Slide 1

Evolving vulnerabilities in CycloneDX
Gareth Rushgrove

Slide 2

Gareth Rushgrove
VP Products, Snyk
Devops Weekly curator
Conftest/Open Policy Agent maintainer
Open Source contributor
@garethr

Slide 3

Agenda 01 02 03

Slide 4

CycloneDX
Very quick introduction

Slide 5

CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

- Originally extracted from OWASP Dependency-Track
- Open specification
- Open Source under Apache 2.0
- Tools for generating SBoMs for Maven, Gradle, .NET, Node, Rust, Python, PHP, Ruby and Cocoapods
- cyclonedx.org and github.com/CycloneDX

Slide 6

- Define a vendor agnostic specification independent of language or ecosystem
- Specification should be machine readable
- Specification should be easy to implement with minimal effort
- Specification should be simple and performant to parse
- Specification should provide lightweight schema definitions for JSON and XML
- Specification should reuse parts of existing specs where beneficial
- Specification should be extensible to support specialized and future use cases
- Specification should be decentralized, authoritative, and security focused
- Specification should promote continuous component analysis
- Should support hardware, libraries, frameworks, applications, containers, and operating systems

Slide 7

No content

Slide 8

No content

Slide 9

Evolving vulnerabilities
Data modelling and suggested improvements

Slide 10

Vulnerability extension
Adds property to CycloneDX SBOM

Slide 11

Example vulnerability data in CycloneDX

Slide 12

Vulnerabilities are complex
Real world vulnerability data comes in lots of shapes and sizes

Slide 13

Support for sources on ratings _SUGGESTING_

Slide 14

Support multiple sources _SUGGESTING_

Slide 15

Arbitrary scores as well as complex CVSS _SUGGESTING_

Slide 16

Structured data for advisories _SUGGESTING_
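As an added illustration (not from the talk, the CycloneDX schema, or the open PR), the following Python sketches a vulnerability record with the four properties suggested on slides 13 to 16: every rating names its own source, one vulnerability can cite several sources, a vendor's own score sits beside a CVSS rating, and advisories are structured records rather than bare URLs. All field names, the `merge` and `highest_severity` helpers, and the sample records (placeholder ids and URLs) are assumptions made for this example.

```python
"""Illustrative model for the vulnerability shape suggested in the slides.
Field names are assumptions for this example, not the CycloneDX schema."""
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass, field

# Ordering used when several ratings disagree; the worst one wins.
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Shape check for a CVSS v3.0/3.1 base vector (metric values only, no scoring).
_CVSS3_VECTOR = re.compile(
    r"^CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]$"
)


@dataclass
class Source:
    name: str
    url: str = ""


@dataclass
class Rating:
    source: Source             # who produced this rating (sources on ratings)
    severity: str              # one of SEVERITY_ORDER
    method: str = "other"      # "CVSSv3", or "other" for a vendor's own scale
    score: float | None = None
    vector: str | None = None  # CVSS vector string when method is CVSS

    def validate(self) -> None:
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.method == "CVSSv3":
            if self.vector is None or not _CVSS3_VECTOR.match(self.vector):
                raise ValueError(f"malformed CVSS v3 vector {self.vector!r}")
            if self.score is None or not 0.0 <= self.score <= 10.0:
                raise ValueError("CVSS v3 score must be within 0.0-10.0")


@dataclass
class Advisory:
    title: str                 # structured advisory instead of a bare URL
    url: str


@dataclass
class Vulnerability:
    id: str
    sources: list[Source]      # several sources per vulnerability
    ratings: list[Rating]
    advisories: list[Advisory] = field(default_factory=list)
    affects: list[str] = field(default_factory=list)  # bom-refs of affected components


def highest_severity(vuln: Vulnerability) -> str:
    """Worst severity across all ratings, whichever source produced it."""
    for r in vuln.ratings:
        r.validate()
    if not vuln.ratings:
        return "none"
    return max((r.severity for r in vuln.ratings), key=SEVERITY_ORDER.__getitem__)


def merge(a: Vulnerability, b: Vulnerability) -> Vulnerability:
    """Combine two records for one id: union sources/advisories/affects, keep every rating."""
    if a.id != b.id:
        raise ValueError("cannot merge different vulnerability ids")
    sources = {s.name: s for s in a.sources + b.sources}
    advisories = {adv.url: adv for adv in a.advisories + b.advisories}
    return Vulnerability(
        id=a.id,
        sources=list(sources.values()),
        ratings=a.ratings + b.ratings,
        advisories=list(advisories.values()),
        affects=sorted(set(a.affects) | set(b.affects)),
    )


def to_json(vuln: Vulnerability) -> str:
    return json.dumps(asdict(vuln), indent=2, sort_keys=True)


def from_json(text: str) -> Vulnerability:
    d = json.loads(text)
    return Vulnerability(
        id=d["id"],
        sources=[Source(**s) for s in d["sources"]],
        ratings=[Rating(source=Source(**r.pop("source")), **r) for r in d["ratings"]],
        advisories=[Advisory(**adv) for adv in d["advisories"]],
        affects=list(d["affects"]),
    )


# Constructed sample input: one issue as seen by a CVSS-scoring database and by a
# vendor publishing its own 0-1000 score. Ids and URLs are placeholders.
DB_RECORD = Vulnerability(
    id="EXAMPLE-2021-0001",
    sources=[Source("example-db", "https://example.invalid/db")],
    ratings=[Rating(Source("example-db"), "high", "CVSSv3", 7.5,
                    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")],
    advisories=[Advisory("Example DB entry", "https://example.invalid/db/0001")],
    affects=["pkg:maven/org.example/lib@1.2.3"],
)
VENDOR_RECORD = Vulnerability(
    id="EXAMPLE-2021-0001",
    sources=[Source("example-vendor", "https://vendor.invalid")],
    ratings=[Rating(Source("example-vendor"), "critical", "other", 910.0)],
    advisories=[Advisory("Vendor advisory", "https://vendor.invalid/adv/0001")],
    affects=["pkg:maven/org.example/lib@1.2.3", "pkg:maven/org.example/lib@1.2.4"],
)
```

Merging the two constructed records keeps both ratings with their sources intact, so a consumer can still see that the "critical" verdict came from the vendor's own scale while the CVSS v3 rating came from the database, rather than collapsing them into a single unattributed score.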

Slide 17

Conclusion
Next steps and getting involved

Slide 18

Feedback
I’d love feedback on the open PR

Slide 19

Experiment
Lots of tools to try out and contribute to

Slide 20

Discuss
Join in at groups.io/g/CycloneDX and cyclonedx.org/slack/invite