
Allow linkage to multiple vulnerability identifiers #3

Closed
david-waltermire opened this issue Aug 1, 2018 · 3 comments
Labels: bug (Something isn't working)
Comments

@david-waltermire (Collaborator)

The vulnerability object needs a property that is used to identify it. This will typically be a CVE ID, but may be an identifier from another identification scheme.

  1. A new object is needed that allows an identification scheme and identifier value to be provided.
  2. A means to link to such an object is needed on the vulnerability, perhaps using a relationship (e.g. identifiedBy).
  3. It may be desirable to allow linkage to multiple identifiers to allow multiple identification schemes to be used. The semantics of such a relationship need to be clear. Do both identifiers identify the same vulnerability? Is there a difference in vulnerability scope that makes both not the same?

In the vulnerability object, the text starting with "An identifier" and ending with "many organizations" needs to be removed and transitioned to this new linkage. This will probably eliminate the need for "KnownChains".

@david-waltermire david-waltermire added the bug Something isn't working label Aug 1, 2018
@david-waltermire david-waltermire added this to the 0.5 M1 Initial Public Discussion Draft Release milestone Aug 1, 2018
@david-waltermire david-waltermire changed the title Document a Vulnerability Object Identification Property Allow linkage to multiple vulnerability identifiers Aug 1, 2018
@Chris-Turner-NIST (Collaborator)

New object created similar to the product object where an ID scheme and ID need to be supplied as properties.
KnownChain serves a fundamentally different purpose than identifiedBy and should link to this to allow for better semantic flexibility.

Chris-Turner-NIST added a commit that referenced this issue Aug 31, 2018
…ns of type/subtype/values/properties. Also added changes to handle issues #3, #15, #9, #16 and #14
@Chris-Turner-NIST (Collaborator)

> The semantics of such a relationship need to be clear. Do both identifiers identify the same vulnerability? Is there a difference in vulnerability scope that makes both not the same?

Generally speaking, if multiple identification schemes are used then the IDs supplied would still reference the same vulnerability. I'm not entirely sure how we could limit the scope of what is being identified, as that would be controlled by the rules of the ID schemes themselves.

@Chris-Turner-NIST (Collaborator)

The current design of the Vulnerability Identifier Object allows for multiple "identifiedBy" relationships to the vulnerability. In the event a vulnerability is identified by multiple systems, and those systems can be defined within the properties of the vulnerability identifier, we can inherently create a relationship of hasAlias between the two identifiers. This should suffice for mapping a vulnerability across different identification schemes.
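The two design points discussed in this thread (an identifier object carrying a scheme and a value, linked to a vulnerability through one or more identifiedBy relationships, with hasAlias derived between identifiers that share a vulnerability) can be illustrated with a small model. The code below is an added example written for this page; it is not code from the project. The scheme syntax rules, the class and function names, and the sample identifiers are all assumptions made up for the illustration. It also covers the caveat raised in the thread: the model assumes that every identifier linked to a vulnerability object names the same vulnerability, so an identifier that turns up linked to two different vulnerability objects is reported as a conflict instead of being silently folded into one alias set.

```python
import re
from dataclasses import dataclass, field
from itertools import combinations

# Hypothetical syntax rules for a few identification schemes. The thread notes
# that scope is governed by the schemes themselves, so the only check made here
# is that a value is well-formed for the scheme claimed for it.
SCHEME_PATTERNS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "GHSA": re.compile(r"^GHSA(-[23456789cfghjmpqrvwx]{4}){3}$"),
    "VENDOR": re.compile(r"^[A-Z]{2,}-\d+$"),  # constructed vendor scheme
}


def is_well_formed(scheme, value):
    """True if the scheme is known and the value matches its syntax."""
    pattern = SCHEME_PATTERNS.get(scheme)
    return pattern is not None and pattern.match(value) is not None


@dataclass(frozen=True)
class VulnerabilityIdentifier:
    """Identifier object: an identification scheme plus a value in that scheme."""
    scheme: str
    value: str

    def __post_init__(self):
        if not is_well_formed(self.scheme, self.value):
            raise ValueError(f"{self.value!r} is not well-formed for scheme {self.scheme!r}")


@dataclass
class Vulnerability:
    """Vulnerability object with zero or more identifiedBy links."""
    name: str
    identified_by: list = field(default_factory=list)

    def identify(self, scheme, value):
        """Attach an identifiedBy link; duplicates are ignored."""
        ident = VulnerabilityIdentifier(scheme, value)
        if ident not in self.identified_by:
            self.identified_by.append(ident)
        return ident

    def has_alias(self):
        """Derive hasAlias: every pair of identifiers linked to this vulnerability
        names the same thing, so each unordered pair is an alias pair."""
        return {frozenset(pair) for pair in combinations(self.identified_by, 2)}


def build_alias_index(vulnerabilities):
    """Map each identifier to the set of identifiers it is an alias of, across a
    collection of vulnerability objects. Returns (aliases, conflicts); conflicts
    maps any identifier linked to more than one vulnerability object to the
    names of those objects, since that contradicts the 'same vulnerability'
    semantics assumed by hasAlias."""
    owner = {}
    aliases = {}
    conflicts = {}
    for vuln in vulnerabilities:
        for ident in vuln.identified_by:
            if ident in owner and owner[ident] is not vuln:
                conflicts.setdefault(ident, {owner[ident].name}).add(vuln.name)
            owner.setdefault(ident, vuln)
        for pair in vuln.has_alias():
            a, b = tuple(pair)
            aliases.setdefault(a, set()).add(b)
            aliases.setdefault(b, set()).add(a)
    return aliases, conflicts


if __name__ == "__main__":
    # Constructed sample data; the identifier values are placeholders, not real records.
    v = Vulnerability("constructed vulnerability A")
    v.identify("CVE", "CVE-2018-12345")
    v.identify("GHSA", "GHSA-2222-3333-4444")
    w = Vulnerability("constructed vulnerability B")
    w.identify("CVE", "CVE-2018-12345")  # same CVE linked to a second object
    aliases, conflicts = build_alias_index([v, w])
    for ident, others in aliases.items():
        print(f"{ident.scheme}:{ident.value} hasAlias {[f'{o.scheme}:{o.value}' for o in others]}")
    for ident, names in conflicts.items():
        print(f"conflict: {ident.scheme}:{ident.value} is linked to {sorted(names)}")
```

The alias relation is derived rather than stored, so a third identifier added later to the same vulnerability object automatically becomes an alias of the first two; the conflict report is where a practitioner would look for the "difference in vulnerability scope" case the thread asks about.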
