Skip to content

feat: align xarf-python with XARF v4 spec and JavaScript reference #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tknecht wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat: align xarf-python with XARF v4 spec and JavaScript reference #4

tknecht wants to merge 6 commits into from

Conversation

@tknecht
Copy link
Contributor

@tknecht tknecht commented Jan 13, 2026

Summary

Aligns the xarf-python library with the XARF v4 specification and the xarf-javascript reference implementation.

Changes

Phase 1: Schema Infrastructure

  • Bundle 35 JSON schemas from xarf-spec into xarf/schemas/v4/
  • Add SchemaRegistry singleton for centralized schema access
  • Add SchemaValidator for JSON Schema validation

Phase 2: Validation Alignment

  • Rename XARFReporter to ContactInfo (with backward-compatible alias)
  • Change type field to domain in ContactInfo (per v4 spec)
  • Add required sender field to XARFReport
  • Make evidence_source optional (x-recommended in v4)
  • Add new category models: InfrastructureReport, CopyrightReport, VulnerabilityReport, ReputationReport
  • Modernize type annotations (Python 3.9+)

Phase 3: Generator Alignment

  • Update generate_report() to use ContactInfo dicts with domain field
  • Make sender required (per v4 spec)
  • Use SchemaRegistry for dynamic category/type validation
  • Update hash format to algorithm:hexvalue

Testing

  • 207 tests pass (1 skipped)
  • 88% code coverage
  • All pre-commit hooks pass (ruff, mypy, vulture, pydocstyle)

Breaking Changes

The generator API has changed:

# Old API (deprecated)
generator.generate_report(
    category="messaging",
    report_type="spam",
    source_identifier="192.0.2.1",
    reporter_contact="abuse@example.com",
    reporter_org="Example Org",
)

# New API (v4 compliant)
generator.generate_report(
    category="messaging",
    report_type="spam",
    source_identifier="192.0.2.1",
    reporter={
        "org": "Example Org",
        "contact": "abuse@example.com",
        "domain": "example.com",
    },
    sender={
        "org": "Example Org",
        "contact": "abuse@example.com",
        "domain": "example.com",
    },
)

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 13, 2026
View reviewed changes
tests/test_generator_v2.py
Comment on lines +577 to +583
generator.generate_report(
category="messaging",
report_type="spam",
source_identifier="192.0.2.1",
reporter_contact="abuse@test.com", # type: ignore[call-arg]
reporter_org="Test Org", # type: ignore[call-arg]
)

Check failure

Code scanning / CodeQL

Wrong name for an argument in a call

Keyword argument 'reporter_org' is not a supported parameter name of [method XARFGenerator.generate_report](1). Keyword argument 'reporter_contact' is not a supported parameter name of [method XARFGenerator.generate_report](1).

Copilot Autofix

AI 2 days ago

In general, the problem occurs because generate_report is being called with keyword arguments (reporter_contact, reporter_org) that are not parameters of the method. To fix this without changing functionality, the test should still exercise the “old API is invalid” path but do so without using parameter names that don’t exist on the function, thus avoiding the specific static-analysis rule.

The best minimal fix within tests/test_generator_v2.py is:

  • Stop passing the two unsupported keywords reporter_contact and reporter_org.
  • Instead, pass a single clearly-invalid keyword argument such as reporter="abuse@test.com", assuming the actual API expects a dict for reporter, not a string. This still triggers an error (either XARFError from validation or TypeError from incorrect type), preserving the original test intent: “Old reporter_contact string API should still work (deprecated)” and “Old API should fail – we require the new dict format.”
  • Remove the # type: ignore[call-arg] hints because we are no longer using unsupported parameter names.

Concretely, in the TestBackwardCompatibility.test_reporter_contact_string_deprecated method:

  • Replace the existing call:
generator.generate_report(
    category="messaging",
    report_type="spam",
    source_identifier="192.0.2.1",
    reporter_contact="abuse@test.com",  # type: ignore[call-arg]
    reporter_org="Test Org",  # type: ignore[call-arg]
)

with:

generator.generate_report(
    category="messaging",
    report_type="spam",
    source_identifier="192.0.2.1",
    reporter="abuse@test.com",  # old API passed string instead of reporter dict
)

No new imports, helper methods, or definitions are needed.

