Vulnerability Attestation

Introduction

The Vulnerability Attestation Schema extends the generic Attestation Schema to enable attestations related to software vulnerabilities. By referencing vulnerability details such as CVE or GHSA identifiers, this schema ensures a structured way to document and track vulnerabilities in software components.

Description

This schema includes:

• Type: The attestation type, set to "Vulnerability".
• Vulnerability Details: Provides details of the vulnerability, including identifiers, severity, description, and fixed versions.

Use Case

The Vulnerability Attestation Schema is used to:

1. Document Vulnerabilities: Attach vulnerability details to attestations for components.
2. Track Remediation: Keep track of versions and patches that address the vulnerability.
3. Support Compliance: Ensure that vulnerable components are tracked and managed in line with security standards.

This schema promotes transparency and accountability, ensuring that vulnerability information is communicated clearly across software supply chains.

Schemas

yaml

$id: https://github.com/nqminds/Trusted-AI-BOM/blob/main/packages/schemas/src/taibom-schemas/63-vulnerability-attestation.v1.0.0.schema.yaml
$schema: https://json-schema.org/draft/2020-12/schema
title: Vulnerability Attestation
description: |
  This schema extends the generic Attestation Schema to define an attestation for software vulnerabilities.
type: object
properties:
  component:
    type: object
    description: Component reference, including an ID and hash for the VC claim.
    properties:
      id:
        type: string
        description: The component ID (unique identifier) of the VC claim.
      hash:
        type: string
        description: Cryptographic hash (e.g., SHA-256) for verifying the integrity of the VC claim.
    required:
      - id
      - hash
  attestation:
    type: object
    properties:
      type:
        type: string
        enum:
          - vulnerability
        description: Type of attestation, set to "Vulnerability" for this schema.
      vulnerability:
        type: object
        description: Details about the vulnerability.
    required:
      - type
      - vulnerability
required:
  - component
  - attestation

json

{
  "$id": "https://github.com/nqminds/Trusted-AI-BOM/blob/main/packages/schemas/src/taibom-schemas/63-vulnerability-attestation.v1.0.0.schema.yaml",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Vulnerability Attestation",
  "description": "This schema extends the generic Attestation Schema to define an attestation for software vulnerabilities.\n",
  "type": "object",
  "properties": {
    "component": {
      "type": "object",
      "description": "Component reference, including an ID and hash for the VC claim.",
      "properties": {
        "id": {
          "type": "string",
          "description": "The component ID (unique identifier) of the VC claim."
        },
        "hash": {
          "type": "string",
          "description": "Cryptographic hash (e.g., SHA-256) for verifying the integrity of the VC claim."
        }
      },
      "required": [
        "id",
        "hash"
      ]
    },
    "attestation": {
      "type": "object",
      "properties": {
        "type": {
          "type": "string",
          "enum": [
            "vulnerability"
          ],
          "description": "Type of attestation, set to \"Vulnerability\" for this schema."
        },
        "vulnerability": {
          "type": "object",
          "description": "Details about the vulnerability."
        }
      },
      "required": [
        "type",
        "vulnerability"
      ]
    }
  },
  "required": [
    "component",
    "attestation"
  ]
}

markdown

Vulnerability Attestation

This schema extends the generic Attestation Schema to define an attestation for software vulnerabilities.

The schema defines the following properties:

component (object, required)

Component reference, including an ID and hash for the VC claim.

Properties of the component object:

id (string, required)

The component ID (unique identifier) of the VC claim.

hash (string, required)

Cryptographic hash (e.g., SHA-256) for verifying the integrity of the VC claim.

attestation (object, required)

Properties of the attestation object:

type (string, enum, required)

Type of attestation, set to "Vulnerability" for this schema.

This element must be one of the following enum values:

• vulnerability

vulnerability (object, required)

Details about the vulnerability.

Examples

table

component	attestation
[object Object]	[object Object]
[object Object]	[object Object]

json

[
  {
    "component": {
      "id": "urn:uuid:777e8887-e89b-12d3-a456-426614174010",
      "hash": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdef"
    },
    "attestation": {
      "type": "vulnerability",
      "vulnerability": {
        "id": "GHSA-44wm-f244-xhp3",
        "severity": "High",
        "description": "A vulnerability in the Python library Pillow that allows an attacker to execute arbitrary code via a crafted image file.\n",
        "fixedIn": [
          "10.1.1",
          "10.2.0"
        ],
        "type": "Software"
      }
    }
  },
  {
    "component": {
      "id": "urn:uuid:1a2b3c4d-5678-90ef-abcd-1234567890ab",
      "hash": "123456abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdef"
    },
    "attestation": {
      "type": "vulnerability",
      "vulnerability": {
        "id": "CVE-2024-12345",
        "severity": "Critical",
        "description": "A critical buffer overflow vulnerability in the Apache HTTP Server that could allow remote attackers to execute arbitrary code.\n",
        "fixedIn": [
          "2.4.56"
        ],
        "type": "Software"
      }
    }
  }
]

Edit this schema here