Resurrecting DWF
Five years ago, we looked at an effort to
assist in the assignment of Common
Vulnerabilities and Exposures (CVE) IDs, especially for open-source
projects.
Developers in the free-software world have often found it difficult to
obtain CVE IDs for the vulnerabilities that they find.
The Distributed Weakness
Filing (DWF) project was meant to reduce the friction in the
CVE-assignment process, but it never really got off the ground. In a blog
post, Josh Bressers said that DWF was hampered by trying to follow the
rules for CVEs. That has led to a plan to restart DWF, but this time without the
"yoke of legacy CVE
".
A bit of history
The CVE system was started in 1999 as a way to track and provide identification numbers for vulnerabilities. It is far easier and more robust to talk about CVE-xxxx-yyyy, rather than "that buffer overflow in the xyzzy project", especially when "that buffer overflow" might refer to any of several (or more) vulnerabilities. CVE IDs provide a specificity that was largely missing prior to their introduction; these days, of course, the highest profile bugs also have catchy names, web sites, logos, stickers, and branded shot glasses.
By the time DWF was introduced in 2016, there were lots of complaints about problems with the CVE system, though there was no real consensus on what should be done to fix it. There were a number of suggestions for ways to improve the CVE system; one relatively concrete approach was DWF, which was announced by Kurt Seifried:
I have increasingly noticed problems with Mitre's handling of the CVE database. This has come to a head now that I have multiple, confirmed, public reports of security researchers being unable to get CVE numbers assigned to them in a timely manner, if at all. As such the solution is simple:We need a distributed, scale out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible. Not just in terms of format but in terms of process and usage. As such I took on the task, creating the DWF system and getting a number of other people involved (Larry Cashdollar, Zachary Wikholm, Josh Bressers, etc.). My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organization. Additionally I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discover/handling as possible.
The complaints eventually led the CVE maintainers to change the process for requesting (and receiving) a CVE ID. Before the change announcement, projects could request a CVE by posting to the oss-security mailing list; a CVE-request web form was set up for projects to use instead.
Even today, it is not hard to find examples of CVE requests going unanswered for two weeks or more. While that may be irritating and is definitely sub-optimal, Bresser points to a bigger problem in his post: CVEs are not keeping pace with the number of vulnerabilities. Based on data from his cve-analysis tools, the number of CVEs assigned was fairly flat for a few years until 2017, which is when the CVE-request web form was added:
We can see a noticeable uptick in 2017. For most of us paying attention this was what we were waiting for, the CVE project was finally going to start growing!And then it didn't.
Since that spike in 2017, CVE assignments have been flat or even declining slightly, but no one would seriously argue that this reflects the number of actual vulnerabilities. For part of the explanation of why, Bressers pointed to a 2020 article that looked at the role played by CVE Numbering Authorities (CNAs), which are companies and other organizations that get blocks of CVE IDs that they can issue for vulnerabilities in their projects and products. The number of CNAs has expanded over the years, but slowly; by 2016, there were only 22 CNAs, while today there are 159.
The point in that article is that the CNA system lets a CNA decide what should get an ID. This is sort of how security worked in 1999 when security researchers were often treated as adversaries. This is no longer the case, yet researchers have no easy way to request and use their own CVE IDs. If you report a vulnerability to an organization, and they decide it doesn't get a CVE ID, it's very difficult to get one yourself. So many researchers just don't bother.
A DWF reboot
So, after a while, it became clear that the CVE situation was not getting any better, and that DWF was not solving those problems either. Bressers, Seifried, and others rethought things, which is what led to a new version of DWF:
The idea was to make CVE data work more like open source. We can call that DWF version 1. DWF version 1 didn't work out. There are many reasons for that, but the single biggest is that DWF tried to follow the legacy CVE rules which ended up strangling the project to death. Open source doesn't work when buried under artificial constraints. Open source communities need to be able to move around and [breathe] so they can thrive and grow.
The intent is for DWF to get to "100% automated CVE IDs
", which has
not quite happened, though you should "be able to get a CVE ID in
less than ten seconds
". There is a form at https://iwantacve.org, which
requires a GitHub account to sign in with, then:
You enter a few details into a web form, and you get a candidate, or CAN ID. A human then double checks things, approves it, then the bot flips it to a DWF CVE ID assuming it looks good. Things generally look good because the form makes it easy to do the right thing. And this is just version one of the form! It will keep getting better. If you submit IDs a few times you will get added to the allowlist and just get a DWF CVE ID right away skipping the CAN step. Long term there won't be any humans involved because humans are slow, need to sleep, and get burnt out.
