Mitigations

Mitigate your vulnerabilities

What is a mitigation?

A mitigation in this context refers to vulnerability mitigation. Vulnerability mitigation is the process of reducing or eliminating the risk associated with a security vulnerability.

A software may often contain vulnerabilities of various severity. One way to mitigate these vulnerabilities is to fix all of them. Another way of mitigating these vulnerabilities is to analyze the risk associated with the vulnerabilities in the context of the application and publishing a CSAF.

The vulnerability count after applying the mitigations becomes the effective vulnerability count. This is shown by the Lineaje risk graph in the Info tab. The black start represents the project risk with the actual vulnerabilities present. The blue star represents the project risk re-evaluated after applying the vulnerability mitigations.

Understanding mitigation

The mitigations tab lists all the vulnerability mitigations that are uploaded in the form of CSAF.

Count of components that are mitigated is displayed towards left, along with the category of the components (open-source, private, third-party, unknown).
The mitigation count is displayed towards the right, grouped by severity (critical, high, medium, low).
Each tile is clickable which will list down the components applicable to that filter in a table view. The details will list the component name, version, total vulnerabilities and a capsule for vulnerabilities details.
By clicking the vulnerabilities capsule, next level details will be shown as below.
By clicking on any row, the sidesheet shows up as shown below. There is a section showing the mitigation related information - mitigation origin, mitigation category, mitigation details. This information is sourced from the CSAF that was uploaded.

What is CSAF?

CSAF stands for Common Security Advisory Framework. Common Security Advisory Framework (CSAF) is a language to exchange Security Advisories. It plays a crucial role in the cybersecurity arena since it allows stakeholders to automate the creation and consumption of security vulnerability information and remediation. More details can be found here.

https://oasis-open.github.io/csaf-documentation/

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html

How can I upload CSAF?

CSAF upload is available under Integrations from the left navigation bar. A CSAF document is a json that describes the mitigations for the vulnerabilities and the products that are applicable for. You can refer a sample CSAF

A sample CSAF document looks something like this

Sample CSAF

{
    "document": {
        "title": "Lineaje generated security advisory for calendro.fr.nf",
        "csaf_version": "2.0",
        "category": "csaf_security_advisory",
        "lang": "en",
        "notes": [
            {
                "title": "Legal Disclaimer",
                "category": "legal_disclaimer",
                "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. LINEAJE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors."
            }
        ],
        "publisher": {
            "category": [
                "translator"
            ],
            "issuing_authority": [
                "Lineaje Security Advisory"
            ],
            "name": [
                "Lineaje Inc."
            ],
            "namespace": "https://www.lineaje.com"
        },
        "tracking": {
            "id": "lineaje-78f5d464-30db-57b4-9253-f1fe21dd67ac",
            "generator": {
                "engine": {
                    "name": "LINEAJE INC"
                },
                "date": "2024-05-06T22:09:53.873514"
            }
        }
    },
    "product_tree": {
        "full_product_names": [
            {
                "name": "apache-zookeeper__3.7.1",
                "product_id": "apache-zookeeper__3.7.1"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2023-44981",
            "title": "CVE-2023-44981",
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "baseScore": "9.1",
                        "exploitabilityScore": "3.9",
                        "impactScore": "5.2",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                    }
                }
            ],
            "references": [
                {
                    "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b"
                },
                {
                    "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4"
                },
                {
                    "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html"
                },
                {
                    "url": "https://www.debian.org/security/2023/dsa-5544"
                },
                {
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
                }
            ],
            "product_status": {
                "fixed": [
                    "apache-zookeeper__3.7.1"
                ]
            }
        },
        {
            "cve": "CVE-2022-2048",
            "title": "CVE-2022-2048",
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "baseScore": "7.5",
                        "exploitabilityScore": "3.9",
                        "impactScore": "3.6",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                    }
                }
            ],
            "references": [
                {
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048"
                },
                {
                    "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j"
                },
                {
                    "url": "http://www.openwall.com/lists/oss-security/2022/09/09/2"
                },
                {
                    "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html"
                },
                {
                    "url": "https://www.debian.org/security/2022/dsa-5198"
                },
                {
                    "url": "https://security.netapp.com/advisory/ntap-20220901-0006/"
                }
            ],
            "product_status": {
                "fixed": [
                    "apache-zookeeper__3.7.1"
                ]
            }
        }
     ]
}

What happens when I upload a CSAF?

