Vulnerability Description Schema

marta · August 31, 2021, 12:06pm

We would like to output JSON from the cve checker, to be used for a cross check with the IP compliance file and for other possible uses (like querying for updates of our packages). This post describes the proposed schema.

{
    "version": string,
	"layer": string,
	"package": {
                 "name": string,
                 "version": string,
                 "purl": string,
                 "products": [ {
                         "product": string
                 ] },
         },
         "issue":  [ {
                 "id": string,
            	 "summary": string,
                 "score": string,
                 "status": string,
	 ] ],
}

Where:

version is the schema version
layer is the package layer name
name is the name of the package
version is the version contained in the package
purl is the URL of the package, in the format described at https://github.com/package-url/purl-spec
products gives a list of product names contained in the package
issue is the table of issues in the package
id is the issue package, for example its CVE ID
summary is a short summary of the issue
score is the CVSS 3.1 base score
status is the current status in the package, can be “Patched”/“Unpatched”

Insprirations from: https://github.com/ossf/osv-schema

marta · August 31, 2021, 12:07pm

@Alberto_Pianon et al please comment
@landgraf might be of interest to you too

Alberto_Pianon · August 31, 2021, 2:15pm

makes sense!

Just a couple of questions:

do we need to include also vendor along with product? (see below the metadata included in curl recipe that we currently extract with tinfoilhat)
how do we create a valid purl for each package? (I guess that you are referring to this, right?)

          {
            "vendor": "haxx",
            "product": "curl"
          },
          {
            "vendor": "haxx",
            "product": "libcurl"
          },
          {
            "vendor": "curl",
            "product": "curl"
          },
          {
            "vendor": "curl",
            "product": "libcurl"
          },
          {
            "vendor": "libcurl",
            "product": "libcurl"
          },
          {
            "vendor": "daniel_stenberg",
            "product": "curl"
          }

landgraf · August 31, 2021, 5:56pm

typo. Should be “} ],”

Shouldn’t “issue” section contain affected product information as well. like “issue” : [{“id”: “CVE-2021-33909”, “product”: “linux”, “summary” : “kernel: size_t-to-int conversion vulnerability in the filesystem layer”, “score”: “CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H”}] ?

marta · September 6, 2021, 2:56pm

Thanks, fixes made. For the vendor, do you think it is useful in practice? We can get it via the CPE

marta · September 6, 2021, 2:58pm

This is a valid point. If we start including the complete score, we could just link to the OSV description that includes the same data. In this case it would be better to re-use OSV for that part. My idea was to include the basic information in our schema and then link for everything else to OSV and similar systems

Alberto_Pianon · September 7, 2021, 6:35am

@marta it seems that vendor is used by cve-check bb class to query the database:

github.com

openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L190

    
      
              bb.note("Recipe has been whitelisted, skipping check")
              return ([], [], [])
          
          
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
          
          
import sqlite3
          db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
          conn = sqlite3.connect(db_file, uri=True)
          
          
# For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
          for product in products:
              if ":" in product:
                  vendor, product = product.split(":", 1)
              else:
                  vendor = "%"
          
          
    # Find all relevant CVE IDs.
              for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
                  cve = cverow[0]
          
          
        if cve in cve_whitelist:

marta · September 21, 2021, 10:24am

Yes, you’re right. We need it.

marta · January 20, 2022, 10:31am

Hello all,
Here is the example I have from the first proto. Some fields are harder to get than I was thinking, so there are some changes (vector and purl are not there). An example:

{
  "version": "1",
  "package": {
    "name": "automake-native",
    "layer": "meta",
    "version": "1.16.5",
    "issue": {
      "CVE-2009-4029": {
        "id": "CVE-2009-4029",
        "summary": "The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.",
        "scorev2": "4.4",
        "scorev3": "0.0",
        "vector": "LOCAL",
        "status": "Patched",
        "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4029"
      },
      "CVE-2012-3386": {
        "id": "CVE-2012-3386",
        "summary": "The \"make distcheck\" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.",
        "scorev2": "4.4",
        "scorev3": "0.0",
        "vector": "LOCAL",
        "status": "Patched",
        "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3386"
      }
    }
  }
}