The project has carved off a piece of the CVE-ID namespace to issue its IDs, though that piece is far removed from the five-digit CVE IDs that the CNAs issue. The first identifier issued is CVE-2021-1000000, which was tracked via this issue in the DWF GitHub repository. There is some amount of controversy over the use of the normal CVE identifier format, but that is by design; the project thinks that the term "CVE" has become a generic term that simply means "vulnerability". Meanwhile, DWF believes that it makes sense to have all of the IDs for vulnerabilities live in the same namespace.
The CVE project seems to feel
differently, as it put out a tweet
disavowing CVE IDs that do not come from the CNAs. CVE board
member Tod Beardsley also filed a pull
request to change the identifiers to DWF-xxxx-yyyyy, which "will
disambiguate vulnerability identifiers sourced from the DWF project
from those produced by the federation of CVE Numbering Authorities, and
avoid any confusion in downstream users of these identifiers
".
Seifried closed the request, quoting Bressers's comment
on a separate suggestion for a different ID name:
CVE now means "vulnerability" in the same way a tissue is a kleenex. If we create a "new" naming scheme we end up with https://xkcd.com/927/ But if we reuse an existing naming scheme, there isn't an increase in identifiers names.
Bressers also noted that by choosing a range in the ID space starting at
one million, there should be no logistical problems with numbering
collisions: "possibly ever, but at least for decades
".
The DWF project is broken up into three separate pieces, each with its own repository. The dwflist repository holds the JSON version each CVE that has been issued. At the time of this writing, there are eight entries from several different reporters, though no new CVEs have been assigned since March 18.
The dwf-workflow
repository is the place "where conversations are meant to be
held
". It is currently a GitHub repository, but that could change
depending on where the community wants to take things. It has the FAQ
for the project, along with some other documentation. In addition, some conversations
do seem to be getting started in the issues.
Bressers described the workflow repository this way:
Everything is meant to happen in public. This is the best place to start out if you want to help. Feel free to just jump in and create issues to ask questions or make suggestions.
Finally, there is the inevitable dwf-request
code repository, which holds the Node.js code for the web form and a
Python bot for actually assigning IDs based on the GitHub issues that get
created from the form. "Neither is spectacular code. It's not meant
to be, it's an open source
project and will get better with time. It's good enough.
"
The intent of DWF is clear: to have a community-driven process for assigning IDs to vulnerabilities, rather than the largely corporate-driven process that exists today. The community being targeted is explicitly including security researchers, who may not be well-represented in the CVE project. It would also include those interested in ensuring that vulnerability tags are not being haphazardly applied based on the commercial interests of those doing the tagging—community Linux distributions, for example. Whether there is enough "push" from those groups to sustain an approach like DWF remains to be seen, however.
| Index entries for this article | |
|---|---|
| Security | Bug reporting/CVE |
Posted Apr 7, 2021 23:22 UTC (Wed)
by dullfire (guest, #111432)
[Link] (8 responses)
I seem to recall looking at githubs ToS several years ago and seeing several things I wasn't willing to agree to.
Needing to agree to ToS from a large corporation (regardless of how you feel about the specific corporation), that can be changed at any time, in order to participate it bug hunt is probably not going to be a healthy thing.
Unfortunately I don't have any magic alternatives. Possibly the best one would be if a number of 'sponsor' foundations hosted different portals, which were federated. That way the systems both distributed, and not locked behind the ToS of people who may be paid to have conflicting interests.
Posted Apr 8, 2021 2:09 UTC (Thu)
by kurtseifried (guest, #57307)
[Link] (7 responses)
Agreed. The problem is twofold:
1) GitHub is insanely great and the cost is, well, free.
I lied, threefold. To replace GitHub poses massive problems in cost (more in time than money), time lost to building it and not just doing DWF, and lastly identity management. Anyways this is being tracked long term in:
https://github.com/distributedweaknessfiling/dwf-workflow...
Posted Apr 8, 2021 15:47 UTC (Thu)
by ballombe (subscriber, #9523)
[Link] (6 responses)
This is the problematic part. Allowing Microsoft to act as a gatekeeper to participation to
Posted Apr 8, 2021 16:43 UTC (Thu)
by smurf (subscriber, #17840)
[Link] (5 responses)
Also, if you don't like that restriction, fine: add an auth hook towards Gitlab and submit a modest pull request.
Still not satisfied? hook up a registration form with TOTP-or-whatever for two-factor auth, and send a somewhat larger pull request. It's not rocket science.
However, if you do it yourself you have to track data protection laws more stringently because you're storing more personal data, you need more security precautions as you now store user passwords (yes they should be salted+hashed but that's no excuse for failing to prevent a leak), etc. You want to take those costs on? be the project's guest, I'd assume.
Posted Apr 8, 2021 18:07 UTC (Thu)
by kurtseifried (guest, #57307)
[Link]
Posted Apr 9, 2021 16:22 UTC (Fri)
by ballombe (subscriber, #9523)
[Link] (1 responses)
Only if you are in a position to agree with github TOS, and it takes more than two minutes to read it anyway.
