MaibornWolff / SecObserve

SecObserve is an open source vulnerability management system for software development and cloud environments. It supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines.
https://maibornwolff.github.io/SecObserve/
BSD 3-Clause "New" or "Revised" License

Suggestion: Add creation of CSAF VEX to distribute information about "irrelevant results" #747

Closed tschmidtb51 closed 6 months ago

tschmidtb51 commented 10 months ago

The README says:

With the help of automatically executed rules and manual assessments, the results can be efficiently evaluated to eliminate irrelevant results and accept risks. This allows the development team to concentrate on fixing the relevant vulnerabilities.

As we already have the information from manual assessments, what about creating CSAF VEX from them?
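The mapping suggested above, from a manual assessment (an "irrelevant result" or an accepted risk) to a CSAF 2.0 document using the VEX profile, as an added example that is neither part of this issue nor SecObserve's own code. The assessment record fields (cve, status, justification, comment), the product and publisher names, the publisher namespace and the CVE ids are constructed placeholders.

```python
from datetime import datetime, timezone
# Justification labels CSAF 2.0 allows in /vulnerabilities[]/flags[]/label
VEX_FLAGS = {"component_not_present", "vulnerable_code_not_present",
             "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
             "vulnerable_code_cannot_be_controlled_by_adversary"}

def build_csaf_vex(product, version, assessments, publisher, tracking_id, now=None):
    """CSAF 2.0 document (VEX profile) from assessment records. Record fields (cve,
    status, justification, comment) are assumed names, not SecObserve's model."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    pid = f"{product}-{version}"  # product_id every vulnerability refers to
    doc = {
        "document": {
            "category": "csaf_vex", "csaf_version": "2.0",
            "title": f"VEX for {product} {version}",
            "publisher": {"category": "vendor", "name": publisher,
                          "namespace": f"https://{publisher}.example"},  # assumed URI
            "tracking": {"id": tracking_id, "status": "final", "version": "1",
                         "initial_release_date": now, "current_release_date": now,
                         "revision_history": [{"date": now, "number": "1",
                                               "summary": "Initial release"}]}},
        "product_tree": {"branches": [{"category": "product_name", "name": product,
            "branches": [{"category": "product_version", "name": version,
                          "product": {"name": f"{product} {version}", "product_id": pid}}]}]},
        "vulnerabilities": []}
    for a in assessments:
        v = {"cve": a["cve"], "notes": [{"category": "description", "text": a["comment"]}]}
        if a["status"] == "not_affected":  # irrelevant result
            if a["justification"] not in VEX_FLAGS:
                raise ValueError(f"not a CSAF VEX justification: {a['justification']}")
            v["product_status"] = {"known_not_affected": [pid]}
            # VEX profile requires an impact statement here; a flag carries the justification
            v["flags"] = [{"label": a["justification"], "product_ids": [pid]}]
        elif a["status"] == "affected":  # risk accepted
            v["product_status"] = {"known_affected": [pid]}
            # VEX profile requires an action statement here
            v["remediations"] = [{"category": "none_available",
                                  "details": a["comment"], "product_ids": [pid]}]
        else:
            raise ValueError(f"unsupported assessment status: {a['status']}")
        doc["vulnerabilities"].append(v)
    return doc

# Constructed sample assessments; the CVE ids are placeholders, not real CVEs
SAMPLE = [{"cve": "CVE-1900-0001", "status": "not_affected",
           "justification": "vulnerable_code_not_in_execute_path",
           "comment": "Affected function is never called by this service."},
          {"cve": "CVE-1900-0002", "status": "affected", "justification": None,
           "comment": "Risk accepted until the next maintenance window."}]
```

Serialising the returned dict with json.dumps gives the file to publish; a CSAF validator should still be run over it, since the builder only enforces the two VEX-profile rules it comments on.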

StefanFl commented 10 months ago

Hi @tschmidtb51, that's a good idea, thank you for that. A lot of information is already in SecObserve, but some would still be missing:

I will put the CSAF VEX in the backlog, but it might need some time.

Do you by any chance know if the EU Cyber Resilience Act defines how vendors have to report vulnerabilities? Will it be CSAF based?

tschmidtb51 commented 9 months ago

@StefanFl If you need more input: BSI is offering a series of CSAF workshops: https://www.allianz-fuer-cybersicherheit.de/Webs/ACS/DE/Netzwerk-Formate/Veranstaltungen-und-Austausch/CSAFversum/CSAF_english.html

Do you by any chance know if the EU Cyber Resilience Act defines how vendors have to report vulnerabilities? Will it be CSAF based?

BSI is not directly involved in writing the CRA. Based on my knowledge, the CRA will not call out specific standards as this will be done through harmonized norms. IMHO, CSAF seems to be the obvious choice given that you have to provide information on the vulnerability and its remediation (=> security advisory).

StefanFl commented 6 months ago

Design and implementation have started:

But it will be a long way.

StefanFl commented 6 months ago

Draft PR: https://github.com/MaibornWolff/SecObserve/pull/1146

StefanFl commented 6 months ago

An experimental implementation for CSAF and OpenVex will be part of the next release.