
Enhance support for reporting of vulnerabilities during assessments

Open coderpatros opened this issue 3 years ago • 4 comments

The basic idea is to evolve the vulnerability model for things like pentest reports, bug bounty programs, etc. In particular, it would be great to have reproduction steps in a machine readable format if possible.

coderpatros avatar Jan 02 '22 08:01 coderpatros

@psiinon, is this something you'd be interested in providing feedback on?

The general idea is to enhance existing support for specifying vulnerabilities in CycloneDX which is defined here: https://cyclonedx.org/docs/1.4/json/#vulnerabilities

Vulnerabilities in CycloneDX are capable of representing vulns for both known vulns against components (e.g. CVEs) and unknown vulns against components and services. It's the unknown and services part that we really want to expand upon.

stevespringett avatar Apr 12 '22 18:04 stevespringett
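To illustrate the distinction made above (known identifier vs. unknown finding, component vs. service target) in the existing 1.4 model, here is an added example that is not part of the thread or the CycloneDX project: a constructed BOM fragment plus a small checker that classifies each `vulnerabilities` entry and verifies that every `affects.ref` resolves to a component or service in the same document. The CVE id and endpoint are placeholders.

```python
# Constructed sample BOM (placeholder values, not real findings). Field names
# follow the CycloneDX 1.4 JSON schema: a library with a known CVE, and a
# service carrying a pentest-style finding that has no public identifier.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib@1.2.3", "type": "library",
         "name": "lib", "version": "1.2.3"}
    ],
    "services": [
        {"bom-ref": "svc-login", "name": "Login API",
         "endpoints": ["https://example.invalid/api/login"]}
    ],
    "vulnerabilities": [
        {"bom-ref": "vuln-1", "id": "CVE-0000-00000",  # placeholder id
         "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:maven/org.example/lib@1.2.3"}]},
        {"bom-ref": "vuln-2",  # no id/source: an "unknown" finding
         "description": "Constructed finding: missing rate limiting on login",
         "ratings": [{"severity": "medium", "method": "other"}],
         "affects": [{"ref": "svc-login"}]},
    ],
}


def classify_vulnerabilities(bom):
    """Return {vuln bom-ref: (kind, [target kinds])}.

    kind is 'known' when the entry carries a published identifier and
    'unknown' otherwise; each affected ref is resolved to 'component',
    'service', or 'dangling' when nothing in the BOM has that bom-ref.
    """
    components = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    services = {s["bom-ref"] for s in bom.get("services", []) if "bom-ref" in s}
    result = {}
    for v in bom.get("vulnerabilities", []):
        kind = "known" if v.get("id") else "unknown"
        targets = []
        for a in v.get("affects", []):
            ref = a["ref"]
            if ref in components:
                targets.append("component")
            elif ref in services:
                targets.append("service")
            else:
                targets.append("dangling")
        result[v["bom-ref"]] = (kind, targets)
    return result
```

A dangling ref is the check worth keeping when findings against services are authored by hand rather than generated by a scanner.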

@stevespringett count me in! Is there anything to look at right now? If not then np, just ping me when there is ... or if you want to discuss options etc :)

psiinon avatar Apr 13 '22 14:04 psiinon

Fantastic. Thanks @psiinon. We don't have anything just yet, but here's a question... Does something already exist that we can build upon or incorporate in some way?

stevespringett avatar Apr 13 '22 15:04 stevespringett

I'm aware of a few false starts in this area but nothing that I think is worth building on .. but I'll double check...

psiinon avatar Apr 13 '22 16:04 psiinon

re https://github.com/CycloneDX/specification/issues/119#issuecomment-1098146744 @psiinon you might want to review #200

jkowalleck avatar Mar 29 '23 10:03 jkowalleck