Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce vulnerability component #1295

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Introduce vulnerability component #1295

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
197b528
introduce vulnerability
trisch-me Jul 29, 2024
a760ecd
fix for lint
trisch-me Jul 29, 2024
e519eff
remove unused keyword
trisch-me Jul 29, 2024
a436192
Merge branch 'main' into vulnerability
trisch-me Oct 28, 2024
e70e69c
Update .chloggen/vulnerability.yaml
trisch-me Oct 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions .chloggen/vulnerability.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Use this changelog template to create an entry for release notes.
#
# If your change doesn't affect end users you should instead start
# your pull request title with [chore] or use the "Skip Changelog" label.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: new_component

# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
component: vulnerability

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Introduce `vulnerability.*` attribute namespace

# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
# The values here must be integers.
issues: [1295]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ body:
- area:user-agent
- area:v8js
- area:vcs
- area:vulnerability
- area:webengine
# End semconv area list
- type: textarea
Expand Down
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/change_proposal.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ body:
- area:user-agent
- area:v8js
- area:vcs
- area:vulnerability
- area:webengine
# End semconv area list
- type: textarea
Expand Down
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/new-conventions.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ body:
- area:user-agent
- area:v8js
- area:vcs
- area:vulnerability
- area:webengine
# End semconv area list
- type: textarea
Expand Down
1 change: 1 addition & 0 deletions docs/attributes-registry/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ Currently, the following namespaces exist:
- [User Agent](user-agent.md)
- [V8js](v8js.md)
- [VCS](vcs.md)
- [Vulnerability](vulnerability.md)
- [Webengine](webengine.md)

[developers recommendations]: ../general/attribute-naming.md#recommendations-for-application-developers
43 changes: 43 additions & 0 deletions docs/attributes-registry/vulnerability.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
<!--- Hugo front matter used to generate the website version of this page:
--->

<!-- NOTE: THIS FILE IS AUTOGENERATED. DO NOT EDIT BY HAND. -->
<!-- see templates/registry/markdown/attribute_namespace.md.j2 -->

# Vulnerability

## Vulnerability

The vulnerability fields describe information about a vulnerability.

| Attribute | Type | Description | Examples | Stability |
| ----------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| `vulnerability.category` | string[] | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example [Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm). | `["Firewall"]` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.classification` | string | The classification of the vulnerability scoring system. For example, [CVSS](https://www.first.org/cvss/specification-document). | `CVSS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.description` | string | The description of the vulnerability that provides additional context of the vulnerability. For example [Common Vulnerabilities and Exposure CVE description](https://www.cve.org/ResourcesSupport/FAQs). | `A vulnerability in the firewall allows an attacker to bypass security controls.` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.enumeration` | string | The type of identifier used for this vulnerability. For example, [Common Vulnerabilities and Exposure CVE enumeration](https://www.cve.org/ResourcesSupport/FAQs). | `CVE` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.id` | string | The number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example, [Common Vulnerabilities and Exposure CVE ID](https://www.cve.org/ResourcesSupport/FAQs). | `CVE-2021-44228` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.reference` | string | A resource that provides additional information, context, and mitigations for the identified vulnerability. | `https://www.cve.org/CVERecord?id=CVE-2021-44228` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.report_id` | string | The report or scan identification number. | `20191018.0001` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.scanner.vendor` | string | The name of the scanner vendor that identified the vulnerability. | `Tenable` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.score.base` | double | The base score of the vulnerability. [1] | `7.5` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.score.environmental` | double | The environmental score of the vulnerability. [2] | `7.5` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.score.temporal` | double | The temporal score of the vulnerability. [3] | `7.5` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `vulnerability.score.version` | string | The version of the scoring system used to calculate the vulnerability score. | `3.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only comment here is whether or not it makes sense to have some of these be a CVSS specific attribute, particularly when I see things like score ranging from 0.0 to 10.0.

I like that this is based on the CVSS specification, what I can't tell as an outsider, what other standards can be mapped here. I'm waiting for more security folks to chime in on these to understand if this does, indeed, match expectations for how to communicate vulnerabilities via Events, etc.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jsuereth - agreed. If using numbers this should be clearly defined (ie. CVSS).

Also, what examples of "score.version" exist? The other examples in this file assume CVSS (like score), but the classification attribute technically allows for others which may not 1:1 align.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd agree that there could be some challenges in having the score.version allow for other systems. Some of the fields we've got here are specific to CVSS scoring (e.g. environmental and temporal scores). If the intent is to allow for other scoring regimes (and I do think that makes sense), I'd be inclined to have a vulnerability.score value and not have the other CVSS specific items.

It's also worth noting that generally scanners can't/shouldn't provide values for environmental and temporal metrics as those require information about the working environment of the impacted system that scanners often don't have.

One example of the type of score someone might want to add is EPSS (https://www.first.org/epss/model) which expresses a score as a percentage.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jsuereth and folks I agree with the idea that we must allow other standards to be taken into account though CVSS is probably the most widely used. We do have also notation about CVSS in comments.

