Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added vulnerabilities as part of core spec #91

Merged
merged 26 commits into from
Dec 20, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
adb75ab
#38 - Added initial support for vulnerabilities as part of core spec.…
stevespringett Oct 3, 2021
173b781
Corrected issues preventing validation
stevespringett Oct 3, 2021
a04e72f
Clarified description of when the vulnerability was created per https…
stevespringett Oct 5, 2021
821fdfa
Refactored 'affects' by incorporating ranges and versions into indivi…
stevespringett Oct 15, 2021
df947e9
Refactored 'affects' by incorporating ranges and versions into indivi…
stevespringett Oct 15, 2021
d290235
spelling
stevespringett Oct 15, 2021
b7e37c6
Added not_affected justifications based on discussion https://github.…
stevespringett Nov 12, 2021
f15b462
Removed not_set as its implied if value is not specified. Added expli…
stevespringett Nov 12, 2021
052e702
Added description for vulnerability reference
stevespringett Nov 18, 2021
485456c
Added description for vulnerability reference
stevespringett Nov 18, 2021
8db5a20
Standardizing on version range syntax from CVE v5.0 JSON schema
stevespringett Nov 19, 2021
35b5bc0
Minor hardening. Added default to affected status as unlike the CVE 5…
stevespringett Nov 20, 2021
d3f0e50
Documentation updates
stevespringett Nov 22, 2021
dcad6ef
Added info to severity
stevespringett Nov 22, 2021
6c62cc6
Documentation updates
stevespringett Nov 22, 2021
0ac6b87
#91 - Added analysis (vendor) response
stevespringett Dec 7, 2021
b42bbca
#91 - Changed credits from a string to structured data supporting an …
stevespringett Dec 7, 2021
9f9f4ca
Migrated from version range syntax defined in CVE 5.0 Schema to Packa…
stevespringett Dec 13, 2021
5ac7976
Minor doc updates
stevespringett Dec 13, 2021
1ec2ca4
Added XSD and XML example that are ported from the draft JSON schema.
stevespringett Dec 13, 2021
ae3a4ab
Added Protobuf and textproto example that are ported from the draft J…
stevespringett Dec 14, 2021
937b8fd
Changed SEVERITY_UNKNOWN to default
stevespringett Dec 17, 2021
7a7d7ad
Changed SEVERITY_UNKNOWN to default
stevespringett Dec 17, 2021
6201ede
Changed IMPACT_ANALYSIS_STATE_NULL to default
stevespringett Dec 17, 2021
c85bdd6
Changed IMPACT_ANALYSIS_JUSTIFICATION_NULL to default and VULNERABILI…
stevespringett Dec 17, 2021
0e1df61
Changed VULNERABILITY_AFFECTED_STATUS_UNKNOWN to default
stevespringett Dec 17, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
185 changes: 185 additions & 0 deletions schema/bom-1.4-SNAPSHOT.proto
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ message Bom {
repeated Dependency dependencies = 8;
// Provides the ability to document aggregate completeness
repeated Composition compositions = 9;
// Vulnerabilities identified in components or services.
repeated Vulnerability vulnerabilities = 10;
}

enum Classification {
Expand Down Expand Up @@ -450,3 +452,186 @@ message Evidence {
repeated LicenseChoice licenses = 1;
repeated EvidenceCopyright copyright = 2;
}

message Vulnerability {
// An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The identifier that uniquely identifies the vulnerability.
optional string id = 2;
// The source that published the vulnerability.
optional Source source = 3;
// Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
repeated VulnerabilityReference references = 4;
// List of vulnerability ratings
repeated VulnerabilityRating ratings = 5;
// List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
repeated int32 cwes = 6;
// A description of the vulnerability as provided by the source.
optional string description = 7;
// If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
optional string detail = 8;
// Recommendations of how the vulnerability can be remediated or mitigated.
optional string recommendation = 9;
// Published advisories of the vulnerability if provided.
repeated Advisory advisories = 10;
// The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
optional google.protobuf.Timestamp created = 11;
// The date and time (timestamp) when the vulnerability record was first published.
optional google.protobuf.Timestamp published = 12;
// The date and time (timestamp) when the vulnerability record was last updated.
optional google.protobuf.Timestamp updated = 13;
// Individuals or organizations credited with the discovery of the vulnerability.
optional VulnerabilityCredits credits = 14;
// The tool(s) used to identify, confirm, or score the vulnerability.
repeated Tool tools = 15;
// An assessment of the impact and exploitability of the vulnerability.
optional VulnerabilityAnalysis analysis = 16;
// affects
repeated VulnerabilityAffects affects = 17;
}

