Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE ADP integration #12

Open
zmanion opened this issue Mar 10, 2021 · 3 comments
Open

CVE ADP integration #12

zmanion opened this issue Mar 10, 2021 · 3 comments
Labels
enhancement New feature or request p4_trivial Priority: trivial

Comments

@zmanion
Copy link
Contributor

zmanion commented Mar 10, 2021

CVE ADP (Authorized Data Publisher) allows an authorized entity to add data to CVE entries, specifically entries that the ADP does not "own" / is not the CNA for.

The ADP rules and tech are under development (March 2021).

Further requirements are not well defined, but the feature is that vulnerability information from VINCE can be communicated through the ADP mechanism.
@sei-vsarvepalli
Copy link
Contributor

Is this more than the SSVC scoring that will be published? If there are other aspects apart from "adpContainer/metrics" object listed below, we need to decide what aspects of ADP we are interested in publishing.

https://github.com/CVEProject/cve-schema/blob/c8638e22e534bb5dc38a7985f558248b7f61efba/schema/v5.0/CVE_JSON_5.0.schema#L573

Other potential areas where CERT/CC can contribute are

  1. "affected" -> related to products affected by the advisory
  2. "solutions" -> Information about solutions or remediations available for this vulnerability
  3. "workarounds" -> Workarounds and mitigations for this vulnerability.
  4. "exploits" -> Information about exploits of the vulnerability.
  5. "credits" -> Statements acknowledging specific people, organizations, or tools recognizing the work done in researching and reporting this vulnerability.

While all these are possible, they are not available as distinct fields in VINCE or VINCE Vulnerabilities Notice API to provide such data natively.

Vijay

@zmanion
Copy link
Contributor Author

zmanion commented Aug 20, 2021

For the ADP Pilot, the proposal so far is limited to the following SSVC decision points:

  • Exploitation (source: @ahouseholder's collection)
  • Technical Impact (source: CVSS base)
  • Automatable/Value Density/Utility (source: CISA, CERT/CC, others?)
    I'd like to get through the pilot with intentionally limited and clear scope, but we can consider all sorts of additions assuming ADPs move forward.

About "Affected" -- that's complicated, see the OSV/CVE discussion going on now, and also SBoM.

"Exploits" can probably be tagged references but may also need to wait until ADPs are in production.

@zmanion
Copy link
Contributor Author

zmanion commented May 26, 2022

Just noting the ADP pilot is on hold pending CVE Services 2.x and JSON 5 production releases.

@zmanion zmanion added enhancement New feature or request p4_trivial Priority: trivial labels May 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request p4_trivial Priority: trivial
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zmanion @sei-vsarvepalli