It seems almost normal that a French citizen would follow goings-on in the US government having to do with vulnerability management much better than US citizens – or at least the US citizen who writes this blog (and no, that US citizen’s name isn’t ChatGPT!). Since I connected with Jean-Baptiste Maillet (JB for short) on LinkedIn earlier this year, I’ve learned a lot of things from him about vulnerability management and the vagaries of CVE, CPE and other TLAs (three-letter acronyms).
Moreover, he has curious reading habits. Early this week, he put up a post on LinkedIn about the meeting minutes of the CVE.org board on April 3. He knew I’ve been speculating a lot recently that the CVE.org database (formerly called MITRE, and still operated by contractors from MITRE Corp.) would be a fairly easy substitute for the NVD. This is both because CVE.org is much more modern and fully redundant (neither of which adjectives applies to the NVD), and because it’s the original source of most of the data in the NVD.
Even given those facts, I’ve been cautious about predicting
that CVE.org would replace the NVD as the US government’s go-to vulnerability
database. I reasoned that, since the only “boss” over both the NVD and CVE is
one Joseph Biden – and Mr. Biden seems to have more weighty issues on his mind
nowadays than the travails of the software supply chain security industry – the
likelihood that this switch would be made within, say, the next two years was
quite low.
However, I was quite pleased by what JB reported from
reading those minutes (which I’ve never even thought to read):
1. “The CVE Program will be reaching out to CNAs (the
top 10 code-owning CNAs by number of publications) to make sure they are aware
that they can submit enriched data (e.g., CPE, CWE, CVSS) directly to the CVE
Program, rather than submitting it separately to the NVD.”
This is quite significant: The CVE Numbering Authorities
(CNAs) create virtually all the CVE reports that go into CVE.org, the NVD and lots
of other public and private databases worldwide. Until recently, the CNAs have
been either not able or not allowed (depending on who you talk to) to create
CPE names (CPE is the only way software can be identified in the NVD) and CVSS
scores for their CVE reports.
NIST, which runs the NVD, for a long time discouraged the
CNAs from creating CPEs. And if the CNA created a CVSS score, NIST would create
their own score, almost always higher than what the CNA had created. What’s odd
about this is that CNAs are often large software developers (Red Hat, Oracle,
Microsoft, HPE, Schneider Electric, etc.) and most of the CVE reports they
create are for their own products. Why should NIST not have allowed CNAs
to name their own products, since I know some CNAs have complained that often
the NIST people make mistakes in creating CPE names? Of course, this makes it
difficult or impossible to find those products in the NVD (moreover, the
developer gets blamed when that happens).
Of course, NIST can’t complain that CVE.org is abrogating
their previous agreement allowing the NVD to create CPE names and CVSS scores,
since the NVD for 9-10 weeks has pretty much flatlined
when it comes to creating this data themselves.
2. CVE.org is going on a PR offensive (my term) to explain these changes to their constituents. Meanwhile, the NVD still hasn’t provided a word of explanation regarding what happened on the fateful day of February 12, when it seems a black hole opened up under the NIST headquarters in Gaithersburg, Maryland, from which the NVD has yet to emerge (not even in the form of Hawking Radiation!).
3. “…CNAs may not realize they can submit their data
to the CVE Program via JSON 5.1 and then that data will roll into the NVD.” My
ears (OK, my eyes) really perked up when I saw the magic number 5.1; I
certainly hope that wasn’t a typo. For background, the CNAs submit CVE reports to
CVE.org using the JSON data representation language, in a particular schema.
That schema has changed through the years. The current version
5.0 schema was adopted by CVE.org more than two years ago and was just recently
implemented by the NVD.
The 5.1 version is much improved, but has (or will have, anyway) one very important feature that the OWASP SBOM Forum requested two years ago: the capability to convey purl along with CPE identifiers. This will be a big deal, since purl is far superior to CPE as an identifier for open source software; see this paper written by the SBOM Forum in 2022.
However, this doesn’t mean you’ll be able to look up vulnerabilities
using purl in CVE.org soon. First, the CNAs will have to be trained on creating
purls, and even when the CNAs start adding purls to the CVE reports, each vulnerability
database will need to support searches on purls (CVE.org will almost certainly
support purl searches much earlier than the NVD does – assuming the NVD even adopts
the 5.1 spec). However, at least we know purls will be coming.
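To make the identifier question concrete, here is an added example (mine, not code from CVE.org, the CVE schema project, or this post) that reads a record shaped like a CVE JSON 5.x CNA container, pulls out its CPE and purl identifiers, and matches them against the purls in a defender’s own SBOM. The record and the SBOM inventory are constructed, and the "purl" key on an affected[] entry is an assumption about how purl would be carried; exact purl matching is shown beside the lossy CPE name/version heuristic a database has to fall back on when no purl is present.

```python
import json

# Constructed record in the shape of a CVE JSON 5.x CNA container (not a real
# CVE). The "purl" key on an affected[] entry is an assumption for illustration.
CVE_RECORD = json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.1",
  "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
  "containers": {"cna": {"affected": [
    {"vendor": "exampleorg", "product": "examplelib",
     "cpes": ["cpe:2.3:a:exampleorg:examplelib:1.2.3:*:*:*:*:*:*:*"],
     "purl": "pkg:pypi/examplelib@1.2.3"},
    {"vendor": "exampleorg", "product": "examplelib",
     "cpes": ["cpe:2.3:a:exampleorg:examplelib:1.2.4:*:*:*:*:*:*:*"]}]}}}""")

# Constructed component inventory: the purls a defender would have in an SBOM.
SBOM_PURLS = ["pkg:pypi/examplelib@1.2.3", "pkg:pypi/examplelib@1.2.4",
              "pkg:pypi/requests@2.31.0"]

def extract_identifiers(record):
    """Collect every CPE and purl string from the CNA container's affected[] list."""
    cpes, purls = [], []
    for entry in record["containers"]["cna"].get("affected", []):
        cpes.extend(entry.get("cpes", []))
        if "purl" in entry:
            purls.append(entry["purl"])
    return cpes, purls

def split_purl(purl):
    """Split 'pkg:type/name@version' into (type, name, version). Simplified:
    a namespace stays inside name, qualifiers (?...) and subpaths (#...) are dropped."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    name_part, _, version = body.partition("@")
    ptype, _, name = name_part.partition("/")
    return ptype, name, version or None

def cpe_fields(cpe):
    """Return (vendor, product, version) from a 'cpe:2.3:a:...' string."""
    parts = cpe.split(":")
    return parts[3], parts[4], parts[5]

def match_sbom(record, sbom_purls):
    """Map each matching SBOM purl to how it matched: an exact purl match, or a
    lossy fallback comparing CPE product/version with the purl name/version."""
    cpes, purls = extract_identifiers(record)
    hits = {}
    for purl in sbom_purls:
        if purl in purls:
            hits[purl] = "purl"
        elif any(cpe_fields(c)[1:] == split_purl(purl)[1:] for c in cpes):
            hits[purl] = "cpe-heuristic"
    return hits
```

The heuristic only works here because the constructed CPE product name happens to equal the package name; in real records the two frequently differ, which is the mismatch the post describes.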
To summarize, I’m quite pleased that CVE.org seems to be
moving ahead to at least fill the gap caused by the NVD’s still-unexplained
work slowdown (although “stoppage” might be an even better description of it). Maybe
we won’t need to request that President Biden drop everything else he’s doing
and negotiate a treaty between the Department of Commerce (which operates NIST
and the NVD) and DHS (which operates CVE.org and CISA). In fact, maybe we’ll
have a fully-functioning (and improved!) free government-operated vulnerability
database within say 3-6 months, without requiring any extraordinary actions by
either Department.
And this reminds me: The first meeting of the OWASP SBOM
Forum’s Vulnerability Database Working group will be next Tuesday (April 30) at
11AM Eastern Time (which we hope will be workable for people on the West Coast,
in Europe, and even in Israel – who mostly haven’t been able to attend the
regular Friday SBOM Forum meetings, since Friday is the beginning of their
weekend). We already have a diverse group signed up for the meetings, which
will be held biweekly. If you are interested in joining the group (and being
able to suggest improvements in documents we create, even if you can’t attend
the meetings), drop me an email.
Here is my tentative agenda for the group, but the group will be able to suggest changes to that. I know one of our first topics will be what improvements need to be made to CVE.org for it to become the US government-operated vulnerability database (as opposed to being an Alternate Data Provider to the NVD, which is its current official role; instead, the NVD would become an ADP to CVE.org). For example, I don’t believe there’s currently the capability to do one-off queries to CVE.org; this is certainly important for raising understanding of vulnerability management among the general public.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX"
is now available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.