Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Vulnerability Exchange (VEX) statements for CPython SBOMs to reference #2340

Open
sethmlarson opened this issue Dec 7, 2023 · 2 comments
Open

Add Vulnerability Exchange (VEX) statements for CPython SBOMs to reference #2340

sethmlarson opened this issue Dec 7, 2023 · 2 comments

Comments

@sethmlarson
Copy link
Contributor

Part of python/cpython#112302

Is your feature request related to a problem? Please describe.

CPython and its artifacts contain many dependencies which can have vulnerabilities. In the interest of not causing mass-confusion from SBOM consumers about the status of the vulnerabilities in dependencies (especially when those vulnerabilities aren't exploitable, like is usually the case for CPython's usage of OpenSSL) it is useful to provide a systematic and automatic mechanism to quell SBOM consumers questions on a potentially vulnerable component.

Describe the solution you'd like

  • VEX document(s) which are capable of referencing dependencies inside of CPython SBOMs and making determinations about affectedness of vulnerabilities.
  • Need to evaluate VEX formats (OpenVEX and CycloneDX are my current candidates)
  • Referenceable location (via HTTPS) so that CPython SBOMs can reference the document(s)
  • Easy way to update the VEX documents via GitHub PR process. Should be easy to contribute so core developers can do so when needed.
@sethmlarson sethmlarson mentioned this issue Dec 8, 2023
Open
@surfaceowl
Copy link
Sponsor

Are there standards for, and tools for, mapping (or translation) all of these different VEX formats to each other?

A quick search on the brought me here https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/... where I noticed this text listing multiple standards ...CycloneDX VEX, OpenVEX, and SPDX3.0 or CSAF...?

Would that be helpful when dealing with a huge tree of dependencies?

I can imagine all of the existing standards will be used by at least one library depended on by python across all the various platforms, linux images, languages, etc... so the above question came to mind right away.

@sethmlarson
Copy link
Contributor Author

@surfaceowl I'm not aware of any tooling that allows converting between the different formats, although I wouldn't be surprised if it exists.

We'll select our format based on some criteria like whether it works with existing tooling. I'm leaning towards OpenVEX currently since I've started using SPDX for CPython's SBOM, SBOM format agnostic, seems straightforward when compared to the others, and owned by the OpenSSF. This decision isn't set in stone, though, only evaluating from first impressions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sethmlarson @surfaceowl