Request: Evidence for Vulnerabilities

Similar to the existing support for evidence on components, and other requests for evidence elsewhere, the request is to support evidence in the Vulnerability object. Specifically: what evidence can be provided to substantiate the presence or status of the vulnerability? Evidence can also be used in the "negative" context, for example to establish that a vulnerability is NOT AFFECTED.

Example:
```json
{
  "metadata": {
    "timestamp": "2023-10-23T16:52:01.762473+00:00",
    "tools": {
      "services": [
        {
          "bom-ref": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
          "provider": { ... },
          "name": "...",
          "version": "xxxx",
          ...
        }
      ],
      "components": [
        {
          "bom-ref": "dddddddd-dddd-dddd-dddddddddddd",
          "provider": { ... },
          "name": "...",
          "version": "xxxx"
        }
      ]
    }
  },
  ...
  "vulnerabilities": [
    {
      "bom-ref": "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "id": "CVE-2023-38408",
      "source": {
        "name": "xxx",
        "url": "https://website.com"
      },
      "description": "CVE Description",
      "detail": "CVE Details",
      "affects": [
        {
          "ref": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        }
      ],
      "evidence": [
        {
          "presence": {
            "confidence": 1.0,
            "methods": {
              "technique": "software-identifier"
            },
            "value": "cpe:2.3:a:openbsd:openssh:7.2:*:*:*:*:*:*:*"
          },
          "tools": {
            "ref": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
          },
          "occurrences": {
            "location": {
              "bom-ref": "cccccccc-cccc-cccc-cccccccccccc"
            }
          }
        },
        {
          "presence": {
            "confidence": 1.0,
            "methods": {
              "technique": "signature"
            },
            "value": "<some binary signature that indicates that PKCS#11 Feature is enabled>"
          },
          "tools": {
            "ref": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
          },
          "occurrences": {
            "location": {
              "file-name": "/usr/sbin/sshd",
              "binary-offset": 3478,
              "bom-ref": "cccccccc-cccc-cccc-cccccccccccc"
            }
          }
        },
        {
          "presence": {
            "confidence": 1.0,
            "methods": {
              "technique": "pen-testing"
            },
            "description": "[2023-11-06-15-21-51] - Pen testing team executed POC script from https://github.com/kali-mx/CVE-2023-38408/blob/main/CVE-2023-38408.sh and found that the binary was vulnerable. Here could be a longer description of the evidence provided by that team."
          },
          "tools": {
            "ref": "dddddddd-dddd-dddd-dddddddddddd"
          }
        }
      ]
    }
  ]
}
```
Modelled on `identity` in component evidence, the proposed description for the new property is: "Evidence that substantiates the presence or absence of the vulnerability."
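The following is an added example, not code from the issue or from the CycloneDX project, showing how a consumer would read the proposed `vulnerabilities[].evidence` entries: it resolves each entry's `tools.ref` against `metadata.tools`, flags refs that do not resolve (evidence from an undeclared tool is not counted), resolves occurrence locations to components, and derives a suggested `analysis.state` from the strongest trusted evidence. The sample BOM, the `absence` key used for the "negative" case, and the 0.8 confidence threshold are all constructed assumptions; the issue itself only shows `presence`.

```python
"""Added example (not from the issue): summarise proposed vulnerability evidence."""
import json

# Constructed sample BOM in the issue's proposed shape.  "absence" is an assumed
# counterpart of "presence" for the NOT AFFECTED case; "tool-unknown" is a
# deliberately dangling ref to show how unresolvable evidence is handled.
SAMPLE_BOM = json.loads(r"""
{
  "metadata": {
    "tools": {
      "services": [{"bom-ref": "tool-scanner", "name": "example-scanner", "version": "1.0"}],
      "components": [{"bom-ref": "tool-pentest", "name": "pentest-team", "version": "n/a"}]
    }
  },
  "components": [{"bom-ref": "comp-openssh", "name": "openssh", "version": "7.2"}],
  "vulnerabilities": [
    {
      "bom-ref": "vuln-1", "id": "CVE-EXAMPLE-0001",
      "affects": [{"ref": "comp-openssh"}],
      "evidence": [
        {"presence": {"confidence": 0.6, "methods": {"technique": "software-identifier"},
                      "value": "cpe:2.3:a:example:openssh:7.2:*:*:*:*:*:*:*"},
         "tools": {"ref": "tool-scanner"},
         "occurrences": {"location": {"bom-ref": "comp-openssh"}}},
        {"presence": {"confidence": 1.0, "methods": {"technique": "pen-testing"},
                      "description": "constructed: manual verification"},
         "tools": {"ref": "tool-unknown"}}
      ]
    },
    {
      "bom-ref": "vuln-2", "id": "CVE-EXAMPLE-0002",
      "affects": [{"ref": "comp-openssh"}],
      "evidence": [
        {"absence": {"confidence": 0.9, "methods": {"technique": "signature"},
                     "description": "constructed: vulnerable feature not compiled in"},
         "tools": {"ref": "tool-scanner"},
         "occurrences": {"location": {"file-name": "/usr/sbin/sshd", "bom-ref": "comp-openssh"}}}
      ]
    }
  ]
}
""")

TRUST_THRESHOLD = 0.8  # assumed policy: trusted presence confidence needed to call it exploitable


def tool_refs(bom):
    """bom-refs of every declared tool; accepts the 1.5 object form and the older array form."""
    tools = bom.get("metadata", {}).get("tools", {})
    entries = tools if isinstance(tools, list) else tools.get("services", []) + tools.get("components", [])
    return {t["bom-ref"] for t in entries if "bom-ref" in t}


def component_index(bom):
    """Map component bom-ref -> 'name@version' for readable location output."""
    return {c["bom-ref"]: f"{c.get('name')}@{c.get('version')}"
            for c in bom.get("components", []) if "bom-ref" in c}


def describe_location(loc, components):
    """Render an occurrence location as component[:file[+offset]]."""
    label = components.get(loc.get("bom-ref"), loc.get("bom-ref", "?"))
    if "file-name" in loc:
        label += ":" + loc["file-name"]
        if "binary-offset" in loc:
            label += f"+{loc['binary-offset']}"
    return label


def summarise_vulnerability(vuln, known_tools, components):
    """Fold one vulnerability's evidence list into a small report."""
    max_all = {"presence": 0.0, "absence": 0.0}      # strongest evidence, any tool
    max_trusted = {"presence": 0.0, "absence": 0.0}  # strongest evidence from a declared tool
    techniques, dangling, locations = set(), set(), []
    for entry in vuln.get("evidence", []):
        tool = entry.get("tools", {}).get("ref")
        trusted = tool in known_tools
        if tool and not trusted:
            dangling.add(tool)
        for kind in ("presence", "absence"):
            if kind not in entry:
                continue
            conf = float(entry[kind].get("confidence", 0.0))
            techniques.add((kind, entry[kind].get("methods", {}).get("technique", "unknown")))
            max_all[kind] = max(max_all[kind], conf)
            if trusted:
                max_trusted[kind] = max(max_trusted[kind], conf)
        loc = entry.get("occurrences", {}).get("location")
        if loc:
            locations.append(describe_location(loc, components))
    # Suggested analysis.state: absence outweighing presence -> not_affected;
    # strong trusted presence -> exploitable; anything else stays in triage.
    if max_trusted["absence"] > max_trusted["presence"]:
        state = "not_affected"
    elif max_trusted["presence"] >= TRUST_THRESHOLD:
        state = "exploitable"
    else:
        state = "in_triage"
    return {
        "max_presence_all": max_all["presence"],
        "max_presence_trusted": max_trusted["presence"],
        "max_absence_trusted": max_trusted["absence"],
        "techniques": sorted(techniques),
        "dangling_tool_refs": sorted(dangling),
        "locations": locations,
        "suggested_state": state,
    }


def summarise_bom(bom):
    """Report keyed by vulnerability id."""
    known, comps = tool_refs(bom), component_index(bom)
    return {v["id"]: summarise_vulnerability(v, known, comps) for v in bom.get("vulnerabilities", [])}


if __name__ == "__main__":
    print(json.dumps(summarise_bom(SAMPLE_BOM), indent=2))
```

In the sample, the pen-testing entry for CVE-EXAMPLE-0001 carries confidence 1.0 but points at a tool that is not declared in `metadata.tools`, so only the 0.6 software-identifier evidence is trusted and the vulnerability stays `in_triage` with the dangling ref reported; CVE-EXAMPLE-0002 has only absence evidence and is suggested as `not_affected`.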