Mapping to CWE and CVSS #33
Conversation
|
Thanks for your great work guys! This might be a good moment to discuss if we want reference and/or how-to info to be present in the main VRT file as more new entries (some heavy) are one the way. I am not opposed to having it all in one file, but I'm curious to hear your thoughts. Potential separation into two files:
Why I am considering this solution:
|
Can you give any more context? |
|
@jcran @barnett - given the idea of adding other mappings in the future, from a design perspective, do you feel we could instead consider a mapping file that refers to the VRT ID in lieu of incorporating this into the VRT itself? It would be beneficial to keep the VRT file fairly lightweight and focused. If we have CVSS/CWE live in a mapping file it allows this separation. |
|
bump Does this need to be moved to a separate file? |
|
After talking about this internally we’ve decided creating the mapping in a separate repository will be optimal. It allows us to keep the responsibilities separated and be able to define mappings to previous VRT releases, without adjusting previous version tags. The way we see it being the easiest to work with would be a format like below: {
"sensitive_data_exposure.sensative_data_hardcoded.oauth_secret": {
"cwe": ["CWE-311"],
"cvss_base_vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
}We would then have the logic check the most specific ID, then bump up a level if no match each time. So if no variant match, and a subcategory could match, we would pull that. This allows us to ease the work if the mapping is shared across all variants so that changes to those variants don’t require changes in the mapping. One question we had, will we need to support mapping of non-current VRT versions? For example, if we had a previous VRT version, would ya need to add a new mapping to the previous version but not the latest? I assume not, but wanted to confirm. |
vulnerability-rating-taxonomy.json
Outdated
| "priority": 4, | ||
| "mapping": { | ||
| "cwe": ["AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"], | ||
| "cvss_base_vector": "CWE-451" |
There was a problem hiding this comment.
CWE and CVSS fields mismatched
vulnerability-rating-taxonomy.json
Outdated
| "type": "variant", | ||
| "priority": 4, | ||
| "mapping": { | ||
| "cwe": ["CWE-933", "CWE-524"], |
There was a problem hiding this comment.
CWE-524 should go first as a smaller number, this way we can ensure we are able to locate cwe fields with identical values. In this case there is cache_control_for_a_non_sensitive_page that has "cwe": ["CWE-524", "CWE-933"],
|
I like the idea of mapping per subcategory level if a field is shared across all variants. I believe that CWE and CVSS mappings would have to be separated for that purpose. If you look at the variants with the same CWE you will notice that CVSS fields vary. Separating CVSS and CWE mappings would also provide the advantage of mapping multiple unrelated IDs to one CWE/CVSS field. Looks like there are 169 entries total, but only 38 unique CVSS fields and 49 unique CWE fields. |
|
First of all, this looks great and thanks for all the work people have put into this. I've updated this branch to match master. I added a bunch of TODO markers for new and merged nodes. I definitely don't have the knowledge to be able to set the values, so if anyone else has time, that would be great. As for other comments in this thread, I figured I'd include my two cents.
"id": "insecure_data_storage",
"type": "category",
"children": [
{
"id": "sensitive_application_data_stored_unencrypted",
"type": "subcategory",
"mapping": {
"cwe": ["CWE-312"]
},
"children": [
{
"id": "on_external_storage",
"type": "variant",
"mapping": {
"cvss_base_vector": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
},
{
"id": "on_internal_storage",
"name": "On Internal Storage",
"type": "variant",
"priority": 5,
"mapping": {
"cvss_base_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
}
]
}
Hm. Reading that, it suggests you want to do something like: So that does save you the effort of repeating the CWE and CVSS scores but then you have to repeat the vrt ids. So it may not end up helping that much. I can be persuaded on that, but in particular for CVSS, going in that direction doesn't make a lot of sense to me. |
|
@tessereth I agree the separate repo would be a bit much. I think the main arguments for having it in a different file are
This will make for more concise diffs, especially considering the possibility of adding another mapping. Though we will of course need to add more validation. If it is in a separate file, I'd vote for the format to have the vrt_ids as the root key instead of: We could still do it without repetition in one file by adding some logic to look at parent nodes for a mapping, but I don't think that is even necessary (repetition in json feels fine 🤷♂️ ). I could be swayed either way, so leaving that decision in your hands. As for the questions on versioning, that can all be handled by the deprecated node logic as is. The |
| @@ -75,6 +75,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p | |||
| - insufficient_security_configurability.weak_password_policy.allows_password_to_be_same_as_email_username | |||
|
|
|||
| ### Changed | |||
| - adjusted schema and added a (currently optional) CWE and CVSS base score for most entries | |||
There was a problem hiding this comment.
Let's keep the changelog chronological, meaning appending changelog entries to the bottom of a particular section
| "type": "object", | ||
| "properties": { | ||
| "cwe" : { | ||
| "type" : "array", |
There was a problem hiding this comment.
Can we have this part in one line?
| } | ||
| }, | ||
| "cvss_base_vector" : { | ||
| "type": "string", |
There was a problem hiding this comment.
Can we have this part in one line?
| "mapping": { | ||
| "cwe": ["AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"], | ||
| "cvss_base_vector": "CWE-451" | ||
| } |
There was a problem hiding this comment.
CWE and CVSS fields mismatched
| "priority": 4, | ||
| "mapping": { | ||
| "cwe": ["CWE-933", "CWE-524"], | ||
| "cvss_base_vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" |
There was a problem hiding this comment.
CWE-524 should go first as a smaller number, this way we can ensure we are able to locate cwe fields with identical values. In this case there is cache_control_for_a_non_sensitive_page that has "cwe": ["CWE-524", "CWE-933"],
|
I created a new pull request #86 so I'm not completely breaking the branch here. If interested parties could have a look that would be great. |
|
Closed in favor of the implementation in #86 |
Adding a mapping for CWE and CVSS based on the work @jhaddix and team have done. Note that it looks like there may be some updates to the VRT since this work was completed (so a few left to map), and we may want to roll some of these up to the top level category vs having many variants with the same. Consider this a first pass, and in need of additional eyeballs & help!
Resolves #32