Added initial support for vulnerability evidence #360

Closed
95 changes: 95 additions & 0 deletions schema/bom-1.6.schema.json
@@ -1635,6 +1635,98 @@
}
}
},
"vulnerabilityEvidence": {
"type": "object",
"title": "Evidence",
"description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
"additionalProperties": false,
"properties": {
"presence": {
"type": "array",
"description": "Evidence that substantiates the presence or absence of a vulnerability.",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"title": "Confidence",
"description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
},
"methods": {
"type": "array",
"title": "Methods",
"description": "The methods used to extract and/or analyze the evidence.",
"items": {
"type": "object",
"required": [
"technique" ,
"confidence"
],
"additionalProperties": false,
"properties": {
"technique": {
"title": "Technique",
"description": "The technique used in this method of analysis.",
"type": "string",
"enum": [
"source-code-analysis",
Contributor

For most CVEs, the exact technique used by the researcher to identify the CVE would be unknown. In the case of vulnerabilities reported in custom code (say, using SAST/DAST), the key data to capture are the rules, policies, and queries that helped identify the vulnerability, and some version information for the scanners and their engines.

"binary-analysis",
"manifest-analysis",
"ast-fingerprint",
"hash-comparison",
"instrumentation",
"dynamic-analysis",
"filename",
"attestation",
"other"
]
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"title": "Confidence",
"description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
},
"value": {
"type": "string",
"title": "Value",
"description": "The value or contents of the evidence."
},
"description": {
"type": "string",
"title": "Description",
"description": "A description of the evidence that may contain additional information about the investigation."
}
}
}
},
"tools": {
"type": "array",
"uniqueItems": true,
"items": {
"anyOf": [
{
"title": "Ref",
"$ref": "#/definitions/refLinkType"
},
{
"title": "BOM-Link Element",
"$ref": "#/definitions/bomLinkElementType"
}
]
},
"title": "BOM References",
"description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
}
}
}
}
}
},
"compositions": {
"type": "object",
"title": "Compositions",
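Review bot: the `presence` item schema has no field that records whether the evidence supports presence or absence, even though its description promises "the presence or absence of a vulnerability"; a consumer reading `confidence: 0.8` cannot tell which claim the 0.8 backs. Suggest an explicit indicator on the item (for example a boolean or a small enum such as `present` / `absent` / `unknown`) and a `required` list at the item level, since as written `{}` is a valid `presence` entry. Two smaller points in the same hunk: the `tools` description ("The object in the BOM identified by its bom-ref ...") reads as copied from a single-ref definition and does not describe an array of tool references, and `"technique" ,` carries a stray space before the comma.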
@@ -2191,6 +2283,9 @@
}
]
},
"evidence": {
"$ref": "#/definitions/vulnerabilityEvidence"
},
"analysis": {
"type": "object",
"title": "Impact Analysis",
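Review bot: the referenced definition is titled plainly "Evidence", which is the name generated documentation and code will surface for this vulnerability-level property; since the definition itself is called `vulnerabilityEvidence`, consider titling it "Vulnerability Evidence" so the generated type is not confused with other evidence objects in the BOM. Note that under draft-07 any `title` or `description` placed as a sibling of this `$ref` is ignored, so the wording has to live on the definition, not here.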
21 changes: 21 additions & 0 deletions tools/src/test/resources/1.6/valid-vulnerability-1.6.json
@@ -119,6 +119,27 @@
}
]
},
"evidence": {
"presence": [
{
"methods": [
{
"technique": "source-code-analysis",
"confidence": 0.7,
"value": "Value here",
"description": "Description here"
},
{
"technique": "binary-analysis",
"confidence": 0.6,
"value": "Value here",
"description": "Description here"
}
],
"confidence": 0.8
}
]
},
"analysis": {
"state": "not_affected",
"justification": "code_not_reachable",
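Review bot: this fixture only exercises the happy path and leaves the new `tools` array untested; please add a `tools` entry that references a tool already declared in this file's `metadata/tools` so the `refLinkType` / `bomLinkElementType` `anyOf` is actually validated. The schema's `minimum: 0` / `maximum: 1` bounds and the `required: ["technique", "confidence"]` list also deserve a matching invalid-vulnerability fixture (for example a method with `confidence: 1.5` or with `technique` omitted) so that a regression in those constraints is caught by the test suite rather than only by the valid case.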