Dependencycheck: Enhanced support for new NVD feeds and CVSSv3

Created on 21 Apr 2017  ·  13 Comments  ·  Source: jeremylong/DependencyCheck

The NVD will soon be releasing a beta of a new feed (both in XML and JSON formats) that support CVSSv3 scores and vectors. It will likely support CPE 2.3 as well.

This enhancement ticket is to ensure Dependency-Check can support:

  • Downloading and processing of the new schema format
  • Distinguish between CVSSv2 and CVSSv3 scores
  • If possible, provide both sets of scores in dependency-check-report.xml (maybe HTML too)
  • Can properly map severities for CVSSv2 and CVSSv3 scores (they are different) - refer to https://nvd.nist.gov/vuln-metrics/cvss
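The last bullet is the one that bites in practice: NVD publishes different qualitative bands for the two versions, so a report that prints a label without saying which CVSS version produced the number is ambiguous. The following is an added example (not Dependency-Check code) that encodes NVD's published ranges for both versions, v2 with three bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0) and v3 with five (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), and enumerates the scores where the two labels disagree. The function names are mine.

```python
# NVD qualitative severity ratings for CVSS base scores, per
# https://nvd.nist.gov/vuln-metrics/cvss. v2 has three bands; v3 adds NONE (0.0)
# and CRITICAL (9.0-10.0), so the same number can carry a different label
# depending on which CVSS version produced it. Function names are assumptions.

def _check_score(score: float) -> None:
    """CVSS base scores are 0.0-10.0 with one decimal place."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")

def cvss_v2_severity(score: float) -> str:
    """NVD rating for a CVSS v2 base score (three bands, no NONE or CRITICAL)."""
    _check_score(score)
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    return "HIGH"

def cvss_v3_severity(score: float) -> str:
    """NVD rating for a CVSS v3 base score (five bands)."""
    _check_score(score)
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"

def severity_for(cvss_version: str, score: float) -> str:
    """Dispatch on the version string stored next to the score ("2.0", "3.0", "3.1").

    A report that keeps the version with the score can label it correctly;
    one that stores a bare number cannot.
    """
    if cvss_version.startswith("2"):
        return cvss_v2_severity(score)
    if cvss_version.startswith("3"):
        return cvss_v3_severity(score)
    raise ValueError(f"unknown CVSS version: {cvss_version}")

def divergent_scores() -> list:
    """All one-decimal scores whose v2 and v3 labels differ.

    Returns 0.0 (LOW vs NONE) and 9.0 through 10.0 (HIGH vs CRITICAL).
    """
    scores = [round(i * 0.1, 1) for i in range(101)]
    return [s for s in scores if cvss_v2_severity(s) != cvss_v3_severity(s)]

if __name__ == "__main__":
    for s in (0.0, 3.9, 4.0, 6.9, 7.0, 8.9, 9.0, 10.0):
        print(f"{s:4.1f}  v2={cvss_v2_severity(s):8}  v3={cvss_v3_severity(s)}")
    print("labels differ at:", divergent_scores())
```

The divergence list is the reason a "fail the build on CRITICAL" policy cannot be applied to a v2-only finding: v2 never produces that label, so a 9.8 rated under v2 is merely HIGH and a label-based gate silently lets it through.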


All 13 comments

Beta JSON feeds are now available from the NVD. The JSON feeds have CPE 2.3 syntax and include both CVSSv2 and CVSSv3 scores and impacts.

https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

An updated XML feed with CVSSv3 and CPE 2.3 is not yet available.

The JSON feed continues to not support impact and exploitability scores. Therefore, if these are necessary, it is now possible to perform calculations and retrieve vectors for CVSSv2 and CVSSv3: https://github.com/stevespringett/cvss-calculator

When elaborating with #733 and related, I've found another issue that might be fixed by this new import. It might be worth checking.

Description: I've seen some cases where OS (Windows/Linux/MacOS) CPEs are imported as application CPEs. For example, you can compare original CVE-2010-1689 to imported data. In the original data, there is “cpe:/o:”, not “cpe:/a:”.

If desired, I can open a separate issue for it.

This enhancement request has now bubbled to the top and is slated for implementation next. See issue #1088 - ODC is not reporting on vulnerable libraries because the data in the older XML feeds does not include the necessary information for new vulnerabilities (2018 and some of the 2017 CVEs).

As part of this enhancement the version matching needs to be re-worked. In most cases the file type analyzer itself can identify the correct version number - ODC should just use the version number identified for the CPE.

What is the plan/ETA to move to CVSSv3 to collect the Severity?

The first version of the JSON data feed is now released, as stated in here.

Also, XML feeds are going to be removed after next April.

Let me know if I can help in any way.

Hi @jeremylong @stevespringett, it looks like both of you have been looking into the transfer from CVSS V2 to CVSS V3. As a user of both Dependency-Check and Dependency-Track, this feature is critical to let us implement the Check + Track solution smoothly.

Could you please let me know the approximate release time/version you're planning, so that on our end we can adjust our plan as well?

I've had a look at the NVD update news, where XML data feeds 2.0 and 1.2.1 will be ceased from April 2019. Does it mean that Dependency-Check will have to update the data feed to JSON 1.0 and, by then, CVSS V3 will be supported?

Really appreciate your help! <3 <3 <3

@ZozoZoeLi Dependency-Track has supported CVSSv3 since the launch of v3.0 back in May. We dogfooded the beta JSON feed and provided feedback to the NVD during the first few months. Any CycloneDX BOMs that are imported and vulnerabilities identified will be CVSSv3 first and will fall back to CVSSv2 if v3 isn't available.

Dependency-Track treats Dependency-Check reports as pseudo-BOMs. It uses the initial vulnerabilities that Dependency-Check identified, but links those to internal CVEs and will always report CVSSv3 first, regardless of what the Dependency-Check report stated.

I know Jeremy is working hard on updating Dependency-Check to support CVSSv3 (along with an updated CPE spec). The update between CPE 2.2 and 2.3 is substantial and he's been working hard on https://github.com/stevespringett/CPE-Parser to the point where he's mostly rewritten the whole thing to not only do what it used to, but to be able to support CPE 2.3 in Dependency-Check, which is a requirement for the JSON feed.

Although this ticket may not have been pinged, I can say that we're making progress. There's just a lot of moving pieces to this thing.

Also note that CVSS only applies to NVD findings. They previously applied to NPM findings as well (with the NSP Analyzer). But with the NPM Audit analyzer, CVSS, vectors, etc. are no longer supported by NPM. So there will be vulnerabilities identified without a CVSS score. It's optional per the reporting model.

@stevespringett Thanks a lot for the update!

Yes, we have noticed that D-Track supports CVSS 3 and D-Check isn't there yet. Our concerns are:

  1. People might get confused when they see a different score between D-Check's HTML report and D-Track's dashboard.

  2. So far we have D-Check running against our GoCD pipeline and the build will fail when a dependency with >= 9 CVSS score occurs. Since D-Check is still with CVSS 2, this pipeline build becomes unreliable and we will have to rely on D-Track.

Ultimately it does sound like JSON 1.0 feed requires CPE 2.3, so my assumption would be correct? That D-Check will have to support CVSS 3 by the end of April 2019.

Regards,
Zoe

@ZozoZoeLi You are correct. And yes, it is confusing and although DTrack supports the ingestion of DCheck reports, it's not recommended, for this and other reasons. DTrack best practices have recently been added to the docs.

Hey @stevespringett and @jeremylong, according to our above discussions, I believe dependency-check is now with CPE parser 2.3 and also JSON feed 1.0 for dependency-check 5.0.0-m2. How come we're still with CVSS V2 instead of V3?

CVSSv2 and CVSSv3 are both supported in the JSON feed. Historical vulnerabilities are not rescored and will therefore only have CVSSv2 scores. For example:

https://nvd.nist.gov/vuln/detail/CVE-2007-0650

Newer vulnerabilities will typically have both v2 and v3 scores.
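The v3-first, v2-fallback behaviour described in this thread, together with the CPE 2.3 part check raised earlier (an "o:" operating-system CPE must not be read as an "a:" application CPE), can be illustrated on the NVD JSON 1.0 feed structure. The following is an added example and not Dependency-Check or Dependency-Track code; the feed excerpt is constructed with placeholder CVE ids and made-up products, and the function names are mine. It uses the feed's own `baseSeverity` / `severity` fields rather than recomputing them.

```python
import json
import re

# Constructed NVD JSON 1.0 feed excerpt (placeholder ids, made-up products; not real NVD data).
# Field layout follows the JSON 1.0 schema: baseMetricV3 carries the severity inside
# cvssV3 as "baseSeverity", while baseMetricV2 carries it beside cvssV2 as "severity".
SAMPLE_FEED = json.dumps({
    "CVE_data_type": "CVE", "CVE_data_format": "MITRE", "CVE_data_version": "4.0",
    "CVE_Items": [
        {   # Newer entry: scored under both v2 and v3; application ("a") CPE.
            "cve": {"CVE_data_meta": {"ID": "CVE-1900-0001"}},
            "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example:widget:1.2.3:*:*:*:*:*:*:*"}]}]},
            "impact": {
                "baseMetricV3": {"cvssV3": {
                    "version": "3.0",
                    "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                "baseMetricV2": {"cvssV2": {
                    "version": "2.0",
                    "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                    "baseScore": 7.5}, "severity": "HIGH"}}},
        {   # Historical entry: never rescored, so only v2 exists; operating-system ("o") CPE.
            "cve": {"CVE_data_meta": {"ID": "CVE-1900-0002"}},
            "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:o:example:example_os:2.0:*:*:*:*:*:*:*"}]}]},
            "impact": {
                "baseMetricV2": {"cvssV2": {
                    "version": "2.0",
                    "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
                    "baseScore": 2.1}, "severity": "LOW"}}},
    ]})

# CPE 2.3 formatted strings separate fields with ':'; a literal colon inside a field is
# escaped as '\:' so split only on unescaped colons.
_CPE_SEP = re.compile(r"(?<!\\):")

def cpe23_part(cpe23uri: str) -> str:
    """Return the CPE 2.3 'part' field: 'a' application, 'o' operating system, 'h' hardware."""
    fields = _CPE_SEP.split(cpe23uri)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe23uri}")
    if fields[2] not in ("a", "o", "h"):
        raise ValueError(f"unknown CPE part {fields[2]!r} in {cpe23uri}")
    return fields[2]

def _iter_cpe_match(nodes):
    """Walk configuration nodes, including nested AND/OR children."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from _iter_cpe_match(node.get("children", []))

def effective_cvss(impact: dict):
    """Prefer CVSSv3; fall back to CVSSv2 for entries that were never rescored.

    Returns None when no metric is present (e.g. rejected or not-yet-analysed CVEs).
    """
    v3 = impact.get("baseMetricV3")
    if v3:
        m = v3["cvssV3"]
        return {"version": m["version"], "score": m["baseScore"],
                "severity": m["baseSeverity"], "vector": m["vectorString"]}
    v2 = impact.get("baseMetricV2")
    if v2:
        m = v2["cvssV2"]
        return {"version": m["version"], "score": m["baseScore"],
                "severity": v2["severity"], "vector": m["vectorString"]}
    return None

def parse_feed(text: str) -> list:
    """Reduce each CVE_Item to id, the effective metric, both raw metrics, and CPE parts."""
    records = []
    for item in json.loads(text)["CVE_Items"]:
        impact = item.get("impact", {})
        cpes = [m["cpe23Uri"] for m in _iter_cpe_match(item.get("configurations", {}).get("nodes", []))]
        records.append({
            "id": item["cve"]["CVE_data_meta"]["ID"],
            "cvss": effective_cvss(impact),
            "has_v3": "baseMetricV3" in impact,   # lets a report print both sets when present
            "has_v2": "baseMetricV2" in impact,
            "cpe_parts": sorted({cpe23_part(c) for c in cpes}),
        })
    return records

if __name__ == "__main__":
    for r in parse_feed(SAMPLE_FEED):
        print(r["id"], r["cvss"], "v2:", r["has_v2"], "v3:", r["has_v3"], "parts:", r["cpe_parts"])
```

The `has_v2` / `has_v3` flags are what a report needs in order to print both score sets when both exist while still making clear, for an entry like the historical CVE above, that the only available number is a v2 one and its label should be read on the v2 scale.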
