Make "cpeApplicability" structure generic. #391
Conversation
There was a problem hiding this comment.
Probably ought to bump the version number of the schema itself prior to merging this PR. Right now that would be 5.1.2 under SchemaVer (though we use . separators not - separators as SchemaVer defines).
|
Feedback from QWG meeting:
|
|
The PR has been updated to point at EDIT: The rebase is done. No fixes from the feedback have yet been incorporated, but the diff should now show the correct information and there's only one commit. |
alilleybrinker
force-pushed
the
alilleybrinker/software-id
branch
from
509c24c to
751f6c8
Compare
|
To get some conversation going here I think there are three things going on in this PR
As I recall from the QWG meeting I think everyone is philosophically onboard with point 1. Point 2 somewhat depends on the forking question in 3, so where are people on that? Perhaps we should also consider what qualities we want/need out of a software identifier so that we can weigh the pros and cons. |
|
I believe that we also should separate the addition of PURL and OmniBOR in their own distinct PRs. The thinking is that these two additions will be prioritized differently and may be released separately. I would also like to understand more regarding the intent for item 1 in Jon's comment. Maybe we can have a quick discussion in the 3/27 meeting. |
alilleybrinker
force-pushed
the
alilleybrinker/software-id
branch
from
751f6c8 to
32b212a
Compare
alilleybrinker
changed the title
This "renames" (not actually a rename, see below) the existing "cpeApplicability" structure and its children from CPE-specific names to generic names. For example, "cpeApplicability" becomes "applicability." This is intended to permit future record format updates to add support for additional kinds of software identifiers. This change itself does not add any new kinds of software identifiers. The prior "cpeApplicability" structure remains entirely supported, though CNAs and any future ADPs enriching with software ID information should be encouraged to use the more expressive new "applicability" structure instead, and use of both at the same time should be treated as an error to avoid ambiguity. Signed-off-by: Andrew Lilley Brinker <[email protected]>
alilleybrinker
force-pushed
the
alilleybrinker/software-id
branch
from
32b212a to
f5dae04
Compare
|
@darakian, you'd asked if we make the First, here's an explainer: https://groups.google.com/g/json-schema/c/PiT9ZndbcCI Second, here's what it looks like in the schema (this is done under both the The |
|
I'm happy with PURLs not containing version information, that information is best encoded into the "affectedness" version ranges whereas the PURL is for identifying which records are relevant for a product. I don't think we'd need to vendor the entire PURL spec? I think keeping things relatively open-ended in terms of values should work just fine, after all there is a strong incentive for PURL users (ie: mostly open source projects) to have their records be discoverable by downstream users. |
|
As PURL is being standardised as part of the CycloneDX TC54 process there's no need for vendoring at this point, just a dialogue with the work group that works on PURL. Philippe Ombredanne is the lead. |
Yes, we've talked with Philippe and with Steve Springett. The rough consensus from the QWG so far has been that if CVE ships support for purl, it would either need to be vendored or they'd need to wait until the ECMA standard is official. There was not much support for moving forward with purl with only a reference to the specification as it exists on |
I had a brief conversation with @ccoffin where he raised that it may not be desirable to disallow use of both |
Just to clarify this is about using both structures in the same record at the same time correct? I agree that they should be mutually exclusive structures, but maybe there's a use case I'm not considering. If so, @ccoffin can you expand on the rational for allowing both at the same time? |
The `affected` array is an array containing `product` objects, which must at minimum include an "identifier" (which may be a composite identifier composed of multiple fields) along with a set of version bounds or a default status. Products may also specify an assortment of additional fields which further constrain the applicability of the CVE to its intended target hardware or software. Previously, the set of identifiers available were: - A `vendor` and `product` - A `collectionURL` and `packageName` This commit adds support for a new identifier, called `packageURL`, which uses the purl (Package URL) specification. The contents of the commit add this as a new field on the `product` type, with a description and examples, and also update the data constraints on the `product` type, both to make `packageURL` an option to fulfill the identifier requirement already in place on the type, and to ensure that the new `packageURL` field is not mixed with the existing `collectionURL` or `packageName` fields, as they are redundant with `packageURL` and including both increases the possibility of data inconsistency within a single CVE record. This