Include support for root cause CVE tags

Chris-Turner-NIST commented 3 years ago

We previously discussed including support for CVE level tags (which can be applied to the CNA or ADP containers) that assist in identification of root cause.

Tag	Definition
Hardware Root Cause	Tag this to a CVE if the primary root cause of the security vulnerability is originated from the hardware component of the affected product(s). The intent is to facilitate Hardware Designers to learn how to prevent similar weakness. Even when a hardware vulnerability can be addressed by a SW workaround, the “Hardware Root Cause” tag should still be applied, since the focus is on how the issue is introduced, not how it is remediated.
Software Root Cause	Tag this to a CVE if the primary root cause of the security vulnerability is originated from the software component of the affected product(s). The intent is to facilitate Software Developers to learn how to prevent similar weakness.

Tag

Definition

Hardware Root Cause

Tag this to a CVE if the primary root cause of the security vulnerability is originated from the hardware component of the affected product(s). The intent is to facilitate Hardware Designers to learn how to prevent similar weakness. Even when a hardware vulnerability can be addressed by a SW workaround, the “Hardware Root Cause” tag should still be applied, since the focus is on how the issue is introduced, not how it is remediated.

Software Root Cause

Tag this to a CVE if the primary root cause of the security vulnerability is originated from the software component of the affected product(s). The intent is to facilitate Software Developers to learn how to prevent similar weakness.

This could be expanded to include other concepts such as protocol or specification root causes. Ex:

Tag	Definition
Specification Root Cause	Tag this to a CVE if the primary root cause of the security vulnerability is originated from the industry specification that the affected product(s) comply with. The intent is to facilitate Industry Specification Groups to learn how to prevent similar weakness. If the root cause of the CVE is related to inappropriate adoption of an industry standard (e.g., use of an obsolete cryptographic algorithm) or incorrect implementation of an industry standard (e.g., product does not implement the error recovery flow as captured in the protocol specification) in the affected product(s), the appropriate “Hardware Root Cause” or “Software Root Cause” should be applied instead.

Tag

Definition

Specification Root Cause

Tag this to a CVE if the primary root cause of the security vulnerability is originated from the industry specification that the affected product(s) comply with. The intent is to facilitate Industry Specification Groups to learn how to prevent similar weakness. If the root cause of the CVE is related to inappropriate adoption of an industry standard (e.g., use of an obsolete cryptographic algorithm) or incorrect implementation of an industry standard (e.g., product does not implement the error recovery flow as captured in the protocol specification) in the affected product(s), the appropriate “Hardware Root Cause” or “Software Root Cause” should be applied instead.

asummers-MITRE commented 1 year ago

Is this tag under consideration for inclusion?

chandanbn commented 1 year ago

"root-cause-hardware" : Capture: physical, circuits, unchangeable - unrelated from remedy.

CVEProject / cve-schema

Include support for root cause CVE tags #22