message VulnerabilityReference {
// An identifier that uniquely identifies the vulnerability.
optional string id = 1;
// The source that published the vulnerability.
optional Source source = 2;
}

message VulnerabilityRating {
// The source that calculated the severity or risk rating of the vulnerability.
optional Source source = 1;
// The numerical score of the rating.
optional double score = 2;
// Textual representation of the severity that corresponds to the numerical score of the rating.
optional Severity severity = 3;
// Specifies the severity or risk scoring methodology or standard used.
optional ScoreMethod method = 4;
// Textual representation of the metric values used to score the vulnerability.
optional string vector = 5;
// An optional reason for rating the vulnerability as it was.
optional string justification = 6;
}

enum Severity {
SEVERITY_UNKNOWN = 0;
SEVERITY_CRITICAL = 1;
SEVERITY_HIGH = 2;
SEVERITY_MEDIUM = 3;
SEVERITY_LOW = 4;
SEVERITY_INFO = 5;
SEVERITY_NONE = 6;
}

enum ScoreMethod {
// An undefined score method
SCORE_METHOD_NULL = 0;
// Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/
SCORE_METHOD_CVSSV2 = 1;
// Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/
SCORE_METHOD_CVSSV3 = 2;
// Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/
SCORE_METHOD_CVSSV31 = 3;
// OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
SCORE_METHOD_OWASP = 4;
// Other scoring method
SCORE_METHOD_OTHER = 5;
}

message Advisory {
// An optional name of the advisory.
optional string title = 1;
// Location where the advisory can be obtained.
string url = 2;
}

message VulnerabilityCredits {
// The organizations credited with vulnerability discovery.
repeated OrganizationalEntity organizations = 1;
// The individuals, not associated with organizations, that are credited with vulnerability discovery.
repeated OrganizationalContact individuals = 2;
}

message VulnerabilityAnalysis {
// Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
optional ImpactAnalysisState state = 1;
// The rationale of why the impact analysis state was asserted.
optional ImpactAnalysisJustification justification = 2;
// A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
repeated VulnerabilityResponse response = 3;
// Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
optional string detail = 4;
}

enum ImpactAnalysisState {
// An undefined impact analysis state
IMPACT_ANALYSIS_STATE_NULL = 0;
// The vulnerability has been remediated.
IMPACT_ANALYSIS_STATE_RESOLVED = 1;
// The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).
IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2;
// The vulnerability may be directly or indirectly exploitable.
IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3;
// The vulnerability is being investigated.
IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4;
// The vulnerability is not specific to the component or service and was falsely identified or associated.
IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5;
// The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.
IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6;
}

enum ImpactAnalysisJustification {
// An undefined impact analysis justification
IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0;
// The code has been removed or tree-shaked.
IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1;
// The vulnerable code is not invoked at runtime.
IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2;
// Exploitability requires a configurable option to be set/unset.
IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3;
// Exploitability requires a dependency that is not present.
IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4;
// Exploitability requires a certain environment which is not present.
IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5;
// Exploitability requires a compiler flag to be set/unset.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6;
// Exploits are prevented at runtime.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7;
// Attacks are blocked at physical, logical, or network perimeter.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8;
// Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9;
}

enum VulnerabilityResponse {
VULNERABILITY_RESPONSE_NULL = 0;
VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1;
VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2;
VULNERABILITY_RESPONSE_UPDATE = 3;
VULNERABILITY_RESPONSE_ROLLBACK = 4;
VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5;
}

message VulnerabilityAffects {
// References a component or service by the objects bom-ref
string ref = 1;
// Zero or more individual versions or range of versions.
repeated VulnerabilityAffectedVersions versions = 2;
}

message VulnerabilityAffectedVersions {
oneof choice {
// A single version of a component or service.
string version = 1;
// A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
string range = 2;
}
// The vulnerability status for the version or range of versions.
optional VulnerabilityAffectedStatus status = 3;
}

enum VulnerabilityAffectedStatus {
// The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0;
VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1;
VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2;
}
Loading