Security monitoring file format discussion

ermo

Motivation

@Ikey wants it to be easy to do automated CVE checks.

@ReillyBrogan suggested supporting the NIST CPE format as a way to search for CVEs related to a specific software asset (read: package).

Release Monitoring

It turns out that monitoring.yml is also useful in terms of checking release versions against a database of known upstream releases.

Hence, release monitoring syntax was added in version 5 of this spec.

Terms

I looked into what CPE is and came up with the following (based on the NIST CPE Naming Specification v2.3):

CPE = Common Platform Enumeration
WFN = Well Formed Name
FSB = Format String Binding

Discussion

The CPE Naming Standard version 2.3 (the one currently in use) was made to be extensible.

The FSB used to identify a particular product looks like this in CPE v2.3 (section 6.2):

cpe:2.3: part : vendor : product : version : update : edition : language : sw_edition : target_sw : target_hw : other

In the above FSB, a value of * means ANY. The part thing will always be a in our case, because a stands for application.

If we assume that the CPE v2.3 standard is extensible enough to last us, say, 5 years into the future, it should be fine to hide away the FSB prefix in our code, along with this rationale. This would allow us to concentrate on exposing the relevant keys (vendor, product, etc.) to the packager in YML format files.

Assuming that the product string will in many cases be the same as the package name property, it might also make sense to make the section that describes CPE properties a part of stone.yml, because it will allow us to use the package %(name) definition where appropriate.

Scalability notes

Consider that changing/validating the format string prefix in single place in the code has a time complexity of O(1).

In contrast, changing/validating the format string prefix if it's baked into the monitoring.yml file format has a time complexity of O(n) where 'n' is the number of packages with a monitoring.yml file. In addition, it introduces the possibility of syntax errors in each and every monitoring.yml file.

CVE tracking across CPE vendors/products

In some cases, products and vendors change over time but refer to the same code base.

To gain the ability to introspect a product's entire security history, it may be useful to be able to collate CVEs for all known aliases of a cpe product:vendor pair.

In the recommendation below, the aliases/historical renames are considered OPTIONAL per package and can be added at maintainer discretion.

In particular, the recommendation provides an intuitive way to manage the list of ignored CVEs even when product/vendor aliases or multiple products are present.

The recommendation in this post supersedes the below post titled "CPE Product:Vendor aliases".

@ReillyBrogan also notes that:

Reilly Brogan
Also, I see that you put "aliases/historical renames" as a comment. I would like to point out that it's possible for a package to be composed of several components and another reason for allowing multiple entries is to search for all of them
Take docker on Solus. It is composed of moby, docker-cli, and tini

Finally, note that the cpe: substruct was added to allow for future extensibility in the event that a downstream consumer needs to add its own internal security monitoring fields.

Recommendation

Version: 5

Implement as a file called monitoring.yaml (which sits next to stone.yaml per recipe) with the following format:

releases:
  id: <integer corresponding to package anitya id>
  rss: <valid URI to RSS/ATOM release feed>
  ignore:
    # ignore pertains to version to ignore. Supports globs. Example:
    - "253.*"
security:
  cpe:
  - vendor: somevendor
    product: someproduct
  # aliases/historical renames and/or multiple vendor/products in a single package
  - vendor: someoldvendor1
    product: someoldproduct1
  - vendor: someoldvendor2
    product: someoldproduct2
  ignore:
  - CVE-x
  - CVE-y
  - CVE-z

Make the implementation that looks up CPE strings construct a WFN as a FSB with a hardcoded prefix of cpe:2.3:a and tack on the vendor: and product: values from the security/cpe section.

ReillyBrogan

Version 3 of the syntax has my vote.

ermo Consider whether it would make more sense to list the product and vendor fields in the stone.yml recipe in order to be able to use %(name) substitution.

I think substitution here is a bad idea as it may result in unintended consequences of a package rename. For instance, someone may rename package foo to bar, but as it's still built from the same source it should have kept foo as the CPE product.

Ikey

Assuming cpe2.3 strings are easily formed - I feel separate vendor and product fields are more intuitive.

ermo

CPE Product:Vendor aliases

Status: obsolete/superseded (each cpe file now carries its own alternative vendor/product pairs)

In some cases, products and vendors change over time but refer to the same code base.

To gain the ability to introspect a product's entire security history, it may be useful to be able to collate CVEs for all known aliases of a cpe product:vendor pair.

To assist with scalability, it may make sense to keep exactly one global security-aliases.yml file in the root of each git recipe monorepo, which associates current vendor:product pairs with prior vendor:product pairs.

This file is entirely optional and is considered a COULD HAVE "add-on". The goal of the present proposal is simply to demonstrate that thought has been given to this scenario in the event that requirements arise where this functionality is important.

Note also that since this proposal deals with older iterations of a current product, the ability to ignore CVEs is deliberately left out of this proposal, as for our use case, this is mostly relevant to ignoring CVEs that are newer than what we care about. [TODO: This needs more thought].

Syntax proposal:

# each alias entry is in the compact nested mapping form
aliases:
# vendor bar was previously known as foo with with product baz.
# before that, it was vendor bar with product chickens, which then became bob
- vendor: bar
  product: bob
  aka:
  - vendor: bar
    product: chickens
  - vendor: foo
    product: baz
# vendor baz kept its name, but switched to product lol from chickens
- vendor: baz
  product: lol
  aka:
  - vendor: baz
    product chickens

ermo

ReillyBrogan I think substitution here is a bad idea as it may result in unintended consequences of a package rename. For instance, someone may rename package foo to bar, but as it's still built from the same source it should have kept foo as the CPE product.

Fair point and I agree.

ermo

Security monitoring.yml format recommendation updated to v3 w/proposal from @ReillyBrogan on matrix.

Reilly Brogan
       cpe:
       - vendor: gnu
         product: bash
       - vendor: gnu
         product: bash2-electric-boogaloo
       - vendor: gnu2
         product: bash
       ignore:
       - CVE-Whatever2
der_eismann
Do you need some sed magic help with the CPE PR?
Reilly Brogan
Well, I wanted to see what ermo thought about the revised format I posted above
ermo
What's the goal with the updated format above?
i.e. which requirements does it satisfy?
seems like it is intended to provide a list of CPE product:vendor components?
Reilly Brogan

ermo
seems like it is intended to provide a list of CPE product:vendor components?

Yes. So that the automation scripts can query multiple CPEs and collate the CVE results. Then there's a single list of CVEs to be ignored of the results
ermo
ack
It has the additional property of locality
so you only need to consult one file.
and the cpe: header makes sense
and it's per package whether you add the (older) extra CPE names
or you just leave the newest one in
feels like you used my syntax proposal from the forums?
Reilly Brogan

ermo
feels like you used my syntax proposal from the forums?

A little bit of this, a little bit of that

ermo

Updated first post to version 4.

Removed the "CONSIDER adding to stone.yml for access to %(name) definitions" due to @ReillyBrogan's objection above.

ermo

Updated first post spec to version 5.

Version adds release monitoring capability via the anitya database, and enables specifying version globs to ignore for the specified anitya id so as to avoid false positives when checking for updates.