Global Security Database

  • 1.  Roadmap discussion

    Posted Jan 19, 2022 05:54:00 PM
    From an email I sent earlier:

    This is part of what we're building with the community. So Josh Bressers/Buker/myself have some generally simple/concrete ideas:

    1) Data format (use OSV for now)
    2) Data store (GitHub)
    3) Data presentation (Josh Buker has a demo working e.g. https://gsd-demo.gsd-experiment-1.workers.dev/identifier/GSD-2021-1002352)

    We'd like to see a good edit interface on the display so if you're looking at something and spot a problem/missing data you hit edit, get run through GitHub auth and submit your changes, it gets done as an issue or PR and someone else (or a bot in the future?) approves it.

    We also want to work on the data format, OSV is good but incomplete for some things we need. Do we work with OSSF to extend it? Do a "branch"? Do something completely different?

    Also, a request form for people that is guided and has a good flow would be nice.

    We have a repo:
    https://github.com/cloudsecurityalliance/gsd-project-plans

    and a GitHub project (still not sure if this is the way to go, but worth a try) https://github.com/orgs/cloudsecurityalliance/projects/1

    And this discussion

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------


  • 2.  RE: Roadmap discussion

    Posted Jan 21, 2022 08:44:00 AM
    This is excellent!  Is there a specific list of things we know are missing with OSV?  I think it makes sense to at least try and work with ossf to get it extended.  It does already allow for a database_specific field which can contain any JSON at both the root and individual affected record level as well, so perhaps we can make use of that?

    ------------------------------
    Weston Steimel
    Senior Software Engineer
    Anchore
    ------------------------------



  • 3.  RE: Roadmap discussion

    Posted Jan 21, 2022 09:32:00 AM
    I've written it up in the past:

    https://github.com/cloudsecurityalliance/gsd-project-plans/blob/main/data-formats/Thoughts-on-data-formats.md

    This talks about the GSD minimum case and ideal case(s), and links to others:

    Other security data format examples:

    CSAF2 https://docs.oasis-open.org/csaf/csaf/v2.0/csd01/csaf-v2.0-csd01.html
    CVE https://github.com/CVEProject/cve-schema/tree/master/schema
    CVRF https://www.icasi.org/cvrf/
    OSV https://ossf.github.io/osv-schema/
    OVAL https://oval.mitre.org/

    Other security data format examples for specific subtypes of data:

    CPE https://nvd.nist.gov/products/cpe (Product ID)
    CVSS https://www.first.org/cvss/ (Vulnerability Impact)
    CWE https://cwe.mitre.org/community/submissions/guidelines.html (Vulnerability Type)
    EPSS https://www.first.org/epss/ (Exploitation Prediction)
    purl https://github.com/package-url/purl-spec (Product ID)

    Essentially a superset, but rather than invent yet another mega all-encompassing standard, my hope was to have GSD simply use namespacing/data identification so we can directly use all the above standards (and people can reuse their tooling, etc.).

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------
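    As an added illustration of the two ideas raised above (the OSV `database_specific` objects mentioned in the reply, and the namespacing approach described here), the following example is not code from the GSD project or from anyone in this thread. It builds a constructed OSV-style record for the GSD identifier quoted earlier, stores data from other standards (CVSS, CWE, EPSS, purl) under namespace keys inside `database_specific` at both the root and the `affected` entry, then validates that layout and pulls out one namespace. The namespace list, the field values and the helper names are all assumptions for this example.

```python
"""
Constructed example: an OSV-style record that carries extra GSD data inside the
`database_specific` objects the OSV schema allows at the root and on each
`affected` entry.  Each key of those objects is the namespace of the standard
the value comes from, so existing tooling for that standard can be reused.
Nothing here is real vulnerability data; all values are illustrative.
"""
import json

# OSV requires at least these two root fields; the rest are optional.
OSV_ROOT_REQUIRED = ("id", "modified")
# Assumed GSD namespace set, taken from the standards listed in the thread.
NAMESPACES = {"cpe", "cvss", "cwe", "epss", "purl"}

GSD_RECORD = json.loads("""
{
  "id": "GSD-2021-1002352",
  "modified": "2022-01-21T00:00:00Z",
  "summary": "Constructed example entry, not a real advisory",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "example-pkg"},
      "ranges": [{"type": "SEMVER",
                  "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
      "database_specific": {
        "purl": "pkg:npm/example-pkg@1.2.2"
      }
    }
  ],
  "database_specific": {
    "cvss": {"version": "3.1", "base_score": 7.5},
    "cwe": ["CWE-79"],
    "epss": {"score": 0.12}
  }
}
""")


def _check_database_specific(obj, where, problems):
    """Append a problem for each malformed or unknown-namespace entry."""
    ds = obj.get("database_specific")
    if ds is None:
        return  # the field is optional in OSV
    if not isinstance(ds, dict):
        problems.append(f"{where}: database_specific must be a JSON object")
        return
    for key in ds:
        if key not in NAMESPACES:
            problems.append(f"{where}: unknown namespace {key!r}")


def validate_record(record):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    for field in OSV_ROOT_REQUIRED:
        if field not in record:
            problems.append(f"root: missing required field {field!r}")
    _check_database_specific(record, "root", problems)
    affected = record.get("affected", [])
    if not isinstance(affected, list):
        problems.append("root: affected must be an array")
        return problems
    for i, entry in enumerate(affected):
        if not isinstance(entry, dict):
            problems.append(f"affected[{i}]: must be a JSON object")
            continue
        _check_database_specific(entry, f"affected[{i}]", problems)
    return problems


def namespaced(record, namespace):
    """Collect every value stored under `namespace`, keyed by where it was found."""
    found = {}
    root_ds = record.get("database_specific") or {}
    if namespace in root_ds:
        found["root"] = root_ds[namespace]
    for i, entry in enumerate(record.get("affected", [])):
        ds = entry.get("database_specific") or {}
        if namespace in ds:
            found[f"affected[{i}]"] = ds[namespace]
    return found


if __name__ == "__main__":
    print("problems:", validate_record(GSD_RECORD))
    for ns in sorted(NAMESPACES):
        print(ns, "->", namespaced(GSD_RECORD, ns))
```

    The validator only checks the part this thread is about (that `database_specific` is an object and that its keys are known namespaces); it is not a full OSV schema check, so a real pipeline would run the published OSV JSON schema first and this namespace check second.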



  • 4.  RE: Roadmap discussion

    Posted Jan 21, 2022 08:44:00 AM
    Excellent content!  Regarding OSV format, do we have a list of what we believe is missing?  I think it makes sense to work with the ossf to get it extended where possible.  Also, the schema contains a database_specific field which can hold any JSON at both the root and on each individual entry of the affected array, so perhaps we could make use of that?

    ------------------------------
    Weston Steimel
    Senior Software Engineer
    Anchore
    ------------------------------