eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Apache License 2.0
517 stars, 124 forks

Support CycloneDX Vulnerability Exploitability Exchange (VEX) report #553

Open VinodAnandan opened 2 years ago

VinodAnandan commented 2 years ago

The known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.

More information:

https://cyclonedx.org/capabilities/vex/#vulnerability-exploitability-exchange-vex
https://github.com/CycloneDX/bom-examples/tree/master/VEX

Cc: @stevespringett

henrikplate commented 2 years ago

Hello @VinodAnandan, do you suggest an extension or new feature of Steady to generate VEX BOMs for scanned applications, to reflect the results of Steady's static or dynamic reachability analysis? Say Steady takes as input an existing CycloneDX BOM, e.g., produced by CycloneDX's plugin, and enriches this information with regard to the reachability of contained vulnerable code.

VinodAnandan commented 2 years ago

Hi @henrikplate. I was proposing the use case where Steady will be an SBOM+VEX producer.

CycloneDX will enable the exchange of the component information and vulnerability information in a standardized way. CycloneDX is already adopted by several tools (https://cyclonedx.org/tool-center/) including OWASP Dependency Track. If "steady" can provide the VEX information along with BOM in a CycloneDX format (https://github.com/CycloneDX/cyclonedx-core-java), it can be used with other tools which support CycloneDX. The OWASP Dependency Track project consumes and produces CycloneDX SBOM and VEX (https://docs.dependencytrack.org/).

staedy commented 1 year ago

Hello, tell me? What to do, in French please. Thank you. staedy@outlook.fr

prabhu commented 11 months ago

@henrikplate With the CycloneDX 1.5 specification, it is possible to set component and call-stack evidence in the generated document. cdxgen makes good use of these attributes with the evinse command.

Below are some links for your reference:

https://cyclonedx.org/docs/1.5/json/#components_items_evidence_occurrences
https://github.com/CycloneDX/cdxgen
https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md#evinse-mode

cdxgen generates the evidence using static analysis with a tool called atom. https://github.com/AppThreat/atom

Supporting evidence with steady would help end users consolidate information from the static and runtime tools. Please consider this request by integrating with CycloneDX and help improve the specification.
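To make the two proposals in this thread concrete (henrikplate's "take an existing CycloneDX BOM and enrich it with reachability", and prabhu's "record component and call-stack evidence as in CycloneDX 1.5"), here is an added, stand-alone Python example. It is not code from Steady, cdxgen or CycloneDX; it uses only the standard library and works on a plain JSON document. The BOM, the package URLs, the vulnerability identifiers (`EXAMPLE-VULN-...`) and the reachability findings are constructed placeholders, and the `reached_from` input shape is an assumption about what a call-graph analysis would hand over. The field names written into the output (`evidence.occurrences`, `evidence.callstack.frames`, `vulnerabilities[].analysis.state` / `justification`) are the ones defined by the CycloneDX 1.5 JSON schema.

```python
import copy
import json

# Constructed sample: a minimal CycloneDX 1.5 BOM as a dependency scanner might emit it.
# Component names, purls and bom-refs are placeholders, not real packages.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "bom-ref": "pkg:maven/org.example/example-lib@1.2.3",
         "purl": "pkg:maven/org.example/example-lib@1.2.3"},
        {"type": "library", "name": "other-lib", "version": "4.5.6",
         "bom-ref": "pkg:maven/org.example/other-lib@4.5.6",
         "purl": "pkg:maven/org.example/other-lib@4.5.6"},
    ],
}

# Constructed reachability findings (assumed input shape): which vulnerable construct in
# which component, and the frames from application code down to it if it was reached.
# `reached_from` is None when the analysis found no path to the vulnerable construct.
SAMPLE_FINDINGS = [
    {
        "vuln_id": "EXAMPLE-VULN-0001",  # placeholder id, not a real advisory
        "component_ref": "pkg:maven/org.example/example-lib@1.2.3",
        "vulnerable_construct": "org.example.lib.Parser.parse(String)",
        "reached_from": [
            {"package": "com.acme.app", "module": "Main", "function": "main",
             "line": 12, "fullFilename": "src/main/java/com/acme/app/Main.java"},
            {"package": "org.example.lib", "module": "Parser", "function": "parse",
             "line": 88, "fullFilename": "org/example/lib/Parser.java"},
        ],
    },
    {
        "vuln_id": "EXAMPLE-VULN-0002",  # placeholder id, not a real advisory
        "component_ref": "pkg:maven/org.example/other-lib@4.5.6",
        "vulnerable_construct": "org.example.other.Util.dangerous()",
        "reached_from": None,
    },
]


def analysis_for(finding):
    """Map one reachability result onto a CycloneDX `analysis` object.

    A reached construct is reported as `exploitable`; an unreached one as
    `not_affected` with the schema's `code_not_reachable` justification. A VEX
    consumer (e.g. Dependency-Track) can then suppress the latter automatically.
    """
    construct = finding["vulnerable_construct"]
    if finding["reached_from"]:
        path = " -> ".join(f"{fr['module']}.{fr['function']}" for fr in finding["reached_from"])
        return {"state": "exploitable",
                "detail": f"Vulnerable construct {construct} is reachable: {path}"}
    return {"state": "not_affected",
            "justification": "code_not_reachable",
            "detail": f"No call path from application code to {construct}"}


def enrich_with_vex(bom, findings):
    """Return a copy of `bom` carrying VEX entries and 1.5 component evidence."""
    out = copy.deepcopy(bom)  # never mutate the scanner's original document
    by_ref = {c["bom-ref"]: c for c in out["components"]}
    vulns = out.setdefault("vulnerabilities", [])
    for f in findings:
        comp = by_ref[f["component_ref"]]  # KeyError here means the BOM and findings disagree
        if f["reached_from"]:
            evidence = comp.setdefault("evidence", {})
            # occurrences: where the component's code was actually seen in use
            evidence.setdefault("occurrences", []).append(
                {"location": f["reached_from"][-1]["fullFilename"]})
            # The 1.5 schema allows one callstack object per component, so the first
            # reached path is recorded there; further paths stay in analysis.detail.
            evidence.setdefault("callstack", {"frames": list(f["reached_from"])})
        vulns.append({
            "id": f["vuln_id"],
            "affects": [{"ref": f["component_ref"]}],
            "analysis": analysis_for(f),
        })
    return out


def vex_summary(bom):
    """Vulnerability id -> analysis state, the view a triage dashboard would show."""
    return {v["id"]: v["analysis"]["state"] for v in bom.get("vulnerabilities", [])}


if __name__ == "__main__":
    enriched = enrich_with_vex(SAMPLE_BOM, SAMPLE_FINDINGS)
    print(json.dumps(enriched, indent=2))
    print(vex_summary(enriched))
```

The point worth checking in practice is that an unreached construct is reported as `not_affected` with a justification, not silently dropped: the vulnerability still appears in the document, so a consumer can audit why it was deprioritised and re-evaluate if the application's call graph changes.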