Support CycloneDX Vulnerability Exploitability Exchange (VEX) report #553
Comments
Hello @VinodAnandan, do you suggest an extension or new feature of Steady to generate VEX BOMs for scanned applications, to reflect the results of Steady's static or dynamic reachability analysis? Say Steady takes as input an existing CycloneDX BOM, e.g., produced by CycloneDX's plugin, and enriches this information with regard to the reachability of contained vulnerable code.
Hi @henrikplate. I was proposing the use case where Steady will be an SBOM+VEX producer. CycloneDX will enable the exchange of the component information and vulnerability information in a standardized way. CycloneDX is already adopted by several tools (https://cyclonedx.org/tool-center/), including OWASP Dependency-Track. If Steady can provide the VEX information along with the BOM in CycloneDX format (https://github.com/CycloneDX/cyclonedx-core-java), it can be used with other tools which support CycloneDX. The OWASP Dependency-Track project consumes and produces CycloneDX SBOM and VEX (https://docs.dependencytrack.org/).
Hello, tell me, what should I do? In French, please. Thank you, [email protected]
@henrikplate With the CycloneDX 1.5 specification, it is possible to set component and call-stack evidence in the generated document. cdxgen makes good use of these attributes with the evinse command. Below are some links for your reference: https://cyclonedx.org/docs/1.5/json/#components_items_evidence_occurrences cdxgen generates the evidence using static analysis with a tool called atom. Supporting evidence with Steady would help end users consolidate information from the static and runtime tools. Please consider this request by integrating with CycloneDX and help improve the specification.
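The shape of the document the two proposals above describe, as an added example that is not part of this issue or of Steady's code base: take an existing CycloneDX BOM, apply per-component reachability findings, emit a `vulnerabilities` array carrying the VEX `analysis` state (`exploitable` when a path to the vulnerable code was found, `not_affected` with `justification: code_not_reachable` when none was, `in_triage` when the analysis did not run), and attach the CycloneDX 1.5 `evidence.callstack` to the affected component, as @prabhu suggests. It is written in Python over plain JSON so the field layout is visible; a Steady implementation would naturally use cyclonedx-core-java instead. The input BOM, the purls (`com.example/*`), the vulnerability IDs (`EXAMPLE-2024-000x`), the advisory source name and the call-stack frames are all constructed placeholders, not real advisories.

```python
"""Enrich a CycloneDX 1.5 BOM with VEX analysis derived from reachability findings.

Added example; the BOM, purls, vulnerability IDs and frames below are constructed.
"""
import copy
import json

# Allowed values per the CycloneDX vulnerability schema (analysis.state / analysis.justification).
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}

# Constructed input BOM, as a build-tool plugin might emit it. Purls are fictitious.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/com.example/libfoo@1.0.0",
         "group": "com.example", "name": "libfoo", "version": "1.0.0",
         "purl": "pkg:maven/com.example/libfoo@1.0.0"},
        {"type": "library", "bom-ref": "pkg:maven/com.example/libbar@2.3.0",
         "group": "com.example", "name": "libbar", "version": "2.3.0",
         "purl": "pkg:maven/com.example/libbar@2.3.0"},
    ],
}

# Constructed reachability findings, one per (component, vulnerability). IDs are placeholders;
# `reachable` is True/False for an analysed pair and None when no analysis result exists.
SAMPLE_FINDINGS = [
    {"ref": "pkg:maven/com.example/libfoo@1.0.0", "id": "EXAMPLE-2024-0001",
     "source": "example-advisory-db", "reachable": True,
     "frames": [
         {"package": "com.example.app", "module": "Main", "function": "handle", "line": 42},
         {"package": "com.example.libfoo", "module": "Parser", "function": "parse", "line": 118},
     ]},
    {"ref": "pkg:maven/com.example/libbar@2.3.0", "id": "EXAMPLE-2024-0002",
     "source": "example-advisory-db", "reachable": False, "frames": []},
    {"ref": "pkg:maven/com.example/libbar@2.3.0", "id": "EXAMPLE-2024-0003",
     "source": "example-advisory-db", "reachable": None, "frames": []},
]


def add_vex(bom, findings):
    """Return a copy of `bom` with a `vulnerabilities` array expressing the VEX state."""
    out = copy.deepcopy(bom)
    by_ref = {c["bom-ref"]: c for c in out.get("components", [])}
    vulns = out.setdefault("vulnerabilities", [])
    for f in findings:
        comp = by_ref[f["ref"]]  # KeyError if a finding names a component absent from the BOM
        if f["reachable"] is True:
            analysis = {"state": "exploitable",
                        "detail": "vulnerable code is reachable from the application"}
            # CycloneDX 1.5 component evidence: the call stack that reaches the vulnerable code.
            comp.setdefault("evidence", {})["callstack"] = {"frames": f["frames"]}
        elif f["reachable"] is False:
            analysis = {"state": "not_affected", "justification": "code_not_reachable",
                        "detail": "no path to the vulnerable code was found"}
        else:
            analysis = {"state": "in_triage"}
        vulns.append({"id": f["id"], "source": {"name": f["source"]},
                      "analysis": analysis, "affects": [{"ref": f["ref"]}]})
    return out


def check_vex(bom):
    """Consumer-side check: every VEX entry must reference a component that exists in the BOM
    and use a valid state/justification. Returns a list of problems (empty means OK)."""
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    problems = []
    for v in bom.get("vulnerabilities", []):
        a = v.get("analysis", {})
        if a.get("state") not in ANALYSIS_STATES:
            problems.append(f"{v['id']}: bad analysis.state {a.get('state')!r}")
        if "justification" in a and a["justification"] not in JUSTIFICATIONS:
            problems.append(f"{v['id']}: bad justification {a['justification']!r}")
        for target in v.get("affects", []):
            if target.get("ref") not in refs:
                problems.append(f"{v['id']}: affects.ref {target.get('ref')!r} not in BOM")
    return problems


def vex_state(bom, vuln_id):
    """Look up the analysis state recorded for one vulnerability ID (None if absent)."""
    for v in bom.get("vulnerabilities", []):
        if v["id"] == vuln_id:
            return v["analysis"]["state"]
    return None


if __name__ == "__main__":
    enriched = add_vex(SAMPLE_BOM, SAMPLE_FINDINGS)
    print(json.dumps(enriched, indent=2))
    print("problems:", check_vex(enriched))
```

The `affects[].ref` values are the components' `bom-ref`s, which is how a consumer such as Dependency-Track ties a VEX statement to the component it already knows from the SBOM; `check_vex` is the kind of check a consumer should run before trusting a producer's `not_affected` claims, because a dangling `ref` or an out-of-enum state silently drops the statement.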
The known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.
More information:
https://cyclonedx.org/capabilities/vex/#vulnerability-exploitability-exchange-vex
https://github.com/CycloneDX/bom-examples/tree/master/VEX
Cc: @stevespringett