CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Add attribute to VDR/VEX to allow modification of severity #332

Closed hoggmania closed 10 months ago

hoggmania commented 10 months ago

The classification of a vulnerability in NVD can be somewhat divisive & debatable.

Maintainers may wish to alter the severity or an aspect of the vector. Consuming organisations may wish to manage a vulnerability and alter the vector/severity.

Adding attributes to a VEX that allow the vector to be altered or severity changed would allow significant reuse in the SCA field and indeed allow SCA providers to integrate in a standard way into such systems as OWASP Dependency Track.

OpenVEX is also debating such use cases at https://github.com/openvex/spec/issues/31

jkowalleck commented 10 months ago

Vulnerability spec: https://cyclonedx.org/docs/1.5/json/#vulnerabilities

Maintainers may wish to alter the severity or an aspect of the vector. Consuming organisations may wish to manage a vulnerability and alter the vector/severity.

The $.vulnerabilities[].ratings[].severity is handled by CycloneDX document authors. Every author is able to put in the value that they like. Consumers are also free to alter the CycloneDX document to their needs (as long as they change the $.serialNumber/$.version).

$.vulnerabilities[].ratings[].severity might be bound to a source. You are not expected to modify the severity of others. If an organization disagrees with an existing severity, they can add their own severity and add themselves as source.

Considering this, @hoggmania, is your request solved?

see also

stevespringett commented 10 months ago

Here's an example of what modified severity looks like. https://github.com/CycloneDX/bom-examples/blob/master/VEX/vex.json

Docs: https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_ratings

It's a common use case that CycloneDX has supported for several releases. What we don't want is multiple ways to accomplish modified severity. @hoggmania please let us know if there's anything in the existing implementation that's missing.
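The mechanism described in the two comments above (a consumer adds its own rating with itself as `source` rather than editing someone else's, and mints a new `serialNumber` for the modified document) as an added example, not code from the CycloneDX project or from the linked bom-examples repository. The documents, the organisation name "Example Corp AppSec", the placeholder vulnerability id and the `source_precedence` policy are all constructed for illustration.

```python
import copy
import uuid

# Constructed CycloneDX 1.5 VEX as a scanner might emit it (not the project's example file).
SCANNER_VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "vulnerabilities": [
        {
            "id": "CVE-0000-00000",  # placeholder id, not a real CVE
            "source": {"name": "NVD", "url": "https://nvd.nist.gov/"},
            "ratings": [
                {
                    # The scanner's rating carries the source it came from; nobody else edits it.
                    "source": {"name": "NVD", "url": "https://nvd.nist.gov/"},
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                }
            ],
            "affects": [{"ref": "pkg:maven/com.example/lib@1.0.0"}],
        }
    ],
}

# The consuming organisation's own assessment, attributed to itself via `source`.
# Vector and 5.4 score are a constructed CVSS v3.1 medium rating.
CONSUMER_RATING = {
    "source": {"name": "Example Corp AppSec", "url": "https://appsec.example.com/"},
    "score": 5.4,
    "severity": "medium",
    "method": "CVSSv31",
    "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
    "justification": "Affected endpoint requires an authenticated internal user in our deployment",
}


def add_rating(doc, vuln_id, rating):
    """Return a copy of `doc` with `rating` appended to the named vulnerability.

    The original document is never mutated, and the modified copy gets a fresh
    serialNumber (with version reset to 1) so it cannot be mistaken for the
    scanner's document.
    """
    new = copy.deepcopy(doc)
    for vuln in new["vulnerabilities"]:
        if vuln["id"] == vuln_id:
            vuln.setdefault("ratings", []).append(rating)
            break
    else:
        raise KeyError(f"no vulnerability with id {vuln_id!r}")
    new["serialNumber"] = f"urn:uuid:{uuid.uuid4()}"
    new["version"] = 1
    return new


def effective_severity(vuln, source_precedence):
    """Pick the severity from the first source in `source_precedence` that rated `vuln`.

    Returns (severity, source_name); ("unknown", None) when no listed source rated it.
    """
    by_source = {}
    for rating in vuln.get("ratings", []):
        name = rating.get("source", {}).get("name")
        if name and name not in by_source:
            by_source[name] = rating
    for name in source_precedence:
        if name in by_source:
            return by_source[name].get("severity", "unknown"), name
    return "unknown", None


if __name__ == "__main__":
    modified = add_rating(SCANNER_VEX, "CVE-0000-00000", CONSUMER_RATING)
    vuln = modified["vulnerabilities"][0]
    print(effective_severity(vuln, ["Example Corp AppSec", "NVD"]))  # prefer our own rating
    print(effective_severity(vuln, ["NVD"]))                          # or trust NVD only
```

A consumer tool such as a dependency tracker would typically apply `effective_severity` with its own organisation first in the precedence list, so the scanner's rating stays visible as provenance while the local assessment drives prioritisation.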

hoggmania commented 10 months ago

Feeling very sorry for wasting people's time when I missed this.....should have tried a bit more RTFM.

Much appreciated!

kcq commented 6 months ago

@jkowalleck I sort of get the logic and it sort of works with the CycloneDX VEX :-) And maybe it's just me... but I expect the CycloneDX doc with the vuln info to be generated by a vuln scanner tool/vendor where it would be immutable in some cases (e.g., could be stored in a 3rd party container registry) and the severity rating change would be done by a consumer in a separate doc. Sounds like you are saying that the consumer would need to duplicate that CycloneDX doc and add their severity as a record, right?

stevespringett commented 6 months ago

@kcq You could use the external reference type exploitability-statement to specify an external VEX, and if you wanted to include modified severity in that external file, you could.
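The pattern suggested in the reply above, an immutable scanner document that links to a consumer-maintained VEX through an `externalReferences` entry of type `exploitability-statement`, as an added example that is not part of the thread or the CycloneDX project. The SBOM, the external VEX, its URL and the `fetch` callback (an in-memory dictionary standing in for a retrieval step) are constructed for illustration.

```python
# Constructed immutable SBOM as stored in a registry; the consumer never edits it.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:7d3b1b6e-2c1a-4f8e-9a2b-1c2d3e4f5a6b",
    "version": 1,
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:maven/com.example/lib@1.0.0",
            "name": "lib",
            "version": "1.0.0",
            "purl": "pkg:maven/com.example/lib@1.0.0",
        }
    ],
    "externalReferences": [
        {
            # Points at the consumer's separately maintained VEX document.
            "type": "exploitability-statement",
            "url": "https://vex.example.internal/lib-1.0.0.vex.json",
            "comment": "Consumer-maintained VEX carrying our own ratings and analysis",
        }
    ],
}

# Constructed external VEX the consumer controls; it carries the modified severity.
EXTERNAL_VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    "version": 3,
    "vulnerabilities": [
        {
            "id": "CVE-0000-00000",  # placeholder id, not a real CVE
            "source": {"name": "NVD", "url": "https://nvd.nist.gov/"},
            "ratings": [
                {"source": {"name": "NVD"}, "severity": "critical", "method": "CVSSv31"},
                {"source": {"name": "Example Corp AppSec"}, "severity": "medium", "method": "CVSSv31"},
            ],
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Vulnerable parser is never invoked by our application",
            },
            "affects": [{"ref": "pkg:maven/com.example/lib@1.0.0"}],
        }
    ],
}

# Stands in for fetching the URL over the network (assumption: an in-memory store).
FETCHED = {"https://vex.example.internal/lib-1.0.0.vex.json": EXTERNAL_VEX}


def vex_references(bom):
    """URLs of all exploitability-statement references declared by the BOM."""
    return [
        ref["url"]
        for ref in bom.get("externalReferences", [])
        if ref.get("type") == "exploitability-statement" and "url" in ref
    ]


def overlay(bom, fetch):
    """Combine the immutable BOM with its linked VEX documents, returning findings
    keyed by component bom-ref. `fetch(url)` returns the parsed VEX or None.
    The BOM itself is read-only and is not modified."""
    known_refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    findings = {}
    for url in vex_references(bom):
        vex = fetch(url)
        if not vex:
            continue  # unreachable statement: leave the component with no finding
        for vuln in vex.get("vulnerabilities", []):
            analysis = vuln.get("analysis", {})
            entry = {
                "id": vuln.get("id"),
                "state": analysis.get("state", "in_triage"),
                "justification": analysis.get("justification"),
                # Every rating keeps its source, so provenance of the severity is explicit.
                "ratings": [
                    (r.get("source", {}).get("name"), r.get("severity"))
                    for r in vuln.get("ratings", [])
                ],
                "vex_url": url,
            }
            for affected in vuln.get("affects", []):
                if affected.get("ref") in known_refs:
                    findings.setdefault(affected["ref"], []).append(entry)
    return findings


if __name__ == "__main__":
    for ref, entries in overlay(SBOM, FETCHED.get).items():
        for e in entries:
            print(ref, e["id"], e["state"], e["ratings"])
```

Because the BOM is untouched, its `serialNumber` and any signature over it remain valid; only the external VEX changes as the organisation revises its assessment, which is why its `version` is the one that increments.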