A new Vulnerability Findings class

dictionary.json

@@ -65,6 +65,12 @@
       "description": "The permissions that were granted to the in a platform-native format.",
       "type": "integer_t"
     },
+    "affected_packages": {
+      "caption": "Affected Software Packages",
+      "description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
+      "is_array": true,
+      "type": "affected_package"
+    },
     "alert": {
       "caption": "Client TLS Alert",
       "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
@@ -992,6 +998,7 @@
     "cvss": {
       "caption": "CVSS Score",
       "description": "The CVSS object details Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) scores from the advisory that are related to the vulnerability.",
+      "is_array": true,
       "type": "cvss"
     },
     "cwe": {
@@ -1376,7 +1383,7 @@
     },
     "finding": {
       "caption": "Finding",
-      "description": "Finding object provides details related to a finding generated by security tool",
+      "description": "The Finding object provides details about a finding/detection generated by a security tool.",
       "type": "finding"
     },
     "fingerprint": {
@@ -2171,12 +2178,16 @@
       "description": "The user that owns the file/object.",
       "type": "user"
     },
-    "packages": {
+    "package": {
       "caption": "Software Packages",
-      "description": "List of vulnerable packages as identified by the security product",
-      "is_array": true,
+      "description": "The Software Package object describes details about a software package. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/'>d3f:SoftwarePackage</a>.",
       "type": "package"
     },
+    "package_manager": {
+      "caption": "Package Manager",
+      "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
+      "type": "string_t"
+    },
     "packet_uid": {
       "caption": "Packet UID",
       "description": "The packet identifier assigned by the protocol.",
@@ -2395,6 +2406,11 @@
       "description": "If a proxy connection is present, the connection from the client to the proxy server.",
       "type": "network_proxy"
     },
+    "purl":{
+      "caption": "Package URL",
+      "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programing languages, package managers, packaging conventions, tools, APIs and databases.",
+      "type": "string_t"
+    },
     "query": {
       "caption": "DNS Query",
       "description": "The Domain Name System (DNS) query.",
@@ -2452,7 +2468,7 @@
     },
     "references": {
       "caption": "References",
-      "description": "Supporting reference URLs",
+      "description": "A list of reference URLs supporting the finding/detection.",
       "is_array": true,
       "type": "string_t"
     },
@@ -2977,11 +2993,6 @@
       "description": "The unique identifier of a virtual subnet.",
       "type": "string_t"
     },
-    "supporting_data": {
-      "caption": "Supporting Data",
-      "description": "Additional data supporting a finding as provided by security tool",
-      "type": "json_t"
-    },
     "surname": {
       "caption": "Surname",
       "description": "The last or family name for the user.",

events/findings/findings.json → events/findings/finding.json

@@ -1,9 +1,9 @@
 {
-  "caption": "Findings",
-  "name": "findings",
+  "caption": "Finding",
   "category": "findings",
-  "extends": "base_event",
   "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or actions performed by security products.",
+  "extends": "base_event",
+  "name": "finding",
   "attributes": {
     "activity_id": {
       "enum": {

events/findings/security_finding.json

@@ -2,7 +2,7 @@
   "caption": "Security Finding",
   "category": "findings",
   "description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products",
-  "extends": "findings",
+  "extends": "finding",
   "name": "security_finding",
   "uid": 1,
   "attributes": {

events/findings/vulnerability_finding.json

@@ -0,0 +1,76 @@
+{
+  "caption": "Vulnerability Finding",
+  "category": "findings",
+  "description": "Vulnerability Finding events describe findings generated by vulnerability scanning tools.",
+  "extends": "finding",
+  "name": "vulnerability_finding",
+  "uid": 2,
+  "attributes": {
+    "analytic": {
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "confidence": {
+      "group": "context",
+      "requirement": "optional"
+    },
+    "confidence_id": {
+      "group": "context",
+      "requirement": "recommended"
+    },
+    "confidence_score": {
+      "group": "context",
+      "requirement": "optional"
+    },
+    "device": {
+      "description": "Describes details about the device that is affected by the vulnerability/vulnerabilities.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "finding": {
+      "group": "primary",
+      "requirement": "required"
+    },
+    "resource": {
+      "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "remediation": {
+      "group": "context",
+      "requirement": "optional"
+    },
+    "status": {
+      "description": "The normalized status of the vulnerability finding.",
+      "group": "context",
+      "requirement": "optional"
+    },
+    "status_id": {
+      "description": "The normalized status identifier of the vulnerability finding.",
+      "enum": {
+        "1": {
+          "caption": "New",
+          "description": "The vulnerability finding is new and yet to be reviewed."
+        },
+        "2": {
+          "caption": "In Progress",
+          "description": "The vulnerability finding is under review."
+        },
+        "3": {
+          "caption": "Suppressed",
+          "description": "The vulnerability finding was reviewed, considered as a false positive and is now suppressed."
+        },
+        "4": {
+          "caption": "Resolved",
+          "description": "The vulnerability finding was reviewed and remediated and is now considered resolved."
+        }
+      },
+      "group": "context",
+      "requirement": "recommended"
+    },
+    "vulnerabilities": {
+      "group": "primary",
+      "requirement": "required"
+    }
+  }
+}

