diff --git a/dictionary.json b/dictionary.json
index 2e0436fb2..0dc534299 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -65,6 +65,12 @@
 "description": "The permissions that were granted to the in a platform-native format.",
 "type": "integer_t"
 },
+ "affected_packages": {
+ "caption": "Affected Software Packages",
+ "description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
+ "is_array": true,
+ "type": "affected_package"
+ },
 "alert": {
 "caption": "Client TLS Alert",
 "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.",
@@ -992,6 +998,7 @@
 "cvss": {
 "caption": "CVSS Score",
 "description": "The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.",
+ "is_array": true,
 "type": "cvss"
 },
 "cwe": {
@@ -1376,7 +1383,7 @@
 },
 "finding": {
 "caption": "Finding",
- "description": "Finding object provides details related to a finding generated by security tool",
+ "description": "The Finding object provides details about a finding/detection generated by a security tool.",
 "type": "finding"
 },
 "fingerprint": {
@@ -2171,12 +2178,16 @@
 "description": "The user that owns the file/object.",
 "type": "user"
 },
- "packages": {
+ "package": {
 "caption": "Software Packages",
- "description": "List of vulnerable packages as identified by the security product",
- "is_array": true,
+ "description": "The Software Package object describes details about a software package. Defined by D3FEND d3f:SoftwarePackage.",
 "type": "package"
 },
+ "package_manager": {
+ "caption": "Package Manager",
+ "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
+ "type": "string_t"
+ },
 "packet_uid": {
 "caption": "Packet UID",
 "description": "The packet identifier assigned by the protocol.",
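Review bot: Adding `"is_array": true` to `cvss` (hunk at -992) changes the attribute from a single object to a list, so any producer that already emits one `cvss` object will fail validation against the new dictionary; this is a breaking shape change and should be called out as such. The caption and description still describe a single object; suggest `"caption": "CVSS Scores",` and a description that opens with `"A list of CVSS objects that detail ..."` so generated docs match the new shape. The enclosing `attributes` map starts and ends outside the hunk.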
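Review bot: The renamed `package` entry (hunk at -2171) keeps the plural caption `"Software Packages"` although the `is_array` line was removed and the attribute is now a single object; use `"caption": "Software Package",` to match its own description. The new `package_manager` description has a typo, `"The software packager manager ..."`, and should read `"The software package manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc."`. Renaming `packages` to `package` also deletes the old dictionary name outright, so producers still emitting `packages` on vulnerability records will break unless the old name is kept for a deprecation period.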
@@ -2395,6 +2406,11 @@
 "description": "If a proxy connection is present, the connection from the client to the proxy server.",
 "type": "network_proxy"
 },
+ "purl":{
+ "caption": "Package URL",
+ "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programing languages, package managers, packaging conventions, tools, APIs and databases.",
+ "type": "string_t"
+ },
 "query": {
 "caption": "DNS Query",
 "description": "The Domain Name System (DNS) query.",
@@ -2452,7 +2468,7 @@
 },
 "references": {
 "caption": "References",
- "description": "Supporting reference URLs",
+ "description": "A list of reference URLs supporting the finding/detection.",
 "is_array": true,
 "type": "string_t"
 },
@@ -2977,11 +2993,6 @@
 "description": "The unique identifier of a virtual subnet.",
 "type": "string_t"
 },
- "supporting_data": {
- "caption": "Supporting Data",
- "description": "Additional data supporting a finding as provided by security tool",
- "type": "json_t"
- },
 "surname": {
 "caption": "Surname",
 "description": "The last or family name for the user.",
diff --git a/events/findings/findings.json b/events/findings/finding.json
similarity index 91%
rename from events/findings/findings.json
rename to events/findings/finding.json
index ab8561b77..d91048ecb 100644
--- a/events/findings/findings.json
+++ b/events/findings/finding.json
@@ -1,9 +1,9 @@
 {
- "caption": "Findings",
- "name": "findings",
+ "caption": "Finding",
 "category": "findings",
- "extends": "base_event",
 "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or actions performed by security products.",
+ "extends": "base_event",
+ "name": "finding",
 "attributes": {
 "activity_id": {
 "enum": {
diff --git a/events/findings/security_finding.json b/events/findings/security_finding.json
index cb63fb12f..502206302 100644
--- a/events/findings/security_finding.json
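Review bot: `"purl":{` in the hunk at -2395 drops the space before the brace that every neighbouring entry uses (`"query": {`), and the same spacing appears in the `purl` attribute added to objects/package.json in this commit; write `"purl": {` in both places. The description also misspells `programing`; it should be `programming`. Because a purl has a defined grammar that consumers will parse, consider ending the description with `Refer to the Package URL specification for the exact format.` rather than leaving the format implicit.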
+++ b/events/findings/security_finding.json
@@ -2,7 +2,7 @@
 "caption": "Security Finding",
 "category": "findings",
 "description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products",
- "extends": "findings",
+ "extends": "finding",
 "name": "security_finding",
 "uid": 1,
 "attributes": {
diff --git a/events/findings/vulnerability_finding.json b/events/findings/vulnerability_finding.json
new file mode 100644
index 000000000..51006563c
--- /dev/null
+++ b/events/findings/vulnerability_finding.json
@@ -0,0 +1,76 @@
+{
+ "caption": "Vulnerability Finding",
+ "category": "findings",
+ "description": "Vulnerability Finding events describe findings generated by vulnerability scanning tools.",
+ "extends": "finding",
+ "name": "vulnerability_finding",
+ "uid": 2,
+ "attributes": {
+ "analytic": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "confidence": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "confidence_id": {
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "confidence_score": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "device": {
+ "description": "Describes details about the device that is affected by the vulnerability/vulnerabilities.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "finding": {
+ "group": "primary",
+ "requirement": "required"
+ },
+ "resource": {
+ "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "remediation": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "status": {
+ "description": "The normalized status of the vulnerability finding.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "status_id": {
+ "description": "The normalized status identifier of the vulnerability finding.",
+ "enum": {
+ "1": {
+ "caption": "New",
+ "description": "The vulnerability finding is new and yet to be reviewed."
+ },
+ "2": {
+ "caption": "In Progress",
+ "description": "The vulnerability finding is under review."
+ },
+ "3": {
+ "caption": "Suppressed",
+ "description": "The vulnerability finding was reviewed, considered as a false positive and is now suppressed."
+ },
+ "4": {
+ "caption": "Resolved",
+ "description": "The vulnerability finding was reviewed and remediated and is now considered resolved."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "vulnerabilities": {
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+}
\ No newline at end of file
diff --git a/objects/affected_package.json b/objects/affected_package.json
new file mode 100644
index 000000000..0c8367b17
--- /dev/null
+++ b/objects/affected_package.json
@@ -0,0 +1,11 @@
+{
+ "caption": "Affected Software Package",
+ "description": "The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.",
+ "extends": "package",
+ "name": "affected_package",
+ "attributes": {
+ "package_manager": {
+ "requirement": "optional"
+ }
+ }
+}
diff --git a/objects/analytic.json b/objects/analytic.json
index 099e22850..d5df79cbf 100644
--- a/objects/analytic.json
+++ b/objects/analytic.json
@@ -13,8 +13,7 @@
 "requirement": "optional"
 },
 "name": {
- "description": "The name of the analytic that generated the finding.",
- "requirement": "required"
+ "description": "The name of the analytic that generated the finding."
 },
 "related_analytics": {
 "description:": "Other analytics related to this analytic ",
@@ -49,13 +48,11 @@
 }
 },
 "uid": {
- "description": "The unique identifier of the analytic that generated the finding.",
- "requirement": "recommended"
+ "description": "The unique identifier of the analytic that generated the finding."
 },
 "version": {
 "description": "The analytic version. For example: 1.1.",
 "requirement": "optional"
 }
- },
- "constraints": {}
+ }
 }
diff --git a/objects/cve.json b/objects/cve.json
index 87f0ad5b2..e73761a1b 100644
--- a/objects/cve.json
+++ b/objects/cve.json
@@ -7,7 +7,11 @@
 "cvss": {
 "requirement": "recommended"
 },
- "cwe":{
+ "cwe": {
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "A brief description of the CVE Record.",
+ "requirement": "optional"
 },
 "modified_time": {
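Review bot: The `status_id` enum in the new events/findings/vulnerability_finding.json lists only values `"1"` to `"4"`; if this schema's `*_id` enums conventionally carry an Unknown (`"0"`) and Other (`"99"`) member, this one lacks them, leaving a scanner whose status is not New/In Progress/Suppressed/Resolved with no valid value to emit. The `remediation` attribute is placed after `resource`, breaking the alphabetical order the rest of the attribute map follows; move it ahead of `resource`. The file also ends without a trailing newline (`\ No newline at end of file`), unlike objects/affected_package.json added in the same commit.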
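Review bot: Dropping `"requirement": "required"` from `name` (objects/analytic.json hunk at -13) and `"requirement": "recommended"` from `uid` (hunk at -49) makes an `analytic` object with neither field valid, so a finding can reference an analytic that cannot be identified at all. If the intent is that at least one of the two must be present, express it instead of deleting the empty constraints block, e.g. `"constraints": { "at_least_one": ["name", "uid"] }`. Separately, the context line `"description:": "Other analytics related to this analytic ",` carries a stray colon inside the key; it is pre-existing but worth fixing while this file is touched.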
@@ -19,7 +23,7 @@
 "requirement": "recommended"
 },
 "uid": {
- "caption": "CVE ID",
+ "caption": "CVE ID",
 "description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.",
 "requirement": "required"
 },
@@ -27,10 +31,18 @@
 "description": "The product where the vulnerability was discovered.",
 "requirement": "optional"
 },
+ "references": {
+ "description": "A list of reference URLs with additional information about the CVE Record.",
+ "requirement": "recommended"
+ },
+ "title": {
+ "description": "A title or a brief phrase summarizing the CVE record.",
+ "requirement": "recommended"
+ },
 "type": {
- "caption": "Vulnerability Type",
+ "caption": "Vulnerability Type",
 "description": "

The vulnerability type as selected from a large dropdown menu during CVE refinement.

Most frequently used vulnerability types are: DoS, Code Execution, Overflow, Memory Corruption, Sql Injection, XSS, Directory Traversal, Http Response Splitting, Bypass something, Gain Information, Gain Privileges, CSRF, File Inclusion. For more information see Vulnerabilities By Type distributions.",
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/objects/finding.json b/objects/finding.json
index 13ade9884..f9741b7e3 100644
--- a/objects/finding.json
+++ b/objects/finding.json
@@ -1,6 +1,6 @@
 {
 "caption": "Finding",
- "description": "The Finding object contains details related to a security finding generated by a security tool or system. It encompasses information about potential security vulnerabilities, weaknesses, misconfigurations, or suspicious activities identified during security assessments or monitoring processes.",
+ "description": "The Finding object describes metadata related to a security finding generated by a security tool or system.",
 "extends": "object",
 "name": "finding",
 "attributes": {
@@ -31,18 +31,12 @@
 "related_events": {
 "requirement": "optional"
 },
- "remediation": {
- "requirement": "optional"
- },
 "src_url": {
 "description": "The URL pointing to the source of the finding.",
 "requirement": "optional"
 },
- "supporting_data": {
- "requirement": "optional"
- },
 "title": {
- "description": "The title of the reported finding.",
+ "description": "A title or a brief phrase summarizing the reported finding.",
 "requirement": "required"
 },
 "types": {
diff --git a/objects/package.json b/objects/package.json
index 638379117..67c20f831 100644
--- a/objects/package.json
+++ b/objects/package.json
@@ -18,6 +18,9 @@
 "description": "The software package name.",
 "requirement": "required"
 },
+ "purl":{
+ "requirement": "optional"
+ },
 "release": {
 "requirement": "optional"
 },
diff --git a/objects/product.json b/objects/product.json
index 41475a5e7..da8f4ade9 100644
--- a/objects/product.json
+++ b/objects/product.json
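Review bot: `references` and `title` are added to `cve` (objects/cve.json hunk at -27) while the same-named attributes remain on `vulnerability` in objects/vulnerability.json in this commit, so one record can now carry two titles and two reference lists with no rule for which a consumer should read. Their descriptions should state which level owns which data, for instance `"description": "A list of reference URLs with additional information about the CVE Record, as published in the advisory."` on `cve`, leaving scanner- or finding-specific links to `vulnerability.references`. The enclosing `attributes` map begins above this hunk, and the `type` description is a single context line that the page has wrapped.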
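Review bot: `remediation` and `supporting_data` are deleted from the `finding` object outright (objects/finding.json hunk at -31), and `supporting_data` also disappears from dictionary.json, so any producer populating those attributes fails schema validation with no transition period. If the project has a deprecation annotation, mark the attributes deprecated for a release before removing them; the same applies to `desc`, `kb_articles` and `packages` removed from objects/vulnerability.json in this commit. `remediation` reappears only on the new `vulnerability_finding` event, so other events built on this object lose the field entirely unless it is re-added on them.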
@@ -6,7 +6,7 @@
 "attributes": {
 "feature": {},
 "lang": {
- "requirement": "recommended"
+ "requirement": "optional"
 },
 "name": {
 "description": "The name of the product."
diff --git a/objects/vulnerability.json b/objects/vulnerability.json
index 49b9899ec..01067ac68 100644
--- a/objects/vulnerability.json
+++ b/objects/vulnerability.json
@@ -4,40 +4,43 @@
 "extends": "object",
 "name": "vulnerability",
 "attributes": {
+ "affected_packages": {
+ "requirement": "recommended"
+ },
 "cve": {
 "requirement": "recommended"
 },
 "cwe": {
 "requirement": "recommended"
 },
- "desc": {
- "description": "The description of the vulnerability.",
+ "first_seen_time": {
+ "description": "The time when the vulnerability was first observed.",
 "requirement": "optional"
 },
 "fix_available": {
 "requirement": "optional"
 },
- "kb_articles": {
+ "last_seen_time": {
+ "description": "The time when the vulnerability was most recently observed.",
 "requirement": "optional"
 },
- "packages": {
- "requirement": "recommended"
- },
 "references": {
+ "description": "A list of reference URLs with additional information about the vulnerability.",
 "requirement": "recommended"
 },
 "related_vulnerabilities": {
- "requirement": "recommended"
+ "requirement": "optional"
 },
 "severity": {
+ "description": "The vendor assigned severity of the vulnerability.",
 "requirement": "optional"
 },
 "title": {
- "description": "The title of the vulnerability.",
- "requirement": "recommended"
+ "description": "A title or a brief phrase summarizing the discovered vulnerability.",
+ "requirement": "optional"
 },
 "vendor_name": {
- "description": "The vendor who identified the vulnerability.",
+ "description": "The name of the vendor that identified the vulnerability.",
 "requirement": "optional"
 }
 },
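Review bot: Removing `desc` from `vulnerability` (objects/vulnerability.json hunk at -4) while adding it only to `cve` in this commit leaves no description field for vulnerabilities that have no CVE record, which is the common case for vendor-proprietary or not-yet-assigned findings that carry only scanner-supplied text. Keeping `"desc": { "description": "The description of the vulnerability.", "requirement": "optional" }` on `vulnerability` preserves that path without conflicting with `cve.desc`. The new `first_seen_time` and `last_seen_time` descriptions say "observed" without saying where; if the intent is the affected asset, `"The time when the vulnerability was first observed on the affected device or resource."` makes that explicit.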