Suggested changeset 1
tests/test_generator_v2.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/tests/test_generator_v2.py b/tests/test_generator_v2.py
--- a/tests/test_generator_v2.py
+++ b/tests/test_generator_v2.py
@@ -578,8 +578,7 @@
                 category="messaging",
                 report_type="spam",
                 source_identifier="192.0.2.1",
-                reporter_contact="abuse@test.com",  # type: ignore[call-arg]
-                reporter_org="Test Org",  # type: ignore[call-arg]
+                reporter="abuse@test.com",  # old API passed string instead of reporter dict
             )
 
 
EOF
@@ -578,8 +578,7 @@
category="messaging",
report_type="spam",
source_identifier="192.0.2.1",
reporter_contact="abuse@test.com", # type: ignore[call-arg]
reporter_org="Test Org", # type: ignore[call-arg]
reporter="abuse@test.com", # old API passed string instead of reporter dict
)


Copilot is powered by AI and may make mistakes. Always verify output.
a2xdeveloper
a2xdeveloper previously approved these changes Jan 13, 2026
View reviewed changes
@tknecht
feat: add schema-driven validation infrastructure (Phase 1)
12a444e 
- Bundle XARF v4 JSON schemas from xarf-spec (35 schema files)
- Add schema_utils.py for schema file discovery and loading
- Add SchemaRegistry singleton for centralized schema access
  - Dynamic category/type validation from schemas
  - Field metadata extraction (required, optional, recommended)
  - Evidence source validation
  - Category-specific field discovery
- Add SchemaValidator for JSON Schema validation using jsonschema
  - Validates against core schema and type-specific schemas
  - User-friendly error messages
  - Support for all 7 categories and 33 types
- Add comprehensive tests (67 new tests, all passing)
- Update pyproject.toml to include schemas in package
- Export new classes from xarf package

This aligns xarf-python with xarf-javascript reference implementation.
@tknecht
feat: align models and validation with XARF v4 spec (Phase 2)
93ee5c0 
- Update ContactInfo to use 'domain' instead of 'type'
- Add required 'sender' field to XARFReport
- Make 'evidence_source' optional (recommended)
- Add ValidationResult dataclass for validate() method
- Update v3 converter to produce v4-compliant output
- Update all tests to use v4-compliant test data
- Add shared test fixtures in conftest.py

Also:
- Replace black/isort/flake8/bandit with ruff in pre-commit
- Modernize type annotations (dict instead of Dict, etc.)
- Fix trailing whitespace and EOF issues in sample files
@tknecht
feat: align generator with XARF v4 spec (Phase 3)
238165e 
- Update generate_report() to use ContactInfo dicts with domain field
- Make sender required (per v4 spec)
- Make evidence_source optional (x-recommended in v4)
- Use SchemaRegistry for dynamic category/type validation
- Update hash format to algorithm:hexvalue
- Add 33 new tests for v4 generator compliance
@tknecht
chore: update CI to use ruff instead of black/isort/flake8/bandit
ebea530 
- Replace black, isort, flake8, bandit with ruff (includes S rules for security)
- Drop Python 3.8 support (mypy requires 3.9+)
- Add Python 3.13 to test matrix
- Simplify code-quality job to run checks sequentially
- Remove obsolete tool configs (black, isort, flake8, bandit, pylint)
@tknecht
chore: update ruff pre-commit hook to v0.14.0 and fix formatting
aec1dba
@tknecht
fix: resolve schema $refs locally instead of fetching from web
6d3f78c 
The type schemas have $id URLs pointing to https://xarf.org/schemas/v4/...
When jsonschema resolves $ref references, it was trying to fetch from
the web, which fails in CI (Cloudflare blocks the requests).

This fix builds a schema store that maps the $id URLs to locally
bundled schema files, ensuring all schema resolution happens locally.
@tknecht tknecht force-pushed the feature/schema-driven-validation branch from b8d1307 to 6d3f78c Compare January 13, 2026 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a2xdeveloper a2xdeveloper a2xdeveloper left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tknecht @a2xdeveloper