Product identifiers with CycloneDX #23
Comments
|
This makes sense to me! I think having more precise identifiers of affected software is a great thing for the spec. And I agree this logic applies to SPDX, or any other SBOM format for that matter. |
|
"Minimum Requirements for Vulnerability Exploitability eXchange (VEX)" describes below:
https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf And "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)" says
https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf Let's say generating SBOM for a container image. The primary component would be the container image itself like There are so many possibilities and I find it difficult to automate consuming OpenVEX in vulnerability scanners.
We've recently adopted No.3 in our scanner since it is the same approach as CycloneDX and it keeps implementation simple. But we can change it to something else if OpenVEX explicitly defines that. |
|
Hey @knqyf263 thanks a lot for raising this issue and for supporting OpenVEX, this is absolutely awesome 🎉 My first takeaway from this is that we need to update the spec to state that product should be (at least for now) any valid URI with package URL (purl) being the preferred intra-format method to link assessed elements. Now, regarding:
My view here is that using the BOM-Link (option 3 above) does not fulfill the product + subcomponent duplet. The reason for my reasoning is that a BOM-link is a pair of a bom identifier plus a bom-ref (pointing to an element in that doc). The first part designates the document and its version but does not necessarily imply you are referencing the root component. You may find that the VEX "product" is an element deeper in the SBOM graph and the assumption breaks down. I think a better solution when referencing data in a CDX document would be:
Now this being linked data, any of the options should be valid, right? You, of course, choose to be opinionated and start by handling a narrower scope in the beginning. Finally regarding this:
Keep in mind that the CycloneDX VEX implementation in 1.4 is based on frak of an early idea of VEX and does not conform yet to the minimum requirements for VEX. In particular for our discussion here, it does not support the notion of subcomponents. The vulnerability analysis has a single |
Yes, the above options should be valid, but too many and flexible options make implementation in scanners difficult and hard for users to understand. As you mentioned, it is preferable to have a more explicit specification and extend it as needed.
As mentioned above, The VEX document describes
Do you think the VEX "product" can be an element deeper in the SBOM graph, as you pointed out? And I know CycloneDX VEX doesn't meet the minimum requirements, but I feel like "product/subcomponent" is almost the same as "serial number+version/bom-ref" since the spec says the "product" is equivalent to the primary component.
If it is possible that the VEX "product" can be a deeper component, it is not the case, though. In that case, do we want to update the specification so that the "product" isn't necessarily the primary component? Anyway, if you think the option 1&3 is the best, I'm ok with that. I just want to define the OpenVEX spec explicitly. |
It is relevant to this issue, but I'd ask about some more specific usage of products with CycloneDX.
CycloneDX also supports VEX, which uses BOM-Link (URN + BOM-Ref) or BOM-Ref for referencing components.
https://cyclonedx.org/capabilities/vex/
For example:
It is clear which package it refers to as BOM-Ref must be unique in CycloneDX SBOM. It makes sense to me rather than PURL because there could be multiple same packages in SBOM. Let's say a container image has two binaries, A and B, that depend on vulnerable package X (v1.2.3). And CVE-2023-9999 affects package X in binary A and doesn't affect package X in binary B because of
vulnerable_code_not_in_execute_path.Package X could have the same PURL for A and B in this case. Therefore, it is better to use BOM-Ref for uniqueness. I'm guessing that's why OpenVEX defines subcomponents, but IMHO, it is not ideal that some OpenVEX use PURL, and others use BOM-Ref in products even though they both refer to CycloneDX SBOM. What if OpenVEX forces BOM-Ref as product identifiers in the case of CycloneDX SBOM? It conforms to the CycloneDX VEX spec and is much simpler.
Actually, SPDX is the same since it has package identifiers, but I'd put it aside for now.
I'd like to hear your thoughts. Thanks!
The text was updated successfully, but these errors were encountered: