10-15-2024 02:28 AM
Hi!
I'm going through the Vulnerability Response module and I'm trying to understand nuances of NVD and CWE integrations. I have a case of some github related vulnerabilities that match CWE-540 (inclusion of sensitive information in source code), however I cannot see any reference for github vulnerability connected with CWE-540 in NVD. What should I do in this case? Can I match vulnerability item with CWE instead of CVE record? Or should I use something that looks the most appropriate from what is already in the NVD?
Thanks for any suggestions!
10-17-2024 12:29 PM
Gotcha ...
Do we have plans to look at using the ServiceNow built Store App integration for GitHub and App VR at some point, in the future? That really seems like the happy-path here 🙂
-------------------------------------------------------------
For the Secret Scanning bit - perhaps you could create a new record in the Application Vuln Entry table, linked to that CWE-540, and then use that as the referenced Vulnerability for each Secret Scanning finding (VIT) you create?
I am not sure if other CVEs or CWEs would be relevant for the Secrets scanning findings?
-------------------------------------------------------------
For the Code Scanning bit, I think you would want to see what type of data is coming from your intermediary tool - ideally they'd have something like a library with the GitHub Security Advisory, that links to one or more CWEs ...
That would be used to create records in the Application Vuln Entry table, and then your VITs (would really suggest using AVR/AVITs, but I suppose this should work in VR/VIT) would reference those in the Vulnerability field.
------------------------------------------------------------------------
For GitHub Dependabot Alerts / Vuln Advisories work, consider that a given CVE may have one or more CWEs tied to it.
You would want to leverage the CVE data for the Vulnerability on VITs.
- https://github.com/advisories/GHSA-mjvf-4h88-6xm3
11-13-2024 11:36 AM
Hey there,
Interesting - for manually created entries in the App Vuln Entry table - the ID would be something that you define (either using a convention you have internally, or something related to a finding from an automated tool).
As a user that is part of the baseline "Ethical Hacker" User Group - you should have permissions to create the record, and set the ID based on your situation.
Can you try testing this out?
https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/vulnerability-app-vul...
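As an added illustration of the mapping the replies above describe (not code from the thread or from ServiceNow), here is a plain JavaScript model of the decision: findings that carry a CVE reference that record, findings without one (such as Secret Scanning hits) reference a manually created entry keyed by its CWE, and repeated findings reuse the same entry. The table, field names, sample findings and the CVE number are constructed placeholders, not the real schema or real advisories.

```javascript
// Added example: models the CVE-vs-CWE mapping discussed in the thread.
// Table/field names are illustrative placeholders, not ServiceNow's schema.

// Constructed sample findings from an intermediary tool (not real alerts).
const FINDINGS = [
  { source: "secret_scanning", repo: "acme/api", cwes: ["CWE-540"] },
  { source: "secret_scanning", repo: "acme/web", cwes: ["CWE-540"] },
  // Placeholder CVE id; one CVE may be tied to more than one CWE.
  { source: "dependabot", repo: "acme/api", cve: "CVE-0000-00001", cwes: ["CWE-79", "CWE-80"] },
  { source: "code_scanning", repo: "acme/web", cwes: ["CWE-89"] },
];

// In-memory stand-in for the Application Vuln Entry table, keyed by the ID
// convention you define (here: the CVE id, or the CWE id for manual entries).
class VulnEntryTable {
  constructor() { this.rows = new Map(); }
  // Find-or-create keeps one entry per ID, so repeated findings share it.
  findOrCreate(id, attrs) {
    if (!this.rows.has(id)) this.rows.set(id, { id, ...attrs });
    return this.rows.get(id);
  }
}

// Choose the Vulnerability reference for a finding: the CVE record when the
// finding has one, otherwise a manually defined entry keyed by its single CWE.
function entryIdFor(finding) {
  if (finding.cve) return finding.cve;
  if (finding.cwes && finding.cwes.length === 1) return finding.cwes[0];
  throw new Error("finding has no CVE and no single CWE to key on: " + JSON.stringify(finding));
}

// Build one vulnerable item (VIT/AVIT stand-in) per finding, each pointing at
// its vulnerability entry; returns both the items and the distinct entries.
function buildVulnerableItems(findings, table = new VulnEntryTable()) {
  const vits = findings.map((f) => {
    const id = entryIdFor(f);
    const entry = table.findOrCreate(id, { cwes: f.cwes, origin: f.cve ? "nvd" : "manual" });
    return { repo: f.repo, source: f.source, vulnerability: entry.id };
  });
  return { vits, entries: [...table.rows.values()] };
}

module.exports = { FINDINGS, VulnEntryTable, entryIdFor, buildVulnerableItems };
```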
11-27-2024 12:04 AM
Thanks, that worked!