chore: align vex output with CycloneDX schema (#2337)

Generate vex output that matches the bom-1.4.schema.json from CycloneDX.

Since vex formats are still in flux we can deviate from the CycloneDX
schema if needed, but so far the differences seemed mostly accidental
and it seems nice to be consistent.

Co-authored-by: Terri Oda <[email protected]>

Author: raboof

cve_bin_tool/input_engine.py

@@ -82,6 +82,14 @@ def validate_product(self, product: str) -> bool:
         return re.search(cpe_regex, product) is not None
 
     def input_vex(self) -> None:
+        def strip_remark(detail) -> str:
+            detail = re.sub("^" + Remarks.NewFound.name + "(: )?", "", detail)
+            detail = re.sub("^" + Remarks.Unexplored.name + "(: )?", "", detail)
+            detail = re.sub("^" + Remarks.Confirmed.name + "(: )?", "", detail)
+            detail = re.sub("^" + Remarks.Mitigated.name + "(: )?", "", detail)
+            detail = re.sub("^" + Remarks.Ignored.name + "(: )?", "", detail)
+            return detail
+
         analysis_state = {
             "under_review": Remarks.Unexplored,
             "in_triage": Remarks.Unexplored,
@@ -98,11 +106,11 @@ def input_vex(self) -> None:
                     state = Remarks.Unexplored
                     if analysis_status in analysis_state:
                         state = analysis_state[analysis_status]
-                    comments = vulnerability["analysis"]["detail"]
+                    comments = strip_remark(vulnerability["analysis"]["detail"])
                     severity = None
                     if "ratings" in vulnerability:
                         for rating in vulnerability["ratings"]:
-                            severity = rating["severity"]
+                            severity = rating["severity"].upper()
                     for affect in vulnerability["affects"]:
                         ref = affect["ref"]
                         version = None

cve_bin_tool/output_engine/__init__.py

@@ -631,18 +631,18 @@ def output_cves(self, outfile, output_type="console"):
 
     def generate_vex(self, all_cve_data: dict[ProductInfo, CVEData], filename: str):
         analysis_state = {
-            Remarks.NewFound: "under_review",
-            Remarks.Unexplored: "under_review",
+            Remarks.NewFound: "in_triage",
+            Remarks.Unexplored: "in_triage",
             Remarks.Confirmed: "exploitable",
             Remarks.Mitigated: "not_affected",
             Remarks.Ignored: "not_affected",
         }
         response_state = {
-            Remarks.NewFound: "Outstanding",
-            Remarks.Unexplored: "Not defined",
-            Remarks.Confirmed: "Upgrade required",
-            Remarks.Mitigated: "Resolved",
-            Remarks.Ignored: "No impact",
+            Remarks.NewFound: [],
+            Remarks.Unexplored: [],
+            Remarks.Confirmed: ["update"],
+            Remarks.Mitigated: [],
+            Remarks.Ignored: [],
         }
         # Generate VEX file
         vex_output = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1}
@@ -676,8 +676,8 @@ def generate_vex(self, all_cve_data: dict[ProductInfo, CVEData], filename: str):
                             "name": "NVD",
                             "url": "https://nvd.nist.gov/vuln-metrics/cvss/" + url,
                         },
-                        "score": str(cve.score),
-                        "severity": cve.severity,
+                        "score": cve.score,
+                        "severity": cve.severity.lower(),
                         "method": "CVSSv" + str(cve.cvss_version),
                         "vector": cve.cvss_vector,
                     }
@@ -690,11 +690,15 @@ def generate_vex(self, all_cve_data: dict[ProductInfo, CVEData], filename: str):
                 vulnerability["created"] = "NOT_KNOWN"
                 vulnerability["published"] = "NOT_KNOWN"
                 vulnerability["updated"] = "NOT_KNOWN"
+                detail = (
+                    cve.remarks.name + ": " + cve.comments
+                    if cve.comments
+                    else cve.remarks.name
+                )
                 analysis = {
                     "state": analysis_state[cve.remarks],
                     "response": response_state[cve.remarks],
-                    "justification": "",
-                    "detail": cve.comments,
+                    "detail": detail,
                 }
                 vulnerability["analysis"] = analysis
                 bom_urn = "NOTKNOWN"

