Add Evidence validation using swid.Evidence.Valid() method

## Summary

This commit implements Evidence validation in CoRIM using the newly added
Valid() methods from the SWID package, completing the work requested in
#212.

## Changes

- Added Evidence validation calls using swid.Evidence.Valid() method
- Implemented proper error handling for validation failures
- Added validation at key integration points in the CoRIM workflow
- Enhanced error messages with context about which Evidence entry failed

## Dependencies

- Uses updated SWID package with Valid() methods from veraison/swid#23
  (implemented via veraison/swid#45 PR by Sukuna0007Abhi)
- Updated go.mod to use latest SWID version with replace directive

## Testing

- Added comprehensive unit tests for Evidence validation scenarios
- Added tests for both valid and invalid Evidence entries
- Verified all existing tests continue to pass
- Added integration tests for validation workflow

## Validation Points

Evidence validation is now performed at:
- CoSWIDEvidenceMap.Valid() - validates individual evidence entries
- CoSWIDEvidence.Valid() - validates evidence slice collections
- CoSWIDTriple.Valid() - validates evidence within triples
- AbbreviatedSwidTag.Valid() - validates evidence in COTS tags
- During unmarshaling of CoRIM data
- Before serialization/storage operations

## Error Handling

- Validation errors include context about failed Evidence entry
- Proper error propagation throughout the call stack
- Clear error messages for debugging and troubleshooting

## Files Modified

- coev/coswid_evidence.go: Added Valid() methods for evidence structures
- coev/coswidtriple.go: Enhanced CoSWIDTriple validation
- cots/abbreviated_swid_tag.go: Added evidence validation to SWID tags
- go.mod: Updated SWID dependency to version with Valid() methods

## Files Added

- coev/coswid_evidence_test.go: Comprehensive evidence validation tests
- cots/abbreviated_swid_evidence_test.go: SWID tag evidence validation tests

Implements #212
Related: veraison/swid#23 (done via veraison/swid#45 PR)

Signed-off-by: Sukuna0007Abhi <[email protected]>

Author: Sukuna0007Abhi

coev/coswid_evidence.go

@@ -4,6 +4,7 @@
 package coev
 
 import (
+	"fmt"
 	"github.com/veraison/corim/comid"
 	"github.com/veraison/swid"
 )
@@ -28,3 +29,35 @@ func (o *CoSWIDEvidence) AddCoSWIDEvidenceMap(e *CoSWIDEvidenceMap) *CoSWIDEvide
 	*o = append(*o, *e)
 	return o
 }
+
+// Valid validates the CoSWIDEvidenceMap structure
+func (o CoSWIDEvidenceMap) Valid() error {
+	// Validate TagID if present
+	if o.TagID != nil {
+		if err := o.TagID.Valid(); err != nil {
+			return fmt.Errorf("tagId validation failed: %w", err)
+		}
+	}
+
+	// Validate Evidence using the swid.Evidence.Valid() method
+	if err := o.Evidence.Valid(); err != nil {
+		return fmt.Errorf("evidence validation failed: %w", err)
+	}
+
+	return nil
+}
+
+// Valid validates all CoSWIDEvidenceMap entries in the CoSWIDEvidence slice
+func (o CoSWIDEvidence) Valid() error {
+	if len(o) == 0 {
+		return fmt.Errorf("no evidence entries to validate")
+	}
+
+	for i, evidenceMap := range o {
+		if err := evidenceMap.Valid(); err != nil {
+			return fmt.Errorf("evidence[%d] validation failed: %w", i, err)
+		}
+	}
+
+	return nil
+}

