The Community is now in read-only mode to prepare for the launch of the new Revenera Community. During this time, you will be unable to register, log in, or access customer resources from Nov 22nd-Nov 25th. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Providing Vulnerability Exclusion Data for the CycloneDX VEX Report in SBOM Insights

Providing Vulnerability Exclusion Data for the CycloneDX VEX Report in SBOM Insights

Introduction

SBOM Insights reports are generated for a given "bucket", which contains the SBOM parts used by the specific application or entity that the bucket represents.

The CycloneDX VDR (Vulnerability Disclosure Report) provides data about all the security vulnerabilities associated with the SBOM parts in a bucket. However, the CycloneDX VEX (Vulnerability Exploitability eXchange) report provides data for only vulnerability exclusions in a given bucket—that is, vulnerabilities that are associated with SBOM parts but, after your analysis, do not pose a security threat to your application. The details provided for each exclusion in this report justify why the vulnerability does not have the potential for exploitation within the context that the SBOM part associated with the vulnerability is used in your application.

Currently, the CycloneDX VEX report is blank unless you manually provide information for the exclusions. This process requires that you enter VEX details for each vulnerability exclusion associated with a given SBOM part in the Notes field for that part, as described in the following procedure.

When a VEX report is generated, SBOM Insights searches for VEX properties in the Notes field across SBOM parts in the selected bucket. For each exclusion encountered, a vulnerability section is added to the report, showing, among other information, an analysis subsection that lists the VEX details that you provided to explain the exclusion as it relates to a specific part. (See Excerpt from an Example CycloneDX VEX Report for an excerpt from an example VEX report.)

Instructions

Use the following procedure to create (or update) the contents to be included for a given SBOM part in the CycloneDX VEX report.

To provide the contents for the CycloneDX VEX report for a given SBOM part:

  1. Click Manage SBOM Parts in the left navigation panel to open the Manage SBOM Parts page. The SBOM of parts across all buckets in your Organization is displayed in a list grid.

    VEXreportData_start.png
  2. In the Bucket field, select the bucket containing the SBOM part associated with a security vulnerability whose analysis findings you want to include in the VEX report.

    The list is filtered to this bucket.

    VEXreportData_selectBucket.png
  3. Locate the SBOM part that you want to edit, and click anywhere within a non-linked portion of its row. A slideout (with the SBOM part name as its title) opens, showing details for the part.

    VEXreportData_selectPart.png
  4. Click Edit at the bottom of the slideout. A new slideout entitled Edit <SBOM part> opens, enabling you to update properties that define the current SBOM part.

    VEXreportData_editPart.png
  5. Scroll down to the Notes field.

    VEXreportData_Notes.png
  6. In the Notes field, enter the set of required VEX properties in JSON format for each excluded vulnerability, as shown in the following example (which defines two exclusions). For a description of the property keywords (state, justification, response, and detail) and their valid values, refer to the vulnerabilities - analysis section in CycloneDX JSON Reference on the CycloneDX site. (You should use valid VEX values for these properties, not custom values.)
    NOTE: If you provide JSON content to define exclusion data, do not enter any other content in the Notes field. Should additional content exist in the field when the VEX report is generated, no exclusion data for the given SBOM part is published in the report.
    {
        "Excluded Vulnerabilities": [
            {
                "name": "CVE-2021-9096",
                "state": "not_affected",
                "justification": "code_not_reachable",
                "response": "will_not_fix",
                "detail" : "This code is not executed"
            },
            {
                "name": "CVE-2021-34538",
                "state": "not_affected",
                "justification": "code_not_reachable",
                "response": "will_not_fix",
                "detail": "This code is not executed"
            }       
        ]
    }​
  7. Click Save.

    When a VEX report is generated, SBOM Insights validates that the keywords for the required VEX properties for each exclusion are spelled correctly (as shown in the example) and that the overall content is in correct JSON format.

    Currently, SBOM Insights does not validate the values for the VEX properties, but you should use valid values (as plans are in place to implement this validation in a future SBOM Insights release). Additionally, if the vulnerability entered for the name property is not associated with the given SBOM part, the data for that exclusion is not included in the report.

Excerpt from an Example CycloneDX VEX Report

The following shows an excerpt from an example CycloneDX VEX report whose contents were created using the procedure above. The analysis section is highlighted for one of the excluded vulnerabilities.

VEXreport.png

More Information

For more information about SBOM Insights reports and SBOM parts, refer to the following sections in the SBOM Insights online user documentation:

Labels (1)
No ratings
Version history
Last update:
‎Jun 21, 2023 02:37 PM
Updated by:
Contributors