test/test_input_engine.py

@@ -148,6 +148,7 @@ def test_valid_file(self, filepath, parsed_data):
         "filepath, parsed_data",
         (
             (str(VEX_PATH / "test_triage.vex"), VEX_TRIAGE_DATA),
+            (str(VEX_PATH / "test_triage_cyclonedx.vex"), VEX_TRIAGE_DATA),
             (str(VEX_PATH / "bad.vex"), defaultdict(dict)),
         ),
     )

test/test_output_engine.py

@@ -13,13 +13,17 @@
 from datetime import datetime
 from pathlib import Path
 
+import requests
+from jsonschema import validate
 from rich.console import Console
 
 from cve_bin_tool.output_engine import OutputEngine, output_csv, output_json, output_pdf
 from cve_bin_tool.output_engine.console import output_console
 from cve_bin_tool.output_engine.util import format_output
 from cve_bin_tool.util import CVE, CVEData, ProductInfo, VersionInfo
 
+VEX_SCHEMA = "https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.4.schema.json"
+
 
 class TestOutputEngine(unittest.TestCase):
     """Test the OutputEngine class functions"""
@@ -616,8 +620,8 @@ class TestOutputEngine(unittest.TestCase):
                                 "name": "NVD",
                                 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-1234-1234&vector=C:H&version=2.0",
                             },
-                            "score": "4.2",
-                            "severity": "MEDIUM",
+                            "score": 4.2,
+                            "severity": "medium",
                             "method": "CVSSv2",
                             "vector": "C:H",
                         }
@@ -630,10 +634,9 @@ class TestOutputEngine(unittest.TestCase):
                     "published": "NOT_KNOWN",
                     "updated": "NOT_KNOWN",
                     "analysis": {
-                        "state": "under_review",
-                        "response": "Outstanding",
-                        "justification": "",
-                        "detail": "",
+                        "state": "in_triage",
+                        "response": [],
+                        "detail": "NewFound",
                     },
                     "affects": [{"ref": "urn:cdx:NOTKNOWN/1#product0-1.0"}],
                 },
@@ -649,8 +652,8 @@ class TestOutputEngine(unittest.TestCase):
                                 "name": "NVD",
                                 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-1234-1234&vector=CVSS2.0/C:H&version=2.0",
                             },
-                            "score": "1.2",
-                            "severity": "LOW",
+                            "score": 1.2,
+                            "severity": "low",
                             "method": "CVSSv2",
                             "vector": "CVSS2.0/C:H",
                         }
@@ -663,10 +666,9 @@ class TestOutputEngine(unittest.TestCase):
                     "published": "NOT_KNOWN",
                     "updated": "NOT_KNOWN",
                     "analysis": {
-                        "state": "under_review",
-                        "response": "Outstanding",
-                        "justification": "",
-                        "detail": "",
+                        "state": "in_triage",
+                        "response": [],
+                        "detail": "NewFound",
                     },
                     "affects": [{"ref": "urn:cdx:NOTKNOWN/1#product0-1.0"}],
                 },
@@ -682,8 +684,8 @@ class TestOutputEngine(unittest.TestCase):
                                 "name": "NVD",
                                 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-1234-1234&vector=CVSS3.0/C:H/I:L/A:M&version=3.1",
                             },
-                            "score": "2.5",
-                            "severity": "LOW",
+                            "score": 2.5,
+                            "severity": "low",
                             "method": "CVSSv3",
                             "vector": "CVSS3.0/C:H/I:L/A:M",
                         }
@@ -696,10 +698,9 @@ class TestOutputEngine(unittest.TestCase):
                     "published": "NOT_KNOWN",
                     "updated": "NOT_KNOWN",
                     "analysis": {
-                        "state": "under_review",
-                        "response": "Outstanding",
-                        "justification": "",
-                        "detail": "",
+                        "state": "in_triage",
+                        "response": [],
+                        "detail": "NewFound",
                     },
                     "affects": [{"ref": "urn:cdx:NOTKNOWN/1#product0-2.8.6"}],
                 },
@@ -715,8 +716,8 @@ class TestOutputEngine(unittest.TestCase):
                                 "name": "NVD",
                                 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-1234-1234&vector=C:H/I:L/A:M&version=2.0",
                             },
-                            "score": "7.5",
-                            "severity": "HIGH",
+                            "score": 7.5,
+                            "severity": "high",
                             "method": "CVSSv2",
                             "vector": "C:H/I:L/A:M",
                         }
@@ -729,10 +730,9 @@ class TestOutputEngine(unittest.TestCase):
                     "published": "NOT_KNOWN",
                     "updated": "NOT_KNOWN",
                     "analysis": {
-                        "state": "under_review",
-                        "response": "Outstanding",
-                        "justification": "",
-                        "detail": "",
+                        "state": "in_triage",
+                        "response": [],
+                        "detail": "NewFound",
                     },
                     "affects": [{"ref": "urn:cdx:NOTKNOWN/1#product1-3.2.1.0"}],
                 },
@@ -783,7 +783,10 @@ def test_output_vex(self):
         """Test creating VEX formatted file"""
         self.output_engine.generate_vex(self.MOCK_OUTPUT, "test.vex")
         with open("test.vex") as f:
-            self.assertEqual(json.load(f), self.VEX_FORMATTED_OUTPUT[0])
+            vex_json = json.load(f)
+            SCHEMA = requests.get(VEX_SCHEMA).json()
+            validate(vex_json, SCHEMA)
+            self.assertEqual(vex_json, self.VEX_FORMATTED_OUTPUT[0])
         Path("test.vex").unlink()
 
