(chan struct{}, maxConcurrentValidations)
 
-	// Track active workers
+	// track active workers
 	var activeWorkers int32
 	var completedWorkers int32
 
 	buildResult := func(message, path string, key, node *yaml.Node, component v3.AcceptsRuleResults) model.RuleFunctionResult {
-		// Try to find all paths for this node if it's a schema
+		// try to find all paths for this node if it's a schema
 		var allPaths []string
 		if schema, ok := component.(*v3.Schema); ok {
 			_, allPaths = vacuumUtils.LocateSchemaPropertyPaths(ruleContext, schema, key, node)
@@ -85,7 +85,7 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 			Rule:      ruleContext.Rule,
 		}
 
-		// Set the Paths array if we found multiple locations
+		// set the Paths array if we found multiple locations
 		if len(allPaths) > 1 {
 			result.Paths = allPaths
 		}
@@ -97,9 +97,9 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 	var expLock sync.Mutex
 	var wg sync.WaitGroup
 
-	// Helper function to spawn workers with context and concurrency control
+	// helper function to spawn workers with context and concurrency control
 	spawnWorker := func(work func()) {
-		// Check if context is already cancelled before spawning
+		// check if context is already cancelled before spawning
 		select {
 		case <-ctx.Done():
 			return
@@ -114,26 +114,26 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 			defer atomic.AddInt32(&completedWorkers, 1)
 			defer atomic.AddInt32(&activeWorkers, -1)
 
-			// Recover from panics to prevent crashes
+			// recover from panics to prevent crashes
 			defer func() {
 				if r := recover(); r != nil {
-					// Log panic if logger available
+					// log panic if logger available
 					if ruleContext.Logger != nil {
 						ruleContext.Logger.Error("ExamplesSchema validation panic", "error", r)
 					}
 				}
 			}()
 
-			// Try to acquire semaphore with context
+			// try to acquire semaphore with context
 			select {
 			case sem <- struct{}{}:
 				defer func() { <-sem }()
 			case <-ctx.Done():
-				// Context cancelled while waiting for semaphore
+				// context cancelled while waiting for semaphore
 				return
 			}
 
-			// Check context again before starting work
+			// check context again before starting work
 			select {
 			case <-ctx.Done():
 				return
@@ -199,7 +199,7 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		for i := range ruleContext.DrDocument.Schemas {
 			s := ruleContext.DrDocument.Schemas[i]
 			spawnWorker(func() {
-				// Check context at start of work
+				// check context at start of work
 				select {
 				case <-ctx.Done():
 					return
@@ -208,7 +208,7 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 
 				if s.Value.Examples != nil {
 					for x, ex := range s.Value.Examples {
-						// Check context in loop
+						// check context in loop
 						select {
 						case <-ctx.Done():
 							return
@@ -269,38 +269,100 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		}
 	}
 
+	// exampleValidatorFunc defines the function signature for validating examples
+	type exampleValidatorFunc func(example any) (bool, []*errors.ValidationError)
+
+	// processValidationErrors converts validation errors to rule function results
+	processValidationErrors := func(
+		validationErrors []*errors.ValidationError,
+		path string,
+		keyNode, valueNode *yaml.Node,
+		schema *v3.Schema,
+	) []model.RuleFunctionResult {
+		var rx []model.RuleFunctionResult
+		for _, r := range validationErrors {
+			for _, err := range r.SchemaValidationErrors {
+				result := buildResult(
+					vacuumUtils.SuppliedOrDefault(ruleContext.Rule.Message, err.Reason),
+					path, keyNode, valueNode, schema)
+
+				// check if this is a banned error
+				banned := false
+				for g := range bannedErrors {
+					if strings.Contains(err.Reason, bannedErrors[g]) {
+						banned = true
+						break
+					}
+				}
+				if !banned {
+					rx = append(rx, result)
+				}
+			}
+		}
+		return rx
+	}
+
+	// createJSONValidator creates a validator for JSON examples
+	createJSONValidator := func(
+		iKey *int,
+		sKey, label string,
+		s *v3.Schema,
+		obj v3.AcceptsRuleResults,
+		node *yaml.Node,
+		keyNode *yaml.Node,
+	) exampleValidatorFunc {
+		return func(example any) (bool, []*errors.ValidationError) {
+			return validateSchema(iKey, sKey, label, s, obj, node, keyNode, example)
+		}
+	}
+
+	// createXMLValidator creates a validator for XML examples
+	createXMLValidator := func(s *v3.Schema, ver float32) exampleValidatorFunc {
+		return func(example any) (bool, []*errors.ValidationError) {
+			if xmlStr, ok := example.(string); ok {
+				if ver > 0 {
+					return validator.ValidateXMLStringWithVersion(s.Value, xmlStr, ver)
+				}
+				return validator.ValidateXMLString(s.Value, xmlStr)
+			}
+			return true, nil
+		}
+	}
+
 	parseExamples := func(s *v3.Schema,
 		obj v3.AcceptsRuleResults,
-		examples *orderedmap.Map[string,
-			*v3Base.Example]) []model.RuleFunctionResult {
+		examples *orderedmap.Map[string, *v3Base.Example],
+		validatorFunc exampleValidatorFunc) []model.RuleFunctionResult {
 
