
Support CycloneDX Vulnerability Exploitability Exchange (VEX) report

Open VinodAnandan opened this issue 2 years ago • 4 comments

The known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.

  • VEX information can be represented inside an existing BOM, or in a dedicated VEX BOM
  • Supports known and unknown vulnerabilities against components and services
  • Communicates the vulnerability details, exploitability, and detailed analysis

More information:

https://cyclonedx.org/capabilities/vex/#vulnerability-exploitability-exchange-vex
https://github.com/CycloneDX/bom-examples/tree/master/VEX

Cc: @stevespringett

VinodAnandan avatar May 12 '22 20:05 VinodAnandan

Hello @VinodAnandan, Do you suggest an extension or new feature of Steady to generate VEX BOMs for scanned applications, to reflect the results of Steady's static or dynamic reachability analysis? Say Steady takes as input an existing CycloneDX BOM, e.g., produced by CycloneDX' plugin, and enriches this information with regard to the reachability of contained vulnerable code.

henrikplate avatar May 18 '22 14:05 henrikplate

Hi @henrikplate. I was proposing the use case where Steady will be a SBOM+VEX producer.

CycloneDX will enable the exchange of the component information and vulnerability information in a standardized way. CycloneDX is already adopted by several tools (https://cyclonedx.org/tool-center/), including OWASP Dependency-Track. If Steady can provide the VEX information along with the BOM in CycloneDX format (https://github.com/CycloneDX/cyclonedx-core-java), it can be used with other tools which support CycloneDX. The OWASP Dependency-Track project consumes and produces CycloneDX SBOM and VEX (https://docs.dependencytrack.org/).

VinodAnandan avatar May 22 '22 16:05 VinodAnandan

Hello, tell me? What to do, in French please, thanks [email protected]

staedy avatar Apr 09 '23 15:04 staedy

@henrikplate With the CycloneDX 1.5 specification, it is possible to set component and call-stack evidence in the generated document. cdxgen makes good use of these attributes with the evinse command.

Below are some links for your reference:

https://cyclonedx.org/docs/1.5/json/#components_items_evidence_occurrences
https://github.com/CycloneDX/cdxgen
https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md#evinse-mode

cdxgen generates the evidence using static analysis with a tool called atom. https://github.com/AppThreat/atom

Supporting evidence with Steady would help end users consolidate information from the static and runtime tools. Please consider this request by integrating with CycloneDX and help improve the specification.

prabhu avatar Aug 24 '23 18:08 prabhu
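The two proposals in this thread, Steady as an SBOM+VEX producer (enriching a build-plugin BOM with reachability verdicts) and the CycloneDX 1.5 component evidence that prabhu points at, amount to the same transformation over a CycloneDX JSON document. The script below is an added example and is not Steady's, cdxgen's or CycloneDX's own code; it uses only the Python standard library rather than cyclonedx-core-java. The input BOM, the purls, the advisory IDs (`EXAMPLE-2023-…`), the `example-advisory-db` source name and the reachability findings are all constructed for the example. The `analysis.state` and `justification` values and the `evidence.occurrences` / `evidence.callstack` shapes follow the CycloneDX 1.5 JSON schema, and the standalone VEX variant references the SBOM through BOM-Link URNs (`urn:cdx:<serial>/<version>#<bom-ref>`), which is how a dedicated VEX BOM is tied back to an existing SBOM.

```python
"""Enrich a CycloneDX 1.5 SBOM with reachability results as VEX + evidence.

Added example, not code from Steady or CycloneDX. Stdlib only; every purl,
advisory ID and finding below is constructed for illustration.
"""
import copy
import json
import uuid

# Enumerations for vulnerabilities[].analysis in the CycloneDX 1.5 schema.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                  "requires_configuration", "requires_dependency",
                  "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}

# Constructed input SBOM, the kind a CycloneDX build plugin would emit.
INPUT_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/parser@1.2.0",
         "group": "org.example", "name": "parser", "version": "1.2.0",
         "purl": "pkg:maven/org.example/parser@1.2.0"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/util@4.0.1",
         "group": "org.example", "name": "util", "version": "4.0.1",
         "purl": "pkg:maven/org.example/util@4.0.1"},
    ],
}

# Constructed reachability findings (hypothetical advisory IDs): one vulnerable
# method reached from application code via a call chain, one never reached.
# reachable=None would mean the analysis was inconclusive.
FINDINGS = [
    {"vuln_id": "EXAMPLE-2023-0001", "ref": "pkg:maven/org.example/parser@1.2.0",
     "reachable": True,
     "occurrences": ["org/example/parser/Xml.class"],
     "callstack": [
         {"package": "com.acme.app", "module": "Main", "function": "run"},
         {"package": "org.example.parser", "module": "Xml", "function": "parse"},
     ]},
    {"vuln_id": "EXAMPLE-2023-0002", "ref": "pkg:maven/org.example/util@4.0.1",
     "reachable": False, "occurrences": [], "callstack": []},
]


def analysis_for(finding):
    """Map a reachability verdict onto the CycloneDX VEX analysis object."""
    if finding["reachable"] is None:
        return {"state": "in_triage"}
    if finding["reachable"]:
        return {"state": "exploitable", "response": ["update"],
                "detail": "Vulnerable code is reachable from application code."}
    return {"state": "not_affected", "justification": "code_not_reachable",
            "detail": "Vulnerable code is not reachable (static analysis)."}


def enrich_bom(bom, findings):
    """Return a copy of `bom` with component evidence and VEX data embedded."""
    out = copy.deepcopy(bom)
    by_ref = {c["bom-ref"]: c for c in out.get("components", [])}
    out.setdefault("vulnerabilities", [])
    for f in findings:
        comp = by_ref[f["ref"]]  # KeyError if a finding names an unknown component
        if f["reachable"]:       # evidence only where a call chain was found
            ev = comp.setdefault("evidence", {})
            ev["occurrences"] = [{"location": loc} for loc in f["occurrences"]]
            ev["callstack"] = {"frames": f["callstack"]}
        out["vulnerabilities"].append({
            "bom-ref": f"vuln-{f['vuln_id']}",
            "id": f["vuln_id"],
            "source": {"name": "example-advisory-db"},  # hypothetical source
            "affects": [{"ref": f["ref"]}],
            "analysis": analysis_for(f),
        })
    return out


def standalone_vex(enriched):
    """Split the VEX into its own BOM whose affects[].ref entries are BOM-Links
    (urn:cdx:<serial>/<version>#<bom-ref>) back into the source SBOM."""
    serial = enriched["serialNumber"][len("urn:uuid:"):]
    base = f"urn:cdx:{serial}/{enriched['version']}#"
    vex = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "serialNumber": f"urn:uuid:{uuid.uuid4()}",
           "vulnerabilities": copy.deepcopy(enriched["vulnerabilities"])}
    for v in vex["vulnerabilities"]:
        for a in v["affects"]:
            a["ref"] = base + a["ref"]
    return vex


def check_vex(doc):
    """Consumer-side sanity check: enum values are legal, not_affected carries a
    justification, and local refs resolve. Returns a list of problems."""
    problems = []
    refs = {c["bom-ref"] for c in doc.get("components", [])}
    for v in doc.get("vulnerabilities", []):
        a = v.get("analysis", {})
        if a.get("state") not in ANALYSIS_STATES:
            problems.append(f"{v['id']}: bad analysis.state {a.get('state')!r}")
        if a.get("state") == "not_affected" and a.get("justification") not in JUSTIFICATIONS:
            problems.append(f"{v['id']}: not_affected without a justification")
        for aff in v.get("affects", []):
            if not aff["ref"].startswith("urn:cdx:") and aff["ref"] not in refs:
                problems.append(f"{v['id']}: affects.ref {aff['ref']!r} not in BOM")
    return problems


if __name__ == "__main__":
    enriched = enrich_bom(INPUT_BOM, FINDINGS)
    print(json.dumps(enriched, indent=2))
    print("problems:", check_vex(enriched))
    print(json.dumps(standalone_vex(enriched), indent=2))
```

`check_vex` is the check a consumer such as Dependency-Track effectively needs before trusting a `not_affected` verdict: the schema leaves `justification` optional, but a "not affected" claim without one gives the downstream tool nothing to audit, so the checker treats it as a problem.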