Closed terriko closed 7 months ago
Need to also consider looking at supporting Vulnerability Disclosure Reports (VDR) as referenced in NIST SP800-21
This is also of relevance
Closing this (and all the other leftover gsoc ideas from previous years) in order to help folk focus on the new project idea descriptions.
cve-bin-tool: Integration of new formats into triage workflow
Project description
When cve-bin-tool's current triage system was created, there was very little adoption of standardized formats for reporting vulnerabilities. That's starting to change. We're expecting a lot of upheaval in this space over the next year as people start to comply with things like US Executive Order 14028, “Improving the Nation’s Cybersecurity” (which roughly says that you need to report components and provide evidence that you're not shipping vulnerable ones, but leaves exactly how you do that a little vague). But I think we're at the point where even if the standards change, the work we do to implement any one will likely carry over to make implementing others easier.
We think our triage workflow in the future will look something like this:
It's likely that this new workflow will replace our old one entirely, although we may support both for some time. Right now VEX is an evolving format and @anthonyharrison has integrated the CycloneDX version of the format and has a partially finished PR for CSAF (see https://github.com/intel/cve-bin-tool/issues/2427 for more discussion) here: #2401. OpenVEX may also be a possibility.
This project will involve:
Related reading
Skills
Difficulty level
Project Length
GSoC Participants Only
This issue is a potential project idea for GSoC 2023, and is reserved for completion by a selected GSoC contributor. Please do not work on it outside of that program. If you'd like to apply to do it through GSoC, please start by reading #2230.
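A sketch of the normalizing step such a triage workflow needs, as an added example: this is not cve-bin-tool code and not the work in the PRs referenced above. It reads CycloneDX VEX `analysis.state` values, OpenVEX statement `status` values and CSAF `product_status` categories into one table keyed by (product, CVE), fails closed when two documents disagree about the same pair, and marks which scanner findings a report may suppress. The internal status names, the conflict policy, the purl identifiers and the three sample documents are assumptions constructed for this illustration; the samples are fragments carrying only the fields the parsers read, not schema-complete documents.

```python
"""Normalize CycloneDX VEX, OpenVEX and CSAF VEX statements into one triage table.

Added example for this issue, not cve-bin-tool code. Internal status names, the
conflict policy and all sample documents are constructed for illustration; the
samples are fragments with only the fields read here, not schema-complete files."""
import json
from typing import Dict, List, Tuple

# Internal triage states (assumed names; cve-bin-tool's own are not given here).
NOT_AFFECTED, FIXED, UNDER_INVESTIGATION, AFFECTED = (
    "not_affected", "fixed", "under_investigation", "affected")
# Order used when documents disagree: a later entry beats an earlier one, so a
# stray "not_affected" never silences an "affected" statement (fail closed).
_SEVERITY = [NOT_AFFECTED, FIXED, UNDER_INVESTIGATION, AFFECTED]

Triage = Dict[Tuple[str, str], str]  # (product purl / bom-ref, CVE id) -> status

# Each format's vocabulary mapped onto the internal states.
_CDX_STATE = {"not_affected": NOT_AFFECTED, "false_positive": NOT_AFFECTED,
              "resolved": FIXED, "resolved_with_pedigree": FIXED,
              "in_triage": UNDER_INVESTIGATION, "exploitable": AFFECTED}
_OPENVEX_STATUS = {s: s for s in _SEVERITY}  # OpenVEX uses the same four words
_CSAF_STATUS = {"known_not_affected": NOT_AFFECTED, "fixed": FIXED, "first_fixed": FIXED,
                "under_investigation": UNDER_INVESTIGATION, "known_affected": AFFECTED,
                "first_affected": AFFECTED, "last_affected": AFFECTED}


def parse_cyclonedx_vex(doc: dict) -> Triage:
    """CycloneDX 1.4: vulnerabilities[].analysis.state applies to every affects[].ref."""
    table: Triage = {}
    for vuln in doc.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state not in _CDX_STATE:
            continue  # missing or unknown analysis: leave the finding un-triaged
        for affected in vuln.get("affects", []):
            table[(affected["ref"], vuln["id"])] = _CDX_STATE[state]
    return table


def parse_openvex(doc: dict) -> Triage:
    """OpenVEX: each statement gives one status for a vulnerability across products."""
    table: Triage = {}
    for stmt in doc.get("statements", []):
        if stmt.get("status") not in _OPENVEX_STATUS:
            continue
        vuln = stmt["vulnerability"]
        cve = vuln["name"] if isinstance(vuln, dict) else vuln  # v0.2.0 object vs older string
        for product in stmt.get("products", []):
            pid = product["@id"] if isinstance(product, dict) else product
            table[(pid, cve)] = _OPENVEX_STATUS[stmt["status"]]
    return table


def parse_csaf(doc: dict) -> Triage:
    """CSAF 2.0: product_status.<category> lists product_ids, which are resolved to
    purls through product_tree.full_product_names (branch trees omitted here)."""
    purl_of = {}
    for fpn in doc.get("product_tree", {}).get("full_product_names", []):
        helper = fpn.get("product_identification_helper", {})
        purl_of[fpn["product_id"]] = helper.get("purl", fpn["product_id"])
    table: Triage = {}
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve")
        if not cve:
            continue
        for category, ids in vuln.get("product_status", {}).items():
            if category in _CSAF_STATUS:
                for pid in ids:
                    table[(purl_of.get(pid, pid), cve)] = _CSAF_STATUS[category]
    return table


def merge_triage(*tables: Triage) -> Triage:
    """Combine tables from several documents, keeping the more severe status on conflict."""
    merged: Triage = {}
    for table in tables:
        for key, status in table.items():
            if key not in merged or _SEVERITY.index(status) > _SEVERITY.index(merged[key]):
                merged[key] = status
    return merged


def triage_findings(findings: List[Tuple[str, str]], table: Triage) -> List[dict]:
    """Attach a status to each scanner finding; a finding with no statement stays
    visible as under_investigation, and only NOT_AFFECTED / FIXED are suppressed."""
    report = []
    for product, cve in findings:
        status = table.get((product, cve), UNDER_INVESTIGATION)
        report.append({"product": product, "cve": cve, "status": status,
                       "suppressed": status in (NOT_AFFECTED, FIXED)})
    return report


# Constructed sample documents (fragments, not schema-complete).
SAMPLE_CDX = json.loads('''{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "vulnerabilities": [
  {"id": "CVE-2021-44228", "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
   "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
  {"id": "CVE-2022-0778", "analysis": {"state": "in_triage"},
   "affects": [{"ref": "pkg:generic/openssl@1.1.1k"}]}]}''')
SAMPLE_OPENVEX = json.loads('''{"@context": "https://openvex.dev/ns/v0.2.0",
 "@id": "https://example.com/vex/constructed", "author": "example", "version": 1,
 "timestamp": "2023-03-01T00:00:00Z",
 "statements": [{"vulnerability": {"name": "CVE-2022-0778"},
   "products": [{"@id": "pkg:generic/openssl@1.1.1k"}], "status": "affected"}]}''')
SAMPLE_CSAF = json.loads('''{"document": {"category": "csaf_vex", "csaf_version": "2.0"},
 "product_tree": {"full_product_names": [{"product_id": "CSAFPID-0001", "name": "openssl 1.1.1k",
   "product_identification_helper": {"purl": "pkg:generic/openssl@1.1.1k"}}]},
 "vulnerabilities": [{"cve": "CVE-2022-0778", "product_status": {"known_affected": ["CSAFPID-0001"]}}]}''')

if __name__ == "__main__":
    table = merge_triage(parse_cyclonedx_vex(SAMPLE_CDX), parse_openvex(SAMPLE_OPENVEX),
                         parse_csaf(SAMPLE_CSAF))
    for row in triage_findings([("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "CVE-2021-44228"),
                                ("pkg:generic/openssl@1.1.1k", "CVE-2022-0778"),
                                ("pkg:generic/zlib@1.2.11", "CVE-2018-25032")], table):
        print(row)
```

Two points in the example matter for whichever format lands first: product identity has to be normalized (CycloneDX uses a bom-ref, CSAF an indirection through the product tree, OpenVEX a purl-style `@id`) before statements from different documents can be compared, and a conflict between documents should not be resolved by whichever file was read last. Here the openssl finding is `in_triage` in the CycloneDX document but `affected` in the other two, so it stays in the report; the log4j finding is suppressed on the strength of the `not_affected` statement.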