Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow ADP container cpes array without requiring product/version or collectionURL/packageName #321

Open
ccoffin opened this issue May 31, 2024 · 7 comments
Open

Allow ADP container cpes array without requiring product/version or collectionURL/packageName #321

ccoffin opened this issue May 31, 2024 · 7 comments
Labels
enhancement New feature or request section:affected_product Schema location is affected or product

Comments

@ccoffin
Copy link
Collaborator

ccoffin commented May 31, 2024

One of the identified use cases for becoming an ADP is to provide enriched vulnerability information to existing CVE records that were originally created by other CNAs. CPEs are a common use case for enriched vulnerability information as they can be provided by an ADP on top of the product and version information that was previously provided by the original CNA. With CPEs, the CVE record could be more easily automated if it includes machine-readable affected product information included in the CPE(s). To add CPE(s), they must be included within the cpes array. The cpes array is a child element of affected.

The current CVE schema has the following requirements block for affected:

cve-schema/schema/CVE_Record_Format.json

Lines 95 to 108 in 30f59c7

"allOf": [
{
"anyOf": [
{"required": ["vendor", "product"]},
{"required": ["collectionURL", "packageName"]}
]
},
{
"anyOf": [
{"required": ["versions"]},
{"required": ["defaultStatus"]}
]
}
],

This enforces the requirement that all CVE records must have an affected product and version, or collectionURL and packageName. affected is NOT a required element for an ADP, but if affected is included as part of an ADP record then it must meet the requirements above. This makes sense for CNAs who are defining the original CVE record, but maybe not so much for ADPs. An ADP may wish to just introduce one or more CPEs to a CVE record where the original vendor CNA has already provided text product and version info (but NOT CPEs). The cpes array for providing the CPE strings exists under affected, and because of this, the ADP is also required to enter product and version, or collectionURL and packageName information. This not only creates additional burden on the ADP to provide this information, but could also result in conflicting or inaccurate product and version information when compared with the original CNA container information.

The current schema already includes separate definitions for CNA and ADP containers. If others agree that ADPs should be allowed to provide CPEs without also having to define additional product and version information, we could create a new definition for ADP affected information that allows inclusion of the cpes array and does not require additional product and version information.
@ccoffin ccoffin mentioned this issue May 31, 2024
Closed
@todb-cisa todb-cisa mentioned this issue Jun 5, 2024
Closed
@andrewpollock
Copy link

I'll repeat what I said over in CVEProject/quality-workgroup#12 (comment) here:

My knowledge about CPEs is largely informed by https://en.wikipedia.org/wiki/Common_Platform_Enumeration because I find it easier to consume than anything else...

Separating vulnerable version identification from vulnerable product identification for a moment, in the light of CPEs (I believe) not yet being widely present on CVE List CVE records, I'd been wondering if the vendor and product components of a CPE string could be derived from the vendor and product fields in the affected object?

That would require tightening up the definition of what is expected to appear in vendor and product. My thought here was to say that it SHOULD correspond with what is defined in the NVD's CPE Dictionary when it exists, and where possible, vendor CNAs SHOULD correspond with the NVD to obtain a CPE Dictionary entry as part of their product's lifecycle (i.e. before a product's first CVE is required).

It is my understanding that while there is a perception that there's a bootstrapping/chicken-and-egg problem with CPEs (until a product has its first CVE, it doesn't have a defined CPE) this is something of a myth, and it's possible to proactively request CPEs (in bulk even) from the NVD. This would mean that in line with the Secretariat's request for (vendor) CNAs to start adding CPEs to their CVEs, they should also be requested to obtain CPE Dictionary entries for products they own that have not yet had CVEs reported for.

/cc @MrMegaZone

@pete2160
Copy link

pete2160 commented Jun 6, 2024 via email

@amanion-cisa
Copy link

Is the affected array validated upon submission to CVE Services?

A proposal: Allow a set of ADPs to submit affected arrays that only contain the cpes list. The set of ADPs today is just the CISA Vulnrichment ADP.

A workaround: When analyzing a new CVE Record, copy the affected array from the CNA, only add data to the cpes list (do not modify the rest of the affected data copied from the CNA, then publish. cc @esarneso.

@MrMegaZone
Copy link
Collaborator

Is the affected array validated upon submission to CVE Services?

Minimally at best. We know, for example, you can submit a version number 'type' (such as semver) with version numbers that aren't of that type. All of the vendor & product names, platforms, package names, etc., are free text fields so there's not really a way to validate those. There are no constraints other than post-hoc rule enforcement if a CNA misbehaves and, say, submits a CVE for another vendor, etc.

A proposal: Allow a set of ADPs to submit affected arrays that only contain the cpes list. The set of ADPs today is just the CISA Vulnrichment ADP.

A workaround: When analyzing a new CVE Record, copy the affected array from the CNA, only add data to the cpes list (do not modify the rest of the affected data copied from the CNA, then publish. cc @esarneso.

As a CNA I would rather provide my own CPEs (once we solve the issue of how to represent them in the schema - hopefully NVD's CPE Match format). If we want to allow someone else, as an ADP, to provide their take (as NVD already does), that's fine - but CNAs need to be able to speak for themselves.

The QWG is aware of the problems today with needing to provide an 'Affected' block to provide anything else, and I believe that's on the slate of issues to be addressed.

@pete2160
Copy link

pete2160 commented Aug 27, 2024 via email

@MrMegaZone
Copy link
Collaborator

I am looking for an aware individual working on the CPE update to come speak to the PSIRT SIG on Thursday morning - inform them early so they adopt easily]. I personally do not believe this is an area for ANY ADP to delve into. Pete

The schema changes haven't been finalized, and probably won't be usable until 5.2 releases, so there won't be anything to adopt in the short term. But we can go over the current discussion and how things are headed.

What time Thursday?

@pete2160
Copy link

pete2160 commented Aug 28, 2024 via email

@amanion-cisa amanion-cisa mentioned this issue Oct 7, 2024
Closed
@jayjacobs jayjacobs added the enhancement New feature or request label Oct 18, 2024
@jayjacobs jayjacobs added the section:affected_product Schema location is affected or product label Oct 30, 2024
@amanion-cisa amanion-cisa mentioned this issue Oct 31, 2024
Closed
@darakian darakian mentioned this issue Nov 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request section:affected_product Schema location is affected or product
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@jayjacobs @ccoffin @andrewpollock @MrMegaZone @pete2160 @amanion-cisa