
VCIO: Collect CISA Known Exploited Vulnerabilities #1028

Closed
mjherzog opened this issue Dec 5, 2022 · 13 comments

Comments

@mjherzog
Member

mjherzog commented Dec 5, 2022

CISA publishes a catalog of Known Exploited Vulnerabilities at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
The data appears to use CVE as a key. I downloaded the current CSV catalog of 860 items - there is also a JSON download and an option to subscribe to updates by email.
This data seems highly relevant for assessing the severity of a known vulnerability even if it seems limited to a pretty small subset of CVE vulnerabilities. We should consider using this data in the improver work flow.

@pombredanne
Member

From #849

Add CISA known exploited vulnerabilities
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json

@DennisClark
Member

DennisClark commented Feb 6, 2024

A question came up about the meaning or significance of the "dueDate" field in the schema at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities_schema.json
which states that it is a required field, but the only description provided is
"The date the required action is due in the format YYYY-MM-DD".

A perusal of the data at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
shows many of the dueDate values as being rather old, such as 2021-11-17.

It seems that the dueDate applies to USA federal civilian executive branch (FCEB) agencies and it otherwise appears to exist for historical reasons, perhaps suggesting the importance or urgency of the Remediation, but not necessarily a legal obligation for an entity outside of FCEB agencies.

From this page: https://www.cisa.gov/known-exploited-vulnerabilities

Criteria #3 - Clear Remediation Guidance

CISA adds known exploited vulnerabilities to the catalog when there is a clear action for the affected organization to take. The remediation action referenced in BOD 22-01 requires federal civilian executive branch (FCEB) agencies to take the following actions for all vulnerabilities in the KEV, and CISA strongly encourages all organizations to do the same:

    Apply updates per vendor instructions. There is an update available from the security vendor, and users should apply it.
    Remove from agency networks if the impacted product is end-of-life or cannot be updated otherwise. 

@DennisClark
Member

The TLA KEV is used on the CISA website to refer to Known Exploited Vulnerabilities.

@DennisClark
Member

DennisClark commented Feb 6, 2024

The KEV catalog entries are identified by a CVE value; however, the additional data provided in the KEV entries are probably best directly associated with a VCID in VulnerableCode, so the following fields should be added to a vulnerability model definition, perhaps as a separate table with a 0-to-1 relationship (note that I have expanded the definitions beyond the rather basic descriptions provided in the KEV schema to make them more relevant to VCIO):

kev_date_added (from dateAdded)
UI label: KEV Date Added
string in date format YYYY-MM-DD
The date the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog in the format YYYY-MM-DD.

kev_description (from shortDescription)
UI label: KEV Description
string
Description of the vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, usually a refinement of the original CVE description.

kev_required_action (from requiredAction)
UI label: KEV Required Action
string
The required action to address the vulnerability, typically to apply vendor updates or apply vendor mitigations or to discontinue use.

kev_due_date (from dueDate)
UI label: KEV Due Date
string in date format YYYY-MM-DD
The date the required action is due in the format YYYY-MM-DD, which applies to all USA federal civilian executive branch (FCEB) agencies, but all organizations are strongly encouraged to execute the required action.

kev_resources_and_notes (from notes)
UI label: KEV Resources and Notes
string (may contain URL values)
Additional notes and resources about the vulnerability, often a URL to vendor instructions.

kev_knownRansomwareCampaignUse (from knownRansomwareCampaignUse)
UI label: KEV Ransomware Campaign Use
string
Values are 'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; or 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware.

@DennisClark
Member

Suggested appearance in the VCIO UI: I think the new fields would be best placed, only if there are any values obtained by an Improver from the KEV, on the Essentials tab, as additional rows at the end of the summary table, right after the Status row.

@DennisClark
Member

DennisClark commented Feb 6, 2024

We of course need an Improver to gather the KEV entries. Note that the dateAdded field is required in the KEV catalog, so that is probably the best way to search for new ones.
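An added example, not VulnerableCode's own code and not the improver merged later in this thread, showing how the KEV feed fields map onto the kev_* fields proposed above and how dateAdded can drive the lookup for entries added since the improver last ran. The feed text is a constructed sample; the top-level "vulnerabilities" array and the "cveID" key are assumed to match the layout of the published JSON feed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (not real catalog data).
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-00001", "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "shortDescription": "Example product allows remote code execution.",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known", "notes": "https://vendor.example/advisory"},
    {"cveID": "CVE-2024-00002", "dateAdded": "2024-02-05", "dueDate": "2024-02-26",
     "shortDescription": "Example gateway contains an authentication bypass.",
     "requiredAction": "Remove from agency networks if the product is end-of-life.",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# KEV feed field -> proposed VulnerableCode field name (names from the comment above).
FIELD_MAP = {
    "dateAdded": "kev_date_added",
    "shortDescription": "kev_description",
    "requiredAction": "kev_required_action",
    "dueDate": "kev_due_date",
    "notes": "kev_resources_and_notes",
    "knownRansomwareCampaignUse": "kev_knownRansomwareCampaignUse",
}


def parse_kev(feed_text):
    """Return {cve_id: {kev_* fields}} from a KEV JSON document.

    dateAdded is required by the schema and must parse as YYYY-MM-DD; dueDate is
    kept as informational data and stored as None if absent or malformed, so one
    odd entry does not abort the whole import.
    """
    entries = {}
    for item in json.loads(feed_text)["vulnerabilities"]:
        record = {FIELD_MAP[key]: item.get(key, "") for key in FIELD_MAP}
        record["kev_date_added"] = date.fromisoformat(item["dateAdded"])
        try:
            record["kev_due_date"] = date.fromisoformat(item.get("dueDate", ""))
        except ValueError:
            record["kev_due_date"] = None
        entries[item["cveID"]] = record
    return entries


def added_since(entries, last_run_iso):
    """CVE ids whose dateAdded is after the improver's last run (given as YYYY-MM-DD)."""
    last_run = date.fromisoformat(last_run_iso)
    return sorted(cve for cve, rec in entries.items() if rec["kev_date_added"] > last_run)
```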

@DennisClark
Member

@TG1999 @pombredanne I think we are ready to assign this one to a developer.

@ziadhany
Collaborator

I think this issue is interesting, and I'll assign it to myself if no one is working on it.


@TG1999
Contributor

TG1999 commented Feb 19, 2024

@ziadhany go ahead!

@ziadhany
Collaborator

Done! Closed by #1422.

@pombredanne
Member

I am reopening this until we have verified that this is deployed on https://public.vulnerablecode.io

@pombredanne pombredanne reopened this Aug 15, 2024
@pombredanne pombredanne changed the title Collect CISA Known Exploited Vulnerabilities VCIO: Collect CISA Known Exploited Vulnerabilities Aug 22, 2024
@DennisClark DennisClark moved this to In Progress in 03-CRAVEX Oct 21, 2024
@pombredanne
Member

The code here is done. I am closing this as we have some issues with the stability of the upstream data feed from CISA that are tracked separately. See:
