CSAF and VEX

Presenter Notes

CSAF

  • Common Security Advisory Framework (CSAF) Version 2.0
  • Machine-readable data for security advisories
  • Became an ISO standard recently
  • Distinguish binaries and source
  • Some tooling out there
    • csaf python library: https://github.com/anthonyharrison/csaf
    • CSAF perl module: https://metacpan.org/dist/CSAF

CSAF document

{
   "document": {
      "category": "csaf_security_advisory",
      "csaf_version": "2.0",
      "distribution": {
         "tlp": {
            "label": "WHITE",
            "url": "https://www.first.org/tlp/"
         }
      },
      "lang": "en",
      "publisher": {
         "category": "vendor",
         "name": "Debian",
         "namespace": "https://www.debian.org"
      },
      "title": "[DLA-4222-1] activemq - security update",
      "tracking": {
         "current_release_date": "2025-07-02T12:24:37",
         "generator": {
            "engine": {
               "name": "CSAF Perl Toolkit",
               "version": "0.25"
            }
         },
         "id": "DLA-4222-1",
         "initial_release_date": "2025-07-02T12:24:37",
         "revision_history": [
            {
               "date": "2025-07-02T12:24:37",
               "number": "1",
               "summary": "First release"
            }
         ],
         "status": "final",
         "version": "1.0.0"
      }
   },
   "product_tree": {
      "branches": [
         {
            "branches": [
               {
                  "branches": [
                     {
                        "category": "product_version",
                        "name": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                        "product": {
                           "name": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                           "product_id": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                           "product_identification_helper": {
                              "purl": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye"
                           }
                        }
                     },
                     {
                        "category": "product_version",
                        "name": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                        "product": {
                           "name": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                           "product_id": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                           "product_identification_helper": {
                              "purl": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye"
                           }
                        }
                     }
                  ],
                  "category": "architecture",
                  "name": "all"
               }
            ],
            "category": "vendor",
            "name": "Debian"
         }
      ],
      "relationships": [
         {
            "category": "default_component_of",
            "full_product_name": {
               "name": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye as component of bullseye",
               "product_id": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye&distro=bullseye"
            },
            "product_reference": "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
            "relates_to_product_reference": "bullseye"
         },
         {
            "category": "default_component_of",
            "full_product_name": {
               "name": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye as component of bullseye",
               "product_id": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye&distro=bullseye"
            },
            "product_reference": "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
            "relates_to_product_reference": "bullseye"
         }
      ]
   },
   "vulnerabilities": [
      {
         "cve": "CVE-2025-27533",
         "ids": [
            {
               "system_name": "Debian CVE page",
               "text": "https://security-tracker.debian.org/tracker/CVE-2025-27533"
            }
         ],
         "notes": [
            {
               "category": "general",
               "text": "https://issues.apache.org/jira/browse/AMQ-6596",
               "title": "Debian Security Tracker note"
            },
            {
               "category": "general",
               "text": "Fixed by https://github.com/apache/activemq/pull/1399",
               "title": "Debian Security Tracker note"
            }
         ],
         "product_status": {
            "fixed": [
               "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
               "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye"
            ],
            "recommended": [
               "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
               "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye"
            ]
         },
         "references": [
            {
               "category": "external",
               "summary": "Debian bug 1104933 for CVE-2025-27533",
               "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104933"
            },
            {
               "category": "external",
               "summary": "CVE-2025-27533",
               "url": "https://security-tracker.debian.org/tracker/CVE-2025-27533"
            }
         ],
         "remediations": [
            {
               "category": "vendor_fix",
               "details": "To install this Debian Security Update use the Debian recommended installation methods like 'apt upgrade'.",
               "product_ids": [
                  "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye",
                  "pkg:deb/debian/libactivemq-java@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye"
               ]
            }
         ],
         "title": "Memory Allocation with Excessive Size Value vulnerability in Apache Ac ..."
      }
   ]
}
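In the advisory above, `bullseye` appears only as a `relates_to_product_reference`; nothing in `product_tree` defines a product with that `product_id`, which is exactly what CSAF mandatory test 6.1.1 ("Missing Definition of Product ID") checks. The following added example (not the slides' or the CSAF Perl Toolkit's code) performs that check on a constructed, trimmed copy of the document.

```python
"""Product-ID consistency check for a CSAF 2.0 advisory. Added example, not
code from the slides or the CSAF Perl Toolkit; it implements CSAF mandatory
test 6.1.1 ("Missing Definition of Product ID"). CSAF_DOC is a constructed,
trimmed copy of the DLA-4222-1 advisory shown above."""

PKG = "pkg:deb/debian/activemq@5.16.1-1%2Bdeb11u2?arch=all&distro=bullseye"
CSAF_DOC = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Debian", "branches": [
            {"category": "architecture", "name": "all", "branches": [
                {"category": "product_version", "name": PKG,
                 "product": {"name": PKG, "product_id": PKG,
                             "product_identification_helper": {"purl": PKG}}}]}]}],
        # Defines "PKG inside bullseye", but "bullseye" itself is never defined.
        "relationships": [{"category": "default_component_of",
                           "full_product_name": {"name": PKG + " as component of bullseye",
                                                 "product_id": PKG + "&distro=bullseye"},
                           "product_reference": PKG,
                           "relates_to_product_reference": "bullseye"}]},
    "vulnerabilities": [{"cve": "CVE-2025-27533",
                         "product_status": {"fixed": [PKG], "recommended": [PKG]},
                         "remediations": [{"category": "vendor_fix", "product_ids": [PKG]}]}],
}

def defined_product_ids(tree):
    """product_ids defined by a full_product_name, in branches or relationships."""
    def walk(branch):
        if "product" in branch:
            yield branch["product"]["product_id"]
        for sub in branch.get("branches", []):
            yield from walk(sub)
    ids = {pid for b in tree.get("branches", []) for pid in walk(b)}
    ids.update(r["full_product_name"]["product_id"] for r in tree.get("relationships", []))
    return ids

def referenced_product_ids(doc):
    """product_ids the advisory points at: relationships, status lists, remediations."""
    refs = set()
    for rel in doc["product_tree"].get("relationships", []):
        refs.update((rel["product_reference"], rel["relates_to_product_reference"]))
    for vuln in doc.get("vulnerabilities", []):
        for id_list in vuln.get("product_status", {}).values():
            refs.update(id_list)
        for rem in vuln.get("remediations", []):
            refs.update(rem.get("product_ids", []))
    return refs

def undefined_product_ids(doc):
    """Referenced but never defined; a non-empty result fails test 6.1.1."""
    return sorted(referenced_product_ids(doc) - defined_product_ids(doc["product_tree"]))
```

A consumer that resolves `product_status` entries to purls should run this check first, since an undefined ID silently drops out of any purl lookup.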

VEX

  • Vulnerability Exploitability Exchange (VEX)
  • OpenVEX is an implementation of VEX designed to be minimal, compliant, interoperable, and embeddable
  • Statements per CVE
  • Distinguish binaries and source
  • Some tooling out there
    • go-vex Golang library: https://github.com/openvex/go-vex
    • lib4vex python library: https://github.com/anthonyharrison/lib4vex

VEX statement

statement = product(s)             + vulnerability              + status
            │                        │                            │
            └ The software product   └ Typically a CVE related    └ One of the impact
              we are talking about     to one of the product's      statuses as identified
                                       components                   by the VEX working group.

VEX document

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/my-project-vex.json",
  "author": "MyCompany",
  "timestamp": "2024-07-22T10:30:00-00:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2024-1234"
      },
      "products": [
        {
          "@id": "pkg:maven/com.example/my-library@1.2.3"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2024-5678"
      },
      "products": [
        {
          "@id": "pkg:deb/debian/my-package@1.0.0-1"
        }
      ],
      "status": "affected",
      "action_statement": "Upgrade to version 1.0.1 or later."
    }
  ]
}
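The statement breakdown (products + vulnerability + status) and the document above leave out the rules that make a statement usable: OpenVEX requires a `justification` or `impact_statement` on `not_affected` and an `action_statement` on `affected`. The added example below (not code from the slides, go-vex or lib4vex) checks those rules and then applies a document to a constructed list of scanner findings, which is the triage VEX exists for.

```python
"""OpenVEX statement checks and finding triage. Added example, not code from
the slides, go-vex or lib4vex. Encodes two OpenVEX rules: a not_affected
statement MUST carry a justification or impact_statement, and an affected
statement MUST carry an action_statement. VEX_DOC and FINDINGS are constructed."""

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path",
                  "vulnerable_code_cannot_be_controlled_by_adversary",
                  "inline_mitigations_already_exist"}

VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/my-project-vex.json",
    "author": "MyCompany", "timestamp": "2024-07-22T10:30:00-00:00", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2024-1234"},
         "products": [{"@id": "pkg:maven/com.example/my-library@1.2.3"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-5678"},
         "products": [{"@id": "pkg:deb/debian/my-package@1.0.0-1"}],
         "status": "affected"},  # constructed defect: affected without action_statement
    ],
}
# Constructed scanner output: (purl, CVE) pairs as an SCA tool might report them.
FINDINGS = [("pkg:maven/com.example/my-library@1.2.3", "CVE-2024-1234"),
            ("pkg:deb/debian/my-package@1.0.0-1", "CVE-2024-5678"),
            ("pkg:deb/debian/other@2.0-1", "CVE-2024-0001")]

def statement_errors(stmt):
    """Spec violations in one statement; an empty list means it is well-formed."""
    status, errors = stmt.get("status"), []
    if status not in STATUSES:
        errors.append(f"unknown status {status!r}")
    if status == "not_affected" and not (stmt.get("justification") or stmt.get("impact_statement")):
        errors.append("not_affected requires justification or impact_statement")
    if stmt.get("justification") not in JUSTIFICATIONS | {None}:
        errors.append(f"unknown justification {stmt['justification']!r}")
    if status == "affected" and not stmt.get("action_statement"):
        errors.append("affected requires action_statement")
    return errors

def triage(findings, doc):
    """Map each (purl, cve) finding to its VEX status (None = no statement covers it)."""
    index = {(p["@id"], s["vulnerability"]["name"]): s["status"]
             for s in doc["statements"] for p in s.get("products", [])}
    return {f: index.get(f) for f in findings}

def still_actionable(findings, doc):
    """Findings a consumer may not drop: not cleared by a not_affected or fixed statement."""
    return sorted(f for f, st in triage(findings, doc).items()
                  if st not in ("not_affected", "fixed"))
```

Run `statement_errors` over every statement before trusting a document: a `not_affected` without justification should be treated as no statement at all, not as a suppression.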

Roadmap

  • Finish PoC for OpenVEX documents generation
  • Re-write the PoC for CSAF in Python
    • Current implementation in Perl (no support for VEX)
  • Polish the solution to be ready to be deployed
  • Host it in some Freexian server
  • Publish those documents somewhere in a Freexian domain

Questions?
