You probably have heard aboutsoftware bill of materials (SBOMs)and the importance of knowing what software components are running in the applications and systems that you use (and what potential security vulnerabilities affect those components). I also recently publisheda videotalking about theCommon Security Advisory Framework (CSAF). Ok, but how do all these work together?
Let me try to explain this with stick-figures and high-level diagrams. Let’s say a user (Omar) purchases a product (Product X) from a vendor. Today’s applications and systems are built using numerous open-source and/or commercial software components. Omar wants to know what open-source or commercial software is used in Product X.
Omar is provided with an SBOM. There are different methods that can be used to distribute an SBOM, but I will keep things simple for now. The two “most popular” or “widely-adopted” SBOM machine readable formats are:
CycloneDX: a lightweight SBOM specification and an open-source OWASP standard.
Note: Check out the “Survey of Existing SBOM Formats and Standards”, created by theNTIAand other collaborators, to learn more about how these standards (along with others) are used in the industry.
No software is immune to security vulnerabilities. Each of these software components can be affected by different security vulnerabilities. Subsequently, the user wants to if any of these components are affected by any security vulnerabilities.
Not affected: No remediation is required regarding this vulnerability.
Affected: Actions are recommended to remediate or address this vulnerability.
Fixed: Represents that these product versions contain a fix for the vulnerability.
Under Investigation: It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.
VEX information can be included in the SBOM (SPDX or CycloneDX) document at the time of creation. However, new vulnerabilities are found and disclosed on a regular basis.
This is why the CSAF VEX documents are so important! Any software supplier or other parties can assert the status of specific vulnerabilities in a particular product using theCSAF VEX profiles. TheOASIS CSAF TC GitHub Repositoryincludes several examples of CSAF / VEX documents (security advisories). Many vendors (i.e., Cisco, Red Hat, TIBCO, Oracle, Siemens, etc.), CERTs and government institutions (i.e., BSI, CERT@VDE, CISA, etc.) are now consuming and/or producing CSAF security advisories. It is expected that all these standards and formats will see significant adoption by most vendors, software providers, and consumers of technology.
Again, VEXallows a software supplier, provider, vendor, or other parties to assert the status of specific vulnerabilities in a particular product.
VEX information can be included in a Software Package Data Exchange (SPDX®) or CycloneDX SBOM document. However, as I explained in the previous article the VEX information in an SBOM document is “point-in-time” and becomes obsolete as more vulnerabilities are disclosed, fixed, and investigated. CSAF allows to provide a real-time status of the investigation and disposition of a vulnerability (under investigation, affected, not affected, or fixed). You can provide up-to-date VEX information via an application programming interface (API), via a ROLIE feed (see RFC 8322), or rendered/displayed in a web portal, as shown below:
A traditional CSAF security advisory can address one vulnerability or multiple vulnerabilities:
A CSAF VEX advisory can provide the status of one vulnerability in one product, as shown below:
A CSAF VEX advisory can also provide the status of multiple vulnerabilities that may affect/not affect a product:
Alternately, a CSAF VEX real-time advisory can provide the status of multiple products that may be affected by a given vulnerability. In other words, you can go to a vendor and ask: “tell me the status of CVE-2029–0123 in all your products (i.e., the products under investigation, affected, not affected, or fixed).
The OASIS CSAF Technical Committee (TC) providedseveral examplesof CSAF VEX documents in theirGitHub repository. These examples were contributed by the German Federal Office for Information Security — BSI. The following are a few of their examples and use cases:
The CSAF VEX compliments SBOMs and can be used to provide the most up-to-date status of a given vulnerability in a product or multiple products. It can also be used to provide the status of multiple vulnerabilities in a single product.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: