aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

VCIO: Collect CISA Known Exploited Vulnerabilities #1028

Open mjherzog opened 1 year ago

mjherzog commented 1 year ago

CISA publishes a catalog of Known Exploited Vulnerabilities at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. The data appears to use CVE as a key. I downloaded the current CSV catalog of 860 items - there is also a JSON download and an option to subscribe to updates by email. This data seems highly relevant for assessing the severity of a known vulnerability even if it seems limited to a pretty small subset of CVE vulnerabilities. We should consider using this data in the improver work flow.

pombredanne commented 11 months ago

From https://github.com/nexB/vulnerablecode/issues/849

Add CISA known exploited vulnerabilities https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json

DennisClark commented 8 months ago

A question came up about the meaning or significance of the "dueDate" field in the schema at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities_schema.json
which states that it is a required field, but the only description provided is "The date the required action is due in the format YYYY-MM-DD".

A perusal of the data at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json shows many of the dueDate values as being rather old, such as 2021-11-17

It seems that the dueDate applies to USA federal civilian executive branch (FCEB) agencies and it otherwise appears to exist for historical reasons, perhaps suggesting the importance or urgency of the Remediation, but not necessarily a legal obligation for an entity outside of FCEB agencies.

from this page: https://www.cisa.gov/known-exploited-vulnerabilities

Criteria #3 - Clear Remediation Guidance

CISA adds known exploited vulnerabilities to the catalog when there is a clear action for the affected organization to take. The remediation action referenced in BOD 22-01 requires federal civilian executive branch (FCEB) agencies to take the following actions for all vulnerabilities in the KEV, and CISA strongly encourages all organizations to do the same:

    Apply updates per vendor instructions. There is an update available from the security vendor, and users should apply it.
    Remove from agency networks if the impacted product is end-of-life or cannot be updated otherwise.

DennisClark commented 8 months ago

The TLA KEV is used on the CISA website to refer to Known Exploited Vulnerabilities

DennisClark commented 8 months ago

The KEV catalog entries are identified by a CVE value; however, the additional data provided in the KEV entries are probably best directly associated with a VCID in VulnerableCode, so the following fields should be added to a vulnerability model definition, perhaps as a separate table with a 0-to-1 relationship (note that I have expanded the definitions beyond the rather basic descriptions provided in the KEV schema to make them more relevant to VCIO):

kev_date_added (from dateAdded) UI label: KEV Date Added string in date format YYYY-MM-DD The date the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog in the format YYYY-MM-DD.

kev_description (from shortDescription) UI label: KEV Description string Description of the vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, usually a refinement of the original CVE description.

kev_required_action (from requiredAction) UI label: KEV Required Action string The required action to address the vulnerability, typically to apply vendor updates or apply vendor mitigations or to discontinue use.

kev_due_date (from dueDate) UI label: KEV Due Date string in date format YYYY-MM-DD The date the required action is due in the format YYYY-MM-DD, which applies to all USA federal civilian executive branch (FCEB) agencies, but all organizations are strongly encouraged to execute the required action.

kev_resources_and_notes (from notes) UI label: KEV Resources and Notes string (may contain URL values) Additional notes and resources about the vulnerability, often a URL to vendor instructions.

kev_knownRansomwareCampaignUse (from knownRansomwareCampaignUse) UI label: KEV Ransomware Campaign Use string Values are 'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; or 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware.

DennisClark commented 8 months ago

Suggested appearance in the VCIO UI: I think the new fields would be best placed, only if there are any values obtained by an Improver from the KEV, on the Essentials tab, as additional rows at the end of the summary table, right after the Status row.

DennisClark commented 8 months ago

We of course need an Improver to gather the KEV entries. Note that the dateAdded field is required in the KEV catalog, so that is probably the best way to search for new ones.
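A worked sketch of what such an Improver has to do with the feed, covering both the field mapping proposed above and the dateAdded-based selection of new entries. This is an added example, not VulnerableCode project code; the sample feed is constructed in the shape of the KEV JSON linked in this thread (the CVE identifiers are real, every other value is made up for the example), and the set of fields treated as required is an assumption limited to the ones this thread calls out (cveID as the key, dateAdded, dueDate).

```python
"""Added example (not VulnerableCode code): parse a CISA KEV JSON feed,
map each entry onto the kev_* fields proposed in this thread, and select
entries that are new since the last run using dateAdded."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Any, Iterable, Optional

# Constructed sample in the shape of the KEV JSON feed. CVE IDs are real;
# all other values are invented for the example, not taken from the catalog.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.01.01",
    "dateReleased": "2023-01-01T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-40539",
            "vendorProject": "Zoho",
            "product": "ManageEngine ADSelfService Plus",
            "vulnerabilityName": "Authentication Bypass Vulnerability",
            "dateAdded": "2021-11-03",
            "shortDescription": "Authentication bypass leading to RCE.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-11-17",
            "notes": "",
            # knownRansomwareCampaignUse deliberately omitted (see below)
        },
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "shortDescription": "JNDI lookup in log messages leads to RCE.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
            "notes": "https://logging.apache.org/log4j/2.x/security.html",
        },
    ],
})

# Assumed minimum: the catalog key plus the two dates this thread notes are
# required in the KEV schema.
REQUIRED_KEYS = ("cveID", "dateAdded", "dueDate")


@dataclass(frozen=True)
class KEVEntry:
    cve_id: str
    date_added: date
    short_description: str
    required_action: str
    due_date: date
    notes: str
    # None when the feed omits the field; absence is not the same as the
    # catalog value "Unknown", which is an explicit statement by CISA.
    known_ransomware_campaign_use: Optional[str]


def _parse_entry(raw: dict) -> KEVEntry:
    missing = [k for k in REQUIRED_KEYS if k not in raw]
    if missing:
        raise ValueError(f"KEV entry missing required field(s): {missing}")
    cve_id = raw["cveID"].strip().upper()
    if not cve_id.startswith("CVE-"):
        raise ValueError(f"unexpected catalog key: {cve_id!r}")
    return KEVEntry(
        cve_id=cve_id,
        date_added=date.fromisoformat(raw["dateAdded"]),
        short_description=raw.get("shortDescription", ""),
        required_action=raw.get("requiredAction", ""),
        due_date=date.fromisoformat(raw["dueDate"]),
        notes=raw.get("notes", ""),
        known_ransomware_campaign_use=raw.get("knownRansomwareCampaignUse"),
    )


def parse_kev_feed(text: str) -> list[KEVEntry]:
    """Parse the whole feed; reject it if the top-level count disagrees."""
    feed = json.loads(text)
    entries = [_parse_entry(v) for v in feed["vulnerabilities"]]
    if "count" in feed and feed["count"] != len(entries):
        raise ValueError("feed count does not match number of entries")
    return entries


def new_since(entries: Iterable[KEVEntry], watermark: Optional[date]) -> list[KEVEntry]:
    """Entries with dateAdded on or after the watermark (the newest
    dateAdded seen by the previous run), oldest first. The bound is
    inclusive so same-day additions are not lost; the caller must upsert
    by cve_id so re-seeing an entry is harmless."""
    selected = [e for e in entries if watermark is None or e.date_added >= watermark]
    return sorted(selected, key=lambda e: (e.date_added, e.cve_id))


def to_vcio_fields(entry: KEVEntry) -> dict[str, Any]:
    """Map one entry onto the kev_* field names proposed in this thread."""
    return {
        "kev_date_added": entry.date_added.isoformat(),
        "kev_description": entry.short_description,
        "kev_required_action": entry.required_action,
        "kev_due_date": entry.due_date.isoformat(),
        "kev_resources_and_notes": entry.notes,
        "kev_knownRansomwareCampaignUse": entry.known_ransomware_campaign_use,
    }


if __name__ == "__main__":
    for e in new_since(parse_kev_feed(SAMPLE_FEED), date(2021, 12, 1)):
        print(e.cve_id, to_vcio_fields(e))
```

Keyed by CVE, the improver can look the VCID up from the CVE alias and attach the mapped dict to it; the inclusive watermark plus an idempotent upsert means a rerun after a partial failure does not skip or duplicate entries.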

DennisClark commented 8 months ago

@TG1999 @pombredanne I think we are ready to assign this one to a developer.

ziadhany commented 7 months ago

I think this issue is interesting, and I'll assign it to myself if no one is working on it.

TG1999 commented 7 months ago

@ziadhany go ahead!

ziadhany commented 2 months ago

Done! closed by #1422

pombredanne commented 1 month ago

I am reopening this until we have verified that this is deployed on https://public.vulnerablecode.io

pombredanne commented 1 month ago

See in particular: