Merge pull request #93 from oswalpalash/merge-project-tools

Merge gsd-project with gsd-tools

README.md

@@ -99,3 +99,11 @@ Each project has its own README and supporting documents. Included below is a sh
 - **README:** [Local Scripts README](local-scripts/README.md)
 - **Short Description:** _TODO_ - Ask @kurtseifried
 - **Depends on:** _None_
+
+### GSD Project Notes
+
+- **Website:** _N/A_
+- **Location:** `gsd-tools/gsd-project/`
+- **README:** [GSD URL Processing README](gsd-project/README.md)
+- **Short Description:** Project Plans which contains all the GSD project plans and related material. 
+- **Depends on:** _None_

gsd-project/.gitignore

@@ -0,0 +1,6 @@
+# Script generated content
+analysis/cve/allitems.csv
+analysis/cve/nvdcve-1.1-20*.json
+
+# Obsidian.md config
+.obsidian

gsd-project/LICENSE

@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.

gsd-project/README.md

@@ -0,0 +1,110 @@
+# Global Security Database Project Plans
+
+The Global Security Database is a new Working Group project from the Cloud Security Alliance meant to address the gaps in the current vulnerability identifier space.
+
+The world of vulnerability identifiers has changed drastically in the last 20 years while the infrastructure and management of public and private vulnerability data have changed very little. This has created a sizable gap between the current needs of industry and the ability of existing projects to be effective.
+
+This is the Global Security Database (GSD) Project Plans which contains all the GSD project plans and related material. For more informaiton please see https://csaurl.org/gsd-quick-links.
+
+For more information please see https://csaurl.org/gsd-quick-links.
+
+## Contributing
+
+See the [Contribution Guide](CONTRIBUTING.md).
+
+## Resources
+
+[NIST The Bugs Framework](https://samate.nist.gov/BF/)
+
+# Table of contents
+
+*** TODO ***
+
+## Quick Links
+
+* Quick links (this section): https://csaurl.org/gsd-quick-links
+* Website: https://globalsecuritydatabase.org
+* Request a GSD: https://requests.globalsecuritydatabase.org/ 
+* Edit a GSD entry: https://edit.globalsecuritydatabase.org/
+* WG Landing Page: https://csaurl.org/gsd-landing-page
+* Circle Community (Forums): https://csaurl.org/gsd-circle 
+* Mailing-list: https://csaurl.org/gsd-mailing-list
+* Github: https://csaurl.org/gsd-github
+* WG Meeting Agenda: https://csaurl.org/gsd-agenda
+* GitHub Repos: https://globalsecuritydatabase.org/repos/ 
+* Slack: https://csaurl.org/csa-public-slack #gsd-working-group
+* Press mentions: https://globalsecuritydatabase.org/press
+
+## GSD Repos
+
+There are 2 primary repositories in GitHub.
+
+### gsd-database
+
+The gsd-database repo is the actual data for identifiers in the Global Security Database in the form of GSD-YEAR-INTEGER. To maintain easier compatibility with the CVE ecosystem we have decided to reserve numbers below 1 million for CVE data, using the same integer to make matching up entries easy.
+
+#### Issues
+
+Please file any data related issues in the gsd-database repo. If you need to file issues against the data format(s) themselves please file an issue in the gsd-project repo.
+
+### gsd-tools
+
+The gsd-tools repo is the Global Security Database (GSD) tools repo which contains all the GSD tools. For more informaiton please see https://csaurl.org/gsd-quick-links.
+
+### Issues
+
+Please file any tooling related issues in the gsd-tools repo. If you need to file issues against the data format(s) themselves please file an issue in the gsd-project repo.
+
+# Goals / Vision
+
+The goal and vision of the Global Security Database is to create a new security identifier ecosystem that complements existings standards and systems, but also allows for future growth and change. IT is constantly changing (TCP-IP, the Web, the Cloud, IoT, Blockchains, etc.) and we need vulnerability and secuerity identifiers that change with it.
+
+# Project Roadmap
+
+Currently we are working on standing up basic technology, e.g. these repos, the editing button for current entries, and so on. If you have an item for the roadmap or other ideas please file an issue in gsd-project to make us aware, or bring it up on the mailing list/circle/slack/etc. so it can be captured and discussed.
+
+# GSD Contacts / communications channels
+
+* Circle Community (Forums): https://csaurl.org/gsd-circle 
+* Mailing-list: https://csaurl.org/gsd-mailing-list
+* Slack: https://csaurl.org/csa-public-slack #gsd-working-group
+
+# Meetings
+
+## Meeting times and locations
+
+## Meeting agendas
+
+## Meeting recordings
+
+# Governance
+
+## Charter
+
+https://cloudsecurityalliance.org/artifacts/global-security-database-working-group-charter/
+
+## Roles
+
+## Process
+
+## Related groups, activities and events
+
+### Global Security Vulnerability Summit
+
+https://events.linuxfoundation.org/open-source-summit-north-america/about/global-security-vulnerability-summit/
+
+June 23 – 24 in Austin Texas
+
+## GSD Project Chairs
+
+# Licenses
+
+We use the Creative Commons Legal Code  CC0 1.0 Universal for the gsd-database and gsd-project and Apache License Version 2.0, January 2004 for the gsd-tools.
+
+# Participation
+
+The GSD uses the Contributor Covenant Code of Conduct CODE_OF_CONDUCT.md *** TODO ***
+
+## Identity and attribution for participation
+
+Currently the GSD requires identity/atttribution for participation in GitHub to a GitHub account, this is a technical limitation/feature of the platform. Participation in the public email lists/Twitter/etc. for example does NOT require a GitHub account (or any identity beyond a working email address/Twitter account/etc.). Truly anonymous participation is not explicitly supported, however pseudonymity is supported and welcome.

