Rework VulnerabilityResolutionReason for CRA / DORA requirements
#10886
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -40,6 +40,7 @@ enum class VulnerabilityResolutionReason { | |
| * The code in which the vulnerability was found is neither invoked in the project's code nor indirectly | ||
| * via another open source component. | ||
| */ | ||
| @Deprecated("Use NOT_EXPLOITABLE_VULNERABILITY instead", replaceWith = ReplaceWith("NOT_EXPLOITABLE_VULNERABILITY")) | ||
| INEFFECTIVE_VULNERABILITY, | ||
|
|
||
| /** | ||
|
|
@@ -60,6 +61,12 @@ enum class VulnerabilityResolutionReason { | |
| */ | ||
| NOT_A_VULNERABILITY, | ||
|
|
||
| /** | ||
| * The vulnerability exists in a component, but is not exploitable due to the product's specific architecture or | ||
| * configuration. | ||
| */ | ||
| NOT_EXPLOITABLE_VULNERABILITY, | ||
|
||
|
|
||
| /** | ||
| * The vulnerability is acknowledged, but a conscious, documented decision is made to not apply a fix or mitigation. | ||
| */ | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at 1, I propose to name it
NOT_AFFECTED*.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@willebra please comment.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the VEX status document describes primarily vulnerability handling statuses (AFFECTED, UNDER INVESTIGATION), but then has a bit of reasons for why to resolve these (FIXED, NOT AFFECTED). I believe the rationale in VulnerabilityResolutionReason in ORT is about providing a justification for why a vulnerability was resolved. It should not be mixed with handling status. As it provides justifications, and those are valuable parts in proving proper handling of vulnerabilities, this should be more detailed than just on the level of "Fixed" and "Not affected".
As to the
NOT_EXPLOITABLE_VULNERABILITYis directly following from EU regulations, where the obligation to address vulnerabilities is tied to the vulnerability being exploitable. Therefore a resolution reason "not_exploitable" clearly ties the decision to these requirements, making it easy for the users to understand what it means, and align in their internal policies with that - since the same docs need to be also aligned with regulations. The EU regulations have not invented this concept, so it is also being used in U.S. CISA's Known Exploited Vulnerabilities and in the Exploit Prediction Scoring System (EPSS). The VEX status document clearly also revolves around the concept of exploitability, so this term is not foreign there either. Possibly NOT_EXPLOITABLE is equal with NOT AFFECTED, but I haven't investigated the VEX status document in detail.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fviernau @willebra My first thoughts we similar to Frank to align VulnerabilityResolutionReason closes to VEX enums but as you correctly pointed out VEX is status and our resolution is about the why a vulnerability finding was resolved. This use case is what is vulnerability-analysis's justification in CycloneDX.
Question is do we align with what CycloneDX or CSAF have or do we go our own way? My thinking was that vulnerability resolutions need to be translatable to SBOM so one can in a machine readable standard inform customers why a vulnerability finding / CVE is not applicable. Would like to see a mapping from ORT to CycloneDX/CSAF vulnerability impact justifications.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These justifications seem to be for triage-results? I.e. not the final result how the issue was fixed, but the potential result of a triage? All of these seem detailed justifications that fall under
NOT_EXPLOITABLE_VULNERABILITY. Logically, these should be exit points from the vulnerability management process, and if none can apply, then actual fixing/remediating should occur? What is missing here are the different flavous of "this should be fixed" or "this was fixed", but that is understandable, it these are just exit-points.This is why we would need end results when fixing/remediating was necessary:
FIXED_VULNERABILITYWORKAROUND_FOR_VULNERABILITY,MITIGATED_VULNERABILITY. (In VulnerabilityResolutionReason we don't follow the statuses, just the end-results, so therefore the "this should be fixed" does not belong here.)(By the way, the more CRA/ISO27001/WG9 way to say fixed, would be
REMEDIATED_VULNERABILITYinstead ofFIXED_VULNERABILITY.)I'm following/participating in the work of CEN/CENELEC in JT13, WG9, which is creating the standard for vulnerability handling on the assignment of the EU Comission. That will be the foundational standard for the EU CRA vulnerability handling. The justifications proposed in this PR derive from the CRA, but the standards work is still going forward. It seems to remain at the same high level as the current ORT enums and the proposed ORT enums, so the current PR is okay from this perspective.
The standard text has six steps:
Anyhow, it would be good to satisfy as many schemes for vulnerability handling as possible, i.e. being CycloneDX "compatible" and CRA "compatible". That can be done in code or in process. We need the highest level at least in code. And then when going to detailed reasons, they can be either code - if reasonable - or comments/process. E.g. the current PR's list of enums could be nicely used with the list from CycloneDX, by applying
NOT_EXPLOITABLE_VULNERABILITY, and then writing the more specific CycloneDX-justification there as a comment, possibly using the MITIGATED_VULNERABILITY. The high level in this PR seems therefore already aligned with CycloneDX, and then also the other high-level enums are covered, which the highlighed part of the CycloneDX-doc does not cover (they are likely elsewhere there?).