As the leading platform for open source development, GitHub has the opportunity to be at the forefront of this movement and provide a valuable service to its users. By supporting the CSAF standard, GitHub can help to make security information more accessible, while also facilitating collaboration and knowledge-sharing across the whole ecosystem.
We believe that the inclusion of CSAF support in GitHub would be a significant step forward for the entire industry, and we urge you to consider implementing this functionality soon. We are confident that this would be a valuable addition to your platform, and we look forward to working with you to help make it a reality.
Dear GitHub team,
It would be nice if your security advisories were also available in the Common Security Advisory Framework. CSAF specifies a standard way to distribute security advisories so that they can be retrieved automatically. This method scales well for all issuing parties. It is also the @cisagov recommended format, as CISA's EAD Eric Goldstein points out in his blog post Transforming the vulnerability management landscape.
A conversion from the GitHub advisory format to CSAF seems to be possible.
CSAF version of GHSA-2275-rpf5-xv8h:

```json
{
  "document": {
    "aggregate_severity": { "text": "HIGH" },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": {
      "category": "other",
      "name": "Github",
      "namespace": "https://github.com/github/advisory-database/"
    },
    "references": [
      { "category": "self", "summary": "NIST NVD entry", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25906" },
      { "category": "external", "summary": "Package", "url": "https://github.com/stefanjudis/is-http2" },
      { "category": "external", "summary": "Vulnerability details", "url": "https://security.snyk.io/vuln/SNYK-JS-ISHTTP2-3153878" },
      { "category": "external", "summary": "Problem", "url": "https://github.com/stefanjudis/is-http2/blob/master/index.js#L23" }
    ],
    "title": "is-http2 vulnerable to Improper Input Validation",
    "tracking": {
      "aliases": [ "CVE-2022-25906" ],
      "current_release_date": "2023-02-08T11:00:00.000Z",
      "generator": {
        "date": "2023-02-09T10:46:55.818Z",
        "engine": { "name": "Secvisogram", "version": "2.0.0" }
      },
      "id": "GHSA-2275-rpf5-xv8h",
      "initial_release_date": "2023-02-01T06:30:30Z",
      "revision_history": [
        { "date": "2023-02-01T06:30:30Z", "number": "1", "summary": "Initial version." },
        { "date": "2023-02-02T17:13:07Z", "number": "2", "summary": "Add afffected packages, update references." },
        { "date": "2023-02-08T22:40:04Z", "number": "3", "summary": "Add CWE and correct title." }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:npm/<=1.2.0",
                "product": { "name": "stefanjudis is-http2 vers:npm/<=1.2.0", "product_id": "CSAFPID-0001" }
              }
            ],
            "category": "product_name",
            "name": "is-http2"
          }
        ],
        "category": "vendor",
        "name": "stefanjudis"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-25906",
      "cwe": { "id": "CWE-20", "name": "Improper Input Validation" },
      "involvements": [
        { "date": "2023-02-02T17:13:07Z", "party": "other", "status": "completed", "summary": "Reviewed by Github" }
      ],
      "notes": [
        {
          "category": "description",
          "text": "All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.",
          "title": "CVE description"
        }
      ],
      "product_status": { "known_affected": [ "CSAFPID-0001" ] },
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [ "CSAFPID-0001" ]
        }
      ]
    }
  ]
}
```

As GitHub hosts many open source projects, it would be beneficial if you would integrate this, as most of the required metadata could be configured in the project or is already available.
See csaf.io and the videos for more details.
Thank you for considering. I'm happy to have a chat (also offline).
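Since the request is that the GHSA-to-CSAF conversion be automated, here is an added example (not code from the issue author or from GitHub): a Python sketch that maps an OSV-format GHSA record, the format github/advisory-database publishes, onto a minimal CSAF 2.0 document and then checks that every product_id referenced in product_status is actually defined in the product_tree, a consistency rule CSAF validators enforce. The GHSA_OSV record, the CSAFPID numbering and the publisher entry are constructed for illustration.

```python
# Constructed OSV-format record mirroring the GHSA above (typed in, not fetched from GitHub).
GHSA_OSV = {
    "id": "GHSA-2275-rpf5-xv8h", "aliases": ["CVE-2022-25906"],
    "summary": "is-http2 vulnerable to Improper Input Validation",
    "details": "All versions of the package is-http2 are vulnerable to Command Injection.",
    "published": "2023-02-01T06:30:30Z", "modified": "2023-02-08T22:40:04Z",
    "affected": [{"package": {"ecosystem": "npm", "name": "is-http2"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}],
    "database_specific": {"cwe_ids": ["CWE-20"], "severity": "HIGH"},
}

def version_range(aff):
    """Collapse OSV introduced/fixed events into one vers: range ('*' = every version)."""
    events = {k: v for r in aff["ranges"] for e in r["events"] for k, v in e.items()}
    eco = aff["package"]["ecosystem"].lower()
    return f"vers:{eco}/<{events['fixed']}" if "fixed" in events else f"vers:{eco}/*"

def osv_to_csaf(osv):
    """Map an OSV-format GHSA record onto a minimal CSAF 2.0 advisory ("cwe" omitted: CSAF needs a name, OSV has only the id)."""
    branches, affected = [], []
    for n, aff in enumerate(osv["affected"], start=1):
        pid, rng, name = f"CSAFPID-{n:04d}", version_range(aff), aff["package"]["name"]
        branches.append({"category": "product_name", "name": name, "branches": [
            {"category": "product_version_range", "name": rng,
             "product": {"name": f"{name} {rng}", "product_id": pid}}]})
        affected.append(pid)
    cves = [a for a in osv.get("aliases", []) if a.startswith("CVE-")]
    vuln = {"notes": [{"category": "description", "title": "Description", "text": osv["details"]}],
            "product_status": {"known_affected": affected},
            **({"cve": cves[0]} if cves else {})}  # "cve" is optional; never emit a null
    return {"document": {
                "category": "csaf_security_advisory", "csaf_version": "2.0", "title": osv["summary"],
                "aggregate_severity": {"text": osv["database_specific"]["severity"]},
                "publisher": {"category": "other", "name": "GitHub",  # constructed publisher entry
                              "namespace": "https://github.com/github/advisory-database/"},
                "tracking": {"id": osv["id"], "aliases": cves, "status": "final", "version": "1",
                             "initial_release_date": osv["published"], "current_release_date": osv["modified"],
                             "revision_history": [{"date": osv["modified"], "number": "1",
                                                   "summary": "Converted from the GHSA record."}]}},
            "product_tree": {"branches": branches}, "vulnerabilities": [vuln]}

def undefined_product_ids(csaf):
    """product_ids used in product_status but never defined in product_tree (validators reject these)."""
    def ids(node):
        yield from ([node["product"]["product_id"]] if "product" in node else [])
        for b in node.get("branches", []):
            yield from ids(b)
    used = {p for v in csaf["vulnerabilities"] for ps in v["product_status"].values() for p in ps}
    return sorted(used - set(ids(csaf["product_tree"])))
```

Real advisories would still need the CVSS score block and a CWE name lookup before they pass a full CSAF schema validation.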