Merged
1 change: 1 addition & 0 deletions data/json/decision_points/cvss/attack_complexity_3.json
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."}, {"key": "H", "name": "High", "description": "A successful attack depends on conditions beyond the attacker's control."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [{"key": "L", "name": "Low", "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "}, {"key": "H", "name": "High", "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."}]}
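Review bot: In the High value, "These include:" announces a list but only one item follows ("Evasion of exploit mitigation techniques."), and the sentence after it reads like that item's explanation, so this looks like a bullet list that was flattened on import. Please compare it with the source wording and either restore the remaining items or rephrase it as a plain sentence. The metric description and the Low description also end in a trailing space ("working exploit. ", "vulnerable system. "); trimming them keeps string comparisons and generated docs clean.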
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", "name": "Attack Requirements", "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [{"key": "N", "name": "None", "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."}, {"key": "P", "name": "Present", "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."}]}
1 change: 1 addition & 0 deletions data/json/decision_points/cvss/attack_vector_3.json
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [{"key": "P", "name": "Physical", "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."}, {"key": "L", "name": "Local", "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."}, {"key": "A", "name": "Adjacent", "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."}, {"key": "N", "name": "Network", "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."}]}
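Review bot: The Physical description carries over a footnote marker, "evil maid attack [1]", but nothing in this JSON object lets footnote 1 resolve, so a consumer sees a dangling reference. Drop the marker or fold the cited text into the description. The metric description also ends with a trailing space ("is possible. ").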
1 change: 1 addition & 0 deletions data/json/decision_points/cvss/attack_vector_3_0_1.json
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [{"key": "P", "name": "Physical", "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."}, {"key": "L", "name": "Local", "description": "The vulnerable system is not bound to the network stack and the attacker\u2019s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."}, {"key": "A", "name": "Adjacent", "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. 
This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."}, {"key": "N", "name": "Network", "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed \u201cremotely exploitable\u201d and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."}]}
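Review bot: The Physical description has a footnote number fused onto the word, "evil maid attack1", which should be removed (the 3.0.0 file has the same leftover as "[1]"). In the Network description, "extends beyond the other options listed below" refers to a table layout that does not exist here, where the other values are listed before Network in the array; rewording it to "the other options" avoids the wrong pointer. The Adjacent description is also displayed with a break after "logically adjacent topology. " although the hunk header says one line; if the string contains a literal line break or separator character, it should be removed or escaped.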
1 change: 1 addition & 0 deletions data/json/decision_points/cvss/authentication_1.json
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [{"key": "N", "name": "Not Required", "description": "Authentication is not required to access or exploit the vulnerability."}, {"key": "R", "name": "Required", "description": "Authentication is required to access and exploit the vulnerability."}]}
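Review bot: The values array here runs N (Not Required) then R (Required), while authentication_2.json runs M, S, N, so the two versions of the same decision point order their values in opposite directions relative to "no authentication needed". If consumers are meant to treat array position as ordinal, pick one direction and apply it to both files; if order carries no meaning, say so in the schema docs. The two descriptions also differ in "access or exploit" versus "access and exploit", which is worth making consistent unless the difference is intended.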
1 change: 1 addition & 0 deletions data/json/decision_points/cvss/authentication_2.json
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [{"key": "M", "name": "Multiple", "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."}, {"key": "S", "name": "Single", "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."}, {"key": "N", "name": "None", "description": "Authentication is not required to exploit the vulnerability."}]}
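Review bot: The metric description contains "The possible values for this metric are listed in Table 3.", which points at a table in the source specification that is not part of this file. Remove that sentence; the "values" array already plays that role. The closing sentence about scoring ("the higher the vulnerability score") is also about the scoring formula rather than the decision point, so consider whether it belongs in the description.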
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on availability."}, {"key": "P", "name": "Partial", "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."}, {"key": "C", "name": "Complete", "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the availability of the system."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]}
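Review bot: Terminology is mixed inside this one version: None and Low speak of the "Vulnerable System", but High still says "resources in the impacted component" and is word-for-word the 2.0.0 High text. If 2.0.1 is meant to carry the updated wording, the High description needs the same update; otherwise a reader cannot tell whether "impacted component" and "Vulnerable System" are the same thing.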
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
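Review bot: The top-level description, "This metric measures the impact to the availability of a successfully exploited vulnerability.", describes Availability Impact, not Availability Requirement, and looks copied from the "A" decision point. The values here are about how much loss of availability matters to the organization, so the description should say that, along the lines of the 1.1.1 text. The same sentence is repeated in the 1.1.0 file and should be fixed there as well.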
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Availability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "values": [{"key": "N", "name": "None", "description": "There is no potential for physical or property damage."}, {"key": "L", "name": "Low", "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."}, {"key": "M", "name": "Medium", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for loss of life or physical assets.", "values": [{"key": "N", "name": "None", "description": "There is no potential for loss of life, physical assets, productivity or revenue."}, {"key": "LM", "name": "Low-Medium", "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."}, {"key": "MH", "name": "Medium-High", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
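Review bot: The values go straight from "N" to "LM"; the "L" (Low) value present in the 1.0.0 file has no counterpart here, so either it was dropped by accident or its removal should be confirmed against the source. The None description also mentions "productivity or revenue", which the metric description ("loss of life or physical assets") and the other value descriptions never cover; align the description with the values.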
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on confidentiality."}, {"key": "P", "name": "Partial", "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."}, {"key": "C", "name": "Complete", "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]}
@@ -0,0 +1 @@
{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]}
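Review bot: Only the metric description changed relative to 2.0.0; all three value descriptions are identical and still refer to "the impacted component", while the new description talks about "the system". Either update the value descriptions to match the new wording or note why a version bump is warranted when the values are unchanged.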