Support CycloneDX Vulnerability Exploitability Exchange (VEX) report #553

Open
VinodAnandan opened this issue May 12, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@VinodAnandan
Contributor

The known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.

  • VEX information can be represented inside an existing BOM, or in a dedicated VEX BOM
  • Supports known and unknown vulnerabilities against components and services
  • Communicates the vulnerability details, exploitability, and detailed analysis

More information:

https://cyclonedx.org/capabilities/vex/#vulnerability-exploitability-exchange-vex
https://github.com/CycloneDX/bom-examples/tree/master/VEX

Cc: @stevespringett

@henrikplate
Contributor

Hello @VinodAnandan, do you suggest an extension or new feature of Steady to generate VEX BOMs for scanned applications, to reflect the results of Steady's static or dynamic reachability analysis? Say Steady takes as input an existing CycloneDX BOM, e.g., produced by CycloneDX's plugin, and enriches this information with regard to the reachability of contained vulnerable code.

@VinodAnandan
Contributor Author

Hi @henrikplate. I was proposing the use case where Steady will be an SBOM+VEX producer.

CycloneDX will enable the exchange of the component information and vulnerability information in a standardized way. CycloneDX is already adopted by several tools (https://cyclonedx.org/tool-center/), including OWASP Dependency Track. If "steady" can provide the VEX information along with the BOM in CycloneDX format (https://github.com/CycloneDX/cyclonedx-core-java), it can be used with other tools which support CycloneDX. The OWASP Dependency Track project consumes and produces CycloneDX SBOM and VEX (https://docs.dependencytrack.org/).

@henrikplate henrikplate added the enhancement New feature or request label May 22, 2022
@staedy

staedy commented Apr 9, 2023

Hello, tell me? What to do, in French please, thank you [email protected]

@prabhu

prabhu commented Aug 24, 2023

@henrikplate With the CycloneDX 1.5 specification, it is possible to set component and call-stack evidence in the generated document. cdxgen makes good use of these attributes with the evinse command.

Below are some links for your reference:

https://cyclonedx.org/docs/1.5/json/#components_items_evidence_occurrences
https://github.com/CycloneDX/cdxgen
https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md#evinse-mode

cdxgen generates the evidence using static analysis with a tool called atom.
https://github.com/AppThreat/atom

Supporting evidence with steady would help end users consolidate information from static and runtime tools. Please consider this request by integrating with CycloneDX and help improve the specification.
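As an added example (not code from Steady, cdxgen or any commenter in this thread), the following Python script turns constructed reachability results into a CycloneDX 1.5 document that carries both what this thread asks for: component evidence (occurrences and a call stack) and a VEX analysis state per vulnerability, together with a consistency check that every VEX `affects` ref resolves to a component in the same BOM. Field names follow the CycloneDX 1.5 JSON schema; the results format, purls and vulnerability ids are assumptions.

```python
import json

# Constructed sample reachability results (a stand-in for what a tool such as
# Steady or atom might report, not their real output format). The vulnerability
# ids are placeholders, not real identifiers.
RESULTS = [
    {"vuln": "VULN-PLACEHOLDER-1", "purl": "pkg:maven/org.example/lib-a@1.2.3",
     "files": ["org/example/a/Parser.java"], "reachable": False, "frames": []},
    {"vuln": "VULN-PLACEHOLDER-2", "purl": "pkg:maven/org.example/lib-b@4.5.6",
     "files": ["org/example/b/Loader.java"], "reachable": True,
     "frames": [{"package": "com.acme.app", "module": "Main", "function": "run", "line": 42},
                {"package": "org.example.b", "module": "Loader", "function": "load", "line": 17}]},
]

def component_for(r):
    """CycloneDX 1.5 component whose evidence records where the vulnerable code
    occurs and, when reachable, the call stack that reaches it."""
    name, version = r["purl"].rsplit("/", 1)[1].split("@")
    evidence = {"occurrences": [{"location": f} for f in r["files"]]}
    if r["frames"]:
        evidence["callstack"] = {"frames": r["frames"]}
    return {"type": "library", "bom-ref": r["purl"], "name": name,
            "version": version, "purl": r["purl"], "evidence": evidence}

def vulnerability_for(r):
    """VEX statement: unreachable code is 'not_affected' with the schema
    justification 'code_not_reachable'; reachable code is conservatively
    reported as 'exploitable'."""
    if r["reachable"]:
        analysis = {"state": "exploitable",
                    "detail": "Reachable via a %d-frame call stack" % len(r["frames"])}
    else:
        analysis = {"state": "not_affected", "justification": "code_not_reachable",
                    "detail": "No call path from the application reaches the vulnerable code"}
    return {"id": r["vuln"], "analysis": analysis, "affects": [{"ref": r["purl"]}]}

def build_bom(results):
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": [component_for(r) for r in results],
            "vulnerabilities": [vulnerability_for(r) for r in results]}

def dangling_refs(bom):
    """Consumers match VEX statements to components by bom-ref; an 'affects'
    ref that names no component is a statement that silently applies to nothing."""
    known = {c["bom-ref"] for c in bom["components"]}
    return [a["ref"] for v in bom["vulnerabilities"] for a in v["affects"] if a["ref"] not in known]

if __name__ == "__main__":
    print(json.dumps(build_bom(RESULTS), indent=2))
```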

4 participants