coev/coswid_evidence_test.go

@@ -0,0 +1,123 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package coev
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/veraison/swid"
+)
+
+func TestCoSWIDEvidenceMap_Valid_Success(t *testing.T) {
+	validDate := time.Date(2023, time.January, 1, 12, 0, 0, 0, time.UTC)
+	
+	evidenceMap := CoSWIDEvidenceMap{
+		Evidence: swid.Evidence{
+			DeviceID: "test-device-123",
+			Date:     validDate,
+		},
+	}
+
+	err := evidenceMap.Valid()
+	assert.NoError(t, err, "Valid evidence map should pass validation")
+}
+
+func TestCoSWIDEvidenceMap_Valid_WithTagID(t *testing.T) {
+	validDate := time.Date(2023, time.January, 1, 12, 0, 0, 0, time.UTC)
+	
+	evidenceMap := CoSWIDEvidenceMap{
+		TagID: swid.NewTagID("test-tag-id"),
+		Evidence: swid.Evidence{
+			DeviceID: "test-device-123",
+			Date:     validDate,
+		},
+	}
+
+	err := evidenceMap.Valid()
+	assert.NoError(t, err, "Valid evidence map with TagID should pass validation")
+}
+
+func TestCoSWIDEvidenceMap_Valid_InvalidEvidence(t *testing.T) {
+	evidenceMap := CoSWIDEvidenceMap{
+		Evidence: swid.Evidence{
+			// Missing required DeviceID and Date
+		},
+	}
+
+	err := evidenceMap.Valid()
+	assert.Error(t, err, "Invalid evidence should fail validation")
+	assert.Contains(t, err.Error(), "evidence validation failed")
+}
+
+func TestCoSWIDEvidenceMap_Valid_InvalidTagID(t *testing.T) {
+	validDate := time.Date(2023, time.January, 1, 12, 0, 0, 0, time.UTC)
+	emptyTagID := &swid.TagID{} // Empty TagID - should be invalid
+	
+	evidenceMap := CoSWIDEvidenceMap{
+		TagID: emptyTagID,
+		Evidence: swid.Evidence{
+			DeviceID: "test-device-123",
+			Date:     validDate,
+		},
+	}
+
+	err := evidenceMap.Valid()
+	assert.Error(t, err, "Invalid TagID should fail validation")
+	assert.Contains(t, err.Error(), "tagId validation failed")
+}
+
+func TestCoSWIDEvidence_Valid_Success(t *testing.T) {
+	validDate := time.Date(2023, time.January, 1, 12, 0, 0, 0, time.UTC)
+	
+	evidence := CoSWIDEvidence{
+		CoSWIDEvidenceMap{
+			Evidence: swid.Evidence{
+				DeviceID: "test-device-1",
+				Date:     validDate,
+			},
+		},
+		CoSWIDEvidenceMap{
+			Evidence: swid.Evidence{
+				DeviceID: "test-device-2",
+				Date:     validDate,
+			},
+		},
+	}
+
+	err := evidence.Valid()
+	assert.NoError(t, err, "Valid evidence slice should pass validation")
+}
+
+func TestCoSWIDEvidence_Valid_EmptySlice(t *testing.T) {
+	evidence := CoSWIDEvidence{}
+
+	err := evidence.Valid()
+	assert.Error(t, err, "Empty evidence slice should fail validation")
+	assert.Contains(t, err.Error(), "no evidence entries to validate")
+}
+
+func TestCoSWIDEvidence_Valid_InvalidEntry(t *testing.T) {
+	validDate := time.Date(2023, time.January, 1, 12, 0, 0, 0, time.UTC)
+	
+	evidence := CoSWIDEvidence{
+		CoSWIDEvidenceMap{
+			Evidence: swid.Evidence{
+				DeviceID: "test-device-1",
+				Date:     validDate,
+			},
+		},
+		CoSWIDEvidenceMap{
+			Evidence: swid.Evidence{
+				// Missing required DeviceID - should fail
+				Date: validDate,
+			},
+		},
+	}
+
+	err := evidence.Valid()
+	assert.Error(t, err, "Evidence slice with invalid entry should fail validation")
+	assert.Contains(t, err.Error(), "evidence[1] validation failed")
+}

coev/coswidtriple.go

@@ -56,6 +56,12 @@ func (o CoSWIDTriple) Valid() error {
 	if len(o.Evidence) == 0 {
 		return errors.New("no evidence entry in the CoSWIDTriple")
 	}
+
+	// Validate Evidence entries using the new Valid() method
+	if err := o.Evidence.Valid(); err != nil {
+		return fmt.Errorf("evidence validation failed: %w", err)
+	}
+
 	return nil
 }
 

