guac
[feature] Community parsers
Is your feature request related to a problem? Please describe.
During the last office hour, with @lumjjb and @mlieberman85, we discussed "community parsers".
Companies publish both SBOM and VEX files, and the goal for guac is to ingest them successfully in order to correlate the data those files provide.
For example, for https://access.redhat.com/security/cve/CVE-2022-2284 the CSAF/VEX file reports
"product_status": {
  "known_affected": [
    "red_hat_enterprise_linux_6:vim",
    "red_hat_enterprise_linux_7:vim",
    "red_hat_enterprise_linux_8:vim",
    "red_hat_enterprise_linux_9:vim"
  ]
},
with vim having this entry in the product_tree:
{
  "category": "product_version",
  "name": "vim",
  "product": {
    "name": "vim",
    "product_id": "vim"
  }
}
This information means "every vim version in RHEL 6, 7, 8 and 9 is known affected", which saves the VEX from having to list ALL the vim versions.
On the other side, in guac, simply having vim is not enough to fully identify all the related packages.
Describe the solution you'd like
The idea is to have something in place that makes it easy for companies to contribute a "community parser", which would be in charge of properly identifying the correlation between the packages referenced in VEX files and the packages previously ingested into guac from SBOMs.
Since the VEX file is no longer self-contained, community parsers should be allowed to query a running guac instance in order to (try to) identify the packages the VEX file refers to.
It is in companies' own interest to provide, besides SBOM and VEX files, also a community parser for guac, to ensure that ingestion of their files works fine.
It is in the guac community's interest to be the tool able to ingest SBOM and VEX files, thanks to community parsers contributed directly by companies.
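As an added illustration (not code from the guac project or from this issue), the Go program below sketches what such a community parser would do with the fragment quoted above: it reads product_status and product_tree, turns each known_affected id into a (stream, package) statement, and expands that statement against a constructed list of purls standing in for packages already ingested from SBOMs (in a real parser this list would come from a query to the running guac instance). The stream-to-release mapping (red_hat_enterprise_linux_N matches RPM releases tagged .elN), the subpackage rule (vim-* counts as vim) and the purl list are assumptions made for the example, not guac behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed CSAF/VEX fragment modelled on the one quoted in the issue;
// only the fields this example needs are present.
const sampleCSAF = `{
  "product_tree": {"branches": [
    {"category": "product_version", "name": "vim",
     "product": {"name": "vim", "product_id": "vim"}}
  ]},
  "vulnerabilities": [{
    "cve": "CVE-2022-2284",
    "product_status": {"known_affected": [
      "red_hat_enterprise_linux_6:vim", "red_hat_enterprise_linux_7:vim",
      "red_hat_enterprise_linux_8:vim", "red_hat_enterprise_linux_9:vim"
    ]}
  }]
}`

// Constructed purls standing in for packages previously ingested from SBOMs.
var ingestedPackages = []string{
	"pkg:rpm/redhat/vim-enhanced@8.0.1763-16.el8?arch=x86_64",
	"pkg:rpm/redhat/vim-enhanced@8.0.1763-16.el8?arch=aarch64",
	"pkg:rpm/redhat/vim-minimal@7.4.629-8.el7_9?arch=x86_64",
	"pkg:rpm/redhat/vim-common@8.2.2637-16.el9?arch=noarch",
	"pkg:rpm/redhat/vim@7.4.629-5.el6_10?arch=src",
	"pkg:rpm/redhat/bash@4.4.20-4.el8?arch=x86_64",           // not vim
	"pkg:rpm/fedora/vim-enhanced@9.0.1000-1.fc38?arch=x86_64", // not RHEL
}

type product struct {
	Name      string `json:"name"`
	ProductID string `json:"product_id"`
}
type branch struct {
	Category string   `json:"category"`
	Product  *product `json:"product"`
}
type vulnerability struct {
	CVE           string `json:"cve"`
	ProductStatus struct {
		KnownAffected []string `json:"known_affected"`
	} `json:"product_status"`
}
type csafDoc struct {
	ProductTree     struct{ Branches []branch `json:"branches"` } `json:"product_tree"`
	Vulnerabilities []vulnerability `json:"vulnerabilities"`
}

// Affected is one abstract VEX statement: package Package is affected by CVE
// in product stream Stream (e.g. "red_hat_enterprise_linux_8").
type Affected struct{ CVE, Stream, Package string }

// parseKnownAffected resolves each known_affected id ("<stream>:<product_id>")
// through product_tree, failing loudly on ids the document does not define.
func parseKnownAffected(raw []byte) ([]Affected, error) {
	var doc csafDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	names := map[string]string{} // product_id -> package name
	for _, b := range doc.ProductTree.Branches {
		if b.Category == "product_version" && b.Product != nil {
			names[b.Product.ProductID] = b.Product.Name
		}
	}
	var out []Affected
	for _, v := range doc.Vulnerabilities {
		for _, id := range v.ProductStatus.KnownAffected {
			stream, prod, ok := strings.Cut(id, ":")
			if !ok {
				return nil, fmt.Errorf("product id %q has no stream prefix", id)
			}
			name, known := names[prod]
			if !known {
				return nil, fmt.Errorf("product id %q not in product_tree", prod)
			}
			out = append(out, Affected{CVE: v.CVE, Stream: stream, Package: name})
		}
	}
	return out, nil
}

var (
	streamRE = regexp.MustCompile(`^red_hat_enterprise_linux_(\d+)$`)
	purlRE   = regexp.MustCompile(`^pkg:rpm/([^/]+)/([^@]+)@([^?]+)`)
	elRE     = regexp.MustCompile(`\.el(\d+)(?:_|$)`) // "16.el8", "8.el7_9"
)

type rpmRef struct{ Namespace, Name, Release, Major string }

// parseRPMPurl extracts namespace, name and the RHEL major from the release tag.
func parseRPMPurl(p string) (rpmRef, bool) {
	m := purlRE.FindStringSubmatch(p)
	if m == nil {
		return rpmRef{}, false
	}
	ref := rpmRef{Namespace: m[1], Name: m[2]}
	if i := strings.LastIndex(m[3], "-"); i >= 0 {
		ref.Release = m[3][i+1:]
	}
	if em := elRE.FindStringSubmatch(ref.Release); em != nil {
		ref.Major = em[1]
	}
	return ref, true
}

// matches applies the assumed rules: same RHEL major as the stream, redhat
// namespace, and name equal to the product or one of its "<product>-*" subpackages.
func matches(a Affected, ref rpmRef) bool {
	sm := streamRE.FindStringSubmatch(a.Stream)
	if sm == nil || ref.Namespace != "redhat" || sm[1] != ref.Major {
		return false
	}
	return ref.Name == a.Package || strings.HasPrefix(ref.Name, a.Package+"-")
}

// resolve expands each abstract statement into the concrete purls it covers.
func resolve(stmts []Affected, ingested []string) map[Affected][]string {
	out := make(map[Affected][]string)
	for _, s := range stmts {
		for _, p := range ingested {
			if ref, ok := parseRPMPurl(p); ok && matches(s, ref) {
				out[s] = append(out[s], p)
			}
		}
		sort.Strings(out[s])
	}
	return out
}

func main() {
	stmts, err := parseKnownAffected([]byte(sampleCSAF))
	if err != nil {
		panic(err)
	}
	for s, pkgs := range resolve(stmts, ingestedPackages) {
		fmt.Printf("%s %s:%s -> %v\n", s.CVE, s.Stream, s.Package, pkgs)
	}
}
```

Statements that resolve to an empty list are the interesting output for a maintainer: they show where the VEX refers to a stream or product the SBOM side never ingested, which is exactly the gap a company-contributed parser would be expected to close.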
Describe alternatives you've considered
No alternative identified.
Additional context
If you need further details, just comment and I'll provide the required information.