Include additional metadata in vulnerability occurrences for CSAF. #70
Conversation
| @@ -391,6 +429,23 @@ def __init__( | |||
| self.confidentiality_impact = confidentiality_impact | |||
| self.integrity_impact = integrity_impact | |||
| self.availability_impact = availability_impact | |||
| self.vector_string = vector_string | |||
There was a problem hiding this comment.
Is this vector string different from attack_vector?
There was a problem hiding this comment.
@prabhu Yes, attack vector is an enum like NETWORK, PHYSICAL, etc. while the vector string is something like CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vector string is a required component to give a cvss_v3 score in CSAF. CSAF 2.0 validates this by specifying the use of either the cvss v3.0 or v3.1 schemas.
vdb/lib/__init__.py
Outdated
| package_issue: PackageIssue | ||
| short_description: str | ||
| long_description: str | ||
| related_urls: list | ||
| effective_severity: Severity | ||
| matched_by: str | ||
| vdetails: VulnerabilityDetail |
There was a problem hiding this comment.
VulnerabilityDetail includes VulnerabilityLocation as a property fixed_location. Can we retrieve the vulnerability detail in a different way?
There was a problem hiding this comment.
@prabhu CSAF requires a product status, so either fixed location or affected versions must be listed (so I would want the min affected versions). Package is also needed to include any scoring, as a list of affected packages is required. The cpe may be something I want to add as well, but I haven't addressed it yet. If you prefer, I can add these as discrete properties of a VulnerabilityOccurrence, but they are needed to be able to generate a valid CSAF.
There was a problem hiding this comment.
Cool. Let's add them as discrete properties so that we don't create any cycles.
There was a problem hiding this comment.
@prabhu I'm not sure what you mean by cycles, but I am happy to extract to discrete properties.
There was a problem hiding this comment.
VulnerabilityDetail could have VulnerabilityLocation as a property.
|
@cerrussell any ideas about the test failures? |
|
@prabhu Yep, I know what it is, fixing now |
cerrussell
force-pushed
the
feature/csaf
branch
from
0b3e5a0
to
aa7f1f9
Compare
Refine metadata to be included in vulnerability occurrence for CSAF, standardized date formatting. Signed-off-by: Caroline Russell <[email protected]> Check for empty date. Signed-off-by: Caroline Russell <[email protected]> Minor CSAF changes Signed-off-by: Caroline Russell <[email protected]> More metadata for CSAF Signed-off-by: Caroline Russell <[email protected]> Added original date of vulnerability for use with CSAF Signed-off-by: Caroline Russell <[email protected]> Additional mods to collect more csaf info Signed-off-by: Caroline Russell <[email protected]> Modifications to enable cvssv3 to be stored in csaf. Signed-off-by: Caroline Russell <[email protected]>
cerrussell
force-pushed
the
feature/csaf
branch
from
aa7f1f9
to
96227d1
Compare
Signed-off-by: Caroline Russell <[email protected]> Refactor convert_time, expand handled formats Note: dateutil could simplify this further, but would add an additional dependency. Revisit in future if date parsing continues to be problematic. Signed-off-by: Caroline Russell <[email protected]>
cerrussell
force-pushed
the
feature/csaf
branch
from
96227d1
to
76fb7f0
Compare
Add Python 3.12 Signed-off-by: Caroline Russell <[email protected]> Don't checkout vuln-list Signed-off-by: Caroline Russell <[email protected]> Change runs-on to matrix, add Python 3.12 Signed-off-by: Caroline Russell <[email protected]>
cerrussell
force-pushed
the
feature/csaf
branch
from
76fb7f0
to
26682f3
Compare
Added backwards-compatible functionality needed for CSAF generation.