SBOM/SPDX Generation: Add CPE information for CVE security s… #102
Conversation
Thank you for creating this PR. We will look into this PR and discuss with you here.
Hi, thanks for the PR! I'd like some more information. Reading through the documentation, it seems that is not a valid way to set PURL? Looking at https://github.com/package-url/purl-spec it seems it needs to be from a package manager. Do we need to set the PURL? It seems most docs suggest setting one of the identification options, so setting just CPE should be correct? Also found these docs for CPE: Seems CPE is marked legacy? Not sure what is meant by that; is this a still supported thing? Also I see the PR for that tool is still open? Is it going to be merged? Are there tools currently deployed that use this? Is there somewhere where I can see what CPEs exist and query them online?
Removed PURL from the commit, as it is indeed not entirely necessary [see force push above]. We'll respond to other questions later today.
Agree PURL does not make sense here. CPE is sufficient.
Yes, CPE is actively maintained by NIST as part of NVD. Any tool using NVD to report CVEs pretty much relies on the CPE information to map CVEs to packages in an SBOM.
The community is actively working on it. I don't see any reason for this to not get merged. That said the intel cve-bin-tool was only an example.
Yes, pretty much any tool that relies on NVD to report vulnerabilities should support it.
There are many commercial tools as well. Timesys Vigiles being one. Synopsys BlackDuck is a popular commercial tool that supports CPEs as stated here.
https://nvd.nist.gov/products/cpe/search
Thanks for the info! LGTM
This commit adds Common Platform Enumeration (CPE) information to the output SPDX files during SBOM generation.
This information is used by CVE security scanners (Timesys Vigiles, Intel's cve-bin-tool, etc.).
Specifically, it appears FreeRTOS has 3 relevant CPEs which are currently active in the NVD:
So, I've added the ability to map these package names to the corresponding CPE strings in the NVD.
If additional CPEs are added to the NVD in the future, the lookup dictionary will need to be adjusted accordingly. Some of the assumed regex logic may also need to be adjusted in that case. In its current state, it does correctly work for all three package names.
I have tested this commit via:
Which shows the additional ExternalRef info being added to FreeRTOS-Kernel:
For the sake of finding some CVEs, I know 10.4.1 has a few. So I switched 10.5.1 to 10.4.1 and ran:
This shows:
This then shows the ExternalRef info for mbedtls:
Running this through cve-bin-tool:
Produces:
This then shows the proper ExternalRef info again:
Feeding this through cve-bin-tool again:
Produces:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
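The mechanism the PR description outlines (a regex lookup from SPDX package names to CPE 2.3 strings, emitted as `ExternalRef: SECURITY cpe23Type` lines that NVD-based scanners can consume) can be shown end to end with a small standalone script. The example below is added here and is not the PR's code or FreeRTOS project code; the vendor/product values in `CPE_LOOKUP` are constructed placeholders (the page does not list the three real NVD CPEs), the SPDX fragment is constructed, and the decision to insert the ExternalRef directly after each `PackageVersion` line is an assumption for illustration.

```python
"""Added example (not the PR's own code): map SPDX package names to CPE 2.3
strings and emit SPDX 2.x tag-value ExternalRef lines for them."""
import re
from typing import Optional

# Constructed lookup table (placeholders, NOT real NVD CPE names):
# regex matched against the SPDX PackageName -> (vendor, product) parts
# of the CPE 2.3 formatted string. The version comes from PackageVersion.
CPE_LOOKUP = [
    (re.compile(r"^freertos[-_]?kernel$", re.IGNORECASE), ("example_vendor", "freertos_kernel")),
    (re.compile(r"^mbedtls$", re.IGNORECASE), ("example_vendor", "mbedtls")),
]

# Shape check for a CPE 2.3 formatted string: "cpe:2.3:" + part + 10 fields.
# Simplification: does not account for backslash-escaped colons inside a field.
CPE23_SHAPE = re.compile(r"^cpe:2\.3:[aho](?::[^:]+){10}$")


def cpe_escape(value: str) -> str:
    """Quote characters that are reserved in the CPE 2.3 formatted-string binding.
    Alphanumerics, "_", "." and "-" are unreserved; anything else gets a backslash."""
    return re.sub(r"[^A-Za-z0-9_.\-]", lambda m: "\\" + m.group(0), value)


def build_cpe23(vendor: str, product: str, version: str) -> str:
    """Build an application ("a") CPE with the remaining seven fields wildcarded."""
    fields = ["cpe", "2.3", "a", cpe_escape(vendor), cpe_escape(product), cpe_escape(version)]
    fields += ["*"] * 7  # update, edition, language, sw_edition, target_sw, target_hw, other
    return ":".join(fields)


def lookup_cpe(package_name: str, version: str) -> Optional[str]:
    """Return the CPE for a package name, or None when no lookup entry matches."""
    for pattern, (vendor, product) in CPE_LOOKUP:
        if pattern.match(package_name):
            cpe = build_cpe23(vendor, product, version)
            if not CPE23_SHAPE.match(cpe):
                raise ValueError(f"malformed CPE generated: {cpe}")
            return cpe
    return None


def external_ref_line(cpe: str) -> str:
    """SPDX 2.x tag-value external reference of category SECURITY, type cpe23Type."""
    return f"ExternalRef: SECURITY cpe23Type {cpe}"


def add_cpe_refs(spdx_text: str) -> str:
    """Walk an SPDX tag-value document and add an ExternalRef after the
    PackageVersion line of every package that has a known CPE (assumed placement)."""
    out = []
    current_name = None
    for line in spdx_text.splitlines():
        out.append(line)
        if line.startswith("PackageName:"):
            current_name = line.split(":", 1)[1].strip()
        elif line.startswith("PackageVersion:") and current_name is not None:
            version = line.split(":", 1)[1].strip()
            cpe = lookup_cpe(current_name, version)
            if cpe is not None:
                out.append(external_ref_line(cpe))
    return "\n".join(out) + "\n"


# Constructed SPDX fragment: one package with a lookup entry, one without.
SAMPLE_SPDX = """SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example

PackageName: FreeRTOS-Kernel
SPDXID: SPDXRef-Package-FreeRTOS-Kernel
PackageVersion: 10.4.1
PackageDownloadLocation: NOASSERTION

PackageName: some-other-lib
SPDXID: SPDXRef-Package-other
PackageVersion: 1.0.0
PackageDownloadLocation: NOASSERTION
"""

if __name__ == "__main__":
    print(add_cpe_refs(SAMPLE_SPDX))
```

Running the script prints the fragment with a single `ExternalRef: SECURITY cpe23Type cpe:2.3:a:example_vendor:freertos_kernel:10.4.1:*:*:*:*:*:*:*` line under the FreeRTOS-Kernel package and nothing added for the unmatched package, which is the behaviour a scanner such as cve-bin-tool needs: it will only map CVEs onto packages that carry a CPE, so an unmatched package silently gets no vulnerability coverage. Validating the generated string against `CPE23_SHAPE` before writing it out is the cheap check that catches a malformed lookup entry before it reaches the SBOM.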