google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.49k stars 182 forks

No Support for CSAFv2, SBOM and your President's Orders? Why play standalone #937

Closed brettforbes closed 1 year ago

brettforbes commented 1 year ago

Why do you want to push your own standard in front of what is mandated for the USA????????????

Why??? Anyone who touches your standard is doomed. They certainly could not sell to the government.

What rationale do you have to go against the Executive Orders???? Why even bother.

https://www.cisa.gov/blog/2022/11/10/transforming-vulnerability-management-landscape

Can you comprehend how much it sucks to be on the user's side, and be faced with yet another island of poorly thought-through details??? Why can't the big vendors support the freaking standards?

Frankly this repo is just depressing

priamai commented 1 year ago

I am reading from the website:

All advisories in this database use the [OpenSSF OSV format](https://ossf.github.io/osv-schema/), which was developed in collaboration with open source communities.

The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.

Then following that link I can see that the current OSV schema:

Version 1.3.1 (September 28, 2022)

But was announced in 2021

And that blog mentions:

Our effort also aligns with the recent [US Executive Order on Improving the Nation’s Cybersecurity](https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity), which emphasized the need to remove barriers to sharing threat information in order to strengthen national infrastructure. This expanded shared vulnerability database marks an important step toward creating a more secure open-source environment for all users.

priamai commented 1 year ago

Looking back in chronological order, CSAF:

https://www.oasis-open.org/2022/11/28/common-security-advisory-framework-version-2-0-oasis-standard-is-now-published/

Common Security Advisory Framework Version 2.0 OASIS Standard 18 November 2022

So my guess is that Google had been working on their OSV schema in 2021, and then CSAF was introduced? This is understandable, but given the resources available to Google, why not move to CSAF now?

oliverchang commented 1 year ago

Hi,

The OSV schema was created as a first class format for describing vulnerabilities in open source. Please see https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html for the full rationale on why we created it. The summary is there is no other simple format available that actually enforces machine readability and ties it to actual open source versioning practices (such as git commits).

OSV-Scanner provides SBOM support (with plans for automated VEX generation) to bridge the gaps with other standards.

We found the CSAF format lacking as a first class format for open source, but interoperability is still possible -- it's completely possible to generate CSAF documents (VEX or advisories) from OSV schema entries, and something we could potentially build as part of the OSV-Scanner.

Closing this issue, but happy to discuss more.
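To make the two points in the reply above concrete (that OSV `affected` ranges are machine-evaluable against real package versions, and that a CSAF document can be generated from an OSV entry), here is an added example that is not code from osv.dev, OSV-Scanner or the OSV schema project. The OSV entry, the package `example-lib`, the identifier `EXAMPLE-2023-0001` and the publisher are constructed; the CSAF mapping uses top-level CSAF 2.0 field names but is a minimal illustration that has not been validated against the official CSAF JSON schema, and the `CSAFPID-nnnn` product ids are generated here.

```python
"""Evaluate OSV SEMVER ranges and emit a minimal CSAF 2.0 advisory from one entry.
Added example, not osv.dev project code; the data below is constructed."""
import json

# Constructed OSV entry for a hypothetical package (not a real advisory).
OSV_ENTRY = {
    "id": "EXAMPLE-2023-0001",
    "published": "2023-01-10T00:00:00Z",
    "modified": "2023-01-12T00:00:00Z",
    "summary": "Path traversal in example-lib archive extraction",
    "details": "Archive members containing '..' are written outside the target directory.",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "example-lib"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"},
                               {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}],
    }],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
}


def _semver_key(version):
    # Simplification (assumption): numeric MAJOR.MINOR.PATCH only; a pre-release
    # suffix such as "-rc1" is dropped rather than ordered.
    return tuple(int(p) for p in version.split("-")[0].split("."))


def version_in_range(version, rng):
    """Walk the OSV events in order: 'introduced' moves a version into the affected
    set, reaching 'fixed' (or passing 'last_affected') moves it out again.
    Assumes events are listed in ascending version order, as the schema requires."""
    if rng["type"] != "SEMVER":
        raise ValueError("only SEMVER ranges are handled in this example")
    v = _semver_key(version)
    affected = False
    for event in rng["events"]:
        if "introduced" in event:
            start = event["introduced"]
            if start == "0" or v >= _semver_key(start):
                affected = True
        elif "fixed" in event and v >= _semver_key(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > _semver_key(event["last_affected"]):
            affected = False
    return affected


def is_affected(entry, ecosystem, name, version):
    """True if (ecosystem, name, version) is inside any range or explicit version
    list of the entry; a different ecosystem or package never matches."""
    for aff in entry["affected"]:
        pkg = aff["package"]
        if (pkg["ecosystem"], pkg["name"]) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):
            return True
        if any(version_in_range(version, r) for r in aff.get("ranges", [])):
            return True
    return False


def osv_to_csaf(entry, publisher_name, publisher_namespace):
    """Map one OSV entry onto a minimal CSAF 2.0 security advisory: each 'introduced'
    event becomes a known_affected product, each 'fixed' event a fixed product."""
    products, known_affected, fixed = [], [], []

    def add_product(pkg, label):
        pid = f"CSAFPID-{len(products) + 1:04d}"  # generated id, assumption of this example
        products.append({"product_id": pid, "name": f"{pkg['ecosystem']}/{pkg['name']} {label}"})
        return pid

    for aff in entry["affected"]:
        for rng in aff.get("ranges", []):
            for event in rng["events"]:
                if "introduced" in event:
                    known_affected.append(add_product(aff["package"], f">= {event['introduced']}"))
                elif "fixed" in event:
                    fixed.append(add_product(aff["package"], f"{event['fixed']} (fixed)"))

    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": publisher_name, "namespace": publisher_namespace},
            "title": entry.get("summary", entry["id"]),
            "tracking": {
                "id": entry["id"], "status": "final", "version": "1",
                "initial_release_date": entry["published"],
                "current_release_date": entry["modified"],
                "revision_history": [{"number": "1", "date": entry["modified"],
                                      "summary": "Generated from OSV entry"}],
            },
        },
        "product_tree": {"full_product_names": products},
        "vulnerabilities": [{
            "title": entry.get("summary", entry["id"]),
            "ids": [{"system_name": "OSV", "text": entry["id"]}],
            "notes": [{"category": "description", "text": entry.get("details", "")}],
            "references": [{"category": "external", "summary": r["type"], "url": r["url"]}
                           for r in entry.get("references", [])],
            "product_status": {"known_affected": known_affected, "fixed": fixed},
        }],
    }


if __name__ == "__main__":
    for v in ("1.1.9", "1.2.0", "1.4.1", "2.0.3"):
        print(v, "affected" if is_affected(OSV_ENTRY, "PyPI", "example-lib", v) else "not affected")
    print(json.dumps(osv_to_csaf(OSV_ENTRY, "Example Publisher", "https://example.invalid"), indent=2))
```

The range walk is the part that makes the OSV format useful to a scanner: the `introduced`/`fixed` events are exact version boundaries rather than free-text "versions before 1.4.1", so a lockfile or SBOM component can be matched without human interpretation. The CSAF side shows the cost of the conversion in the other direction: CSAF expresses affectedness as a list of named products, so each OSV range boundary has to be materialised as a product entry, which is the mismatch the reply refers to.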