Open mprpic opened 3 years ago
Having fields to store CNA's defect IDs (bugzilla, jira), advisory IDs for direct reference/retrieval (instead of iterating through references) is useful for internal automation or cross referencing. We use Vulnogram to take a JIRA id as input and produce a CVE JSON draft as an output, so the JIRA id that was used for creating the first cut JSON is stored in this field. It is useful to our customers if they need additional support on the CVE and they/support can look up the JIRA/bugzilla id for additional details.
Discovery is a field to encode the source of vulnerability discovery. A consumer may consider a CVE discovered or encountered during normal usage more important than a CVE discovered under special laboratory conditions.
Vulnogram has four values: INTERNAL: this vulnerability was found by the CNA's internal research. EXTERNAL: this vulnerability was found during research external to a CNA. USER: This vulnerability was discovered during product use. UNKNOWN: Source of discovery is not defined or is unknown.
Some CNA's have also expressed the need for a fifth value: UPSTREAM: This vulnerability was found by an upstream vendor (who likely is not a CNA or did not assign a CVE).
Instead of discovery:value pairs we can perhaps define four new CVE tags "cna-internal-discovery", "cna-external-discovery", "found-during-use", and "upsteam-problem"?
Source was left as an unstructured object as a carryover from the CVE 4.0. It's been an unstructured object as we have not had agreement within the community about what a source could be, nor a definitive list of value to make it an enumeration.
Different publishers have historically used different structures within the property to describe how the vulnerability was discovered and reported.
If source
is supposed to be a free-for-all container to include arbitrary key-value data, then let's at least remove the current description that mentions CNA chains (which I still have no idea what that means).
It also doesn't feel very tidy to have an unstructured object in an official spec. Isn't that what x_
properties are for?
submitted #60 for this
Discussed this in the September 12, 2024 QWG Meeting. Maybe just use discovery field with a subset of the current Vulnogram options. NOT upstream as this doesn't work well in this context. Mine the List and determine how it is used currently. Maybe abandon source object and start over with needed fields.
The following are observations from the CVE data as of Sep 18, 2024.
field cve_count
1 discovery 39262
2 advisory 14905
3 defect 5032
4 lang 949
5 value 949
6 defects 360
7 found_during 1
There seems to be some confusion about what goes in this field, but the current values break down like this:
EXTERNAL : 17715
UNKNOWN : 16837
INTERNAL : 4064
USER : 600
Will Dormann of CERT: 12
: 9
Internal : 5
Discovery statement : 5
Brett Casper [/](https://file+.vscode-resource.vscode-cdn.net/) Wisco: 3
external : 2
Neil Graves, Jorian : 2
UPSTREAM : 2
Dr. Florian Hauser, : 1
CUSTOMER : 1
Toronto-Dominion Ban: 1
Niv Levy : 1
ING Bank N.V. : 1
External : 1
https://www.whitesourcesoftware.com/vuln: 64
cisco-sa-rv-overflow-WUnUgv4U : 61
cisco-sa-sb-rv-rce-overflow-ygHByAK : 35
cisco-sa-rv-overflow-ghZP68yj : 30
ICSA-22-081-01 : 29
AMD-SB-1000 : 27
AMD-SB-1032 : 27
https://www.mend.io/vulnerability-databa: 26
AMD-SB-4002, AMD-SB-3002, AMD-SB-5001 : 21
AMD-SB-1021 : 20
AMD-SB-1027 : 19
https://us-cert.cisa.gov/ics/advisories/: 17
cisco-sa-smb-mult-vuln-KA9PK6D : 15
cisco-sa-fmc-xss-LATZYzxs : 15
cisco-sa-rv-stored-xss-vqz7gC8W : 15
VDE-2023-019 : 15
ICSA-22-298-06 : 14
VDE-2023-018 : 14
cisco-sa-20181003-webex-rce : 13
ODOO-SA-2020-12-02 : 13
cisco-sa-20191016-spa-rce : 13
ICSA-21-280-05 : 13
cisco-sa-csm-mult-xss-7hmOKQTt : 13
VDE-2024-011 : 13
JSA10918 : 12
...
TVN-202409018 : 1
TVN-202409019 : 1
TVN-202409020 : 1
TVN-202409026 : 1
this is split between objects (dict) and arrays and strings as outline in #317
The CVEs with the "lang" and "value" combinations appear to treat this as the "credits" portion, for example:
{"lang": "en", "value": "Mat Powell of Trend Micro Zero Day Initiative"}
appears in 181 CVEs.
one last addition, If I look for any value in the "source" section, out of all the CVEs published in a 90 day rolling window, we are somewhere around 40% of CVEs including something in this section of the data:
Both the CNA and ADP containers include a
source
attribute that is defined as:What is the use case for this object? Can we get an example of its intended values? Vulnogram seems to use it to generate:
but none of that is defined in the schema and the values seem fairly arbitrary (assuming they will remain the same for 5.0).