Level of detail regarding components / observations

[dervoeti]

I've been thinking about what exactly we want to publish VEX statements about, or rather which level of detail is necessary.

I can think of three levels:

1. VEX about a vulnerability in a product ("Product XYZ is not affected by CVE-2024-1234")
2. VEX about a vulnerability in a component of a product ("Component A of product XYZ is not affected by CVE-2024-1234", this is what's currently implemented)
3. VEX about a vulnerability in a component of a product, but for each "path" through which the component is included (I'll explain this in the next section)

Currently, each product branch seems to have a flat list of affected components (the observations).

But a component can be referred to via different paths:

If we look at the SBOM for Apache druid-server 26.0.0 for example, we can see that jackson-databind@2.10.5.1 is a dependency of several components, like jackson-datatype-guava@2.10.5 and aws-java-sdk-core@1.12.317.

So, jackson-databind@2.10.5.1 is a transitive dependency of multiple other components and appears multiple times in the dependency tree, via different paths. In one of those paths, a vulnerability in jackson-databind@2.10.5.1 might be exploitable, while in another path the same vulnerability might not be exploitable (because the vulnerable code is not used).

This means that these different paths to the same component could be different observations.
The paths in the example would be
druid-server 26.0.0 -> jackson-datatype-guava@2.10.5 -> jackson-databind@2.10.5.1
and
druid-server 26.0.0 -> aws-java-sdk-core@1.12.317 -> jackson-databind@2.10.5.1.

That of course requires additional information (like an SBOM), at least something that provides the dependency tree, to know those paths. A simple scan of the container image won't suffice. Both Trivy and Grype are able to scan SBOMs and at least Grype seems to provide the correct component relations in the scan result (in the dependencies attribute, if the format of the scan result is CycloneDX). So, instead of a list of components, a product branch would have a tree of components. Every possible path to the vulnerable component could be a separate observation.

I realize that this is a lot of effort and I'm not sure whether this is really necessary, it just came to my mind and I wanted to mention it. SecObserve already does something with the dependsOn attribute (in the _filter_component_dependencies function), but it looks like only the first path to a component is resolved (and stored in origin_component_dependencies), not all paths.

For reference, this is the command I used to scan the druid-server SBOM with Grype:

grype --by-cve -o cyclonedx-json --file druid-26.0.0-sbom-scan-grype.json druid-server-26.0.0-cyclonedx.json

Another option would be to say "well, only issue a VEX for the path to the component that has the most severe effect", which might be good enough and would not require a tree structure (this is basically level 2 in the levels mentioned in the beginning). Or you could even say "only issue a VEX for the component that has the most severe effect" (this would be level 1).

---

I'd say from the VEX consumer side, the simplest level of detail would be sufficient (level 1). As a consumer of the software I want to know "Is my Apache Zookeeper 3.8.3 affected by CVE-2024-1234 and if yes, what do I need to do". I don't really care in which component the vulnerability is. It's either exploitable in at least one component or it isn't.

On the other hand, as a vendor creating those VEX statements, I might want to store my analysis result as detailed as possible. Which components exactly where affected, which were not.

These are only assumptions though.

I think the current solution is fine and a good compromise, but I wanted to spark a discussion about this in general. Can this just stay the way it is? Would a component tree be better than a component list (is this level of detail required)? Or can details be reduced even further, meaning that one observation per vulnerability in a product branch is sufficient, even if multiple components are affected?

[StefanFl]

Having a tree of observation according to the dependencies of an observation would generate a lot of entries. The dependency tree for the above mentioned example looks like this:

Druid:6.2.0 --> druid-processing:26.0.0 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-processing:26.0.0 --> jackson-datatype-guava:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-processing:26.0.0 --> jackson-datatype-joda:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-processing:26.0.0 --> jackson-jq:0.0.10 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-datatype-guava:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-datatype-joda:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-jq:0.0.10 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-kms:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-kms:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-sts:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-sts:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> druid-gcp-common:26.0.0 --> jackson-module-guice:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-jaxrs-json-provider:2.10.5 --> jackson-jaxrs-base:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-jaxrs-json-provider:2.10.5 --> jackson-module-jaxb-annotations:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-jaxrs-smile-provider:2.10.5 --> jackson-jaxrs-base:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-jaxrs-smile-provider:2.10.5 --> jackson-module-jaxb-annotations:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-datatype-joda:2.10.5 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-databind:2.10.5.1
Druid:6.2.0 --> jackson-module-guice:2.10.5 --> jackson-databind:2.10.5.1

Grype found 4 observations for jackson-databind, so we would get 26*4 = 104 entries, just for this component. To be fair, that's the worst one in the druid example, but some other components have more than one dependency. There would be a lot of different paths to assess, I can't image too many people would do that.

