-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenVEX Specification v0.2.0 #35
Conversation
This commit modifies the openvex spec to reflect the changes in the OpenVEX Enhancement Proposal 0014: Expansion of the VEX Product Field. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit updates the SPEC to incorporate the changes approved in the OpenVEX Enhancement Proposal 0015: Expansion of the Vulnerability Field. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit adds reference tables for the hash names and identifier labels to be used in the product data structure. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit bumps the spec to v0.2.0. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
PR is open implementing these changes in the go-vex libraries: openvex/go-vex#45 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question about IRIs, else LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work keeping the spec lined up alongside the tooling implementation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Thanks everyone! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a comment since I notice that I missed the merge window. I can open up a separate PR on these or leave that up to you. Let me know if you'd prefer to do it yourself.
@@ -190,12 +195,10 @@ The following table lists the fields of the OpenVEX statement struct. | |||
| --- | --- | --- | | |||
| @id | ✕ | Optional IRI identifying the statement to make it externally referenceable. | | |||
| version | ✕ | Optional integer representing the statement's version number. Defaults to zero, required when incremented. | | |||
| vulnerability | ✓ | Vulnerability SHOULD use existing and well known identifiers. For example: [CVE](https://cve.mitre.org/), [OSV](https://osv.dev/), [GHSA](https://github.com/advisories), a supplier's vulnerability tracking system such as [RHSA](https://access.redhat.com/security/security-updates/#/) or a propietary system. It is expected that vulnerability identification systems are external to and maintained separately from VEX.<br>`vulnerability` MAY be an IRI and MAY be arbitrary, created by the VEX document `author`. | | |||
| vuln_description | ✕ | Optional free-form text describing the vulnerability | | |||
| vulnerability | ✓ | A struct identifying the vulnerability. See the [Vulnerability Data Structure] section below for the complete data structure reference. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| vulnerability | ✓ | A struct identifying the vulnerability. See the [Vulnerability Data Structure] section below for the complete data structure reference. | | |
| vulnerability | ✓ | A struct identifying the vulnerability. See the [Vulnerability Data Structure](#Vulnerability Data Structure) section below for the complete data structure reference. | |
|
||
The product field should list as many software identifiers as possible to | ||
help VEX processors when matching the product. The use of | ||
[Package URLs](https://github.com/package-url/purl-spec) (purls) is recommended. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend moving the URL to the bottom and making it a named link.
| timestamp | ✕ | Timestamp is the time at which the information expressed in the Statement was known to be true. Cascades down from the document, see [Inheritance](#Inheritance). | | ||
| last_updated | ✕ | Timestamp when the statement was last updated. | | ||
| products | ✕ | Product identifiers that the statement applies to. Any software identifier can be used and SHOULD be traceable to a described item in an SBOM. The use of [Package URLs](https://github.com/package-url/purl-spec) (purls) is recommended. While a product identifier is required to have a complete statement, this field is optional as it can cascade down from the encapsulating document, see [Inheritance](#Inheritance). | | ||
| subcomponents | ✕ | Identifiers of components where the vulnerability originates. While the statement asserts about the impact on the software product, listing `subcomponents` let scanners find identifiers to match their findings. | | ||
| products | ✕ | List of product structs that the statement applies to. See the [Product Data Structure] section below for the full description. While a product is required to have a complete statement, this field is optional as it can cascade down from the encapsulating document, see [Inheritance](#Inheritance). | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| products | ✕ | List of product structs that the statement applies to. See the [Product Data Structure] section below for the full description. While a product is required to have a complete statement, this field is optional as it can cascade down from the encapsulating document, see [Inheritance](#Inheritance). | | |
| products | ✕ | List of product structs that the statement applies to. See the [Product Data Structure](#Product Data Structure) section below for the full description. While a product is required to have a complete statement, this field is optional as it can cascade down from the encapsulating document, see [Inheritance](#Inheritance). | |
Agency](https://www.cisa.gov/) (CISA). | ||
a valid VEX implementation as defined in the [Minimum Requirements for VEX] | ||
document published on April 2023 as defined by the VEX Working Group coordinated | ||
by the [Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/) (CISA). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend moving the URL to the bottom and making this a named link.
| --- | --- | --- | | ||
| @id | ✕ | Optional [IRI](#IRI) identifying the component to make it externally referenceable. | | ||
| identifiers | ✕ | A map of software identifiers where the key is the type and the value the identifier. OpenVEX favors the use of purl but others are recognized (see the Identifiers Labels table below) | | ||
| hashes | ✕ | Map of cryptographic hashes of the component. The key is the algorithm name based on the [Hash Function Textual Names](https://www.iana.org/assignments/named-information/named-information.xhtml) from IANA. See [Hash Names Table] for the full supported list. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also recommend moving the URL to the bottom and making it a named link.
| hashes | ✕ | Map of cryptographic hashes of the component. The key is the algorithm name based on the [Hash Function Textual Names](https://www.iana.org/assignments/named-information/named-information.xhtml) from IANA. See [Hash Names Table] for the full supported list. | | |
| hashes | ✕ | Map of cryptographic hashes of the component. The key is the algorithm name based on the [Hash Function Textual Names](https://www.iana.org/assignments/named-information/named-information.xhtml) from IANA. See [Hash Names Table](#Hash Names Table) for the full supported list. | |
|
||
The following list of hash names can be used as keys in the `hashes` field of the | ||
product field. These labels follow and extend the | ||
[Hash Function Textual Names](https://www.iana.org/assignments/named-information/named-information.xhtml) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend moving the URL to the bottom and making this a named link.
| purl | [Package URL](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst) | | ||
| cpe22 | [Common Platform Enumeration v2.2](https://cpe.mitre.org/files/cpe-specification_2.2.pdf) | | ||
| cpe23 | [Common Platform Enumeration v2.3](https://csrc.nist.gov/pubs/ir/7695/final) | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend moving all links to the bottom.
| 2023-07-18 | Updated spec to reflect changes in [OPEV-0015: Expansion of the Vulnerability Field](https://github.com/openvex/community/blob/main/enhancements/opev-0015.md) | | ||
| 2023-07-18 | Updated spec to reflect changes in [OPEV-0014: Expansion of the VEX Product Field](https://github.com/openvex/community/blob/main/enhancements/opev-0014.md) | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More links to consider moving.
Thanks for the thorough review @sudo-bmitch we're more than happy to add those comments to the review, do you want to open a PR? I can review it right away 🙏 |
This PR updates the OpenVEX specification to v0.2.0, a breaking change that expands the product and vulnerability fields to make them more expressive and better suited for future expansion.
This PR incorporates the changes discussed and approved by the SIG as part of the following OpenVEX Enhancement Proposals:
/cc OpenVEX Maintainers: @lumjjb @wagoodman @luhring @rnjudge
/cc OpenVEX SIG OPEV Contributors: @sudo-bmitch @SecurityCRob
Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev