Hi all,
In the April 12th Defects meeting we were discussing changing the security
profile <https://github.com/spdx/spdx-3-model/tree/security-profile/security-profile>
to be better able to support VEX use cases.
We ran into the recurring issue of when to use a property and when to use a
relationship; I included some examples below.
I know we discussed this in a recent tech call. Do we have any written
guidance/design principles? Can we discuss this further tomorrow?
Below is an excerpt of the SPDX 3.0 Vulnerability example as currently found on
GitHub. The issue we found is that changing any VEX property would require
publishing the whole vulnerability, which is not ideal. The idea is to move VEX and
maybe other categorization into their own elements so the SPDX creator can update
just the categorization, with the timestamp for each categorization creation coming
from the SPDX 3.0 Element's creationInfo.
{
  "@type": "Vulnerability",
  "@id": "urn:spdx.dev:cve-2020-2849",
  "summary": "Use of a Broken or Risky Cryptographic Algorithm",
  "description": "The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.",
  "modified": "2021-03-08T16:02:43Z",
  "published": "2021-03-08T16:06:50Z",
  "categorizations": [
    {
      "@type": "VexNotAffectedVulnerabilityCategorization",
      "@id": "urn:spdx.dev:vex-cve-2020-2849",
      "status": "notAffected",
      "impact": "Our version of this package was modified and does not include code affected by cve-2020-2849.",
      "justification": "vulnerableCodeNotPresent",
      "source": "https://vex-system..."
    }
  ]
},
{
  "@type": "Relationship",
  "relationshipType": "advisory",
  "to": "urn:spdx.dev:vex-cve-2020-2849",
  "from": ["urn:npmjs.com:elliptic-6.5.3",
           "urn:npmjs.com:elliptic-6.5.3-subcomponent-1"]
}
Option A: Only use properties to link a VEX to other SPDX elements - easy for
VEX publishers and readers as everything is in 1 element
{
  "@type": "VexNotAffectedVulnerabilityCategorization",
  "@id": "urn:spdx.dev:vex-cve-2020-2849-1",
  "status": "notAffected",
  "impact": "We are not using this component",
  "justification": "componentNotPresent",
  "source": "https://vex-system...",
  "elements": {
    "product": ["urn:npmjs.com:elliptic-6.5.3"],
    "packages": ["urn:npmjs.com:elliptic-6.5.3",
                 "urn:npmjs.com:elliptic-6.5.3-subcomponent-1"],
    "files": ["urn:npmjs.com:elliptic-6.5.3-subcomponent-files-1"],
    "snippets": ["urn:npmjs.com:elliptic-6.5.3-subcomponent-snippet-1"],
    "vulnerabilities": ["urn:spdx.dev:cve-2020-2849"]
  }
}
Option B: Specific property for vulnerability, as a VEX is always connected to one
or more vulnerabilities, using relationships for linking to packages /
"products", files, snippets as they may change.
{
  "@type": "VexNotAffectedVulnerabilityCategorization",
  "@id": "urn:spdx.dev:vex-cve-2020-2849",
  "status": "notAffected",
  "impact": "Our version of this package was modified and does not include code affected by cve-2020-2849.",
  "justification": "vulnerableCodeNotPresent",
  "source": "https://vex-system...",
  "vulnerability": ["urn:spdx.dev:cve-2020-2849"]
},
{
  "@type": "Relationship",
  "relationshipType": "advisory",
  "to": "urn:spdx.dev:vex-cve-2020-2849",
  "from": ["urn:npmjs.com:elliptic-6.5.3",
           "urn:npmjs.com:elliptic-6.5.3-subcomponent-1"]
}
Option C: Feel free to propose other ways.
Warm regards,
Thomas
View/Reply Online (#5081): https://lists.spdx.org/g/Spdx-tech/message/5081
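An added example, not from Thomas's message or the SPDX project: a small Python resolver over Option B style elements (a VEX categorization linked to packages by an "advisory" Relationship) that answers a package's VEX status for one vulnerability, treating the newest creationInfo as authoritative, which is what lets a creator republish only the categorization. Element shapes follow the sketches above; a creationInfo.created on every element and the class name VexAffectedVulnerabilityCategorization are assumptions.

```python
from datetime import datetime

# Constructed sample in the Option B shape sketched in the email. creationInfo.created
# on every element is assumed (SPDX 3.0 Elements carry creationInfo); the class name
# "VexAffectedVulnerabilityCategorization" is hypothetical, mirroring the email's one.
ELEMENTS = [
    {"@type": "VexNotAffectedVulnerabilityCategorization",
     "@id": "urn:spdx.dev:vex-cve-2020-2849", "status": "notAffected",
     "justification": "vulnerableCodeNotPresent",
     "vulnerability": ["urn:spdx.dev:cve-2020-2849"],
     "creationInfo": {"created": "2023-04-01T09:00:00Z"}},
    {"@type": "Relationship", "relationshipType": "advisory",
     "to": "urn:spdx.dev:vex-cve-2020-2849", "from": ["urn:npmjs.com:elliptic-6.5.3"],
     "creationInfo": {"created": "2023-04-01T09:00:00Z"}},
    # Re-assessment: only a new VEX element and a new Relationship are published.
    {"@type": "VexAffectedVulnerabilityCategorization",
     "@id": "urn:spdx.dev:vex-cve-2020-2849-2", "status": "affected",
     "vulnerability": ["urn:spdx.dev:cve-2020-2849"],
     "creationInfo": {"created": "2023-04-12T10:00:00Z"}},
    {"@type": "Relationship", "relationshipType": "advisory",
     "to": "urn:spdx.dev:vex-cve-2020-2849-2", "from": ["urn:npmjs.com:elliptic-6.5.3"],
     "creationInfo": {"created": "2023-04-12T10:00:00Z"}},
    # Dangling link: the VEX element it points to is not in this document.
    {"@type": "Relationship", "relationshipType": "advisory",
     "to": "urn:spdx.dev:vex-missing",
     "from": ["urn:npmjs.com:elliptic-6.5.3-subcomponent-1"],
     "creationInfo": {"created": "2023-04-12T10:00:00Z"}},
]

def vex_status(elements, package_id, vuln_id):
    """Return (status, vex_id) of the newest VEX element that an 'advisory'
    Relationship links to package_id and that covers vuln_id, or None.
    Newest creationInfo wins, so a later reassessment supersedes an older claim."""
    by_id = {e["@id"]: e for e in elements if "@id" in e}
    candidates = []
    for rel in elements:
        if rel.get("@type") != "Relationship" or rel.get("relationshipType") != "advisory":
            continue
        vex = by_id.get(rel.get("to"))  # a dangling "to" yields None and is skipped
        if vex is None or package_id not in rel.get("from", []) \
                or vuln_id not in vex.get("vulnerability", []):
            continue
        created = datetime.fromisoformat(vex["creationInfo"]["created"].replace("Z", "+00:00"))
        candidates.append((created, vex))
    if not candidates:
        return None
    _, newest = max(candidates, key=lambda c: c[0])
    return newest["status"], newest["@id"]
```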