VINCE
CVE ADP integration
CVE ADP (Authorized Data Publisher) allows an authorized entity to add data to CVE entries, specifically entries that the ADP does not "own" / is not the CNA for.
The ADP rules and tech are under development (March 2021).
Further requirements are not well defined, but the feature is that vulnerability information from VINCE can be communicated through the ADP mechanism.
Is this more than the SSVC scoring that will be published? If there are other aspects apart from "adpContainer/metrics" object listed below, we need to decide what aspects of ADP we are interested in publishing.
https://github.com/CVEProject/cve-schema/blob/c8638e22e534bb5dc38a7985f558248b7f61efba/schema/v5.0/CVE_JSON_5.0.schema#L573
Other potential areas where CERT/CC can contribute are:
- "affected" -> related to products affected by the advisory
- "solutions" -> information about solutions or remediations available for this vulnerability
- "workarounds" -> workarounds and mitigations for this vulnerability
- "exploits" -> information about exploits of the vulnerability
- "credits" -> statements acknowledging specific people, organizations, or tools recognizing the work done in researching and reporting this vulnerability
While all these are possible, they are not available as distinct fields in VINCE or VINCE Vulnerabilities Notice API to provide such data natively.
Vijay
For the ADP Pilot, the proposal so far is limited to the following SSVC decision points:
- Exploitation (source: @ahouseholder's collection)
- Technical Impact (source: CVSS base)
- Automatable/Value Density/Utility (source: CISA, CERT/CC, others?)

I'd like to get through the pilot with intentionally limited and clear scope, but we can consider all sorts of additions assuming ADPs move forward.
About "Affected" -- that's complicated, see the OSV/CVE discussion going on now, and also SBoM.
"Exploits" can probably be tagged references but may also need to wait until ADPs are in production.
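An added example (not VINCE code and not the CVE schema itself) of how the pilot's three SSVC decision points could be carried in an adpContainer/metrics entry and attached to a CVE record without touching the CNA container. It assumes the CVE JSON 5.0 layout of `providerMetadata` plus a `metrics[].other{type, content}` object and the SSVC v2 value vocabulary; the orgId and CVE id are placeholders.

```python
# Allowed values for the decision points the pilot names
# (assumption: SSVC v2 vocabulary; the thread lists only the names).
DECISION_POINTS = {
    "Exploitation": {"none", "poc", "active"},
    "Technical Impact": {"partial", "total"},
    "Automatable": {"no", "yes"},
}


def build_adp_container(org_id, short_name, ssvc_values):
    """Return an ADP container carrying SSVC decision points as an 'other' metric.

    Assumption: mirrors the CVE JSON 5.0 adpContainer shape (providerMetadata,
    metrics[].other); only 'adpContainer' and 'metrics' come from the thread.
    """
    for name, value in ssvc_values.items():
        allowed = DECISION_POINTS.get(name)
        if allowed is None:
            raise ValueError(f"{name!r} is outside the pilot's decision points")
        if value not in allowed:
            raise ValueError(f"{value!r} is not a valid {name} value, expected one of {sorted(allowed)}")
    return {
        "providerMetadata": {"orgId": org_id, "shortName": short_name},
        "metrics": [{
            "other": {
                "type": "ssvc",
                "content": {"options": [{n: v} for n, v in ssvc_values.items()]},
            }
        }],
    }


def attach_adp(cve_record, adp_container):
    """Append an ADP container to record['containers']['adp'], leaving 'cna' untouched."""
    containers = cve_record.setdefault("containers", {})
    containers.setdefault("adp", []).append(adp_container)
    return cve_record


if __name__ == "__main__":
    # Constructed sample: placeholder orgId and CVE id, not real identifiers.
    adp = build_adp_container(
        "00000000-0000-0000-0000-000000000000", "certcc",
        {"Exploitation": "poc", "Technical Impact": "total", "Automatable": "no"},
    )
    record = {"cveMetadata": {"cveId": "CVE-0000-0000"},
              "containers": {"cna": {"descriptions": []}}}
    print(attach_adp(record, adp))
```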
Just noting the ADP pilot is on hold pending CVE Services 2.x and JSON 5 production releases.