
VCIO: Collect CISA Known Exploited Vulnerabilities

Open mjherzog opened this issue 2 years ago • 12 comments

CISA publishes a catalog of Known Exploited Vulnerabilities at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. The data appears to use CVE as a key. I downloaded the current CSV catalog of 860 items - there is also a JSON download and an option to subscribe to updates by email. This data seems highly relevant for assessing the severity of a known vulnerability even if it seems limited to a pretty small subset of CVE vulnerabilities. We should consider using this data in the improver workflow.

mjherzog avatar Dec 05 '22 22:12 mjherzog

From https://github.com/nexB/vulnerablecode/issues/849

Add CISA known exploited vulnerabilities https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json

pombredanne avatar Nov 03 '23 10:11 pombredanne

A question came up about the meaning or significance of the "dueDate" field in the schema at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities_schema.json, which states that it is a required field, but the only description provided is "The date the required action is due in the format YYYY-MM-DD".

A perusal of the data at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json shows many of the dueDate values as being rather old, such as 2021-11-17.

It seems that the dueDate applies to USA federal civilian executive branch (FCEB) agencies and it otherwise appears to exist for historical reasons, perhaps suggesting the importance or urgency of the Remediation, but not necessarily a legal obligation for an entity outside of FCEB agencies.

From this page: https://www.cisa.gov/known-exploited-vulnerabilities

Criteria #3 - Clear Remediation Guidance

CISA adds known exploited vulnerabilities to the catalog when there is a clear action for the affected organization to take. The remediation action referenced in BOD 22-01 requires federal civilian executive branch (FCEB) agencies to take the following actions for all vulnerabilities in the KEV, and CISA strongly encourages all organizations to do the same:

    Apply updates per vendor instructions. There is an update available from the security vendor, and users should apply it.
    Remove from agency networks if the impacted product is end-of-life or cannot be updated otherwise. 

DennisClark avatar Feb 06 '24 17:02 DennisClark

The TLA KEV is used on the CISA website to refer to Known Exploited Vulnerabilities

DennisClark avatar Feb 06 '24 17:02 DennisClark

The KEV catalog entries are identified by a CVE value; however, the additional data provided in the KEV entries are probably best directly associated with a VCID in VulnerableCode, so the following fields should be added to a vulnerability model definition, perhaps as a separate table with a 0-to-1 relationship (note that I have expanded the definitions beyond the rather basic descriptions provided in the KEV schema to make them more relevant to VCIO):

  • `kev_date_added` (from `dateAdded`), UI label "KEV Date Added", string in date format YYYY-MM-DD: The date the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog in the format YYYY-MM-DD.

  • `kev_description` (from `shortDescription`), UI label "KEV Description", string: Description of the vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, usually a refinement of the original CVE description.

  • `kev_required_action` (from `requiredAction`), UI label "KEV Required Action", string: The required action to address the vulnerability, typically to apply vendor updates or apply vendor mitigations or to discontinue use.

  • `kev_due_date` (from `dueDate`), UI label "KEV Due Date", string in date format YYYY-MM-DD: The date the required action is due in the format YYYY-MM-DD, which applies to all USA federal civilian executive branch (FCEB) agencies, but all organizations are strongly encouraged to execute the required action.

  • `kev_resources_and_notes` (from `notes`), UI label "KEV Resources and Notes", string (may contain URL values): Additional notes and resources about the vulnerability, often a URL to vendor instructions.

  • `kev_knownRansomwareCampaignUse` (from `knownRansomwareCampaignUse`), UI label "KEV Ransomware Campaign Use", string: Values are 'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; or 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware.

DennisClark avatar Feb 06 '24 18:02 DennisClark

Suggested appearance in the VCIO UI: I think the new fields would be best placed, only if there are any values obtained by an Improver from the KEV, on the Essentials tab, as additional rows at the end of the summary table, right after the Status row.

DennisClark avatar Feb 06 '24 18:02 DennisClark

We of course need an Improver to gather the KEV entries. Note that the dateAdded field is required in the KEV catalog, so that is probably the best way to search for new ones.

DennisClark avatar Feb 06 '24 18:02 DennisClark
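The field mapping proposed above and the idea of using `dateAdded` to find new catalog entries can be combined into one small parser. The following is an added example written for this thread, not code from VulnerableCode or from the PR that closed the issue. It assumes the published KEV JSON feed wraps its entries in a top-level `vulnerabilities` list and names the CVE key `cveID` (both taken from the CISA schema, not from this thread); the sample feed embedded in the block is constructed with placeholder CVE ids so that it runs offline.

```python
"""Parse the CISA KEV JSON feed into the fields proposed for VulnerableCode.

Added example, not VulnerableCode's own code. Assumed feed layout: a
top-level "vulnerabilities" list whose items carry the keys named in the
CISA KEV schema (cveID, dateAdded, shortDescription, requiredAction,
dueDate, notes, knownRansomwareCampaignUse).
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import date

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
RANSOMWARE_VALUES = {"Known", "Unknown"}  # the only values CISA documents


@dataclass(frozen=True)
class KevEntry:
    """One KEV record, using the attribute names proposed in this issue."""

    cve_id: str
    kev_date_added: date
    kev_description: str
    kev_required_action: str
    kev_due_date: date
    kev_resources_and_notes: str
    kev_known_ransomware_campaign_use: str


def parse_kev_entry(raw: dict) -> KevEntry:
    """Validate one raw feed item and map it to the proposed model fields.

    Raises ValueError on a malformed CVE id or an undocumented ransomware
    value, so a bad upstream record is rejected instead of stored silently.
    """
    cve_id = raw["cveID"]
    if not CVE_RE.match(cve_id):
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    ransomware = raw.get("knownRansomwareCampaignUse", "Unknown")
    if ransomware not in RANSOMWARE_VALUES:
        raise ValueError(f"unexpected knownRansomwareCampaignUse: {ransomware!r}")
    return KevEntry(
        cve_id=cve_id,
        # both dates are required by the schema, so a missing one is an error
        kev_date_added=date.fromisoformat(raw["dateAdded"]),
        kev_description=raw.get("shortDescription", ""),
        kev_required_action=raw.get("requiredAction", ""),
        kev_due_date=date.fromisoformat(raw["dueDate"]),
        kev_resources_and_notes=raw.get("notes", ""),
        kev_known_ransomware_campaign_use=ransomware,
    )


def parse_kev_catalog(text: str) -> dict[str, KevEntry]:
    """Parse the whole feed; entries are keyed by CVE id, duplicates rejected."""
    doc = json.loads(text)
    entries: dict[str, KevEntry] = {}
    for raw in doc["vulnerabilities"]:
        entry = parse_kev_entry(raw)
        if entry.cve_id in entries:
            raise ValueError(f"duplicate KEV entry for {entry.cve_id}")
        entries[entry.cve_id] = entry
    return entries


def entries_added_since(entries: dict[str, KevEntry], since: date) -> list[KevEntry]:
    """Entries with dateAdded strictly after `since`, oldest first.

    An incremental improver run records the newest dateAdded it has seen and
    only processes what this function returns on the next run.
    """
    fresh = (e for e in entries.values() if e.kev_date_added > since)
    return sorted(fresh, key=lambda e: e.kev_date_added)


# Constructed sample feed with placeholder CVE ids; not real catalog data.
SAMPLE_FEED = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "dateAdded": "2021-11-03",
         "shortDescription": "constructed entry one",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17", "notes": "https://vendor.example/advisory-1",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "dateAdded": "2024-01-10",
         "shortDescription": "constructed entry two",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2024-01-31", "notes": "",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "dateAdded": "2024-02-05",
         "shortDescription": "constructed entry three",
         "requiredAction": "Remove from agency networks.",
         "dueDate": "2024-02-26", "notes": "",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

if __name__ == "__main__":
    catalog = parse_kev_catalog(SAMPLE_FEED)
    for entry in entries_added_since(catalog, date(2023, 12, 31)):
        print(entry.cve_id, entry.kev_date_added, entry.kev_known_ransomware_campaign_use)
```

The parser keeps the 'Known'/'Unknown' field as the literal string CISA publishes rather than coercing it to a boolean, since the catalog's own vocabulary is what the proposed UI label shows, and it fails closed on any value outside that vocabulary.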

@TG1999 @pombredanne I think we are ready to assign this one to a developer.

DennisClark avatar Feb 06 '24 18:02 DennisClark

I think this issue is interesting, and I'll assign it to myself, if no one is working on it.

> @TG1999 @pombredanne I think we are ready to assign this one to a developer.

ziadhany avatar Feb 17 '24 15:02 ziadhany

@ziadhany go ahead!

TG1999 avatar Feb 19 '24 07:02 TG1999

Done! Closed by #1422.

ziadhany avatar Jul 15 '24 16:07 ziadhany

I am reopening this until we have verified that this is deployed on https://public.vulnerablecode.io

pombredanne avatar Aug 15 '24 15:08 pombredanne

See in particular:

  • https://github.com/aboutcode-org/vulnerablecode/issues/1532

pombredanne avatar Aug 15 '24 15:08 pombredanne