
Evolving vulnerabilities in CycloneDX

My talk from the FOSDEM Software Composition Analysis devroom. A quick intro to CycloneDX, some comments on the current vulnerability extension and some suggested improvements.

Gareth Rushgrove

February 07, 2021

Transcript

  1. Evolving vulnerabilities in CycloneDX
    Gareth Rushgrove

  2. Gareth Rushgrove
    VP Products, Snyk
    Devops Weekly curator
    Conftest/Open Policy Agent maintainer
    Open Source contributor
    @garethr

  3. Agenda (sections 01, 02, 03)

  4. CycloneDX
    Very quick introduction

  5. CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
    - Originally extracted from OWASP Dependency-Track
    - Open specification
    - Open Source under Apache 2.0
    - Tools for generating SBoMs for Maven, Gradle, .NET, Node, Rust, Python, PHP, Ruby and Cocoapods
    - cyclonedx.org and github.com/CycloneDX

  6. - Define a vendor agnostic specification independent of language or ecosystem
    - Specification should be machine readable
    - Specification should be easy to implement with minimal effort
    - Specification should be simple and performant to parse
    - Specification should provide lightweight schema definitions for JSON and XML
    - Specification should reuse parts of existing specs where beneficial
    - Specification should be extensible to support specialized and future use cases
    - Specification should be decentralized, authoritative, and security focused
    - Specification should promote continuous component analysis
    - Should support hardware, libraries, frameworks, applications, containers, and operating systems

  7. Evolving vulnerabilities
    Data modelling and suggested improvements

  8. Vulnerability extension
    Adds property to CycloneDX SBOM

  9. Example vulnerability data in CycloneDX

  10. Vulnerabilities are complex
    Real world vulnerability data comes in lots of shapes and sizes

  11. Support for sources on ratings
    [Suggesting]

  12. Support multiple sources
    [Suggesting]

  13. Arbitrary scores as well as complex CVSS
    [Suggesting]

  14. Structured data for advisories
    [Suggesting]
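
The four suggestions on slides 11 to 14, as an added example that is not part of the original deck or of the CycloneDX project: a hypothetical Python data model (the class names, source names, URLs and the CVE id are constructed, and this is not the extension's actual schema) in which every rating names its source, one record aggregates several sources, a vendor score sits beside a CVSS vector, and advisories are structured rather than bare URLs. merge() shows what the model buys you when two sources disagree about the same vulnerability.

```python
from dataclasses import dataclass, field
# Hypothetical model of the four suggestions above; not the CycloneDX extension schema.
@dataclass(frozen=True)
class Source:
    name: str
    url: str
@dataclass(frozen=True)
class Rating:
    source: Source        # slide 11: every rating names the source that produced it
    method: str           # "CVSSv3" or any vendor-specific method name
    score: float          # slide 13: arbitrary numeric scores, not only CVSS base scores
    severity: str         # none / low / medium / high / critical
    vector: str = ""      # full CVSS vector when the method is CVSS, else empty
@dataclass(frozen=True)
class Advisory:
    source: Source        # slide 14: structured advisory instead of a bare URL string
    title: str
    url: str
@dataclass
class Vulnerability:
    id: str
    sources: list = field(default_factory=list)   # slide 12: several sources per record
    ratings: list = field(default_factory=list)
    advisories: list = field(default_factory=list)

SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def merge(records):
    """Fold per-source records with the same id into one, keeping every source's data."""
    merged = {}
    for r in records:
        m = merged.setdefault(r.id, Vulnerability(r.id))
        m.sources.extend(s for s in r.sources if s not in m.sources)
        m.ratings.extend(x for x in r.ratings if x not in m.ratings)
        m.advisories.extend(a for a in r.advisories if a not in m.advisories)
    return merged

def worst_severity(v):
    """Compare severity labels, not raw scores: CVSS and vendor scales are not comparable."""
    return max((r.severity for r in v.ratings), key=lambda s: SEVERITY_ORDER[s.lower()])
# Constructed sample input: two sources describing the same (placeholder) CVE differently.
NVD = Source("nvd-example", "https://example.invalid/nvd")
VENDOR = Source("vendor-example", "https://example.invalid/vendor")
RECORDS = [
    Vulnerability("CVE-0000-0001", [NVD], [Rating(NVD, "CVSSv3", 7.5, "high",
                  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")],
                  [Advisory(NVD, "Example NVD entry", "https://example.invalid/nvd/1")]),
    Vulnerability("CVE-0000-0001", [VENDOR], [Rating(VENDOR, "vendor-score", 910.0, "critical")],
                  [Advisory(VENDOR, "Example vendor advisory", "https://example.invalid/v/1")]),
]
```

Feeding the same records twice leaves the merged record unchanged, so re-ingesting a source is safe.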

  15. Conclusion
    Next steps and getting involved

  16. Feedback
    I’d love feedback on the open PR

  17. Experiment
    Lots of tools to try out and contribute to

  18. Discuss
    Join in at groups.io/g/CycloneDX and cyclonedx.org/slack/invite
