Description
Dear GitHub team,
it would be nice if your security advisories were also available in the Common Security Advisory Framework. CSAF specifies a standard way to distribute security advisories so that they can be retrieved automatically. This method scales well for all issuing parties. It is also the @cisagov recommended format, as CISA's EAD Eric Goldstein points out in his blog post Transforming the vulnerability management landscape.
A conversion from the GitHub advisory format to CSAF seems to be possible.
CSAF version of GHSA-2275-rpf5-xv8h

```json
{
  "document": {
    "aggregate_severity": { "text": "HIGH" },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": {
      "category": "other",
      "name": "Github",
      "namespace": "https://github.com/github/advisory-database/"
    },
    "references": [
      { "category": "self", "summary": "NIST NVD entry", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25906" },
      { "category": "external", "summary": "Package", "url": "https://github.com/stefanjudis/is-http2" },
      { "category": "external", "summary": "Vulnerability details", "url": "https://security.snyk.io/vuln/SNYK-JS-ISHTTP2-3153878" },
      { "category": "external", "summary": "Problem", "url": "https://github.com/stefanjudis/is-http2/blob/master/index.js#L23" }
    ],
    "title": "is-http2 vulnerable to Improper Input Validation",
    "tracking": {
      "aliases": [ "CVE-2022-25906" ],
      "current_release_date": "2023-02-08T11:00:00.000Z",
      "generator": {
        "date": "2023-02-09T10:46:55.818Z",
        "engine": { "name": "Secvisogram", "version": "2.0.0" }
      },
      "id": "GHSA-2275-rpf5-xv8h",
      "initial_release_date": "2023-02-01T06:30:30Z",
      "revision_history": [
        { "date": "2023-02-01T06:30:30Z", "number": "1", "summary": "Initial version." },
        { "date": "2023-02-02T17:13:07Z", "number": "2", "summary": "Add afffected packages, update references." },
        { "date": "2023-02-08T22:40:04Z", "number": "3", "summary": "Add CWE and correct title." }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:npm/<=1.2.0",
                "product": { "name": "stefanjudis is-http2 vers:npm/<=1.2.0", "product_id": "CSAFPID-0001" }
              }
            ],
            "category": "product_name",
            "name": "is-http2"
          }
        ],
        "category": "vendor",
        "name": "stefanjudis"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-25906",
      "cwe": { "id": "CWE-20", "name": "Improper Input Validation" },
      "involvements": [
        { "date": "2023-02-02T17:13:07Z", "party": "other", "status": "completed", "summary": "Reviewed by Github" }
      ],
      "notes": [
        {
          "category": "description",
          "text": "All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.",
          "title": "CVE description"
        }
      ],
      "product_status": { "known_affected": [ "CSAFPID-0001" ] },
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [ "CSAFPID-0001" ]
        }
      ]
    }
  ]
}
```

As GitHub hosts many open source projects, it would be beneficial if you integrated this, as most of the required metadata could be configured in the project or is already available.
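To show that the conversion suggested above is mechanical, here is an added example (not part of the original request, and not GitHub's or CSAF's own tooling) that builds a CSAF 2.0 `csaf_security_advisory` document from an OSV-style advisory record. The input record `ADVISORY` is constructed for this example using the values from GHSA-2275-rpf5-xv8h; its field layout (`affected`, `severity`, `database_specific`) follows the OSV schema used by the github/advisory-database repository, and that layout is an assumption here. The CSAF `cvss_v3` object needs a numeric `baseScore`, which the OSV record does not carry, so the example derives it from the vector string with the CVSS v3.1 base-score formula and checks that it reproduces the 7.8 shown above. The `CWE_NAMES` lookup and the `publisher_ns` default are placeholders a real converter would fill from the CWE list and GitHub's own namespace.

```python
import json
import math

# CVSS v3.1 base-metric weights (from the CVSS v3.1 specification).
_W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},      # scope unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},     # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def _roundup(x):
    """Roundup() exactly as defined in CVSS v3.1 (integer arithmetic avoids float drift)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Return (baseScore, baseSeverity) for a 'CVSS:3.1/...' base vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_W["PR_C"] if changed else _W["PR"])[m["PR"]]
    exploitability = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * pr * _W["UI"][m["UI"]]
    if impact <= 0:
        score = 0.0
    else:
        score = _roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
    sev = "NONE" if score == 0 else "LOW" if score < 4 else "MEDIUM" if score < 7 else "HIGH" if score < 9 else "CRITICAL"
    return score, sev

# Placeholder: a real converter would resolve names from the MITRE CWE list.
CWE_NAMES = {"CWE-20": "Improper Input Validation"}

# Constructed OSV-style record (layout assumed; values taken from GHSA-2275-rpf5-xv8h).
ADVISORY = {
    "id": "GHSA-2275-rpf5-xv8h",
    "aliases": ["CVE-2022-25906"],
    "summary": "is-http2 vulnerable to Improper Input Validation",
    "details": "All versions of the package is-http2 are vulnerable to Command Injection due to "
               "missing input sanitization or other checks, and sandboxes being employed to the isH2 function.",
    "published": "2023-02-01T06:30:30Z",
    "modified": "2023-02-08T22:40:04Z",
    "affected": [{"package": {"ecosystem": "npm", "name": "is-http2"},
                  "database_specific": {"last_known_affected_version_range": "<= 1.2.0"}}],
    "references": [{"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25906"},
                   {"type": "PACKAGE", "url": "https://github.com/stefanjudis/is-http2"}],
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],
    "database_specific": {"cwe_ids": ["CWE-20"], "github_reviewed": True},
}

def to_csaf(adv, publisher_name="GitHub", publisher_ns="https://github.com/advisories"):
    """Build a CSAF 2.0 security advisory dict from an OSV-style GHSA record."""
    pids, branches = [], []
    for n, aff in enumerate(adv["affected"], start=1):
        pkg = aff["package"]
        rng = aff.get("database_specific", {}).get("last_known_affected_version_range", "")
        vers = f"vers:{pkg['ecosystem'].lower()}/{rng.replace(' ', '')}"   # vers: range for CSAF
        pid = f"CSAFPID-{n:04d}"
        pids.append(pid)
        branches.append({"category": "product_family", "name": pkg["ecosystem"], "branches": [
            {"category": "product_name", "name": pkg["name"], "branches": [
                {"category": "product_version_range", "name": vers,
                 "product": {"name": f"{pkg['name']} {vers}", "product_id": pid}}]}]})
    vector = adv["severity"][0]["score"]
    score, severity = cvss31_base_score(vector)
    refs = [{"category": "self", "summary": "GitHub advisory", "url": f"{publisher_ns}/{adv['id']}"}]
    refs += [{"category": "external", "summary": r["type"].title(), "url": r["url"]} for r in adv["references"]]
    cve = next((a for a in adv["aliases"] if a.startswith("CVE-")), None)
    cwe_id = adv["database_specific"]["cwe_ids"][0]
    vuln = {
        "cwe": {"id": cwe_id, "name": CWE_NAMES.get(cwe_id, cwe_id)},
        "notes": [{"category": "description", "text": adv["details"], "title": "Details"}],
        "product_status": {"known_affected": pids},
        "scores": [{"cvss_v3": {"baseScore": score, "baseSeverity": severity,
                                "vectorString": vector, "version": "3.1"}, "products": pids}],
    }
    if cve:
        vuln["cve"] = cve
    return {
        "document": {
            "aggregate_severity": {"text": severity},
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "other", "name": publisher_name, "namespace": publisher_ns},
            "references": refs,
            "title": adv["summary"],
            "tracking": {"aliases": adv["aliases"], "id": adv["id"],
                         "initial_release_date": adv["published"], "current_release_date": adv["modified"],
                         "revision_history": [{"date": adv["modified"], "number": "1",
                                               "summary": "Converted from GHSA record."}],
                         "status": "final", "version": "1"},
        },
        "product_tree": {"branches": branches},
        "vulnerabilities": [vuln],
    }

if __name__ == "__main__":
    print(json.dumps(to_csaf(ADVISORY), indent=2))
```

The product tree here groups by ecosystem (`product_family`) rather than by the vendor name shown in the hand-made document above, because an OSV record carries the package ecosystem but no vendor field; everything else in the output maps one-to-one onto fields GitHub already stores for every advisory.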
See csaf.io and the videos for more details.
Thank you for considering. I'm happy to have a chat (also offline).