From adb75ab77d0702287628e1b0764056ae9f371ca8 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Sun, 3 Oct 2021 00:21:51 -0500
Subject: [PATCH 01/26] #38 - Added initial support for vulnerabilities as part of core spec. Based on work by @garethr.
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 280 ++++++++++++++++++
 .../1.4/valid-vulnerability-1.4.json | 90 ++++++
 2 files changed, 370 insertions(+)
 create mode 100644 tools/src/test/resources/1.4/valid-vulnerability-1.4.json
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 9c77d9c9..e4b794ef 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -85,6 +85,14 @@
 "uniqueItems": true,
 "title": "Compositions",
 "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness."
+ },
+ "vulnerabilities": {
+ "$id": "#/properties/vulnerabilities",
+ "type": "array",
+ "items": {"$ref": "#/definitions/vulnerability"},
+ "uniqueItems": true,
+ "title": "Vulnerabilities",
+ "description": "Vulnerabilities identified in components or services."
 }
 },
 "definitions": {
@@ -1074,6 +1082,278 @@
 "description": "The value of the property."
 }
 }
+ },
+ "advisory": {
+ "type": "object",
+ "title": "Advisory",
+ "description": "Location of additional advisory information.",
+ "required": ["url"],
+ "additionalProperties": false,
+ "properties": {
+ "title": {
+ "type": "string"
+ },
+ "url": {
+ "type": "string",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "cwe": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CWE",
+ "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"
+ },
+ "severity": {
+ "type": "string",
+ "title": "Severity",
+ "description": "Textual representation of the severity of the vulnerability adopted by the risk analysis method. If an other risk analysis method is used other than whats defined in scoreSourceType, the user is expected to translate appropriately to match with an element value below.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "none",
+ "unknown"
+ ]
+ },
+ "scoreMethod": {
+ "type": "string",
+ "title": "method",
+ "description": "Specifies the risk scoring methodology/standard used.",
+ "enum": [
+ "CVSSv2",
+ "CVSSv3",
+ "CVSSv31",
+ "OWASP",
+ "Other"
+ ]
+ },
+ "impactAnalysisState": {
+ "type": "string",
+ "title": "Impact Analysis State",
+ "description": "Textual representation of the state of the impact analysis.",
+ "enum": [
+ "exploitable",
+ "in_triage",
+ "false_positive",
+ "not_affected",
+ "not_set"
+ ]
+ },
+ "rating": {
+ "type": "object",
+ "title": "Rating",
+ "description": "Defines the risk ratings of a vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ },
+ "score": {
+ "type": "number",
+ "title": "Score",
+ "description": "The numerical score of the rating."
+ },
+ "severity": {
+ "$ref": "#/definitions/severity"
+ },
+ "method": {
+ "$ref": "#/definitions/scoreMethod"
+ },
+ "vector": {
+ "type": "string",
+ "title": "Vector",
+ "description": "Textual representation of the metric values used to score the vulnerability"
+ },
+ "justification": {
+ "type": "string",
+ "title": "Justification",
+ "description": "An optional reason for rating the vulnerability as it was"
+ }
+ }
+ },
+ "vulnerabilitySource": {
+ "type": "object",
+ "title": "Source",
+ "description": "The source of the vulnerability where it is documented. Usually the name of the organization publishing vulnerability information",
+ "additionalProperties": false,
+ "properties": {
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The url of the vulnerability documentation as provided by the source.",
+ "examples": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2019-15842"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the source.",
+ "examples": [
+ "NVD",
+ "National Vulnerability Database",
+ "OSS Index",
+ "VulnDB",
+ "NPM Advisories"
+ ]
+ }
+ }
+ },
+ "vulnerability": {
+ "type": "object",
+ "title": "Vulnerability",
+ "description": "Defines the structure of a vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "type": "string",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref should be unique."
+ },
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The id of the vulnerability as defined by the risk scoring methodology. For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)"
+ },
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ },
+ "references": {
+ "type": "array",
+ "title": "References",
+ "description": "",
+ "additionalItems": false,
+ "items": {
+ "required": [
+ "id",
+ "source"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The id of the vulnerability as defined by the risk scoring methodology. For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)"
+ },
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ }
+ }
+ }
+ },
+ "ratings": {
+ "type": "array",
+ "title": "Ratings",
+ "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
+ "items": {
+ "$ref": "#/definitions/rating"
+ }
+ },
+ "cwes": {
+ "type": "array",
+ "title": "CWEs",
+ "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)",
+ "items": {
+ "$ref": "#/definitions/cwe"
+ }
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the vulnerability as provided by the source."
+ },
+ "detail": {
+ "type": "string",
+ "title": "Details",
+ "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause."
+ },
+ "recommendation": {
+ "type": "string",
+ "title": "Details",
+ "description": "Recommendations of how the vulnerability can be remediated or mitigated."
+ },
+ "advisories": {
+ "type": "array",
+ "title": "Advisories",
+ "description": "Published advisories of the vulnerability if provided.",
+ "items": {
+ "$ref": "#/definitions/advisory"
+ }
+ },
+ "created": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Created",
+ "description": "The date and time (timestamp) when the vulnerability was created."
+ },
+ "published": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Published",
+ "description": "The date and time (timestamp) when the vulnerability was first published."
+ },
+ "updated": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Updated",
+ "description": "The date and time (timestamp) when the vulnerability was last updated."
+ },
+ "credits": {
+ "type": "string",
+ "title": "Credits",
+ "description": "Individuals or organizations credited by with the discovery of the vulnerability."
+ },
+ "tools": {
+ "type": "array",
+ "title": "Creation Tools",
+ "description": "The tool(s) used in the creation of the BOM.",
+ "items": {"$ref": "#/definitions/tool"}
+ },
+ "analysis": {
+ "type": "object",
+ "title": "Impact Analysis",
+ "description": "An assessment of the impact and exploitability of the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "state": {
+ "$ref": "#/definitions/impactAnalysisState"
+ },
+ "impact": {
+ "type": "string",
+ "title": "Impact",
+ "description": "A description of the impact."
+ },
+ "detail": {
+ "type": "string",
+ "title": "Detail",
+ "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."
+ }
+ }
+ },
+ "affects": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "Affects",
+ "description": "The bom-ref identifiers of the components or services that are affected by the vulnerability."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ }
+ }
 }
 }
 }
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
new file mode 100644
index 00000000..8880fb46
--- /dev/null
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
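Review bot: `references.items` in this hunk declares `required`, `properties` and `additionalProperties` but no `"type": "object"`, and JSON Schema ignores all three keywords for non-object instances, so `"references": ["CVE-2018-7489"]` validates against this strict schema; add `"type": "object",` to the item schema. The same omission recurs in the `affects.items` object added by PATCH 04 and the `versions.items` object added by PATCH 11 (only `changes.items` there sets a type). Two copy-paste slips sit in the same hunk: `recommendation` carries `"title": "Details"`, and `tools` carries `"description": "The tool(s) used in the creation of the BOM."`, which in a vulnerability context presumably means the tools that identified or analysed the vulnerability. Also `advisory.url` uses `"format": "iri-reference"`, which admits relative references with no base to resolve them against, while `vulnerabilitySource.url` has no `format` at all; `"format": "iri"` on both would make the two URL contracts consistent.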
@@ -0,0 +1,90 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9",
+ "type": "library",
+ "group": "com.fasterxml.jackson.core",
+ "name": "jackson-databind",
+ "version": "2.9.9",
+ "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"
+ }
+ ],
+ "vulnerabilities": [
+ {
+ "bom-ref": "6eee14da-8f42-4cc4-bb65-203235f02415",
+ "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111",
+ "source": {
+ "name": "Snyk",
+ "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+ },
+ "references": [
+ {
+ "id": "CVE-2018-7489",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
+ }
+ }
+ ],
+ "ratings": [
+ {
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
+ },
+ "score": 9.8,
+ "severity": "Critical",
+ "method": "CVSSv3",
+ "vector": "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "justification": "An optional reason for rating the vulnerability as it was"
+ }
+ ],
+ "cwes": [
+ 184,
+ 502
+ ],
+ "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
+ "details": "",
+ "remediation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
+ "advisories": [
+ {
+ "title": "GitHub Commit",
+ "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
+ },
+ {
+ "title": "GitHub Issue",
+ "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
+ }
+ ],
+ "created": "2021-01-01T00:00:00.000Z",
+ "published": "2021-01-01T00:00:00.000Z",
+ "updated": "2021-01-01T00:00:00.000Z",
+ "credits": "",
+ "tools": [
+ {
+ "vendor": "Snyk",
+ "name": "Snyk CLI (Linux)",
+ "version": "1.729.0",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+ }
+ ]
+ }
+ ],
+ "analysis": {
+ "state": "Exploitable",
+ "impact": "",
+ "details": ""
+ },
+ "affects": [
+ "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From 173b781583fa2c476d90c3bd60e101141e3f7fce Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Sun, 3 Oct 2021 00:56:16 -0500
Subject: [PATCH 02/26] Corrected issues preventing validation
---
 .../test/resources/1.4/valid-vulnerability-1.4.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
index 8880fb46..adc9ed55 100644
--- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
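Review bot: The `references` entry pairs `"id": "CVE-2018-7489"` with an NVD URL for `CVE-2019-9997`, so the first published example of cross-source correlation points at a different vulnerability than the one it names; the URL should read `"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"`. The fixture also lists `jackson-databind@2.9.9` under `affects` while its own `description` says the flaw is fixed from 2.9.5 on, so the sample asserts a finding against a version its text says is not affected. Fixtures like this get copied as templates, so the ids, URLs and versions in them should be mutually consistent even though the schema cannot check that.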
@@ -37,7 +37,7 @@
 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
 },
 "score": 9.8,
- "severity": "Critical",
+ "severity": "critical",
 "method": "CVSSv3",
 "vector": "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
 "justification": "An optional reason for rating the vulnerability as it was"
@@ -48,8 +48,8 @@
 502
 ],
 "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
- "details": "",
- "remediation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
+ "detail": "",
+ "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
 "advisories": [
 {
 "title": "GitHub Commit",
@@ -78,9 +78,9 @@
 }
 ],
 "analysis": {
- "state": "Exploitable",
+ "state": "exploitable",
 "impact": "",
- "details": ""
+ "detail": ""
 },
 "affects": [
 "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"
From a04e72f06bb2b52b476f45cfce1c640f5aa3dbfb Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Mon, 4 Oct 2021 22:55:56 -0500
Subject: [PATCH 03/26] Clarified description of when the vulnerability was created per https://github.com/CycloneDX/specification/pull/91#discussion_r721860406
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index e4b794ef..2e6b822d 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
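Review bot: `"vector": "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"` on the context line of the first hunk is left as is while the case of `severity` is corrected; the first metric is truncated (`AV:N` became `AN`) and a CVSS v3.0 vector string carries a `CVSS:3.0/` prefix, so a consumer that parses the vector to recompute or verify the 9.8 score will reject this entry. The calculator URL three lines above already holds the correct metrics: `"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"`. Nothing in the schema constrains `vector` beyond `type: string`, so fixtures are the only place a malformed vector gets noticed.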
@@ -1290,19 +1290,19 @@
 "type": "string",
 "format": "date-time",
 "title": "Created",
- "description": "The date and time (timestamp) when the vulnerability was created."
+ "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database."
 },
 "published": {
 "type": "string",
 "format": "date-time",
 "title": "Published",
- "description": "The date and time (timestamp) when the vulnerability was first published."
+ "description": "The date and time (timestamp) when the vulnerability record was first published."
 },
 "updated": {
 "type": "string",
 "format": "date-time",
 "title": "Updated",
- "description": "The date and time (timestamp) when the vulnerability was last updated."
+ "description": "The date and time (timestamp) when the vulnerability record was last updated."
 },
 "credits": {
 "type": "string",
From 821fdfa4d60ab17bdc563676f4f318dbf619d645 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Fri, 15 Oct 2021 16:38:53 -0500
Subject: [PATCH 04/26] Refactored 'affects' by incorporating ranges and versions into individual objects that require a ref.
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 39 +++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 2e6b822d..efef1414 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -1339,8 +1339,30 @@
 "affects": {
 "type": "array",
 "uniqueItems": true,
+ "additionalItems": false,
 "items": {
- "type": "string"
+ "required": [
+ "ref"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "type": "string",
+ "title": "Reference",
+ "description": "References a component or services by the object bom-ref"
+ },
+ "ranges": {
+ "$ref": "#/definitions/versionRangeArray"
+ },
+ "versions": {
+ "type": "array",
+ "title": "Versions",
+ "description": "Zero or more individual versions. Version can be combined with ranges.",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
 },
 "title": "Affects",
 "description": "The bom-ref identifiers of the components or services that are affected by the vulnerability."
@@ -1354,6 +1376,21 @@
 }
 }
 }
+ },
+ "versionRangeArray": {
+ "type": "array",
+ "title": "Ranges",
+ "description": "Zero or more version ranges",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/versionRange"
+ }
+ },
+ "versionRange": {
+ "type": "string",
+ "title": "Range",
+ "description": "A simplified version range specification derived from node-semver. A version range is a set of comparators which specify versions that satisfy the range. A comparator is composed of an operator and a version. The set of primitive operators is: < Less than, <= Less than or equal to, > Greater than, >= Greater than or equal to, and = Equal. If no operator is specified, then equality is assumed, so this operator is optional, but MAY be included. Comparators can be joined by whitespace to form a comparator set. Only a single comparator set is allowed per range specified in the BOM. No further node-semver syntax is supported. Semver 2.0 and higher is required.",
+ "examples": [ ">=1.2.7 <1.3.0", ">=1.2.7" ]
 }
 }
 }
From df947e91edd6c8b37f0f6a5672834424c0240c33 Mon Sep 17 00:00:00 2001
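Review bot: The `affects` description in the first hunk still reads `"The bom-ref identifiers of the components or services that are affected by the vulnerability."` although the items are now objects carrying `ref`, `ranges` and `versions`; something like `"The components or services affected by the vulnerability, each identified by bom-ref together with the affected versions and ranges."` would match the new shape. `"additionalItems": false` on `affects` and on `versionRangeArray` has no effect when `items` is a single schema rather than a tuple, so it reads as a constraint that is not actually there. The `ref` description could also state that the value must resolve to a `bom-ref` declared in the same BOM, since JSON Schema cannot check that and consumers need to know to reject dangling references rather than silently ignore them.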
From: Steve Springett
Date: Fri, 15 Oct 2021 16:39:13 -0500
Subject: [PATCH 05/26] Refactored 'affects' by incorporating ranges and versions into individual objects that require a ref.
Signed-off-by: Steve Springett
---
 .../test/resources/1.4/valid-vulnerability-1.4.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
index adc9ed55..bfe5c2be 100644
--- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
@@ -83,7 +83,15 @@
 "detail": ""
 },
 "affects": [
- "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"
+ {
+ "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9",
+ "ranges": [
+ "<2.6.7.5",
+ "2.8.0 >= 2.8.11.0",
+ "2.9.0 >= 2.9.4"
+ ],
+ "versions": ["1.0"]
+ }
 ]
 }
 ]
From d2902352bfa7d5539630fd0698d120e33ed278c4 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Fri, 15 Oct 2021 17:02:08 -0500
Subject: [PATCH 06/26] spelling
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index efef1414..d1c44324 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -1349,7 +1349,7 @@
 "ref": {
 "type": "string",
 "title": "Reference",
- "description": "References a component or services by the object bom-ref"
+ "description": "References a component or service by the objects bom-ref"
 },
 "ranges": {
 "$ref": "#/definitions/versionRangeArray"
From b7e37c6f7125d6c5ee2cf03323144fe81608c438 Mon Sep 17 00:00:00 2001
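Review bot: Two of the three `ranges` in the fixture hunk cannot express the intervals the vulnerability `description` gives: under the node-semver-derived syntax defined in PATCH 04 a bare version means equality, so `"2.8.0 >= 2.8.11.0"` is at best the comparator set `=2.8.0 >=2.8.11.0`, which no version satisfies, and `"2.9.0 >= 2.9.4"` has the same problem. The text "2.8.x before 2.8.11.1 and 2.9.x before 2.9.5" corresponds to `">=2.8.0 <2.8.11.1"` and `">=2.9.0 <2.9.5"`. `"versions": ["1.0"]` additionally asserts an affected version the description never mentions; a fixture that exists to validate should also be semantically right, because it is what implementers copy when they build their own output.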
From: Steve Springett
Date: Fri, 12 Nov 2021 00:17:42 -0600
Subject: [PATCH 07/26] Added not_affected justifications based on discussion https://github.com/CycloneDX/specification/pull/91#discussion_r744877510
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 19 +++++++++++++++++++
 .../1.4/valid-vulnerability-1.4.json | 3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index d1c44324..2f86f5b3 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -1142,6 +1142,22 @@
 "not_set"
 ]
 },
+ "impactAnalysisJustification": {
+ "type": "string",
+ "title": "Impact Analysis Justification",
+ "description": "The rationale of why the impact analysis state was asserted. code_not_present = the code has been removed, tree-shaked. code_not_reachable = the vulnerable code is not invoked at runtime. requires_configuration = exploitability requires a configurable option to be set/unset. requires_dependency = exploitability requires a dependency that is not present. requires_environment = exploitability requires a certain environment which is not present. protected_by_compiler = exploitability requires a compiler flag to be set/unset. protected_at_runtime = exploits are prevented at runtime. protected_at_perimeter = attacks are blocked at physical, logical, or network perimeter. protected_by_mitigating_control = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.",
+ "enum": [
+ "code_not_present",
+ "code_not_reachable",
+ "requires_configuration",
+ "requires_dependency",
+ "requires_environment",
+ "protected_by_compiler",
+ "protected_at_runtime",
+ "protected_at_perimeter",
+ "protected_by_mitigating_control"
+ ]
+ },
 "rating": {
 "type": "object",
 "title": "Rating",
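Review bot: The `impactAnalysisJustification` description does not say whose environment a justification describes, yet values such as `protected_at_perimeter`, `requires_environment` and `protected_by_mitigating_control` hold only for the party that performed the analysis and its own deployment, not for a downstream recipient of the BOM who deploys the same component elsewhere. A sentence such as `Justifications describe the environment of the party asserting the analysis state and are not transferable to other deployments of the component.` would stop consumers from inheriting a `not_affected` verdict they have not verified for themselves.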
@@ -1324,6 +1340,9 @@
 "state": {
 "$ref": "#/definitions/impactAnalysisState"
 },
+ "justification": {
+ "$ref": "#/definitions/impactAnalysisJustification"
+ },
 "impact": {
 "type": "string",
 "title": "Impact",
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
index bfe5c2be..cac56c8f 100644
--- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
@@ -78,7 +78,8 @@
 }
 ],
 "analysis": {
- "state": "exploitable",
+ "state": "not_affected",
+ "justification": "code_not_reachable",
 "impact": "",
 "detail": ""
 },
From f15b46296c3578e15d7c33148803068bb00bba19 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Fri, 12 Nov 2021 00:24:25 -0600
Subject: [PATCH 08/26] Removed not_set as its implied if value is not specified. Added explicit resolved and resolved_with_pedigree. In some cases, it may be necessary to simply state an issue is resolved without providing evidence of the resolution.
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 2f86f5b3..54e32083 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -1133,13 +1133,14 @@
 "impactAnalysisState": {
 "type": "string",
 "title": "Impact Analysis State",
- "description": "Textual representation of the state of the impact analysis.",
+ "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. resolved = the vulnerability has been remediated. resolved_with_pedigree = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). exploitable = the vulnerability may be directly or indirectly exploitable. in_triage = the vulnerability is being investigated. false_positive = the vulnerability is not specific to the component or service and was falsely identified or associated. not_affected = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.",
 "enum": [
+ "resolved",
+ "resolved_with_pedigree",
 "exploitable",
 "in_triage",
 "false_positive",
- "not_affected",
- "not_set"
+ "not_affected"
 ]
 },
 "impactAnalysisJustification": {
From 052e7022f5425b8543678005febc2edfad8ed142 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Wed, 17 Nov 2021 23:27:38 -0600
Subject: [PATCH 09/26] Added description for vulnerability reference
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 54e32083..473c10f5 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
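Review bot: The new description states `Justification should be specified for all not_affected cases`, but nothing in the schema enforces it: `analysis.justification` (added in PATCH 07, outside this hunk) is optional for every state and is equally accepted next to `exploitable` or `resolved`, where it has no defined meaning. If the file declares draft-07 or later, the `analysis` object can carry `"if": {"properties": {"state": {"const": "not_affected"}}, "required": ["state"]}, "then": {"required": ["justification"]}` so that an unjustified `not_affected` fails validation instead of being accepted silently. Dropping `not_set` is reasonable, but the description could say explicitly that an absent `state` means no analysis has been recorded, since that is now the only way to express it.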
@@ -1243,7 +1243,7 @@
 "references": {
 "type": "array",
 "title": "References",
- "description": "",
+ "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have a different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.",
 "additionalItems": false,
 "items": {
 "required": [
From 485456c34b349a030d8e30385008559d902ca3a2 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Wed, 17 Nov 2021 23:29:12 -0600
Subject: [PATCH 10/26] Added description for vulnerability reference
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 473c10f5..4c4d0fab 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -1243,7 +1243,7 @@
 "references": {
 "type": "array",
 "title": "References",
- "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have a different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.",
+ "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.",
 "additionalItems": false,
 "items": {
 "required": [
From 8db5a20be769d4e1e2a7afda1c93576e292ee1b0 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Fri, 19 Nov 2021 17:11:02 -0600
Subject: [PATCH 11/26] Standardizing on version range syntax from CVE v5.0 JSON schema
Signed-off-by: Steve Springett
---
 schema/bom-1.4-strict-SNAPSHOT.schema.json | 83 +++++++++++++++----
 .../1.4/valid-vulnerability-1.4.json | 20 +++-
 2 files changed, 77 insertions(+), 26 deletions(-)
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 4c4d0fab..e13208b8 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -1371,15 +1371,64 @@
 "title": "Reference",
 "description": "References a component or service by the objects bom-ref"
 },
- "ranges": {
- "$ref": "#/definitions/versionRangeArray"
- },
 "versions": {
 "type": "array",
 "title": "Versions",
- "description": "Zero or more individual versions. Version can be combined with ranges.",
+ "description": "Zero or more individual versions or range of versions. This capability derived from the CVE v5.0 schema available from https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json",
 "items": {
- "type": "string"
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/affectedStatus"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. 
For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": ["at", "status"],
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/affectedStatus"
+ }
+ }
+ }
+ }
+ }
+ }
 }
 }
 }
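Review bot: A `versions` entry containing none of `version`, `status` or `versionType` validates, because the item schema at the top of this hunk lists `properties` only: there is no `required`, no `additionalProperties: false` (which the rest of this strict schema sets on every object), and nothing enforcing the "Only one of lessThan and lessThanOrEqual should be specified" rule that both descriptions state. Without `versionType` a consumer cannot evaluate `lessThan` or `lessThanOrEqual` at all, so an `affects` entry can claim a range no tool is able to check. Suggest adding `"required": ["version"]`, `"additionalProperties": false` and `"not": {"required": ["lessThan", "lessThanOrEqual"]}` to the item schema, and a sentence in the `versionType` description saying it is expected whenever `lessThan`, `lessThanOrEqual` or `changes` is present. `changes.items` at the end of the hunk lacks `additionalProperties: false` as well.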
@@ -1397,20 +1446,20 @@ } } }, - "versionRangeArray": { - "type": "array", - "title": "Ranges", - "description": "Zero or more version ranges", - "additionalItems": false, - "items": { - "$ref": "#/definitions/versionRange" - } + "affectedStatus": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ] }, - "versionRange": { + "version": { + "description": "A single version of a component or service, as expressed in its own version numbering scheme.", "type": "string", - "title": "Range", - "description": "A simplified version range specification derived from node-semver. A version range is a set of comparators which specify versions that satisfy the range. A comparator is composed of an operator and a version. The set of primitive operators is: < Less than, <= Less than or equal to, > Greater than, >= Greater than or equal to, and = Equal. If no operator is specified, then equality is assumed, so this operator is optional, but MAY be included. Comparators can be joined by whitespace to form a comparator set. Only a single comparator set is allowed per range specified in the BOM. No further node-semver syntax is supported. Semver 2.0 and higher is required.", - "examples": [ ">=1.2.7 <1.3.0", ">=1.2.7" ] + "minLength": 1, + "maxLength": 1024 } } } diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json index cac56c8f..c0122833 100644 --- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json 
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json @@ -5,12 +5,12 @@ "version": 1, "components": [ { - "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9", + "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4", "type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", - "version": "2.9.9", - "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9" + "version": "2.9.4", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" } ], "vulnerabilities": [ @@ -86,12 +86,14 @@ "affects": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9", - "ranges": [ - "<2.6.7.5", - "2.8.0 >= 2.8.11.0", - "2.9.0 >= 2.9.4" - ], - "versions": ["1.0"] + "versions": [ + { + "version": "2.9.0", + "versionType": "semver", + "lessThanOrEqual": "2.9.4", + "status": "affected" + } + ] } ] } From 35b5bc026cf1c62e9828f0c2a2f8056602ec2246 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 19 Nov 2021 22:34:43 -0600 Subject: [PATCH 12/26] Minor hardening. Added default to affected status as unlike the CVE 5.0 spec, CycloneDX does not support specifying a default. Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index e13208b8..044af199 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json 
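Review bot: After the first hunk renames the component's `bom-ref` and `purl` to `...jackson-databind@2.9.4`, the `affects[0].ref` in the second hunk still reads `"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"`, so the fixture's vulnerability now points at a bom-ref that no longer exists in the document. Schema validation cannot catch this because `ref`-to-`bom-ref` integrity is not expressible in JSON Schema, which is exactly why a "valid" example fixture should model it correctly; change the line to `"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"`. Consumers resolving `affects[].ref` should treat an unresolvable reference as a data error rather than silently dropping the finding.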
@@ -1375,7 +1375,9 @@ "type": "array", "title": "Versions", "description": "Zero or more individual versions or range of versions. This capability derived from the CVE v5.0 schema available from https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json", + "additionalItems": false, "items": { + "additionalProperties": false, "properties": { "version": { "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.", @@ -1383,7 +1385,8 @@ }, "status": { "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.", - "$ref": "#/definitions/affectedStatus" + "$ref": "#/definitions/affectedStatus", + "default": "affected" }, "versionType": { "type": "string", @@ -1412,10 +1415,12 @@ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", "minItems": 1, "uniqueItems": true, + "additionalItems": false, "items": { "type": "object", "description": "The start of a single status change during the range.", "required": ["at", "status"], + "additionalProperties": false, "properties": { "at": { "description": "The version at which a status change occurs.", From d3f0e5013231720adcb208c6dffbe8ce7862f05a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 22 Nov 2021 15:20:01 -0600 Subject: [PATCH 13/26] Documentation updates Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.xsd | 8 +-- schema/bom-1.4-strict-SNAPSHOT.schema.json | 57 +++++++++++++--------- 2 files changed, 38 insertions(+), 27 deletions(-) diff --git a/schema/bom-1.4-SNAPSHOT.xsd b/schema/bom-1.4-SNAPSHOT.xsd index c5ffebb7..27cd6533 100644 --- a/schema/bom-1.4-SNAPSHOT.xsd 
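Review bot: The `"additionalItems": false` added to both `versions` and `changes` is a no-op, because `additionalItems` only applies when `items` is an array of positional schemas; with a single `items` object every element is already validated against it. The same no-op is repeated on the `organizations` and `individuals` arrays of the later credits patch. What the hardening actually needs is `"type": "object"` on the `versions` item, since `additionalProperties: false` constrains only objects and a non-object element is still accepted. Also note that `default` is annotation-only in JSON Schema, so the fallback to `affected` has to be implemented in consuming code and must not be assumed from validation.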
+++ b/schema/bom-1.4-SNAPSHOT.xsd @@ -138,22 +138,22 @@ limitations under the License. - Specifies a tool (manual or automated). + Information about the automated or manual tool used - The vendor of the tool used to create the BOM. + The name of the vendor who created the tool - The name of the tool used to create the BOM. + The name of the tool - The version of the tool used to create the BOM. + The version of the tool diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index 044af199..86812074 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json @@ -150,23 +150,23 @@ "tool": { "type": "object", "title": "Tool", - "description": "The tool used to create the BOM.", + "description": "Information about the automated or manual tool used", "additionalProperties": false, "properties": { "vendor": { "type": "string", "title": "Tool Vendor", - "description": "The date and time (timestamp) when the document was created." + "description": "The name of the vendor who created the tool" }, "name": { "type": "string", "title": "Tool Name", - "description": "The date and time (timestamp) when the document was created." + "description": "The name of the tool" }, "version": { "type": "string", "title": "Tool Version", - "description": "The date and time (timestamp) when the document was created." + "description": "The version of the tool" }, "hashes": { "$id": "#/properties/hashes", @@ -271,7 +271,7 @@ "bom-ref": { "type": "string", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique." + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, "supplier": { "title": "Component Supplier", 
@@ -880,7 +880,7 @@ "bom-ref": { "type": "string", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique." + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, "provider": { "title": "Provider", @@ -1086,7 +1086,7 @@ "advisory": { "type": "object", "title": "Advisory", - "description": "Location of additional advisory information.", + "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.", "required": ["url"], "additionalProperties": false, "properties": { @@ -1108,7 +1108,7 @@ "severity": { "type": "string", "title": "Severity", - "description": "Textual representation of the severity of the vulnerability adopted by the risk analysis method. If an other risk analysis method is used other than whats defined in scoreSourceType, the user is expected to translate appropriately to match with an element value below.", + "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.", "enum": [ "critical", "high", 
@@ -1120,20 +1120,20 @@ }, "scoreMethod": { "type": "string", - "title": "method", - "description": "Specifies the risk scoring methodology/standard used.", + "title": "Method", + "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)", "enum": [ "CVSSv2", "CVSSv3", "CVSSv31", "OWASP", - "Other" + "other" ] }, "impactAnalysisState": { "type": "string", "title": "Impact Analysis State", - "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. resolved = the vulnerability has been remediated. resolved_with_pedigree = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). exploitable = the vulnerability may be directly or indirectly exploitable. in_triage = the vulnerability is being investigated. false_positive = the vulnerability is not specific to the component or service and was falsely identified or associated. not_affected = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). 
\n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.", "enum": [ "resolved", "resolved_with_pedigree", 
@@ -1146,7 +1146,7 @@ "impactAnalysisJustification": { "type": "string", "title": "Impact Analysis Justification", - "description": "The rationale of why the impact analysis state was asserted. code_not_present = the code has been removed, tree-shaked. code_not_reachable = the vulnerable code is not invoked at runtime. requires_configuration = exploitability requires a configurable option to be set/unset. requires_dependency = exploitability requires a dependency that is not present. requires_environment = exploitability requires a certain environment which is not present. protected_by_compiler = exploitability requires a compiler flag to be set/unset. protected_at_runtime = exploits are prevented at runtime. protected_at_perimeter = attacks are blocked at physical, logical, or network perimeter. protected_by_mitigating_control = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.", + "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.", "enum": [ "code_not_present", "code_not_reachable", 
@@ -1162,7 +1162,7 @@ "rating": { "type": "object", "title": "Rating", - "description": "Defines the risk ratings of a vulnerability.", + "description": "Defines the severity or risk ratings of a vulnerability.", "additionalProperties": false, "properties": { "source": { @@ -1195,7 +1195,7 @@ "vulnerabilitySource": { "type": "object", "title": "Source", - "description": "The source of the vulnerability where it is documented. Usually the name of the organization publishing vulnerability information", + "description": "The source of vulnerability information. This is often the organization that published the vulnerability.", "additionalProperties": false, "properties": { "url": { @@ -1203,7 +1203,7 @@ "title": "URL", "description": "The url of the vulnerability documentation as provided by the source.", "examples": [ - "https://nvd.nist.gov/vuln/detail/CVE-2019-15842" + "https://nvd.nist.gov/vuln/detail/CVE-2021-39182" ] }, "name": { @@ -1215,7 +1215,7 @@ "National Vulnerability Database", "OSS Index", "VulnDB", - "NPM Advisories" + "GitHub Advisories" ] } } 
@@ -1223,18 +1223,23 @@ "vulnerability": { "type": "object", "title": "Vulnerability", - "description": "Defines the structure of a vulnerability.", + "description": "Defines a weakness in an component or service that could be exploited or triggered by a threat source.", "additionalProperties": false, "properties": { "bom-ref": { "type": "string", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref should be unique." + "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, "id": { "type": "string", "title": "ID", - "description": "The id of the vulnerability as defined by the risk scoring methodology. For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)" + "description": "The identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] }, "source": { "$ref": "#/definitions/vulnerabilitySource", @@ -1255,7 +1260,12 @@ "id": { "type": "string", "title": "ID", - "description": "The id of the vulnerability as defined by the risk scoring methodology. For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)" + "description": "An identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] }, "source": { "$ref": "#/definitions/vulnerabilitySource", @@ -1276,6 +1286,7 @@ "type": "array", "title": "CWEs", "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", + "examples": ["399"], "items": { "$ref": "#/definitions/cwe" } 
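Review bot: The `cwes` example `"examples": ["399"]` is a string, but the array's `items` reference `#/definitions/cwe`, which is declared as an integer with `minimum: 1` (that definition is outside this hunk); a producer copying the example emits a document that fails validation. Use `"examples": [399]`. The two `id` properties gain `examples` but no `minLength`, so an empty identifier still validates even though the description says it "uniquely identifies the vulnerability"; `"minLength": 1` would match the constraint used on `version`.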
@@ -1324,12 +1335,12 @@ "credits": { "type": "string", "title": "Credits", - "description": "Individuals or organizations credited by with the discovery of the vulnerability." + "description": "Individuals or organizations credited with the discovery of the vulnerability." }, "tools": { "type": "array", "title": "Creation Tools", - "description": "The tool(s) used in the creation of the BOM.", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", "items": {"$ref": "#/definitions/tool"} }, "analysis": { From dcad6efd74dbc8c21db563e5997a0e50e837b746 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 22 Nov 2021 15:45:25 -0600 Subject: [PATCH 14/26] Added info to severity Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index 86812074..52e0e4b5 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json @@ -1114,6 +1114,7 @@ "high", "medium", "low", + "info", "none", "unknown" ] From 6c62cc6628f424b5e6a12ccf0eade0dc6488bb93 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 22 Nov 2021 16:38:23 -0600 Subject: [PATCH 15/26] Documentation updates Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index 52e0e4b5..4f46aa01 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json 
@@ -1091,11 +1091,15 @@ "additionalProperties": false, "properties": { "title": { - "type": "string" + "type": "string", + "title": "Title", + "description": "An optional name of the advisory." }, "url": { "type": "string", - "format": "iri-reference" + "title": "URL", + "format": "iri-reference", + "description": "Location where the advisory can be obtained." } } }, @@ -1168,7 +1172,7 @@ "properties": { "source": { "$ref": "#/definitions/vulnerabilitySource", - "description": "The source that published the vulnerability." + "description": "The source that calculated the severity or risk rating of the vulnerability." }, "score": { "type": "number", @@ -1278,7 +1282,7 @@ "ratings": { "type": "array", "title": "Ratings", - "description": "List of the vulnerability ratings as defined by various risk rating methodologies.", + "description": "List of the vulnerability ratings", "items": { "$ref": "#/definitions/rating" } @@ -1386,7 +1390,7 @@ "versions": { "type": "array", "title": "Versions", - "description": "Zero or more individual versions or range of versions. This capability derived from the CVE v5.0 schema available from https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json", + "description": "Zero or more individual versions or range of versions. This capability derived from the [CVE v5.0 schema](https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json) available under the CC0-1.0 License.", "additionalItems": false, "items": { "additionalProperties": false, From 0ac6b8726d1c1de5f89feeb5d3d353b717b2c312 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 6 Dec 2021 20:59:16 -0600 Subject: [PATCH 16/26] #91 - Added analysis (vendor) response Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 18 ++++++++++++++---- .../resources/1.4/valid-vulnerability-1.4.json | 2 +- 2 files changed, 15 insertions(+), 5 deletions(-) 
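Review bot: The new `url` description, "Location where the advisory can be obtained", promises more than `"format": "iri-reference"` guarantees: that format admits relative references and any scheme, so a valid value need not be a resolvable absolute location. If an absolute location is intended, `"format": "iri"` is the closer fit, and the description could say so, e.g. `"description": "Absolute location (IRI) where the advisory can be obtained."`. Consumers that render or fetch `advisories[].url` from BOMs they did not produce should in any case allowlist schemes before dereferencing, since the schema does not restrict them.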
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index 4f46aa01..f29c2bff 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json @@ -1360,10 +1360,20 @@ "justification": { "$ref": "#/definitions/impactAnalysisJustification" }, - "impact": { - "type": "string", - "title": "Impact", - "description": "A description of the impact." + "response": { + "type": "array", + "title": "Response", + "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.", + "items": { + "type": "string", + "enum": [ + "can_not_fix", + "will_not_fix", + "update", + "rollback", + "workaround_available" + ] + } }, "detail": { "type": "string", diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json index c0122833..aee6b20b 100644 --- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json +++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json @@ -80,7 +80,7 @@ "analysis": { "state": "not_affected", "justification": "code_not_reachable", - "impact": "", + "response": ["will_not_fix", "update"], "detail": "" }, "affects": [ From b42bbca0ba3196c5c4ae204155b6352f85970cc5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 6 Dec 2021 21:19:29 -0600 Subject: [PATCH 17/26] #91 - Changed credits from a string to structured data supporting an array of organizations and individuals. Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 25 +++++++++++++++++-- .../1.4/valid-vulnerability-1.4.json | 17 ++++++++++++- 2 files changed, 39 insertions(+), 3 deletions(-) 
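Review bot: The new `response` array lacks `"uniqueItems": true`, unlike `vulnerabilities` and the former `changes` array, so `["update", "update"]` validates; add `"uniqueItems": true` next to `"type": "array"`. In the fixture hunk, pairing `"state": "not_affected"` with `"response": ["will_not_fix", "update"]` reads as contradictory for an example file, since the description says responses are meant for exploitable findings and `update` implies a fix is required; `["will_not_fix"]` alone, or a separate `exploitable` example, would illustrate the field more clearly.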
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index f29c2bff..61e36a51 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json @@ -1338,9 +1338,30 @@ "description": "The date and time (timestamp) when the vulnerability record was last updated." }, "credits": { - "type": "string", + "type": "object", "title": "Credits", - "description": "Individuals or organizations credited with the discovery of the vulnerability." + "description": "Individuals or organizations credited with the discovery of the vulnerability.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The organizations credited with vulnerability discovery.", + "additionalItems": false, + "items": { + "$ref": "#/definitions/organizationalEntity" + } + }, + "individuals": { + "type": "array", + "title": "Individuals", + "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.", + "additionalItems": false, + "items": { + "$ref": "#/definitions/organizationalContact" + } + } + } }, "tools": { "type": "array", diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json index aee6b20b..a24f99b1 100644 --- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json +++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json @@ -63,7 +63,22 @@ "created": "2021-01-01T00:00:00.000Z", "published": "2021-01-01T00:00:00.000Z", "updated": "2021-01-01T00:00:00.000Z", - "credits": "", + "credits": { + "organizations": [ + { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ] + } + ], + "individuals": [ + { + "name": "Acme Distribution", + "email": "distribution@example.com" + } + ] + }, "tools": [ { "vendor": "Snyk", From 9f9f4ca3d301579a92984124898ee26551c21952 Mon Sep 17 00:00:00 2001 
From: Steve Springett Date: Sun, 12 Dec 2021 18:00:59 -0600 Subject: [PATCH 18/26] Migrated from version range syntax defined in CVE 5.0 Schema to Package URL version range syntax, which is compatible with CVE 5.0 and OSV syntax. Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 71 ++++++------------- .../1.4/valid-vulnerability-1.4.json | 18 +++-- 2 files changed, 34 insertions(+), 55 deletions(-) diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index 61e36a51..68aad95e 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json 
@@ -1421,64 +1421,31 @@ "versions": { "type": "array", "title": "Versions", - "description": "Zero or more individual versions or range of versions. This capability derived from the [CVE v5.0 schema](https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json) available under the CC0-1.0 License.", + "description": "Zero or more individual versions or range of versions.", "additionalItems": false, "items": { + "oneOf": [ + { + "required": ["version"] + }, + { + "required": ["range"] + } + ], "additionalProperties": false, "properties": { "version": { - "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.", + "description": "A single version of a component or service.", + "$ref": "#/definitions/version" + }, + "range": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", "$ref": "#/definitions/version" }, "status": { - "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.", + "description": "The vulnerability status for the version or range of versions.", "$ref": "#/definitions/affectedStatus", "default": "affected" - }, - "versionType": { - "type": "string", - "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. 
It is included primarily for use in conversion of older data files.", - "minLength": 1, - "maxLength": 128, - "examples": [ - "custom", - "git", - "maven", - "python", - "rpm", - "semver" - ] - }, - "lessThan": { - "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.", - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.", - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", - "minItems": 1, - "uniqueItems": true, - "additionalItems": false, - "items": { - "type": "object", - "description": "The start of a single status change during the range.", - "required": ["at", "status"], - "additionalProperties": false, - "properties": { - "at": { - "description": "The version at which a status change occurs.", - "$ref": "#/definitions/version" - }, - "status": { - "description": "The new status in the range starting at the given version.", - "$ref": "#/definitions/affectedStatus" - } - } - } } } } 
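Review bot: The new `range` property points at `"$ref": "#/definitions/version"` instead of the `range` definition the next hunk introduces, so that definition is dead and any constraint later placed on it will not reach `affects[].versions[].range`. Change the line to `"$ref": "#/definitions/range"`. Since a range is free text of up to 1024 characters, a minimal `"pattern": "^vers:"` on the `range` definition would at least reject the old CVE-5.0-style values, which still validate today, and consumers should parse ranges with a vers-aware library and treat an unparseable range as unknown status rather than as affected or unaffected.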
@@ -1508,7 +1475,13 @@ ] }, "version": { - "description": "A single version of a component or service, as expressed in its own version numbering scheme.", + "description": "A single version of a component or service.", + "type": "string", + "minLength": 1, + "maxLength": 1024 + }, + "range": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", "type": "string", "minLength": 1, "maxLength": 1024 diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json index a24f99b1..c4065f6c 100644 --- a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json +++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json @@ -74,8 +74,8 @@ ], "individuals": [ { - "name": "Acme Distribution", - "email": "distribution@example.com" + "name": "Jane Doe", + "email": "jane.doe@example.com" } ] }, @@ -96,16 +96,22 @@ "state": "not_affected", "justification": "code_not_reachable", "response": ["will_not_fix", "update"], - "detail": "" + "detail": "An optional explanation of why the application is not affected by the vulnerable component." }, "affects": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9", "versions": [ { - "version": "2.9.0", - "versionType": "semver", - "lessThanOrEqual": "2.9.4", + "range": "vers:semver/<2.6.7.5", + "status": "affected" + }, + { + "range": "vers:semver/2.7.0|<2.8.11.1", + "status": "affected" + }, + { + "range": "vers:semver/2.9.0|<2.9.5", "status": "affected" } ] From 5ac797697fc4123d9b19c3d3175164475aab1fa3 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 13 Dec 2021 16:37:45 -0600 Subject: [PATCH 19/26] Minor doc updates Signed-off-by: Steve Springett --- schema/bom-1.4-strict-SNAPSHOT.schema.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
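Review bot: The fixture ranges `vers:semver/2.7.0|<2.8.11.1` and `vers:semver/2.9.0|<2.9.5` probably do not say what is intended: in vers syntax a constraint with no comparator means equality, so each reads as "exactly 2.7.0, or anything below 2.8.11.1", which collapses to the upper bound alone. The lower bounds presumably want `>=`, e.g. `"range": "vers:semver/>=2.9.0|<2.9.5"`. Four-segment versions such as `2.6.7.5` and `2.8.11.1` are also not valid semver, so a strict `vers:semver` parser may reject them; a versioning scheme matching the component's purl type (`maven`) may be the better choice for this example. The `range` definition added in the first hunk is not yet referenced anywhere in the schema, so these fixture values are only checked as non-empty strings.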
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json index 68aad95e..80770426 100644 --- a/schema/bom-1.4-strict-SNAPSHOT.schema.json +++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json @@ -1180,7 +1180,8 @@ "description": "The numerical score of the rating." }, "severity": { - "$ref": "#/definitions/severity" + "$ref": "#/definitions/severity", + "description": "Textual representation of the severity that corresponds to the numerical score of the rating." }, "method": { "$ref": "#/definitions/scoreMethod" @@ -1282,7 +1283,7 @@ "ratings": { "type": "array", "title": "Ratings", - "description": "List of the vulnerability ratings", + "description": "List of vulnerability ratings", "items": { "$ref": "#/definitions/rating" } @@ -1453,7 +1454,7 @@ } }, "title": "Affects", - "description": "The bom-ref identifiers of the components or services that are affected by the vulnerability." + "description": "The components or services that are affected by the vulnerability." }, "properties": { "type": "array", From 1ec2ca4237228459998a2d9de4fa863276529164 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 13 Dec 2021 16:39:50 -0600 Subject: [PATCH 20/26] Added XSD and XML example that are ported from the draft JSON schema. Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.xsd | 594 ++++++++++++++++++ .../resources/1.4/valid-vulnerability-1.4.xml | 121 ++++ 2 files changed, 715 insertions(+) create mode 100644 tools/src/test/resources/1.4/valid-vulnerability-1.4.xml diff --git a/schema/bom-1.4-SNAPSHOT.xsd b/schema/bom-1.4-SNAPSHOT.xsd index 27cd6533..e3bb7f9a 100644 --- a/schema/bom-1.4-SNAPSHOT.xsd +++ b/schema/bom-1.4-SNAPSHOT.xsd 
@@ -1549,6 +1549,595 @@ limitations under the License. + + + + + Defines a weakness in an component or service that could be exploited or triggered by a threat source. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include examples, proof-of-concepts, and other information + useful in understanding root cause. 
+ + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + Individuals or organizations credited with the discovery of the vulnerability. + + + + + + The organizations credited with vulnerability discovery. + + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. + + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. 
+ + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + + + + + + + The vulnerability status for the version or range of versions. + + + + + + + + + + + + + + + + + + + + An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. + + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + An optional reason for rating the vulnerability as it was. + + + + + + + + + + An optional name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + + + + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. 
+ + + + + + + The vulnerability is being investigated. + + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. + + + + + + + The component or service is not affected by the vulnerability. Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. + + + + + + + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/ + + + + + + + The rating is based on CVSS v3.0 standard + https://www.first.org/cvss/v3-0/ + + + + + + + The rating is based on CVSS v3.1 standard + https://www.first.org/cvss/v3-1/ + + + + + + + The rating is based on OWASP Risk Rating + https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + Use this if the risk scoring methodology is not based on any of the options above + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + + + + + + + + + The vulnerability status of a given version or range of versions of a product. The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. 
+ The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. + There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + + + + + @@ -1591,6 +2180,11 @@ limitations under the License. stores, properties support duplicate names, each potentially having different values. + + + Vulnerabilities identified in components or services. + + diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.xml b/tools/src/test/resources/1.4/valid-vulnerability-1.4.xml new file mode 100644 index 00000000..46b4448a --- /dev/null +++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.xml 
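Review bot: The XSD documentation in the `@@ -1549,6 +1549,595 @@` hunk opens with "Defines a weakness in an component or service"; it should read `Defines a weakness in a component or service`. The sentence "The rationale of why the impact analysis state was asserted." appears three times, and the third occurrence sits just before the affected-status type, where the response enumeration appears to be documented — that looks like a copied description and should describe the response values instead. The element markup is stripped in this view, so this review covers the documentation text only.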
@@ -0,0 +1,121 @@ + + + + + com.fasterxml.jackson.core + jackson-databind + 2.9.4 + pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + + + + + SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 + + Snyk + https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 + + + + CVE-2018-7489 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + + CVE-2018-7489 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + + + + + NVD + https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0 + + 9.8 + critical + CVSSv3 + AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + An optional reason for rating the vulnerability as it was + + + + 184 + 502 + + FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. + + Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher. + + + GitHub Commit + https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 + + + GitHub Issue + https://github.com/FasterXML/jackson-databind/issues/1931 + + + 2021-01-01T00:00:00.000Z + 2021-01-01T00:00:00.000Z + 2021-01-01T00:00:00.000Z + + + + Acme, Inc. + https://example.com + + + + + Jane Doe + jane.doe@example.com + + + + + + Snyk + Snyk CLI (Linux) + 1.729.0 + + 2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d + + + + + not_affected + code_not_reachable + + will_not_fix + update + + An optional explanation of why the application is not affected by the vulnerable component. 
+ + + + pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9 + + + vers:semver/<2.6.7.5 + affected + + + vers:semver/2.7.0|<2.8.11.1 + affected + + + vers:semver/2.9.0|<2.9.5 + affected + + + + + + + From ae3a4abc029c368d8d4e109910a800446a4cf66e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 13 Dec 2021 23:43:00 -0600 Subject: [PATCH 21/26] Added Protobuf and textproto example that are ported from the draft JSON schema. Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.proto | 178 ++++++++++++++++++ .../1.4/valid-vulnerability-1.4.textproto | 103 ++++++++++ 2 files changed, 281 insertions(+) create mode 100644 tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto index d1512aa4..db5d539e 100644 --- a/schema/bom-1.4-SNAPSHOT.proto +++ b/schema/bom-1.4-SNAPSHOT.proto @@ -31,6 +31,8 @@ message Bom { repeated Dependency dependencies = 8; // Provides the ability to document aggregate completeness repeated Composition compositions = 9; + // Vulnerabilities identified in components or services. + repeated Vulnerability vulnerabilities = 10; } enum Classification { 
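Review bot: The `affects` entry in the new XML fixture references `pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9`, but the only component in the file carries bom-ref `pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4`, so the `ref` resolves to nothing although the schema documents it as a reference to a bom-ref; using `pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4` makes the fixture self-consistent. The textproto fixture in commit 21 and, as far as is visible, the JSON fixture in the first hunk on this page carry the same `@2.9.9` ref. Two further inconsistencies in this file: the `CVE-2018-7489` reference is listed twice and both entries point at a URL for `CVE-2019-9997`, and the rating `vector` starts with `AN/AC:L` while the calculator URL beside it carries `AV:N/AC:L`, so the vector string looks truncated; the textproto fixture repeats both.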
@@ -450,3 +452,179 @@ message Evidence { repeated LicenseChoice licenses = 1; repeated EvidenceCopyright copyright = 2; } + +message Vulnerability { + // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier that uniquely identifies the vulnerability. + optional string id = 2; + // The source that published the vulnerability. + optional Source source = 3; + // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. + repeated VulnerabilityReference references = 4; + // List of vulnerability ratings + repeated VulnerabilityRating ratings = 5; + // List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + repeated int32 cwes = 6; + // A description of the vulnerability as provided by the source. + optional string description = 7; + // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause. + optional string detail = 8; + // Recommendations of how the vulnerability can be remediated or mitigated. + optional string recommendation = 9; + // Published advisories of the vulnerability if provided. + repeated Advisory advisories = 10; + // The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + optional google.protobuf.Timestamp created = 11; + // The date and time (timestamp) when the vulnerability record was first published. 
+ optional google.protobuf.Timestamp published = 12; + // The date and time (timestamp) when the vulnerability record was last updated. + optional google.protobuf.Timestamp updated = 13; + // Individuals or organizations credited with the discovery of the vulnerability. + optional VulnerabilityCredits credits = 14; + // The tool(s) used to identify, confirm, or score the vulnerability. + repeated Tool tools = 15; + // An assessment of the impact and exploitability of the vulnerability. + optional VulnerabilityAnalysis analysis = 16; + // affects + repeated VulnerabilityAffects affects = 17; +} + +message VulnerabilityReference { + // An identifier that uniquely identifies the vulnerability. + optional string id = 1; + // The source that published the vulnerability. + optional Source source = 2; +} + +message VulnerabilityRating { + // The source that calculated the severity or risk rating of the vulnerability. + optional Source source = 1; + // The numerical score of the rating. + optional double score = 2; + // Textual representation of the severity that corresponds to the numerical score of the rating. + optional Severity severity = 3; + // Specifies the severity or risk scoring methodology or standard used. + optional ScoreMethod method = 4; + // Textual representation of the metric values used to score the vulnerability. + optional string vector = 5; + // An optional reason for rating the vulnerability as it was. 
+ optional string justification = 6; +} + +enum Severity { + SEVERITY_CRITICAL = 0; + SEVERITY_HIGH = 1; + SEVERITY_MEDIUM = 2; + SEVERITY_LOW = 3; + SEVERITY_INFO = 4; + SEVERITY_NONE = 5; + SEVERITY_UNKNOWN = 6; +} + +enum ScoreMethod { + // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/ + SCORE_METHOD_CVSSV2 = 0; + // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/ + SCORE_METHOD_CVSSV3 = 1; + // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/ + SCORE_METHOD_CVSSV31 = 2; + // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + SCORE_METHOD_OWASP = 3; + // Other scoring method + SCORE_METHOD_OTHER = 4; +} + +message Advisory { + // An optional name of the advisory. + optional string title = 1; + // Location where the advisory can be obtained. + string url = 2; +} + +message VulnerabilityCredits { + // The organizations credited with vulnerability discovery. + repeated OrganizationalEntity organizations = 1; + // The individuals, not associated with organizations, that are credited with vulnerability discovery. + repeated OrganizationalContact individuals = 2; +} + +message VulnerabilityAnalysis { + // Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + optional ImpactAnalysisState state = 1; + // The rationale of why the impact analysis state was asserted. + optional ImpactAnalysisJustification justification = 2; + // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable. + repeated VulnerabilityResponse response = 3; + // Detailed description of the impact including methods used during assessment. 
If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability. + optional string detail = 4; +} + +enum ImpactAnalysisState { + // The vulnerability has been remediated. + IMPACT_ANALYSIS_STATE_RESOLVED = 0; + // The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). + IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 1; + // The vulnerability may be directly or indirectly exploitable. + IMPACT_ANALYSIS_STATE_EXPLOITABLE = 2; + // The vulnerability is being investigated. + IMPACT_ANALYSIS_STATE_IN_TRIAGE = 3; + // The vulnerability is not specific to the component or service and was falsely identified or associated. + IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 4; + // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases. + IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 5; +} + +enum ImpactAnalysisJustification { + // The code has been removed or tree-shaked. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 0; + // The vulnerable code is not invoked at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 1; + // Exploitability requires a configurable option to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 2; + // Exploitability requires a dependency that is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 3; + // Exploitability requires a certain environment which is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 4; + // Exploitability requires a compiler flag to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 5; + // Exploits are prevented at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 6; + // Attacks are blocked at physical, logical, or network perimeter. 
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 7; + // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 8; +} + +enum VulnerabilityResponse { + VULNERABILITY_RESPONSE_CAN_NOT_FIX = 0; + VULNERABILITY_RESPONSE_WILL_NOT_FIX = 1; + VULNERABILITY_RESPONSE_UPDATE = 2; + VULNERABILITY_RESPONSE_ROLLBACK = 3; + VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 4; +} + +message VulnerabilityAffects { + // References a component or service by the objects bom-ref + string ref = 1; + // Zero or more individual versions or range of versions. + repeated VulnerabilityAffectedVersions versions = 2; +} + +message VulnerabilityAffectedVersions { + oneof choice { + // A single version of a component or service. + string version = 1; + // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + string range = 2; + } + // The vulnerability status for the version or range of versions. + optional VulnerabilityAffectedStatus status = 3; +} + +enum VulnerabilityAffectedStatus { + // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. + VULNERABILITY_AFFECTED_STATUS_AFFECTED = 0; + VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 1; + VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 2; +} diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto b/tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto new file mode 100644 index 00000000..bcc70e57 --- /dev/null 
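Review bot: Field 17 of `Vulnerability` carries only the placeholder `// affects`, while every other field in the message has a sentence; it should read `// The components or services that are affected by the vulnerability.`, matching the JSON schema text from commit 19. In `VulnerabilityAffectedStatus` the type-level description is written inside the braces above the first value, so protoc attaches it to `VULNERABILITY_AFFECTED_STATUS_AFFECTED` rather than to the enum; it belongs above `enum VulnerabilityAffectedStatus {`. That same comment speaks of the statuses 'affected' and 'unaffected' while the value is named `VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED`, and the XSD text in commit 20 also says 'unaffected', so either the value name or the documentation should change; commit 26 renumbers this enum and keeps the mismatch. `repeated VulnerabilityResponse response = 3` is a repeated field with a singular name, presumably to mirror the JSON key, which is worth a comment if intentional.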
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto 
@@ -0,0 +1,103 @@ +spec_version: "1.4" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" + group: "com.fasterxml.jackson.core" + name: "jackson-databind" + version: "2.9.4" + purl: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" +} +vulnerabilities { + bom_ref: "6eee14da-8f42-4cc4-bb65-203235f02415" + id: "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111" + source: { + name: "Snyk" + url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111" + } + references: { + id: "CVE-2018-7489" + source: { + name: "NVD", + url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + } + ratings: { + source: { + name: "NVD" + url: "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0" + } + score: 9.8 + severity: SEVERITY_CRITICAL + method: SCORE_METHOD_CVSSV3 + vector: "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + justification: "An optional reason for rating the vulnerability as it was" + } + cwes: 184 + cwes: 502 + description: "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath." + detail: "" + recommendation: "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher." 
+ advisories: { + title: "GitHub Commit" + url: "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" + } + advisories: { + title: "GitHub Issue" + url: "https://github.com/FasterXML/jackson-databind/issues/1931" + } + created: { + seconds: 3173618478 + nanos: 3 + } + published: { + seconds: 3173618478 + nanos: 3 + } + updated: { + seconds: 3173618478 + nanos: 3 + } + credits: { + organizations: { + name: "Acme, Inc." + url: "https://example.com" + } + individuals: { + name: "Jane Doe" + email: "jane.doe@example.com" + } + } + tools: { + vendor: "Snyk" + name: "Snyk CLI (Linux)" + version: "1.729.0" + hashes: { + alg: HASH_ALG_SHA_256 + value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d" + } + } + analysis: { + state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED + justification: IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE + response: VULNERABILITY_RESPONSE_WILL_NOT_FIX + response: VULNERABILITY_RESPONSE_UPDATE + detail: "An optional explanation of why the application is not affected by the vulnerable component." + } + affects: { + ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9" + versions: { + range: "vers:semver/<2.6.7.5" + status: VULNERABILITY_AFFECTED_STATUS_AFFECTED + } + versions: { + range: "vers:semver/2.7.0|<2.8.11.1" + status: VULNERABILITY_AFFECTED_STATUS_AFFECTED + } + versions: { + range: "vers:semver/2.9.0|<2.9.5" + status: VULNERABILITY_AFFECTED_STATUS_AFFECTED + } + } +} From 937b8fd6d0f7856f4f2d92b6e3b99102386125d8 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 16 Dec 2021 22:23:52 -0600 Subject: [PATCH 22/26] Changed SEVERITY_UNKNOWN to default Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.proto | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto index db5d539e..81a4356e 100644 --- a/schema/bom-1.4-SNAPSHOT.proto +++ b/schema/bom-1.4-SNAPSHOT.proto 
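Review bot: The `created`, `published` and `updated` timestamps in the textproto fixture all use `seconds: 3173618478`, an instant decades in the future (around 2070), whereas the XML fixture ported in commit 20 uses `2021-01-01T00:00:00.000Z` for the same records; `seconds: 1609459200` with `nanos: 0` would match the sibling fixture. `detail: ""` asserts an explicit empty value on an `optional` field; if the intent is "no detail", omitting the line avoids recording presence. The affects-ref, duplicated-CVE-URL and `vector` issues raised on the XML fixture apply here verbatim.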
@@ -513,13 +513,13 @@ message VulnerabilityRating { } enum Severity { - SEVERITY_CRITICAL = 0; - SEVERITY_HIGH = 1; - SEVERITY_MEDIUM = 2; - SEVERITY_LOW = 3; - SEVERITY_INFO = 4; - SEVERITY_NONE = 5; - SEVERITY_UNKNOWN = 6; + SEVERITY_UNKNOWN = 0; + SEVERITY_CRITICAL = 1; + SEVERITY_HIGH = 2; + SEVERITY_MEDIUM = 3; + SEVERITY_LOW = 4; + SEVERITY_INFO = 5; + SEVERITY_NONE = 6; } enum ScoreMethod { From 7a7d7ada967bf138be476c68c1072c2f0696bc78 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 16 Dec 2021 22:25:58 -0600 Subject: [PATCH 23/26] Changed SEVERITY_UNKNOWN to default Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.proto | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto index 81a4356e..67a3bd03 100644 --- a/schema/bom-1.4-SNAPSHOT.proto +++ b/schema/bom-1.4-SNAPSHOT.proto @@ -523,16 +523,18 @@ enum Severity { } enum ScoreMethod { + // An undefined score method + SCORE_METHOD_NULL = 0; // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/ - SCORE_METHOD_CVSSV2 = 0; + SCORE_METHOD_CVSSV2 = 1; // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/ - SCORE_METHOD_CVSSV3 = 1; + SCORE_METHOD_CVSSV3 = 2; // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/ - SCORE_METHOD_CVSSV31 = 2; + SCORE_METHOD_CVSSV31 = 3; // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology - SCORE_METHOD_OWASP = 3; + SCORE_METHOD_OWASP = 4; // Other scoring method - SCORE_METHOD_OTHER = 4; + SCORE_METHOD_OTHER = 5; } message Advisory { From 6201ede37ac9c730acfe414073fa281ab900ad98 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 16 Dec 2021 22:28:10 -0600 Subject: [PATCH 24/26] Changed IMPACT_ANALYSIS_STATE_NULL to default Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.proto | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
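Review bot: `SEVERITY_UNKNOWN = 0` makes a value that has its own meaning in the JSON schema enum ('unknown' alongside 'none') double as the implicit default, so a rating that never set `severity` is indistinguishable from one assessed as unknown. The other enums in this series get a dedicated zero value with an `// An undefined …` comment (commits 23–25), leaving `Severity` inconsistent with them; a `SEVERITY_UNSPECIFIED = 0;` entry with `SEVERITY_UNKNOWN` kept as a real value would align it, at the cost of one more renumbering while the schema is still a snapshot. `VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0` in commit 26 follows the same pattern, though its own documentation already defines 'unknown' as covering the unspecified case. The `Severity` values also carry no comments, unlike `ScoreMethod` beneath them.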
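Review bot: The new zero value is named `SCORE_METHOD_NULL`, whereas the proto convention for a placeholder default is `<PREFIX>_UNSPECIFIED`; generated accessors and JSON output will show "NULL", which reads as a null literal rather than "not set". If the name stays, the comment should at least say that it is what an unset field decodes to, e.g. `// Default for an unset field; not a scoring method in its own right`. Commits 24 and 25 introduce `IMPACT_ANALYSIS_STATE_NULL`, `IMPACT_ANALYSIS_JUSTIFICATION_NULL` and `VULNERABILITY_RESPONSE_NULL` with the same naming. The subject line of this commit repeats commit 22's ("Changed SEVERITY_UNKNOWN to default") although the change is to `ScoreMethod`.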
diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto index 67a3bd03..cc71dd0a 100644 --- a/schema/bom-1.4-SNAPSHOT.proto +++ b/schema/bom-1.4-SNAPSHOT.proto @@ -563,18 +563,20 @@ message VulnerabilityAnalysis { } enum ImpactAnalysisState { + // An undefined impact analysis state + IMPACT_ANALYSIS_STATE_NULL = 0; // The vulnerability has been remediated. - IMPACT_ANALYSIS_STATE_RESOLVED = 0; + IMPACT_ANALYSIS_STATE_RESOLVED = 1; // The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). - IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 1; + IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2; // The vulnerability may be directly or indirectly exploitable. - IMPACT_ANALYSIS_STATE_EXPLOITABLE = 2; + IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3; // The vulnerability is being investigated. - IMPACT_ANALYSIS_STATE_IN_TRIAGE = 3; + IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4; // The vulnerability is not specific to the component or service and was falsely identified or associated. - IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 4; + IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5; // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases. - IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 5; + IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6; } enum ImpactAnalysisJustification { From c85bdd66a3fe7413bdc31c73dd9347acdb01860d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 16 Dec 2021 22:31:24 -0600 Subject: [PATCH 25/26] Changed IMPACT_ANALYSIS_JUSTIFICATION_NULL to default and VULNERABILITY_RESPONSE_NULL to default Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.proto | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto index cc71dd0a..1a5cacb2 100644 --- a/schema/bom-1.4-SNAPSHOT.proto 
+++ b/schema/bom-1.4-SNAPSHOT.proto 
@@ -580,32 +580,35 @@ enum ImpactAnalysisState { } enum ImpactAnalysisJustification { + // An undefined impact analysis justification + IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0; // The code has been removed or tree-shaked. - IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 0; + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1; // The vulnerable code is not invoked at runtime. - IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 1; + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2; // Exploitability requires a configurable option to be set/unset. - IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 2; + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3; // Exploitability requires a dependency that is not present. - IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 3; + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4; // Exploitability requires a certain environment which is not present. - IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 4; + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5; // Exploitability requires a compiler flag to be set/unset. - IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 5; + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6; // Exploits are prevented at runtime. - IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 6; + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7; // Attacks are blocked at physical, logical, or network perimeter. - IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 7; + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8; // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. 
- IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 8; + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9; } enum VulnerabilityResponse { - VULNERABILITY_RESPONSE_CAN_NOT_FIX = 0; - VULNERABILITY_RESPONSE_WILL_NOT_FIX = 1; - VULNERABILITY_RESPONSE_UPDATE = 2; - VULNERABILITY_RESPONSE_ROLLBACK = 3; - VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 4; + VULNERABILITY_RESPONSE_NULL = 0; + VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1; + VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2; + VULNERABILITY_RESPONSE_UPDATE = 3; + VULNERABILITY_RESPONSE_ROLLBACK = 4; + VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5; } message VulnerabilityAffects { From 0e1df61cef885ce82273b5afa0295358e1ca9c5a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 16 Dec 2021 22:33:17 -0600 Subject: [PATCH 26/26] Changed VULNERABILITY_AFFECTED_STATUS_UNKNOWN to default Signed-off-by: Steve Springett --- schema/bom-1.4-SNAPSHOT.proto | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto index 1a5cacb2..d4dee08a 100644 --- a/schema/bom-1.4-SNAPSHOT.proto +++ b/schema/bom-1.4-SNAPSHOT.proto 
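Review bot: `VULNERABILITY_RESPONSE_NULL` is added without the `// An undefined …` line its counterparts in commits 23 and 24 received, and the rest of `VulnerabilityResponse` still has no per-value comments while every other enum touched in this series documents each value. Adding `// An undefined response` above the new value and one line for each of the others (for example `// A workaround is available for the affected component or service.` above `VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE`) would bring the enum in line with the file.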
@@ -631,7 +631,7 @@ message VulnerabilityAffectedVersions { enum VulnerabilityAffectedStatus { // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. - VULNERABILITY_AFFECTED_STATUS_AFFECTED = 0; - VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 1; - VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 2; + VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; + VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; + VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; }