Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Formally include Common Weakness Enumeration (CWE) in the schema #254

Open
andrewpollock opened this issue Jul 26, 2024 · 3 comments
Open
Assignees
Labels
discussion enhancement New feature or request

Comments

@andrewpollock
Copy link
Collaborator

Problem statement:

OSS users using OSV for vulnerability management have no standardized way to categorize vulnerabilities that they are currently or have historically been impacted by.

Researchers have no way taxonomize OSV records and produce interesting research based on OSV-provenanced data.

CWE is the industry standard way of taxonomizing vulnerabilities.

The GitHub Advisory Database, the largest publisher of OSV records by volume, is using database_specific.cwe_ids[] today, e.g. https://github.com/github/advisory-database/blob/0e3918c95bbd48455145dd8755a532e72445e05e/advisories/github-reviewed/2023/12/GHSA-45x7-px36-x8w8/GHSA-45x7-px36-x8w8.json#L578-L582

Related:

@andrewpollock andrewpollock added enhancement New feature or request discussion labels Jul 26, 2024
@andrewpollock andrewpollock self-assigned this Sep 26, 2024
@andrewpollock
Copy link
Collaborator Author

@oliverchang WDYT, a straight out CWE field, or something more like severity (category)?

@andrewpollock
Copy link
Collaborator Author

Looking at CVE 5, they have problemTypes

@oliverchang
Copy link
Contributor

So far, OSV has focused on being a minimal and lean schema focused on enabling vulnerability scanners to produce actionable and accurate results (and by extension, for database maintainers to be able to encode the necessary information to enable that).

CWEs primary use case appears to be for historical analysis purposes (e.g. analysing trends on types of vulnerabilities found in the past) and generally don't seem very useful for vulnerability scanners -- are there any other use cases I'm not aware of? Theoretically, someone doing analysis on vulnerabilities in open source can easily join OSV's data with another (such as NVD, CISA vuln enrichment) to collate this data.

OSV's goal is also to provide backwards compatibility with all schema changes, and as such while it's cheap in the moment to add a new field, it's expensive in the sense of never being able to remove it while adding incremental complexity to the schema as a whole. We'd have to balance the benefits of encoding this directly in OSV against that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
discussion enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants