Adding Taxonomy object #6
Conversation
Approved by QWG on 1/21/2021.
So are these mappings supposed to be universal to all types of taxonomies, including CWE? Because that sort of conflicts with the I know this was approved in the QWG but a bit more info about this would be appreciated for those that did not partake in those discussions.
The object can be used for any taxonomy. ATT&CK was the original impetus, but the QWG did not want to have to create a new object for every taxonomy a CNA might want to include in a CVE record, so it was made generic. For example, you could use it to map to the OWASP Top Ten. You can also use it to describe relationships between taxonomy items related to the CVE. For example, if you wanted to describe the chain of CWEs in the vulnerability.
Ok, I understand the need for a general object but that doesn't answer my question about potentially duplicating CWE information between
I can also imagine someone may start including CVSS scores in
I don't really see the upside of parsing a CWE chain into its components. In 99% of cases you will just want to display it as is. And in those 1% of research-oriented cases where you want to process the individual components for statistics purposes, parsing the chain is trivial. But I guess we'll be forced to use this mapping object since when I look at
This was discussed and a CVSS vector string can be seen as a unique identifier (and pointer to scores in the metrics section), so it does allow use of CVSS scores, and that is OK.
It would be good to flatten the inline definitions for
schema/v5.0/CVE_JSON_5.0.schema
Outdated
"taxonomyName": { | ||
"type": "string", | ||
"description": "The name of the taxonomy", | ||
"minLength": 1 |
maxLength = 128
schema/v5.0/CVE_JSON_5.0.schema
Outdated
"taxonomyVersion": { | ||
"type": "string", | ||
"description": "The version of taxonomy the identifiers come from.", | ||
"minLength": 1 |
maxLength = 128
schema/v5.0/CVE_JSON_5.0.schema
Outdated
"taxonomyId": { | ||
"type": "string", | ||
"description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.", | ||
"minLength": 1 |
maxLength = 2k
schema/v5.0/CVE_JSON_5.0.schema
Outdated
"relationshipName": { | ||
"type": "string", | ||
"description": "A description of the relationship", | ||
"minLength": 1 |
maxLength=128
schema/v5.0/CVE_JSON_5.0.schema
Outdated
"relationshipValue": { | ||
"type": "string", | ||
"description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier", | ||
"minLength": 1 |
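Review bot: the description in this hunk says the target "Can be the CVE ID or another taxonomy identifier", but nothing in the definition lets a consumer tell which of the two it holds, nor whether "another taxonomy identifier" means an item from the same taxonomy as taxonomyId or one from a different taxonomyName. Spell that out in the description (for example: "The target of the relationship: either the CVE ID of this record or an identifier from the same taxonomy as taxonomyId"), and give the field the same maxLength the other string fields are getting, since "minLength": 1 on its own leaves the value unbounded.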
maxLength = 2k
}, | ||
"taxonomyRelations": { | ||
"type": "array", | ||
"description": "", |
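Review bot: "description": "" leaves taxonomyRelations undocumented in anything generated from the schema; fill it in with the one-line meaning already given in this PR, a list of relationships between items of the taxonomy and the CVE (or between taxonomy items themselves). Consider "minItems": 1 as well, since a mapping whose taxonomyRelations array is empty carries no information and would still validate.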
re-arrange description
Please add the maxLengths.
Where will this be referenced? In the meeting I think we discussed that this could be used for CVSS scores and CWE for example (although we already have those elsewhere as @mprpic mentioned), but we also talked about being able to provide product-specific CVSS scores. Currently, nothing maps the CVSS score in the
@tcullum-rh a CVSS metric string can be seen as a unique identifier in the domain of CVSS scores, so this is an example of one way to map CVSS to CPEs:
The CVSS metrics used as taxonomyId can also be seen as pointers to the CVSS scores and scenario in the metrics object that provides more verbose context for the score.
The updates to the schema can be found at CVEProject/cve-schema#6
General taxonomy object used to map CVEs to other taxonomies, like ATT&CK. Approved by QWG on 1/21/2021.
Example JSON:
```json
{
  "taxonomyMappings": [
    {
      "taxonomyName": "ATT&CK",
      "taxonomyVersion": "7",
      "taxonomyRelations": [
        {
          "taxonomyId": "T1068",
          "relationshipName": "Parent Tactic",
          "relationshipValue": "TA0004"
        },
        {
          "taxonomyId": "T1068",
          "relationshipName": "CVE-to-ATT&CK Primary Impact",
          "relationshipValue": "CVE-2019-15976"
        }
      ]
    }
  ]
}
```
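The ATT&CK example above run through a small validator for the taxonomy object, as added example code that is not part of this PR or the cve-schema project. It enforces the minLength 1 from the hunks and the maxLength values the reviewers asked for (128 / 2k), and it assumes taxonomyVersion is optional and uses a simplified CVE ID pattern; both are assumptions, not something the schema on this page states.

```python
import re

# minLength 1 is in the schema hunks of this PR; the maxLength values (128 / 2k) are the
# ones the reviewers asked for in their comments.
LIMITS = {"taxonomyName": 128, "taxonomyVersion": 128, "taxonomyId": 2048,
          "relationshipName": 128, "relationshipValue": 2048}
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # simplified CVE ID shape (assumption)

def _check_strings(obj, keys, where, errors):
    """Each key must be present as a string with 1 <= len <= LIMITS[key]."""
    for key in keys:
        value = obj.get(key)
        if not isinstance(value, str) or not value:
            errors.append(f"{where}.{key}: missing or empty string")
        elif len(value) > LIMITS[key]:
            errors.append(f"{where}.{key}: {len(value)} chars exceeds maxLength {LIMITS[key]}")

def validate_taxonomy_mappings(mappings):
    """Return a list of problems; an empty list means the mappings are acceptable."""
    errors = []
    if not isinstance(mappings, list) or not mappings:
        return ["taxonomyMappings: must be a non-empty array"]
    for i, mapping in enumerate(mappings):
        where = f"taxonomyMappings[{i}]"
        if not isinstance(mapping, dict):
            errors.append(f"{where}: must be an object")
            continue
        # taxonomyVersion is treated as optional (assumption: the hunks shown list no required keys)
        keys = ["taxonomyName"] + (["taxonomyVersion"] if "taxonomyVersion" in mapping else [])
        _check_strings(mapping, keys, where, errors)
        relations = mapping.get("taxonomyRelations")
        if not isinstance(relations, list) or not relations:
            errors.append(f"{where}.taxonomyRelations: must be a non-empty array")
            continue
        for j, rel in enumerate(relations):
            rwhere = f"{where}.taxonomyRelations[{j}]"
            if not isinstance(rel, dict):
                errors.append(f"{rwhere}: must be an object")
                continue
            _check_strings(rel, ("taxonomyId", "relationshipName", "relationshipValue"), rwhere, errors)
            target = rel.get("relationshipValue", "")
            # A target that claims to be a CVE ID must actually look like one.
            if isinstance(target, str) and target.upper().startswith("CVE-") and not CVE_ID_RE.match(target):
                errors.append(f"{rwhere}.relationshipValue: malformed CVE ID {target!r}")
    return errors

# The ATT&CK example from the PR description, as parsed JSON.
ATTACK_EXAMPLE = [{"taxonomyName": "ATT&CK", "taxonomyVersion": "7", "taxonomyRelations": [
    {"taxonomyId": "T1068", "relationshipName": "Parent Tactic", "relationshipValue": "TA0004"},
    {"taxonomyId": "T1068", "relationshipName": "CVE-to-ATT&CK Primary Impact",
     "relationshipValue": "CVE-2019-15976"}]}]
```

`validate_taxonomy_mappings(ATTACK_EXAMPLE)` returns an empty list; a record with an empty taxonomyName, an over-long taxonomyId or a malformed CVE ID target gets one message per problem.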