I see here 2 ways of solving it

A

  • introducing score.standard field, which could be used to define the actual standard.
  • score.version and score.base will remain as is as common fields for all standards
  • if any standard requires more fields, those could be added with sub-namespacing in the beginning such score.cvss.temporal etc
  • as of now we will add only CVSS but the schema could be extended if needed

B

  • use every standard under it's own sub-namespace. i.e. current score fields all go under score.cvss.*
  • that way we will not have to define standard additionally.

I prefer the first option as it gives more flexibility in using any standard without updating schema, if we care only about score.base. But this will make base.score definition a bit vague, because different standards can define it using different measurements: 0.0 to 1.0, 0.0 to 10.0, 0.0 to 100.0 etc. But we can add it to the notes

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep that sounds like a good idea to me, Option A you've outlined there should help clarify this area.

Copy link

@leykin-valeriy leykin-valeriy Nov 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe there are two things that need to be considered:

  1. The severity/score reported by the vendor that found this vulnerability in a specific artifact.
  2. The various scores this vulnerability may get from various standards

A decision to make: Are we defining a vulnerability object that can later be referenced from a finding, or are we defining a vulnerability finding reported by a vendor on a vulnerable artifact?

Depending on the purpose, it could go in one or another direction.
For 1. - we would need to have a separate severity/score for the finding, and potentially an array of scores defined by various standards.
For 2. - we would still need a score used by the vendor as the base score, and potentially an array of additional scores that were considered by that vendor.

See this example of Snyk:

  • They talk about a vulnerability, define their own score, and reference multiple standards.
  • When they will run the assessment of an artifact against this vulnerability, they will generate a finding event, with the finding score adjusted to additional contextual information.

image

Here is an example of a possible OCSF representation generated from a vulnerability finding:

{
"activity_id": 1,
"category_uid": 2,
"class_uid": 2001,
"finding": {
"created_time": "2024-06-26T07:15:06.139000Z",
"first_seen_time": "2024-06-26T07:15:06.160000Z",
"last_seen_time": "2024-06-26T07:15:06.160000Z",
"modified_time": "2024-06-26T07:15:06.139000Z",
"product_uid": "snyk",
"src_url": "https://app.snyk.io/org/capability_xyz/project/fffffffff-aaaa-dddd-aaaa-dddddddd885e#issue-SNYK-JAVA-COMMICROSOFTAZURE-7246766",
"title": "pack/manager:2.155.0:/app/libs: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
"types": [
"PACKAGE_VULNERABILITY"
],
"uid": "ffffffffffff-e65a-fffff-8804-cacacacacaca:12345678901:us-east-1"
},
"metadata": {
"product": {
"name": "Snyk",
"url_string": "https://snyk.io",
"vendor_name": "Snyk"
},
"version": "1.0.0"
},
"resources": [
{
"data": {
"snyk_org_id": "bbbbbbbbb-dddd-4870-aaaa-abababababa",
"url": "https://app.snyk.io/org/capability_xyz/project/fffffffff-aaaa-dddd-aaaa-dddddddd885e"
},
"name": "pack/manager:2.155.0:/app/libs",
"type": "snyk_project",
"uid": "fffffffff-aaaa-dddd-aaaa-dddddddd885e"
}
],
"severity_id": 3,
"state": "New",
"state_id": 1,
"time": "2024-06-26T07:15:06.139000Z",
"type_uid": 200101,
"vulnerabilities": [
{
"cve": {
"created_time": "0001-01-01T00:00:00Z",
"cvss": {
"base_score": 7,
"version": ""
},
"modified_time": "0001-01-01T00:00:00Z",
"product": {
"name": "",
"vendor_name": ""
},
"uid": ""
}
},
{
"cve": {
"created_time": "0001-01-01T00:00:00Z",
"cvss": {
"base_score": 0,
"version": ""
},
"modified_time": "0001-01-01T00:00:00Z",
"product": {
"name": "",
"vendor_name": ""
},
"uid": "CVE-2024-35255"
},
"fix_available": true,
"packages": [
{
"epoch": "0001-01-01T00:00:00Z",
"name": "com.microsoft.azure",
"version": "msal4j"
}
],
"severity": "medium"
}
]
}

| `vulnerability.severity` | string | The severity of the vulnerability. | `Low`; `Medium`; `High` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |

**[1]:** Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example, [CVSS](https://www.first.org/cvss/specification-document).
The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.

**[2]:** Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified base metrics, confidentiality, integrity, and availability requirements. For example, [CVSS](https://www.first.org/cvss/specification-document).

**[3]:** Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example, [CVSS](https://www.first.org/cvss/specification-document).

