Description

Introduce VEX Support to DejaCode:

- enhance the data model to support a Product VEX List
- provide export capabilities for product VEX documents that comply with industry-recognized formats

Here are a few suggested details (subject to improvement upon review):
A VEX (Vulnerability Exploitability Exchange) is an assertion about the status of a vulnerability in specific products.
In DejaCode a VEX exists only in the context of a Product. Our first implementation of VEX support will apply to Product Package Vulnerabilities.
The standard VEX Status values can be as defined for the "state" field in the CDX VEX spec (https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis):

- "resolved"
- "resolved_with_pedigree"
- "exploitable"
- "in_triage" (applied automatically to a Package when a new vulnerability is identified for it)
- "false_positive"
DejaCode should support this VEX Status list. To avoid adding too much complexity to the data model, the list could simply be hard-coded in DejaCode rather than stored in a new VEX Status code table.
Given that a Product Package can have more than one vulnerability (VCID) and that a vulnerability can apply to more than one Product Package, it is probably best to consider defining each VEX in DejaCode as relating to a Product Package Vulnerability. Consider an on-demand process (button or command) in DejaCode that collects all the Vulnerabilities currently associated with Product Packages and creates or refreshes a list that we can call “Product VEX List” (working title) and presents them on a new tab (“VEX List”) of the Product User View.
The “logical” key of a Product VEX List is Product+VCID+PackageID (or perhaps Product+PackageID+VCID), and the presentation should be in that order, with one row for each Product VEX. Supporting data elements should include:
- VEX Status (default value "in_triage"): modifiable.
- VEX Action: modifiable, free-form text. If the status is "exploitable", a valid VEX must have an action statement that tells the product user what to do.
- VEX Impact: modifiable, free-form text. If the status is "false_positive", a valid VEX must have an impact statement to further explain the details.
- VEX Notes: modifiable, free-form text. Additional notes to explain the VEX.
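To make the proposed data model concrete, here is an added example (not DejaCode code) of the Product VEX row with the validation rules above, the "create or refresh" behaviour of the Product VEX List, and rendering a row as a CycloneDX vulnerability entry. The `package_id` being a purl/bom-ref and the mapping of action/impact/notes into the free-text `detail` field are assumptions.

```python
from dataclasses import dataclass

# Status values as defined for the "state" field of the CycloneDX 1.6 vulnerability analysis object.
VEX_STATUSES = ("resolved", "resolved_with_pedigree", "exploitable", "in_triage", "false_positive")


@dataclass
class ProductVex:
    """One row of the Product VEX List, keyed by Product + PackageID + VCID."""
    product: str
    package_id: str            # assumed to be the package's purl / bom-ref
    vcid: str
    status: str = "in_triage"  # default applied when a vulnerability is first seen
    action: str = ""
    impact: str = ""
    notes: str = ""

    def validate(self) -> list[str]:
        """Return the rules this row violates; an empty list means the VEX is valid."""
        errors = []
        if self.status not in VEX_STATUSES:
            errors.append(f"unknown status {self.status!r}")
        if self.status == "exploitable" and not self.action.strip():
            errors.append("exploitable requires an action statement")
        if self.status == "false_positive" and not self.impact.strip():
            errors.append("false_positive requires an impact statement")
        return errors

    def to_cyclonedx(self) -> dict:
        """Render as one entry of a CycloneDX 'vulnerabilities' array.
        Folding action/impact/notes into the free-text 'detail' field is an assumption."""
        parts = (("action", self.action), ("impact", self.impact), ("notes", self.notes))
        detail = "\n".join(f"{name}: {text}" for name, text in parts if text)
        analysis = {"state": self.status}
        if detail:
            analysis["detail"] = detail
        return {"id": self.vcid, "affects": [{"ref": self.package_id}], "analysis": analysis}


def refresh_vex_list(product, existing, package_vulns):
    """Create or refresh the Product VEX List from the (package_id, vcid) pairs currently
    associated with the product: rows already present keep their triage, new pairs start
    as in_triage, and pairs no longer associated are dropped (a design choice assumed here)."""
    by_key = {(row.package_id, row.vcid): row for row in existing if row.product == product}
    return [by_key.get((pkg, vcid)) or ProductVex(product, pkg, vcid)
            for pkg, vcid in sorted(package_vulns)]
```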
DejaCode Processing:

- From the Product VEX list, ability to open a Product VEX detail form that includes the various VEX fields discussed above.
- From the Product VEX list, provide a navigation link to the Product Package details.
- Provide full support for Product VEX in Reporting.
- Provide full support for Product VEX in the DejaCode API.
- (future) Generate DejaCode Notifications when a Product VEX is created and when the VEX Status is modified. Provide a link to the Product VEX from the Notification.
Some useful files, background, and links:

- See the example VEX at https://github.com/CycloneDX/bom-examples/blob/master/VEX/vex.json
- There is a descriptive overview of the CycloneDX approach to VEX here: https://github.com/CycloneDX/bom-examples/tree/master/VEX
DejaCode supports SBOM with or without VEX, as well as VEX documents.
After we finish CycloneDX:

- The CSAF standard format, recommended by the CycloneDX team, is described here: https://www.oasis-open.org/2022/11/28/common-security-advisory-framework-version-2-0-oasis-standard-is-now-published/
- The CSAF also provides a downloadable package of the spec here: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.zip
- The most useful file in that package for us is probably csaf_json_schema.json
Additional guidelines from CISA (2023-11-06) attached: When-to-Issue-a-VEX-508c.pdf.zip

Interesting commentary from Tom Alrich attached: When will there be VEX tools.pdf