A new Vulnerability Findings class #698

Merged
merged 7 commits into from
Aug 1, 2023
31 changes: 21 additions & 10 deletions dictionary.json
Expand Up @@ -65,6 +65,12 @@
"description": "The permissions that were granted to the in a platform-native format.",
"type": "integer_t"
},
"affected_packages": {
"caption": "Affected Software Packages",
"description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
"is_array": true,
"type": "affected_package"
},
"alert": {
"caption": "Client TLS Alert",
"description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
Expand Down Expand Up @@ -992,6 +998,7 @@
"cvss": {
"caption": "CVSS Score",
"description": "The CVSS object details Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) scores from the advisory that are related to the vulnerability.",
"is_array": true,
"type": "cvss"
},
"cwe": {
Expand Down Expand Up @@ -1376,7 +1383,7 @@
},
"finding": {
"caption": "Finding",
"description": "Finding object provides details related to a finding generated by security tool",
"description": "The Finding object provides details about a finding/detection generated by a security tool.",
"type": "finding"
},
"fingerprint": {
Expand Down Expand Up @@ -2171,12 +2178,16 @@
"description": "The user that owns the file/object.",
"type": "user"
},
"packages": {
"package": {
"caption": "Software Packages",
"description": "List of vulnerable packages as identified by the security product",
"is_array": true,
"description": "The Software Package object describes details about a software package. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/'>d3f:SoftwarePackage</a>.",
"type": "package"
},
"package_manager": {
"caption": "Package Manager",
"description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
"type": "string_t"
},
"packet_uid": {
"caption": "Packet UID",
"description": "The packet identifier assigned by the protocol.",
Expand Down Expand Up @@ -2395,6 +2406,11 @@
"description": "If a proxy connection is present, the connection from the client to the proxy server.",
"type": "network_proxy"
},
"purl":{
"caption": "Package URL",
"description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programing languages, package managers, packaging conventions, tools, APIs and databases.",
"type": "string_t"
},
"query": {
"caption": "DNS Query",
"description": "The Domain Name System (DNS) query.",
Expand Down Expand Up @@ -2452,7 +2468,7 @@
},
"references": {
"caption": "References",
"description": "Supporting reference URLs",
"description": "A list of reference URLs supporting the finding/detection.",
"is_array": true,
"type": "string_t"
},
Expand Down Expand Up @@ -2977,11 +2993,6 @@
"description": "The unique identifier of a virtual subnet.",
"type": "string_t"
},
"supporting_data": {
"caption": "Supporting Data",
"description": "Additional data supporting a finding as provided by security tool",
"type": "json_t"
},
"surname": {
"caption": "Surname",
"description": "The last or family name for the user.",
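Review bot: Flipping `cvss` to `"is_array": true` in the `-992,6 +998,7` hunk changes the cardinality of an attribute that the `cve` object already consumes (it is still `"requirement": "recommended"` there in the cve.json section of this PR), so any producer emitting a single CVSS object and any consumer indexing it as one will break rather than degrade. If `cvss` has already shipped in a released schema version, the PR description should call this out as a breaking change and state the migration for single-score producers (wrap the object in a one-element array). The unchanged description should also say why a list is needed so mappers know what to put in it, e.g. `"description": "The CVSS object details Common Vulnerability Scoring System (...) scores from the advisory that are related to the vulnerability. The list may hold scores from several CVSS versions (e.g. v2 and v3.x) for the same vulnerability."`.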
@@ -1,9 +1,9 @@
{
"caption": "Findings",
"name": "findings",
"caption": "Finding",
"category": "findings",
"extends": "base_event",
"description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or actions performed by security products.",
"extends": "base_event",
"name": "finding",
"attributes": {
"activity_id": {
"enum": {
2 changes: 1 addition & 1 deletion events/findings/security_finding.json
Expand Up @@ -2,7 +2,7 @@
"caption": "Security Finding",
"category": "findings",
"description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products",
"extends": "findings",
"extends": "finding",
"name": "security_finding",
"uid": 1,
"attributes": {
76 changes: 76 additions & 0 deletions events/findings/vulnerability_finding.json
@@ -0,0 +1,76 @@
{
"caption": "Vulnerability Finding",
"category": "findings",
"description": "Vulnerability Finding events describe findings generated by vulnerability scanning tools.",
"extends": "finding",
"name": "vulnerability_finding",
"uid": 2,
"attributes": {
"analytic": {
"group": "primary",
"requirement": "recommended"
},
"confidence": {
"group": "context",
"requirement": "optional"
},
"confidence_id": {
"group": "context",
"requirement": "recommended"
},
"confidence_score": {
"group": "context",
"requirement": "optional"
},
"device": {
"description": "Describes details about the device that is affected by the vulnerability/vulnerabilities.",
"group": "primary",
"requirement": "recommended"
},
"finding": {
"group": "primary",
"requirement": "required"
},
"resource": {
"description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
"group": "primary",
"requirement": "recommended"
},
"remediation": {
"group": "context",
"requirement": "optional"
},
"status": {
"description": "The normalized status of the vulnerability finding.",
"group": "context",
"requirement": "optional"
},
"status_id": {
"description": "The normalized status identifier of the vulnerability finding.",
"enum": {
"1": {
"caption": "New",
"description": "The vulnerability finding is new and yet to be reviewed."
},
"2": {
"caption": "In Progress",
"description": "The vulnerability finding is under review."
},
"3": {
"caption": "Suppressed",
"description": "The vulnerability finding was reviewed, considered as a false positive and is now suppressed."
},
"4": {
"caption": "Resolved",
"description": "The vulnerability finding was reviewed and remediated and is now considered resolved."
}
},
"group": "context",
"requirement": "recommended"
},
"vulnerabilities": {
"group": "primary",
"requirement": "required"
}
}
}
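Review bot: The `status_id` enum defines only `"1"` through `"4"`, with no `Unknown` or `Other` entry, so a scanner state this class does not model (risk accepted, reopened, not applicable, awaiting verification) has to be forced into one of the four values, and the sibling `status` string, which in other OCSF classes carries the raw vendor value when the id is Other, has nothing to attach to. If this repository's other enums follow the `0`/`99` convention, add `"0": {"caption": "Unknown", "description": "The status is unknown."}` and `"99": {"caption": "Other", "description": "The status is not mapped. See the <code>status</code> attribute, which contains a data source specific value."}`. Relatedly, `"3"` Suppressed is defined as "considered as a false positive", which is narrower than how vulnerability-management tools use suppression (risk acceptance, compensating control, not applicable); as written, a consumer will read an accepted risk as a false positive, so either widen that description or keep Suppressed for false positives and route the rest through Other.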
11 changes: 11 additions & 0 deletions objects/affected_package.json
@@ -0,0 +1,11 @@
{
"caption": "Affected Software Package",
"description": "The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.",
"extends": "package",
"name": "affected_package",
"attributes": {
"package_manager": {
"requirement": "optional"
}
}
}
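Review bot: `package_manager` overlaps with the `purl` attribute this same PR adds to the parent `package` object, because a purl's type component already names the ecosystem (`pkg:npm/...`, `pkg:deb/...`); with both present and no stated precedence, the two can disagree on one record and a consumer has no rule for which to trust. I would state the relationship in the dictionary description, e.g. `"description": "The software package manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc. When purl is also populated, its type component should agree with this value."`. That dictionary entry currently reads "software packager manager", which should be corrected at the same time.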
9 changes: 3 additions & 6 deletions objects/analytic.json
Expand Up @@ -13,8 +13,7 @@
"requirement": "optional"
},
"name": {
"description": "The name of the analytic that generated the finding.",
"requirement": "required"
"description": "The name of the analytic that generated the finding."
},
"related_analytics": {
"description:": "Other analytics related to this analytic ",
Expand Down Expand Up @@ -49,13 +48,11 @@
}
},
"uid": {
"description": "The unique identifier of the analytic that generated the finding.",
"requirement": "recommended"
"description": "The unique identifier of the analytic that generated the finding."
},
"version": {
"description": "The analytic version. For example: <code>1.1</code>.",
"requirement": "optional"
}
},
"constraints": {}
}
}
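Review bot: Dropping `"requirement": "required"` from `name` and `"recommended"` from `uid` lets an `analytic` object be emitted with neither, which leaves a finding that cannot be traced back to the rule or check that produced it — the first thing an analyst needs when triaging or tuning. The object already declares an empty `"constraints": {}` on the last lines of the hunk, so the relaxation could preserve identifiability with `"constraints": {"at_least_one": ["name", "uid"]}`, assuming the repository's validator supports the `at_least_one` constraint (not verifiable from this hunk). Unrelated to this change, the context line `"description:": "Other analytics related to this analytic "` has a stray colon inside the key, so that description is presumably ignored by whatever reads the schema.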
20 changes: 16 additions & 4 deletions objects/cve.json
Expand Up @@ -7,7 +7,11 @@
"cvss": {
"requirement": "recommended"
},
"cwe":{
"cwe": {
"requirement": "optional"
},
"desc": {
"description": "A brief description of the CVE Record.",
"requirement": "optional"
},
"modified_time": {
Expand All @@ -19,18 +23,26 @@
"requirement": "recommended"
},
"uid": {
"caption": "CVE ID",
"caption": "CVE ID",
"description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: <code>CVE-2021-12345</code>.",
"requirement": "required"
},
"product": {
"description": "The product where the vulnerability was discovered.",
"requirement": "optional"
},
"references": {
"description": "A list of reference URLs with additional information about the CVE Record.",
"requirement": "recommended"
},
"title": {
"description": "A title or a brief phrase summarizing the CVE record.",
"requirement": "recommended"
},
"type": {
"caption": "Vulnerability Type",
"caption": "Vulnerability Type",
"description": "<p>The vulnerability type as selected from a large dropdown menu during CVE refinement.</p>Most frequently used vulnerability types are: <code>DoS</code>, <code>Code Execution</code>, <code>Overflow</code>, <code>Memory Corruption</code>, <code>Sql Injection</code>, <code>XSS</code>, <code>Directory Traversal</code>, <code>Http Response Splitting</code>, <code>Bypass something</code>, <code>Gain Information</code>, <code>Gain Privileges</code>, <code>CSRF</code>, <code>File Inclusion</code>. For more information see <a target='_blank' href='https://www.cvedetails.com/vulnerabilities-by-types.php'>Vulnerabilities By Type</a> distributions.",
"requirement": "recommended"
}
}
}
}
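Review bot: The new `product` attribute is described as "The product where the vulnerability was discovered", which can be read as the scanner that found it just as easily as the product the CVE Record is about; since the sibling `vulnerability` object in this PR already has `vendor_name` for the identifying party, the ambiguity will produce inconsistent mappings across producers. I would pin it to the record's subject: `"description": "The product affected by the vulnerability, as listed in the CVE Record."`. The new `references` list is also advisory-supplied URL text, so its description could note that the values are as-published and not validated by the schema, which matters to consumers that auto-fetch or render them.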
10 changes: 2 additions & 8 deletions objects/finding.json
@@ -1,6 +1,6 @@
{
"caption": "Finding",
"description": "The Finding object contains details related to a security finding generated by a security tool or system. It encompasses information about potential security vulnerabilities, weaknesses, misconfigurations, or suspicious activities identified during security assessments or monitoring processes.",
"description": "The Finding object describes metadata related to a security finding generated by a security tool or system.",
"extends": "object",
"name": "finding",
"attributes": {
Expand Down Expand Up @@ -31,18 +31,12 @@
"related_events": {
"requirement": "optional"
},
"remediation": {
"requirement": "optional"
},
"src_url": {
"description": "The URL pointing to the source of the finding.",
"requirement": "optional"
},
"supporting_data": {
"requirement": "optional"
},
"title": {
"description": "The title of the reported finding.",
"description": "A title or a brief phrase summarizing the reported finding.",
"requirement": "required"
},
"types": {
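Review bot: Removing `remediation` and `supporting_data` from the `finding` object (and `supporting_data` from the dictionary, per the dictionary.json section) is a breaking change for any existing class that embeds this object — presumably Security Finding, whose attributes are not in view here: producers that put scanner evidence in `finding.supporting_data` now have no typed destination, and `remediation` reappears only on the new Vulnerability Finding event. If these attributes have shipped in a released version, the PR description should state the migration path (for example that free-form evidence moves to `unmapped` or to a named attribute); if they have not, a one-line note in the object description saying evidence belongs in the event rather than in this metadata object would stop producers from looking for it.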
3 changes: 3 additions & 0 deletions objects/package.json
Expand Up @@ -18,6 +18,9 @@
"description": "The software package name.",
"requirement": "required"
},
"purl":{
"requirement": "optional"
},
"release": {
"requirement": "optional"
},
2 changes: 1 addition & 1 deletion objects/product.json
Expand Up @@ -6,7 +6,7 @@
"attributes": {
"feature": {},
"lang": {
"requirement": "recommended"
"requirement": "optional"
},
"name": {
"description": "The name of the product."
23 changes: 13 additions & 10 deletions objects/vulnerability.json
Expand Up @@ -4,40 +4,43 @@
"extends": "object",
"name": "vulnerability",
"attributes": {
"affected_packages": {
"requirement": "recommended"
},
"cve": {
"requirement": "recommended"
},
"cwe": {
"requirement": "recommended"
},
"desc": {
"description": "The description of the vulnerability.",
"first_seen_time": {
"description": "The time when the vulnerability was first observed.",
"requirement": "optional"
},
"fix_available": {
"requirement": "optional"
},
"kb_articles": {
"last_seen_time": {
"description": "The time when the vulnerability was most recently observed.",
"requirement": "optional"
},
"packages": {
"requirement": "recommended"
},
"references": {
"description": "A list of reference URLs with additional information about the vulnerability.",
"requirement": "recommended"
},
"related_vulnerabilities": {
"requirement": "recommended"
"requirement": "optional"
},
"severity": {
"description": "The vendor assigned severity of the vulnerability.",
"requirement": "optional"
},
"title": {
"description": "The title of the vulnerability.",
"requirement": "recommended"
"description": "A title or a brief phrase summarizing the discovered vulnerability.",
"requirement": "optional"
},
"vendor_name": {
"description": "The vendor who identified the vulnerability.",
"description": "The name of the vendor that identified the vulnerability.",
"requirement": "optional"
}
},
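Review bot: If I read the rendered diff correctly, this hunk removes `desc` and `kb_articles` from the `vulnerability` object and downgrades `title` to optional, while the only remaining place for descriptive text is the new `desc` on the `cve` object — but `cve` is itself only `"requirement": "recommended"` here. Scanner findings frequently have no CVE at all (vendor plugin checks, misconfigurations, unpublished issues), and for those a record can now be emitted with no human-readable description, no title and no KB link, which is what an analyst needs to act on it. I would keep `"desc": {"description": "The description of the vulnerability.", "requirement": "recommended"}` on this object (and a `kb_articles`-equivalent) rather than relying on the CVE record to carry it, or at least raise `title` back to recommended. The hunk's closing brace is outside the visible lines, so I cannot tell whether a constraint tying `cve` and `desc` together was added further down.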