Include additional metadata in vulnerability occurrences for CSAF. #70
Conversation
@@ -391,6 +429,23 @@ def __init__( | |||
self.confidentiality_impact = confidentiality_impact | |||
self.integrity_impact = integrity_impact | |||
self.availability_impact = availability_impact | |||
self.vector_string = vector_string |
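Review bot: `self.vector_string = vector_string` stores the value without any check, while the reply below states that CSAF 2.0 validates this field against the CVSS v3.0/v3.1 schema; a prefix check in `__init__` such as `if vector_string and not vector_string.startswith(("CVSS:3.0/", "CVSS:3.1/")): raise ValueError(...)` would reject a malformed vector at construction time rather than at CSAF validation time. The constructor also keeps `confidentiality_impact`, `integrity_impact` and `availability_impact` as separate fields that duplicate the C/I/A metrics encoded in the vector string, so a consistency check between the two (or deriving one from the other) is worth considering.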
Is this vector string different from attack_vector?
@prabhu Yes, attack vector is an enum like NETWORK, PHYSICAL, etc. while the vector string is something like CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vector string is a required component to give a cvss_v3 score in CSAF. CSAF 2.0 validates this by specifying the use of either the cvss v3.0 or v3.1 schemas.
vdb/lib/__init__.py
Outdated
package_issue: PackageIssue | ||
short_description: str | ||
long_description: str | ||
related_urls: list | ||
effective_severity: Severity | ||
matched_by: str | ||
vdetails: VulnerabilityDetail |
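Review bot: `vdetails: VulnerabilityDetail` embeds the whole detail object in the occurrence, and since `VulnerabilityDetail` carries `VulnerabilityLocation` as its `fixed_location` property (as the comments below point out), this is the field that risks a reference cycle between occurrence and detail; the discrete properties agreed in the thread (fixed location, minimum affected version, package) should replace it. Minor: `related_urls: list` is untyped where the neighbouring fields carry concrete types, so `list[str]` would be consistent with them.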
VulnerabilityDetail includes VulnerabilityLocation as a property fixed_location. Can we retrieve the vulnerability detail in a different way?
@prabhu CSAF requires a product status, so either fixed location or affected versions must be listed (so I would want the min affected versions). Package is also needed to include any scoring, as a list of affected packages is required. The cpe may be something I want to add as well, but I haven't addressed it yet. If you prefer, I can add these as discrete properties of a VulnerabilityOccurrence, but they are needed to be able to generate a valid CSAF.
Cool. Let's add them as discrete properties so that we don't create any cycles.
@prabhu I'm not sure what you mean by cycles, but I am happy to extract to discrete properties.
VulnerabilityDetail could have VulnerabilityLocation as a property.
@cerrussell any ideas about the test failures?
@prabhu Yep, I know what it is, fixing now
0b3e5a0 to aa7f1f9
Refine metadata to be included in vulnerability occurrence for CSAF, standardized date formatting. Signed-off-by: Caroline Russell <[email protected]>
Check for empty date. Signed-off-by: Caroline Russell <[email protected]>
Minor CSAF changes Signed-off-by: Caroline Russell <[email protected]>
More metadata for CSAF Signed-off-by: Caroline Russell <[email protected]>
Added original date of vulnerability for use with CSAF Signed-off-by: Caroline Russell <[email protected]>
Additional mods to collect more csaf info Signed-off-by: Caroline Russell <[email protected]>
Modifications to enable cvssv3 to be stored in csaf. Signed-off-by: Caroline Russell <[email protected]>
aa7f1f9 to 96227d1
Signed-off-by: Caroline Russell <[email protected]>
Refactor convert_time, expand handled formats
Note: dateutil could simplify this further, but would add an additional dependency. Revisit in future if date parsing continues to be problematic. Signed-off-by: Caroline Russell <[email protected]>
96227d1 to 76fb7f0
Add Python 3.12 Signed-off-by: Caroline Russell <[email protected]>
Don't checkout vuln-list Signed-off-by: Caroline Russell <[email protected]>
Change runs-on to matrix, add Python 3.12 Signed-off-by: Caroline Russell <[email protected]>
76fb7f0 to 26682f3
Added backwards-compatible functionality needed for CSAF generation.