OSS vulnerability enrichment

[JafarAkhondali]

First of all, thanks for this great project 👍🏻
"We want to hear from you," so I'd like to ask about a new feature. Do you plan to improve vulnerability reports for OSS? For example, it would be nice to know what open-source project is related to the CVE (apart from CPE as the relation is indirect) + a reference with a tag that shows which commit introduced the vulnerability, and which commit fixed this vulnerability. Such data would be a huge help for ML models in finding and fixing new vulnerabilities.
Disclaimer: I worked on a research for fix commits, and I can share it if it's useful (the link is not here to prevent self-promotion)

[amanion-cisa]

Hello and thanks for the feedback. While I agree that identifying upstream open source components and cause/fix commits would be very helpful, that information is rarely available in the information we have access to when analyzing reports. And researching that information manually is expensive. So, probably out of scope for the current vulnrichment project.

Does your research automate the discovery of fix commits? This I assume? https://github.com/JafarAkhondali/Morefixes

There are discussions underway in the CVE ecosystem about how to capture and convey what I'll call "VEX-like" information: how software is affected (or not) by a vulnerability in an upstream component. If this progresses, vulnrichment might integrate VEX/upstream information in some way.

[JafarAkhondali]

Yes, that's the research. Thanks for the information! I understand. By the way, are you planning to add a link to the "POC" or "POCs" as well instead of only saying "exploitation" in SSVC ?

[todb-cisa]

Agreed that it's great feedback, but I do believe this is out of scope for the CISA-ADP, since we're pretty restricted (self-imposed and by the CVE board, jointly) on what we can add to our ADP container. That said, we can keep this open for another few days for more discussion.