OHDF Schema Review
6/10/24About 5 min
OHDF Schema Review
Now that you've familiarized yourself with the formal OHDF schema, let's revisit the GoSec and Twistlock examples and analyze both the original source data and how it has been converted to OHDF.
Here are some key questions to keep note of while reading through these examples:
- How is the source data structured/organized (e.g., by requirement, by target system, by finding)?
- Is the source data's data format perfectly aligned to OHDF?
- What should we do when multiple source data fields correspond to the same OHDF field?
- How should we handle a source data field that contains information correlating to multiple OHDF fields?
- How should we handle source data fields that don't fit into the OHDF schema?
- How is the structure of the source data interpreted to fit the OHDF hierarchy?
- What groups of fields in the source data correlate to our Profiles, Controls, and Results structures?
- Which fields in the source data are used to fill each OHDF field? Is that mapping accurate?
- Can you think of a reason for why that field is used to populate the OHDF field?
- Are there any fields in the source data that you believe are more applicable? Why?
- Which fields are unfilled/omitted?
- Can you think of a reason for why that field is unfilled/omitted?
- Are there any fields in the source data that you believe are applicable? Why?
These questions will help you understand the conversion process for when you create your own OHDF mappers later.
Sample Files
The sample files below are truncated for pedagogical purposes.
For the original files and more examples of actual OHDF samples used in production, see here.
GoSec
Source Data
{
"Golang errors": {},
"Issues": [
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "C:\\Users\\AGILLUM\\OneDrive - The MITRE Corporation\\Documents\\Code\\grype-0.34.4\\internal\\file\\tar.go",
"code": "82: \t\tcase tar.TypeReg:\n83: \t\t\tf, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))\n84: \t\t\tif err != nil {\n",
"line": "83",
"column": "14",
"nosec": false,
"suppressions": null
}
],
"Stats": {
"files": 199,
"lines": 12401,
"nosec": 0,
"found": 7
},
"GosecVersion": "dev"
}Converted OHDF File
{
"platform": { "name": "Heimdall Tools", "release": "2.10.8" },
"version": "2.10.8",
"statistics": {},
"profiles": [
{
"name": "Gosec scanner",
"title": "gosec",
"version": "dev",
"supports": [],
"attributes": [],
"groups": [],
"status": "loaded",
"controls": [
{
"tags": {
"nist": ["SI-10"],
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"nosec": "",
"suppressions": "",
"severity": "MEDIUM",
"confidence": "HIGH"
},
"refs": [],
"source_location": {},
"title": "Potential file inclusion via variable",
"id": "G304",
"desc": "",
"impact": 0.5,
"results": [
{
"status": "failed",
"code_desc": "82: \t\tcase tar.TypeReg:\n83: \t\t\tf, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))\n84: \t\t\tif err != nil {\n",
"message": "C:\\Users\\AGILLUM\\OneDrive - The MITRE Corporation\\Documents\\Code\\grype-0.34.4\\internal\\file\\tar.go, line:83, column:14",
"start_time": ""
}
]
}
],
"sha256": "d0506f4b7715bf8b1cd81a8a87ab8efcce41ebeb2b5ec5fcfb23d3bdd136f48c"
}
],
"passthrough": {
"auxiliary_data": [{ "name": "Gosec", "data": { "Golang errors": {} } }]
}
}Twistlock
Source Data
{
"results": [
{
"id": "sha256:b1c0237ebd29860066656372da10d8d7da33b34715986f74b3d5a7e4ba060d1b",
"name": "registry.io/test:1a7a431a105aa04632f5f5fbe8f753bd245add0a",
"distro": "Red Hat Enterprise Linux release 8.6 (Ootpa)",
"distroRelease": "RHEL8",
"digest": "sha256:c0274cb1e0c6e92d2ccc1e23bd19b7dddedbaa2da26861c225d4ad6cec5047f4",
