
Evolving vulnerabilities in CycloneDX


My talk from the FOSDEM Software Composition Analysis devroom. A quick intro to CycloneDX, some comments on the current vulnerability extension and some suggested improvements.

Gareth Rushgrove

February 07, 2021


Transcript

  1. Evolving vulnerabilities
    in CycloneDX
    Gareth Rushgrove


  2. Gareth Rushgrove
    VP Products, Snyk
    Devops Weekly curator
    Conftest/Open Policy Agent maintainer
    Open Source contributor
    @garethr


  3. Agenda 01, 02, 03


  4. CycloneDX
    Very quick introduction


  5. CycloneDX is a lightweight software bill of materials
    (SBOM) standard designed for use in application security
    contexts and supply chain component analysis.
    - Originally extracted from OWASP Dependency-Track
    - Open specification
    - Open Source under Apache 2.0
    - Tools for generating SBoMs for Maven, Gradle, .NET, Node, Rust, Python, PHP, Ruby and Cocoapods
    - cyclonedx.org and github.com/CycloneDX


  6. - Define a vendor agnostic specification independent of language or ecosystem
    - Specification should be machine readable
    - Specification should be easy to implement with minimal effort
    - Specification should be simple and performant to parse
    - Specification should provide lightweight schema definitions for JSON and XML
    - Specification should reuse parts of existing specs where beneficial
    - Specification should be extensible to support specialized and future use cases
    - Specification should be decentralized, authoritative, and security focused
    - Specification should promote continuous component analysis
    - Should support hardware, libraries, frameworks, applications, containers, and operating systems


  9. Evolving vulnerabilities
    Data modelling and suggested improvements


  10. Vulnerability extension
    Adds property to CycloneDX SBOM


  11. Example vulnerability data in CycloneDX


  12. Vulnerabilities are complex
    Real world vulnerability data comes in lots of shapes and sizes


  13. Suggesting: support for sources on ratings


  14. Suggesting: support multiple sources


  15. Suggesting: arbitrary scores as well as complex CVSS


  16. Suggesting: structured data for advisories

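    The four suggestions in slides 13 to 16 can be read as consistency rules over a vulnerability record: every rating names its source, a record may carry several sources, a rating may hold a CVSS vector or an arbitrary numeric score, and advisories are structured objects. The checker below is an added example written for this page, not code from the talk or from the CycloneDX project; the field names it uses and the sample record are assumptions that follow the talk's suggestions, not the extension's actual schema.

```python
"""Hypothetical consistency checks for vulnerability data shaped along the
four suggestions in the talk (example code; not CycloneDX's own schema)."""
import re

# Constructed sample record. Field names are assumptions, not the spec's.
SAMPLE_VULN = {
    "id": "EXAMPLE-0001",  # placeholder identifier, not a real advisory id
    "sources": [
        {"name": "nvd", "url": "https://example.invalid/nvd"},
        {"name": "vendor-advisory", "url": "https://example.invalid/advisory"},
    ],
    "ratings": [
        {"source": "nvd", "method": "CVSSv3", "score": 9.8,
         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        {"source": "vendor-advisory", "method": "other", "score": 750},
    ],
    "advisories": [{"title": "Vendor notice", "url": "https://example.invalid/a"}],
}

# Loose shape check for a CVSS v3.0/v3.1 vector string.
CVSS3_VECTOR = re.compile(r"^CVSS:3\.[01](/[A-Z]+:[A-Z])+$")


def validate(vuln):
    """Return a list of problems; an empty list means the record satisfies
    all four suggestions (sources on ratings, multiple sources allowed,
    arbitrary scores alongside CVSS, structured advisories)."""
    problems = []
    sources = {s["name"] for s in vuln.get("sources", []) if "name" in s}
    if not sources:
        problems.append("record lists no sources")
    for i, r in enumerate(vuln.get("ratings", [])):
        # Each rating must point at one of the record's declared sources.
        if r.get("source") not in sources:
            problems.append(f"rating {i}: source missing or not declared")
        # CVSS ratings carry a vector and a score on the 0-10 scale;
        # any other method may use an arbitrary numeric score.
        if r.get("method") == "CVSSv3":
            if not CVSS3_VECTOR.match(r.get("vector", "")):
                problems.append(f"rating {i}: malformed CVSS v3 vector")
            if not 0 <= r.get("score", -1) <= 10:
                problems.append(f"rating {i}: CVSS score outside 0-10")
        elif not isinstance(r.get("score"), (int, float)):
            problems.append(f"rating {i}: score must be numeric")
    for i, a in enumerate(vuln.get("advisories", [])):
        # Advisories are structured objects, not bare URL strings.
        if not (isinstance(a, dict) and a.get("title") and a.get("url")):
            problems.append(f"advisory {i}: needs a title and a url")
    return problems
```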

  17. Conclusion
    Next steps and getting involved


  18. Feedback
    I’d love feedback on the open PR


  19. Experiment
    Lots of tools to try out and contribute to


  20. Discuss
    Join in at groups.io/g/CycloneDX
    and cyclonedx.org/slack/invite
