CRAVEX: Vulnerability exploitability: Reachability integration #103
Comments
|
A reachable vulnerability has a path from your code to the root cause of a vulnerability. Gauge risk by identifying whether a function related to the vulnerability is being called by your application, raising the chances of that vulnerability being exploitable in the context of your application. |
|
A "reachability ranking" appears to be relevant to product or other first-party code ("your code") and applies to that usage context. |
|
Here is my take: A definition of reachabilityfrom https://owasp.org/www-chapter-los-angeles/assets/prez/OWASPLA_prez_2024_03-1.pdf
Minimal designIn this context there are tools that can determine if a vulnerable piece of code is effectively used and reached in some way. The goal of this issue is to provide a way to track this information. For a simple start, we could have a trib-oolean field at the intersection of product packages and vulnerability that state if a this vulnerability is reachable or not reachable, or this fact is not known. Bonus if we have an extra field that explain how this was determined. We are going to provide a minimal UI to update the data in these new fields, so that a user can do this. And a way through the API to update the data so we can offer an entry point for tools to contribute their results And finally, this reachability should also influence the ranking of vulnerabilities in a product as detailed in: |
@DennisClark Could you review this design and provide name and help for those new fields so I can get started on the implementation. Thanks! |
|
@tdruez and @pombredanne I think we actually already cover the functionality described here in the ability to edit the Analysis of a product package vulnerability. I don't think we need to introduce anything completely new and we can declare this functionality covered by the Analysis fields. See example screenshot. 
|
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
…103 Signed-off-by: tdruez <[email protected]>
* Add `is_reachable` field on the VulnerabilityAnalysis model #103 Signed-off-by: tdruez <[email protected]> * Add support for "unknown" in the is_reachable filter #103 Signed-off-by: tdruez <[email protected]> * Add a VulnerabilityAnalysis REST API endpoint #103 Signed-off-by: tdruez <[email protected]> * Move the VulnerabilityAnalysisViewSet in the vulnerabilities module #103 Signed-off-by: tdruez <[email protected]> * Add unit tests for the VulnerabilityAnalysis API endpoint #103 Signed-off-by: tdruez <[email protected]> * Add unit test for patch method on VulnerabilityAnalysis API endpoint #103 Signed-off-by: tdruez <[email protected]> --------- Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
|
Implemented in #206 (comment) Changes:
|
pombredanne
moved this from Todo
to Done
in CRAVEX moved to https://github.com/orgs/aboutcode-org/projects/8
Create models and design API to integrate external tool's reachability analysis results inform vulnerability ranking
See also:
The text was updated successfully, but these errors were encountered: