
CRAVEX: Export VEX document: CSAF

Open pombredanne opened this issue 1 year ago • 2 comments

Export the results of the vulnerabilities triage and processing as CSAF VEX document

pombredanne avatar May 08 '24 18:05 pombredanne

Looking for current example CSAF files with actual data and for a definitive version of the current specification.

Also, for reference see https://github.com/oasis-tcs/csaf and https://www.redhat.com/en/blog/common-security-advisory-framework-csaf-beta-files-now-available (2022-06-17).

DennisClark avatar May 17 '24 14:05 DennisClark

Specific public examples of CSAF 2.0 documents from Schneider Electric can be found here: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

One example is attached.

sevd-2023-101-05.json

DennisClark avatar Jun 07 '24 18:06 DennisClark

I am not sure this requires mucho design, does it? Based on what we have for CycloneDX this should be easy.

pombredanne avatar Dec 02 '24 16:12 pombredanne

Documentation

  • SPEC https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html
  • Schema 2.0 https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json
  • Tools listing https://oasis-open.github.io/csaf-documentation/tools.html
  • FAQ https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/guidance/faq.md#what-is-vex-and-how-is-it-supported-in-csaf
  • Examples https://github.com/oasis-tcs/csaf/tree/master/csaf_2.0/examples/csaf

Tools

  • Python lib https://github.com/anthonyharrison/csaf
  • CSAF Viewer/Editor https://secvisogram.github.io/

VEX use cases

  • https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf

A VEX document is a form of a security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities.

The goal of Vulnerability Exploitability eXchange (VEX) is to allow a software supplier or other parties to assert the status of specific vulnerabilities in a particular product.

The OASIS Common Security Advisory Framework (CSAF) defines ‘product’ as “any deliverable (e.g., software, hardware, specification, …) which can be referred to with a name.”

This document covers many variations of VEX use cases:

  • Single Product, Single Vulnerability: CSAF VEX vs CycloneDX VEX
  • Single Product, Multiple Vulnerabilities: CSAF VEX vs CycloneDX VEX
  • Multiple Products, Single Vulnerability
  • Multiple Products, Multiple Vulnerabilities

tdruez avatar Dec 03 '24 03:12 tdruez
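The documentation links above describe the shape of a CSAF 2.0 VEX document but do not show one being produced from triage data. The following is an added example (not DejaCode's code and not the implementation in the PR linked below): it builds a minimal `csaf_vex` document from a constructed set of triage decisions for one product, and then runs the structural checks a consumer applies before trusting a VEX, namely that every `product_id` used in a `product_status` exists in the `product_tree`, that each `known_not_affected` product carries a machine-readable flag or an impact statement, and that each `known_affected` product carries a remediation. The publisher namespace, product names, CVE identifiers and triage details are constructed for illustration.

```python
"""Build a minimal CSAF 2.0 VEX document from vulnerability triage results.

Added example, not DejaCode's code. The publisher, product, CVE list and
triage decisions below are constructed; field names follow the CSAF 2.0
JSON schema (document / product_tree / vulnerabilities).
"""
from datetime import datetime, timezone

# Machine-readable justifications CSAF 2.0 allows in vulnerabilities[].flags.
VEX_FLAGS = {
    "component_not_present",
    "inline_mitigations_already_exist",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_not_present",
}

# Constructed triage results: one decision per CVE for a single product.
TRIAGE = [
    {"cve": "CVE-2021-44228", "status": "known_not_affected",
     "justification": "vulnerable_code_not_present",
     "details": "Only log4j-api is shipped; log4j-core is not present."},
    {"cve": "CVE-2023-12345", "status": "known_affected",
     "remediation": "Upgrade to 2.1.0.",
     "details": "Reachable through the default HTTP listener."},
    {"cve": "CVE-2024-0001", "status": "under_investigation",
     "details": "Triage in progress."},
]

# Constructed product; the purl is the identification helper a consumer matches on.
PRODUCT = {"vendor": "Example Corp", "name": "Example App", "version": "2.0.0",
           "purl": "pkg:pypi/example-app@2.0.0"}


def build_vex(triage, product, doc_id, now=None):
    """Return a CSAF 2.0 document (as a dict) with category csaf_vex."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    stamp = now.isoformat().replace("+00:00", "Z")
    pid = "CSAFPID-0001"  # product_id referenced from every product_status
    doc = {
        "document": {
            "category": "csaf_vex",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": product["vendor"],
                          "namespace": "https://example.com"},  # assumed namespace
            "title": f"VEX for {product['name']} {product['version']}",
            "notes": [{"category": "summary",
                       "text": "Exploitability status from vulnerability triage."}],
            "tracking": {"id": doc_id, "status": "final", "version": "1",
                         "initial_release_date": stamp, "current_release_date": stamp,
                         "revision_history": [{"date": stamp, "number": "1",
                                               "summary": "Initial version."}]},
        },
        "product_tree": {"branches": [{"category": "vendor", "name": product["vendor"],
            "branches": [{"category": "product_name", "name": product["name"],
                "branches": [{"category": "product_version", "name": product["version"],
                    "product": {"name": f"{product['name']} {product['version']}",
                                "product_id": pid,
                                "product_identification_helper": {"purl": product["purl"]}}}]}]}]},
        "vulnerabilities": [],
    }
    for t in triage:
        vuln = {"cve": t["cve"],
                "notes": [{"category": "description", "text": t["details"]}],
                "product_status": {t["status"]: [pid]}}
        if t["status"] == "known_not_affected":
            # VEX profile: a flag and/or an impact statement is required here.
            flag = t["justification"]
            if flag not in VEX_FLAGS:
                raise ValueError(f"unknown VEX justification: {flag}")
            vuln["flags"] = [{"label": flag, "product_ids": [pid]}]
            vuln["threats"] = [{"category": "impact", "details": t["details"],
                                "product_ids": [pid]}]
        elif t["status"] == "known_affected":
            # VEX profile: an action statement is required for affected products.
            vuln["remediations"] = [{"category": "vendor_fix",
                                     "details": t["remediation"], "product_ids": [pid]}]
        doc["vulnerabilities"].append(vuln)
    return doc


def vex_profile_errors(doc):
    """Return the VEX-profile violations a consumer would reject the document on."""
    errors = []
    if doc["document"].get("category") != "csaf_vex":
        errors.append("document.category must be csaf_vex")
    known = set()

    def walk(branches):  # collect every product_id defined in the product_tree
        for b in branches:
            if "product" in b:
                known.add(b["product"]["product_id"])
            walk(b.get("branches", []))
    walk(doc.get("product_tree", {}).get("branches", []))

    for v in doc.get("vulnerabilities", []):
        name = v.get("cve") or "?"
        if not (v.get("cve") or v.get("ids")):
            errors.append("vulnerability without cve or ids")
        status = v.get("product_status", {})
        for ids in status.values():
            errors += [f"{name}: {p} not in product_tree" for p in ids if p not in known]
        for p in status.get("known_not_affected", []):
            has_flag = any(p in f.get("product_ids", []) for f in v.get("flags", []))
            has_impact = any(t.get("category") == "impact" and p in t.get("product_ids", [])
                             for t in v.get("threats", []))
            if not (has_flag or has_impact):
                errors.append(f"{name}: known_not_affected {p} lacks flag or impact statement")
        for p in status.get("known_affected", []):
            if not any(p in r.get("product_ids", []) for r in v.get("remediations", [])):
                errors.append(f"{name}: known_affected {p} lacks a remediation")
    return errors


if __name__ == "__main__":
    import json
    vex = build_vex(TRIAGE, PRODUCT, "EXAMPLE-VEX-2024-0001")
    print(json.dumps(vex, indent=2))
    print("profile errors:", vex_profile_errors(vex))
```

The checks in `vex_profile_errors` are the structural ones; they are not a substitute for validating the output against the CSAF 2.0 JSON schema linked above, which a consumer will also do.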

Implemented in https://github.com/aboutcode-org/dejacode/pull/213

tdruez avatar Dec 19 '24 12:12 tdruez

@keshav-space @DennisClark @tdruez I created a simple step-by-step doc as an experiment and attached it here DejaCode-CRAVEX-CSAF-export.pdf

pombredanne avatar Dec 19 '24 13:12 pombredanne