Obtaining consumable OpenJDK vulnerability information #209
Comments
@tellison I've updated my scripts to use the CycloneDX format. You can see a sample file here: https://github.com/gdams/openjdk-cve-parser/blob/main/releases/2023-01-17.json Like you say, the only field I need to work out is affects.versions[].range as there's no easy way to compute this.
IMHO we shouldn't be pursuing the approach of parsing the OpenJDK webpage depiction of vulnerabilities, but rather approach the OpenJDK Vulnerability Group (OJVG) with a request for them to publish sufficient machine-readable information to meet our requirements. The goal of this issue is to figure out what we ask OpenJDK to provide. It seems entirely reasonable for the OJVG to provide the required information as a Vulnerability Disclosure Report (VDR) themselves, but we can take the information we require in a different format too. The VDR is a living document, as CycloneDX state:
That is, as a new vulnerability is exposed, the VDR would be updated to refer to all the affected OpenJDK versions. I believe that we would like enough information from OpenJDK to be able to:
So back to the objective of this issue, we either go to OJVG and ask them to maintain a VDR, or we ask for a machine-readable set of fixed vulnerabilities per release. WDYT?
FYI I found the correct link to that file: https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst
Thinking about this again, and after a discussion with a few people here, I propose we create a Vulnerability Disclosure Report (as described above) for Temurin. The VDR would cover all versions, therefore not be in the releases repos, and it would be updated from information provided by the OpenJDK Vulnerability Group and third parties (e.g. NIST). Practically, this would be:
Note that the VDR would not contain any non-public disclosures. The Temurin VDR should be available to all via (for example)
The VDR would be used to augment Temurin's dynamic release notes rendering to inform users of vulnerabilities fixed in this release and vulnerabilities affecting this release.
A first pass of an example Temurin VDR entry. Trying to blend the CycloneDX 1.5 schema with the information returned by NVD (example) and OpenJDK disclosures (example) that is likely useful to a Temurin user and can be used in a notes rendering as described above. Work in progress!

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {
      "id": "CVE-2023-25193",
      "source": {
        "name": "NVD",
        "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193"
      },
      "properties": [
        {
          "name": "component",
          "value": "client-libs/2d"
        }
      ],
      "published": "2023-02-04T20:15:08.027",
      "updated": "2023-07-25T15:15:13.163",
      "description": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.",
      "ratings": [
        {
          "source": {
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193",
            "name": "NVD"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv3",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ],
      "affects": {
        "ref": "???????",
        "versions": [
          {
            "range": [
              "<8u333",
              "<11.0.15.1",
              "<17.0.3.1",
              "<20.0.1.1"
            ]
          }
        ]
      }
    }
  ]
}
```

Thoughts:
Just thinking about how we should be requesting the fixed OpenJDK vulnerability information from upstream. We want it in machine readable format, with a consideration of publishing it from Adoptium for each release of Temurin in CycloneDX format. At present the information is provided on the OpenJDK website and via the release announcement e-mail to the mailing list.
So, considering the first step...
Current OpenJDK vulnerability advisories depict:
Maps to CycloneDX vulnerabilities format
[1] Assume we have a BOM ref for Temurin as a whole. Maybe later refine for OpenJDK code vs. dependencies.
[2] Temurin affected version details
The spec states: > A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
However, that link is invalid. We need to describe a range of Temurin versions following the Java version naming convention.
[3] Not sure how to depict the CVSS score for the fixed vulnerability in CycloneDX. Can always put it in as a generic `properties[].value`, but seems that it should fit into a more structured location.
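The two open points in this thread, how to compute `affects.versions[].range` for the draft entry and how to express Temurin versions in the purl vers syntax, can be worked through in code. The following is an added example written for this page, not a script from this issue, Adoptium or OpenJDK. It assumes one fixed version per OpenJDK release line (the four listed in the draft entry above), treats every earlier version of that line as affected, uses the placeholder vers scheme `generic` and the placeholder BOM ref `urn:cdx:temurin` (neither is defined for Temurin anywhere in the spec), and emits `affects` as the array of `{ref, versions[]}` objects that the CycloneDX 1.5 schema defines, with `status` set to `affected`.

```python
"""Compute CycloneDX ``affects[].versions[].range`` values for fixed OpenJDK
vulnerabilities using the Package URL "vers" range syntax.

Added example, not code from this issue, Adoptium or OpenJDK.  Assumptions:
  * one fixed version per OpenJDK release line is known from the advisory
    (e.g. 8u333, 11.0.15.1, 17.0.3.1, 20.0.1.1 as in the draft VDR entry);
  * every version of that line older than the fix is affected;
  * the vers scheme name "generic" and the BOM ref "urn:cdx:temurin" are
    placeholders, since neither is defined for Temurin.
"""
import re

# Pre-JEP-223 names: 8u333, 1.8u333, 8u333-b02.  The build number is ignored.
_OLD_STYLE = re.compile(r"^(?:1\.)?(\d+)u(\d+)(?:-b(\d+))?$")
# JEP 223 names: 11, 11.0.15, 11.0.15.1, 17.0.3.1+7.  The build (+7) is ignored.
_NEW_STYLE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:\+\d+)?$")


def parse_version(text: str) -> tuple:
    """Map a Java version string to a comparable (feature, interim, update, patch) tuple.

    8u333 becomes (8, 0, 333, 0), so 8u322 < 8u333 < 11 < 11.0.15.1.  vers itself
    leaves version comparison to the scheme, so this ordering is what makes the
    ranges below meaningful for Java-style version strings.
    """
    m = _OLD_STYLE.match(text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)), 0)
    m = _NEW_STYLE.match(text)
    if m:
        return tuple(int(g) if g else 0 for g in m.groups())
    raise ValueError(f"unrecognised Java version string: {text!r}")


def affected_ranges(fixed_versions) -> list:
    """One vers range per release line: from the line's first release up to,
    but excluding, the version that carries the fix."""
    ranges = []
    for fixed in fixed_versions:
        feature = parse_version(fixed)[0]
        ranges.append(f"vers:generic/>={feature}|<{fixed}")
    return ranges


_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    "!=": lambda v, b: v != b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}


def _constraints(vers_range: str) -> list:
    """Split 'vers:<scheme>/<c1>|<c2>...' into (operator, parsed version) pairs."""
    scheme, sep, body = vers_range.partition("/")
    if not scheme.startswith("vers:") or not sep:
        raise ValueError(f"not a vers range: {vers_range!r}")
    out = []
    for constraint in body.split("|"):
        m = re.match(r"^(>=|<=|!=|>|<|=)?(.+)$", constraint.strip())
        out.append((m.group(1) or "=", parse_version(m.group(2))))
    return out


def is_affected(version: str, ranges) -> bool:
    """True if `version` falls inside any of the given ranges.

    Simplification: each range is evaluated as the intersection of its
    constraints.  That matches vers semantics for the '>=lower|<upper'
    ranges produced by affected_ranges(), but is not a general vers evaluator
    (vers pairs sorted constraints into alternating intervals).
    """
    v = parse_version(version)
    return any(
        all(_OPS[op](v, bound) for op, bound in _constraints(r)) for r in ranges
    )


def affects_entry(bom_ref: str, fixed_versions) -> list:
    """Build the CycloneDX 1.5 `vulnerabilities[].affects` array for one CVE.
    `status` says the listed range is affected rather than merely known."""
    versions = [{"range": r, "status": "affected"} for r in affected_ranges(fixed_versions)]
    return [{"ref": bom_ref, "versions": versions}]


if __name__ == "__main__":
    import json

    # Constructed sample: the fixed versions listed in the draft VDR entry.
    fixed = ["8u333", "11.0.15.1", "17.0.3.1", "20.0.1.1"]
    ranges = affected_ranges(fixed)
    for candidate in ["8u322", "8u333-b02", "11.0.15", "17.0.3.1", "21"]:
        print(f"{candidate:>10}: affected={is_affected(candidate, ranges)}")
    print(json.dumps(affects_entry("urn:cdx:temurin", fixed), indent=2))  # placeholder bom-ref
```

The same parser works for both naming conventions because 8u333 is mapped onto the JEP 223 tuple layout, which is the part vers does not provide and the reason a Java-aware comparator is needed before a range such as `<8u333` can be evaluated. When the OJVG data arrives in a different shape (for example fixed-in versions per CVE per release line), only the input to `affected_ranges()` changes.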