- CramHacks
- Posts
- [CramHacks] Newsletter #9: CVSS v4.0 Released!
[CramHacks] Newsletter #9: CVSS v4.0 Released!
CramHacks Chronicles: Key Insights On Software Supply Chain Risks
Kyle Kelly
November 08, 2023
🥳 Happy Monday! 🥳
Today is a Good Day to Have a Good Day.
News & Updates
The Common Vulnerability Scoring System (CVSS) v4.0 Specification Document was published on November 1st, 2023. The following diagrams represent CVSS v3.1 and v4.0. As you can see, there’s now a 4th "Supplemental Metric” and under the “Base Metric” group, system confidentiality, integrity, and availability metrics.
👋 There are a lot of people on the web saying they’re super excited about this. I have no idea why, unless maybe you work for a vulnerability management solution. Version 4.0 is likely to cause higher than usual CVSS scores, but the improvements made to Exploit Maturity enable vulnerability management platforms and the alike to offer better enriched CVSS score assignments.
CVSS v3.1
CVSS v4.0
The Fintech Open Source Foundation (FINOS) has released its 2023 State of Open Source in Financial Services. On page 2, you’ll get everything you are looking for; thank you for a beautifully designed summary of key data.
👋 My favorites:
52% of respondents report having an Open Source Program Offices (OSPO) in their organization.
👋 more than I would’ve thought
A total of 91% of respondents are confident that the OSS they are consuming is well-maintained and up to date.
👋 sounds like some people are a little too confident 😅.
The document is largely trying to convey who and when VEX information should be issued; but the part you probably care about is if and when might it be required?
“There may be legal requirements that create an obligation to issue VEX information. Contract terms could require that a supplier provides VEX information. Industries or sectors could develop guidance about using VEX. Governments could require the use of VEX, for example, in safety-regulated sectors.”
Kelly Shortridge & Ryan Petrich have published their 39 page request for information (RFI) submission.
👋 If either of you are reading this, how about a table of contents next time?😆 There are some absolute 💣️‘s in this submission.
As a security researcher, I want to see perfect code and perfect practices, but you can’t argue with hard facts: “There would need to be two NotPetya-level incidents per year within the United States for losses to reach even 1% of the economic benefits stimulated by software.”
I haven’t given it a thorough read yet, but when I do, you all might hear more about it.
Trail of Bits, in collaboration with Alpha-Omega and OpenSSF, are embarking on a six-month project to bring cryptographically verifiable build provenance to homebrew-core. This will allow end users to validate packages installed via brew install come from the official Homebrew CI/CD.
👋 This is dope - thank you everyone for your efforts!
Tools & Features
“The npm sbom command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either SPDX or CycloneDX format.”
👋 Shout out to Jamie Tanna for publishing an article on using dependency-management-data with npm's SPDX and CycloneDX SBOM export functionality.
“Dependency Management Data (DMD) is a set of tooling to get a better understanding of the use of dependencies across your organisation.”
Google’s Andrew Pollock and Oliver Chang announce OSV’s latest features:
Adding six new ecosystems to the database
The determineversion API, which expanded access to C/C++ vulnerabilities for OSS-Fuzz projects
Notably, OSV has committed to include vulnerable commit ranges in advisories. This in combination with Google’s determineversion API, which can be used to determine the likely version of a dependency, enables OSV to report on known vulnerabilities for C/C++ projects.
👋 If you’re a C/C++ shop and have been looking at all these fancy supply chain tools; you are probably feeling left out… I’m excited to try OSVs approach, but I’m a bit skeptical if this is the solution we’ve been waiting for - but that solution might never come, so maybe I should just be happy with what we got.
“Minder is an open source platform that helps teams automate and enforce security practices like artifact signing and verification consistently across multiple repos.“
“Trusty is a free-to-use service that helps developers make safer dependency choices.”
👋 Definitely check these out; I’m a bit more excited about Minder, especially given Stacklok is offering a free hosted platform to use Minder with any public repositories. Trusty is neat, but it reminds me how disappointed I am in package managers for not already doing a lot of this, or vetting packages so these tools aren’t necessary.
Justin Pagano shares why vulnerability management programs should be craving more proactive solutions versus the traditional reactive ones. This isn’t necessarily software supply chain specific, but it resonated with me because of the research work I do with Semgrep, via reachability analysis.
👋 I specifically liked how Justin pointed out something that’s obvious, but I don’t think is taken advantage of. It has long been believed that auto-patching is dangerous because it may break things, but that shouldn’t deter us from it entirely. By applying auto-patching workflows based on priority assignments, you’ll be amazed how much better you might sleep at night.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or just want to chat? Slide into my inbox! 💌
If you think someone could benefit from this, don’t hesitate to forward.
See you next Monday!
-Kyle