How to integrate SSVC into CVE ADP? #288
Replies: 4 comments 2 replies
-
|
Discussion #289 may have some bearing on this topic too. |
Beta Was this translation helpful? Give feedback.
-
|
Confirming and adding some detail:
It would be nice to have one official SSVC JSON schema even if the CISA SSVC ADP pilot only uses a subset or slight adaptation as needed to fit into CVE ADP JSON. |
Beta Was this translation helpful? Give feedback.
-
|
Work in progress on the ADP JSON cc @jwoytek "metrics": [
{
"other": {
"type": "ssvc",
"content": {
"id": string (vul id, in this case CVE ID),
"options": [
{
"Exploitation": string
},
{
"Automatable": string
},
{
"Technical Impact": string
}
],
"role": string,
"timestamp": string(ISO8601 format date score created),
"version": string (major.minor.patch),
"computed": string(optional),
"decision_tree": object (full decision tree, optional),
"decision_tree_url": string (URL to decision tree, optional),
"generator": string(optional),
}
}
} |
Beta Was this translation helpful? Give feedback.
-
|
The above is an informal take after iterating on it for a few rounds, adapted from the published SSVC JSON schema. I can formalize this if that would make it easier to iterate and discuss. |
Beta Was this translation helpful? Give feedback.
-
|
We should sync this with / try to resolve #289 (comment) before committing too hard to a schema. |
Beta Was this translation helpful? Give feedback.
-
|
This topic has evolved toward |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Starting a discussion to continue discussion between @j--- and @sei-vsarvepalli and others.
General gist:
Beta Was this translation helpful? Give feedback.
All reactions