Support CycloneDX Vulnerability Exploitability Exchange (VEX) report

[VinodAnandan]

The known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.

• VEX information can be represented inside an existing BOM, or in a dedicated VEX BOM
• Supports known and unknown vulnerabilities against components and services
• Communicates the vulnerability details, exploitability, and detailed analysis

More information :

https://cyclonedx.org/capabilities/vex/#vulnerability-exploitability-exchange-vex
https://github.com/CycloneDX/bom-examples/tree/master/VEX

Cc: @stevespringett

[henrikplate]

Hello @VinodAnandan, Do you suggest an extension or new feature of Steady to generate VEX BOMs for scanned applications, to reflect the results of Steady's static or dynamic reachability analysis? Say Steady takes as input an existing CycloneDX BOM, e.g., produced by CycloneDX' plugin, and enriches this information with regard to the reachability of contained vulnerable code.

[VinodAnandan]

Hi @henrikplate. I was proposing the use case where Steady will be a SBOM+VEX producer.

CycloneDX will enable the exchange of the component information and vulnerability information in a standardized way. CycloneDX is already adopted by several tools ( https://cyclonedx.org/tool-center/ ) including OWASP Dependency Track. If "steady" can provide the VEX information along with BOM in a CycloneDX format ( https://github.com/CycloneDX/cyclonedx-core-java ) ,it can be used with other tools which support CyloneDX. The OWASP Dependency Track project consumes and produces CycloneDX SBOM and VEX ( https://docs.dependencytrack.org/ ) .

[staedy]

Hello dite moi ? quoi faire en Frencais Please thank staedy@outlook.fr

[prabhu]

@henrikplate With the CycloneDX 1.5 specification, it is possible to set component and call-stack evidence in the generated document. cdxgen makes good use of these attributes with the evinse command.

Below are some links for your reference:

https://cyclonedx.org/docs/1.5/json/#components_items_evidence_occurrences
https://github.com/CycloneDX/cdxgen
https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md#evinse-mode

cdxgen generates the evidence using static analysis with a tool called atom.
https://github.com/AppThreat/atom

Supporting evidences with steady would help end users consolidate information from the static and runtime tools. Please consider this request by integrating with CycloneDX and help improve the specification.