From 2587935bd6b87d36edbf03740145610e00eeeb9a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 28 Dec 2023 23:27:12 -0600 Subject: [PATCH] Added initial support for vulnerability evidence Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 95 +++++++++++++++++++ .../1.6/valid-vulnerability-1.6.json | 21 ++++ 2 files changed, 116 insertions(+)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index a7f9bb05..2ce94366 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -1635,6 +1635,98 @@
 }
 }
 },
+ "vulnerabilityEvidence": {
+ "type": "object",
+ "title": "Evidence",
+ "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
+ "additionalProperties": false,
+ "properties": {
+ "presence": {
+ "type": "array",
+ "description": "Evidence that substantiates the presence or absence of a vulnerability.",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "confidence": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Confidence",
+ "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
+ },
+ "methods": {
+ "type": "array",
+ "title": "Methods",
+ "description": "The methods used to extract and/or analyze the evidence.",
+ "items": {
+ "type": "object",
+ "required": [
+ "technique" ,
+ "confidence"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "technique": {
+ "title": "Technique",
+ "description": "The technique used in this method of analysis.",
+ "type": "string",
+ "enum": [
+ "source-code-analysis",
+ "binary-analysis",
+ "manifest-analysis",
+ "ast-fingerprint",
+ "hash-comparison",
+ "instrumentation",
+ "dynamic-analysis",
+ "filename",
+ "attestation",
+ "other"
+ ]
+ },
+ "confidence": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Confidence",
+ "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value or contents of the evidence."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the evidence that may contain additional information about the investigation."
+ }
+ }
+ }
+ },
+ "tools": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "anyOf": [
+ {
+ "title": "Ref",
+ "$ref": "#/definitions/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "BOM References",
+ "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
+ }
+ }
+ }
+ }
+ }
+ },
 "compositions": {
 "type": "object",
 "title": "Compositions",
@@ -2191,6 +2283,9 @@
 }
 ]
 },
+ "evidence": {
+ "$ref": "#/definitions/vulnerabilityEvidence"
+ },
 "analysis": {
 "type": "object",
 "title": "Impact Analysis",
diff --git a/tools/src/test/resources/1.6/valid-vulnerability-1.6.json b/tools/src/test/resources/1.6/valid-vulnerability-1.6.json
index c0f77d36..b421b1b3 100644
--- a/tools/src/test/resources/1.6/valid-vulnerability-1.6.json
+++ b/tools/src/test/resources/1.6/valid-vulnerability-1.6.json
@@ -119,6 +119,27 @@
 }
 ]
 },
+ "evidence": {
+ "presence": [
+ {
+ "methods": [
+ {
+ "technique": "source-code-analysis",
+ "confidence": 0.7,
+ "value": "Value here",
+ "description": "Description here"
+ },
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.6,
+ "value": "Value here",
+ "description": "Description here"
+ }
+ ],
+ "confidence": 0.8
+ }
+ ]
+ },
 "analysis": {
 "state": "not_affected",
 "justification": "code_not_reachable",
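Review bot: The `presence` item schema (the `items` object that follows `"description": "Evidence that substantiates the presence or absence of a vulnerability."`) declares no `required` keys, so `"presence": [{}]` validates while recording no evidence at all; unless an item carrying only an overall `confidence` is intended, add `"required": ["methods"]` beside that item's `"additionalProperties": false,` and `"minItems": 1` on `methods`. That same description promises evidence of presence *or* absence, yet no field records which one an item supports, so a reader cannot tell whether `"confidence": 0.8` argues for or against the vulnerability being present; either add a discriminator or narrow the wording to `"Evidence that substantiates the presence of a vulnerability."`. The `technique` enum appears to repeat the list used by this schema's component-evidence `identity.methods[].technique` (not visible in the hunk); if the two are meant to stay identical, hoisting the list into a shared definition and `$ref`-ing it from both places prevents drift. Two smaller nits: `"technique" ,` in `required` carries a stray space before the comma, and the `tools` property is titled `"BOM References"` with a description whose first sentence reads as if written for a single ref, so `"title": "Tools"` and a description opening with the third sentence would read better.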
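Review bot: The new fixture covers only the happy path of the `evidence` block: both methods carry the same placeholder `"value": "Value here"` / `"description": "Description here"`, the optional `tools` array is never populated, and there is no negative fixture, so nothing in this change checks that `additionalProperties: false`, the 0–1 `confidence` bounds or the `technique` enum are actually enforced. Consider populating `tools` with a bom-ref the fixture already defines (if one exists) and adding an invalid sibling under `tools/src/test/resources/1.6/`, named per the existing invalid-fixture convention, with e.g. `"confidence": 1.5` or an unrecognised technique. The enclosing vulnerability object starts and ends outside the hunk.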