search

CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0
359 stars 56 forks source link

[FEATURE]: EPSS Score on Vulnerability model #481

Open mcombuechen opened 3 months ago

mcombuechen commented 3 months ago

Describe the feature

Vulnerabilities can have an EPSS score attached to them. This describes the probability of a vulnerability being exploited. As of spec version 1.6, there is no clear way to attach this to a CycloneDX Vulnerability.

A vulnerability does have a slot for ratings, but it is not clear whether it can be used to include the EPSS, which consists of two values (the probability score itself, a percentile). It might be worth introducing a new slot for this vulnerability attribute.

Possible solutions

Shooting from the hip.

type Vulnerability {
  bom-ref string
  // ...
  epss    EpssScore
}

type EpssScore {
  probability float
  percentile  float
}

Alternatives

Getting it into the ratings, but it does not really fit the "severity" category that ratings was intended for.

Additional context

Support for EPSS was added to SPDX 3.0: https://spdx.github.io/spdx-spec/v3.0/model/Security/Classes/EpssVulnAssessmentRelationship/

stevespringett commented 3 months ago

Thanks for the suggestion. There are a few challenges with supporting EPSS in any specification today.

  1. Its dynamic and subject to change every 24 hours.
  2. EPSS is not versioned.
  3. Updates to the EPSS model occur with little to no notice to adopters.

Because EPSS is not versioned, and the scores can change whenever changes to the model occur, it will be important to capture the timestamp of when the EPSS was generated. It appears that SPDX v3.0 does not have support for this. They have a publishedTime, but that is in reference to the vulnerability, not when when the EPSS was calculated.

Another potential challenge is the use of two fields today (probability and percentile). Since EPSS is not versioned, there is nothing prohibiting the EPSS team from adding or removing other fields, making any standard that supports it incompatible with the current EPSS specification.

Adding an unversioned pseudo standard to CycloneDX which is pursuing both Ecma and ISO standardization will be problematic. It will likely (and rightfully) be questioned.

If we can get the EPSS team to formally version EPSS, then that would reduce possible issues with CycloneDX adoption and standardization efforts.

We may want to ping Sasha Romanosky, or one of the other EPSS chairs.

thiago-gitlab commented 3 months ago

Thanks for the insightful response, @stevespringett. I've asked about KEV in the Slack thread, but I figured I should do it here since it's more discoverable by others.

Have you got any thoughts on supporting KEV in CDX?

stevespringett commented 3 months ago

@thiago-gitlab,

KEV defines the following properties: property description
cveID The CVE ID of the vulnerability in the format CVE-YYYY-NNNN, note that the number portion can have more than 4 digits
vendorProject The vendor or project name for the vulnerability
product The vulnerability product
vulnerabilityName The name of the vulnerability
dateAdded The date the vulnerability was added to the catalog in the format YYYY-MM-DD
shortDescription A short description of the vulnerability
requiredAction The required action to address the vulnerability
dueDate The date the required action is due in the format YYYY-MM-DD
knownRansomwareCampaignUse 'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware
notes Any additional notes about the vulnerability

knownRansomwareCampaignUse is interesting but limited to only ransomware, which is unfortunate. The requiredAction and dueDate are U.S. Government specific. In fact, KEV itself is U.S. specific. If CycloneDX supported a catalogue of known exploitable vulnerabilities, it would need to do so in a more inclusive way. If you're interested in that, please create a new ticket and we can discuss there.