objects/affected_package.json

@@ -0,0 +1,11 @@
+{
+  "caption": "Affected Software Package",
+  "description": "The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.",
+  "extends": "package",
+  "name": "affected_package",
+  "attributes": {
+    "package_manager": {
+      "requirement": "optional"
+    }
+  }
+}

objects/analytic.json

@@ -13,8 +13,7 @@
       "requirement": "optional"
     },
     "name": {
-      "description": "The name of the analytic that generated the finding.",
-      "requirement": "required"
+      "description": "The name of the analytic that generated the finding."
     },
     "related_analytics": {
       "description:": "Other analytics related to this analytic ",
@@ -49,13 +48,11 @@
       }
     },
     "uid": {
-      "description": "The unique identifier of the analytic that generated the finding.",
-      "requirement": "recommended"
+      "description": "The unique identifier of the analytic that generated the finding."
     },
     "version": {
       "description": "The analytic version. For example: <code>1.1</code>.",
       "requirement": "optional"
     }
-  },
-  "constraints": {}
+  }
 }

objects/cve.json

@@ -7,7 +7,11 @@
     "cvss": {
       "requirement": "recommended"
     },
-    "cwe":{
+    "cwe": {
+      "requirement": "optional"
+    },
+    "desc": {
+      "description": "A brief description of the CVE Record.",
       "requirement": "optional"
     },
     "modified_time": {
@@ -19,18 +23,26 @@
       "requirement": "recommended"
     },
     "uid": {
-			"caption": "CVE ID",
+      "caption": "CVE ID",
       "description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: <code>CVE-2021-12345</code>.",
       "requirement": "required"
     },
     "product": {
       "description": "The product where the vulnerability was discovered.",
       "requirement": "optional"
     },
+    "references": {
+      "description": "A list of reference URLs with additional information about the CVE Record.",
+      "requirement": "recommended"
+    },
+    "title": {
+      "description": "A title or a brief phrase summarizing the CVE record.",
+      "requirement": "recommended"
+    },
     "type": {
-			"caption": "Vulnerability Type",
+      "caption": "Vulnerability Type",
       "description": "<p>The vulnerability type as selected from a large dropdown menu during CVE refinement.</p>Most frequently used vulnerability types are: <code>DoS</code>, <code>Code Execution</code>, <code>Overflow</code>, <code>Memory Corruption</code>, <code>Sql Injection</code>, <code>XSS</code>, <code>Directory Traversal</code>, <code>Http Response Splitting</code>, <code>Bypass something</code>, <code>Gain Information</code>, <code>Gain Privileges</code>, <code>CSRF</code>, <code>File Inclusion</code>. For more information see <a target='_blank' href='https://www.cvedetails.com/vulnerabilities-by-types.php'>Vulnerabilities By Type</a> distributions.",
       "requirement": "recommended"
     }
   }
-}
+}

objects/finding.json

@@ -1,6 +1,6 @@
 {
   "caption": "Finding",
-  "description": "The Finding object contains details related to a security finding generated by a security tool or system. It encompasses information about potential security vulnerabilities, weaknesses, misconfigurations, or suspicious activities identified during security assessments or monitoring processes.",
+  "description": "The Finding object describes metadata related to a security finding generated by a security tool or system.",
   "extends": "object",
   "name": "finding",
   "attributes": {
@@ -31,18 +31,12 @@
     "related_events": {
       "requirement": "optional"
     },
-    "remediation": {
-      "requirement": "optional"
-    },
     "src_url": {
       "description": "The URL pointing to the source of the finding.",
       "requirement": "optional"
     },
-    "supporting_data": {
-      "requirement": "optional"
-    },
     "title": {
-      "description": "The title of the reported finding.",
+      "description": "A title or a brief phrase summarizing the reported finding.",
       "requirement": "required"
     },
     "types": {

objects/package.json

@@ -18,6 +18,9 @@
       "description": "The software package name.",
       "requirement": "required"
     },
+    "purl":{
+      "requirement": "optional"
+    },
     "release": {
       "requirement": "optional"
     },

objects/product.json

@@ -6,7 +6,7 @@
   "attributes": {
     "feature": {},
     "lang": {
-      "requirement": "recommended"
+      "requirement": "optional"
     },
     "name": {
       "description": "The name of the product."

objects/vulnerability.json

@@ -10,34 +10,25 @@
     "cwe": {
       "requirement": "recommended"
     },
-    "desc": {
-      "description": "The description of the vulnerability.",
-      "requirement": "optional"
-    },
     "fix_available": {
       "requirement": "optional"
     },
-    "kb_articles": {
-      "requirement": "optional"
-    },
-    "packages": {
+    "affected_packages": {
       "requirement": "recommended"
     },
     "references": {
+      "description": "A list of reference URLs with additional information about the vulnerability.",
       "requirement": "recommended"
     },
     "related_vulnerabilities": {
-      "requirement": "recommended"
+      "requirement": "optional"
     },
     "severity": {
+      "description": "The vendor assigned severity of the vulnerability.",
       "requirement": "optional"
     },
-    "title": {
-      "description": "The title of the vulnerability.",
-      "requirement": "recommended"
-    },
     "vendor_name": {
-      "description": "The vendor who identified the vulnerability.",
+      "description": "The name of the vendor that identified the vulnerability.",
       "requirement": "optional"
     }
   },