[⭐] CSAF Standard #2198
Comments
Nice one! 🚀 The only thing that feels a bit odd is checking for some very generic words plus the CVE# that is already the filename visible in the FTP directory listing. Couldn't we instead write the challenge instructions so that the GitHub security advisory (GHSA#) should be posted? That requires opening the link or the actual file, no? Also, I don't think What do you think?
GitHub currently does not offer advisories that are compliant to the CSAF standard, as discussed in this issue. However, tools like Trivy do support CSAF. GitHub security advisories are too generic as they do not provide the information from the vendor. By taking a look at a GHSA, a developer/user cannot identify if Juice Shop is affected. CSAF offers that the vendor provides the security information. I wouldn't mix GHSA and CSAF because it might cause confusion. I suggest the following improvements based on your input. Title: Inform the Juice Shop About an Old Advisory. We can enable access to the advisories as a CSAF "trusted provider." New Attack Flow:
```json
{
  "canonical_url": "https://<host>/.well-known/csaf/provider-metadata.json",
  "distributions": [
    {
      "rolie": {
        "feeds": [
          {
            "summary": "All TLP:WHITE advisories of OWASP Juice Shop.",
            "tlp_label": "WHITE",
            "url": "<ORIGIN>/.well-known/csaf/feed-tlp-white.json"
          }
        ]
      }
    }
  ],
  "last_updated": "2024-02-29T20:20:56.169Z",
  "list_on_CSAF_aggregators": false,
  "metadata_version": "2.0",
  "mirror_on_CSAF_aggregators": false,
  "public_openpgp_keys": [
    {
      "fingerprint": "XXX",
      "url": "https://XXX"
    }
  ],
  "publisher": {
    "category": "vendor",
    "name": "OWASP Juice Shop",
    "namespace": "/juice-shop/juice-shop"
  },
  "role": "csaf_trusted_provider"
}
```
The Juice Shop will test if the submission contains juice-shop-sa-20200513-express-jwt. Hashes/Signatures for the CSAF documents will be provided as well to be a "trusted provider". From CSAF documentation:
As the Juice Shop is often started locally with HTTP, we will violate the specification here. To make it configurable to the user, we could generate the In the CSAF document, we will add an acknowledgement summary stating that Juice Shop and the CSAF files are used for security training, and that the Juice Shop shouldn't be deployed to production environments. Difficulty (depends slightly on where we put the CSAF files):
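To make the provider-metadata.json proposal above concrete, here is an added example (not code from the Juice Shop project or from the comment author) that runs the checks a CSAF consumer would apply before trusting a provider: required fields, a known role, an RFC 3339 last_updated, a URI namespace, and https-only distribution URLs. The sample it checks is constructed for this purpose: the `<host>` placeholder, the 30 February timestamp, the bare-path namespace and the plain-http localhost:3000 feed URL are all deliberate so that each finding fires.

```python
import json
import re
from datetime import datetime

# Constructed sample modelled on the provider-metadata.json proposed in the thread;
# the invalid timestamp, path-only namespace and http feed URL are intentional.
SAMPLE_METADATA = json.dumps({
    "canonical_url": "https://<host>/.well-known/csaf/provider-metadata.json",
    "distributions": [{"rolie": {"feeds": [{
        "summary": "All TLP:WHITE advisories of OWASP Juice Shop.",
        "tlp_label": "WHITE",
        "url": "http://localhost:3000/.well-known/csaf/feed-tlp-white.json",
    }]}}],
    "last_updated": "2024-02-30T20:20:56.169Z",
    "metadata_version": "2.0",
    "publisher": {"category": "vendor", "name": "OWASP Juice Shop",
                  "namespace": "/juice-shop/juice-shop"},
    "role": "csaf_trusted_provider",
})
REQUIRED = ("canonical_url", "last_updated", "metadata_version", "publisher", "role")
ROLES = ("csaf_publisher", "csaf_provider", "csaf_trusted_provider")

def check_provider_metadata(text: str) -> list:
    """Return a list of findings for a provider-metadata.json; [] means clean."""
    meta = json.loads(text)
    findings = []
    for key in REQUIRED:
        if key not in meta:
            findings.append(f"missing required field '{key}'")
    if meta.get("role") not in ROLES:
        findings.append(f"unknown role {meta.get('role')!r}")
    # last_updated must be an RFC 3339 date-time; the parser rejects 30 February.
    ts = meta.get("last_updated", "")
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        findings.append(f"last_updated {ts!r} is not a valid date-time")
    # publisher.namespace must be a URI with a scheme, not a repository path.
    ns = meta.get("publisher", {}).get("namespace", "")
    if not re.match(r"^[a-z][a-z0-9+.\-]*://", ns):
        findings.append(f"publisher.namespace {ns!r} is not a URI")
    # The spec requires distribution over TLS; a local http Juice Shop, as the
    # thread notes, violates this, so flag any non-https distribution URL.
    for dist in meta.get("distributions", []):
        urls = [dist.get("directory_url")]
        urls += [f.get("url") for f in dist.get("rolie", {}).get("feeds", [])]
        for url in filter(None, urls):
            if not url.startswith("https://"):
                findings.append(f"distribution URL {url!r} does not use https")
    return findings
```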
I like the idea of having this whole challenge play out in the
⭐⭐⭐ as long as CSAF is mentioned in the description. Afterwards, it is just a look into the specification.
This is amazing! Thank you @wurstbrot @bkimminich ! I really love the suggestion of having the user/player/student have to find the I think that ⭐⭐⭐ should be fine. An additional option could be for the user to verify the advisory using the SHA checksum
@santosomar Thank you for the examples, I tried to find some but failed so far. For implementation purposes, the directory distribution feels easier than the ROLIE one.
We could ask for the checksum (in)directly in the challenge description and check if it's submitted with the feedback to report the problem, like "Submit a suitable checksum as proof that you did your due diligence."
Another submission sounds a bit boring. In addition, describing what the user needs to do in order to submit the hash reveals a part of the solution. What about a code challenge with wrong/correct commands to verify? Offline @bkimminich and I agreed that a coding challenge suits best for the verify step recommended by @santosomar .
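The verify step discussed in the last few comments (the SHA checksum a player would check before trusting an advisory, and the hashes a "trusted provider" must publish next to each document) as an added example; this is not the project's code and the advisory body is a constructed minimal document, only its tracking id being the one named in the thread.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed minimal advisory, not the project's real CSAF document; the
# tracking id is the one the thread says the challenge will look for.
ADVISORY = json.dumps({"document": {
    "category": "csaf_security_advisory", "csaf_version": "2.0",
    "publisher": {"category": "vendor", "name": "OWASP Juice Shop",
                  "namespace": "https://owasp-juice.shop"},
    "title": "Training advisory for CVE-2020-15084 (constructed example)",
    "tracking": {"id": "juice-shop-sa-20200513-express-jwt"},
}}, indent=2).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_advisory_with_hash(directory: Path, tracking_id: str, body: bytes) -> Path:
    """Publish <tracking_id>.json plus a .sha256 sidecar in sha256sum format."""
    doc = directory / f"{tracking_id}.json"
    doc.write_bytes(body)
    sidecar = directory / f"{tracking_id}.json.sha256"
    sidecar.write_text(f"{sha256_hex(body)}  {doc.name}\n")
    return doc


def verify_advisory_hash(doc: Path) -> bool:
    """Recompute SHA-256 over the document bytes and compare with the sidecar.

    The first whitespace-separated token is the digest, so both a bare digest
    and a sha256sum-style 'digest  filename' line are accepted.
    """
    sidecar = doc.with_name(doc.name + ".sha256")
    expected = sidecar.read_text().split()[0].lower()
    return hmac.compare_digest(expected, sha256_hex(doc.read_bytes()))


def demo() -> tuple:
    """Returns (verified_intact, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = write_advisory_with_hash(Path(tmp), "juice-shop-sa-20200513-express-jwt", ADVISORY)
        intact = verify_advisory_hash(doc)
        # The document changes after publication but the sidecar does not:
        # a correct verifier must now reject it.
        doc.write_bytes(ADVISORY.replace(b'"vendor"', b'"other"'))
        return intact, verify_advisory_hash(doc)
```

A "wrong command" in the coding challenge would typically skip the comparison or hash the sidecar instead of the document; this verifier is the "correct" reference behaviour.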
@santosomar
There is only one place in documentation mentioning Update:
Sorry for the delay. Yes indeed. You could have multiple keys as you saw in the Siemens example. This is also good feedback to the CSAF TC to include in our FAQ and guidance documents.
@santosomar I created an issue. Siemens as well as Cisco are stating to be a
Thank you so much for opening the issue at the CSAF TC repo. To answer your question, I can only speak for Cisco. Very relevant to this conversation and feature (one of the reasons I also suggested it 😆). Cisco is working on some final minor tweaks on a few signature related issues in the publication process. They are expected to become a "trusted provider" in just a few weeks. As a side note and for the benefit of everyone reading this issue, you can also see some examples of open source CSAF validation tools at https://csaf.io and also an example of a CSAF provider at https://github.com/csaf-poc/csaf_distribution/blob/main/docs/csaf_provider.md Many other companies are also adopting CSAF at a very rapid pace nowadays. Red Hat, Oracle, CISA, Nozomi, Open Exchange, and Sick.com are other examples. Thank you again for all your time, help, and amazing contributions!
@santosomar It would be very nice if you could check the CSAF documents in the PR. I also think that a CSAF document for an application with intentional vulnerabilities might be something new, also for the CSAF standard.
This issue has been automatically marked as
This issue was closed because it has been stalled for 7 days with no activity.
How to solve this problem? Security Advisory: I copied it the same way as above, but I don't get stars.
Hi @yeajun001 , thank you for your request. What did you submit? You can also send me a message in OWASP Slack.
Description
CSAF, or Common Security Advisory Framework, is a standardized format for documenting and sharing security advisories and vulnerabilities in an automated way. It provides a structured approach to convey crucial information about security issues, including their severity, impact, and recommended mitigation steps for a vendor's product. A vendor can also be an open-source project.
Challenge Description
Title (the new challenge): Inform the shop about a remediation option for the known vulnerability CVE-2020-15084
Description: The Juice Shop is vulnerable to a known vulnerability in a library, and an advisory has been provided that the Juice Shop is known to be affected. A fix has not yet appeared. Ask the Juice Shop, including the CVE, when it will be mitigated.
A second advisory will be given about a fixed vulnerability to avoid making it too easy.
Expected difficulty
Possible attack flow
The Juice Shop will test whether the submission contains CVE-2020-15084 and one of the following keywords:
to confirm the challenge has been performed. This will also match other words like "patched".
CSAF Document
I recommend using the product id owasp-juice-shop for the document. I am trying to find out how to link an SBOM within a container, as it looks as if it was not documented