Closed sei-vsarvepalli closed 3 years ago
Please be aware that the CSAF schema has changed from the one you linked. The current one is available at csaf_json_schema.json.
More feedback from @tschmidtb51 on the example vulnerability advisory provided for VU#608209
I just had a look at it and it doesn't seem to be resolved. Can you please double check?
The spelling of NicheStack changes throughout the summary. Other than that - fully resolved.
b) Element 1 (faq): IMHO this should be category `other` as it doesn't list the FAQ directly but points to the Vulnerability disclosure policy. Personally, I would add that as a document reference.
Resolved. :-)
self). Not resolved.
Current and initial release dates do not match. (There is only one version so they should match.) If you want to tell the date when the vulnerability was released: Please use /vulnerabilities[]/release_date for that. The fields in /document/tracking are only for transporting metadata about that CSAF document.
b) ID: Shouldn't that be VU#608209? If not, why is the VU# on the website advisory always up front?
Resolved. :-)
summary. Not resolved.
b) CWE: is listed in the case of VU#257161 also in the title but not as the dedicated field. Don't get me wrong here. It is perfectly fine to have that in the title, but to do statistics it would be much better if the cwe field is filled ;-)
Not resolved.
c) CVSS values should be listed as scores
Not resolved.
d) product_status: It should be stated that the product is affected and which version is fixed
Partially resolved: Affected product is listed. Patched products are not listed.
Resolved. :-)
b) product_id: That should be the product version I guess...
Resolved. :-)
c) (full product) name: Should more or less include the branches above (name from product_name + product_version)
Resolved. :-)
Additional comments / feedback:
"id": { "system_name": "Forescout Report", "text": " FSCT-2020-0055" }
Thanks again for supporting CSAF. I hope this is valuable to you.
If you have any question do not hesitate to contact me.
Hello @tschmidtb51
Here is where we are at present
Acknowledgements: I have internal VINCE production ticket that should provide anchors so we can take the person to the right section. This should be resolved soon.
Document/notes[] This array should be fixed. Maybe you are seeing an older copy? I don't have the "faq" category anymore. "notes": [ { "category": "summary", "text": "HCC's network stack InterNiche stack, also known as NicheLite, versions 4.3 and earlier for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by Forescout and Vdoo, who calls them by nickname INFRA:HALT.\r\n\r\nNicheStack can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Nichestack is typically used in embedded devices due to its low footprint. These recent vulnerabilities stem from common memory management issues and a lack of proper input validation seen in such lightweight networking stacks and operating systems. The impact of these vulnerabilities will vary depending on the device environment and the specific implementation of Nichestack by HCC's downstream customers and potentially by other supply chain stakeholders involved in adopting NicheStack software.", "title": "Summary" }, { "category": "legal_disclaimer", "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.", "title": "Legal Disclaimer" } ]
Document/references[1] should have category "self" Yeh - currently I didn't have any category for this field. As I saw in the JSON, the "summary" and "url" fields are the only ones required. I will add "category" as "self" no problem. This is to be fixed in the next PR.
(a) Document/tracking/ (current and initial release date) This should be fixed in the next PR. All dates are for the document as "metadata" and not for the vulnerability.
Vulnerabilities (title to move to notes[0] with category "summary") For now, we don't have a shorter statement for each vulnerability. So the "title" will basically be the first sentence from the CVE full description in our database.
I think the CVSS is fixed in production. The "Sample" CSAF document was old, I will replace it soon. The CWE data is not available via API at this time as a distinct field. So we will work on it after fixing the API.
On your recommendation (7): that is also currently not available as a distinct field in our API output. So we will have to wait for the API fix first.
Thanks Vijay
Hello @sei-vsarvepalli,
please find my comments inline.
- Acknowledgements: I have internal VINCE production ticket that should provide anchors so we can take the person to the right section. This should be resolved soon.
Sounds great. Please also consider to change the VINCE API to directly support the fields from CSAF as this will help companies to generate their own advisories from the information present in VINCE. IMHO most of them don't want to link to your advisory just for the acknowledgments...
- Document/notes[] This array should be fixed. Maybe you are seeing an older copy? I don't have the "faq" category anymore.
"notes": [ { "category": "summary", "text": "HCC's network stack InterNiche stack, also known as NicheLite, versions 4.3 and earlier for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by Forescout and Vdoo, who calls them by nickname INFRA:HALT.\r\n\r\nNicheStack can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Nichestack is typically used in embedded devices due to its low footprint. These recent vulnerabilities stem from common memory management issues and a lack of proper input validation seen in such lightweight networking stacks and operating systems. The impact of these vulnerabilities will vary depending on the device environment and the specific implementation of Nichestack by HCC's downstream customers and potentially by other supply chain stakeholders involved in adopting NicheStack software.", "title": "Summary" }, { "category": "legal_disclaimer", "text": "THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.", "title": "Legal Disclaimer" } ]
Correct. That was fixed. I marked the point about the "faq" with:
Resolved. :-)
However, I mentioned that "NicheStack" is sometimes called "NicheStack" and sometimes "Nichestack"...
The spelling of NicheStack changes throughout the summary. Other than that - fully resolved.
But you are right: this is a complaint about first world problems....
- Document/references[1] should have category "self" Yeh - currently I didn't have any category for this field. As I saw in the JSON, the "summary" and "url" fields are the only ones required. I will add "category" as "self" no problem. This is to be fixed in the next PR.
Perfect.
- (a) Document/tracking/ (current and initial release date) This should be fixed in the next PR. All dates are for the document as "metadata" and not for the vulnerability.
Super.
- Vulnerabilities (title to move to notes[0] with category "summary") For now, we don't have a shorter statement for each vulnerability. So the "title" will basically be the first sentence from the CVE full description in our database.
I see two potential solutions:
1. /vulnerabilities[]/title with an item in /vulnerabilities[]/notes[] with category "summary" as the title is not a required field. This perfectly matches the current use (and is IMHO more reasonable as it was extracted from a full description). You can also consider to put the complete full description from your database in there...
2. /vulnerabilities[]/title again as the first 50 characters...
- I think the CVSS is fixed in production. The "Sample" CSAF document was old, I will replace it soon. The CWE data is not available via API at this time as a distinct field. So we will work on it after fixing the API.
:+1:
- On your recommendation (7): that is also currently not available as a distinct field in our API output. So we will have to wait for the API fix first.
:+1:
Thanks for keeping us updated on the development and changes. And: Feel free to request me for a review anytime ;-)
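The review points above (matching tracking dates when there is a single revision, a `self` reference, a dedicated `cwe` field, CVSS carried in `scores[]` rather than only in the title, and `product_status` listing both affected and fixed products) can be turned into a small lint. The following is an added example, not code from VINCE or the CSAF project; it assumes the CSAF 2.0 field names named in the thread and runs against a constructed sample advisory whose identifiers (EXAMPLE-0001, CSAFPID-0001/0002, CVE-YYYY-NNNN, example.invalid) are placeholders.

```python
"""Lint a CSAF 2.0 advisory for the review points raised in this thread.

Added example, not VINCE or CSAF project code; assumes CSAF 2.0 field names.
"""
import copy
import json
from datetime import datetime


def _parse_ts(value):
    # CSAF timestamps are RFC 3339; accept a trailing "Z" for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lint_csaf(doc):
    """Return a list of (json_pointer, message); an empty list means clean."""
    findings = []
    document = doc.get("document", {})
    tracking = document.get("tracking", {})
    initial = tracking.get("initial_release_date")
    current = tracking.get("current_release_date")
    # With a single revision the two document dates must agree; the date the
    # vulnerability became public belongs in /vulnerabilities[]/release_date.
    if (len(tracking.get("revision_history", [])) <= 1 and initial and current
            and _parse_ts(initial) != _parse_ts(current)):
        findings.append(("/document/tracking",
                         "single revision but initial_release_date != current_release_date"))
    refs = document.get("references", [])
    for i, ref in enumerate(refs):
        if "category" not in ref:
            findings.append((f"/document/references/{i}", "missing category (self or external)"))
    if not any(ref.get("category") == "self" for ref in refs):
        findings.append(("/document/references", "no reference with category self"))
    for i, note in enumerate(document.get("notes", [])):
        if "category" not in note:
            findings.append((f"/document/notes/{i}", "missing category"))
    for i, vuln in enumerate(doc.get("vulnerabilities", [])):
        ptr = f"/vulnerabilities/{i}"
        if "cwe" not in vuln:
            findings.append((ptr, "cwe not filled as a dedicated field"))
        if not vuln.get("scores"):
            findings.append((ptr, "no scores[] entry; CVSS only in the title is not machine-readable"))
        status = vuln.get("product_status", {})
        if not status.get("known_affected"):
            findings.append((ptr + "/product_status", "known_affected not listed"))
        if not status.get("fixed"):
            findings.append((ptr + "/product_status", "fixed versions not listed"))
    return findings


# Constructed sample reproducing the issues discussed in the thread;
# every identifier below is a placeholder, not a real advisory or product.
SAMPLE_ADVISORY = json.loads("""
{
  "document": {
    "category": "csaf_security_advisory", "csaf_version": "2.0",
    "title": "Constructed sample advisory",
    "publisher": {"category": "coordinator", "name": "Example CSIRT",
                  "namespace": "https://example.invalid"},
    "tracking": {
      "id": "EXAMPLE-0001", "status": "final", "version": "1",
      "initial_release_date": "2021-08-04T00:00:00Z",
      "current_release_date": "2021-08-18T00:00:00Z",
      "revision_history": [{"date": "2021-08-18T00:00:00Z", "number": "1",
                            "summary": "Initial publication"}]
    },
    "notes": [{"category": "summary", "title": "Summary", "text": "Constructed summary."}],
    "references": [{"summary": "Advisory page", "url": "https://example.invalid/advisory"}]
  },
  "product_tree": {"full_product_names": [
    {"product_id": "CSAFPID-0001", "name": "Example Stack 4.3"},
    {"product_id": "CSAFPID-0002", "name": "Example Stack 4.4"}]},
  "vulnerabilities": [{
    "cve": "CVE-YYYY-NNNN",
    "title": "Constructed title that carries no dedicated CWE or score",
    "product_status": {"known_affected": ["CSAFPID-0001"]}
  }]
}
""")


def lint_sample():
    return lint_csaf(SAMPLE_ADVISORY)


def repair_sample():
    """Apply the reviewer's fixes to a copy of the sample and return it."""
    doc = copy.deepcopy(SAMPLE_ADVISORY)
    tracking = doc["document"]["tracking"]
    tracking["initial_release_date"] = tracking["current_release_date"]
    doc["document"]["references"][0]["category"] = "self"
    vuln = doc["vulnerabilities"][0]
    vuln["release_date"] = "2021-08-04T00:00:00Z"  # disclosure date lives here
    vuln["cwe"] = {"id": "CWE-20", "name": "Improper Input Validation"}
    vuln["scores"] = [{"products": ["CSAFPID-0001"], "cvss_v3": {
        "version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]
    vuln["product_status"]["fixed"] = ["CSAFPID-0002"]
    return doc


if __name__ == "__main__":
    for pointer, message in lint_sample():
        print(f"{pointer}: {message}")
    print("after repair:", lint_csaf(repair_sample()))
```

Running the block prints six findings for the sample and an empty list after `repair_sample()`; the checks are deliberately structural (presence and consistency of fields), so a full schema validation against csaf_json_schema.json is still needed alongside them.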
Looks like the CSAF schema is ever-evolving and changing. The new schema has dropped previous fields such as "text" and made the "category" field compulsory in many locations. The link to the latest schema is below
https://github.com/oasis-tcs/csaf/blob/d3fb9c4108faa4799aab61dce2b74fca5381623b/csaf_2.0/json_schema/csaf_json_schema.json
Required update will be managed and merged once completed by @sei-vsarvepalli
Hope to also support a JavaScript version of the converter that can readily convert VINCE and CERT KB APIs to CSAF format.