oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Enhancements to the Vulnerabilities Property #185

Closed wrideout closed 3 years ago

wrideout commented 3 years ago

Introduction

While working with the proposed CSAF2.0 specification, it became apparent that several key pieces of information that Arista Networks provides to customers with regard to security advisory documentation could be better expressed within the spec. The specific information we wish to convey is as follows:

Note: the use of “Hotfix” here is common enough, but there may be a better term that is more generic and still conveys the same meaning.

As CSAF2.0 stands today, all of the above items may be accounted for in a CSAF document via the use of Vulnerability mitigation entries and notes. However, in the interest of providing end users with a document which is parsable by automated tools, we believe the below changes may be beneficial and should be considered for inclusion in the next iteration of the CSAF standard. Ultimately the goal is to provide a standardized way to convey the proposed information without needing to rely on custom code to parse vulnerability mitigation or note info, which may vary depending on the originator of the CSAF document being parsed.

Vulnerability Symptoms

Currently any symptoms which accompany or otherwise indicate a vulnerability or exploit may be recorded via the use of the Notes attribute of the Vulnerability type. In some cases it may be advantageous to provide an optional, dedicated attribute for symptoms in the Vulnerability type.

See #186 for details.

Vulnerability Remediations

Configuration Change Mitigation

In order to clearly convey configuration changes which may provide a mitigation for a vulnerability, we are suggesting a new type enum value for the remediation item type, named "configuration".

See #188 for details.

Hotfix Mitigation

Currently, the CSAF2.0 specification does not afford users a clear section for describing hotfix information, outside of specifying a mitigation with type "mitigation". The creation of a new hotfix type would allow for the storage and use of this information.

See #187 for details.
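As an added illustration (not code from this issue or from the CSAF project), the following Python contrasts a constructed remediation list written against the draft enum, where both a configuration change and a hotfix have to be filed under the generic "mitigation" type, with the same advice expressed using the values proposed above; the enum values, the field name `type` (the final CSAF 2.0 schema calls it `category`) and both sample documents are assumptions.

```python
import json

# Draft CSAF 2.0 remediation type values as this issue describes them, plus
# the two values the issue proposes ("configuration", "hotfix"). The field is
# called "type" because the issue uses that wording; the final CSAF 2.0
# schema names it "category". Both documents below are constructed samples.
DRAFT_TYPES = {"workaround", "mitigation", "vendor_fix", "none_available", "no_fix_planned"}
PROPOSED_TYPES = DRAFT_TYPES | {"configuration", "hotfix"}

# Constructed: advice as it must be written today (config change and hotfix
# are both "mitigation"; only the free text tells them apart).
CURRENT_DOC = json.loads("""{"vulnerabilities": [{"title": "constructed sample",
  "remediations": [
    {"type": "mitigation", "details": "Disable feature foo in the running config",
     "product_ids": ["PROD-A"]},
    {"type": "mitigation", "details": "Install hotfix package foo-fix.rpm",
     "product_ids": ["PROD-A"]},
    {"type": "vendor_fix", "details": "Upgrade to a fixed release",
     "product_ids": ["PROD-A"]}]}]}""")

# Constructed: the same advice using the enum values proposed in this issue.
PROPOSED_DOC = json.loads("""{"vulnerabilities": [{"title": "constructed sample",
  "remediations": [
    {"type": "configuration", "details": "Disable feature foo in the running config",
     "product_ids": ["PROD-A"]},
    {"type": "hotfix", "details": "Install hotfix package foo-fix.rpm",
     "product_ids": ["PROD-A"]},
    {"type": "vendor_fix", "details": "Upgrade to a fixed release",
     "product_ids": ["PROD-A"]}]}]}""")


def remediations_of_type(doc, wanted):
    """Return remediations whose type is in `wanted`, selected by field only.

    Deliberately no parsing of `details`: avoiding per-vendor text parsing
    is the point of the proposal.
    """
    return [rem for vuln in doc.get("vulnerabilities", [])
            for rem in vuln.get("remediations", [])
            if rem.get("type") in wanted]


def unknown_types(doc, allowed):
    """Type values in `doc` that a consumer validating against `allowed` does
    not know. Report them rather than reject the document, so a tool built
    before a new value such as "hotfix" existed still processes advisories."""
    seen = {rem.get("type") for vuln in doc.get("vulnerabilities", [])
            for rem in vuln.get("remediations", [])}
    return sorted(t for t in seen if t not in allowed)
```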

tschmidtb51 commented 3 years ago

@wrideout: Thanks for your contribution. I split it into 3 issues (#186, #187, #188) which will help us to keep track of the discussions and vote on them individually.

wrideout commented 3 years ago

@wrideout: Thanks for your contribution. I split it into 3 issues (#186, #187, #187) which will help us to keep track of the discussions and vote on them individually.

Just for clarity, that's #186, #187, #188

tschmidtb51 commented 3 years ago

@wrideout: Thanks for your contribution. I split it into 3 issues (#186, #187, #187) which will help us to keep track of the discussions and vote on them individually.

Just for clarity, that's #186, #187, #188

You're right. I corrected it.

tschmidtb51 commented 3 years ago

I guess this issue can be closed as we have the individual issues.

wrideout commented 3 years ago

Yes, I agree. Sorry for not getting back to you on this!

tschmidtb51 commented 3 years ago

Yes, I agree. Sorry for not getting back to you on this!

No worries. Thanks for your contribution.