JSON Schema for vulnerability extension? #37
Comments
|
Hi Gareth. Yes, there are plans to port the vulnerability extension to JSON. The vulnerability extension predates CycloneDX v1.2, and therefore JSON support. The porting of the extension to JSON should be relatively simple. What is much more vague, is how JSON schema supports the validation of two or more schema files when they do not refer to each other. In XML Schema, this is simple to do. I have not seen any examples of this in the JSON Schema world. So for example, the extensions can refer to the core (if necessary - hopefully not), but the core schema cannot refer to the extensions. It's this type of decoupling that I have not seen in JSON Schema, so I'm not entirely sure how that will impact the design of CycloneDX extensions for JSON, or the validation of them. Thoughts or expertise in this domain are highly welcome. |
|
Looks like the website has a few minor navigation issues i need to look at, but wanted to point you to https://cyclonedx.org/ext/vulnerability/ as well. |
|
Thanks for the info. I'm not sure a similar extension mechanism exists for JSON Schema unfortunately. My assumption is you'll need to maintain two schemas, one with and one without the extension, or simply indicate the extension properties as optional. So the complexity shifts to some build tooling rather than being a first-class part of the schema. |
|
I don't think that's going to scale. There are already 3 extensions. That's a few combinations of extensions+core schema to maintain. |
|
Yup, that's what I mean by probably needing to move the complexity into a build process, and generating the variant schemas. Which would solve the authoring problem at least. Consumption needs context in any case. |
|
I don't think moving this into a build process is something that would be possible coming from CycloneDX. If today, there are the four extensions available in JSON, and each was only at v1.0, then there would be a lot of permutations. Once additional versions of these become available, the number of permutations will exponentially increase. Add to that future extension that CycloneDX Core Team works on or that are available in various industries, then the number of permutations becomes unmanageable, even with automation.
In addition, there is already the published JSON schema which allows any unspecified property to exist and still validate, as well as a strict schema variant which prohibits this behavior. So there's already two different JSON schemas for the core due to bad design choices in JSON Schema itself. So, however many permutations we end up with, there will likely be double. The inability for JSON Schema to be extensible obviously affects CycloneDX the most. IMO we should likely do the following:
In other words, I think the CycloneDX project can create and publish JSON extensions, but I don't think we want to be in the business of providing possible permutations. There's going to simply be too many. Adopters of JSON will need to take on that responsibility themselves. Thoughts? |
|
A slight variant might be for the project to provide two JSON Schema variants - the base (provided now) and one with all official extensions at the latest version. Then push out any other permutation to the adopters. |
|
That may be possible. Two issues I see:
I remember Bootstrap v3 had the ability to specify what components you wanted included in a custom distribution. It had some checkboxes that allowed users to include or exclude specific parts of Bootstrap. CycloneDX could do something similar. Allow users to choose what (if any) extensions they want, along with the version of the extension they want incorporated into a custom schema. This would obviously only apply to JSON as there would be no need to have such functionality for XML. |
|
@garethr One other possibility for JSON extensions is to perform the validation twice, once for CycloneDX core and once for the extension we want to validate. This could be done in two ways:
The first approach can use existing tools. The second approach cannot as it will involve logic to extract and identify prior to the validation step. In both cases, validation would need to be performed twice however. Outside of the requirement to validate twice, do you see any issues here with supporting it this way? If not, then do you see any issues with requiring two validation steps? If we can figure out the details on how to support validation of JSON extensions in a way that does not negatively impact the CycloneDX team, I think creating the JSON vulnerability extension can be achieved in relatively short time. I'd like to get it in your hands to test with (and hopefully provide feedback) prior to release. |
|