Posted Apr 9, 2021 16:58 UTC (Fri)
by kurtseifried (guest, #57307)
[Link]
Posted Apr 11, 2021 16:22 UTC (Sun)
by gray_-_wolf (subscriber, #131074)
[Link] (1 responses)
Posted Apr 11, 2021 16:44 UTC (Sun)
by smurf (subscriber, #17840)
[Link]
Posted Apr 8, 2021 0:20 UTC (Thu)
by lucaswerkmeister (subscriber, #126654)
[Link] (2 responses)
Posted Apr 8, 2021 1:03 UTC (Thu)
by joshbressers (subscriber, #151533)
[Link] (1 responses)
Our intention is to avoid potentially silly situations
Posted Apr 8, 2021 2:17 UTC (Thu)
by kurtseifried (guest, #57307)
[Link]
https://github.com/distributedweaknessfiling/dwf-workflow...
Posted Apr 8, 2021 0:28 UTC (Thu)
by joshbressers (subscriber, #151533)
[Link]
For anyone reading this, we welcome any and all comments, questions, and ideas. The workflow repo is the best place to start
I know needing a GitHub account isn't exactly ideal, but it's the best short term solution we have at the moment. We would gladly accept any ideas on how to not require this :)
Posted Apr 8, 2021 6:01 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (10 responses)
I have no sympathy for the CVE project here. It sounds like they had every opportunity to fix this problem, and utterly failed to do anything effective. The concept of "fill out a web form, get a CVE ID" is not exactly novel.
If they had instead announced that, starting tomorrow, they were going to adopt the DWF approach and deprecate the whole CNA system, I might feel differently. But that's not at all what their tweet says. Indeed, it doesn't even properly acknowledge the existence of DWF, instead referring vaguely to "CVE IDs obtained in some other way [than from a CNA]."
Unfortunately, there's a good chance this ends in some sort of ugly legal battle over trademarks. Which is a crying shame, seeing as there is a blatantly obvious way for the parties to compromise:
* DWF agrees to operate as a "real" CNA, and not a rival organization. It issues "real" CVE IDs and complies with most or all of the CNA requirements (whatever those are?).
A good compromise leaves everyone unhappy, of course, but it's better than litigation. In my judgment, this is primarily CVE's mess to clean up, so I'm intentionally biasing this compromise in DWF's favor, but of course reality may result in a less equitable outcome.
Posted Apr 8, 2021 9:28 UTC (Thu)
by danielthompson (subscriber, #97243)
[Link] (7 responses)
Ultimately I can't agree with the assertion that CVE means vulnerability. I understand it to mean an identifier that I can look up, potentially with automatic tools in "the CVE list". Thus having identifiers that appear to be CVE numbers that are not included in the CVE list seems to be massively confusing, especially so on an identifier format that *explicitly* includes a namespace to describe the originator of an identifier.
In other words using CVE in this context appears to be exactly the sort of misrepresenation regarding the originator that trademark law was intended to prevent. Of course that is not to say that it will or won't apply in this case... but it is the societal benefit trademarks are intended to provide.
Posted Apr 8, 2021 10:42 UTC (Thu)
by jkingweb (subscriber, #113039)
[Link] (1 responses)
You have identified what I've been struggling to pin down about this that I don't like. If I see CVE 1000003 and I'm not aware of DWF (I certainly wasn't before today), how do I find the particulars? Not MITRE, despite the prefix that has been well known for two decades. How do I figure out, without prior knowledge, that I should be looking for the DWF database? This uses CVE identifiers without gaining any of the practical benefits of having them, while stepping on toes in the process.
Posted Apr 8, 2021 14:37 UTC (Thu)
by kurtseifried (guest, #57307)
[Link]
Posted Apr 8, 2021 13:46 UTC (Thu)
by mjcox@redhat.com (guest, #31775)
[Link]
Posted Apr 8, 2021 23:36 UTC (Thu)
by cjwatson (subscriber, #7322)
[Link] (3 responses)
(This is not a loaded question: I'm not a security researcher nor somebody particularly invested in the existing CVE system. I just want to figure out what we should be doing to track this in case people use these new DWF-issued identifiers on Launchpad and expect them to work the same way, which seems likely. "Use a search engine" isn't an option here: we maintain these links automatically and want to keep it that way.)
Posted Apr 9, 2021 0:44 UTC (Fri)
by pabs (subscriber, #43278)
[Link] (2 responses)
Posted Apr 9, 2021 8:30 UTC (Fri)
by cjwatson (subscriber, #7322)
[Link] (1 responses)
Posted Apr 18, 2021 20:07 UTC (Sun)
by kurtseifried (guest, #57307)
[Link]
Posted Apr 8, 2021 18:11 UTC (Thu)
by kurtseifried (guest, #57307)
[Link] (1 responses)
Ditto for being a member of the CVE Board, I retired from it in Jan 2021. We really tried to change from within.