inclusion of a new `packageURL` type which can be used instead of the existing pair of `collectionURL` and `packageName` would require consumers of CVE records to update their logic both to accept the new field, and to use it in places where they may today use the pair of `collectionURL` and `packageName`. This commit does not include a regular expression to parse Package URLs specifically. Rather, it reuses the existing `uriType` schema. So we can be sure after validating CVE records against this updated record format that the `packageURL` field is a URL, but not that it is a valid Package URL per the Package URL specification. It would be the responsibility of CVE Services to further validate the field to ensure values match the Package URL specification. We do not perform this validation in-schema due to the complexity of expressing the validation in the form of a regular expression. This work is submitted as an alternative formulation of the design proposed in the draft RFD on software identifiers [1], and as an alternative to the existing proposals for making the `cpeApplicability` structure generic [2] (instead of it being CPE-specific) and enhancing this new generic applicability structure with support for Package URLs [3]. If this change is accepted, then [2] and [3] should not be accepted. [1]: CVEProject#407 [2]: CVEProject#391 [3]: CVEProject#397 Signed-off-by: Andrew Lilley Brinker <[email protected]>
The `affected` array is an array containing `product` objects, which must at minimum include an "identifier" (which may be a composite identifier composed of multiple fields) along with a set of version bounds or a default status. Products may also specify an assortment of additional fields which further constrain the applicability of the CVE to its intended target hardware or software. Previously, the set of identifiers available were: - A `vendor` and `product` - A `collectionURL` and `packageName` This commit adds support for a new pair of fields to support using OmniBOR Artifact IDs as identifiers in the `affected` array: - `artifactID`: The OmniBOR Artifact ID for an artifact. - `artifactType`: An enum indicating whether the `artifactID` is for an artifact to search in a file system for, or whether it's a build input to search against OmniBOR Input Manifests. The commit also adds data constraints to ensure this new identifier pair is not used alongside fields that don't make sense to use with OmniBOR, including the other identifier schemes, further decomposition information like `programFiles` or `programRoutines`, and version information. This work is submitted as an alternative formulation of the design proposed in the draft RFD on software identifiers [1], and as an alternative to the existing proposals for making the `cpeApplicability` structure generic [2] (instead of it being CPE-specific) and enhancing this new generic applicability structure with support for OmniBOR Artifact IDs [3]. If this change is accepted, then [2] and [3] should not be accepted. [1]: CVEProject#407 [2]: CVEProject#391 [3]: CVEProject#396 Signed-off-by: Andrew Lilley Brinker <[email protected]>
|
Closing this, as the project has opted for an approach based on the |
This "renames" (not actually a rename, see below) the existing
"cpeApplicability" structure and its children from CPE-specific names
to generic names. For example, "cpeApplicability" becomes "applicability."
This is intended to permit future record format updates to add support for
additional kinds of software identifiers. This change itself does not add
any new kinds of software identifiers.
The prior "cpeApplicability" structure remains entirely supported, though
CNAs and any future ADPs enriching with software ID information should be
encouraged to use the more expressive new "applicability" structure instead,
and use of both at the same time should be treated as an error to avoid
ambiguity.
Original message from before the PR was split into three parts.
This adds support for Package URLs and OmniBOR Artifact IDs to be embedded in CVE records by introducing a new "applicability" structure for both CNAs and ADPs. This "applicability" structure is intended to replace usage of the existing "cpeApplicability" structure added recently for CPE support. It extends the prior schema of "cpeApplicability" in a backwards-compatible way, defining new "purl_match" and "omnibor_match" structures alongside the existing "match" now renamed "cpe_match".
The prior "cpeApplicability" structure remains entirely supported, though CNAs and any future ADPs enriching with software ID information should be encouraged to use the more expressive new "applicability" structure instead, and use of both at the same time should be treated as an error to avoid ambiguity.
This also opens the possibility of introducing more software identification schemes in the future by adding new "_match" variants within the "applicability" structure.
EDIT: This previously included two commits, the first of which was a formatting of the record format JSON file by a JSON auto-formatter. This commit has been removed, and the diff is now clean and only shows the relevant semantic changes.