I committed an initial version that appears to work. It's a manual port of the existing XML version to JSON. This initial checkin is standalone, meaning that it doesn't take into consideration the rest of the BOM. Once we figure out how to property extend CycloneDX with JSON Schemas, then this work can be modified to meet whatever design choice we choose. Here's an example of a JSON document that can be validated with the extension. This is the exact same data as used in the XML example https://cyclonedx.org/ext/vulnerability/ {
"vulnerabilities": [
{
"id": "CVE-2018-7489",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
},
"ratings": [
{
"score": {
"base": 9.8,
"impact": 5.9,
"exploitability": 3.0
},
"severity": "Critical",
"method": "CVSSv3",
"vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"severity": "Low",
"method": "OWASP Risk",
"vector": "OWASP/K9:M1:O0:Z2/D1:X1:W1:L3/C2:I1:A1:T1/F1:R1:S2:P3/50"
}
],
"cwes": [
184, 502
],
"description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
"recommendations": [
"Upgrade"
],
"advisories": [
"https://github.com/FasterXML/jackson-databind/issues/1931",
"http://www.securityfocus.com/bid/103203",
"http://www.securitytracker.com/id/1040693",
"http://www.securitytracker.com/id/1041890"
]
}
]
} |
|
Looking at the JSON schema I see: "scoreValue": {
"type": "number",
"title": "Score",
"description": "Numerical representation of the vulnerability score. Must be a number between 0 - 10 (maps to lowest severity - highest severity)",
"multipleOf": 0.1,
"examples": [7.9, 10.0]
},But this definition isn't used elsewhere?
Reading the XSD, I don't think this is required in the JSON Schema as the "base": {
"type": "number",
"title": "Base Score",
"description": "The base score of the security vulnerability (Refer CVSS standard for example)",
"multipleOf": 0.1,
+ "minimum": 0,
+ "maximum": 10,
"examples": [2.9, 7.2]
}, |
|
Revisiting this as there's increased demand to support this in the wake of recent supply-chain attacks. With regard to supporting an unknown number of JSON extensions AND having them validate (see #37 (comment)), one approach that did not exist previously, is to use the CycloneDX CLI. This is a newer command line interface, written in .NET Core and is available on a wide variety of platforms as well as Docker. The CLI is a Swiss army knife of sorts as it performs conversion, validation, diff, and other utility functions. One possibility could be to add an option to the CLI that allows users to create their own custom JSON schema based on the extensions they want to use. The CLI could:
If the CLI could do these things, it would greatly simplify a lot of things. Not as simple as XML, but I think it would be acceptable. Thoughts on this approach? If acceptable, we might have a path forward and should be able to unblock this issue - and any updates to the vulnerability extension. |
|
I also think that JSON extension schemas need a prefix for ALL properties and definitions. Due to JSON not supporting namespaces, we need a way to avoid current and future collisions in property names and definitions. Something like |
|
I am +1 on using long, less than likely to collide names, given the other options I know of are JSON-LD, or at worst trying to emulate XML namespaces entirely. Feedback from here forward is just a bit informed from working on Would personally suggest Prefixing the properties COULD get messy long term implementation wise, because you'd have to add aliases to pick them up, in the case of something getting absorbed into the main project (or new Models, etc...). Making sure the top level is named in.a non colliding way makes it fairly easy in the case of something it into the main spec to just switch it to a real property and have things keep working (2 cents!) |
|
Another option would be to include all extensions in the dedicated part of the SBOM. Top level elements consist of:
It may be possible to add 'extensions' as another top level element and bundle all extensions in there, then simply use This approach may be cleaner than trying to add extensions to existing parts of the SBOM. We wouldn't have to worry as much about collisions of properties, but would still need to worry about collisions of definitions in the JSON Schema. If |
|
I am not against that (it probably simplifies some code stuff tbh) |
I see the XML schema has a specific schema extension for describing vulnerability information https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd
The main page says
However the
extfolder doesn't appear to have the JSON schema https://github.com/CycloneDX/specification/tree/master/schema/extAre there any plans to publish a JSON Schema with the vulnerability extension applied?
The text was updated successfully, but these errors were encountered: