From 498d73b5dc4af8814aa29db658a9909f171413e1 Mon Sep 17 00:00:00 2001 
From: gscanniello <133205298+gscanniello@users.noreply.github.com> Date: Thu, 10 Oct 2024 16:46:39 +0200 Subject: [PATCH] add VEX file with vulnerabilities information to SBOM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dear project owners, We are a group of researchers investigating the usefulness of augmenting Software Bills of Materials (SBOMs) with information about known vulnerabilities of third-party dependencies. As claimed in previous interview-based studies, a major limitation—according to software practitioners—of existing SBOMs is the lack of information about known vulnerabilities. For this reason, we would like to investigate how augmented SBOMs are received in open-source projects. To this aim, we have identified popular open-source repositories on GitHub that provided SBOMs, statically detected vulnerabilities on their dependencies in the OSV database, and, based on its output, we have augmented your repository’s SBOM by leveraging the OpenVEX implementation of the Vulnerability Exploitability eXchange (VEX). The JSON file in this pull request consists of statements each indicating i) the software products (i.e., dependencies) that may be affected by a vulnerability. These are linked to the SBOM components through the @id field in their Persistent uniform resource locator (pURL); ii) a CVE affecting the product; iii) an impact status defined by VEX. By default, all statements have status `under_investigation` as it is not yet known whether these product versions are actually affected by the vulnerability. After investigating the vulnerability, further statuses can be `affected`, `not_affected`, `fixed`. It is possible to motivate the new status in a `justification` field (see https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf for more information). We open this pull request containing a VEX file related to the SBOM of your project, and hope it will be considered. 
We would also like to hear your opinion on the usefulness (or not) of this information by answering a 3-minute anonymous survey: https://ww2.unipark.de/uc/sbom/ Thanks in advance, and regards, Davide Fucci (Blekinge Institute of Technology, Sweden) Simone Romano and Giuseppe Scaniello (University of Salerno, Italy), Massimiliano Di Penta (University of Sannio, Italy)
---
 sbom.vex.json | 250 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 250 insertions(+)
 create mode 100644 sbom.vex.json
diff --git a/sbom.vex.json b/sbom.vex.json
new file mode 100644
index 0000000..8447e5d
--- /dev/null
+++ b/sbom.vex.json
@@ -0,0 +1,250 @@
+{
+ "@context": "https://openvex.dev/ns/v0.2.0",
+ "@id": "https://openvex.dev/docs/public/vex-1709140b590e9da9a9db6cd5c3e5fd164b2f2348534a70b001c1e9901e2ab7cf",
+ "author": "Unknown Author",
+ "timestamp": "2024-10-04T14:02:32.738057+02:00",
+ "last_updated": "2024-10-04T14:02:33.236518+02:00",
+ "version": 20,
+ "statements": [
+ {
+ "vulnerability": {
+ "name": "CVE-2022-23491"
+ },
+ "timestamp": "2024-10-04T14:02:32.738058+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/certifi@2022.6.15"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2022-40896"
+ },
+ "timestamp": "2024-10-04T14:02:32.766805+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/pygments@2.13.0"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2022-42969"
+ },
+ "timestamp": "2024-10-04T14:02:32.794203+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/py@1.11.0"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-29483"
+ },
+ "timestamp": "2024-10-04T14:02:32.819791+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/dnspython@2.2.1"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-29483"
+ },
+ "timestamp": "2024-10-04T14:02:32.84462+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/eventlet@2.2.1"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-32309"
+ },
+ "timestamp": "2024-10-04T14:02:32.869842+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/pymdown-extensions@9.5"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-32681"
+ },
+ "timestamp": "2024-10-04T14:02:32.896445+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/requests@2.28.1"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-37920"
+ },
+ "timestamp": "2024-10-04T14:02:32.921116+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/certifi@2022.6.15"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-43804"
+ },
+ "timestamp": "2024-10-04T14:02:32.947675+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/urllib3@1.26.11"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-45803"
+ },
+ "timestamp": "2024-10-04T14:02:32.972798+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/urllib3@1.26.11"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-21503"
+ },
+ "timestamp": "2024-10-04T14:02:32.999671+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/black@22.6.0"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-22195"
+ },
+ "timestamp": "2024-10-04T14:02:33.025518+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/jinja2@3.1.2"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-34064"
+ },
+ "timestamp": "2024-10-04T14:02:33.053184+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/jinja2@3.1.2"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-35195"
+ },
+ "timestamp": "2024-10-04T14:02:33.078018+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/requests@2.28.1"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-3651"
+ },
+ "timestamp": "2024-10-04T14:02:33.103982+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/idna@3.3"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-3772"
+ },
+ "timestamp": "2024-10-04T14:02:33.129508+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/pydantic@1.9.2"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-37891"
+ },
+ "timestamp": "2024-10-04T14:02:33.155386+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/urllib3@1.26.11"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-39689"
+ },
+ "timestamp": "2024-10-04T14:02:33.182201+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/certifi@2022.6.15"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-5569"
+ },
+ "timestamp": "2024-10-04T14:02:33.207842+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/zipp@3.8.1"
+ }
+ ],
+ "status": "under_investigation"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2024-6345"
+ },
+ "timestamp": "2024-10-04T14:02:33.236521+02:00",
+ "products": [
+ {
+ "@id": "pkg:pypi/setuptools@65.6.3"
+ }
+ ],
+ "status": "under_investigation"
+ }
+ ]
+}
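Review bot: The fifth statement (CVE-2023-29483) lists `"@id": "pkg:pypi/eventlet@2.2.1"`, which repeats the version string of the dnspython statement directly above it; eventlet's published releases are numbered 0.x as far as I know, so this pURL is unlikely to match any component in the SBOM and the statement would silently apply to nothing. It should carry the eventlet version the SBOM actually records, e.g. `"@id": "pkg:pypi/eventlet@<VERSION-FROM-SBOM>"` (placeholder), or be dropped if the finding only concerned the dnspython it depends on. The document header keeps the generator defaults `"author": "Unknown Author"` and an `@id` under openvex.dev that this project does not control, so a consumer cannot tell who is asserting these statuses; OpenVEX makes `author` mandatory, and it should name the maintainer or organisation that will own the triage before the file is merged. `"version": 20` on a file that is new in this commit is presumably left over from repeated regeneration and should start at 1 unless the earlier revisions are published somewhere.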