 		var rx []model.RuleFunctionResult
 		for examplesPairs := examples.First(); examplesPairs != nil; examplesPairs = examplesPairs.Next() {
-
 			example := examplesPairs.Value()
 			exampleKey := examplesPairs.Key()
 
 			var ex any
 			if example.Value != nil {
 				_ = example.Value.Decode(&ex)
-				result := validateSchema(nil, exampleKey, "examples", s, obj, example.Value, example.GoLow().KeyNode, ex)
-				if result != nil {
-					rx = append(rx, result...)
+				valid, validationErrors := validatorFunc(ex)
+
+				if !valid {
+					path := fmt.Sprintf("%s.examples['%s']", obj.(v3.Foundational).GenerateJSONPath(), exampleKey)
+					rx = append(rx, processValidationErrors(validationErrors, path,
+						example.GoLow().KeyNode, example.Value, s)...)
 				}
 			}
 		}
 		return rx
 	}
 
-	parseExample := func(s *v3.Schema, node, key *yaml.Node) []model.RuleFunctionResult {
-
+	parseExample := func(s *v3.Schema, node, key *yaml.Node, validatorFunc exampleValidatorFunc) []model.RuleFunctionResult {
 		var rx []model.RuleFunctionResult
 		var ex any
 		_ = node.Decode(&ex)
 
-		result := validateSchema(nil, "", "example", s, s, node, key, ex)
-		if result != nil {
-			rx = append(rx, result...)
+		valid, validationErrors := validatorFunc(ex)
+		if !valid {
+			path := ""
+			rx = append(rx, processValidationErrors(validationErrors, path, key, node, s)...)
 		}
 		return rx
 	}
@@ -309,25 +371,27 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		for i := range ruleContext.DrDocument.Parameters {
 			p := ruleContext.DrDocument.Parameters[i]
 			spawnWorker(func() {
-				// Check context at start of work
+				// check context at start of work
 				select {
 				case <-ctx.Done():
 					return
 				default:
 				}
 
 				if p.Value.Examples.Len() >= 1 && p.SchemaProxy != nil {
+					jsonValidator := createJSONValidator(nil, "", "examples", p.SchemaProxy.Schema, p, nil, nil)
 					expLock.Lock()
 					if p.Value.Examples != nil && p.Value.Examples.Len() > 0 {
-						results = append(results, parseExamples(p.SchemaProxy.Schema, p, p.Value.Examples)...)
+						results = append(results, parseExamples(p.SchemaProxy.Schema, p, p.Value.Examples, jsonValidator)...)
 					}
 					expLock.Unlock()
 				} else {
 					if p.Value.Example != nil && p.SchemaProxy != nil {
+						jsonValidator := createJSONValidator(nil, "", "example", p.SchemaProxy.Schema, p, p.Value.Example, p.Value.GoLow().Example.GetKeyNode())
 						expLock.Lock()
 						if p.Value.Examples != nil && p.Value.Examples.Len() > 0 {
 							results = append(results, parseExample(p.SchemaProxy.Schema, p.Value.Example,
-								p.Value.GoLow().Example.GetKeyNode())...)
+								p.Value.GoLow().Example.GetKeyNode(), jsonValidator)...)
 						}
 						expLock.Unlock()
 					}
@@ -340,22 +404,24 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		for i := range ruleContext.DrDocument.Headers {
 			h := ruleContext.DrDocument.Headers[i]
 			spawnWorker(func() {
-				// Check context at start of work
+				// check context at start of work
 				select {
 				case <-ctx.Done():
 					return
 				default:
 				}
 
 				if h.Value.Examples.Len() >= 1 && h.Schema != nil {
+					jsonValidator := createJSONValidator(nil, "", "examples", h.Schema.Schema, h, nil, nil)
 					expLock.Lock()
-					results = append(results, parseExamples(h.Schema.Schema, h, h.Value.Examples)...)
+					results = append(results, parseExamples(h.Schema.Schema, h, h.Value.Examples, jsonValidator)...)
 					expLock.Unlock()
 				} else {
 					if h.Value.Example != nil && h.Schema != nil {
+						jsonValidator := createJSONValidator(nil, "", "example", h.Schema.Schema, h, h.Value.Example, h.Value.GoLow().Example.GetKeyNode())
 						expLock.Lock()
 						results = append(results, parseExample(h.Schema.Schema, h.Value.Example,
-							h.Value.GoLow().Example.GetKeyNode())...)
+							h.Value.GoLow().Example.GetKeyNode(), jsonValidator)...)
 						expLock.Unlock()
 					}
 				}
@@ -368,22 +434,38 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 		for i := range ruleContext.DrDocument.MediaTypes {
 			mt := ruleContext.DrDocument.MediaTypes[i]
 			spawnWorker(func() {
-				// Check context at start of work
+				// check context at start of work
 				select {
 				case <-ctx.Done():
 					return
 				default:
 				}
 
