Posted to security-discuss@community.apache.org by Arnout Engelen <en...@apache.org> on 2022/12/13 14:09:22 UTC

Experimenting with VEX

Hello security-discuss,

Some projects quite regularly get questions about whether their
releases are affected by vulnerabilities published for their
dependencies. With all the enthusiasm around SBOM and security
scanning, I think we can expect the number of such questions to rise.

To reduce noise and duplication of efforts, it seems useful to publish
any knowledge we have about the (non)exploitability of 'upstream'
vulnerabilities related to our projects in a machine-readable way.
There are various 'VEX' file formats in active development to share
such information (CSAF, CycloneDX).

I think it would be useful to start experimenting with publishing such
VEX files, and to engage with downstream users to see whether this
indeed helps them improve the signal/noise ratio of their security
scanning. I've been trying out various tools in this area, and it
looks like there's still a lot of work to be done in the wider
ecosystem: especially around how to share/discover this information[1]
and how to identify software[2]. It would be useful to gain more
experience on what the most important gaps are.

Does anyone have thoughts around this, and/or would like to join such
experiments with their projects? I'm happy to participate with
hands-on assistance. I'm planning on taking the first steps with the
Solr project soon[3].


Kind regards,

Arnout

[1]: CSAF appears to have some mechanisms for that, but I'm not sure
how widely-supported this is
[2]: https://github.com/package-url/purl-spec seems interesting
[3]: https://lists.apache.org/thread/j35clzm48s7xxc9671qogzr54bsdj1lz

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscribe@community.apache.org
For additional commands, e-mail: security-discuss-help@community.apache.org


Re: Experimenting with VEX

Posted by Brandon Lum <lu...@google.com.INVALID>.
I've been having conversations with OSV.dev folks about VEX and we're
looking to publish a blog post sharing some OSV perspectives of VEX in a
couple weeks! But there is interest and much relevance of VEX with
OSV! +Oliver Chang <oc...@google.com>

For consumption, some of us are also looking to consume VEX documents as
part of open source GUAC <https://github.com/guacsec/guac> project. It will
be an exercise in resolving the VEX statements with the vulnerability
reports and SBOMs consumed.

On a side note, the VEX community is working on defining a data model
<https://docs.google.com/document/d/1uZPzQUoeoaCTaEmd7nQDf4lCl5ctpsNANh0phNC7IL0/edit>
- aiming to provide a consistent set of fields across implementations. The
hope is that the exercise will provide consistency across consumption.

On Tue, Dec 13, 2022 at 11:28 PM Mike Drob <md...@apache.org> wrote:

> The purl spec is currently used by osv.dev in their schema and I've seen
> other folks consolidating in that direction, so I think that bit has
> promise.

Re: Experimenting with VEX

Posted by Mike Drob <md...@apache.org>.
The purl spec is currently used by osv.dev in their schema and I've seen
other folks consolidating in that direction, so I think that bit has
promise.

On Tue, Dec 13, 2022 at 8:41 AM Arnout Engelen <en...@apache.org> wrote:

> On 2022/12/13 14:22:05 Gary Gregory wrote:
> > FYI, Apache Commons' parent POM uses CycloneDX and SPDX, so all Commons
> > components now generate those files and they end up in the Maven
> > repository.
> >
> > Is there a CSAF maven plugin we should use as well?
>
> Not that I know of - my impression is that for the SBOM (which can be
> generated once and published with the artifact) indeed CycloneDX and SPDX
> appear to be the main candidates. VEX is different in that it should be
> updated as more information about vulnerabilities becomes available. I've
> mainly been experimenting with CycloneDX so far, but that's not a
> particular endorsement, it simply seemed like a suitable starting point.
>
> > Since it is early in the game for Commons and VEX, I went with the more
> is better approach.
>
> Yes, I fully agree we're in the "try many things and see what works and
> what needs work" stage - not just at Apache but generally ;)
>
>
> Arnout
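The workflow this thread sketches, Arnout's proposal to publish machine-readable (non)exploitability statements so that downstream scanners produce less noise, Brandon's note that consuming VEX means resolving its statements against vulnerability reports and SBOMs, and Mike's point that purl is the identifier the ecosystem is converging on, worked through as an added example. This is not code from the original thread, from any Apache project, or from the CycloneDX, OSV or GUAC projects. It assumes CycloneDX 1.4 JSON with purls used as bom-refs (real documents may instead carry BOM-Link references into an external SBOM, which this simplified consumer does not resolve); the SBOM, the two VEX revisions, the scanner findings and every package name and vulnerability id in it are constructed placeholders:

```python
# Added illustration for this thread, not code from any Apache, CycloneDX,
# OSV or GUAC project. All documents, purls and vulnerability ids are constructed.
import json
from urllib.parse import unquote

# CycloneDX analysis states under which a finding is noise for this product.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Constructed SBOM: components identified by purl, which also serves as bom-ref.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/parser-lib@1.2.3",
     "purl": "pkg:maven/org.example/parser-lib@1.2.3"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/http-client@4.0.0",
     "purl": "pkg:maven/org.example/http-client@4.0.0"}]}""")

# Two revisions of the project's VEX: revision 1 says triage is in progress;
# revision 2 records the outcome, adds a statement and carries a stale one.
VEX_V1 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-2022-0001", "analysis": {"state": "in_triage"},
     "affects": [{"ref": "pkg:maven/org.example/parser-lib@1.2.3"}]}]}""")
VEX_V2 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 2,
  "vulnerabilities": [
    {"id": "EXAMPLE-2022-0001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:maven/org.example/parser-lib@1.2.3"}]},
    {"id": "EXAMPLE-2022-0002", "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:maven/org.example/http-client@4.0.0"}]},
    {"id": "EXAMPLE-2022-0009",
     "analysis": {"state": "not_affected", "justification": "code_not_present"},
     "affects": [{"ref": "pkg:maven/org.example/old-lib@0.1.0"}]}]}""")

# Constructed scanner output shaped like an OSV-style hit: id plus purl.
# The "?type=jar" qualifier is what a Maven-aware scanner typically appends.
FINDINGS = [
    {"id": "EXAMPLE-2022-0001", "purl": "pkg:maven/org.example/parser-lib@1.2.3?type=jar"},
    {"id": "EXAMPLE-2022-0002", "purl": "pkg:maven/org.example/http-client@4.0.0"},
    {"id": "EXAMPLE-2022-0003", "purl": "pkg:maven/org.example/parser-lib@1.2.3"},
    {"id": "EXAMPLE-2022-0004", "purl": "pkg:maven/org.example/not-shipped@9.9.9"}]


def parse_purl(purl):
    """Reduce a purl to (type, namespace, name, version) following purl-spec.

    Qualifiers and subpath are dropped on purpose: purls differing only in
    "?type=jar" name the same artifact as far as a VEX statement is concerned.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    parts = body.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return (parts[0].lower(), namespace, unquote(parts[-1]), version)


def latest_statements(vex_docs):
    """Map (vulnerability id, purl) to the analysis from the highest VEX version,
    so a revision published as analysis progresses overrides an older copy."""
    best = {}
    for doc in sorted(vex_docs, key=lambda d: d["version"]):
        for vuln in doc.get("vulnerabilities", []):
            for target in vuln.get("affects", []):
                best[(vuln["id"], parse_purl(target["ref"]))] = vuln.get("analysis", {})
    return best


def shipped_components(sbom):
    return {parse_purl(c["purl"]) for c in sbom.get("components", []) if "purl" in c}


def triage(findings, sbom, vex_docs):
    """Sort scanner findings into kept / suppressed / unresolved using the VEX."""
    shipped, statements = shipped_components(sbom), latest_statements(vex_docs)
    result = {"kept": [], "suppressed": [], "unresolved": []}
    for f in findings:
        key = (f["id"], parse_purl(f["purl"]))
        analysis = statements.get(key)
        if key[1] not in shipped:
            result["unresolved"].append((f["id"], "component not in SBOM"))
        elif analysis is None:
            result["unresolved"].append((f["id"], "no VEX statement"))
        elif analysis.get("state") in SUPPRESSING_STATES:
            result["suppressed"].append((f["id"], analysis.get("justification")))
        else:  # exploitable, or still in_triage: stays on the report
            result["kept"].append((f["id"], analysis.get("state")))
    return result


def stale_statements(sbom, vex_docs):
    """Vulnerability ids whose statements name components the SBOM does not ship."""
    shipped = shipped_components(sbom)
    return sorted({vid for (vid, p) in latest_statements(vex_docs) if p not in shipped})


if __name__ == "__main__":
    print(json.dumps(triage(FINDINGS, SBOM, [VEX_V1, VEX_V2]), indent=2))
    print("stale VEX statements:", stale_statements(SBOM, [VEX_V1, VEX_V2]))
```

Run stand-alone, the finding the project has analysed as not_affected drops out of the report together with its justification, the exploitable one stays, a finding with no statement is reported as unresolved rather than silently kept or dropped, and the statement about a component the SBOM no longer ships is flagged as stale. The version ordering is the point of latest_statements: a consumer that merged revisions without letting the newest win would still show the in_triage state from revision 1, which is exactly the "VEX must be updated over time" property that distinguishes it from a build-time SBOM.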

Re: Experimenting with VEX

Posted by Arnout Engelen <en...@apache.org>.
On 2022/12/13 14:22:05 Gary Gregory wrote:
> FYI, Apache Commons' parent POM uses CycloneDX and SPDX, so all Commons
> components now generate those files and they end up in the Maven
> repository.
> 
> Is there a CSAF maven plugin we should use as well?

Not that I know of - my impression is that for the SBOM (which can be generated once and published with the artifact) indeed CycloneDX and SPDX appear to be the main candidates. VEX is different in that it should be updated as more information about vulnerabilities becomes available. I've mainly been experimenting with CycloneDX so far, but that's not a particular endorsement, it simply seemed like a suitable starting point.

> Since it is early in the game for Commons and VEX, I went with the more is better approach.

Yes, I fully agree we're in the "try many things and see what works and what needs work" stage - not just at Apache but generally ;)


Arnout


Re: Experimenting with VEX

Posted by Gary Gregory <ga...@gmail.com>.
FYI, Apache Commons' parent POM uses CycloneDX and SPDX, so all Commons
components now generate those files and they end up in the Maven
repository.

Is there a CSAF maven plugin we should use as well? Since it is early in
the game for Commons and VEX, I went with the more is better approach.

Gary
