
Take CycloneDX 1.2 patches into account when analysing CVE exposure #919

Open
steffenolsen opened this issue Feb 3, 2021 · 5 comments
Labels
cdx-1.3 Related to CycloneDX specification v1.3 or earlier enhancement New feature or request help wanted Extra attention is needed needs milestone Issues or PRs that are pending a milestone assignment p2 Non-critical bugs, and features that help organizations to identify and reduce risk

Comments

@steffenolsen

CycloneDX 1.2 has added support for pedigrees such as commits and patches. It is possible to specify that a patch/commit resolves vulnerabilities. This can make sense in some scenarios where patching components in a build system is preferred as a better option than upgrading the component (short term).

It would be great if this information could be taken into account when analysing CVEs for the components in DT, and that those CVE ids listed as resolved in an imported BOM are regarded as resolved by DT as well. The exact resolvent category to use in this case I am not sure of. I see that when auditing a CVE these possible values could be specified when suppressing the CVE:

  • Not Set
  • False Positive
  • Not affected

Not sure if any one of them fits. I guess from a monitoring point of view, it would be nice to get to know what CVE has been patched.

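As an added example (not code from this issue or from Dependency-Track), the following Python script reads the CycloneDX 1.2 pedigree patches discussed above from a JSON BOM and collects, per component, the vulnerability ids those patches claim to resolve; the BOM content and the CVE-style identifiers are constructed placeholders.

```python
import json
from typing import Iterator

# Constructed CycloneDX 1.2 BOM (not from the issue): one component whose
# pedigree carries two patches claiming to resolve security issues; the
# CVE-style ids below are placeholders, not real vulnerability ids.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "components": [{
        "type": "library",
        "name": "examplelib",
        "version": "1.0.0",
        "purl": "pkg:generic/examplelib@1.0.0",
        "pedigree": {"patches": [
            {"type": "backport", "resolves": [
                {"type": "security", "id": "CVE-0000-11111", "source": {"name": "NVD"}},
                {"type": "defect", "id": "BUG-42"}]},
            {"type": "unofficial", "resolves": [
                {"type": "security", "id": "CVE-0000-22222"}]},
        ]},
    }],
})


def _walk(components: list) -> Iterator[dict]:
    """Yield every component, including nested sub-components."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def resolved_vulns(bom_json: str) -> dict[str, set[str]]:
    """Map component purl -> vulnerability ids its pedigree patches claim to
    resolve. Only 'security' entries count; 'defect'/'enhancement' are skipped.
    These are producer assertions, so callers should treat them as input to an
    audit decision rather than as verified facts."""
    bom = json.loads(bom_json)
    out: dict[str, set[str]] = {}
    for comp in _walk(bom.get("components", [])):
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        for patch in comp.get("pedigree", {}).get("patches", []):
            for issue in patch.get("resolves", []):
                if issue.get("type") == "security" and issue.get("id"):
                    out.setdefault(key, set()).add(issue["id"])
    return out


def claimed_resolved(findings: list[tuple[str, str]], bom_json: str) -> list[tuple[str, str]]:
    """Return the (purl, vuln id) findings the BOM's pedigree claims to resolve."""
    resolved = resolved_vulns(bom_json)
    return [f for f in findings if f[1] in resolved.get(f[0], set())]
```

The output of `claimed_resolved` is the set of findings a reviewer would examine for an audit state, not a list to suppress automatically, since the pedigree data is asserted by whoever produced the BOM.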

@steffenolsen steffenolsen added the enhancement New feature or request label Feb 3, 2021
@stevespringett stevespringett added this to the 4.4 milestone Feb 3, 2021
@stevespringett stevespringett added the p2 Non-critical bugs, and features that help organizations to identify and reduce risk label Feb 3, 2021
@stevespringett (Member)

I'm going to move this out a bit. CycloneDX v1.4 will likely include some updates to the way it handles vulnerabilities and it would be best to wait for v1.4 to be released so that DT can align.

@officerNordberg (Contributor)

I'd be happy to help out with this one.

@xRate1337

Hi, is there any progress in shifting information about the status of the CVEs in dtrack over the SBOM? I just saw the option to use the combination of CycloneDX and VEX, but I can't figure out how to do it if I want to upload it once, because the references are missing. Does someone have a solution for getting patched Yocto CVEs into dtrack directly?

@nscuro nscuro modified the milestones: 4.7, 4.8 Dec 14, 2022
@msymons msymons added the help wanted Extra attention is needed label Feb 9, 2023
@msymons msymons modified the milestones: 4.8, 4.9 Feb 9, 2023
@msymons (Member)

msymons commented Feb 9, 2023

Whilst I have re-assigned this enhancement request to the 4.9 milestone, I have also labelled it as "help wanted". PRs are always welcome.

On the plus side, understand that a re-assignment means that 4.8 will be seen a wee bit quicker, all other things being equal.

@msymons msymons added the cdx-1.3 Related to CycloneDX specification v1.3 or earlier label Jun 22, 2023
@nscuro nscuro modified the milestones: 4.9, 4.10 Sep 16, 2023
@nscuro nscuro added the needs milestone Issues or PRs that are pending a milestone assignment label Oct 26, 2023
@nscuro nscuro removed this from the 4.10 milestone Oct 26, 2023
@Jasper-Ben

Hey @nscuro, it would be great if we could plan this into a milestone again! 🙂

Afaik there currently still isn't a "cleaner" way of handling CVE patches on the build system side than:

  1. Initial uploading of SBOM
  2. Waiting for SBOM to be processed
  3. Applying a separate VEX file for resolving CVEs

Or am I missing something?
Thanks!

Development

No branches or pull requests

7 participants