Conversation

wagner-intevation
Member

Adds parameter --validate that supports https://github.com/secvisogram/csaf-validator-service to validate the resulting document.

Fixes #124

Result examples:

$ cvrf2csaf --validate --input-file examples/1.2/cvrf_example_a.xml --force
[...]
2025-05-29 09:25:11,415 - cvrf2csaf - INFO - Valdidation successful.
[...]

$ cvrf2csaf --validate --input-file examples/1.2/cvrf_example_d.xml --force
[...]
2025-05-29 09:24:10,392 - cvrf2csaf - WARNING - Some errors occurred during conversion, but producing output as --force option is used.
[...]
2025-05-29 09:24:10,594 - cvrf2csaf - WARNING - Some errors were found at validation: [{'errors': [{'instancePath': '/document/tracking/revision_history/0/number', 'message': 'must match pattern "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$"'}, {'instancePath': '/document/tracking/revision_history/1/number', 'message': 'must match pattern "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$"'}], 'warnings': [], 'infos': [], 'isValid': False, 'name': 'csaf_2_0'}, {'errors': [{'instancePath': '/document/tracking/revision_history/0/number', 'message': 'must match pattern "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$"'}, {'instancePath': '/document/tracking/revision_history/1/number', 'message': 'must match pattern "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)$"'}], 'warnings': [], 'infos': [], 'isValid': False, 'name': 'csaf_2_0_strict'}]
2025-05-29 09:24:10,595 - utils - INFO - Successfully wrote ./id0_invalid.json.
[...]

@wagner-intevation
Member Author

The remaining pylint error is not related to the PR:

cvrf2csaf/cvrf2csaf.py:254:0: R0915: Too many statements (52/50) (too-many-statements)

@bernhardreiter
Contributor

bernhardreiter commented May 29, 2025 via email

@bernhardreiter
Contributor

A question is if validation should be the default - I guess it makes more sense as the output files should be valid CSAF documents and for this the mandatory tests are required to pass (and the optional and recommendation tests can be useful as warnings and recommendations).

@bernhardreiter
Contributor

A failure in the mandatory tests from the validator shall make the converter fail I think.

@wagner-intevation
Member Author

A failure in the mandatory tests from the validator shall make the converter fail I think.

That's what the code in https://github.com/csaf-tools/CVRF-CSAF-Converter/pull/132/files#diff-fa1a64ee695c90205cb0dc8aba4aa7a0dc8eb5e70ede667636ade192a8ddaaa1R359 does

A question is if validation should be the default

That also means any user of the converter needs to set up the validator first

@bernhardreiter
Contributor

That also means any user of the converter needs to set up the validator first

Yes, this is good. Please add this prerequisite to the documentation.
And at least warn if this validator is missing or cannot be called.
(Or throw an error, unless a flag like --force is given or so. We want to prevent too many options.)

If an error from the validator leads to an overall error from the converter, that is fine (I haven't tested this yet).

@wagner-intevation
Member Author

The validator is now required by default and can be disabled by a parameter. (inverse to previous behavior)

Yes, this is good. Please add this prerequisite to the documentation.

Added a paragraph on the requirement to the section "Getting started"

(Or throw an error, unless a flag like --force is given or so. We want to prevent too many options.)

As before, --force still allows ignoring validation errors.

I also added handling of http errors (hiding the traceback for e.g. connection failures) and lowered the logging level for the httpx class

solves this pylint error:
cvrf2csaf/cvrf2csaf.py:254:0: R0915: Too many statements (52/50) (too-many-statements)
by splitting the main() function into two

@wagner-intevation
Member Author

As the pylint error (too many statements in main()) only appears in this branch, not in branch main, I added a fix for it in this PR, in a separate commit, instead of a separate PR.

This PR is now finally ready for a review.
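As an added example, not code from the CVRF-CSAF-Converter project or from this PR's diff: the decision logic the thread converges on, applied to a result list shaped like the one logged in the PR description above (one entry per test, each with errors, warnings, infos, isValid and name). Validation errors block the output unless --force is given, and an unreachable validator is reported as a one-line warning instead of a traceback. The sample result list is constructed (the pattern message is shortened), and the request body, endpoint path and response envelope used in validate_remote are assumptions about csaf-validator-service, not taken from the PR.

```python
"""Added example, not code from the CVRF-CSAF-Converter project: interpret the
result list a csaf-validator-service call returns and decide whether the
converter may write its output, honouring a --force style override."""
import json
import logging
import socket
import urllib.error
import urllib.request

log = logging.getLogger("cvrf2csaf")

# Constructed sample mirroring the structure logged in the PR description:
# one entry per test, each with errors / warnings / infos / isValid / name.
# The pattern message is shortened here; the real one is the full semver regex.
_REV_ERR = 'must match pattern "^(0|[1-9][0-9]*)$|^((0|[1-9]\\d*)...$"'
SAMPLE_INVALID = [
    {
        "name": name,
        "isValid": False,
        "errors": [
            {"instancePath": "/document/tracking/revision_history/0/number", "message": _REV_ERR},
            {"instancePath": "/document/tracking/revision_history/1/number", "message": _REV_ERR},
        ],
        "warnings": [],
        "infos": [],
    }
    for name in ("csaf_2_0", "csaf_2_0_strict")
]
SAMPLE_VALID = [
    {"name": n, "isValid": True, "errors": [], "warnings": [], "infos": []}
    for n in ("csaf_2_0", "csaf_2_0_strict")
]


def collect_errors(results):
    """Flatten every test's errors into 'test: path: message' strings."""
    out = []
    for test in results:
        for err in test.get("errors", []):
            out.append(f"{test['name']}: {err.get('instancePath', '')}: {err.get('message', '')}")
    return out


def all_valid(results):
    """True only if every test reported isValid (an empty result list is not a pass)."""
    return bool(results) and all(t.get("isValid") is True for t in results)


def decide(results, force):
    """Decide whether to write the converted document.

    results: the validator's result list, or None when the service could not
    be reached. Returns (write_output, problems). Without --force, any
    validation error or an unreachable validator blocks the output.
    """
    if results is None:
        problems = ["validator service not reachable; document not validated"]
    else:
        problems = collect_errors(results)
        if not problems and not all_valid(results):
            problems = ["validator reported isValid=false without error details"]
    if not problems:
        return True, []
    if force:
        log.warning("Some errors were found at validation: %s (writing output anyway, --force)", problems)
        return True, problems
    log.error("Validation failed: %s", problems)
    return False, problems


def validate_remote(document, url, timeout=10.0):
    """POST the CSAF document to a csaf-validator-service instance.

    ASSUMPTION (not taken from the PR): the service accepts
    {"tests": [{"type": "preset", "name": "mandatory"}], "document": {...}}
    and answers with a JSON object whose "tests" key holds the result list.
    Returns that list, or None on any HTTP / connection error, which is
    reported as a one-line warning instead of a traceback.
    """
    body = json.dumps({"tests": [{"type": "preset", "name": "mandatory"}],
                       "document": document}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        log.warning("validator returned HTTP %s for %s", exc.code, url)
        return None
    except (urllib.error.URLError, socket.timeout, ValueError) as exc:
        log.warning("validator not reachable at %s: %s", url, exc)
        return None
    return payload.get("tests") if isinstance(payload, dict) else payload


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s - %(message)s")
    print(decide(SAMPLE_INVALID, force=False))
    print(decide(SAMPLE_INVALID, force=True))
    print(decide(SAMPLE_VALID, force=False))
```

Note that decide treats an empty result list as not validated rather than as a pass, so a misconfigured service that answers with no tests cannot silently let an invalid document through.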

Development

Successfully merging this pull request may close these issues.

validate using a validation service