gsd-project/TODO.md

@@ -0,0 +1,13 @@
+# GSD Projects
+
+The gsd-project repo is designed to support the project, meeting times, agendas, minutes, planning, roadmaps, vision, etc. are contained here.
+### Todo
+- [ ] Update README.md
+- [ ] Policy - Policy mostly doesn't exist today. We need to write down a lot of what's happening in the project as well as future goals. This TODO list should probably exist there too. You can find the closest thing to a policy repo here https://github.com/cloudsecurityalliance/gsd-project-plans It's very disorganized and needs organization.
+- [ ] GSD needs a logo
+
+### In progress
+
+### Completed
+
+### Cancelled

gsd-project/Vulnerability Identifier Landscape.md

@@ -0,0 +1,19 @@
+# Vulnerability Identifier Landscape
+
+This list may be incomplete. If there is a project that you feel should be listed but is currently missing, please open a pull request to add it!
+
+- SBOM Formats
+	- [CycloneDX](https://cyclonedx.org/)
+	- [SPDX](https://spdx.dev/)
+- Software ID Formats
+	- [cpe](https://nvd.nist.gov/products/cpe)
+	- [pURL](https://github.com/package-url/purl-spec)
+- Vulnerability Applicability
+	- [VEX](https://cyclonedx.org/capabilities/vex/)
+- Vulnerability ID Formats
+	- [OSV Schema](https://ossf.github.io/osv-schema/)
+	- [CSAF](https://oasis-open.github.io/csaf-documentation/)
+- Vuln ID Centralization
+	- [GSD](https://globalsecuritydatabase.org)
+	- [OSV Database](https://osv.dev)
+	- [GitHub Advisory Database](https://github.com/github/advisory-database)

gsd-project/analysis/cve/CVE-Data-Sources.md

@@ -0,0 +1,36 @@
+# Notes on CVE Data Sources
+
+Not all CVE Data Sources are equal.
+
+| Data | MITRE - GitHub (JSON) | MITRE - Download page | NVD - Download page |
+| --- | --- | --- | --- |
+|URL | https://github.com/cveproject/cvelist	| https://cve.mitre.org/data/downloads/index.html	| https://nvd.nist.gov/vuln/data-feeds |
+|FORMAT|JSON|CSV/HTML/TXT/XML|JSON|
+|Example| https://github.com/CVEProject/cvelist/blob/master/2021/44xxx/CVE-2021-44228.json | https://cve.mitre.org/data/downloads/allitems.csv |	https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz |
+|ID|YES|YES|YES|
+|STATE|YES|In Description|ALWAYS PUBLIC|
+|description|YES|YES|YES|
+|MACHINE_affects|YES|NO|CPE FORMAT|
+|MACHINE_credit|YES|NO|NO|
+|MACHINE_impact|YES|NO|YES|
+|MACHINE_cvss|YES|NO|YES|
+|MACHINE_problemtype|YES|NO|YES|
+|MACHINE_references|YES|YES|YES|
+|MACHINE_source|YES|NO|NO|
+|publishedDate|NO|Assigned|YES|
+|lastmodifiedDate|NO|NO|YES|
+|ASSIGNER|YES|NO|YES|
+|MACHINE_CPE|NO|NO|YES|
+
+## NVD API
+
+The NVD API (https://nvd.nist.gov/developers/vulnerabilities) appears to serve identical JSON as is in the JSON downloads.
+
+# In summary:
+
+* The MITRE Download page files (CSV/HTML/TXT/XML|JSON) contain far less data than the MITRE GitHub repo and the NVD JSON files. Don't use them.
+* MITRE only publishes the "publishedDate" which is whhen the CVE was assigned OR RESERVED, so it can be months in advance of the CVE actually being used
+* MITRE's machine readable affected data is usually incomplete, and missing in roughly 25% of entries, NVD has analysts add affected data in CPE format
+* The NVD publishedDate and the MITRE Assigned data are often different, it appears sometimes NVD uses the date of the first source becoming public (sometimes years or a decade in advance)
+
+The best source of CVE data that contains information (e.g. STATE is PUBLIC) is the NVD files/API. If you want to track RESERVED and so on you will want to get the MITRE GitHub JSON data.