search

CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
Creative Commons Zero v1.0 Universal
263 stars 146 forks source link

add aliases and related to Published.cveMetadata #89

Closed rsc closed 3 years ago

rsc commented 3 years ago

In our work with open-source vulnerability databases, we have found it critical to be able to match CVEs to equivalent entries in other databases as well as to related CVEs.

We propose adding two new fields in the cveMetadata object, named “aliases” and “related”. Both would be lists of strings.

The “aliases” list would be a list of vulnerability IDs in other databases that are considered the same as this CVE. For example, CVE-2020-28498 is also tracked as (that is, the same as) GHSA-r9p9-mrjm-926w, NPM-1648 and SNYK-JS-ELLIPTIC-1064899.

The “related” list would be a list of vulnerability IDs (CVEs or from other databases) that are considered closely related to this CVE. For example, the CVE mentioned in the last paragraph is closely related to - but not the same as - CVE-2020-35149, which is also tracked as GHSA-45q2-34rf-mr94, NPM-1649 and SNYK-JAVA-ORGWEBJARSNPM-1069836.

Using this proposal, the entry for CVE-2020-28498 could list in its cveMetadata:

"aliases": [
  "NPM-1648",
  "GHSA-r9p9-mrjm-926w",
  "SNYK-JS-ELLIPTIC-1064899"
],
"related": [
  "CVE-2020-35149",
  "NPM-1649",
  "GHSA-45q2-34rf-mr94",
  "SNYK-JAVA-ORGWEBJARSNPM-1069836"
],
chandanbn commented 3 years ago

References with URLs, names, and tags were meant to be one way to capture this. Perhaps we need two new tags "alias" and "related"? or just "related" tag, assuming lack of one indicates a directly relevant/equivalent reference. CERT CC had a similar proposal with few more relationships like subset/superset.

Do you see any identifier that would not have an URL?

      "references": [
        {
          "url": "https://github.com/npm/npm/issues/8517",
          "name": "NPM-8517",
          "tags": [
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/advisories/GHSA-r9p9-mrjm-926w",
          "name": "GHSA-r9p9-mrjm-926w",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f",
          "name": "441b7428b0e8f6636c42118ad2aaa186d3c34c3f",
          "tags": [
            "patch"
          ]
        },
        {
          "url": "https://github.com/indutny/elliptic/pull/244/commits",
          "name": "",
          "tags": [
            "patch",
            "permissions-required"
          ]
        },
        {
          "url": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899",
          "name": "SNYK-JS-ELLIPTIC-1064899",
          "tags": [
            "third-party-advisory",
            "vdb-entry"
          ]
        }
      ]
tcullum-rh commented 3 years ago

I'd prefer to use the reference tags for this purpose, as how @chandanbn showed above. I believe all of those other such listings will always (or at least should) have an associated URL, which also plays nicely with the "public reference" requirement of CVE records.

I'd argue that the term "alias" would not be proper here, because e.g. SNYK, GHSA, GHSL, NPM, etc... are not CVE records. I would expect that an "alias" of a CVE record is another name which refers to the actual CVE record, not a related entry in another system. That being said, I do agree with the "related" terminology, but wonder if we could use reference tags for this purpose as mentioned above.

IMO, if we were to do something such as try to make hard one-to-one mappings between CVE and other systems, we would need to ensure that the record specification for those systems is in alignment with CVE. E.G., would it be possible to have a GHSA which lists multiple CVEs? If so, it would make more sense to simply list that GHSA as a reference for the CVE.

rsc commented 3 years ago

Thanks for the feedback. Using references sounds great. I'm hesitant to assume another entry is a direct equivalent without an explicit signal, though. Perhaps that's what "vdb-entry" would be? And then "vdb-related" for things that are similar but not the same?

rsc commented 3 years ago

The only mention of vdb-related in the repo (other than the generated html) seems to be https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/tags/reference-tags.json, but it doesn't document what any of those tags mean. Are the meanings of the tags documented in another repo or document?

chandanbn commented 3 years ago

AI: add tag definitions to schema AI: introduce new "related" tag

tcullum-rh commented 3 years ago

@chandanbn do we have a preferred way of adding the tag defs to the schema with enums like this? Please see https://github.com/json-schema-org/json-schema-spec/issues/57 and https://groups.google.com/g/json-schema/c/w_5mVYB7OHg . Trying to do it in the least complex and cumbersome manner... We could just add one big description to the tags array, or add a little bit of complexity and use one of the solutions proposed there. I'm not super thrilled about either option tbh.

chandanbn commented 3 years ago

Just having the definitions in the "description" with as plain text string should be sufficient. You can use simple markdown for readability.

For eg., term1: definition.\n\nterm2: definition.\n\n