Replies: 15 comments 12 replies
-
Exporting VEX documents will be a large task, which we have to implement step by step. To start it, I analyzed the OpenVEX and CSAF (VEX profile) specifications against SecObserve's attributes:
Steps could be:
Steps 4. and 5. will be quite large and be designed later. |
Beta Was this translation helpful? Give feedback.
-
Feature flag is in development: #1125 |
Beta Was this translation helpful? Give feedback.
-
@dervoeti @lfrancke What is a good strategy to generate VEX documents:
|
Beta Was this translation helpful? Give feedback.
-
The branch https://github.com/MaibornWolff/SecObserve/tree/feat/vex_poc contains an initial implementation of the backend to generate VEX documents for CSAF and OpenVEX:
What is missing:
To test it you have to:
Looking forward to your feedback 😃 |
Beta Was this translation helpful? Give feedback.
-
The It seems to be a meaningful implemention to me, but I am looking forward very much for your feedback. |
Beta Was this translation helpful? Give feedback.
-
I made 2 major changes:
|
Beta Was this translation helpful? Give feedback.
-
Another change: I wasn't happy with the usage of uuid to make the filenames unique. After a look how other CSAF providers are doing it, it is now a combination of prefix, year and a counter. This should be really it from my side. |
Beta Was this translation helpful? Give feedback.
-
That looks pretty good already, thanks!
Things to consider:
I'm not sure what's the best way to solve this, this is quite complex. Perhaps users could optionally provide a list of remediations when selecting "Risk accepted" in the assessment dialog. Happy to implement this, but I wanted to discuss the best way to do it first. |
Beta Was this translation helpful? Give feedback.
-
I see what you mean, but have to think about, what the best solution is. I don't think it's the status "Risk accepted", that means it is as it is, I cannot do something at the moment and accept the risk that is involved with the vulnerability. We might need a list of remediations with different categories, that are editable for imported vulnerabilities. They would need to be concatenated for OpenVEX. But I wouldn't include that in the current branch. I would like to merge the current branch into dev and release it soon. It is marked as experimental and must explicitely be activated. Then we can go from there with enhancements and changes. |
Beta Was this translation helpful? Give feedback.
-
Yep, totally fine, the current state is already quite useful. Just wanted to mention this since we were thinking about what else we would need in our VEX statements. But I also think that it's a good idea to implement this in a separate step, since it might turn out to be a complicated task. |
Beta Was this translation helpful? Give feedback.
-
I just found a merged PR for Trivy, which amends how they deal with VEX documents: aquasecurity/trivy#5923 It might be a good idea, to generate CSAF documents like their test example https://github.com/juan131/trivy/blob/main/pkg/vex/testdata/csaf-not-affected-sub-components.json. Currently in our CSAF documents all vulnerabilities are mapped to the SecObserve product. Maybe it is better to map the vulnerability to its component and the components is related to the product. This would be similar to how we produce OpenVEX documents with products and subcomponents. |
Beta Was this translation helpful? Give feedback.
-
I think that's a very good idea and it's probably even necessary to implement it like that. A vulnerability might affect multiple components of a product and you might want to issue different statements for each affected component of the product. The vulnerability might be exploitable in component A but not in component B, even though scanners report the vulnerability in both components. In that case you could provide a workaround for component A and set component B to "Not affected". That's already possible in SecObserve, since you'd have two different observations in that case, but this level of detail needs to be reflected in VEX documents as well. |
Beta Was this translation helpful? Give feedback.
-
I've been giving this some more thought today, it seems to be more complex than I thought (as always), this is the result: #1254 |
Beta Was this translation helpful? Give feedback.
-
With the new release 1.9.1 not only the generation of CSAF with components (see above) is productive, but there is a change in the authorization. VEX documents that have been created for a product now follows the product authorization. Maintainers and owners of a product can generate, update and delete VEX documents. |
Beta Was this translation helpful? Give feedback.
-
Discussion closed as generation of VEX documents is implemented |
Beta Was this translation helpful? Give feedback.
-
When exporting vulnerability assessments as VEX, a justification is recommended if the status is set to "Not affected". A list of possible justifications was published by CISA, both OpenVEX and CSAF adopted this list.
Suggestion: Add a new field "justification" to the
Observation
model and define the list of possible options according to the CISA document. Add a dropdown for this to the "Observation Assessment" dialog and only show it if the status "Not affected" is selected.I could try to implement this, if you think this makes sense.
Beta Was this translation helpful? Give feedback.
All reactions