Added workarounds to vulnerability spec

stevespringett · stevespringett · commit 8d608985493d · 2023-03-26T10:41:25.000-05:00
Signed-off-by: Steve Springett &lt;steve@springett.us&gt;
diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
@@ -606,6 +606,8 @@ message Vulnerability {
   optional google.protobuf.Timestamp rejected = 19;
   // Evidence used to reproduce the vulnerability.
   optional ProofOfConcept proofOfConcept = 20;
+  // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.
+  optional string workaround = 21;
 }
 
 message ProofOfConcept {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
@@ -1672,9 +1672,14 @@
         },
         "recommendation": {
           "type": "string",
-          "title": "Details",
+          "title": "Recommendation",
           "description": "Recommendations of how the vulnerability can be remediated or mitigated."
         },
+        "workaround": {
+          "type": "string",
+          "title": "Workarounds",
+          "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments."
+        },
         "proofOfConcept": {
           "type": "object",
           "title": "Proof of Concept",
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
@@ -2102,6 +2102,11 @@ limitations under the License.
                     <xs:documentation>Recommendations of how the vulnerability can be remediated or mitigated.</xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="workaround" type="xs:string" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.</xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="proofOfConcept" minOccurs="0" maxOccurs="1">
                 <xs:complexType>
                     <xs:annotation>
diff --git a/tools/src/test/resources/1.5/valid-vulnerability-1.5.json b/tools/src/test/resources/1.5/valid-vulnerability-1.5.json
@@ -50,6 +50,7 @@
       "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
       "detail": "",
       "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
+      "workaround": "Describe the workarounds here",
       "proofOfConcept": {
         "reproductionSteps": "Precise steps to reproduce go here",
         "environment": "Describe the environment",
diff --git a/tools/src/test/resources/1.5/valid-vulnerability-1.5.textproto b/tools/src/test/resources/1.5/valid-vulnerability-1.5.textproto
@@ -1,6 +1,3 @@
-# proto-file: bom-1.5.proto
-# proto-message: Bom
-
 spec_version: "1.5"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
@@ -142,4 +139,5 @@ vulnerabilities {
     name: "Bar"
     value: "Foo"
   }
+  workaround: "Describe the workarounds here"
 }
diff --git a/tools/src/test/resources/1.5/valid-vulnerability-1.5.xml b/tools/src/test/resources/1.5/valid-vulnerability-1.5.xml
@@ -51,6 +51,7 @@
             <description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</description>
             <detail></detail>
             <recommendation>Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.</recommendation>
+            <workaround>Describe the workarounds here</workaround>
             <proofOfConcept>
                 <reproductionSteps>Precise steps to reproduce go here</reproductionSteps>
                 <environment>Describe the environment</environment>

Original file line number	Diff line number	Diff line change
`@@ -606,6 +606,8 @@ message Vulnerability {`
`606`	`606`	`optional google.protobuf.Timestamp rejected = 19;`
`607`	`607`	`// Evidence used to reproduce the vulnerability.`
`608`	`608`	`optional ProofOfConcept proofOfConcept = 20;`
	`609`	`+ // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.`
	`610`	`+ optional string workaround = 21;`
`609`	`611`	`}`
`610`	`612`
`611`	`613`	`message ProofOfConcept {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,3 @@`
`1`		`-# proto-file: bom-1.5.proto`
`2`		`-# proto-message: Bom`
`3`		`-`
`4`	`1`	`spec_version: "1.5"`
`5`	`2`	`version: 1`
`6`	`3`	`serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"`
`@@ -142,4 +139,5 @@ vulnerabilities {`
`142`	`139`	`name: "Bar"`
`143`	`140`	`value: "Foo"`
`144`	`141`	`}`
	`142`	`+ workaround: "Describe the workarounds here"`
`145`	`143`	`}`