-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vulnerability attestation: ITE-9 specification #268
Conversation
Signed-off-by: Hector Fernandez <[email protected]>
spec/predicates/vuln.md
Outdated
|
||
> The timestamp of when the vulnerability DB was updated last time. | ||
|
||
**scanner.result** object |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this is the most important, we should have a set struct that people should follow. For example, a field to specify vulnerabilityIDs and such.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed.
I'd probably expect a list of vulnerability identifiers coupled with severity. If you'd like to allow scanners to add additional custom information perhaps let them add annotations?
E.g.
scanner.result = [{"id": "CVE-123", "severity": "medium", "annotations": { "cvss_score": 5.2 }}, {...}]
I could see having different lists for CVEs vs OSV results?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It sounds good to me 👍🏻 !
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TomHennen @pxp928 This suggestion makes sense to me. But I wanted to stay away from the defined format to represent the results at least for now. Users may prefer to use SARIF,or any other custom JSON format to set the results of the scan. I'd say a second iteration should define the format of this result
struct.
wdyt ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO the real value from predicates is having the predicates be well defined so that consumers know how to use it. Without result being well defined I don't think there's much value. Perhaps I'm missing something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TomHennen Sure! I highlighted it on the Purpose
section. My initial goal was to define the metadata around the results which could help to exchange these attestations without having to solve the problem of which format to use when sharing the results of a vulnerability scan by any scanner.
However I am happy to move on defining a structure for the result's section if we feel we are ready to come to an agreement. cc @znewman01
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @hectorj2f, yes we should define a starting structure for the results for an initial release that we can iterate on if needed. For example, having a list of vulnerabilityIDs might be a start. Not sure if we want to include this but we could also have severity:
{
"severity": [ {
"type": string,
"score": string
} ]
}
similar to the osv implementation: https://ossf.github.io/osv-schema/#severity-field
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sgtm! I'll add these suggestions.
spec/predicates/vuln.md
Outdated
|
||
The in-toto [attestation] framework and a [Vulnerability scanner tool]. | ||
|
||
## Use Cases |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: for some reason Markdown doesn't seem to identify this as a header?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
having a look at this!
spec/predicates/vuln.md
Outdated
## Use Cases | ||
|
||
When sharing the results of a vulnerability scan using an attestation, there is certain metadata that is crucial to trust and reuse this information. | ||
Information about the scanner used during the scanning is relevant to trust these resuls. The state of the vulnerability database used to search for vulnerabilities defines the accuracy of the results. Other metadata information such as the timestamp when the scan finished could define the reusability of these results. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: resuls -> results
spec/predicates/vuln.md
Outdated
|
||
> The timestamp of when the vulnerability DB was updated last time. | ||
|
||
**scanner.result** object |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed.
I'd probably expect a list of vulnerability identifiers coupled with severity. If you'd like to allow scanners to add additional custom information perhaps let them add annotations?
E.g.
scanner.result = [{"id": "CVE-123", "severity": "medium", "annotations": { "cvss_score": 5.2 }}, {...}]
I could see having different lists for CVEs vs OSV results?
@hectorj2f can you talk about what the benefits of this attestation format vs wrapping SARIF in an in-toto statement? |
@colek42 Without going into details of defining a specific output format here (e.g. Sarif) for the scanner results, the main purpose consists on defining a set of metadata fields to exchange these attestations without having to worry about which output format was used by the scanner to share the results here. These metadata fields will help anyone consuming these attestations to know things about the used scanner, the state of the database and other values. It is more of a standarization of a set of fields that could help to exchange and trust the results from these attestations. For instance, if I get a vulnerability attestation but I know the vulnerability database used by this scanner hasn't been updated since months. I'll discard these results. Other aspects, such as the version/source of the scanner can represent for certain customers and reason to ignore these attestations. However if I now focus on the benefits of a different format versus Sarif. I'd say Sarif is a language conceived to render data in a GUI and consequently it ignores additional data that you can only get from custom output formats (e.g. grype json or trivy json output formats). In addition to that, the sarif specification is massive because it is used to render all kind of scanning results (not just vulnerability scanning). |
@hectorj2f thank you. That makes complete sense. |
Signed-off-by: Hector Fernandez <[email protected]>
7baf38a
to
69d51fc
Compare
Signed-off-by: Hector Fernandez <[email protected]>
@marcelamelara Thanks for the review. I've addressed your comments. Could you have another look :) ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! This looks good for an initial release. Thanks @hectorj2f!
@hectorj2f do you think you could add a proto definition for this predicate in https://github.com/in-toto/attestation/tree/main/protos/in_toto_attestation/predicates? |
@adityasaky Sure. Would it be okay to add it as part of a separate PR ? |
Sure, I think that's fine. |
@TomHennen Could you have another look at this PR ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for making this changes, this is looking good!
bb378fc
to
1defc95
Compare
@TomHennen Thanks for the review, I addressed your comments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the changes, just a couple minor things to cleanup.
1defc95
to
3f8160a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Just one minor comment.
Signed-off-by: Hector Fernandez <[email protected]>
3f8160a
to
3caded8
Compare
Thanks for working through this Hector! |
Thanks to everyone for the reviews 🎉 ! |
As a continuation of the discussion initiated in #58 and the Slack thread, I decided to propose a vulnerability scan-specific in-toto predicate.
This ITE-9 document describes a vulnerability predicate type to represent vulnerability reports from the scanners in an "exportable" manner and independently of the format chosen to output the scanning results.
Note that, the fields proposed for this new predicate type are inspired by the cosign specification for the vulnerability attestations.