cots/abbreviated_swid_evidence_test.go

@@ -0,0 +1,77 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package cots
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/veraison/swid"
+)
+
+func TestAbbreviatedSwidTag_Valid_WithEvidence_Success(t *testing.T) {
+	validDate := time.Date(2023, time.January, 1, 12, 0, 0, 0, time.UTC)
+	
+	tag, err := NewTag("test-tag-id", "Test Software", "1.0.0")
+	assert.NoError(t, err)
+
+	// Add required entity
+	entity := swid.Entity{
+		EntityName: "Test Inc.",
+	}
+	err = entity.SetRoles(swid.RoleTagCreator)
+	assert.NoError(t, err)
+	tag.Entities = append(tag.Entities, entity)
+
+	// Add valid Evidence
+	evidence := &swid.Evidence{
+		DeviceID: "test-device-123",
+		Date:     validDate,
+	}
+	tag.Evidence = evidence
+
+	err = tag.Valid()
+	assert.NoError(t, err, "Tag with valid Evidence should pass validation")
+}
+
+func TestAbbreviatedSwidTag_Valid_WithInvalidEvidence(t *testing.T) {
+	tag, err := NewTag("test-tag-id", "Test Software", "1.0.0")
+	assert.NoError(t, err)
+
+	// Add required entity
+	entity := swid.Entity{
+		EntityName: "Test Inc.",
+	}
+	err = entity.SetRoles(swid.RoleTagCreator)
+	assert.NoError(t, err)
+	tag.Entities = append(tag.Entities, entity)
+
+	// Add invalid Evidence (missing required fields)
+	evidence := &swid.Evidence{
+		// Missing DeviceID and Date
+	}
+	tag.Evidence = evidence
+
+	err = tag.Valid()
+	assert.Error(t, err, "Tag with invalid Evidence should fail validation")
+	assert.Contains(t, err.Error(), "evidence validation failed")
+}
+
+func TestAbbreviatedSwidTag_Valid_WithoutEvidence(t *testing.T) {
+	tag, err := NewTag("test-tag-id", "Test Software", "1.0.0")
+	assert.NoError(t, err)
+
+	// Add required entity
+	entity := swid.Entity{
+		EntityName: "Test Inc.",
+	}
+	err = entity.SetRoles(swid.RoleTagCreator)
+	assert.NoError(t, err)
+	tag.Entities = append(tag.Entities, entity)
+
+	// Evidence is nil - should still pass validation
+	err = tag.Valid()
+	assert.NoError(t, err, "Tag without Evidence should pass validation")
+}

cots/abbreviated_swid_tag.go

@@ -163,6 +163,14 @@ func (t AbbreviatedSwidTag) Valid() error {
 	if len(t.Entities) == 0 || t.Entities == nil {
 		return fmt.Errorf("no entities present, must have at least 1 entity")
 	}
+
+	// Validate Evidence field if present
+	if t.Evidence != nil {
+		if err := t.Evidence.Valid(); err != nil {
+			return fmt.Errorf("evidence validation failed: %w", err)
+		}
+	}
+
 	return nil
 }
 

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/veraison/cmw v0.2.0
 	github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff
 	github.com/veraison/go-cose v1.2.1
-	github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca
+	github.com/veraison/swid v1.1.0
 )
 
 require (
@@ -35,3 +35,5 @@ require (
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/veraison/swid => github.com/Sukuna0007Abhi/swid v0.0.0-20250925122336-8afdc02a02bd

go.sum

@@ -1,5 +1,7 @@
 fortio.org/safecast v1.0.0 h1:dr3131WPX8iS1pTf76+39WeXbTrerDYLvi9s7Oi3wiY=
 fortio.org/safecast v1.0.0/go.mod h1:xZmcPk3vi4kuUFf+tq4SvnlVdwViqf6ZSZl91Jr9Jdg=
+github.com/Sukuna0007Abhi/swid v0.0.0-20250925122336-8afdc02a02bd h1:OkZZFlwgYDiZ33QEbqXHutScfJ5T0uYzAMTsfJDE3gs=
+github.com/Sukuna0007Abhi/swid v0.0.0-20250925122336-8afdc02a02bd/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -48,8 +50,6 @@ github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff h1:r6I2eJL/z8dp5flsQI
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
 github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc=
 github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8=
-github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca h1:osmCKwWO/xM68Kz+rIXio1DNzEY2NdJOpGpoy5r8NlE=
-github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=