At the OWASP SBOM Forum’s weekly meeting on Friday, we heard what the NVD’s big problem is: It no longer has funding. It turned out that the collapse on February 12 really was due to a funding shortfall – a massive shortfall, although perhaps not all the way to zero. Some people had suggested that the problem was cutbacks by NIST. I I pooh-poohed that idea, since budgets are set before the beginning of the government’s fiscal year, which is October 1.
However, it turns out I didn’t know where the lion’s share
of the NVD’s funding comes from. And guess what? It doesn’t come from NIST. It
was that other source that abruptly cut off the NVD’s funding in February. At
that point, the NVD probably had to release some staff members to join other
projects at NIST (as I’m sure you know, NIST does lots of work in cybersecurity.
There probably are always openings on other projects. I doubt anyone from the
NVD was put on the street, unless they decided to quit). The NVD kept “enriching”
a small number of CVEs, but at the meeting on Friday, someone (I think Andrey Lukashenkov
of Vulners) said they hadn’t done any enriching for ten days.
This means they (i.e., whoever is still working for the NVD)
are now just trying to maintain the database they have. This means that, if you
search the NVD for vulnerabilities applicable to a product you use, don’t
expect to find any recent vulnerabilities. Of course, those are the ones that
most users are concerned about. The NVD without data on recent vulnerabilities
is about as useful as a car without a steering wheel.
Why did that other source cut off their funding? I don’t
know, and finding out isn’t a big priority for me. What is a priority is
deciding where the software security community goes from here, as well as what
options are available to organizations concerned about identifying vulnerabilities
in the software they use.
As luck would have it, I’d realized a couple of months ago,
after the NVD’s problems became apparent, that there were too many individual
threads that needed to be pulled for there to be succinct answers to these
questions; therefore, there needed to be a group effort to pull the threads and
put together a coherent picture. This is why I formed the Vulnerability Database
Working Group of the OWASP SBOM Forum. I summarized my idea of the group’s
agenda in this post.
I still think it’s a good agenda, although the group will decide what we want
to discuss and what document(s) we want to produce – and those ideas are likely
to change as we go along.
However, there has been one significant change since I wrote
that post. Then, it was unclear what (if anything) CVE.org would do to step up
to replace the NVD. It’s now clear that they are doing a lot. There have been two
important changes:
The first change is that CVE Numbering Authorities (aka
CNAs. They include groups like GitHub and the Linux kernel, as well as software
developers like Red Hat and Microsoft, who report vulnerabilities in their own
products as well as other products that are in their scope. The CNAs report to
CVE.org) will now be encouraged
to include in their CVE reports the CPE name for the product, the CVSS score
and the CWEs. As the announcement by CVE.org points out, “This means the
authoritative source (within their CNA scope) of vulnerability information —
those closest to the products themselves — can accurately report enriched data
to CVE directly and contribute more substantially to the vulnerability
management process.” It never made sense for the NVD to create these items – or
override what the CNA had created, which often happened.
The other significant change is that CVE.org now supports what
was previously called v5.1 of the CVE JSON specification, but is now called the
“CVE
Record Format v5.1”. In early 2022, Steve Springett and Tony Turner of the
OWASP SBOM Forum submitted a pull request to CVE.org to get purl
identifiers included in the CVE spec. We missed the v5.0 spec, but made it
into v5.1. This means that, with some training, CNAs will now be able to include
purls in their CVE reports, although they may still have to include CPEs, and
software users (as well as developers) will bee able to find vulnerabilities for
open source products using purls (this will also be a boon to open source
software vulnerability databases like OSS Index and OSV).
Our reasons for advocating purl were described in this white
paper, which we published in September 2022 (see especially pages 4-6,
where we describe some of the many problems with CPE). In that paper, we also
described a way to handle proprietary software in purl (since purl currently
applies exclusively to open source software), based on use of SWID tags – but the
mechanism for making the SWID tags known to software users was left open. This
isn’t a technical problem but an organizational one, since it might require
creating a spec for software developers to follow when they want to advertise SWID
tags for their products. It would be nice to see that done sometime, but I don’t
have the time to lead it now.
The third topic in that paper was an identifier for
intelligent devices, since CPE is deficient in that area as well. We suggested
the GTIN and GMN identifiers, now used widely in global trade. I didn’t think
we were even going to push those identifiers at the time, yet it seems that Steve
and Tony must have included them in the pull request, because CVE says they’re
supported in 5.1 as well! If CNAs start including these in CVE reports for
devices, that might significantly change the whole “discipline” of vulnerability
management for devices, which is frankly not making much progress now. This is because
only a very small percentage of device makers report vulnerabilities in their
devices to CVE.org today.
I’m encouraged that CVE.org is picking up their game.
However, an organization that currently uses the NVD exclusively for
vulnerability data would not be well advised to simply switch their total
dependence over to CVE.org, since the “front end” capabilities needed for those
organizations to make use of the data are less robust in CVE than they are (or
were) in the NVD.
We will be discussing these and similar issues in the OWASP
Vulnerability Database Working Group in our meetings tomorrow and every two
weeks thereafter. If you would like to join the group, drop me an email.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com. Also, if you would like to learn more about or join the OWASP SBOM Forum, please email me.
My book "Introduction to SBOM and VEX"
is now available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.
No comments:
Post a Comment