Feature: Provide advisories as CSAF

[tschmidtb51]

Dear GitHub team,
it would be nice, if your security advisories would also be available in the Common Security Advisory Framework. CSAF specifies a standard way to distribute security advisories so that they can be retrieved automatically. This method scales well for all issuing parties. It is also the @cisagov recommended format as CISA's EAD Eric Goldstein pointes out in his blog post Transforming the vulnerability management landscape.

A conversion from the GitHub advisory format to CSAF seems to be possible.

CSAF version of GHSA-2275-rpf5-xv8h

{ "document": { "aggregate_severity": { "text": "HIGH" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "publisher": { "category": "other", "name": "Github", "namespace": "https://github.com/github/advisory-database/" }, "references": [ { "category": "self", "summary": "NIST NVD entry", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25906" }, { "category": "external", "summary": "Package", "url": "https://github.com/stefanjudis/is-http2" }, { "category": "external", "summary": "Vulnerability details", "url": "https://security.snyk.io/vuln/SNYK-JS-ISHTTP2-3153878" }, { "category": "external", "summary": "Problem", "url": "https://github.com/stefanjudis/is-http2/blob/master/index.js#L23" } ], "title": "is-http2 vulnerable to Improper Input Validation", "tracking": { "aliases": [ "CVE-2022-25906" ], "current_release_date": "2023-02-08T11:00:00.000Z", "generator": { "date": "2023-02-09T10:46:55.818Z", "engine": { "name": "Secvisogram", "version": "2.0.0" } }, "id": "GHSA-2275-rpf5-xv8h", "initial_release_date": "2023-02-01T06:30:30Z", "revision_history": [ { "date": "2023-02-01T06:30:30Z", "number": "1", "summary": "Initial version." }, { "date": "2023-02-02T17:13:07Z", "number": "2", "summary": "Add afffected packages, update references." }, { "date": "2023-02-08T22:40:04Z", "number": "3", "summary": "Add CWE and correct title." } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:npm/<=1.2.0", "product": { "name": "stefanjudis is-http2 vers:npm/<=1.2.0", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "is-http2" } ], "category": "vendor", "name": "stefanjudis" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-25906", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "involvements": [ { "date": "2023-02-02T17:13:07Z", "party": "other", "status": "completed", "summary": "Reviewed by Github" } ], "notes": [ { "category": "description", "text": "All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.", "title": "CVE description" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ] } ] }

As GitHub hosts many open source projects it would be beneficial, if you would integrate this as most of the required metadata could be configured in the project or is already available.

See csaf.io and the videos for more details.

Thank you for considering. I'm happy to have a chat (also offline).

[KateCatlin]

Thanks @tschmidtb51 for reaching out! I'll leave this Issue open in case other folks want to comment and upvote it. Cheers!

[santosomar]

Dear GitHub Team,

I echo @tschmidtb51 comments and request your support for the Common Security Advisory Framework (CSAF) standard. As you may know, this framework is becoming increasingly important for supply chain security, as it allows them to create and consume security advisories in a consistent and standardized way. It also supports the Vulnerability Exploitability eXchange (VEX).

As the leading platform for open source development, GitHub has the opportunity to be at the forefront of this movement and provide a valuable service to its users. By supporting the CSAF standard, GitHub can help to make security information more accessible, while also facilitating collaboration and knowledge-sharing across the whole ecosystem.

We believe that the inclusion of CSAF support in GitHub would be a significant step forward for the entire industry, and we urge you to consider implementing this functionality soon. We are confident that this would be a valuable addition to your platform, and we look forward to working with you to help make it a reality.

Thank you for your time and consideration.

Regards,

Omar Santos
CSAF Chair

[joshbuker]

@tschmidtb51

Broken link on the CISA blog post, new link appears to be: https://www.cisa.gov/news-events/news/transforming-vulnerability-management-landscape