Lineaje platform will re-calculate the overall risk score of your application based on the mitigations provided by the CSAF document. The IRL gets recalculated the Lineaje Risk Graph shows a new blue star in the new quadrant.

A CSAF upload will result in the re-assessment of all projects across the different Lineaje products (SBOM360, SBOM360Hub, OSM). The re-assessment assumes the project names to match with the project names shown in the projects page(from left navigation bar). The project name and version should be separated by "__" in the CSAF document.

For apache-zookeeper:3.7.1, here is a sample from CSAF document

       "full_product_names": [
            {
                "name": "apache-zookeeper__3.7.1",
                "product_id": "apache-zookeeper__3.7.1"
            }
        ]

"vulnerabilities": [
    {
        "cve": "CVE-2023-44981",
        "title": "CVE-2023-44981",
        "scores": [...],
        "product_status": {
            "fixed": [
                "apache-zookeeper__3.7.1"
            ]
        }
    }
]

Can I generate a CSAF?

Lineaje platform provides you options to generate a CSAF document.

If mitigations were applied to projects, those status will be included in the generated CSAF document
If no mitigations were applied, then Lineaje platform makes the status of each project as "under_investigation". Once the vulnerability analysis is done, this CSAF document can be updated and then uploaded back in Lineaje to calculate the new risk of the projects.

CSAF document can be generated for a project or for a vulnerability or for a SKU(list of associated projects) etc.

Projects page (from left navigation bar) provides an option under "Action" menu to download a CSAF for the project

Serach page (from left navigation bar) provides an option to download CSAF. This option is very flexible. A CSAF can be generated for a CVE or for a project or for an organization or for the entire company. Here is an example to generate CSAF for a CVE

PreviousVulnerabilities NextSecurity Posture

Last updated 7 months ago

{ "document": { "title": "Lineaje generated security advisory for calendro.fr.nf", "csaf_version": "2.0", "category": "csaf_security_advisory", "lang": "en", "notes": [ { "title": "Legal Disclaimer", "category": "legal_disclaimer", "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. LINEAJE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors." } ], "publisher": { "category": [ "translator" ], "issuing_authority": [ "Lineaje Security Advisory" ], "name": [ "Lineaje Inc." ], "namespace": "https://www.lineaje.com" }, "tracking": { "id": "lineaje-78f5d464-30db-57b4-9253-f1fe21dd67ac", "generator": { "engine": { "name": "LINEAJE INC" }, "date": "2024-05-06T22:09:53.873514" } } }, "product_tree": { "full_product_names": [ { "name": "apache-zookeeper__3.7.1", "product_id": "apache-zookeeper__3.7.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-44981", "title": "CVE-2023-44981", "scores": [ { "cvss_v3": { "version": "3.1", "baseScore": "9.1", "exploitabilityScore": "3.9", "impactScore": "5.2", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } } ], "references": [ { "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b" }, { "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4" }, { "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html" }, { "url": "https://www.debian.org/security/2023/dsa-5544" }, { "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981" } ], "product_status": { "fixed": [ "apache-zookeeper__3.7.1" ] } }, { "cve": "CVE-2022-2048", "title": "CVE-2022-2048", "scores": [ { "cvss_v3": { "version": "3.1", "baseScore": "7.5", "exploitabilityScore": "3.9", "impactScore": "3.6", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048" }, { "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j" }, { "url": "http://www.openwall.com/lists/oss-security/2022/09/09/2" }, { "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html" }, { "url": "https://www.debian.org/security/2022/dsa-5198" }, { "url": "https://security.netapp.com/advisory/ntap-20220901-0006/" } ], "product_status": { "fixed": [ "apache-zookeeper__3.7.1" ] } } ] }

"vulnerabilities": [ { "cve": "CVE-2023-44981", "title": "CVE-2023-44981", "scores": [...], "product_status": { "fixed": [ "apache-zookeeper__3.7.1" ] } } ]