Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolving vulnerabilities in CycloneDX

Evolving vulnerabilities in CycloneDX

My talk from the FOSDEM Software Composition Analysis devroom. A quick intro to CycloneDX, some comments on the current vulnerability extension and some suggested improvements.

98234c645fe8c935edc0fec0186d28b8?s=128

Gareth Rushgrove

February 07, 2021
Tweet

Transcript

  1. Evolving vulnerabilities in CycloneDX Gareth Rushgrove

  2. Gareth Rushgrove VP Products, Snyk Devops Weekly curator Conftest/Open Policy

    Agent maintainer Open Source contributor @garethr
  3. Agenda 01 02 03

  4. CycloneDX Very quick introduction

  5. - Originally extracted from OWASP Dependency-Track - Open specification -

    Open Source under Apache 2.0 - Tools for generating SBoMs for Maven, Gradle, .NET, Node, Rust, Python, PHP, Ruby and Cocoapods - cyclonedx.org and github.com/CycloneDX CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
  6. - Define a vendor agnostic specification independent of language or

    ecosystem - Specification should be machine readable - Specification should be easy to implement with minimal effort - Specification should be simple and performant to parse - Specification should provide lightweight schema definitions for JSON and XML - Specification should reuse parts of existing specs where beneficial - Specification should be extensible to support specialized and future use cases - Specification should be decentralized, authoritative, and security focused - Specification should promote continuous component analysis - Should support hardware, libraries, frameworks, applications, containers, and operating systems
  7. None
  8. None
  9. Evolving vulnerabilities Data modelling and suggested improvements

  10. Vulnerability extension Adds property to CycloneDX SBOM

  11. Example vulnerability data in CycloneDX

  12. Vulnerabilities are complex Real world vulnerability data comes in lots

    of shapes and sizes
  13. Support for sources on ratings _SUGGESTING_

  14. Support multiple sources _SUGGESTING_

  15. Arbitrary scores as well as complex CVSS _SUGGESTING_

  16. Structured data for advisories _SUGGESTING_

  17. Conclusion Next steps and getting involved

  18. Feedback I’d love feedback on the open PR

  19. Experiment Lots of tools to try out and contribute to

  20. Discuss Join in at groups.io/g/CycloneDX and cyclonedx.org/slack/invite