     @unittest.skipUnless(

test/vex/test_triage_cyclonedx.vex

@@ -0,0 +1,117 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "version": 1,
+  "vulnerabilities": [
+    {
+      "id": "CVE-2018-19664",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19664"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-19664&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
+          },
+          "score": 10,
+          "severity": "critical",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [],
+      "description": "Some description from the CVE",
+      "recommendation": "",
+      "advisories": [],
+      "created": "NOT_KNOWN",
+      "published": "NOT_KNOWN",
+      "updated": "NOT_KNOWN",
+      "analysis": {
+        "state": "exploitable",
+        "response": [ ],
+        "detail": "NewFound: High priority need to resolve fast"
+      },
+      "affects": [
+        {
+          "ref": "urn:cdx:NOTKNOWN/1#libjpeg-turbo-2.0.1"
+        }
+      ]
+    },
+    {
+      "id": "CVE-2021-1234",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1234"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-1234&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
+          },
+          "score": 7.5,
+          "severity": "high",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [],
+      "description": "Some description from the CVE",
+      "recommendation": "",
+      "advisories": [],
+      "created": "NOT_KNOWN",
+      "published": "NOT_KNOWN",
+      "updated": "NOT_KNOWN",
+      "analysis": {
+        "state": "in_triage",
+        "response": [ ],
+        "detail": "NewFound"
+      },
+      "affects": [
+        {
+          "ref": "urn:cdx:NOTKNOWN/1#glibc-2.33"
+        }
+      ]
+    },
+    {
+      "id": "CVE-2099-9999",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2099-9999"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-1234&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
+          },
+          "score": 7.5,
+          "severity": "high",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [],
+      "description": "Some description from the CVE",
+      "recommendation": "",
+      "advisories": [],
+      "created": "NOT_KNOWN",
+      "published": "NOT_KNOWN",
+      "updated": "NOT_KNOWN",
+      "analysis": {
+        "state": "not_affected",
+        "response": [ ],
+        "detail": "NewFound"
+      },
+      "affects": [
+        {
+          "ref": "log4j-2.14"
+        }
+      ]
+    }
+  ]
+}
+
+