In my opinion we have a good compromise at the moment, but this discussion shows, it would help a lot for the assessment, to have the full tree of dependencies available. I have implemented this and it's part of the dev branch already. Then it should be possible to work with the "well, only issue a VEX for the path to the component that has the most severe effect" approach.

[StefanFl]

Another thing I learned is, that Grype and Trivy change the dependencies of an SBOM, when you analyze a CycloneDX SBOM and get the result as CycloneDX as well. I hoped to get exactly the same components and dependencies, enriched with vulnerabilities. Unfortunately this is not what happened. The example above was generated with the original SBOM.

• Grype removed the component in the metadata and so you loose the root of the dependency tree. Now it looks like this:

  druid-aws-common:26.0.0 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-kms:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-kms:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-sts:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> aws-java-sdk-sts:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-datatype-guava:2.10.5 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-datatype-joda:2.10.5 --> jackson-databind:2.10.5.1
  druid-aws-common:26.0.0 --> druid-processing:26.0.0 --> jackson-jq:0.0.10 --> jackson-databind:2.10.5.1
  jackson-jaxrs-json-provider:2.10.5 --> jackson-jaxrs-base:2.10.5 --> jackson-databind:2.10.5.1
  jackson-jaxrs-json-provider:2.10.5 --> jackson-module-jaxb-annotations:2.10.5 --> jackson-databind:2.10.5.1
  jackson-jaxrs-smile-provider:2.10.5 --> jackson-jaxrs-base:2.10.5 --> jackson-databind:2.10.5.1
  jackson-jaxrs-smile-provider:2.10.5 --> jackson-module-jaxb-annotations:2.10.5 --> jackson-databind:2.10.5.1
  druid-gcp-common:26.0.0 --> jackson-module-guice:2.10.5 --> jackson-databind:2.10.5.1
  

• Trivy added a second druid-server component, leading to these dependencies:

  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-datatype-joda:2.10.5 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-jaxrs-json-provider:2.10.5 --> jackson-jaxrs-base:2.10.5 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-jaxrs-json-provider:2.10.5 --> jackson-module-jaxb-annotations:2.10.5 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-jaxrs-smile-provider:2.10.5 --> jackson-jaxrs-base:2.10.5 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-jaxrs-smile-provider:2.10.5 --> jackson-module-jaxb-annotations:2.10.5 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> jackson-module-guice:2.10.5 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-kms:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> aws-java-sdk-kms:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-s3:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> druid-server:26.0.0 --> druid-aws-common:26.0.0 --> aws-java-sdk-sts:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  ...
  druid-server:26.0.0 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> aws-java-sdk-core:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> aws-java-sdk-ec2:1.12.317 --> jmespath-java:1.12.317 --> jackson-databind:2.10.5.1
  druid-server:26.0.0 --> aws-java-sdk-kms:1.12.317 --> aws-java-sdk-core:1.12.317 --> ja ...
  

Not what I expected.

[dervoeti]

Thanks for the feedback! I agree, the current compromise is fine and there's no value in swamping analysts with thousands of observations. I just checked out the current dev version, looks nice, I think it's enough to provide the analyst with this information.

Now there's one open question left: In the VEX documents, do we want to list the affected components or just relate the vulnerability to the product branch? Listing the components brings more information into the VEX, but the question is whether this is really needed, or if the approach "Only issue a VEX for the component that's affected most severely" is better. This would keep the VEX simpler and currently, in the VEX, there's not too much information provided about the component anyway (just the identifier, nothing about how the component is brought in or who the vendor is). I stumbled across this when thinking about how to structure the _components_ section in the product tree of the CSAF document.

[StefanFl]

Having the component with the relationship in the VEX document like it is implemented currently, makes it more unambiguous. When we have 2 components with the same vulnerability, one affected and the other one not_affected, then a person or a tool reading the document can better understand, what's going on. Without the component it is not that clear anymore, why the decision was taken.

We could have 2 components with the same vulnerability, both not_affected but with different justifications. Without the component we could report only one justification, eg. from the first component. But with the components the decisions are reported completely.

And Trivy for example has implemented the usage of components and relationships recently, so we know they are used by tools.