CSAF Generation (#141)
Feat: CSAF Generation

* Preliminary CSAF generation

Signed-off-by: Caroline Russell <[email protected]>

Improvements to tracking, handling of revisions, formatting, downloading default csaf.toml

Signed-off-by: Caroline Russell <[email protected]>

Improved handling of references, dates, and cwes, creation of csaf.toml if not found.

Signed-off-by: Caroline Russell <[email protected]>

Added docstrings to csaf.py, refined cvss_v3 for csaf

Signed-off-by: Caroline Russell <[email protected]>

Enhanced csaf, adding: reference summaries, logic for release dates, product tree import, removal of fields with no data

Signed-off-by: Caroline Russell <[email protected]>

Created csaf metadata and settings file, configured import and parsing, resolved validation issues

Signed-off-by: Caroline Russell <[email protected]>

Added more data to CSAF, created toml for user settings and metadata

Signed-off-by: Caroline Russell <[email protected]>

* CSAF improvements, accuracy, error handling

Signed-off-by: Caroline Russell <[email protected]>

Fix Python compatibility issue by replacing match with if statements.

Signed-off-by: Caroline Russell <[email protected]>

Test fix

Signed-off-by: Caroline Russell <[email protected]>

Write csaf.toml back out to update tracking.

Signed-off-by: Caroline Russell <[email protected]>

* CSAF Tests

Modify tests due to change in csaf.toml

Signed-off-by: Caroline Russell <[email protected]>

Fix regex errors

Signed-off-by: Caroline Russell <[email protected]>

CSAF Tests

Signed-off-by: Caroline Russell <[email protected]>

* Created CSAF Readme

Signed-off-by: Caroline Russell <[email protected]>

* Toml, dates, revisions improvements

Minor fixes and date improvements.

Signed-off-by: Caroline Russell <[email protected]>

Simplifications and improvements: reduced toml nesting, only reset IDs we generate, remove tomli and requests as dependencies

Signed-off-by: Caroline Russell <[email protected]>

Modify revisions per csaf spec, store csaf.toml string in csaf.py

Signed-off-by: Caroline Russell <[email protected]>

Add depscan version tracking to toml to enable backwards compatibility should toml options change, reformat documentation.

Signed-off-by: Caroline Russell <[email protected]>

---------

Signed-off-by: Caroline Russell <[email protected]>
cerrussell authored Oct 15, 2023
1 parent 261e42e commit afed790
Showing 8 changed files with 2,716 additions and 27 deletions.
32 changes: 26 additions & 6 deletions README.md
@@ -12,6 +12,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
- Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
- Package vulnerability scanning is performed locally and is quite fast. No server is used!
- Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information
- Generate a Common Security Advisory Framework (CSAF) 2.0 document (check out the [CSAF Readme](contrib/CSAF_README.md))
- Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit)

![Dependency Tree with Insights](docs/tree1.jpg)
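Review bot: the new bullet calls the output a "Common Security Advisory Framework (CSAF) 2.0 document", while the linked contrib/CSAF_README.md describes "CSAF vex documents" and the shipped template defaults to category csaf_vex; say in this bullet that the generated file is a CSAF 2.0 VEX (csaf_vex profile) document so readers do not expect a general security advisory.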
@@ -138,24 +139,33 @@ depscan --src $PWD --reports-dir $PWD/reports
Full list of options are below:

```bash
usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
[--reports-dir REPORTS_DIR] [--no-error] [--deep]
usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
[--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
[--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]

Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.

options:
-h, --help show this help message and exit
--no-banner Do not display banner
--cache Cache vulnerability information in platform specific user_data_dir
--csaf Generate a CSAF
--sync Sync to receive the latest vulnerability data. Should have invoked cache first.
--suggest DEPRECATED: Suggest is the default mode for determining fix version.
--risk-audit Perform package risk audit (slow operation). Npm only.
--private-ns PRIVATE_NS
Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma
separated values accepted.
Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
-t PROJECT_TYPE, --type PROJECT_TYPE
Override project type if auto-detection is incorrect
--bom BOM Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
-i SRC_DIR, --src SRC_DIR
Source directory
-i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
Source directory or container image or binary file
-o REPORT_FILE, --report_file REPORT_FILE
DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
--reports-dir REPORTS_DIR
Reports directory
--no-error Continue on error to prevent build from breaking
--no-license-scan DEPRECATED: dep-scan does not perform license scanning by default
--deep Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
--no-universal Depscan would attempt to perform a single universal scan instead of individual scans per language type.
--no-vuln-table Do not print the table with the full list of vulnerabilities. This can help reduce console output.
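Review bot: the new `--csaf` help text, "Generate a CSAF", is too terse next to the other options; state what is produced and where, for example "Generate a CSAF 2.0 VEX document in the reports directory (requires a csaf.toml in the source directory)", which is the workflow contrib/CSAF_README.md documents. Also, the updated usage line now shows `[-i SRC_DIR_IMAGE]` in brackets (optional) where the old line had `-i SRC_DIR` as required; confirm that is intended and that depscan exits cleanly with a message when neither `-i` nor `--bom` is supplied.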
@@ -167,6 +177,16 @@ usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit]
ThreatDB password
--threatdb-token THREATDB_TOKEN
ThreatDB token for token based submission
--privado-json PRIVADO_JSON
Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
--server Run depscan as a server
--server-host SERVER_HOST
depscan server host
--server-port SERVER_PORT
depscan server port
--cdxgen-server CDXGEN_SERVER
cdxgen server url. Eg: http://cdxgen:9090
-v, --version Display the version
```
### Scanning containers locally (Python version)
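Review bot: the help text for `--server-host` and `--server-port` ("depscan server host" / "depscan server port") gives no defaults; include them so an operator can tell from `--help` whether server mode binds to localhost or to all interfaces, and the `--cdxgen-server` example (`http://cdxgen:9090`) should mention whether `https://` URLs are accepted so the plaintext choice is a conscious one.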
70 changes: 70 additions & 0 deletions contrib/CSAF_README.md
@@ -0,0 +1,70 @@
# Purpose

Generate CSAF vex documents populated with vulnerability results from
OWASP dep-scan.


## Overview

1. Run depscan with the --csaf option.
2. Depscan will check if you already have a csaf.toml file in the target
directory before proceeding.
3. If you do not, the template will be downloaded from our repo and you will
be requested to fill it out before running depscan again.
4. You may want to store an extra [copy](csaf.toml) for your reference, as the
comments located in the template will not be present after your first
CSAF generation.
5. To produce a valid CSAF document, a number of fields must be included in
the toml. Some you may choose to set yourself, or we will set them for you.
Please see the official [CSAF 2.0](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html) standard for a full explanation of
requirements. A copy of the schema is available [here](csaf_json_schema.
json). See [TOML Requirements](#toml-requirements) for a brief overview.
6. Run depscan with the --csaf option again.
7. This time, a CSAF document will be written to the reports directory that
you specified using the --reports-dir option (default behavior creates a
reports directory in your current directory).

### The csaf.toml
The first time you run depscan with the --csaf option against a specific
directory, a csaf.toml template will be placed in your target directory and you
will be requested to fill it out before running depscan again. This is a
configuration file used to set metadata fields outside the vulnerabilities
section.

#### Requirements

In order to produce a valid CSAF, certain sections are required. An overview
is below, with required components in bold.
> Where a top level category, such as Note is not bolded, but one of its
> members is, that indicates the bolded are only required if the parent category
> is included, e.g. a note entry must include category and text, but a
> valid CSAF does not require that any notes be included.:

| TOML Field | Subcategories | Comments |
|-------------------|-------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **document** | **category<br>title** | default category is csaf_vex<br>category must match regex: `^[^\s\-_\.](.*[^\s\-_\.])?$` |
| **publisher** | **name**<br>**category**<br>**namespace**<br>contact_details | <br>valid categories: coordinator, discoverer, other, translator, user, vendor<br><br>e.g. an email address |
| note | **category**<br>**text**<br>audience<br>title | valid categories: description, details, faq, general, legal_disclaimer, other, summary<br><br>multiple note entries may be included under additional [note] headings |
| reference | **summary**<br>**url**<br>category | multiple reference entries may be included under additional [reference] headings<br><br>valid categories: self, external |
| distribution | text<br>tlp.**label**<br>tlp.url | If tlp is included, label is required<br>valid labels: AMBER, GREEN, RED, WHITE |
| product_tree | easy_import | We support importing a product tree from a json file, the path of which should be specified here. <br>[example](../test/data/product_tree.json) |
| **tracking** | **current_release_date**<br/>**initial_release_date**<br/>**version**<br/>**status**<br/>**id** | Please use ISO date formats if entering dates yourself.<br/><br/>valid statuses: draft, final, interim<br/>We will generate an id consisting of date and version if you do not include this, but id is best set by you |
| tracking.revision | date<br/>number<br/>summary | Leave this section alone. Depscan will add revision entries per final version. |
| depscan_version | | This field is automatically updated for our use to provide backward compatibility if the TOML options change |

>Although tracking and all of its components are required, if you do
not include them, we will use the current date/time and update the
version as appropriate.

>Feel free to preserve all fields on the toml if you may want them later.
> Entries without content will be omitted.
### Validation
Coming soon! For now, you can validate your generated CSAFs using a [JSON
schema
validator](https://www.jsonschemavalidator.net/) and the [csaf 2.0 schema](csaf_json_schema.json).

### Questions? Comments? Suggestions?
Feel free to reach out to us on [discord](https://discord.gg/DCNxzaeUpd) or start a discussion tagging
@cerrussell on the [OWASP Dep-Scan Repo](https://github.com/owasp-dep-scan/dep-scan).
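Review bot: step 3 of the overview says the csaf.toml template "will be downloaded from our repo", but the commit message for this change says the csaf.toml string is now stored in csaf.py and that `requests` was removed as a dependency; reword the step to say the template is written from the bundled copy, so users do not expect a network fetch (or a proxy failure) on first run. Two smaller points: the schema link at "A copy of the schema is available [here](csaf_json_schema." / "json)" is split across two source lines, which breaks the markdown link target, so keep it on one line; and "Validation: Coming soon!" should state which schema version the external validator should be used with, since the page already ships csaf_json_schema.json.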
65 changes: 65 additions & 0 deletions contrib/csaf.toml
@@ -0,0 +1,65 @@
[document]
category = "csaf_vex"
title = "Your Title"

[publisher]
# Required
# Valid categories are: coordinator, discoverer, other, translator, user, vendor
category = "vendor"
name = "Vendor McVendorson"
namespace = "https://appthreat.com"
# Optional
contact_details = "[email protected]"

# Category and text are required to add a note, add as many notes.note as you need
# Valid categories are: description, details, faq, general, legal_disclaimer, other, summary
[[note]]
audience = ""
category = ""
text = ""
title = ""

[product_tree]
easy_import = ""

[distribution]
text = ""
# Label is required if tlp included
label = ""
url = ""

# Summary and url are required, include as many references.ref as you like
# Category can be either "external" or "self"
[[reference]]
category = ""
summary = ""
url = ""

[[reference]]
category = ""
summary = ""
url = ""

# An entry for the data in this section will be added to the revision_history if the status is final
# The current date/time is default if not provided
# id is required and best set by the document issuing authority
[tracking]
# Required
current_release_date = "" # ISO 8601
id = ""
initial_release_date = "" # ISO 8601
status = "draft"
version = ""

# Include as many revision entries as you like
[[tracking.revision]]
date = ""
number = ""
summary = ""
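Review bot: `[distribution]` in the template declares `label` and `url` as direct keys, but the table in contrib/CSAF_README.md documents them as `tlp.label` and `tlp.url`; if the TOML is meant to mirror the CSAF document structure this should be a `[distribution.tlp]` table holding `label` and `url`, otherwise the README table needs correcting. Also, the comments still refer to `notes.note` and `references.ref` while the actual array-of-tables keys are `[[note]]` and `[[reference]]`, and the default `namespace = "https://appthreat.com"` should be an obvious placeholder so a publisher does not issue an advisory under another organisation's namespace by leaving it untouched.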






