
Feature: Provide advisories as CSAF #1685

Open
tschmidtb51 opened this issue Feb 9, 2023 · 3 comments

Comments

tschmidtb51 commented Feb 9, 2023

Dear GitHub team,
It would be nice if your security advisories were also available in the Common Security Advisory Framework (CSAF). CSAF specifies a standard way to distribute security advisories so that they can be retrieved automatically. This method scales well for all issuing parties. It is also the @cisagov recommended format, as CISA's EAD Eric Goldstein points out in his blog post Transforming the vulnerability management landscape.

A conversion from the GitHub advisory format to CSAF seems to be possible.

CSAF version of GHSA-2275-rpf5-xv8h

```json
{
  "document": {
    "aggregate_severity": { "text": "HIGH" },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": {
      "category": "other",
      "name": "Github",
      "namespace": "https://github.com/github/advisory-database/"
    },
    "references": [
      { "category": "self", "summary": "NIST NVD entry", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25906" },
      { "category": "external", "summary": "Package", "url": "https://github.com/stefanjudis/is-http2" },
      { "category": "external", "summary": "Vulnerability details", "url": "https://security.snyk.io/vuln/SNYK-JS-ISHTTP2-3153878" },
      { "category": "external", "summary": "Problem", "url": "https://github.com/stefanjudis/is-http2/blob/master/index.js#L23" }
    ],
    "title": "is-http2 vulnerable to Improper Input Validation",
    "tracking": {
      "aliases": [ "CVE-2022-25906" ],
      "current_release_date": "2023-02-08T11:00:00.000Z",
      "generator": {
        "date": "2023-02-09T10:46:55.818Z",
        "engine": { "name": "Secvisogram", "version": "2.0.0" }
      },
      "id": "GHSA-2275-rpf5-xv8h",
      "initial_release_date": "2023-02-01T06:30:30Z",
      "revision_history": [
        { "date": "2023-02-01T06:30:30Z", "number": "1", "summary": "Initial version." },
        { "date": "2023-02-02T17:13:07Z", "number": "2", "summary": "Add affected packages, update references." },
        { "date": "2023-02-08T22:40:04Z", "number": "3", "summary": "Add CWE and correct title." }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:npm/<=1.2.0",
                "product": { "name": "stefanjudis is-http2 vers:npm/<=1.2.0", "product_id": "CSAFPID-0001" }
              }
            ],
            "category": "product_name",
            "name": "is-http2"
          }
        ],
        "category": "vendor",
        "name": "stefanjudis"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-25906",
      "cwe": { "id": "CWE-20", "name": "Improper Input Validation" },
      "involvements": [
        { "date": "2023-02-02T17:13:07Z", "party": "other", "status": "completed", "summary": "Reviewed by Github" }
      ],
      "notes": [
        {
          "category": "description",
          "text": "All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.",
          "title": "CVE description"
        }
      ],
      "product_status": { "known_affected": [ "CSAFPID-0001" ] },
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [ "CSAFPID-0001" ]
        }
      ]
    }
  ]
}
```

As GitHub hosts many open source projects, it would be beneficial if you would integrate this, as most of the required metadata could be configured in the project or is already available.

See csaf.io and the videos for more details.

Thank you for considering. I'm happy to have a chat (also offline).
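The conversion the comment above describes as "seems to be possible", worked through as an added example (not code from the issue, from GitHub, or from the CSAF project): a Python converter from one GitHub Advisory Database record in OSV JSON to a CSAF 2.0 document shaped like the one posted. The OSV field layout, the CWE name lookup and the input record are assumptions; the record is constructed and abridged from the public GHSA-2275-rpf5-xv8h data. It shows two things the posted JSON alone does not: OSV carries only the CVSS vector string, so the baseScore and baseSeverity that the CSAF cvss_v3 object requires have to be computed (here with the CVSS v3.1 base formula and its Roundup function), and every product_id a vulnerability references must be defined in product_tree, which is CSAF mandatory test 6.1.1 and is checked by the last function.

```python
"""Convert one GitHub Advisory Database record (OSV JSON) into a CSAF 2.0
csaf_security_advisory. Added example; the record is constructed, the OSV layout assumed."""
import json
import math

GHSA_OSV = {  # constructed input, abridged from the public GHSA-2275-rpf5-xv8h data
    "id": "GHSA-2275-rpf5-xv8h", "aliases": ["CVE-2022-25906"],
    "published": "2023-02-01T06:30:30Z", "modified": "2023-02-08T22:40:04Z",
    "summary": "is-http2 vulnerable to Improper Input Validation",
    "details": "All versions of the package is-http2 are vulnerable to Command "
               "Injection due to missing input sanitization in the isH2 function.",
    "severity": [{"type": "CVSS_V3",
                  "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],
    "affected": [{"package": {"ecosystem": "npm", "name": "is-http2"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
                  "database_specific": {"last_known_affected_version_range": "<= 1.2.0"}}],
    "references": [{"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25906"},
                   {"type": "PACKAGE", "url": "https://github.com/stefanjudis/is-http2"}],
    "database_specific": {"cwe_ids": ["CWE-20"], "severity": "HIGH"},
}
CWE_NAMES = {"CWE-20": "Improper Input Validation"}  # assumed lookup; OSV carries ids only
_W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
      "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0}}

def _roundup(x):
    """CVSS v3.1 Roundup (Appendix A): integer arithmetic avoids float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Base score from a CVSS:3.1 vector; OSV stores only the vector, CSAF needs the score."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    changed = m["S"] == "C"
    pr = {"N": .85, "L": .68 if changed else .62, "H": .5 if changed else .27}[m["PR"]]
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 7.52 * (iss - .029) - 3.25 * (iss - .02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * pr * _W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else _roundup(min((1.08 if changed else 1) * (impact + expl), 10))

def cvss_severity(score):
    return ("NONE" if score == 0 else "LOW" if score < 4 else
            "MEDIUM" if score < 7 else "HIGH" if score < 9 else "CRITICAL")

def osv_range_to_vers(ecosystem, affected):
    """OSV introduced/fixed events (or GitHub's last_known_affected hint) to a vers: range."""
    ev = {k: v for e in affected["ranges"][0]["events"] for k, v in e.items()}
    lo = "" if ev.get("introduced", "0") == "0" else f">={ev['introduced']}|"
    hi = (f"<{ev['fixed']}" if "fixed" in ev else
          affected["database_specific"]["last_known_affected_version_range"].replace(" ", ""))
    return f"vers:{ecosystem.lower()}/{lo}{hi}"

def osv_to_csaf(osv):
    vector = osv["severity"][0]["score"]
    score = cvss31_base_score(vector)
    branches, pids = [], []
    for n, aff in enumerate(osv["affected"], 1):
        name, pid = aff["package"]["name"], f"CSAFPID-{n:04d}"
        vers = osv_range_to_vers(aff["package"]["ecosystem"], aff)
        pids.append(pid)
        branches.append({"category": "product_name", "name": name, "branches": [
            {"category": "product_version_range", "name": vers,
             "product": {"name": f"{name} {vers}", "product_id": pid}}]})
    vuln = {"cve": osv["aliases"][0],
            "notes": [{"category": "description", "title": "CVE description", "text": osv["details"]}],
            "product_status": {"known_affected": pids},
            "scores": [{"cvss_v3": {"version": "3.1", "vectorString": vector, "baseScore": score,
                                    "baseSeverity": cvss_severity(score)}, "products": pids}]}
    cwe = osv["database_specific"]["cwe_ids"][0]
    if cwe in CWE_NAMES:  # cwe is optional in CSAF, but if present it needs both id and name
        vuln["cwe"] = {"id": cwe, "name": CWE_NAMES[cwe]}
    refs = [{"category": "self", "summary": "GitHub advisory", "url": f"https://github.com/advisories/{osv['id']}"}]
    refs += [{"category": "external", "summary": r["type"].title(), "url": r["url"]} for r in osv["references"]]
    return {"document": {
                "category": "csaf_security_advisory", "csaf_version": "2.0", "title": osv["summary"],
                "publisher": {"category": "other", "name": "GitHub",
                              "namespace": "https://github.com/github/advisory-database/"},
                "aggregate_severity": {"text": cvss_severity(score)}, "references": refs,
                "tracking": {"id": osv["id"], "status": "final", "version": "1",
                             "initial_release_date": osv["published"], "current_release_date": osv["modified"],
                             "revision_history": [{"number": "1", "date": osv["modified"],
                                                   "summary": "Converted from the OSV record."}]}},
            "product_tree": {"branches": branches}, "vulnerabilities": [vuln]}

def undefined_product_ids(csaf):
    """CSAF mandatory test 6.1.1: product_ids referenced by vulnerabilities but not
    defined in product_tree. An empty list means the document passes the test."""
    defined = set()
    def walk(bs):
        for b in bs:
            if "product" in b:
                defined.add(b["product"]["product_id"])
            walk(b.get("branches", []))
    walk(csaf["product_tree"]["branches"])
    used = {p for v in csaf["vulnerabilities"] for ids in v["product_status"].values() for p in ids}
    used |= {p for v in csaf["vulnerabilities"] for s in v["scores"] for p in s["products"]}
    return sorted(used - defined)

if __name__ == "__main__":
    print(json.dumps(osv_to_csaf(GHSA_OSV), indent=2))
```

The score computed from the posted vector comes out at 7.8 / HIGH, matching the cvss_v3 object in the hand-made CSAF above. A real converter would also have to carry the GHSA revision history into tracking.revision_history and validate the result against the CSAF 2.0 JSON schema before publishing it under a provider-metadata.json, which this example leaves out.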

@KateCatlin
Collaborator

Thanks @tschmidtb51 for reaching out! I'll leave this Issue open in case other folks want to comment and upvote it. Cheers!

@santosomar

Dear GitHub Team,

I echo @tschmidtb51's comments and request your support for the Common Security Advisory Framework (CSAF) standard. As you may know, this framework is becoming increasingly important for supply chain security, as it allows them to create and consume security advisories in a consistent and standardized way. It also supports the Vulnerability Exploitability eXchange (VEX).

As the leading platform for open source development, GitHub has the opportunity to be at the forefront of this movement and provide a valuable service to its users. By supporting the CSAF standard, GitHub can help to make security information more accessible, while also facilitating collaboration and knowledge-sharing across the whole ecosystem.

We believe that the inclusion of CSAF support in GitHub would be a significant step forward for the entire industry, and we urge you to consider implementing this functionality soon. We are confident that this would be a valuable addition to your platform, and we look forward to working with you to help make it a reality.

Thank you for your time and consideration.

Regards,

Omar Santos
CSAF Chair

@joshbuker

@tschmidtb51

Broken link on the CISA blog post, new link appears to be: https://www.cisa.gov/news-events/news/transforming-vulnerability-management-landscape

4 participants