Posted Apr 10, 2021 22:55 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link]
If y'all have lawyers and are prepared for this fight, I wish you luck. If not, then I think you should hire some. Because I simply cannot imagine the CVE people letting this go.
Posted Apr 8, 2021 8:02 UTC (Thu)
by mezcalero (subscriber, #45103)
[Link] (6 responses)
The IDs would then be entirely self-managed, distributed but stable.
I mean, content-addressable databases aren't precisely a new concept?
What am I missing?
Posted Apr 8, 2021 8:21 UTC (Thu)
by zdzichu (subscriber, #17118)
[Link] (3 responses)
Posted Apr 8, 2021 9:06 UTC (Thu)
by Karellen (subscriber, #67644)
[Link]
Posted Apr 8, 2021 13:56 UTC (Thu)
by mezcalero (subscriber, #45103)
[Link] (1 responses)
Posted Apr 9, 2021 14:05 UTC (Fri)
by hailfinger (subscriber, #76962)
[Link]
Some people choose not to bear the burden of git hashes. Some of those use mercurial as a frontend for git.
Depending on your viewpoint, there is a difference between "human readable" and "can be understood by humans". A base64 encoded piece of information can be easily read character by character by a literate human being, but decoding the information without help from a computer is a rather rare skill (yes, it's easy in theory, but only few people have memorized the bit patterns).
Posted Apr 8, 2021 8:48 UTC (Thu)
by Rigrig (subscriber, #105346)
[Link] (1 responses)
Posted Apr 8, 2021 21:48 UTC (Thu)
by kurtseifried (guest, #57307)
[Link]
Posted Apr 8, 2021 13:42 UTC (Thu)
by dsommers (subscriber, #55274)
[Link] (4 responses)
And the github respository content looks quite similar to this one: https://github.com/CVEProject/cvelist
From a quick look at all of this, it looks like some missing communication between various teams and efforts.
Posted Apr 8, 2021 13:54 UTC (Thu)
by mjcox@redhat.com (guest, #31775)
[Link]
Posted Apr 8, 2021 14:40 UTC (Thu)
by kurtseifried (guest, #57307)
[Link] (2 responses)
Posted Apr 8, 2021 15:30 UTC (Thu)
by edstoner (subscriber, #4496)
[Link] (1 responses)
1.) Us assigning a CVE for every DWF
We've also been trying hard (and not having very much success) fixing the process. Why on earth it doesn't work like ISBN or something makes no sense at all. The current process is definitely broken.
ers@cert.org, also cert@cert.org will get to me if you put my name in the email somewhere.
Posted Apr 8, 2021 15:49 UTC (Thu)
by kurtseifried (guest, #57307)
[Link]
Posted Apr 8, 2021 14:26 UTC (Thu)
by domenpk (guest, #12382)
[Link]
If it's just to quickly get a unique vulnerability ID, then https://www.openwall.com/ove/ seems much simpler. There's less hassle, one just get an OVE ID, done.
Posted Apr 8, 2021 15:36 UTC (Thu)
by edstoner (subscriber, #4496)
[Link] (1 responses)
Posted Apr 9, 2021 17:32 UTC (Fri)
by champtar (subscriber, #128673)
[Link]
Posted Apr 8, 2021 22:02 UTC (Thu)
by lfam (subscriber, #127309)
[Link]
Posted Jun 16, 2022 22:14 UTC (Thu)
by anarcat (subscriber, #66354)
[Link]
Resurrecting DWF
Resurrecting DWF
2) Josh and I don't have the time to run this properly if we build it from scratch, so a mashup app on GitHub basically won
3) GitHub also solves the identity and Federation problem, most everyone in OpenSource has a GitHub ID
Resurrecting DWF
FOSS, and the assumption that this is OK with almost everyone.
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
It is also a gate Microsoft can close.
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
https://github.com/distributedweaknessfiling/dwf-workflow
Resurrecting DWF
* CVE agrees to let DWF issue enough "real" CVE IDs to fulfill their stated purposes, perhaps giving them larger or more blocks of CVEs than most CNAs get, and/or leeway with respect to other CNA requirements (to the extent that those requirements would otherwise interfere with DWF's structure, goals, or finances).
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
https://github.com/distributedweaknessfiling/dwf-workflow...
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Usability comes from low integer identifiers. In such confined space, some kind of supervision is needed.
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
And even if everyone could somehow filter those out themselves, that is a lot of duplicate effort.
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
2.) Trying lots of other things to fix the currently very broken process
3.) Publicly supporting DWF as an open-source replacement for CVE
Resurrecting DWF
Resurrecting DWF; why not OVE IDs?
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF
Resurrecting DWF: dead again?