Add CVSS mapping #86
Add CVSS mapping #86
Conversation
| @@ -0,0 +1,2 @@ | |||
| *.pyc | |||
There was a problem hiding this comment.
the sys.dont_write_bytecode = True is supposed to keep these out. did that not work?
There was a problem hiding this comment.
Hm. I moved that line into main() because it looked silly in the imports and I didn't know what it did. But apparently it needs to be before the import of validate_deprecated_mapping to stop it generating validate_deprecated_mapping.pyc. Is there any particular reason to suppress generating .pyc files other than cluttering up the directory? Because I would assume there are (minor) performance benefits from keeping them.
There was a problem hiding this comment.
ya good point, better to just delete that line.
tessereth
force-pushed
the
add-cvss-mapping
branch
from
6f2695b to
9e604c5
Compare
tessereth
force-pushed
the
add-cvss-mapping
branch
from
9e604c5 to
78d8fdd
Compare
validate_vrt.py
Outdated
| @@ -2,6 +2,7 @@ | |||
| import json | |||
| import jsonschema | |||
| import sys | |||
| # Don't create *.pyc files | |||
| sys.dont_write_bytecode = True | |||
There was a problem hiding this comment.
Are we removing this? I don't recall if it had something to do with the build process or if its just better solved by the gitignore.
There was a problem hiding this comment.
Oh right. Gone now.
| { | ||
| "metadata": { | ||
| "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" | ||
| }, |
There was a problem hiding this comment.
what do you think about putting the version in the metadata instead of the filename?
There was a problem hiding this comment.
But what happens if we ever decide to add cvss v2 or a theoretical cvss v4? Having a file cvss.json with metadata.{cvss_}version = 3.0 would make that harder. Not that I think those are likely anytime soon but I'd rather not block it if it's easily avoided.
There was a problem hiding this comment.
I could be misunderstanding the situation, but I was thinking of treating it the same way we do with the vrt json. Since no single version of vrt will have mappings to multiple versions of cvss, when a new cvss version comes out we would need to create a new version of the vrt to include the updated mapping. All nodes from previous vrt versions will always map to the latest cvss version through the deprecated node mapping.
@barnett or @plr0man may have more insight on the intended use?
There was a problem hiding this comment.
another idea could be to only have the latest_version in the metadata and mappings to different versions as keys in the json like:
{
"id": "server_security_misconfiguration",
"children": [
{
"id": "unsafe_cross_origin_resource_sharing",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"cvss_v4": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
}
]
}
There was a problem hiding this comment.
I think the default CVSS version is more a matter of customers' preference. If CVSS v4 ever comes out we would still be using CVSS v3 by default, until we would see most of our customers switch over to v4, which might or might not happen. If we had customers that prefer v2, we might consider adding that mapping too.
There was a problem hiding this comment.
Ah ok. I didn't realize that we'd be maintaining multiple cvss mappings simultaneously. Good to know.
README.md
Outdated
| @@ -105,6 +105,46 @@ _2 nodes being collapsed into 1_ | |||
| } | |||
| ``` | |||
|
|
|||
| ### Mapping to other systems | |||
|
What do you think of adding validation that the mapping is declared at the highest possible level? i.e. if child nodes share a mapping it is only declared on the parent. |
I'm not sure. I thought about it, but then I was looking at some nodes with only one child and it seemed better from a readability point of view to include the child. @plr0man as someone actually editing these files, would you find it useful to be alerted if all children have the same value or just annoying that you're forced to move things up a tier when you don't want to? |
This is true. I was merely thinking from a consistency point of view it would be better to either declare them all at the highest possible level or at every leaf node. Since I'm not the one who will primarily be maintaining it, I'm happy to go with whatever you or @plr0man think works best. |
|
From my perspective flexibility when all children share the same mapping is best |
mappings/cvss_v3.schema.json
Outdated
| { | ||
| "$schema": "http://json-schema.org/draft-04/schema#", | ||
| "title": "Vulnerability Rating Taxonomy", | ||
| "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating", |
There was a problem hiding this comment.
Do we want to update the title and description?
mappings/cvss_v3.schema.json
Outdated
| "required": ["default"] | ||
| }, | ||
| "VRTid": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" }, | ||
| "CVSSv3": { "type": "string", "pattern": "^AV:./AC:./PR:./UI:./S:./C:./I:./A:.$" }, |
There was a problem hiding this comment.
How about "^AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]$"?
|
So I added a new node and still got |
|
Ah, yeah. It only checks that all leaf nodes have mappings and because the node you added has a It does fail validation. I'm pretty sure you have to have at least one children, so I might update As for whether we should have mappings for internal nodes... I assume given they don't have a priority, not having a cvss mapping is reasonable. |
|
Yeah, that error message a problem with the jsonschema library we use to do that validation. Not a lot we can do about it. |
There was a problem hiding this comment.
Thank you @tessereth for putting so much thought and effort into it. @adamrdavid great thanks to you too for overlooking every step of the implementation. You guys crushed it and made sure none of SecOps requests were left unanswered! And this is not just CVSS, we broke ground for any future mappings.
This PR continues the work started in #33. After the conversation there, I decided to add the mapping to a separate file and given how much that changes things, I thought I'd make it a new PR. Also noting we're not planning on using CWE right away, this only adds CVSS for simplicity. But we should be able to add CWE later without too much hassle. My assumption is, any additional mappings would be added as a separate file in the
mappingsdirectory.cvss_v3.json(and possible other mapping files to come later) has the following properties:cvss_v3attribute can be specified at any depth. The most specific value will be used.cvss_v3is provided on a parent node, thechildrenattribute does not need to be provided and if it is, not all children are required. Only includechildrenwhere you need to override the mapped value.This also updates
validate_vrt.pyto check that:cvss_v3.jsonmatches its schema fileTODO