
Enhancement request to support the Common Security Advisory Framework (CSAF) format. #1475

Closed
santosomar opened this issue Dec 14, 2021 · 6 comments · Fixed by #5535
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@santosomar

The Common Security Advisory Framework Version 2.0 is now an approved specification in the industry. Details about the specification can be found at: https://csaf.io and https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html

CSAF is a language to exchange Security Advisories formulated in JSON. CSAF v2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. It also supports "Vulnerability Exploitability eXchange" (VEX) profiles to associate security vulnerability advisories with software bill of materials (SBOMs). The SBOMs can be either in SPDX, CycloneDX, or SWID formats.

This issue is to humbly request the support of CSAF as an option for the output/report of the tool.

@knqyf263
Collaborator

If I understand correctly, CSAF is similar to OVAL and CVRF, and they are inputs for vulnerability detection. Is there any benefit to outputting the result in CSAF format? For example, Trivy consumes OVAL and CVRF, but it doesn't generate the result in those formats.

@knqyf263 knqyf263 added the triage/needs-information Indicates an issue needs more information in order to work on it. label Dec 16, 2021
@santosomar
Author

santosomar commented Dec 16, 2021

Hi @knqyf263 ,

Thank you for looking into this and your reply! Yes indeed. CSAF is the replacement or successor of CVRF. In CSAF 2.0 we introduced the ability to map vulnerabilities with an SBOM. This is done by using a VEX profile.

This profile is used to provide information of the "Vulnerability Exploitability eXchange". The main purpose of the VEX format is to state that and why a certain product is, or is not, affected by a vulnerability.

This enhancement request is to have the ability to have Trivy provide a report of the vulnerabilities found after the scan in CSAF format.

Thank you again!
Omar

@knqyf263 knqyf263 added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed triage/needs-information Indicates an issue needs more information in order to work on it. labels Dec 19, 2021
@knqyf263
Collaborator

knqyf263 commented Dec 19, 2021

@santosomar Thanks for your explanation! Sounds interesting. We've added the task to our backlog and we welcome any contributions!!

@tschmidtb51

Just a quick remark: Here is a description of how you link an SBOM component in CSAF, as well as examples for CycloneDX and SPDX.

@mpermar

mpermar commented May 12, 2023

@knqyf263 are there any plans to tackle that backlog item?

I have been checking this issue as our team is pretty interested in CSAF support, and the main challenge I see seems to be the lack of golang libraries for CSAF (a standard that is not particularly simple). I still could hack some silly (and invalid as per the above links from @tschmidtb51) filtering by just reusing OpenVEX's CSAF library. This is totally a quick hack and the wrong approach, as OpenVEX is a totally different and unrelated VEX implementation and their CSAF support is mainly there to support filtering from vexctl. I would think either CSAF should provide some basic golang parsing tooling, or this hypothetical little parsing library could exist in the trivy codebase itself. So, reiterating, this is just a test.

bash-3.2$ trivy fs --format cyclonedx --output trivy.sbom.cdx ./go.mod
bash-3.2$ ./trivy sbom trivy.sbom.cdx
go.mod (gomod)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ 1.44.245          │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘


bash-3.2$ tail -n 51 trivy.csaf
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.2.3",
                "product": {
                  "name": "Aqua Security 1.2.3",
                  "product_id": "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/[email protected]"
                }
              }
            ],
            "category": "product_name",
            "name": "Foo"
          }
        ],
        "category": "vendor",
        "name": "Aqua Security"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8911",
      "notes": [
        {
          "category": "description",
          "text": "Important vulnerability being triaged.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/[email protected]"
        ]
      },
      "threats": [
        {
          "category": "impact",
          "details": "Class with vulnerable code was removed before shipping.",
          "product_ids": [
            "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/[email protected]"
          ]
        }
      ]
    }
  ]
}

bash-3.2$ ./trivy sbom trivy.sbom.cdx --vex ./trivy.csaf
2023-05-12T12:29:50.270+0200	INFO	Vulnerability scanning is enabled
2023-05-12T12:29:50.275+0200	INFO	Detected SBOM format: cyclonedx-json
2023-05-12T12:29:50.285+0200	WARN	Ignore the OS package as no OS information is found.
2023-05-12T12:29:50.329+0200	INFO	Number of language-specific files: 1
2023-05-12T12:29:50.329+0200	INFO	Detecting gomod vulnerabilities...
2023-05-12T12:29:50.373+0200	INFO	Filtered out the detected vulnerability	{"VEX format": "OpenVEX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": ""}

go.mod (gomod)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW      │ 1.44.245          │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

@santosomar are any golang libraries coming, at least for VEX support, from the CSAF community?
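The "hypothetical little parsing library" the comment above talks about, as an added example (not Trivy's, OpenVEX's or gocsaf/csaf's code): it reads only the product_tree and product_status fields visible in the trivy.csaf excerpt and answers the one question a VEX filter needs, whether a given product_id is known_not_affected by a given CVE. The sample document, its purl and its CVE mapping are constructed for the example.

```go
package main
import "encoding/json"
// Branch mirrors CSAF 2.0's recursive product_tree.branches; only product_id matters here.
type Branch struct {
	Branches []Branch                                        `json:"branches"`
	Product  *struct{ ProductID string `json:"product_id"` } `json:"product"`
}
// Document keeps just the fields a VEX filter consults.
type Document struct {
	ProductTree     struct{ Branches []Branch `json:"branches"` } `json:"product_tree"`
	Vulnerabilities []struct {
		CVE           string              `json:"cve"`
		ProductStatus map[string][]string `json:"product_status"`
	} `json:"vulnerabilities"`
}
// Sample is a constructed document shaped like the trivy.csaf excerpt above (hypothetical purl).
const Sample = `{"product_tree": {"branches": [{"category": "vendor", "name": "Aqua Security", "branches": [{"category":
  "product_name", "name": "Foo", "branches": [{"category": "product_version", "name": "1.2.3", "product": {"name": "Aqua Security 1.2.3",
  "product_id": "pkg:golang/example/lib@1.2.3"}}]}]}]}, "vulnerabilities": [{"cve": "CVE-2020-8911", "product_status": {"known_not_affected": ["pkg:golang/example/lib@1.2.3"]}}]}`
// declared records every product_id the tree defines, recursing through sub-branches.
func declared(bs []Branch, out map[string]bool) {
	for _, b := range bs {
		if b.Product != nil {
			out[b.Product.ProductID] = true
		}
		declared(b.Branches, out)
	}
}
// NotAffected reports whether the document lists productID as known_not_affected for cve. An id that
// product_tree never declares is ignored (a dangling status must not suppress a finding); bad JSON is an error.
func NotAffected(raw []byte, cve, productID string) (bool, error) {
	var doc Document
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false, err
	}
	ids := map[string]bool{}
	declared(doc.ProductTree.Branches, ids)
	for _, v := range doc.Vulnerabilities {
		if v.CVE != cve || !ids[productID] {
			continue
		}
		for _, id := range v.ProductStatus["known_not_affected"] {
			if id == productID {
				return true, nil
			}
		}
	}
	return false, nil
}
```

A scanner would call NotAffected once per (package purl, CVE) finding and drop the finding only on a true result, which is the behaviour the trivy log above shows for CVE-2020-8911 while CVE-2020-8912 stays reported.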

@tschmidtb51

@knqyf263, @mpermar, @shift: Please have a look at gocsaf/csaf#367 (comment)

If you have a specific request for what (else) would be needed for your use case, please add comments in gocsaf/csaf#367.