`vulnerability.severity` has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

| Value | Description | Stability |
| ---------- | ------------------------------ | ---------------------------------------------------------------- |
| `Critical` | Critical severity (9.0 - 10.0) | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `High` | High severity (7.0 - 8.9) | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `Low` | Low severity (0.1 - 3.9) | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
| `Medium` | Medium severity (4.0 - 6.9) | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
120 changes: 120 additions & 0 deletions model/registry/vulnerability.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
groups:
- id: registry.vulnerability
prefix: vulnerability
type: attribute_group
display_name: Vulnerability
brief: >
The vulnerability fields describe information about a vulnerability.
attributes:
- id: category
type: string[]
stability: experimental
brief: >
The type of system or architecture that the vulnerability affects. These may be platform-specific
(for example, Debian or SUSE) or general (for example, Database or Firewall). For example
[Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm).
examples: ['Firewall']
- id: classification
type: string
stability: experimental
brief: >
The classification of the vulnerability scoring system. For example, [CVSS](https://www.first.org/cvss/specification-document).
examples: ['CVSS']
- id: description
type: string
stability: experimental
brief: >
The description of the vulnerability that provides additional context of the vulnerability.
For example [Common Vulnerabilities and Exposure CVE description](https://www.cve.org/ResourcesSupport/FAQs).
examples: ['A vulnerability in the firewall allows an attacker to bypass security controls.']
- id: enumeration
type: string
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A vulnerability reported by a vendor might relate to multiple CVEs. Would it make sense to have the CVE enumeration as an array?
For example, https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094

stability: experimental
brief: >
The type of identifier used for this vulnerability. For example, [Common Vulnerabilities and Exposure CVE enumeration](https://www.cve.org/ResourcesSupport/FAQs).
examples: ['CVE']
- id: id
type: string
stability: experimental
brief: >
The number portion of a vulnerability entry. It includes a unique identification number for the vulnerability.
For example, [Common Vulnerabilities and Exposure CVE ID](https://www.cve.org/ResourcesSupport/FAQs).
examples: ['CVE-2021-44228']
- id: reference
type: string
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This field might include multiple values, similar to the possible multiple CVEs related to a vulnerability.

stability: experimental
brief: >
A resource that provides additional information, context, and mitigations for the identified vulnerability.
examples: ['https://www.cve.org/CVERecord?id=CVE-2021-44228']
- id: report_id
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would there be a future case where report would be moved to a namespace where things like url.full could be added to link to the report, or other attributes?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is the id of the scan, it would make sense to name scan.id

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adrielp as we have agreed during one of semconv on having id always in it's own namespace, I will update this field

type: string
stability: experimental
brief: >
The report or scan identification number.
examples: ['20191018.0001']
- id: scanner.vendor
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could come up with a namespace scan to include both the id, and the related vendor/product information.

type: string
stability: experimental
brief: >
The name of the scanner vendor that identified the vulnerability.
examples: ['Tenable']
- id: score.base
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the terminology of base, temporal, environmental, are all from the CVSS-domain, would it make sense to put this under the corresponding namespace, for example: cvssv2 or cvssv3?

type: double
stability: experimental
brief: >
The base score of the vulnerability.
note: >
Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think an "alternative" would be EPSS which is 0 - 1 so this description wouldn't fit that If the classification changed.

for exploitability metrics (attack vector, complexity, privileges, and user interaction),
impact metrics (confidentiality, integrity, and availability), and scope. For example, [CVSS](https://www.first.org/cvss/specification-document).

The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium",
and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are
defined in the CVSS v3.0 specification.
examples: [7.5]
- id: score.environmental
type: double
stability: experimental
brief: >
The environmental score of the vulnerability.
note: >
Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment
for any modified base metrics, confidentiality, integrity, and availability requirements. For example, [CVSS](https://www.first.org/cvss/specification-document).
examples: [7.5]
- id: score.temporal
type: double
stability: experimental
brief: >
The temporal score of the vulnerability.
note: >
Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for
code maturity, remediation level, and confidence. For example, [CVSS](https://www.first.org/cvss/specification-document).
examples: [7.5]
- id: score.version
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we always expect to have only one scoring system represented in the vulnerability?
For example, what if a vendor has its own scoring system and also adds the cvssv2 and cvssv3 info?
Should we allow to store all this information?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @leykin-valeriy I have provided 2 options in the comment above on how to include multiple standards into namespace, you can give you opinion there, which option do you like more (or maybe have another idea on how accomplish multiple standards)

type: string
stability: experimental
brief: >
The version of the scoring system used to calculate the vulnerability score.
examples: ['3.0']
- id: severity
brief: >
The severity of the vulnerability.
type:
members:
- id: low
value: 'Low'
brief: 'Low severity (0.1 - 3.9)'
Copy link
Contributor

@adrielp adrielp Aug 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
brief: 'Low severity (0.1 - 3.9)'
brief: 'Low severity (0.0 - 3.9)'

https://nvd.nist.gov/vuln-metrics/cvss

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in the latest cvss versions (3.x, 4.x) severity is scored from 0.1, because 0.0 means no vulnerability

stability: experimental
- id: medium
value: 'Medium'
brief: 'Medium severity (4.0 - 6.9)'
stability: experimental
- id: high
value: 'High'
brief: 'High severity (7.0 - 8.9)'
stability: experimental
- id: critical
value: 'Critical'
brief: 'Critical severity (9.0 - 10.0)'
stability: experimental
stability: experimental
Loading