"collections": ["All", "TEST-COLLECTION"],
"packages": [
{
"type": "os",
"name": "nss-util",
"version": "3.67.0-7.el8_5",
"licenses": ["MPLv2.0"]
}
],
"applications": [
{
"name": ".net-core",
"version": "5.0.17",
"path": "/usr/lib64/dotnet/dotnet"
}
],
"complianceDistribution": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0,
"total": 0
},
"complianceScanPassed": true,
"vulnerabilities": [
{
"id": "CVE-2021-43529",
"status": "affected",
"cvss": 9.8,
"description": "DOCUMENTATION: A remote code execution flaw was found in the way NSS verifies certificates. This flaw allows an attacker posing as an SSL/TLS server to trigger this issue in a client application compiled with NSS when it tries to initiate an SSL/TLS connection. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client, triggering the flaw. The highest threat to this vulnerability is confidentiality, integrity, as well as system availability. STATEMENT: The issue is not limited to TLS. Any applications that use NSS certificate verification are vulnerable; S/MIME is impacted as well. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client. Firefox is not vulnerable to this flaw as it uses the mozilla::pkix for certificate verification. Thunderbird is affected when parsing email with the S/MIME signature. Thunderbird on Red Hat Enterprise Linux 8.4 and later does not need to be updated since it uses the system NSS library, but earlier Red Hat Enterprise Linux 8 extended life streams will need to update Thunderbird as well as NSS. MITIGATION: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affec",
"severity": "critical",
"packageName": "nss-util",
"packageVersion": "3.67.0-7.el8_5",
"link": "https://access.redhat.com/security/cve/CVE-2021-43529",
"riskFactors": [
"Remote execution",
"Attack complexity: low",
"Attack vector: network",
"Critical severity",
"Recent vulnerability"
],
"impactedVersions": ["*"],
"publishedDate": "2021-12-01T00:00:00Z",
"discoveredDate": "2022-05-18T12:24:22Z",
"layerTime": "2022-05-16T23:12:25Z"
}
],
"vulnerabilityDistribution": {
"critical": 5,
"high": 1,
"medium": 86,
"low": 5,
"total": 97
},
"vulnerabilityScanPassed": true,
"history": [
{
"created": "2022-05-03T08:38:31Z"
}
],
"scanTime": "2022-05-18T12:24:32.855444532Z",
"scanID": "6284e580d9600f8d0db159e2"
}
],
"consoleURL": "https://twistlock.test.net/#!/monitor/vulnerabilities/images/ci?search=sha256%3Ab1c0237ebd29860066656372da10d8d7da33b34715986f74b3d5a7e4ba060d1b"
}Converted OHDF File
{
"platform": {
"name": "Heimdall Tools",
"release": "2.10.8",
"target_id": "registry.io/test:1a7a431a105aa04632f5f5fbe8f753bd245add0a"
},
"version": "2.10.8",
"statistics": {},
"profiles": [
{
"name": "Twistlock Scan",
"title": "Twistlock Project: All / TEST-COLLECTION",
"summary": "Package Vulnerability Summary: 97 Application Compliance Issue Total: 0",
"supports": [],
"attributes": [],
"groups": [],
"status": "loaded",
"controls": [
{
"tags": {
"nist": ["SI-2", "RA-5"],
"cci": ["CCI-002605", "CCI-001643"],
"cveid": "CVE-2021-43529"
},
"refs": [],
"source_location": {},
"title": "CVE-2021-43529",
"id": "CVE-2021-43529",
