Hi Andrew,
Joerg Roedel, who is currently in Bilbao, has met you, and you asked him to
reach out to a person who could help with OSV.
This would be me, I am overseeing the security automation data
generation at SUSE.
We generate OVAL, CVRF and CSAF and CSAF VEX data at this time.
Ciao, Marcus
--
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg
Hi,
I am generating this kind of advisories now for SUSE and openSUSE,
and the relation has the CVE lists.
They can be found here:
https://ftp.suse.com/pub/projects/security/osv/
I would appreciate feedback if something is incorrect or missing.
What I see as a gap:
- I cannot add CVSS scores to the advisory style OSV (besides potentially using the vendor specific fields).
- I cannot communicate some form of rating for the advisory (also except vendor specific fields).
Hi Andrew,
On Wed, Nov 08, 2023 at 10:28:40AM +1100, Andrew Pollock wrote:
> On Wed, 8 Nov 2023 at 03:08, Marcus Meissner <meis...@suse.de> wrote:
>
> > Hi,
> >
> > I am generating these kind of advisories now for SUSE and openSUSE,
> > and relation has the CVE lists.
> >
> > Can be found here:
> > https://ftp.suse.com/pub/projects/security/osv/
> >
> > I would appreciate feedback if something is incorrect or missing.
> >
> >
> Very cool! We'll take a look and collectively give you feedback, rather
> than giving it piecemeal so you can act on it all in one go.
Thank you!
> >
> > What I see as gap:
> >
> > - I cannot add CVSS scores to the advisory style OSV (besides potentially
> > using the vendor specific fields).
> >
>
> You can, see https://ossf.github.io/osv-schema/#severity-field
>
>
> > - I cannot communicate some form of rating for the advisory (also except
> > vendor specific fields).
> >
> >
> Can you elaborate on your needs with this "rating", beyond what
> https://ossf.github.io/osv-schema/#severity-field seeks to achieve?
The thing is that advisories contain 0-n CVEs and usually the CVSS v3
score is associated with a CVE, not with an advisory.
While the severity field could list multiple CVSS_V3 scores, it has no
CVE association for them.
That's why I was also looking at a separate OSV tree, not indexed by
advisory but indexed by CVE. I have attached a sample JSON for this.
Ciao, Marcus
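As an added illustration (not code from the thread or from SUSE's generator), here is one way to encode an advisory that covers several CVEs: the standard OSV severity list gets one CVSS_V3 entry per CVE but names no CVE, so the CVE-to-score mapping is kept in the vendor-specific database_specific field, as suggested above. The CVE IDs, advisory ID, package name, versions and the schema_version value are constructed placeholders.

```python
# Constructed sample: one advisory covering two CVEs, each with its own
# CVSS v3.1 vector.  The CVE IDs are placeholders, not real CVEs.
ADVISORY_CVES = {
    "CVE-0000-0001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVE-0000-0002": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
}

def build_osv_record(advisory_id, cves, ecosystem, package, fixed_version):
    """Build an OSV-style advisory record (dict) for a set of CVEs.

    'severity' is the standard OSV field, a list of {"type", "score"}: one
    CVSS_V3 entry per CVE, but an entry carries no CVE association.  The
    CVE-to-score mapping therefore goes into 'database_specific', the field
    OSV reserves for vendor-specific data.
    """
    ordered = sorted(cves.items())
    return {
        "schema_version": "1.6.0",  # assumed schema version for the example
        "id": advisory_id,
        "aliases": [cve for cve, _ in ordered],
        "severity": [{"type": "CVSS_V3", "score": vec} for _, vec in ordered],
        "affected": [{
            "package": {"ecosystem": ecosystem, "name": package},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"},
                                   {"fixed": fixed_version}]}],
        }],
        "database_specific": {"cvss_by_cve": dict(cves)},
    }

def cvss_for_cve(record, cve_id):
    """Recover the CVSS vector for one CVE; only the vendor-specific mapping
    allows this, the standard severity list cannot be mapped back to a CVE."""
    return record.get("database_specific", {}).get("cvss_by_cve", {}).get(cve_id)

def check_record(record):
    """Return a list of consistency problems (empty means consistent)."""
    problems = []
    by_cve = record.get("database_specific", {}).get("cvss_by_cve", {})
    for cve in record.get("aliases", []):
        if cve not in by_cve:
            problems.append(f"{cve} is an alias but has no CVSS entry")
    severity = record.get("severity", [])
    if len(severity) != len(by_cve):
        problems.append("severity entries do not match per-CVE scores")
    for entry in severity:
        if entry.get("type") != "CVSS_V3" or not entry.get("score", "").startswith("CVSS:3"):
            problems.append(f"unexpected severity entry: {entry}")
    return problems
```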
The next steps are to get a prefix added to the OSV-Schema; here are a few previous pull requests to look to for inspiration:

With the ecosystem field, what we've done with other distributions, and I'd recommend we do here as well, is to have colon delimiting releases or products.

name is the name of the source package. The ecosystem string might optionally have a :<RELEASE> suffix to scope the package to a particular Debian release. <RELEASE> is a numeric version specified in the Debian distro-info-data. For example, the ecosystem string “Debian:7” refers to the Debian 7 (wheezy) release.
Hi,
Sorry for the delay in replying.
I will put a hold on the per-CVE id for now, or integrate it into the
per-advisory data via the private fields.
I thought about this ecosystem a bit, and for me it seems a bit challenging to
follow the others, like "Debian:<nr>" or so, due to the number of
distinct products we have.
Or is there a possibility to just say "with a prefix of 'SUSE' it's the SUSE
ecosystem"?
Or would it make sense to have a bit of duplication, so something like this
for the bigger SUSE family:
"SUSE:SUSE Linux Enterprise Server 12 SP5"
"SUSE:SUSE Manager 4.3"
"SUSE:SUSE Linux Enterprise Module for Basesystem 15 SP4"
...
For openSUSE I could follow the Debian/Rocky/Alma pattern and use this:
"openSUSE:Leap 15.4"
"openSUSE:Leap Micro 5.5"
"openSUSE:Tumbleweed"
I was also looking a bit into scanners for identification purposes;
there would need to be some RPM query relation for each of them:
"SUSE:Linux Enterprise Server 12 SP5" <=> RPM sles-release == 12.5
And this might need to be a hardcoded list.
I so far did not go into reading up on the "purl" specification; this
might probably be the best bet here for identification instead of hardcoding
relations.
> > For openSUSE I could follow the Debian/Rocky/Alma pattern and use this:
> >
> > "openSUSE:Leap 15.4"
> > "openSUSE:Leap Micro 5.5"
> > "openSUSE:Tumbleweed"
> >
>
> Sounds good! Similar question here regarding the bits that can come after
> ":" though. Is there an authoritative list or set of rules for how to
> specify the exact product in a consistent way?
This is a shorter list and the association is similarly easy.
Currently it's around 20, growing by 3 to 4 each year.
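An added illustration of the hardcoded RPM relation discussed above (not code from the thread or from SUSE): it checks ecosystem strings of the "SUSE:<product>" / "openSUSE:<release>" shape and maps an installed release package to an ecosystem string so a scanner can tell which affected entries of an advisory apply to a host. Only the sles-release == 12.5 relation comes from the thread; the openSUSE-release package name, the Leap/Tumbleweed version heuristic and the prefix rule are assumptions.

```python
import re

# Relation table: (release RPM name, version) -> OSV ecosystem string.
# The single row is the relation quoted in the thread (product spelled as in
# the SUSE list above); real deployments would need the full hardcoded list.
RELEASE_RPM_TO_ECOSYSTEM = {
    ("sles-release", "12.5"): "SUSE:SUSE Linux Enterprise Server 12 SP5",
}

# Assumed rule for the bits after ":": prefix is SUSE or openSUSE, then a
# non-empty product or release name.
ECOSYSTEM_RE = re.compile(r"^(?P<prefix>SUSE|openSUSE):(?P<product>\S.*)$")

def parse_ecosystem(ecosystem):
    """Split an ecosystem string into (prefix, product); None if malformed."""
    m = ECOSYSTEM_RE.match(ecosystem)
    return (m["prefix"], m["product"]) if m else None

def ecosystem_from_release_rpm(name, version):
    """Map an installed release package (name, version) to an ecosystem string.

    SUSE products use the hardcoded table.  For openSUSE the package name
    openSUSE-release is assumed: a 'major.minor' version is taken as a Leap
    release, an 8-digit snapshot date as Tumbleweed (both assumptions).
    """
    if name == "openSUSE-release":
        if re.fullmatch(r"\d{8}", version):
            return "openSUSE:Tumbleweed"
        if re.fullmatch(r"\d+\.\d+", version):
            return f"openSUSE:Leap {version}"
        return None
    return RELEASE_RPM_TO_ECOSYSTEM.get((name, version))

def parse_rpm_query(output):
    """Parse '<NAME> <VERSION>' lines, as produced by an rpm query with the
    format '%{NAME} %{VERSION}', into (name, version) pairs."""
    pairs = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs

def host_in_scope(rpm_output, affected_ecosystems):
    """Return the advisory's ecosystem strings that match this host."""
    host = {ecosystem_from_release_rpm(n, v) for n, v in parse_rpm_query(rpm_output)}
    host.discard(None)
    return sorted(e for e in affected_ecosystems if parse_ecosystem(e) and e in host)
```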