-
-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is CISA-Use-Cases /Case-7/ valid example #41
Comments
A component ref might be unique, while the component is not necessarily version-pinned. Please read CycloneDX/specification#310 (comment) Does this answer your question? |
Not exactly, what does it mean that component ref might be unique ? According to standard, it is unique and points to exact component in exact sbom. What is the goal in standard to give additional level of filter if bom-ref is so unique? It brings additional level of complexity when parsing, because you cannot rely on bom-ref. And producer of vex must know which exact component was scanned, as he/she filled bom ref in vex? You cannot cover with bom-ref more than one sbom at the end. You can only add many refs in affects field. Going back to example, vex specifies that one version of product jkl is affected CVE-2021-44228, others are not. But bom 2 does not specify version of product jkl. So what should be applied if some software wants to do it automatically ? Is this specific bom ref affected or not ? Thx |
Read "A component ref might be unique [...]" as "even though component ref is unique, [...]"
see VEX bom-examples/VEX/CISA-Use-Cases/Case-7/vex.json Lines 164 to 172 in 7d52984
references the following product bom-examples/VEX/CISA-Use-Cases/Case-7/bom-2.json Lines 8 to 12 in 7d52984
and the VEX states, that a known vulnerability affects this very certain product in a certain version range. Is there something unclear? Maybe read the use-case description again? A VEX document might list all known vulnerabilities, and state whether certain versions of a product are exploitable(=affected) or not. |
The idea is clear, the case is in making standard easy to use for software that operates on it :) So in general, what you say is that standard does not enforce the quality of provided sbom files and vex :) Like the sboms from example are actually very low quality sboms and the correct thing to do is either request from vendor to ship better sbom, or do it yourselves. In example you cannot automatically apply vex to the product relaying only on database build based on sbom and vex, without additional (human?) analysis, as the same vex has also
And I think a lot of people have issues how to use it actually, even with tools like dependency track DependencyTrack/dependency-track#2741 |
I mean, try to import this example to dependency track (or point to other tool/test that works?), nothing is applied and even base component is not identified well :) also, affects versions and how to use them are not mentioned even in cyclonedx guide (latest), https://cyclonedx.org/guides/sbom/OWASP_CycloneDX-SBOM-Guide-en.pdf . IMO it states clearly that only ref itself matters as it "provides a direct link to the precise component within a BOM" . So is it missing in guide that "if additional version is specified, additional check is needed as it might be just VEX that at the end might not apply due to version mismatch " :) |
@tomekkolo what is your point? Dependency-Track (and most other tools) do not support every VEX use case. They will improve over time. The guide you mention is specific to SBOM. Only a small subset of functionality of the spec is mentioned in the guide. There is another guide in development specifically for VDR+VEX, and a handful of other guides (SaaSBOM, ML-BOM, MBOM, CBOM, etc) also being developed. Moving this thread to a discussion. |
Hey, But anyway, if you have some links to new vdr/vex guide it would be great, maybe I'm missing something. |
Or just drop in vex affects bom-ref to be mandatory parameter, and allow users to specify one of: bom ref/purl/etc ? That would be super clear to use imo. |
For me the version/version range in affects is really helpful because I can create suggestions based on it how to fix it in the report: |
in https://github.com/CycloneDX/bom-examples/tree/master/VEX/CISA-Use-Cases/Case-7 boms do not contain version of the software, but vex file affects sections contain versions or version ranges (i.e.
bom-examples/VEX/CISA-Use-Cases/Case-7/vex.json
Line 169 in 7d52984
What is the point of having affects section specifying also component ref and versions, if component ref is unique ? Ot is it just additional information ?
The text was updated successfully, but these errors were encountered: