Explore possibility to integrate additional taxonomies / tools and relation to CWE #123

Open

sthagen opened this issue Sep 2, 2020 · 5 comments

Comments

@sthagen (Contributor) commented Sep 2, 2020

As suggested by @tolim, we should analyze how useful and easy it would be to allow references to related or further databases (in addition to the CWE information). Cf. #102 for details.

Proposal:

  1. Poll for use cases among the TC members, possibly via the mailing list or this issue
  2. Start with a sample like CWE-79 to showcase what to refer to in the candidate database (cf. #102, "Shall CSAF v2.0 keep the CW ID only refs or add longer descriptions?", for the Mitre ATT&CK database)
@tschmidtb51 (Contributor) commented

Yesterday I heard an interesting presentation about SSVC (Stakeholder-Specific Vulnerability Categorization). This might be interesting, but I don't know whether we should try to include it in CSAF 2.0. There is more information available at CERTCC/SSVC. There is also a JSON schema which we could reference (unfortunately draft-04, which is becoming deprecated in more and more libraries; however, we could suggest upgrading it to a later version...).
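An added example, not code from this thread, from CSAF, or from the SSVC project, of what "upgrading" a draft-04 schema to a later draft mechanically involves. The two changes that actually break compatibility between draft-04 and draft-06/07 are the rename of the schema identifier `id` to `$id` and the switch of `exclusiveMinimum`/`exclusiveMaximum` from boolean modifiers of `minimum`/`maximum` to numeric bounds of their own; the walker below applies both while leaving user-chosen property names (including a property that happens to be called `id`) alone. The sample schema is constructed to look like a small decision-record schema and is an assumption; it is not the real SSVC schema.

```python
"""Upgrade a JSON Schema written against draft-04 to draft-07 (added example)."""
import copy
import json

DRAFT04 = "http://json-schema.org/draft-04/schema#"
DRAFT07 = "http://json-schema.org/draft-07/schema#"

# Keywords whose value is itself a schema (or, for "items", a list of schemas).
SCHEMA_KEYWORDS = ("items", "additionalItems", "additionalProperties", "not")
# Keywords whose value is a list of schemas.
SCHEMA_LIST_KEYWORDS = ("allOf", "anyOf", "oneOf")
# Keywords whose value maps user-chosen names to schemas. The keys are property
# names, so an "id" key inside these maps must NOT be renamed.
SCHEMA_MAP_KEYWORDS = ("properties", "patternProperties", "definitions")


def _upgrade_schema(node):
    """Rewrite one schema object in place, then recurse into its subschemas."""
    if not isinstance(node, dict):
        return
    # draft-04 "id" became "$id" in draft-06.
    if isinstance(node.get("id"), str):
        node["$id"] = node.pop("id")
    # draft-04 exclusiveMinimum/exclusiveMaximum were booleans that modified
    # minimum/maximum; since draft-06 they are numbers and stand on their own.
    for excl, bound in (("exclusiveMinimum", "minimum"), ("exclusiveMaximum", "maximum")):
        flag = node.get(excl)
        if isinstance(flag, bool):
            if flag and bound in node:
                node[excl] = node.pop(bound)   # exclusive bound takes the value
            else:
                node.pop(excl)                 # "false" carried no information
    for key in SCHEMA_KEYWORDS:
        value = node.get(key)
        if isinstance(value, list):            # tuple-typed "items"
            for sub in value:
                _upgrade_schema(sub)
        else:
            _upgrade_schema(value)
    for key in SCHEMA_LIST_KEYWORDS:
        for sub in node.get(key, []):
            _upgrade_schema(sub)
    for key in SCHEMA_MAP_KEYWORDS:
        for sub in node.get(key, {}).values():
            _upgrade_schema(sub)
    # "dependencies" values are either schemas or arrays of property names.
    for sub in node.get("dependencies", {}).values():
        if isinstance(sub, dict):
            _upgrade_schema(sub)


def upgrade_draft04_to_draft07(schema):
    """Return a draft-07 copy of `schema`; the input object is left untouched."""
    out = copy.deepcopy(schema)
    # A schema without "$schema" is assumed to be draft-04, as the caller asserts.
    if out.get("$schema", DRAFT04).startswith("http://json-schema.org/draft-04/"):
        out["$schema"] = DRAFT07
    _upgrade_schema(out)
    return out


# Constructed sample in draft-04 style (assumption; not the real SSVC schema).
SAMPLE_DRAFT04 = {
    "$schema": DRAFT04,
    "id": "https://example.invalid/decision-record.schema.json",
    "type": "object",
    "properties": {
        "id": {"type": "string"},               # a property that is merely named "id"
        "score": {"type": "number", "minimum": 0, "exclusiveMinimum": True,
                  "maximum": 10, "exclusiveMaximum": False},
        "decision_points": {"type": "array", "items": {"$ref": "#/definitions/point"}},
    },
    "definitions": {
        "point": {"type": "object",
                  "properties": {"label": {"type": "string"}},
                  "required": ["label"]},
    },
}

if __name__ == "__main__":
    print(json.dumps(upgrade_draft04_to_draft07(SAMPLE_DRAFT04), indent=2))
```

The other keywords carry over unchanged, so the output is a syntactically valid draft-07 schema. What a rewrite like this cannot know is whether the schema's authors relied on draft-04-specific behaviour elsewhere, so validate the result against the draft-07 metaschema with a library such as python-jsonschema and re-run the schema's own example instances before proposing the upgrade.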

@mprpic (Contributor) commented Apr 22, 2021

Just a note for posterity, but the CVE JSON schema opted for a general-purpose taxonomy object to accommodate things like SSVC or ATT&CK: CVEProject/cve-schema#6. Personally, I prefer explicit attributes instead of general-purpose ones.
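An added example, not code from this thread or from either schema project, of the trade-off behind "explicit attributes versus general-purpose ones". The explicit shape is modelled on CSAF's `cwe` object and the generic shape on the `taxonomyMappings` object of the CVE JSON schema; both shapes here are assumptions written for illustration, and the sample records are constructed. The point it shows is that an explicit attribute lets the schema itself reject a malformed CWE id, whereas a generic mapping validates structurally and pushes the real checks onto every consumer, each of which has to maintain its own table of known taxonomies.

```python
"""Explicit CWE attribute vs. general-purpose taxonomy mapping (added example)."""
import re

# Patterns a schema can pin down once the attribute is explicit.
CWE_ID = re.compile(r"^CWE-[1-9]\d{0,5}$")
ATTACK_TECHNIQUE = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # e.g. T1059 or T1059.007


def validate_explicit(vuln):
    """Explicit-attribute shape (assumption, modelled on CSAF's cwe object):
    vuln["cwe"] == {"id": "CWE-79", "name": "..."}. The shape itself tells a
    validator what the value must look like."""
    cwe = vuln.get("cwe")
    if cwe is None:
        return []                          # the attribute is optional
    if not isinstance(cwe, dict):
        return ["cwe must be an object"]
    errors = []
    if not CWE_ID.match(str(cwe.get("id", ""))):
        errors.append(f"cwe.id {cwe.get('id')!r} is not of the form CWE-<number>")
    name = cwe.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("cwe.name must be a non-empty string")
    return errors


def validate_generic(vuln):
    """General-purpose shape (assumption, modelled on the CVE schema's
    taxonomyMappings): vuln["taxonomyMappings"] is a list of
    {"taxonomyName": str, "taxonomyRelations": [{"taxonomyId": str,
    "relationshipName": str}]}. A schema for this shape can only demand that
    the strings exist; it cannot know whether "CWE-79" is a valid id for the
    taxonomy named next to it."""
    errors = []
    for i, mapping in enumerate(vuln.get("taxonomyMappings", [])):
        if not isinstance(mapping.get("taxonomyName"), str) or not mapping["taxonomyName"]:
            errors.append(f"taxonomyMappings[{i}].taxonomyName must be a non-empty string")
        for j, rel in enumerate(mapping.get("taxonomyRelations", [])):
            for key in ("taxonomyId", "relationshipName"):
                if not isinstance(rel.get(key), str) or not rel[key]:
                    errors.append(f"taxonomyMappings[{i}].taxonomyRelations[{j}].{key} "
                                  "must be a non-empty string")
    return errors


# Consumer-side knowledge the generic schema cannot carry: which taxonomy
# names are known and what their identifiers look like.
KNOWN_TAXONOMIES = {"CWE": CWE_ID, "ATT&CK": ATTACK_TECHNIQUE}


def check_generic_semantics(vuln):
    """The second pass every consumer of the generic shape has to write itself."""
    errors = []
    for i, mapping in enumerate(vuln.get("taxonomyMappings", [])):
        pattern = KNOWN_TAXONOMIES.get(mapping.get("taxonomyName"))
        if pattern is None:
            errors.append(f"taxonomyMappings[{i}]: unknown taxonomy {mapping.get('taxonomyName')!r}")
            continue
        for j, rel in enumerate(mapping.get("taxonomyRelations", [])):
            if not pattern.match(str(rel.get("taxonomyId", ""))):
                errors.append(f"taxonomyMappings[{i}].taxonomyRelations[{j}]: "
                              f"{rel.get('taxonomyId')!r} is not a valid {mapping['taxonomyName']} id")
    return errors


# Constructed sample records (not taken from any real advisory).
EXPLICIT_OK = {"cwe": {"id": "CWE-79",
                       "name": "Improper Neutralization of Input During Web Page Generation "
                               "('Cross-site Scripting')"}}
EXPLICIT_BAD = {"cwe": {"id": "CWE-079", "name": ""}}       # leading zero, empty name
GENERIC = {"taxonomyMappings": [
    {"taxonomyName": "cwe",                                  # wrong case: silently a new taxonomy
     "taxonomyRelations": [{"taxonomyId": "CWE-79", "relationshipName": "weakness"}]},
    {"taxonomyName": "ATT&CK",
     "taxonomyRelations": [{"taxonomyId": "T1059.007", "relationshipName": "technique"},
                           {"taxonomyId": "CWE-79", "relationshipName": "technique"}]},  # CWE id filed under ATT&CK
]}

if __name__ == "__main__":
    print("explicit ok :", validate_explicit(EXPLICIT_OK))
    print("explicit bad:", validate_explicit(EXPLICIT_BAD))
    print("generic structure:", validate_generic(GENERIC))
    print("generic semantics:", check_generic_semantics(GENERIC))
```

`validate_generic` accepts `GENERIC` without complaint; only the consumer-side `check_generic_semantics` notices that `"cwe"` is not a taxonomy it knows and that a CWE id has been filed under ATT&CK. With the explicit shape the same mistakes are caught by the schema, which is the practical argument for explicit attributes in an interchange format.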

@sthagen (Contributor, Author) commented Apr 22, 2021

I will inspect both references over the next days ... famous words

@tschmidtb51 (Contributor) commented

> Personally, I prefer explicit attributes instead of general-purpose ones.

Me too.

@tschmidtb51 (Contributor) commented

If anyone has a pressing need for that, please provide some suggestions or a PR. Otherwise I would suggest deferring the issue to CSAF 2.x.

@zmanion: What about SSVC? Is that something CERT/CC requires to be in CSAF 2.0?

3 participants