+				// check if this is xml content type
+				mediaTypeStr := mt.GetKeyValue()
+				isXML := schema_validation.IsXMLContentType(mediaTypeStr)
+
 				if mt.Value.Examples.Len() >= 1 && mt.SchemaProxy != nil {
+					var exampleValidator exampleValidatorFunc
+					if isXML {
+						exampleValidator = createXMLValidator(mt.SchemaProxy.Schema, version)
+					} else {
+						exampleValidator = createJSONValidator(nil, "", "examples", mt.SchemaProxy.Schema, mt, nil, nil)
+					}
 					expLock.Lock()
-					results = append(results, parseExamples(mt.SchemaProxy.Schema, mt, mt.Value.Examples)...)
+					results = append(results, parseExamples(mt.SchemaProxy.Schema, mt, mt.Value.Examples, exampleValidator)...)
 					expLock.Unlock()
 				} else {
 					if mt.Value.Example != nil && mt.SchemaProxy != nil {
+						var exampleValidator exampleValidatorFunc
+						if isXML {
+							exampleValidator = createXMLValidator(mt.SchemaProxy.Schema, version)
+						} else {
+							exampleValidator = createJSONValidator(nil, "", "example", mt.SchemaProxy.Schema, mt, mt.Value.Example, mt.Value.GoLow().Example.GetKeyNode())
+						}
 						expLock.Lock()
 						results = append(results, parseExample(mt.SchemaProxy.Schema, mt.Value.Example,
-							mt.Value.GoLow().Example.GetKeyNode())...)
+							mt.Value.GoLow().Example.GetKeyNode(), exampleValidator)...)
 						expLock.Unlock()
 					}
 				}
@@ -392,7 +474,7 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 
 	}
 
-	// Wait for all workers to complete or context to timeout
+	// wait for all workers to complete or context to timeout
 	done := make(chan struct{})
 	go func() {
 		wg.Wait()
@@ -401,13 +483,13 @@ func (es ExamplesSchema) RunRule(_ []*yaml.Node, ruleContext model.RuleFunctionC
 
 	select {
 	case <-done:
-		// All workers completed normally
+		// all workers completed normally
 		if ruleContext.Logger != nil && atomic.LoadInt32(&completedWorkers) > 0 {
 			ruleContext.Logger.Debug("ExamplesSchema completed validations",
 				"completed", atomic.LoadInt32(&completedWorkers))
 		}
 	case <-ctx.Done():
-		// Timeout occurred - return whatever results we have
+		// timeout occurred - return whatever results we have
 		if ruleContext.Logger != nil {
 			ruleContext.Logger.Warn("ExamplesSchema validation timeout",
 				"timeout", validationTimeout,

rulesets/rulesets_test.go

@@ -14,9 +14,9 @@ import (
 	"time"
 )
 
-var totalRules = 65
+var totalRules = 66
+var totalRecommendedRules = 54
 var totalOwaspRules = 23
-var totalRecommendedRules = 53
 
 func TestBuildDefaultRuleSets(t *testing.T) {
 
@@ -551,7 +551,7 @@ rules:
 	rs, err := CreateRuleSetFromData([]byte(yamlA))
 	assert.NoError(t, err)
 	override := def.GenerateRuleSetFromSuppliedRuleSet(rs)
-	assert.Len(t, override.Rules, 55)
+	assert.Len(t, override.Rules, 56)
 	assert.Len(t, override.RuleDefinitions, 2)
 	assert.NotNil(t, rs.Rules["ding"])
 	assert.NotNil(t, rs.Rules["dong"])
@@ -740,7 +740,7 @@ func TestRuleSet_GetExtendsLocalSpec_Multi_Chain(t *testing.T) {
 	rs, err := CreateRuleSetFromData([]byte(yaml))
 	assert.NoError(t, err)
 	override := def.GenerateRuleSetFromSuppliedRuleSet(rs)
-	assert.Len(t, override.Rules, 66)
+	assert.Len(t, override.Rules, 67)
 	assert.Len(t, override.RuleDefinitions, 1)
 
 }