[RFC] Stage 1- Introducing new fields in ECS Vulnerability fields#2449
[RFC] Stage 1- Introducing new fields in ECS Vulnerability fields#2449smriti0321 wants to merge 1 commit intoelastic:mainfrom
Conversation
smriti0321
changed the title
smriti0321
changed the title
|
I'm going to try a copilot review on this PR... |
There was a problem hiding this comment.
Pull Request Overview
This pull request introduces a new vulnerability schema to support tracking and mitigating vulnerabilities in assets.
- Defines new vulnerability fields including vendor.id, title, mitigation, published, and several date fields.
- Adds a nested group for patch details with fields for existence, name, and code.
- Introduces an "age" field for dynamically calculating vulnerability age.
Comments suppressed due to low confidence (1)
rfcs/text/0045/vulnerbility.yml:1
- The file name 'vulnerbility.yml' appears to be misspelled; consider renaming it to 'vulnerability.yml' for clarity.
+- name: vulnerability
andrewkroh
left a comment
andrewkroh
left a comment
There was a problem hiding this comment.
I'm not a SME in vulnerability data, but I left some comments that hopefully improve the descriptions.
| level: extended | ||
| type: keyword | ||
| description: > | ||
| A vulnerability doesn't necessarily have a CVE associated with it. It makes sense to separate vulnerability ID (like CVEs) to the vendor/detection IDs. |
There was a problem hiding this comment.
| A vulnerability doesn't necessarily have a CVE associated with it. It makes sense to separate vulnerability ID (like CVEs) to the vendor/detection IDs. | |
| A vulnerability doesn't necessarily have a CVE associated with it. It makes sense to separate vulnerability ID (like CVEs) from the vendor/detection IDs. |
| level: extended | ||
| type: keyword | ||
| description: > | ||
| Title/Name/Short Description for vulnerability, to be used in flyout and dashboards. |
There was a problem hiding this comment.
| Title/Name/Short Description for vulnerability, to be used in flyout and dashboards. | |
| Title, name, and short description for the vulnerability, to be used in flyout and dashboards. |
I think an example: would be helpful here too.
| level: extended | ||
| type: text | ||
| description: > | ||
| Explains how to fix or mitigate the problem, could be used to store resolution from the scanner vendor or document mitigation in place. |
There was a problem hiding this comment.
| Explains how to fix or mitigate the problem, could be used to store resolution from the scanner vendor or document mitigation in place. | |
| Explains how to fix or mitigate the problem. Could be used to store the resolution from the scanner vendor or document the mitigation in place. |
| level: extended | ||
| type: date | ||
| description: > | ||
| The “published” field indicates the date when information about a specific vulnerability was publicly disclosed or made available. It represents the moment when details about the vulnerability were shared with the security community, vendors, and the public. This field helps security professionals track the timeline of vulnerability awareness, in ISO 8601 format - YYYY-MM-DD. |
There was a problem hiding this comment.
I don't think "in ISO 8601 format - YYYY-MM-DD" is needed given that we have said it is a type: date field.
| level: extended | ||
| type: keyword | ||
| description: > | ||
| The status field helps security teams track vulnerabilities, prioritize actions, and communicate their progress effectively. Examples: open/ignored/patched/mitigated/false_positive/risk_accepted/reopened. |
There was a problem hiding this comment.
| The status field helps security teams track vulnerabilities, prioritize actions, and communicate their progress effectively. Examples: open/ignored/patched/mitigated/false_positive/risk_accepted/reopened. | |
| The status field helps security teams track vulnerabilities, prioritize actions, and communicate their progress effectively. Examples: open, ignored, patched, mitigated, false_positive, risk_accepted, reopened. |
| level: extended | ||
| type: date | ||
| description: > | ||
| Last time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z. |
There was a problem hiding this comment.
| Last time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z. | |
| The last time a vulnerability was found on the asset. |
| level: extended | ||
| type: date | ||
| description: > | ||
| Last time a scan was performed on the asset. It's important as some companies are scanning on a quarterly basis. If last_found and last_scanned are close, it means it's still an active vulnerability, in ISO 8601 format: 2016-05-23T08:05:34.853Z. |
There was a problem hiding this comment.
| Last time a scan was performed on the asset. It's important as some companies are scanning on a quarterly basis. If last_found and last_scanned are close, it means it's still an active vulnerability, in ISO 8601 format: 2016-05-23T08:05:34.853Z. | |
| The last time a scan was performed on the asset. If last_found and last_scanned are close, it suggests that the vulnerability is likely still active. |
I'm not sure about added value of "It's important as some companies are scanning on a quarterly basis." section. Perhaps the additional context could be phrased in terms of it be in important indicator of staleness.
| level: extended | ||
| type: keyword | ||
| description: > | ||
| It's extremely important to be able to deduplicate different scans. It's often that we have different scanners showing the same vulnerability on the same asset. No newline at end of file |
There was a problem hiding this comment.
| It's extremely important to be able to deduplicate different scans. It's often that we have different scanners showing the same vulnerability on the same asset. | |
| It's extremely important to be able to deduplicate different scans. It's common to have different scanners showing the same vulnerability on the same asset. |
| description: > | ||
| Last time a scan was performed on the asset. It's important as some companies are scanning on a quarterly basis. If last_found and last_scanned are close, it means it's still an active vulnerability, in ISO 8601 format: 2016-05-23T08:05:34.853Z. | ||
|
|
||
| - name: age |
There was a problem hiding this comment.
Given that this is derived data, I think we should omit this field. Users of the data can calculate it on their own via the various means you mentioned if they need it.
| level: extended | ||
| type: text | ||
| description: > | ||
| Name of the patch. |
There was a problem hiding this comment.
Can you give an example of a named patch? I'm not sure follow what would go into this field.
|
Hi! We just realized that we haven't looked into this PR in a while. We're We're labeling this PR as Thank you for your contribution! |
|
This PR has been automatically closed due to inactivity. If you'd like to Thank you for your contribution! |
make test?makeand committed those changes?