Closed hoggmania closed 10 months ago
Vulnerability spec: https://cyclonedx.org/docs/1.5/json/#vulnerabilities
The $.vulnerabilities[].ratings[].severity is handled by CycloneDX document authors. Every author is able to put in the value that they like. Consumers are also free to alter the CycloneDX document to their needs (as long as they change the $.serialNumber/$.version).
$.vulnerabilities[].ratings[].severity might be bound to a source. You are not expected to modify the severity of others.
If an organization disagrees with an existing severity, they can add their own severity and add themselves as source.
Considering this, @hoggmania, is your request solved?
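As an added illustration of the approach described in the comment above (example code, not from this thread or the CycloneDX project): a consumer appends its own rating, carrying its own source, to a scanner-produced VEX rather than editing the existing rating, and gives the derived document a new serialNumber. The sample document and its CVE id are constructed placeholders.

```python
import copy
import json
import uuid

# Constructed sample: a minimal CycloneDX 1.5 VEX as a scanner might emit it
# (the CVE id is a placeholder, not a real vulnerability).
SCANNER_VEX = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
  "version": 1,
  "vulnerabilities": [{
    "id": "CVE-0000-00000",
    "ratings": [{"source": {"name": "NVD"}, "score": 9.8, "severity": "critical",
                 "method": "CVSSv31",
                 "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]
  }]
}
""")
# Allowed values of $.vulnerabilities[].ratings[].severity in CycloneDX 1.5.
SEVERITIES = {"critical", "high", "medium", "low", "info", "none", "unknown"}

def add_consumer_rating(doc, vuln_id, rating):
    """Return a copy of doc with the consumer's own rating appended to vuln_id.

    Existing ratings (other sources' opinions) stay untouched; the consumer's
    view is one more rating naming its own source. As the content now differs,
    the copy gets a fresh serialNumber and restarts its version counter.
    """
    if rating.get("severity") not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if not rating.get("source", {}).get("name"):
        raise ValueError("a consumer rating must name its source")
    new_doc = copy.deepcopy(doc)
    for vuln in new_doc.get("vulnerabilities", []):
        if vuln.get("id") == vuln_id:
            vuln.setdefault("ratings", []).append(copy.deepcopy(rating))
            break
    else:
        raise KeyError(f"{vuln_id} not found in document")
    new_doc["serialNumber"] = f"urn:uuid:{uuid.uuid4()}"
    new_doc["version"] = 1
    return new_doc

def severities_by_source(doc, vuln_id):
    """Map each rating's source name to its severity for one vulnerability."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("id") == vuln_id:
            return {r["source"]["name"]: r["severity"] for r in vuln.get("ratings", [])}
    return {}
```

Both the scanner's rating and the consumer's remain visible side by side, each attributable to its source, so a tool such as Dependency-Track can choose which source to trust.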
see also
Here's an example of what modified severity looks like. https://github.com/CycloneDX/bom-examples/blob/master/VEX/vex.json
Docs: https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_ratings
It's a common use case that CycloneDX has supported for several releases. What we don't want is multiple ways to accomplish modified severity. @hoggmania please let us know if there's anything in the existing implementation that's missing.
Feeling very sorry for wasting people's time when I missed this.....should have tried a bit more RTFM.
Much appreciated!
@jkowalleck I sort of get the logic and it sort of works with the CycloneDX VEX :-) And maybe it's just me... but I expect the CycloneDX doc with the vuln info to be generated by a vuln scanner tool/vendor where it would be immutable in some cases (e.g., could be stored in a 3rd party container registry) and the severity rating change would be done by a consumer in a separate doc. Sounds like you are saying that the consumer would need to duplicate that CycloneDX doc and add their severity as a record, right?
@kcq You could use the external reference type exploitability-statement to specify an external VEX, and if you wanted to include modified severity in that external file, you could.
The classification of a vulnerability in NVD can be somewhat divisive & debatable.
Maintainers may wish to alter the severity or an aspect of the vector. Consuming organisations may wish to manage a vulnerability and alter the vector/severity.
Adding attributes to a VEX that allow the vector to be altered or severity changed would allow significant reuse in the SCA field and indeed allow SCA providers to integrate in a standard way into such systems as OWASP Dependency Track.
OpenVEX is also debating such use cases at https://github.com/openvex/spec/issues/31