"desc": "DOCUMENTATION: A remote code execution flaw was found in the way NSS verifies certificates. This flaw allows an attacker posing as an SSL/TLS server to trigger this issue in a client application compiled with NSS when it tries to initiate an SSL/TLS connection. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client, triggering the flaw. The highest threat to this vulnerability is confidentiality, integrity, as well as system availability. STATEMENT: The issue is not limited to TLS. Any applications that use NSS certificate verification are vulnerable; S/MIME is impacted as well. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client. Firefox is not vulnerable to this flaw as it uses the mozilla::pkix for certificate verification. Thunderbird is affected when parsing email with the S/MIME signature. Thunderbird on Red Hat Enterprise Linux 8.4 and later does not need to be updated since it uses the system NSS library, but earlier Red Hat Enterprise Linux 8 extended life streams will need to update Thunderbird as well as NSS. MITIGATION: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affec",
"impact": 0.9,
"code": "{\n \"id\": \"CVE-2021-43529\",\n \"status\": \"affected\",\n \"cvss\": 9.8,\n \"description\": \"DOCUMENTATION: A remote code execution flaw was found in the way NSS verifies certificates. This flaw allows an attacker posing as an SSL/TLS server to trigger this issue in a client application compiled with NSS when it tries to initiate an SSL/TLS connection. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client, triggering the flaw. The highest threat to this vulnerability is confidentiality, integrity, as well as system availability. STATEMENT: The issue is not limited to TLS. Any applications that use NSS certificate verification are vulnerable; S/MIME is impacted as well. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client. Firefox is not vulnerable to this flaw as it uses the mozilla::pkix for certificate verification. Thunderbird is affected when parsing email with the S/MIME signature. Thunderbird on Red Hat Enterprise Linux 8.4 and later does not need to be updated since it uses the system NSS library, but earlier Red Hat Enterprise Linux 8 extended life streams will need to update Thunderbird as well as NSS. MITIGATION: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affec\",\n \"severity\": \"critical\",\n \"packageName\": \"nss-util\",\n \"packageVersion\": \"3.67.0-7.el8_5\",\n \"link\": \"https://access.redhat.com/security/cve/CVE-2021-43529\",\n \"riskFactors\": [\n \"Remote execution\",\n \"Attack complexity: low\",\n \"Attack vector: network\",\n \"Critical severity\",\n \"Recent vulnerability\"\n ],\n \"impactedVersions\": [\n \"*\"\n ],\n \"publishedDate\": \"2021-12-01T00:00:00Z\",\n \"discoveredDate\": \"2022-05-18T12:24:22Z\",\n \"layerTime\": \"2022-05-16T23:12:25Z\"\n}",
"results": [
{
"status": "failed",
"code_desc": "Package \"nss-util\" should be updated to latest version above impacted versions [\"*\"]",
"message": "Expected latest version of \"nss-util\"\nDetected vulnerable version \"3.67.0-7.el8_5\" of \"nss-util\"",
"start_time": "2022-05-18T12:24:22Z"
}
]
}
],
"sha256": "998180601124e9d2b4f03be239a5bb68d9045ba2dc5a26fa2c8d453500288b2e"
}
],
"passthrough": {
"auxiliary_data": [
{
"name": "Twistlock",
"data": {
"results": [
{
"id": "sha256:b1c0237ebd29860066656372da10d8d7da33b34715986f74b3d5a7e4ba060d1b",
"distro": "Red Hat Enterprise Linux release 8.6 (Ootpa)",
"distroRelease": "RHEL8",
"digest": "sha256:c0274cb1e0c6e92d2ccc1e23bd19b7dddedbaa2da26861c225d4ad6cec5047f4",
"packages": [
{
"type": "os",
"name": "nss-util",
"version": "3.67.0-7.el8_5",
"licenses": ["MPLv2.0"]
}
],
"applications": [
{
"name": ".net-core",
"version": "5.0.17",
"path": "/usr/lib64/dotnet/dotnet"
}
],
"complianceScanPassed": true,
"vulnerabilityScanPassed": true,
"history": [{ "created": "2022-05-03T08:38:31Z" }],
"scanTime": "2022-05-18T12:24:32.855444532Z",
"scanID": "6284e580d9600f8d0db159e2"
}
],
"consoleURL": "https://twistlock.test.net/#!/monitor/vulnerabilities/images/ci?search=sha256%3Ab1c0237ebd29860066656372da10d8d7da33b34715986f74b3d5a7e4ba060d1b"
}
}
]
}
}