diff --git a/data/json/decision_points/automatable_2_0_0.json b/data/json/decision_points/automatable_2_0_0.json
index 90ac4a09..a44086f9 100644
--- a/data/json/decision_points/automatable_2_0_0.json
+++ b/data/json/decision_points/automatable_2_0_0.json
@@ -17,4 +17,4 @@
 "description": "Attackers can reliably automate steps 1-4 of the kill chain."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/access_complexity_1_0_0.json b/data/json/decision_points/cvss/access_complexity_1_0_0.json
new file mode 100644
index 00000000..30e88f11
--- /dev/null
+++ b/data/json/decision_points/cvss/access_complexity_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AC",
+ "name": "Access Complexity",
+ "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/access_complexity_2_0_0.json b/data/json/decision_points/cvss/access_complexity_2_0_0.json
new file mode 100644
index 00000000..09c795fc
--- /dev/null
+++ b/data/json/decision_points/cvss/access_complexity_2_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AC",
+ "name": "Access Complexity",
+ "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Specialized access conditions or extenuating circumstances do not exist."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "The access conditions are somewhat specialized."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Specialized access conditions exist."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/access_vector_1_0_0.json b/data/json/decision_points/cvss/access_vector_1_0_0.json
new file mode 100644
index 00000000..beee709d
--- /dev/null
+++ b/data/json/decision_points/cvss/access_vector_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AV",
+ "name": "Access Vector",
+ "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Local",
+ "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ },
+ {
+ "key": "R",
+ "name": "Remote",
+ "description": "The vulnerability is exploitable remotely."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/access_vector_2_0_0.json b/data/json/decision_points/cvss/access_vector_2_0_0.json
new file mode 100644
index 00000000..9f68fb5a
--- /dev/null
+++ b/data/json/decision_points/cvss/access_vector_2_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AV",
+ "name": "Access Vector",
+ "description": "This metric reflects the context by which vulnerability exploitation is possible.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Local",
+ "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+ },
+ {
+ "key": "A",
+ "name": "Adjacent Network",
+ "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ },
+ {
+ "key": "N",
+ "name": "Network",
+ "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/attack_complexity_3.json b/data/json/decision_points/cvss/attack_complexity_3_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/attack_complexity_3.json
rename to data/json/decision_points/cvss/attack_complexity_3_0_0.json
index 895283e4..b9dd8584 100644
--- a/data/json/decision_points/cvss/attack_complexity_3.json
+++ b/data/json/decision_points/cvss/attack_complexity_3_0_0.json
@@ -17,4 +17,4 @@
 "description": "A successful attack depends on conditions beyond the attacker's control."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json
index 86686214..7f49cf1d 100644
--- a/data/json/decision_points/cvss/attack_complexity_3_0_1.json
+++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json
@@ -17,4 +17,4 @@
 "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_requirements_1.json b/data/json/decision_points/cvss/attack_requirements_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/attack_requirements_1.json
rename to data/json/decision_points/cvss/attack_requirements_1_0_0.json
index 0a7d65f8..4232fa7b 100644
--- a/data/json/decision_points/cvss/attack_requirements_1.json
+++ b/data/json/decision_points/cvss/attack_requirements_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_vector_3.json b/data/json/decision_points/cvss/attack_vector_3_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/attack_vector_3.json
rename to data/json/decision_points/cvss/attack_vector_3_0_0.json
index 43f2ca06..612e5c72 100644
--- a/data/json/decision_points/cvss/attack_vector_3.json
+++ b/data/json/decision_points/cvss/attack_vector_3_0_0.json
@@ -27,4 +27,4 @@
 "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json
index 22006bd9..fbf31693 100644
--- a/data/json/decision_points/cvss/attack_vector_3_0_1.json
+++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json
@@ -27,4 +27,4 @@
 "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/authentication_1.json b/data/json/decision_points/cvss/authentication_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/authentication_1.json
rename to data/json/decision_points/cvss/authentication_1_0_0.json
index 059f7f59..0e2f41e7 100644
--- a/data/json/decision_points/cvss/authentication_1.json
+++ b/data/json/decision_points/cvss/authentication_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "Authentication is required to access and exploit the vulnerability."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/authentication_2.json b/data/json/decision_points/cvss/authentication_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/authentication_2.json
rename to data/json/decision_points/cvss/authentication_2_0_0.json
index 3550aecb..98a1037b 100644
--- a/data/json/decision_points/cvss/authentication_2.json
+++ b/data/json/decision_points/cvss/authentication_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "Authentication is not required to exploit the vulnerability."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/automatable_1_0_0.json b/data/json/decision_points/cvss/automatable_1_0_0.json
new file mode 100644
index 00000000..9601b871
--- /dev/null
+++ b/data/json/decision_points/cvss/automatable_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AU",
+ "name": "Automatable",
+ "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+ "values": [
+ {
+ "key": "N",
+ "name": "No",
+ "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ },
+ {
+ "key": "Y",
+ "name": "Yes",
+ "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/availability_impact_1.json b/data/json/decision_points/cvss/availability_impact_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_impact_1.json
rename to data/json/decision_points/cvss/availability_impact_1_0_0.json
index 07201d9f..4c2b59e3 100644
--- a/data/json/decision_points/cvss/availability_impact_1.json
+++ b/data/json/decision_points/cvss/availability_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_impact_2.json b/data/json/decision_points/cvss/availability_impact_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_impact_2.json
rename to data/json/decision_points/cvss/availability_impact_2_0_0.json
index 98d6e493..f3b37b02 100644
--- a/data/json/decision_points/cvss/availability_impact_2.json
+++ b/data/json/decision_points/cvss/availability_impact_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_impact_2_0_1.json b/data/json/decision_points/cvss/availability_impact_2_0_1.json
index 1cc6921a..e815d46a 100644
--- a/data/json/decision_points/cvss/availability_impact_2_0_1.json
+++ b/data/json/decision_points/cvss/availability_impact_2_0_1.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_requirement_1.json b/data/json/decision_points/cvss/availability_requirement_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_requirement_1.json
rename to data/json/decision_points/cvss/availability_requirement_1_0_0.json
index 9f436294..cbffe72a 100644
--- a/data/json/decision_points/cvss/availability_requirement_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_requirement_1_1.json
rename to data/json/decision_points/cvss/availability_requirement_1_1_0.json
index c1719568..66dec4d4 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_1_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json
index 80f909c5..9e4a94fe 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1.json b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/collateral_damage_potential_1.json
rename to data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
index a2f3f630..b650ad2f 100644
--- a/data/json/decision_points/cvss/collateral_damage_potential_1.json
+++ b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2.json b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/collateral_damage_potential_2.json
rename to data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
index 26af28f9..c08f0fe8 100644
--- a/data/json/decision_points/cvss/collateral_damage_potential_2.json
+++ b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
@@ -32,4 +32,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_impact_1.json
rename to data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
index feaed5b0..f8e633e6 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_1.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_impact_2.json
rename to data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
index f56c8f62..5d8f0826 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_2.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json
index ce5046e2..4c72a5d5 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
rename to data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
index ff897172..741722cd 100644
--- a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_requirement_1.json
rename to data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
index 64966a4b..988ee409 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_requirement_1_1.json
rename to data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
index bedacd44..2c508587 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
index eecf2cac..2e1ef437 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
new file mode 100644
index 00000000..9046163e
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ1",
+ "name": "Equivalence Set 1",
+ "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: AV:N and PR:N and UI:N"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
new file mode 100644
index 00000000..f9fa06e5
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ2",
+ "name": "Equivalence Set 2",
+ "description": "AC/AT with 2 levels specified in Table 25",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "1: not (AC:L and AT:N)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: AC:L and AT:N"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
new file mode 100644
index 00000000..a617a8f4
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
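Review bot: In equivalence_set_1_1_0_0.json the value descriptions pack the macrovector level (`2:`, `1:`, `0:`) and the boolean condition into free text, and nothing in the file states that level 0 is the highest one, so `"key": "L"` next to `2:` reads like a mismatch to anyone who has not seen the referenced table. The top-level description also cites "Table 24" without naming the document it belongs to; something like `"description": "AV/PR/UI with 3 levels (0 = High, 2 = Low) specified in Table 24 of the CVSS specification"` would make the file self-explanatory, assuming that is the intended source. The same applies to the equivalence_set_2 through equivalence_set_6 files added in this diff. In the `L` value, `not(AV:N or PR:N or UI:N)` is the only expression written without a space after `not`; every other expression uses `not (`, which matters if any tool ever tokenises these strings.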
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ3",
+ "name": "Equivalence Set 3",
+ "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: not (VC:H or VI:H or VA:H)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: VC:H and VI:H"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
new file mode 100644
index 00000000..761d6ec8
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ4",
+ "name": "Equivalence Set 4",
+ "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: MSI:S or MSA:S"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
new file mode 100644
index 00000000..1f1b7eec
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ5",
+ "name": "Equivalence Set 5",
+ "description": "E with 3 levels specified in Table 28",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: E:U"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: E:P"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: E:A"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
new file mode 100644
index 00000000..599ec3b1
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ6",
+ "name": "Equivalence Set 6",
+ "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
new file mode 100644
index 00000000..a900808a
--- /dev/null
+++ b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
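Review bot: The top-level description in equivalence_set_6_1_0_0.json names the requirement metrics as `CR/CI/CA`, but both value descriptions in the same file use `CR:H`, `IR:H` and `AR:H`, so the description refers to two abbreviations (`CI`, `CA`) that appear nowhere else in the file. If the description is meant to list the metrics the conditions test, it should read `"description": "VC/VI/VA+CR/IR/AR with 2 levels specified in Table 29",`. If the wording is instead copied verbatim from the referenced table, that is worth recording where these files are generated so the mismatch is not read as a transcription error later.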
@@ -0,0 +1,35 @@
+{
+ "namespace": "cvss",
+ "version": "1.2.0",
+ "schemaVersion": "1-0-1",
+ "key": "E",
+ "name": "Exploit Code Maturity",
+ "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unproven",
+ "description": "No exploit code is available, or an exploit is theoretical."
+ },
+ {
+ "key": "POC",
+ "name": "Proof-of-Concept",
+ "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
+ },
+ {
+ "key": "F",
+ "name": "Functional",
+ "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
new file mode 100644
index 00000000..879891f6
--- /dev/null
+++ b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
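Review bot: The Proof-of-Concept value in exploit_code_maturity_1_2_0.json is keyed `"key": "POC"`, while exploit_maturity_2_0_0.json in this same diff keys the identically named value as `"P"`, and CVSS v3.x vector strings abbreviate Exploit Code Maturity's proof-of-concept value as `E:P`. A consumer that maps vector-string abbreviations onto these keys would not find `P` for this version, so the exploit-maturity input could be missed when a score or prioritisation decision is derived from it. Unless `POC` is kept on purpose for continuity with an earlier version of this decision point (it looks inherited from the older Exploitability abbreviation, which is not shown here), change the line to `"key": "P",`. Separately, the top-level description starts mid-sentence (`measures the likelihood…`) and has no final period, unlike the 2.0.0 file's `This metric measures …`.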
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "E",
+ "name": "Exploit Maturity",
+ "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unreported",
+ "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ },
+ {
+ "key": "P",
+ "name": "Proof-of-Concept",
+ "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ },
+ {
+ "key": "A",
+ "name": "Attacked",
+ "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/exploitability_1.json b/data/json/decision_points/cvss/exploitability_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/exploitability_1.json
rename to data/json/decision_points/cvss/exploitability_1_0_0.json
index a4251052..be804085 100644
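Review bot: The `U` description in exploit_maturity_2_0_0.json refers to a value called `“POC”`, but this record's key for Proof-of-Concept is `P`; `POC` is the key used in exploit_code_maturity_1_2_0.json, so a reader or tool matching the text against this record's keys will not find it. The `U`, `P` and `A` descriptions also run what look like separate list items together with no separator (`... must apply: No knowledge of ... No knowledge of ...`), which makes the "each of" and "either of" conditions hard to tell apart. If the wording does not have to stay verbatim, referring to the values by name (Proof-of-Concept, Attacked) and separating the conditions with semicolons would remove both problems.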
--- a/data/json/decision_points/cvss/exploitability_1.json
+++ b/data/json/decision_points/cvss/exploitability_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/exploitability_1_1.json b/data/json/decision_points/cvss/exploitability_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/exploitability_1_1.json
rename to data/json/decision_points/cvss/exploitability_1_1_0.json
index a66619c8..f2d07e9d 100644
--- a/data/json/decision_points/cvss/exploitability_1_1.json
+++ b/data/json/decision_points/cvss/exploitability_1_1_0.json
@@ -32,4 +32,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/impact_bias_1.json b/data/json/decision_points/cvss/impact_bias_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/impact_bias_1.json
rename to data/json/decision_points/cvss/impact_bias_1_0_0.json
index 2a49fde0..97039be4 100644
--- a/data/json/decision_points/cvss/impact_bias_1.json
+++ b/data/json/decision_points/cvss/impact_bias_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/integrity_impact_1.json
rename to data/json/decision_points/cvss/integrity_impact_1_0_0.json
index bb9d0b30..cf1dcc9b 100644
--- a/data/json/decision_points/cvss/integrity_impact_1.json
+++ b/data/json/decision_points/cvss/integrity_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/integrity_impact_2.json b/data/json/decision_points/cvss/integrity_impact_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/integrity_impact_2.json
rename to data/json/decision_points/cvss/integrity_impact_2_0_0.json
index 9bc278ad..48102023 100644
--- a/data/json/decision_points/cvss/integrity_impact_2.json
+++ b/data/json/decision_points/cvss/integrity_impact_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is a total loss of integrity, or a complete loss of protection."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_1.json b/data/json/decision_points/cvss/integrity_impact_2_0_1.json
index 95671937..59579fbd 100644
--- a/data/json/decision_points/cvss/integrity_impact_2_0_1.json
+++ b/data/json/decision_points/cvss/integrity_impact_2_0_1.json
@@ -22,4 +22,4 @@
 "description": "There is a total loss of integrity, or a complete loss of protection."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/subsequent_integrity_impact_1.json
rename to data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json
index a6baf936..ab4089b3 100644
--- a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json
+++ b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1.json b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/integrity_requirement_1.json
rename to data/json/decision_points/cvss/integrity_requirement_1_0_0.json
index 33ef7161..73d07de1 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_0_1.json
similarity index 99%
rename from data/json/decision_points/cvss/integrity_requirement_1_1_1.json
rename to data/json/decision_points/cvss/integrity_requirement_1_0_1.json
index 9f54fe28..4c8e1762 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_0_1.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/integrity_requirement_1_1.json
rename to data/json/decision_points/cvss/integrity_requirement_1_1_0.json
index 405b1500..5515b3b4 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json
new file mode 100644
index 00000000..09fa2cab
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MAC",
+ "name": "Modified Attack Complexity",
+ "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "A successful attack depends on conditions beyond the attacker's control."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json new file mode 100644 index 00000000..9ddd5581 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "MAC", + "name": "Modified Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "values": [ + { + "key": "L", + "name": "Low", + "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + }, + { + "key": "H", + "name": "High", + "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json new file mode 100644 index 00000000..be523348 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json 
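Review bot: Two strings in modified_attack_complexity_3_0_1.json end with a trailing space: the top-level `description` (`"... obtain a working exploit. "`) and the `L` value (`"... against the vulnerable system. "`); modified_attack_vector_3_0_0.json has the same in its `description` (`"... exploitation is possible. "`). The stray whitespace is carried into every consumer of these records and makes string comparison between versions noisy. Trimming the values, ideally in whatever generates these files, would avoid that.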
@@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MAT", + "name": "Modified Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "P", + "name": "Present", + "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json new file mode 100644 index 00000000..afb49892 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json 
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "MAV", + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." + }, + { + "key": "A", + "name": "Adjacent", + "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} 
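Review bot: The `P` value description in modified_attack_vector_3_0_0.json carries a footnote reference, `evil maid attack [1]`, but the record has no place to hold the footnote, so the marker points at nothing. modified_attack_vector_3_0_1.json has the same leftover fused into the word (`evil maid attack1`). Dropping the marker in both, e.g. `(e.g. evil maid attack)`, would keep the text self-contained.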
diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json new file mode 100644 index 00000000..32f378f7 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json 
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "MAV", + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. 
This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json new file mode 100644 index 00000000..861be583 --- /dev/null +++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json 
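Review bot: The `N` value description in modified_attack_vector_3_0_1.json says the set of possible attackers "extends beyond the other options listed below", but in this record `N` is the last scored value and the other options (`P`, `L`, `A`) are listed above it. The wording presumably follows a source that lists Network first. `extends beyond the other options listed` (or `listed above`) would match the order used here.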
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MA",
+ "name": "Modified Availability Impact",
+ "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to the availability of the system."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "There is reduced performance or interruptions in resource availability."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json
new file mode 100644
index 00000000..793c5579
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MA", + "name": "Modified Availability Impact", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json new file mode 100644 index 00000000..5920006a --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json 
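Review bot: The `H` value in modified_availability_impact_2_0_1.json still speaks of "resources in the impacted component", while the `N` and `L` values of the same record use "the Vulnerable System". The `H` text is identical to the one in modified_availability_impact_2_0_0.json, so it looks as if it was not updated along with the other two; if that is unintended, `... fully deny access to resources in the Vulnerable System; ...` would make the three values consistent. modified_confidentiality_impact_2_0_1.json likewise changes only the top-level description and keeps "impacted component" in every value.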
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MC", + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json new file mode 100644 index 00000000..027f96a0 --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MC", + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..1abda292 --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSC", + "name": "Modified Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json new file mode 100644 index 00000000..359fb804 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json 
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MI",
+ "name": "Modified Integrity Impact",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to the integrity of the system."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json
new file mode 100644
index 00000000..a02b0fe3
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.1",
+ "schemaVersion": "1-0-1",
+ "key": "MI",
+ "name": "Modified Integrity Impact",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of integrity within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json
new file mode 100644
index 00000000..ec3d57b3
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSI", + "name": "Modified Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "S", + "name": "Safety", + "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + } + ] +} 
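Review bot: The `S` (Safety) value in modified_integrity_impact_to_the_subsequent_system_1_0_0.json is appended after `X` (Not Defined), whereas the other complete records in this diff that define `X` list it last in `values`. If consumers treat `values` as an ordered scale, which the consistent progression elsewhere (e.g. `N`, `L`, `H`, `X`) suggests, Safety in last position would be read as sitting beyond Not Defined rather than next to High. Placing the `S` object directly after `H` (assuming Safety is meant to rank above High) and keeping `X` last would avoid mis-ranking in anything that derives severity from position. The top-level `description` also never mentions safety, so the `S` value is unexplained at the record level.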
diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json new file mode 100644 index 00000000..b31ad194 --- /dev/null +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MPR", + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json new file mode 100644 index 00000000..92297091 --- /dev/null +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json 
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.1",
+ "schemaVersion": "1-0-1",
+ "key": "MPR",
+ "name": "Modified Privileges Required",
+ "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "values": [
+ {
+ "key": "H",
+ "name": "High",
+ "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_scope_1_0_0.json b/data/json/decision_points/cvss/modified_scope_1_0_0.json
new file mode 100644
index 00000000..21d82cba
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_scope_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MS",
+ "name": "Modified Scope",
+ "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unchanged",
+ "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ },
+ {
+ "key": "C",
+ "name": "Changed",
+ "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json b/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json
new file mode 100644
index 00000000..d8f83c65
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json
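Review bot: The top-level `description` of Modified Scope is a lower-case fragment with no closing period that defines scope itself rather than saying what the metric measures, which makes it the odd one out among the descriptions added in this commit. An analyst reading this text in a scoring tool gets no hint that the value records whether impact crosses an authorization boundary. I would reword it as a full sentence, for example `"description": "This metric captures whether a vulnerability in one software component can impact resources beyond its means or privileges."`. If the text is inherited from the base Scope decision point, which is presumably generated from the same source, the two should be changed together.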
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MSA",
+ "name": "Modified Subsequent Availability Impact",
+ "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "values": [
+ {
+ "key": "N",
+ "name": "Negligible",
+ "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json
new file mode 100644
index 00000000..cea0d0c0
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json
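Review bot: The MSA value list stops at `N`, `L`, `H`, `X`, while the sibling MSI decision point added in this same commit also carries `S` (Safety). CVSS v4.0 defines the Safety value for both Modified Subsequent System Integrity and Modified Subsequent System Availability, so an environmental vector containing `MSA:S` would have no matching value here and an assessment that depends on it would silently lose the safety signal. I would add an entry `{"key": "S", "name": "Safety", "description": ...}` mirroring the one in the MSI file. If the omission is deliberate, the top-level `description` should say so.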
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MUI",
+ "name": "Modified User Interaction",
+ "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "values": [
+ {
+ "key": "R",
+ "name": "Required",
+ "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "description": "The vulnerable system can be exploited without interaction from any user."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json
new file mode 100644
index 00000000..a4242ca6
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MUI",
+ "name": "Modified User Interaction",
+ "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "values": [
+ {
+ "key": "A",
+ "name": "Active",
+ "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ },
+ {
+ "key": "P",
+ "name": "Passive",
+ "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/privileges_required_1.json b/data/json/decision_points/cvss/privileges_required_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/privileges_required_1.json
rename to data/json/decision_points/cvss/privileges_required_1_0_0.json
index 003960ee..e7a14402 100644
--- a/data/json/decision_points/cvss/privileges_required_1.json
+++ b/data/json/decision_points/cvss/privileges_required_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json
index e46eb67d..79c6c94a 100644
--- a/data/json/decision_points/cvss/privileges_required_1_0_1.json
+++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json
@@ -22,4 +22,4 @@
 "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/provider_urgency_1_0_0.json b/data/json/decision_points/cvss/provider_urgency_1_0_0.json
new file mode 100644
index 00000000..0e277cca
--- /dev/null
+++ b/data/json/decision_points/cvss/provider_urgency_1_0_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "U",
+ "name": "Provider Urgency",
+ "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
+ "values": [
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ },
+ {
+ "key": "C",
+ "name": "Clear",
+ "description": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
+ },
+ {
+ "key": "G",
+ "name": "Green",
+ "description": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ },
+ {
+ "key": "A",
+ "name": "Amber",
+ "description": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ },
+ {
+ "key": "R",
+ "name": "Red",
+ "description": "Provider has assessed the impact of this vulnerability as having the highest urgency."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/recovery_1_0_0.json b/data/json/decision_points/cvss/recovery_1_0_0.json
new file mode 100644
index 00000000..8a4beda9
--- /dev/null
+++ b/data/json/decision_points/cvss/recovery_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "R",
+ "name": "Recovery",
+ "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
+ "values": [
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ },
+ {
+ "key": "A",
+ "name": "Automatic",
+ "description": "The system recovers services automatically after an attack has been performed."
+ },
+ {
+ "key": "U",
+ "name": "User",
+ "description": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ },
+ {
+ "key": "I",
+ "name": "Irrecoverable",
+ "description": "The system services are irrecoverable by the user, after an attack has been performed."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/remediation_level_1.json b/data/json/decision_points/cvss/remediation_level_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/remediation_level_1.json
rename to data/json/decision_points/cvss/remediation_level_1_0_0.json
index a71b3444..11f9384f 100644
--- a/data/json/decision_points/cvss/remediation_level_1.json
+++ b/data/json/decision_points/cvss/remediation_level_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "There is either no solution available or it is impossible to apply."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/remediation_level_1_1.json b/data/json/decision_points/cvss/remediation_level_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/remediation_level_1_1.json
rename to data/json/decision_points/cvss/remediation_level_1_1_0.json
index 0855a3fb..ccaa439c 100644
--- a/data/json/decision_points/cvss/remediation_level_1_1.json
+++ b/data/json/decision_points/cvss/remediation_level_1_1_0.json
@@ -32,4 +32,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/report_confidence_1.json b/data/json/decision_points/cvss/report_confidence_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/report_confidence_1.json
rename to data/json/decision_points/cvss/report_confidence_1_0_0.json
index 01fc795f..85940cf0 100644
--- a/data/json/decision_points/cvss/report_confidence_1.json
+++ b/data/json/decision_points/cvss/report_confidence_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/report_confidence_1_1.json b/data/json/decision_points/cvss/report_confidence_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/report_confidence_1_1.json
rename to data/json/decision_points/cvss/report_confidence_1_1_0.json
index be9759a7..691f1e87 100644
--- a/data/json/decision_points/cvss/report_confidence_1_1.json
+++ b/data/json/decision_points/cvss/report_confidence_1_1_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/report_confidence_2.json b/data/json/decision_points/cvss/report_confidence_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/report_confidence_2.json
rename to data/json/decision_points/cvss/report_confidence_2_0_0.json
index 794d8da4..502e1291 100644
--- a/data/json/decision_points/cvss/report_confidence_2.json
+++ b/data/json/decision_points/cvss/report_confidence_2_0_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/safety_1_0_0.json b/data/json/decision_points/cvss/safety_1_0_0.json
new file mode 100644
index 00000000..a72a7cd6
--- /dev/null
+++ b/data/json/decision_points/cvss/safety_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "S",
+ "name": "Safety",
+ "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
+ "values": [
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ },
+ {
+ "key": "P",
+ "name": "Present",
+ "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
+ },
+ {
+ "key": "N",
+ "name": "Negligible",
+ "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/scope_1.json b/data/json/decision_points/cvss/scope_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/scope_1.json
rename to data/json/decision_points/cvss/scope_1_0_0.json
index 9dbdef2e..2ed72c80 100644
--- a/data/json/decision_points/cvss/scope_1.json
+++ b/data/json/decision_points/cvss/scope_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
 }
 ]
-}
\ No newline at end of file
+}
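Review bot: The new safety_1_0_0.json registers Safety under `"key": "S"` in the `cvss` namespace at version `1.0.0`, which looks likely to collide with the base Scope decision point. Modified Scope in this commit uses `MS`, which suggests (the Scope file's key is not visible in its hunk) that scope_1_0_0.json is also `S` at `1.0.0`. If consumers index decision points by namespace, key and version, one definition would shadow the other and a stored Scope value could be read against the Safety value list. I would give Safety a distinct key, for example `"key": "SF"`, or confirm that lookups also include `name`. Separately, the values here run `X`, `P`, `N`, so Present precedes Negligible, the reverse of the ascending order used by the other supplemental metrics in this commit.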
diff --git a/data/json/decision_points/cvss/subsequent_availability_impact_1.json b/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/subsequent_availability_impact_1.json
rename to data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json
index 76d1190c..a7ed8c04 100644
--- a/data/json/decision_points/cvss/subsequent_availability_impact_1.json
+++ b/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/target_distribution_1.json b/data/json/decision_points/cvss/target_distribution_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/target_distribution_1.json
rename to data/json/decision_points/cvss/target_distribution_1_0_0.json
index 7cbaccec..1d86b7ca 100644
--- a/data/json/decision_points/cvss/target_distribution_1.json
+++ b/data/json/decision_points/cvss/target_distribution_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/target_distribution_1_1.json b/data/json/decision_points/cvss/target_distribution_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/target_distribution_1_1.json
rename to data/json/decision_points/cvss/target_distribution_1_1_0.json
index 45d295da..bc126152 100644
--- a/data/json/decision_points/cvss/target_distribution_1_1.json
+++ b/data/json/decision_points/cvss/target_distribution_1_1_0.json
@@ -32,4 +32,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/user_interaction_1.json b/data/json/decision_points/cvss/user_interaction_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/user_interaction_1.json
rename to data/json/decision_points/cvss/user_interaction_1_0_0.json
index 8c378db1..84f623ba 100644
--- a/data/json/decision_points/cvss/user_interaction_1.json
+++ b/data/json/decision_points/cvss/user_interaction_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "The vulnerable system can be exploited without interaction from any user."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/user_interaction_2.json b/data/json/decision_points/cvss/user_interaction_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/user_interaction_2.json
rename to data/json/decision_points/cvss/user_interaction_2_0_0.json
index 98b997d5..7794cc14 100644
--- a/data/json/decision_points/cvss/user_interaction_2.json
+++ b/data/json/decision_points/cvss/user_interaction_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/value_density_1_0_0.json b/data/json/decision_points/cvss/value_density_1_0_0.json
new file mode 100644
index 00000000..a4f06724
--- /dev/null
+++ b/data/json/decision_points/cvss/value_density_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "V",
+ "name": "Value Density",
+ "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
+ "values": [
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ },
+ {
+ "key": "D",
+ "name": "Diffuse",
+ "description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
+ },
+ {
+ "key": "C",
+ "name": "Concentrated",
+ "description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json
new file mode 100644
index 00000000..71e2f3cc
--- /dev/null
+++ b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "RE",
+ "name": "Vulnerability Response Effort",
+ "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
+ "values": [
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "The effort required to respond to a vulnerability is low/trivial."
+ },
+ {
+ "key": "M",
+ "name": "Moderate",
+ "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
+ }
+ ]
+}
diff --git a/data/json/decision_points/exploitation_1_0_0.json b/data/json/decision_points/exploitation_1_0_0.json
index d7099083..42242c30 100644
--- a/data/json/decision_points/exploitation_1_0_0.json
+++ b/data/json/decision_points/exploitation_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/exploitation_1_1_0.json b/data/json/decision_points/exploitation_1_1_0.json
index aed0a7af..f436738a 100644
--- a/data/json/decision_points/exploitation_1_1_0.json
+++ b/data/json/decision_points/exploitation_1_1_0.json
@@ -22,4 +22,4 @@
 "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/human_impact_2_0_0.json b/data/json/decision_points/human_impact_2_0_0.json
index ce7a8b4e..b9fec592 100644
--- a/data/json/decision_points/human_impact_2_0_0.json
+++ b/data/json/decision_points/human_impact_2_0_0.json
@@ -27,4 +27,4 @@
 "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/human_impact_2_0_1.json b/data/json/decision_points/human_impact_2_0_1.json
index fd21da49..9fd6ba91 100644
--- a/data/json/decision_points/human_impact_2_0_1.json
+++ b/data/json/decision_points/human_impact_2_0_1.json
@@ -27,4 +27,4 @@
 "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json
index d63cda57..20c2ad3a 100644
--- a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json
+++ b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/mission_impact_1_0_0.json b/data/json/decision_points/mission_impact_1_0_0.json
index 3ede44f1..3dd1a4ba 100644
--- a/data/json/decision_points/mission_impact_1_0_0.json
+++ b/data/json/decision_points/mission_impact_1_0_0.json
@@ -29,7 +29,7 @@
 {
 "key": "MF",
 "name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
+ "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/mission_impact_2_0_0.json b/data/json/decision_points/mission_impact_2_0_0.json
index d1a578a3..51f392e9 100644
--- a/data/json/decision_points/mission_impact_2_0_0.json
+++ b/data/json/decision_points/mission_impact_2_0_0.json
@@ -24,7 +24,7 @@
 {
 "key": "MF",
 "name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
+ "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/public_safety_impact_2_0_0.json b/data/json/decision_points/public_safety_impact_2_0_0.json
index 4cf25b4f..03eaa0d8 100644
--- a/data/json/decision_points/public_safety_impact_2_0_0.json
+++ b/data/json/decision_points/public_safety_impact_2_0_0.json
@@ -17,4 +17,4 @@
 "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/public_safety_impact_2_0_1.json b/data/json/decision_points/public_safety_impact_2_0_1.json
index 2f76bbff..e61afe04 100644
--- a/data/json/decision_points/public_safety_impact_2_0_1.json
+++ b/data/json/decision_points/public_safety_impact_2_0_1.json
@@ -17,4 +17,4 @@
 "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/public_value_added_1_0_0.json b/data/json/decision_points/public_value_added_1_0_0.json
index 772e5de0..a376f8bb 100644
--- a/data/json/decision_points/public_value_added_1_0_0.json
+++ b/data/json/decision_points/public_value_added_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/public_well-being_impact_1_0_0.json b/data/json/decision_points/public_well-being_impact_1_0_0.json
index a963ea06..2b1c02bd 100644
--- a/data/json/decision_points/public_well-being_impact_1_0_0.json
+++ b/data/json/decision_points/public_well-being_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/report_credibility_1_0_0.json b/data/json/decision_points/report_credibility_1_0_0.json
index f9ff77f7..06f2d323 100644
--- a/data/json/decision_points/report_credibility_1_0_0.json
+++ b/data/json/decision_points/report_credibility_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "The report is credible."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/report_public_1_0_0.json b/data/json/decision_points/report_public_1_0_0.json
index 67151fd2..ba36050a 100644
--- a/data/json/decision_points/report_public_1_0_0.json
+++ b/data/json/decision_points/report_public_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "No public report of the vulnerability exists."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/safety_impact_1_0_0.json b/data/json/decision_points/safety_impact_1_0_0.json
index e25fc5d3..7aadf352 100644
--- a/data/json/decision_points/safety_impact_1_0_0.json
+++ b/data/json/decision_points/safety_impact_1_0_0.json
@@ -24,7 +24,7 @@
 {
 "key": "H",
 "name": "Hazardous",
- "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
 },
 {
 "key": "C",
@@ -32,4 +32,4 @@ "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/safety_impact_2_0_0.json b/data/json/decision_points/safety_impact_2_0_0.json index 0c78a0e6..19d74d6b 100644 --- a/data/json/decision_points/safety_impact_2_0_0.json +++ b/data/json/decision_points/safety_impact_2_0_0.json @@ -19,7 +19,7 @@ { "key": "R", "name": "Critical", - "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." }, { "key": "C", @@ -27,4 +27,4 @@ "description": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_cardinality_1_0_0.json b/data/json/decision_points/supplier_cardinality_1_0_0.json index b4ad4c7c..0adc8300 100644 --- a/data/json/decision_points/supplier_cardinality_1_0_0.json +++ b/data/json/decision_points/supplier_cardinality_1_0_0.json @@ -17,4 +17,4 @@ "description": "There are multiple suppliers of the vulnerable component." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_contacted_1_0_0.json b/data/json/decision_points/supplier_contacted_1_0_0.json index 8eaf7976..2cceb5ed 100644 --- a/data/json/decision_points/supplier_contacted_1_0_0.json +++ b/data/json/decision_points/supplier_contacted_1_0_0.json @@ -17,4 +17,4 @@ "description": "The supplier has been contacted." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_engagement_1_0_0.json b/data/json/decision_points/supplier_engagement_1_0_0.json index 2f741598..ffd69c94 100644 --- a/data/json/decision_points/supplier_engagement_1_0_0.json +++ b/data/json/decision_points/supplier_engagement_1_0_0.json 
@@ -4,17 +4,17 @@
 "schemaVersion": "1-0-1",
 "key": "SE",
 "name": "Supplier Engagement",
- "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?",
+ "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
 "values": [
 {
 "key": "A",
 "name": "Active",
- "description": "The supplier is responding to the reporter\u2019s contact effort and actively participating in the coordination effort."
+ "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
 },
 {
 "key": "U",
 "name": "Unresponsive",
- "description": "The supplier is not responding to the reporter\u2019s contact effort and not actively participating in the coordination effort."
+ "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/supplier_involvement_1_0_0.json b/data/json/decision_points/supplier_involvement_1_0_0.json
index e43b79c7..d9c5b433 100644
--- a/data/json/decision_points/supplier_involvement_1_0_0.json
+++ b/data/json/decision_points/supplier_involvement_1_0_0.json
@@ -4,7 +4,7 @@
 "schemaVersion": "1-0-1",
 "key": "SI",
 "name": "Supplier Involvement",
- "description": "What is the state of the supplier\u2019s work on addressing the vulnerability?",
+ "description": "What is the state of the supplier’s work on addressing the vulnerability?",
 "values": [
 {
 "key": "FR",
@@ -22,4 +22,4 @@
 "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/system_exposure_1_0_0.json b/data/json/decision_points/system_exposure_1_0_0.json
index 5b77eb1b..45671101 100644
--- a/data/json/decision_points/system_exposure_1_0_0.json
+++ b/data/json/decision_points/system_exposure_1_0_0.json
@@ -14,7 +14,7 @@
 {
 "key": "C",
 "name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
 },
 {
 "key": "U",
@@ -22,4 +22,4 @@
 "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/system_exposure_1_0_1.json b/data/json/decision_points/system_exposure_1_0_1.json
index d2fca848..a6b713d4 100644
--- a/data/json/decision_points/system_exposure_1_0_1.json
+++ b/data/json/decision_points/system_exposure_1_0_1.json
@@ -14,7 +14,7 @@
 {
 "key": "C",
 "name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
 },
 {
 "key": "O",
@@ -22,4 +22,4 @@
 "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/technical_impact_1_0_0.json b/data/json/decision_points/technical_impact_1_0_0.json
index 6b9c8676..5f3c7375 100644
--- a/data/json/decision_points/technical_impact_1_0_0.json
+++ b/data/json/decision_points/technical_impact_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/utility_1_0_0.json b/data/json/decision_points/utility_1_0_0.json
index a54ebebd..033b00a3 100644
--- a/data/json/decision_points/utility_1_0_0.json
+++ b/data/json/decision_points/utility_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Virulence:Rapid and Value Density:Concentrated"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/utility_1_0_1.json b/data/json/decision_points/utility_1_0_1.json
index 53e39a8a..79091345 100644
--- a/data/json/decision_points/utility_1_0_1.json
+++ b/data/json/decision_points/utility_1_0_1.json
@@ -22,4 +22,4 @@
 "description": "Automatable:Yes AND Value Density:Concentrated"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/value_density_1_0_0.json b/data/json/decision_points/value_density_1_0_0.json
index f0022b5e..725b53fe 100644
--- a/data/json/decision_points/value_density_1_0_0.json
+++ b/data/json/decision_points/value_density_1_0_0.json
@@ -14,7 +14,7 @@
 {
 "key": "C",
 "name": "Concentrated",
- "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of \u201csystem operators\u201d rather than users."
+ "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/virulence_1_0_0.json b/data/json/decision_points/virulence_1_0_0.json
index 98eee786..5d2200d9 100644
--- a/data/json/decision_points/virulence_1_0_0.json
+++ b/data/json/decision_points/virulence_1_0_0.json
@@ -17,4 +17,4 @@ "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." } ] -} \ No newline at end of file +} diff --git a/docs/_generated/decision_points/automatable.md b/docs/_generated/decision_points/automatable.md deleted file mode 120000 index a8229e62..00000000 --- a/docs/_generated/decision_points/automatable.md +++ /dev/null @@ -1 +0,0 @@ -automatable_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/automatable_2_0_0.md b/docs/_generated/decision_points/automatable_2_0_0.md deleted file mode 100644 index 20084953..00000000 --- a/docs/_generated/decision_points/automatable_2_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Automatable v2.0.0" - -=== "Text" - - Can an attacker reliably automate creating exploitation events for this vulnerability? - - | Value | Definition | - |:-----|:-----------| - | No | Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation. | - | Yes | Attackers can reliably automate steps 1-4 of the kill chain. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/automatable_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/exploitation.md b/docs/_generated/decision_points/exploitation.md deleted file mode 120000 index 083c9359..00000000 --- a/docs/_generated/decision_points/exploitation.md +++ /dev/null @@ -1 +0,0 @@ -exploitation_1_1_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/exploitation_1_0_0.md b/docs/_generated/decision_points/exploitation_1_0_0.md deleted file mode 100644 index a4ab75dd..00000000 --- a/docs/_generated/decision_points/exploitation_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Exploitation v1.0.0" - -=== "Text" - - The present state of exploitation of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. | - | PoC | One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. | - | Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/exploitation_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/exploitation_1_1_0.md b/docs/_generated/decision_points/exploitation_1_1_0.md deleted file mode 100644 index 910b8080..00000000 --- a/docs/_generated/decision_points/exploitation_1_1_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Exploitation v1.1.0" - -=== "Text" - - The present state of exploitation of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. | - | Public PoC | One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation. | - | Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/exploitation_1_1_0.json" %} - ``` 
diff --git a/docs/_generated/decision_points/human_impact.md b/docs/_generated/decision_points/human_impact.md deleted file mode 120000 index 22faf37a..00000000 --- a/docs/_generated/decision_points/human_impact.md +++ /dev/null @@ -1 +0,0 @@ -human_impact_2_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/human_impact_2_0_0.md b/docs/_generated/decision_points/human_impact_2_0_0.md deleted file mode 100644 index 15ff4c86..00000000 --- a/docs/_generated/decision_points/human_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Human Impact v2.0.0" - -=== "Text" - - Human Impact is a combination of Safety and Mission impacts. - - | Value | Definition | - |:-----|:-----------| - | Low | Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled) | - | Medium | (Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled)) | - | High | (Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure) | - | Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/human_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/human_impact_2_0_1.md b/docs/_generated/decision_points/human_impact_2_0_1.md deleted file mode 100644 index 122c1d7c..00000000 --- a/docs/_generated/decision_points/human_impact_2_0_1.md +++ /dev/null 
@@ -1,19 +0,0 @@ - -!!! note "Human Impact v2.0.1" - -=== "Text" - - Human Impact is a combination of Safety and Mission impacts. - - | Value | Definition | - |:-----|:-----------| - | Low | Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled) | - | Medium | (Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled)) | - | High | (Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure) | - | Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/human_impact_2_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_and_well-being_impact.md b/docs/_generated/decision_points/mission_and_well-being_impact.md deleted file mode 120000 index ffa452e7..00000000 --- a/docs/_generated/decision_points/mission_and_well-being_impact.md +++ /dev/null @@ -1 +0,0 @@ -mission_and_well-being_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md b/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md deleted file mode 100644 index 7a8affcd..00000000 --- a/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Mission and Well-Being Impact v1.0.0" - -=== "Text" - - Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact. - - | Value | Definition | - |:-----|:-----------| - | Low | Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal | - | Medium | Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material) | - | High | Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_and_well-being_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_impact.md b/docs/_generated/decision_points/mission_impact.md deleted file mode 120000 index 938009ab..00000000 --- a/docs/_generated/decision_points/mission_impact.md +++ /dev/null @@ -1 +0,0 @@ -mission_impact_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/mission_impact_1_0_0.md b/docs/_generated/decision_points/mission_impact_1_0_0.md deleted file mode 100644 index e97cba5a..00000000 --- a/docs/_generated/decision_points/mission_impact_1_0_0.md +++ /dev/null 
@@ -1,20 +0,0 @@ - -!!! note "Mission Impact v1.0.0" - -=== "Text" - - Impact on Mission Essential Functions of the Organization - - | Value | Definition | - |:-----|:-----------| - | None | Little to no impact | - | Non-Essential Degraded | Degradation of non-essential functions; chronic degradation would eventually harm essential functions | - | MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time | - | MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time | - | Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_impact_2_0_0.md b/docs/_generated/decision_points/mission_impact_2_0_0.md deleted file mode 100644 index 4738bf7a..00000000 --- a/docs/_generated/decision_points/mission_impact_2_0_0.md +++ /dev/null 
@@ -1,19 +0,0 @@ - -!!! note "Mission Impact v2.0.0" - -=== "Text" - - Impact on Mission Essential Functions of the Organization - - | Value | Definition | - |:-----|:-----------| - | Degraded | Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions | - | MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time | - | MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time | - | Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_safety_impact.md b/docs/_generated/decision_points/public_safety_impact.md deleted file mode 120000 index d2071e3b..00000000 --- a/docs/_generated/decision_points/public_safety_impact.md +++ /dev/null @@ -1 +0,0 @@ -public_safety_impact_2_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_safety_impact_2_0_0.md b/docs/_generated/decision_points/public_safety_impact_2_0_0.md deleted file mode 100644 index 4566df3b..00000000 --- a/docs/_generated/decision_points/public_safety_impact_2_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Public Safety Impact v2.0.0" - -=== "Text" - - A coarse-grained representation of impact to public safety. - - | Value | Definition | - |:-----|:-----------| - | Minimal | Safety Impact:(None OR Minor) | - | Significant | Safety Impact:(Major OR Hazardous OR Catastrophic) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_safety_impact_2_0_0.json" %} - ``` 
diff --git a/docs/_generated/decision_points/public_safety_impact_2_0_1.md b/docs/_generated/decision_points/public_safety_impact_2_0_1.md deleted file mode 100644 index 1d561484..00000000 --- a/docs/_generated/decision_points/public_safety_impact_2_0_1.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Public Safety Impact v2.0.1" - -=== "Text" - - A coarse-grained representation of impact to public safety. - - | Value | Definition | - |:-----|:-----------| - | Minimal | Safety Impact:Negligible | - | Significant | Safety Impact:(Marginal OR Critical OR Catastrophic) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_safety_impact_2_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/public_value_added.md b/docs/_generated/decision_points/public_value_added.md deleted file mode 120000 index b185dcb5..00000000 --- a/docs/_generated/decision_points/public_value_added.md +++ /dev/null @@ -1 +0,0 @@ -public_value_added_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_value_added_1_0_0.md b/docs/_generated/decision_points/public_value_added_1_0_0.md deleted file mode 100644 index daa27817..00000000 --- a/docs/_generated/decision_points/public_value_added_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Public Value Added v1.0.0" - -=== "Text" - - How much value would a publication from the coordinator benefit the broader community? - - | Value | Definition | - |:-----|:-----------| - | Limited | Minimal value added to the existing public information because existing information is already high quality and in multiple outlets. | - | Ampliative | Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc. | - | Precedence | The publication would be the first publicly available, or be coincident with the first publicly available. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_value_added_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_well-being_impact.md b/docs/_generated/decision_points/public_well-being_impact.md deleted file mode 120000 index 52bbe1c7..00000000 --- a/docs/_generated/decision_points/public_well-being_impact.md +++ /dev/null @@ -1 +0,0 @@ -public_well-being_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_well-being_impact_1_0_0.md b/docs/_generated/decision_points/public_well-being_impact_1_0_0.md deleted file mode 100644 index ae6c11e5..00000000 --- a/docs/_generated/decision_points/public_well-being_impact_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Public Well-Being Impact v1.0.0" - -=== "Text" - - A coarse-grained representation of impact to public well-being. - - | Value | Definition | - |:-----|:-----------| - | Minimal | The effect is below the threshold for all aspects described in material. | - | Material | Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. | - | Irreversible | Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_well-being_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/report_credibility.md b/docs/_generated/decision_points/report_credibility.md deleted file mode 120000 index 549fae08..00000000 --- a/docs/_generated/decision_points/report_credibility.md +++ /dev/null @@ -1 +0,0 @@ -report_credibility_1_0_0.md \ No newline at end of file 
diff --git a/docs/_generated/decision_points/report_credibility_1_0_0.md b/docs/_generated/decision_points/report_credibility_1_0_0.md deleted file mode 100644 index 09f5d64d..00000000 --- a/docs/_generated/decision_points/report_credibility_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Report Credibility v1.0.0" - -=== "Text" - - Is the report credible? - - | Value | Definition | - |:-----|:-----------| - | Not Credible | The report is not credible. | - | Credible | The report is credible. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/report_credibility_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/report_public.md b/docs/_generated/decision_points/report_public.md deleted file mode 120000 index 1bd15fd2..00000000 --- a/docs/_generated/decision_points/report_public.md +++ /dev/null @@ -1 +0,0 @@ -report_public_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/report_public_1_0_0.md b/docs/_generated/decision_points/report_public_1_0_0.md deleted file mode 100644 index 997c8d5e..00000000 --- a/docs/_generated/decision_points/report_public_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Report Public v1.0.0" - -=== "Text" - - Is a viable report of the details of the vulnerability already publicly available? - - | Value | Definition | - |:-----|:-----------| - | Yes | A public report of the vulnerability exists. | - | No | No public report of the vulnerability exists. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/report_public_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/safety_impact.md b/docs/_generated/decision_points/safety_impact.md deleted file mode 120000 index e3cfa4d7..00000000 --- a/docs/_generated/decision_points/safety_impact.md +++ /dev/null @@ -1 +0,0 @@ -safety_impact_2_0_0.md \ No newline at end of file 
diff --git a/docs/_generated/decision_points/safety_impact_1_0_0.md b/docs/_generated/decision_points/safety_impact_1_0_0.md deleted file mode 100644 index 0575b6e1..00000000 --- a/docs/_generated/decision_points/safety_impact_1_0_0.md +++ /dev/null 
@@ -1,20 +0,0 @@ - -!!! note "Safety Impact v1.0.0" - -=== "Text" - - The safety impact of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | The effect is below the threshold for all aspects described in Minor. | - | Minor | Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. | - | Major | Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. 
Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. | - | Hazardous | Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A. | - | Catastrophic | Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/safety_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/safety_impact_2_0_0.md b/docs/_generated/decision_points/safety_impact_2_0_0.md deleted file mode 100644 index 61326a77..00000000 
--- a/docs/_generated/decision_points/safety_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Safety Impact v2.0.0" - -=== "Text" - - The safety impact of the vulnerability. (based on IEC 61508) - - | Value | Definition | - |:-----|:-----------| - | Negligible | Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. | - | Marginal | Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. | - | Critical | Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A. | - | Catastrophic | Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/safety_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_cardinality.md b/docs/_generated/decision_points/supplier_cardinality.md deleted file mode 120000 index 518ef0e7..00000000 --- a/docs/_generated/decision_points/supplier_cardinality.md +++ /dev/null @@ -1 +0,0 @@ -supplier_cardinality_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_cardinality_1_0_0.md b/docs/_generated/decision_points/supplier_cardinality_1_0_0.md deleted file mode 100644 index 91874a69..00000000 --- a/docs/_generated/decision_points/supplier_cardinality_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Cardinality v1.0.0" - -=== "Text" - - How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan? - - | Value | Definition | - |:-----|:-----------| - | One | There is only one supplier of the vulnerable component. | - | Multiple | There are multiple suppliers of the vulnerable component. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_cardinality_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_contacted.md b/docs/_generated/decision_points/supplier_contacted.md deleted file mode 120000 index 7a40d514..00000000 --- a/docs/_generated/decision_points/supplier_contacted.md +++ /dev/null @@ -1 +0,0 @@ -supplier_contacted_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_contacted_1_0_0.md b/docs/_generated/decision_points/supplier_contacted_1_0_0.md deleted file mode 100644 index 57964ada..00000000 --- a/docs/_generated/decision_points/supplier_contacted_1_0_0.md +++ /dev/null 
@@ -1,17 +0,0 @@ - -!!! note "Supplier Contacted v1.0.0" - -=== "Text" - - Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method? - - | Value | Definition | - |:-----|:-----------| - | No | The supplier has not been contacted. | - | Yes | The supplier has been contacted. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_contacted_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_engagement.md b/docs/_generated/decision_points/supplier_engagement.md deleted file mode 120000 index 7a13d88e..00000000 --- a/docs/_generated/decision_points/supplier_engagement.md +++ /dev/null @@ -1 +0,0 @@ -supplier_engagement_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_engagement_1_0_0.md b/docs/_generated/decision_points/supplier_engagement_1_0_0.md deleted file mode 100644 index 4ab0298f..00000000 --- a/docs/_generated/decision_points/supplier_engagement_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Engagement v1.0.0" - -=== "Text" - - Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort? - - | Value | Definition | - |:-----|:-----------| - | Active | The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort. | - | Unresponsive | The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_engagement_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_involvement.md b/docs/_generated/decision_points/supplier_involvement.md deleted file mode 120000 index 9f97027b..00000000 --- a/docs/_generated/decision_points/supplier_involvement.md +++ /dev/null 
@@ -1 +0,0 @@ -supplier_involvement_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_involvement_1_0_0.md b/docs/_generated/decision_points/supplier_involvement_1_0_0.md deleted file mode 100644 index d11d3d6d..00000000 --- a/docs/_generated/decision_points/supplier_involvement_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Supplier Involvement v1.0.0" - -=== "Text" - - What is the state of the supplier’s work on addressing the vulnerability? - - | Value | Definition | - |:-----|:-----------| - | Fix Ready | The supplier has provided a patch or fix. | - | Cooperative | The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time. | - | Uncooperative/Unresponsive | The supplier has not responded, declined to generate a remediation, or no longer exists. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_involvement_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/system_exposure.md b/docs/_generated/decision_points/system_exposure.md deleted file mode 120000 index 38c20e7b..00000000 --- a/docs/_generated/decision_points/system_exposure.md +++ /dev/null @@ -1 +0,0 @@ -system_exposure_1_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/system_exposure_1_0_0.md b/docs/_generated/decision_points/system_exposure_1_0_0.md deleted file mode 100644 index f5d02ec8..00000000 --- a/docs/_generated/decision_points/system_exposure_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "System Exposure v1.0.0" - -=== "Text" - - The Accessible Attack Surface of the Affected System or Service - - | Value | Definition | - |:-----|:-----------| - | Small | Local service or program; highly controlled network | - | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. | - | Unavoidable | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/system_exposure_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/system_exposure_1_0_1.md b/docs/_generated/decision_points/system_exposure_1_0_1.md deleted file mode 100644 index a24beb92..00000000 --- a/docs/_generated/decision_points/system_exposure_1_0_1.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "System Exposure v1.0.1" - -=== "Text" - - The Accessible Attack Surface of the Affected System or Service - - | Value | Definition | - |:-----|:-----------| - | Small | Local service or program; highly controlled network | - | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. | - | Open | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/system_exposure_1_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/technical_impact.md b/docs/_generated/decision_points/technical_impact.md deleted file mode 120000 index 8418d098..00000000 --- a/docs/_generated/decision_points/technical_impact.md +++ /dev/null @@ -1 +0,0 @@ -technical_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/technical_impact_1_0_0.md b/docs/_generated/decision_points/technical_impact_1_0_0.md deleted file mode 100644 index 543f744d..00000000 --- a/docs/_generated/decision_points/technical_impact_1_0_0.md +++ /dev/null 
@@ -1,17 +0,0 @@ - -!!! note "Technical Impact v1.0.0" - -=== "Text" - - The technical impact of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | Partial | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. | - | Total | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/technical_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/utility.md b/docs/_generated/decision_points/utility.md deleted file mode 120000 index 73464668..00000000 --- a/docs/_generated/decision_points/utility.md +++ /dev/null @@ -1 +0,0 @@ -utility_1_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/utility_1_0_0.md b/docs/_generated/decision_points/utility_1_0_0.md deleted file mode 100644 index f05120fa..00000000 --- a/docs/_generated/decision_points/utility_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Utility v1.0.0" - -=== "Text" - - The Usefulness of the Exploit to the Adversary - - | Value | Definition | - |:-----|:-----------| - | Laborious | Virulence:Slow and Value Density:Diffuse | - | Efficient | Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated | - | Super Effective | Virulence:Rapid and Value Density:Concentrated | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/utility_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/utility_1_0_1.md b/docs/_generated/decision_points/utility_1_0_1.md deleted file mode 100644 index 3111782d..00000000 --- a/docs/_generated/decision_points/utility_1_0_1.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Utility v1.0.1" - -=== "Text" - - The Usefulness of the Exploit to the Adversary - - | Value | Definition | - |:-----|:-----------| - | Laborious | Automatable:No AND Value Density:Diffuse | - | Efficient | (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated) | - | Super Effective | Automatable:Yes AND Value Density:Concentrated | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/utility_1_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/value_density.md b/docs/_generated/decision_points/value_density.md deleted file mode 120000 index d65e392d..00000000 --- a/docs/_generated/decision_points/value_density.md +++ /dev/null @@ -1 +0,0 @@ -value_density_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/value_density_1_0_0.md b/docs/_generated/decision_points/value_density_1_0_0.md deleted file mode 100644 index e23853ce..00000000 --- a/docs/_generated/decision_points/value_density_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Value Density v1.0.0" - -=== "Text" - - The concentration of value in the target - - | Value | Definition | - |:-----|:-----------| - | Diffuse | The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small. | - | Concentrated | The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/value_density_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/virulence.md b/docs/_generated/decision_points/virulence.md deleted file mode 120000 index e14f67c6..00000000 --- a/docs/_generated/decision_points/virulence.md +++ /dev/null 
@@ -1 +0,0 @@ -virulence_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/virulence_1_0_0.md b/docs/_generated/decision_points/virulence_1_0_0.md deleted file mode 100644 index a8c231ee..00000000 --- a/docs/_generated/decision_points/virulence_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Virulence v1.0.0" - -=== "Text" - - The speed at which the vulnerability can be exploited. - - | Value | Definition | - |:-----|:-----------| - | Slow | Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. | - | Rapid | Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/virulence_1_0_0.json" %} - ``` diff --git a/docs/howto/acuity_ramp.md b/docs/howto/acuity_ramp.md index 13e4a2be..af3b467b 100644 --- a/docs/howto/acuity_ramp.md +++ b/docs/howto/acuity_ramp.md @@ -92,7 +92,12 @@ data collection and analysis capabilities increase. We demonstrate this with the [Exploit Prediction Scoring System](https://www.first.org/epss/) ([EPSS](https://www.first.org/epss/)) into their decision model. - {% include-markdown "../_generated/decision_points/exploitation_1_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.exploitation import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Asset Management (Acuity Level 3) 
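Review bot: The `LATEST` import in the acuity_ramp.md hunk at the end of this line drops the version pin that the removed include had (`exploitation_1_0_0.md`), so the table rendered here will change whenever a newer Exploitation version is added. The three later hunks in the same file do the same, and there the surrounding prose still names `SYSTEM_EXPOSURE_1_0_1`, `MISSION_IMPACT_2` and `SAFETY_IMPACT_1`. The removed symlink `safety_impact.md -> safety_impact_2_0_0.md` suggests `LATEST` for Safety Impact is v2.0.0, which would no longer match the text or the previously included `safety_impact_1_0_0.md`. If the modules export the versioned objects the prose refers to, importing those keeps the walkthrough stable, e.g. `from ssvc.decision_points.safety_impact import SAFETY_IMPACT_1 as SI` (name taken from the prose; confirm it exists).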
@@ -100,7 +105,12 @@ data collection and analysis capabilities increase. We demonstrate this with the asset data to reflect the degree to which a system is exposed to the internet, allowing them to incorporate the `SYSTEM_EXPOSURE_1_0_1` decision point into their decision model. - {% include-markdown "../_generated/decision_points/system_exposure_1_0_1.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.system_exposure import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Threat and Vulnerability Analysis (Acuity Level 4) @@ -111,7 +121,12 @@ data collection and analysis capabilities increase. We demonstrate this with the [National Vulnerability Database](https://nvd.nist.gov/) ([NVD](https://nvd.nist.gov/)) or by translating CVSS v3 or v4 scores into a value for this decision point. - {% include-markdown "../_generated/decision_points/automatable_2_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.automatable import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Mission and Safety Impact Understanding (Acuity Level 5) 
@@ -119,8 +134,15 @@ data collection and analysis capabilities increase. We demonstrate this with the degree to which a vulnerability impacts both their mission and public safety, allowing them to incorporate the `MISSION_IMPACT_2` and `SAFETY_IMPACT_1` decision points into their decision model. - {% include-markdown "../_generated/decision_points/mission_impact_2_0_0.md" %} - {% include-markdown "../_generated/decision_points/safety_impact_1_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.mission_impact import LATEST as MI + from ssvc.decision_points.safety_impact import LATEST as SI + + from ssvc.doc_helpers import example_block + + print(example_block(MI)) + print(example_block(SI)) + ``` In this way, the organization can grow into a more detailed decision model as their understanding and capabilities improve. diff --git a/docs/howto/bootstrap/use.md b/docs/howto/bootstrap/use.md index cbf9a4db..0f7ed8d1 100644 --- a/docs/howto/bootstrap/use.md +++ b/docs/howto/bootstrap/use.md @@ -139,7 +139,12 @@ If the analyst knows nothing, all states are possible. For example, [Utility](../../reference/decision_points/utility.md) may be [laborious](../../reference/decision_points/utility.md), [efficient](../../reference/decision_points/utility.md), or [super effective](../../reference/decision_points/system_exposure.md). - {% include-markdown "../../_generated/decision_points/utility.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.utility import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` The reason a stakeholder might publish a decision point with all its possible values is that doing so expresses that the analyst thought about [*Utility*](#utility) but does not have anything to communicate. A stakeholder might have information to communicate about some decision points but not others. 
@@ -151,9 +156,19 @@ The merit in this “list all values” approach emerges when the stakeholder kn Extending the previous example, say the analyst knows that [*Value Density*](../../reference/decision_points/value_density.md) is [diffuse](../../reference/decision_points/value_density.md) but does not know the value for [Automatability](../../reference/decision_points/automatable.md). - {% include-markdown "../../_generated/decision_points/value_density.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.value_density import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` + + ```python exec="true" idprefix="" + from ssvc.decision_points.automatable import LATEST + from ssvc.doc_helpers import example_block - {% include-markdown "../../_generated/decision_points/automatable.md" %} + print(example_block(LATEST)) + ``` Therefore they could rule out [super effective](../../reference/decision_points/utility.md) for [Utility](../../reference/decision_points/utility.md) diff --git a/docs/howto/coordination_triage_decision.md b/docs/howto/coordination_triage_decision.md index 18ef5d5c..ec5bf7f1 100644 --- a/docs/howto/coordination_triage_decision.md +++ b/docs/howto/coordination_triage_decision.md 
@@ -85,13 +85,19 @@ The remaining five decision points are: More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/report_public.md" %} -{% include-markdown "../_generated/decision_points/supplier_contacted.md" %} -{% include-markdown "../_generated/decision_points/report_credibility.md" %} -{% include-markdown "../_generated/decision_points/supplier_cardinality.md" %} -{% include-markdown "../_generated/decision_points/supplier_engagement.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_public import LATEST as RP +from ssvc.decision_points.supplier_contacted import LATEST as SC +from ssvc.decision_points.report_credibility import LATEST as RC +from ssvc.decision_points.supplier_cardinality import LATEST as SI +from ssvc.decision_points.supplier_engagement import LATEST as SE +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.public_safety_impact import LATEST as PSI +from ssvc.doc_helpers import example_block + +for dp in [RP, SC, RC, SI, SE, U, PSI]: + print(example_block(dp)) +``` ## Coordinator Triage Decision Model diff --git a/docs/howto/deployer_tree.md b/docs/howto/deployer_tree.md index 68853bc0..e6683150 100644 --- a/docs/howto/deployer_tree.md +++ b/docs/howto/deployer_tree.md 
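Review bot: The alias `SI` for `supplier_cardinality` in this coordination_triage_decision.md block collides with other uses of `SI` in the same change: Safety Impact in acuity_ramp.md and Supplier Involvement in publication_decision.md. `SE` has the same problem, meaning Supplier Engagement here and System Exposure in deployer_tree.md, so the list `[RP, SC, RC, SI, SE, U, PSI]` is easy to misread. A distinct alias would be clearer: `from ssvc.decision_points.supplier_cardinality import LATEST as SCARD` with `for dp in [RP, SC, RC, SCARD, SE, U, PSI]:`.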
@@ -114,10 +114,16 @@ The Deployer Patch Deployment Priority decision model uses the following decisio More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/system_exposure.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/human_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.system_exposure import LATEST as SE +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.human_impact import LATEST as HI +from ssvc.doc_helpers import example_block + +for dp in [EXP, SE, U, HI]: + print(example_block(dp)) +``` In the _Human Impact_ table above, *MEF* stands for Mission Essential Function. diff --git a/docs/howto/publication_decision.md b/docs/howto/publication_decision.md index a19a93d7..f727af0b 100644 --- a/docs/howto/publication_decision.md +++ b/docs/howto/publication_decision.md 
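Review bot: Nothing in the deployer_tree.md hunk, or in the sibling how-to hunks, tells a doc author that a fence marked `exec="true"` is run at build time rather than shown as a code sample, assuming the site build honours that attribute. The docs build would then depend on the `ssvc` package being importable, and Markdown edits could carry Python that runs inside the build job. A job that builds untrusted pull requests should therefore not hold publishing credentials. A short HTML comment above the fence would document this, e.g. `<!-- executed at build time; output replaces this block; requires the ssvc package -->`.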
@@ -136,10 +136,16 @@ and adds two new ones ([*Supplier Involvement*](../reference/decision_points/sup More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/supplier_involvement.md" %} -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/public_value_added.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_involvement import LATEST as SI +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.public_value_added import LATEST as PVA +from ssvc.doc_helpers import example_block + +for dp in [SI, EXP, PVA]: + print(example_block(dp)) +``` ## Coordinator Publication Decision Model diff --git a/docs/howto/supplier_tree.md b/docs/howto/supplier_tree.md index 380a1177..fc165e57 100644 --- a/docs/howto/supplier_tree.md +++ b/docs/howto/supplier_tree.md @@ -71,10 +71,17 @@ The decision to create a patch is based on the following decision points: More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/technical_impact.md" %} -{% include-markdown "../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.technical_impact import LATEST as TI +from ssvc.decision_points.public_safety_impact import LATEST as PSI + +from ssvc.doc_helpers import example_block + +for dp in [EXP, U, TI, PSI]: + print(example_block(dp)) +``` !!! tip "Public Safety Impact is a notational convenience" 
diff --git a/docs/reference/decision_points/automatable.md b/docs/reference/decision_points/automatable.md index 9b74a09b..171c7cbb 100644 --- a/docs/reference/decision_points/automatable.md +++ b/docs/reference/decision_points/automatable.md @@ -1,6 +1,13 @@ # Automatable -{% include-markdown "../../_generated/decision_points/automatable.md" %} + +```python exec="true" idprefix="" +from ssvc.decision_points.automatable import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + !!! tip "See also" @@ -57,8 +64,15 @@ Due to vulnerability chaining, there is some nuance as to whether reconnaissance ## Prior Versions +```python exec="true" idprefix="" +from ssvc.decision_points.automatable import VERSIONS +from ssvc.doc_helpers import prior_version, example_block -{% include-markdown "../../_generated/decision_points/virulence_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` !!! warning "*Virulence* is Superseded by *Automatable*" diff --git a/docs/reference/decision_points/exploitation.md b/docs/reference/decision_points/exploitation.md index 58b398c2..bed76396 100644 --- a/docs/reference/decision_points/exploitation.md +++ b/docs/reference/decision_points/exploitation.md @@ -1,6 +1,12 @@ # Exploitation -{% include-markdown "../../_generated/decision_points/exploitation.md" %} + +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` The intent of this measure is the present state of exploitation of the vulnerability. The intent is not to predict future exploitation but only to acknowledge the current state of affairs. Predictive systems, such as EPSS, could be used to augment this decision or to notify stakeholders of likely changes [@jacobs2021epss]. 
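Review bot: `prior_version` is imported but never used in the "Prior Versions" block added to automatable.md (second hunk on this line). The same unused import appears in the exploitation.md and human_impact.md blocks that follow, while mission_impact.md and public_safety_impact.md import only `example_block`. The import can be `from ssvc.doc_helpers import example_block` in all of them. The slice `VERSIONS[:-1]` also presumes the sequence is ordered oldest to newest with the current version last; if that is the contract, a one-line comment such as `# VERSIONS is ordered oldest-first; drop the latest` would make it explicit.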
@@ -46,4 +52,14 @@ The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC {{ read_csv('cwe/possible-cwe-with-poc-examples.csv') }} ---- \ No newline at end of file +## Prior Versions + +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import VERSIONS +from ssvc.doc_helpers import prior_version, example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/human_impact.md b/docs/reference/decision_points/human_impact.md index a8a22036..7f970a6b 100644 --- a/docs/reference/decision_points/human_impact.md +++ b/docs/reference/decision_points/human_impact.md @@ -1,6 +1,11 @@ # Human Impact -{% include-markdown "../../_generated/decision_points/human_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.human_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -43,6 +48,12 @@ see [Guidance on Communicating Results](../../howto/bootstrap/use.md). ## Prior Versions -{% include-markdown "../../_generated/decision_points/human_impact_2_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.human_impact import VERSIONS +from ssvc.doc_helpers import prior_version, example_block -{% include-markdown "../../_generated/decision_points/mission_and_well-being_impact_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/mission_impact.md b/docs/reference/decision_points/mission_impact.md index ca2a05c7..9af10310 100644 --- a/docs/reference/decision_points/mission_impact.md +++ b/docs/reference/decision_points/mission_impact.md 
@@ -1,6 +1,11 @@ # Mission Impact -{% include-markdown "../../_generated/decision_points/mission_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.mission_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -40,4 +45,12 @@ For example, if the [Utility](utility.md) is [*super effective*](utility.md), th ## Prior Versions -{% include-markdown "../../_generated/decision_points/mission_impact_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.mission_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/public_safety_impact.md b/docs/reference/decision_points/public_safety_impact.md index 1f26a47d..9943ddac 100644 --- a/docs/reference/decision_points/public_safety_impact.md +++ b/docs/reference/decision_points/public_safety_impact.md @@ -1,6 +1,11 @@ # Public Safety Impact -{% include-markdown "../../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_safety_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -17,6 +22,12 @@ Therefore we simplify the above into a binary categorization: ## Prior Versions -{% include-markdown "../../_generated/decision_points/public_safety_impact_2_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_safety_impact import VERSIONS +from ssvc.doc_helpers import example_block -{% include-markdown "../../_generated/decision_points/public_well-being_impact_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` 
diff --git a/docs/reference/decision_points/public_value_added.md b/docs/reference/decision_points/public_value_added.md index 03507837..ad5759a9 100644 --- a/docs/reference/decision_points/public_value_added.md +++ b/docs/reference/decision_points/public_value_added.md @@ -1,6 +1,12 @@ # Public Value Added -{% include-markdown "../../_generated/decision_points/public_value_added.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_value_added import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + The intent of the definition is that one rarely if ever transitions from _limited_ to _ampliative_ or _ampliative_ to _precedence_. A vulnerability could transition from _precedence_ to _ampliative_ and _ampliative_ to _limited_. diff --git a/docs/reference/decision_points/report_credibility.md b/docs/reference/decision_points/report_credibility.md index f508f7cd..647360a1 100644 --- a/docs/reference/decision_points/report_credibility.md +++ b/docs/reference/decision_points/report_credibility.md @@ -1,6 +1,12 @@ # Report Credibility -{% include-markdown "../../_generated/decision_points/report_credibility.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_credibility import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + An analyst should start with a presumption of credibility and proceed toward disqualification. The reason for this is that, as a coordinator, occasionally doing a bit of extra work on a bad report is preferable to rejecting legitimate reports. diff --git a/docs/reference/decision_points/report_public.md b/docs/reference/decision_points/report_public.md index 5f02a81e..aa795f2e 100644 --- a/docs/reference/decision_points/report_public.md +++ b/docs/reference/decision_points/report_public.md 
@@ -1,3 +1,8 @@ # Report Public -{% include-markdown "../../_generated/decision_points/report_public.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_public import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/safety_impact.md b/docs/reference/decision_points/safety_impact.md index 41cd2eb4..425dd7a0 100644 --- a/docs/reference/decision_points/safety_impact.md +++ b/docs/reference/decision_points/safety_impact.md @@ -1,6 +1,12 @@ # Safety Impact -{% include-markdown "../../_generated/decision_points/safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.safety_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + !!! tip "See also" @@ -214,5 +220,13 @@ We defer this topic for now because we combine it with [*Mission Impact*](missio ## Prior Versions -{% include-markdown "../../_generated/decision_points/safety_impact_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.safety_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/supplier_cardinality.md b/docs/reference/decision_points/supplier_cardinality.md index ef55c8bf..ccd088fa 100644 --- a/docs/reference/decision_points/supplier_cardinality.md +++ b/docs/reference/decision_points/supplier_cardinality.md @@ -1,3 +1,8 @@ # Supplier Cardinality -{% include-markdown "../../_generated/decision_points/supplier_cardinality.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_cardinality import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` 
diff --git a/docs/reference/decision_points/supplier_contacted.md b/docs/reference/decision_points/supplier_contacted.md index 7a3d9d38..def0c2b6 100644 --- a/docs/reference/decision_points/supplier_contacted.md +++ b/docs/reference/decision_points/supplier_contacted.md @@ -1,6 +1,11 @@ # Supplier Contacted -{% include-markdown "../../_generated/decision_points/supplier_contacted.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_contacted import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "Quality Contact Method" diff --git a/docs/reference/decision_points/supplier_engagement.md b/docs/reference/decision_points/supplier_engagement.md index 42e306af..c8a7426b 100644 --- a/docs/reference/decision_points/supplier_engagement.md +++ b/docs/reference/decision_points/supplier_engagement.md @@ -1,3 +1,8 @@ # Supplier Engagement -{% include-markdown "../../_generated/decision_points/supplier_engagement.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_engagement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/supplier_involvement.md b/docs/reference/decision_points/supplier_involvement.md index d28e978e..d4fb9d70 100644 --- a/docs/reference/decision_points/supplier_involvement.md +++ b/docs/reference/decision_points/supplier_involvement.md @@ -1,3 +1,8 @@ # Supplier Involvement -{% include-markdown "../../_generated/decision_points/supplier_involvement.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_involvement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/system_exposure.md b/docs/reference/decision_points/system_exposure.md index 9ada4318..4595895b 100644 --- a/docs/reference/decision_points/system_exposure.md 
+++ b/docs/reference/decision_points/system_exposure.md @@ -1,6 +1,12 @@ # System Exposure -{% include-markdown "../../_generated/decision_points/system_exposure.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.system_exposure import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. @@ -38,4 +44,12 @@ If you have suggestions for further heuristics, or potential counterexamples to ## Prior Versions -{% include-markdown "../../_generated/decision_points/system_exposure_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.system_exposure import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/technical_impact.md b/docs/reference/decision_points/technical_impact.md index f7280b9a..5fc482f1 100644 --- a/docs/reference/decision_points/technical_impact.md +++ b/docs/reference/decision_points/technical_impact.md @@ -1,6 +1,11 @@ # Technical Impact -{% include-markdown "../../_generated/decision_points/technical_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.technical_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` When evaluating *Technical Impact*, recall the scope definition in the [Scope Section](../../topics/scope.md). Total control is relative to the affected component where the vulnerability resides. diff --git a/docs/reference/decision_points/utility.md b/docs/reference/decision_points/utility.md index 93e94124..4779439f 100644 --- a/docs/reference/decision_points/utility.md 
+++ b/docs/reference/decision_points/utility.md @@ -1,6 +1,11 @@ # Utility -{% include-markdown "../../_generated/decision_points/utility.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.utility import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -44,7 +49,15 @@ However, future work should look for and prevent large mismatches between the ou ## Previous Versions -{% include-markdown "../../_generated/decision_points/utility_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.utility import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` !!! tip "See also" diff --git a/docs/reference/decision_points/value_density.md b/docs/reference/decision_points/value_density.md index 934231f6..34339b35 100644 --- a/docs/reference/decision_points/value_density.md +++ b/docs/reference/decision_points/value_density.md @@ -1,6 +1,11 @@ # Value Density -{% include-markdown "../../_generated/decision_points/value_density.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.value_density import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" diff --git a/mkdocs.yml b/mkdocs.yml index 3e2ff861..922b7a98 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -117,6 +117,7 @@ plugins: data_path: 'data/csvs' - bibtex: bib_file: 'doc/md_src_files/sources_ssvc.bib' + - markdown-exec - mkdocstrings: handlers: python: diff --git a/requirements.txt b/requirements.txt index 9328527c..0799221f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,6 +7,7 @@ mkdocs-material-extensions==1.3.1 mkdocstrings==0.28.1 mkdocstrings-python==1.16.0 mkdocs-print-site-plugin==2.6.0 +markdown-exec==1.10.0 thefuzz==0.22.1 pandas==2.2.3 scikit-learn==1.6.1 
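Review bot: Adding `- markdown-exec` to the plugins list in mkdocs.yml means every fenced block marked `exec="true"` under docs/ now runs as Python inside the build process, so the docs build executes code taken from Markdown files instead of only rendering them. A comment beside the plugin entry would make that explicit, for example `# runs exec="true" code blocks at build time; review docs/*.md changes as code`. If the docs workflow also builds pull requests from forks, it is worth confirming that job runs without deploy credentials; the workflow is not part of this diff. The new `markdown-exec==1.10.0` line follows the file's existing `==` pinning.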
diff --git a/src/cvss_to_json.py b/src/cvss_to_json.py deleted file mode 100644 index df739988..00000000 --- a/src/cvss_to_json.py +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/usr/bin/python3" -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University - -mods = [ - "attack_complexity", - "attack_requirements", - "attack_vector", - "authentication", - "availability_impact", - "availability_requirement", - "collateral_damage_potential", - "confidentiality_impact", - "confidentiality_requirement", - "exploitability", - "helpers", - "impact_bias", - "integrity_impact", - "integrity_requirement", - "privileges_required", - "remediation_level", - "report_confidence", - "scope", - "subsequent_availability_impact", - "subsequent_confidentiality_impact", - "subsequent_integrity_impact", - "target_distribution", - "user_interaction", -] - - -def main(): - for mod in mods: - module = getattr(__import__("ssvc.decision_points.cvss", fromlist=[mod]), mod) - for dp in dir(module): - if dp.upper().find(mod.upper()) > -1: - # user_interaction USER_INTERACTION_2 - print(mod, dp) - sdp = getattr(module, dp) - with open( - f"../data/json/decision_points/cvss/{dp.lower()}.json", "w" - ) as f: - f.write(sdp.model_dump_json(indent=2)) - - -if __name__ == "__main__": - main() 
diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py index a1745321..843626b5 100644 --- a/src/ssvc/decision_points/automatable.py +++ b/src/ssvc/decision_points/automatable.py @@ -65,11 +65,13 @@ values=(AUT_NO, AUT_YES), ) +# always append new VERSIONS to this list, do not remove old ones +VERSIONS = (VIRULENCE_1, AUTOMATABLE_2) +LATEST = VERSIONS[-1] -def main(): - versions = (VIRULENCE_1, AUTOMATABLE_2) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py index 7fc28a4c..d9dad7d9 100644 --- a/src/ssvc/decision_points/critical_software.py +++ b/src/ssvc/decision_points/critical_software.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (CRITICAL_SOFTWARE_1,) +LATEST = VERSIONS[-1] + def main(): - print(CRITICAL_SOFTWARE_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_complexity.py b/src/ssvc/decision_points/cvss/attack_complexity.py index 2d6880f3..5fa68d59 100644 --- a/src/ssvc/decision_points/cvss/attack_complexity.py +++ b/src/ssvc/decision_points/cvss/attack_complexity.py @@ -133,16 +133,17 @@ """ -versions = [ +VERSIONS = ( ACCESS_COMPLEXITY_1, ACCESS_COMPLEXITY_2, ATTACK_COMPLEXITY_3, ATTACK_COMPLEXITY_3_0_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_requirements.py b/src/ssvc/decision_points/cvss/attack_requirements.py index d1dfc43c..8ae4ba7d 100644 
--- a/src/ssvc/decision_points/cvss/attack_requirements.py +++ b/src/ssvc/decision_points/cvss/attack_requirements.py @@ -47,13 +47,12 @@ ), ) -versions = [ - ATTACK_REQUIREMENTS_1, -] +VERSIONS = (ATTACK_REQUIREMENTS_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py index 041a8bda..d7b81b81 100644 --- a/src/ssvc/decision_points/cvss/attack_vector.py +++ b/src/ssvc/decision_points/cvss/attack_vector.py @@ -194,16 +194,16 @@ ), ) -versions = [ +VERSIONS = ( ACCESS_VECTOR_1, ACCESS_VECTOR_2, ATTACK_VECTOR_3, ATTACK_VECTOR_3_0_1, -] +) def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/authentication.py b/src/ssvc/decision_points/cvss/authentication.py index 50729ce4..516966f1 100644 --- a/src/ssvc/decision_points/cvss/authentication.py +++ b/src/ssvc/decision_points/cvss/authentication.py @@ -79,15 +79,12 @@ Includes MULTIPLE, SINGLE, and AUTH_NONE values for CVSS Authentication. """ - -versions = [ - AUTHENTICATION_1, - AUTHENTICATION_2, -] +VERSIONS = (AUTHENTICATION_1, AUTHENTICATION_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/availability_impact.py b/src/ssvc/decision_points/cvss/availability_impact.py index c6f45212..e744c341 100644 --- a/src/ssvc/decision_points/cvss/availability_impact.py +++ b/src/ssvc/decision_points/cvss/availability_impact.py 
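Review bot: `LATEST` is never defined in cvss/attack_vector.py. The hunk turns `versions` into the `VERSIONS` tuple but, unlike attack_complexity.py, attack_requirements.py and authentication.py in this same commit, adds no `LATEST = VERSIONS[-1]` line (the hunk header stays at 16 lines on both sides). Any docs block or caller doing `from ssvc.decision_points.cvss.attack_vector import LATEST` would fail with an ImportError. Add `LATEST = VERSIONS[-1]` directly after the closing `)` of the tuple.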
@@ -127,15 +127,12 @@ ), ) -versions = [ - AVAILABILITY_IMPACT_1, - AVAILABILITY_IMPACT_2, - AVAILABILITY_IMPACT_2_0_1, -] +VERSIONS = (AVAILABILITY_IMPACT_1, AVAILABILITY_IMPACT_2, AVAILABILITY_IMPACT_2_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/availability_requirement.py b/src/ssvc/decision_points/cvss/availability_requirement.py index fcaddba1..09cd2660 100644 --- a/src/ssvc/decision_points/cvss/availability_requirement.py +++ b/src/ssvc/decision_points/cvss/availability_requirement.py @@ -112,15 +112,16 @@ ), ) -versions = [ +VERSIONS = ( AVAILABILITY_REQUIREMENT_1, AVAILABILITY_REQUIREMENT_1_1, AVAILABILITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/collateral_damage_potential.py b/src/ssvc/decision_points/cvss/collateral_damage_potential.py index 27c0caa1..3c541009 100644 --- a/src/ssvc/decision_points/cvss/collateral_damage_potential.py +++ b/src/ssvc/decision_points/cvss/collateral_damage_potential.py @@ -98,11 +98,12 @@ Updates None description. Adds Low-Medium, Medium-High, and Not Defined value. """ -versions = [COLLATERAL_DAMAGE_POTENTIAL_1, COLLATERAL_DAMAGE_POTENTIAL_2] +VERSIONS = (COLLATERAL_DAMAGE_POTENTIAL_1, COLLATERAL_DAMAGE_POTENTIAL_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/confidentiality_impact.py b/src/ssvc/decision_points/cvss/confidentiality_impact.py index 4524308c..955ab72a 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/confidentiality_impact.py 
@@ -138,15 +138,16 @@ ) -versions = [ +VERSIONS = ( CONFIDENTIALITY_IMPACT_1, CONFIDENTIALITY_IMPACT_2, CONFIDENTIALITY_IMPACT_2_0_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/confidentiality_requirement.py b/src/ssvc/decision_points/cvss/confidentiality_requirement.py index 117db9d2..288c05c8 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_requirement.py +++ b/src/ssvc/decision_points/cvss/confidentiality_requirement.py @@ -110,15 +110,16 @@ ), ) -versions = [ +VERSIONS = ( CONFIDENTIALITY_REQUIREMENT_1, CONFIDENTIALITY_REQUIREMENT_1_1, CONFIDENTIALITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/exploitability.py b/src/ssvc/decision_points/cvss/exploitability.py index 9447ff60..2a3eee2a 100644 --- a/src/ssvc/decision_points/cvss/exploitability.py +++ b/src/ssvc/decision_points/cvss/exploitability.py @@ -180,16 +180,17 @@ ), ) -versions = [ +VERSIONS = ( EXPLOITABILITY_1, EXPLOITABILITY_1_1, EXPLOIT_CODE_MATURITY_1_2, EXPLOIT_MATURITY_2, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/helpers.py b/src/ssvc/decision_points/cvss/helpers.py index 23b0774c..25782192 100644 --- a/src/ssvc/decision_points/cvss/helpers.py +++ b/src/ssvc/decision_points/cvss/helpers.py @@ -34,7 +34,7 @@ def _modify_3(dp: SsvcDecisionPoint): names = [v.name for v in values] if nd.name not in names: values.append(nd) - _dp.values = tuple(values) + _dp.values = list(values) return _dp 
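Review bot: `_dp.values = list(values)` in `_modify_3` (and the identical change in `_modify_4` in the next hunk) gives the modified decision points a list, while every decision point built elsewhere in this commit passes `values=(...)` as a tuple. If the model field is typed as a tuple and assignment is not validated (neither is visible here), the result is a mutable `values` that can be altered after the copy and no longer compares equal to a tuple holding the same entries. Unless the base model was switched to a list in a part of the change not shown, keep `_dp.values = tuple(values)`, or add a comment saying why a list is needed. Both function bodies start outside their hunks.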
@@ -98,7 +98,7 @@ def _modify_4(dp: SsvcDecisionPoint): ) values = list(_dp.values) values.append(_SAFETY) - _dp.values = tuple(values) + _dp.values = list(values) return _dp diff --git a/src/ssvc/decision_points/cvss/impact_bias.py b/src/ssvc/decision_points/cvss/impact_bias.py index 1a3f44e9..ad113083 100644 --- a/src/ssvc/decision_points/cvss/impact_bias.py +++ b/src/ssvc/decision_points/cvss/impact_bias.py @@ -59,13 +59,12 @@ Defines Normal, Confidentiality, Integrity, and Availability values for CVSS Impact Bias. """ -versions = [ - IMPACT_BIAS_1, -] +VERSIONS = (IMPACT_BIAS_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/integrity_impact.py b/src/ssvc/decision_points/cvss/integrity_impact.py index a5b6533c..7bc62e96 100644 --- a/src/ssvc/decision_points/cvss/integrity_impact.py +++ b/src/ssvc/decision_points/cvss/integrity_impact.py @@ -125,11 +125,12 @@ ), ) -versions = [INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, INTEGRITY_IMPACT_2_0_1] +VERSIONS = (INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, INTEGRITY_IMPACT_2_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/integrity_requirement.py b/src/ssvc/decision_points/cvss/integrity_requirement.py index dc3255a4..5bfb30e9 100644 --- a/src/ssvc/decision_points/cvss/integrity_requirement.py +++ b/src/ssvc/decision_points/cvss/integrity_requirement.py @@ -110,15 +110,16 @@ ), ) -versions = [ +VERSIONS = ( INTEGRITY_REQUIREMENT_1, INTEGRITY_REQUIREMENT_1_1, INTEGRITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/cvss/privileges_required.py b/src/ssvc/decision_points/cvss/privileges_required.py index 4c62f852..e9cb0ea5 100644 --- a/src/ssvc/decision_points/cvss/privileges_required.py +++ b/src/ssvc/decision_points/cvss/privileges_required.py @@ -101,11 +101,12 @@ ), ) -versions = [PRIVILEGES_REQUIRED_1, PRIVILEGES_REQUIRED_1_0_1] +VERSIONS = (PRIVILEGES_REQUIRED_1, PRIVILEGES_REQUIRED_1_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/remediation_level.py b/src/ssvc/decision_points/cvss/remediation_level.py index 8163f946..73a031ef 100644 --- a/src/ssvc/decision_points/cvss/remediation_level.py +++ b/src/ssvc/decision_points/cvss/remediation_level.py @@ -84,11 +84,12 @@ Adds Not Defined to the CVSS Remediation Level decision point. """ -versions = [REMEDIATION_LEVEL_1, REMEDIATION_LEVEL_1_1] +VERSIONS = (REMEDIATION_LEVEL_1, REMEDIATION_LEVEL_1_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/report_confidence.py b/src/ssvc/decision_points/cvss/report_confidence.py index 5873138a..93ea24fc 100644 --- a/src/ssvc/decision_points/cvss/report_confidence.py +++ b/src/ssvc/decision_points/cvss/report_confidence.py @@ -126,15 +126,16 @@ """ -versions = [ +VERSIONS = ( REPORT_CONFIDENCE_1, REPORT_CONFIDENCE_1_1, REPORT_CONFIDENCE_2, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/scope.py b/src/ssvc/decision_points/cvss/scope.py index f56c1ed0..9eaf0b35 100644 --- a/src/ssvc/decision_points/cvss/scope.py +++ b/src/ssvc/decision_points/cvss/scope.py 
@@ -49,13 +49,12 @@ Defines Changed and Unchanged values for CVSS Scope. """ -versions = [ - SCOPE_1, -] +VERSIONS = (SCOPE_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py index e2efc8a5..e3cbe929 100644 --- a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py @@ -56,13 +56,12 @@ ), ) -versions = [ - SUBSEQUENT_AVAILABILITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_AVAILABILITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py index 4ae2c407..413dc803 100644 --- a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py @@ -57,13 +57,12 @@ ), ) -versions = [ - SUBSEQUENT_CONFIDENTIALITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_CONFIDENTIALITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py index 2cf2ccb9..4a2efbf5 100644 --- a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py @@ -60,13 +60,12 @@ ), ) -versions = [ - SUBSEQUENT_INTEGRITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_INTEGRITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/cvss/supplemental/automatable.py b/src/ssvc/decision_points/cvss/supplemental/automatable.py index f679705e..c6fa0dd7 100644 --- a/src/ssvc/decision_points/cvss/supplemental/automatable.py +++ b/src/ssvc/decision_points/cvss/supplemental/automatable.py @@ -19,7 +19,13 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +NO = SsvcDecisionPointValue(name="No", key="N", + description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " \ + "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", ) +YES = SsvcDecisionPointValue(name="Yes", key="Y", + description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " \ + "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " \ + '"wormable").', ) AUTOMATABLE_1 = CvssDecisionPoint( name="Automatable", description='The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation ' @@ -27,29 +33,16 @@ key="AU", version="1.0.0", values=( - SsvcDecisionPointValue( - name="No", - key="N", - description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " - "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", - ), - SsvcDecisionPointValue( - name="Yes", - key="Y", - description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " - "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " - '"wormable").', - ), + NO, + YES, ), ) +VERSIONS = (AUTOMATABLE_1,) +LATEST = AUTOMATABLE_1 def main(): - versions = [ - AUTOMATABLE_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
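Review bot: `LATEST = AUTOMATABLE_1` in supplemental/automatable.py hard-codes the newest version, where the other modules in this commit use `LATEST = VERSIONS[-1]`. Once a second version is appended to `VERSIONS`, `LATEST` will silently keep pointing at 1.0.0. Use `LATEST = VERSIONS[-1]` here and in supplemental/provider_urgency.py and supplemental/safety.py, which carry the same line. The trailing `\` after each string fragment in `NO` and `YES` is redundant inside the call's parentheses and can be dropped.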
diff --git a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py index a9a7aa36..aca04676 100644 --- a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py +++ b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py @@ -20,6 +20,14 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs +RED = SsvcDecisionPointValue(name="Red", key="R", + description="Provider has assessed the impact of this vulnerability as having the highest urgency.", ) +AMBER = SsvcDecisionPointValue(name="Amber", key="A", + description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", ) +GREEN = SsvcDecisionPointValue(name="Green", key="G", + description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", ) +CLEAR = SsvcDecisionPointValue(name="Clear", key="C", + description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", ) PROVIDER_URGENCY_1 = CvssDecisionPoint( name="Provider Urgency", description="Many vendors currently provide supplemental severity ratings to consumers via product security " 
@@ -30,37 +38,18 @@ version="1.0.0", values=( NOT_DEFINED_X, - # Red, Amber, Green, Clear - SsvcDecisionPointValue( - name="Red", - key="R", - description="Provider has assessed the impact of this vulnerability as having the highest urgency.", - ), - SsvcDecisionPointValue( - name="Amber", - key="A", - description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", - ), - SsvcDecisionPointValue( - name="Green", - key="G", - description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", - ), - SsvcDecisionPointValue( - name="Clear", - key="C", - description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", - ), + CLEAR, + GREEN, + AMBER, + RED, ), ) +VERSIONS = (PROVIDER_URGENCY_1,) +LATEST = PROVIDER_URGENCY_1 def main(): - versions = [ - PROVIDER_URGENCY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/recovery.py b/src/ssvc/decision_points/cvss/supplemental/recovery.py index f86994e9..5297e10a 100644 --- a/src/ssvc/decision_points/cvss/supplemental/recovery.py +++ b/src/ssvc/decision_points/cvss/supplemental/recovery.py 
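Review bot: The `values` tuple of `PROVIDER_URGENCY_1` is reordered from Red, Amber, Green, Clear to `CLEAR, GREEN, AMBER, RED` while `version` stays `"1.0.0"`. If consumers treat value order as significant (the JSON generated from these objects lists values in tuple order), the 1.0.0 definition changes without a version bump. Whether 1.0.0 was already published is not visible here. Either bump the version or add a comment above the tuple, such as `# ordered from least to most urgent`, so the reordering reads as intentional.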
@@ -20,7 +20,13 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +AUTOMATIC = SsvcDecisionPointValue(name="Automatic", key="A", + description="The system recovers services automatically after an attack has been performed.", ) +USER = SsvcDecisionPointValue(name="User", key="U", + description="The system requires manual intervention by the user to recover services, after an attack has " \ + "been performed.", ) +IRRECOVERABLE = SsvcDecisionPointValue(name="Irrecoverable", key="I", + description="The system services are irrecoverable by the user, after an attack has been performed.", ) RECOVERY_1 = CvssDecisionPoint( name="Recovery", description="The Recovery metric describes the resilience of a system to recover services, in terms of performance " @@ -29,32 +35,17 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Automatic", - key="A", - description="The system recovers services automatically after an attack has been performed.", - ), - SsvcDecisionPointValue( - name="User", - key="U", - description="The system requires manual intervention by the user to recover services, after an attack has " - "been performed.", - ), - SsvcDecisionPointValue( - name="Irrecoverable", - key="I", - description="The system services are irrecoverable by the user, after an attack has been performed.", - ), + AUTOMATIC, + USER, + IRRECOVERABLE, ), ) +VERSIONS = (RECOVERY_1,) +LATEST = VERSIONS[-1] def main(): - versions = [ - RECOVERY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/safety.py b/src/ssvc/decision_points/cvss/supplemental/safety.py index ca3347b6..f251a958 100644 --- a/src/ssvc/decision_points/cvss/supplemental/safety.py +++ b/src/ssvc/decision_points/cvss/supplemental/safety.py 
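Review bot: The new `USER = SsvcDecisionPointValue(...)` definition continues its `description` string with a trailing `\` although the expression is already inside the call's parentheses. Adjacent string literals concatenate implicitly there, so the backslash is redundant, and it becomes a syntax error if whitespace ever follows it. Drop it, as in `description="... after an attack has " "been performed.",`. The same pattern appears in the added constants in safety.py, cvss/supplemental/value_density.py and vulnerability_response_effort.py.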
@@ -21,6 +21,12 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs +PRESENT = SsvcDecisionPointValue(name="Present", key="P", + description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " \ + '"marginal," "critical," or "catastrophic."', ) +NEGLIGIBLE = SsvcDecisionPointValue(name="Negligible", key="N", + description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " \ + '"negligible."', ) SAFETY_1 = CvssDecisionPoint( name="Safety", description="The Safety decision point is a measure of the potential for harm to humans or the environment.", @@ -28,29 +34,16 @@ version="1.0.0", values=( NOT_DEFINED_X, - # Present, Negligible - SsvcDecisionPointValue( - name="Present", - key="P", - description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " - '"marginal," "critical," or "catastrophic."', - ), - SsvcDecisionPointValue( - name="Negligible", - key="N", - description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " - '"negligible."', - ), + PRESENT, + NEGLIGIBLE, ), ) +VERSIONS = (SAFETY_1,) +LATEST = SAFETY_1 def main(): - versions = [ - SAFETY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/value_density.py b/src/ssvc/decision_points/cvss/supplemental/value_density.py index 065512cf..ba176576 100644 --- a/src/ssvc/decision_points/cvss/supplemental/value_density.py +++ b/src/ssvc/decision_points/cvss/supplemental/value_density.py 
@@ -20,7 +20,12 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +DIFFUSE = SsvcDecisionPointValue(name="Diffuse", key="D", + description="The vulnerable system has limited resources. That is, the resources that the attacker will " \ + "gain control over with a single exploitation event are relatively small.", ) +CONCENTRATED = SsvcDecisionPointValue(name="Concentrated", key="C", + description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct " \ + 'responsibility of "system operators" rather than users.', ) VALUE_DENSITY_1 = CvssDecisionPoint( name="Value Density", description="Value Density describes the resources that the attacker will gain control over with a single " @@ -29,28 +34,16 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Diffuse", - key="D", - description="The vulnerable system has limited resources. That is, the resources that the attacker will " - "gain control over with a single exploitation event are relatively small.", - ), - SsvcDecisionPointValue( - name="Concentrated", - key="C", - description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct " - 'responsibility of "system operators" rather than users.', - ), + DIFFUSE, + CONCENTRATED, ), ) +VERSIONS = (VALUE_DENSITY_1,) +LATEST = VERSIONS[-1] def main(): - versions = [ - VALUE_DENSITY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py index 40da0e4b..d3d058cb 100644 --- a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py +++ b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py 
@@ -20,7 +20,18 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +LOW = SsvcDecisionPointValue(name="Low", key="L", + description="The effort required to respond to a vulnerability is low/trivial.", ) +MODERATE = SsvcDecisionPointValue(name="Moderate", key="M", + description="The actions required to respond to a vulnerability require some effort on behalf of the " \ + "consumer and could cause minimal service impact to implement.", ) +HIGH = SsvcDecisionPointValue(name="High", key="H", + description="The actions required to respond to a vulnerability are significant and/or difficult, and may " \ + "possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling " \ + "purposes including honoring any embargo on deployment of the selected response. Alternatively, response " \ + "to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability " \ + "involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or " \ + "replacement).", ) VULNERABILITY_RESPONSE_EFFORT_1 = CvssDecisionPoint( name="Vulnerability Response Effort", description="The intention of the Vulnerability Response Effort metric is to provide supplemental information on " 
@@ -31,37 +42,17 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Low", - key="L", - description="The effort required to respond to a vulnerability is low/trivial.", - ), - SsvcDecisionPointValue( - name="Moderate", - key="M", - description="The actions required to respond to a vulnerability require some effort on behalf of the " - "consumer and could cause minimal service impact to implement.", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="The actions required to respond to a vulnerability are significant and/or difficult, and may " - "possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling " - "purposes including honoring any embargo on deployment of the selected response. Alternatively, response " - "to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability " - "involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or " - "replacement).", - ), + LOW, + MODERATE, + HIGH, ), ) +VERSIONS = (VULNERABILITY_RESPONSE_EFFORT_1,) +LATEST = VERSIONS[-1] def main(): - versions = [ - VULNERABILITY_RESPONSE_EFFORT_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/target_distribution.py b/src/ssvc/decision_points/cvss/target_distribution.py index d96ff767..2f408e67 100644 --- a/src/ssvc/decision_points/cvss/target_distribution.py +++ b/src/ssvc/decision_points/cvss/target_distribution.py @@ -87,14 +87,15 @@ Introduces Not Defined value. """ -versions = [ +VERSIONS = ( TARGET_DISTRIBUTION_1, TARGET_DISTRIBUTION_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/cvss/user_interaction.py b/src/ssvc/decision_points/cvss/user_interaction.py index d1e17418..02e75941 100644 --- a/src/ssvc/decision_points/cvss/user_interaction.py +++ b/src/ssvc/decision_points/cvss/user_interaction.py @@ -89,11 +89,12 @@ ), ) -versions = [USER_INTERACTION_1, USER_INTERACTION_2] +VERSIONS = (USER_INTERACTION_1, USER_INTERACTION_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/exploitation.py b/src/ssvc/decision_points/exploitation.py index 0f7c5f59..bb1a2a52 100644 --- a/src/ssvc/decision_points/exploitation.py +++ b/src/ssvc/decision_points/exploitation.py @@ -74,11 +74,12 @@ def _strip_spaces(s): ), ) +VERSIONS = (EXPLOITATION_1, EXPLOITATION_1_1_0) +LATEST = VERSIONS[-1] -def main(): - versions = [EXPLOITATION_1, EXPLOITATION_1_1_0] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py index 1a93505a..12a52077 100644 --- a/src/ssvc/decision_points/helpers.py +++ b/src/ssvc/decision_points/helpers.py 
@@ -127,45 +127,33 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: major = True for name in dp2_names.difference(dp1_names): - diffs.append( - f"(major or minor) {dp2.name} v{dp2.version} adds value {name}" - ) + diffs.append(f"(major or minor) {dp2.name} v{dp2.version} adds value {name}") maybe_major = True maybe_minor = True # did the value keys change? for name in intersection: - v1 = { - value["name"]: value["key"] for value in dp1.model_dump()["values"] - } + v1 = {value["name"]: value["key"] for value in dp1.model_dump()["values"]} v1 = v1[name] - v2 = { - value["name"]: value["key"] for value in dp2.model_dump()["values"] - } + v2 = {value["name"]: value["key"] for value in dp2.model_dump()["values"]} v2 = v2[name] if v1 != v2: - diffs.append( - f"(minor) {dp2.name} v{dp2.version} value {name} key changed" - ) + diffs.append(f"(minor) {dp2.name} v{dp2.version} value {name} key changed") minor = True else: - diffs.append( - f"{dp2.name} v{dp2.version} value {name} key did not change" - ) + diffs.append(f"{dp2.name} v{dp2.version} value {name} key did not change") # did the value descriptions change? for name in intersection: v1 = { - value["name"]: value["description"] - for value in dp1.model_dump()["values"] + value["name"]: value["description"] for value in dp1.model_dump()["values"] } v1 = v1[name] v2 = { - value["name"]: value["description"] - for value in dp2.model_dump()["values"] + value["name"]: value["description"] for value in dp2.model_dump()["values"] } v2 = v2[name] diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py index b483b7e3..b0aeac2b 100644 --- a/src/ssvc/decision_points/high_value_asset.py +++ b/src/ssvc/decision_points/high_value_asset.py 
@@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -41,9 +42,11 @@ ), ) +VERSIONS = (HIGH_VALUE_ASSET_1,) +LATEST = VERSIONS[-1] def main(): - print(HIGH_VALUE_ASSET_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py index 1b178d92..ac2deac0 100644 --- a/src/ssvc/decision_points/human_impact.py +++ b/src/ssvc/decision_points/human_impact.py @@ -120,15 +120,16 @@ ), ) +VERSIONS = ( + MISSION_AND_WELL_BEING_IMPACT_1, + HUMAN_IMPACT_2, + HUMAN_IMPACT_2_0_1, +) +LATEST = VERSIONS[-1] -def main(): - versions = ( - MISSION_AND_WELL_BEING_IMPACT_1, - HUMAN_IMPACT_2, - HUMAN_IMPACT_2_0_1, - ) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/in_kev.py b/src/ssvc/decision_points/in_kev.py index 2b10690c..31466aaa 100644 --- a/src/ssvc/decision_points/in_kev.py +++ b/src/ssvc/decision_points/in_kev.py @@ -16,6 +16,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +41,12 @@ ), ) +VERSIONS = (IN_KEV_1,) +LATEST = VERSIONS[-1] + def main(): - print(IN_KEV_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/mission_impact.py b/src/ssvc/decision_points/mission_impact.py index d98f4208..d0a3a132 100644 --- a/src/ssvc/decision_points/mission_impact.py +++ b/src/ssvc/decision_points/mission_impact.py 
@@ -80,11 +80,12 @@ values=(DEGRADED, MEF_CRIPPLED, MEF_FAILURE, MISSION_FAILURE), ) +VERSIONS = (MISSION_IMPACT_1, MISSION_IMPACT_2) +LATEST = VERSIONS[-1] -def main(): - versions = (MISSION_IMPACT_1, MISSION_IMPACT_2) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index 6fb697e8..bc5e4778 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -52,7 +52,9 @@ ), ) +VERSIONS = (MISSION_PREVALENCE,) +LATEST = VERSIONS[-1] + if __name__ == "__main__": - versions = (MISSION_PREVALENCE,) - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) diff --git a/src/ssvc/decision_points/public_safety_impact.py b/src/ssvc/decision_points/public_safety_impact.py index f057a39c..54df0a8e 100644 --- a/src/ssvc/decision_points/public_safety_impact.py +++ b/src/ssvc/decision_points/public_safety_impact.py @@ -109,14 +109,16 @@ ), ) +VERSIONS = ( + PUBLIC_WELL_BEING_IMPACT_1, + PUBLIC_SAFETY_IMPACT_2, + PUBLIC_SAFETY_IMPACT_2_0_1, +) +LATEST = VERSIONS[-1] + def main(): - versions = ( - PUBLIC_WELL_BEING_IMPACT_1, - PUBLIC_SAFETY_IMPACT_2, - PUBLIC_SAFETY_IMPACT_2_0_1, - ) - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/public_value_added.py b/src/ssvc/decision_points/public_value_added.py index cec1b200..87b4700a 100644 --- a/src/ssvc/decision_points/public_value_added.py +++ b/src/ssvc/decision_points/public_value_added.py @@ -47,10 +47,12 @@ ) -def main(): - versions = (PUBLIC_VALUE_ADDED_1,) +VERSIONS = (PUBLIC_VALUE_ADDED_1,) +LATEST = VERSIONS[-1] + - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py index 3fbcdd51..1e4cf105 100644 --- a/src/ssvc/decision_points/report_credibility.py +++ b/src/ssvc/decision_points/report_credibility.py @@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs NOT_CREDIBLE = SsvcDecisionPointValue( name="Not Credible", @@ -42,9 +43,12 @@ ), ) +VERSIONS = (REPORT_CREDIBILITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(REPORT_CREDIBILITY_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py index 815d296c..a072e185 100644 --- a/src/ssvc/decision_points/report_public.py +++ b/src/ssvc/decision_points/report_public.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (REPORT_PUBLIC_1,) +LATEST = VERSIONS[-1] + def main(): - print(REPORT_PUBLIC_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/safety_impact.py b/src/ssvc/decision_points/safety_impact.py index 110d053c..5a5c16ae 100644 --- a/src/ssvc/decision_points/safety_impact.py +++ b/src/ssvc/decision_points/safety_impact.py @@ -159,10 +159,12 @@ ) -def main(): - versions = (SAFETY_IMPACT_1, SAFETY_IMPACT_2) +VERSIONS = (SAFETY_IMPACT_1, SAFETY_IMPACT_2) +LATEST = VERSIONS[-1] + - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py index e0c9ecfb..934ebfdf 100644 --- a/src/ssvc/decision_points/supplier_cardinality.py +++ b/src/ssvc/decision_points/supplier_cardinality.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs MULTIPLE = SsvcDecisionPointValue( name="Multiple", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (SUPPLIER_CARDINALITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_CARDINALITY_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py index 1d07aa00..f3586008 100644 --- a/src/ssvc/decision_points/supplier_contacted.py +++ b/src/ssvc/decision_points/supplier_contacted.py @@ -16,6 +16,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +41,12 @@ ), ) +VERSIONS = (SUPPLIER_CONTACTED_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_CONTACTED_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py index 94f94097..cb0aef24 100644 --- a/src/ssvc/decision_points/supplier_engagement.py +++ b/src/ssvc/decision_points/supplier_engagement.py 
@@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs UNRESPONSIVE = SsvcDecisionPointValue( name="Unresponsive", @@ -42,9 +43,12 @@ ), ) +VERSIONS = (SUPPLIER_ENGAGEMENT_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_ENGAGEMENT_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py index e7712e27..823afd4d 100644 --- a/src/ssvc/decision_points/supplier_involvement.py +++ b/src/ssvc/decision_points/supplier_involvement.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs UNCOOPERATIVE = SsvcDecisionPointValue( name="Uncooperative/Unresponsive", @@ -48,9 +49,12 @@ ), ) +VERSIONS = (SUPPLIER_INVOLVEMENT_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_INVOLVEMENT_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py index 12a7a10b..9f0c813a 100644 --- a/src/ssvc/decision_points/system_exposure.py +++ b/src/ssvc/decision_points/system_exposure.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs EXP_UNAVOIDABLE = SsvcDecisionPointValue( name="Unavoidable", 
@@ -76,10 +77,12 @@ ), ) +VERSIONS = (SYSTEM_EXPOSURE_1, SYSTEM_EXPOSURE_1_0_1) +LATEST = VERSIONS[-1] + def main(): - print(SYSTEM_EXPOSURE_1.model_dump_json(indent=2)) - print(SYSTEM_EXPOSURE_1_0_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py index 6f8133a6..3fa10eff 100644 --- a/src/ssvc/decision_points/technical_impact.py +++ b/src/ssvc/decision_points/technical_impact.py @@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs TOTAL = SsvcDecisionPointValue( name="Total", @@ -42,9 +43,12 @@ ), ) +VERSIONS = (TECHNICAL_IMPACT_1,) +LATEST = VERSIONS[-1] + def main(): - print(TECHNICAL_IMPACT_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py index d20f05a3..b1f08b0a 100644 --- a/src/ssvc/decision_points/utility.py +++ b/src/ssvc/decision_points/utility.py @@ -80,11 +80,12 @@ ), ) +VERSIONS = (UTILITY_1, UTILITY_1_0_1) +LATEST = VERSIONS[-1] -def main(): - versions = (UTILITY_1, UTILITY_1_0_1) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py index d13a606f..81b9fd14 100644 --- a/src/ssvc/decision_points/value_density.py +++ b/src/ssvc/decision_points/value_density.py 
@@ -3,7 +3,7 @@ Provides the Value Density decision point and its values. """ -# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs CONCENTRATED = SsvcDecisionPointValue( name="Concentrated", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (VALUE_DENSITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(VALUE_DENSITY_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/doc_helpers.py b/src/ssvc/doc_helpers.py new file mode 100644 index 00000000..3e794601 --- /dev/null +++ b/src/ssvc/doc_helpers.py 
@@ -0,0 +1,141 @@ +#!/usr/bin/env python +""" +file: doc_helpers +author: adh +created_at: 2/14/25 2:54 PM +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points.base import SsvcDecisionPoint + +MD_TABLE_ROW_TEMPLATE = "| {value.name} | {value.description} |" + + +def markdown_table(dp: SsvcDecisionPoint, indent: int = 0) -> str: + """ + Generate a markdown table for a decision point. + + Args: + dp (SsvcDecisionPoint): The decision point to generate a markdown table for. + + Returns: + str: The markdown table. + """ + rows = [] + # prepend the header + _indent = " " * indent + rows.append(f"{_indent}{dp.description}") + rows.append("") + rows.append(f"{_indent}| Value | Definition |") + rows.append(f"{_indent}|:-----|:-----------|") + + # add a row for each value + for value in dp.values: + rows.append(_indent + MD_TABLE_ROW_TEMPLATE.format(value=value)) + + return "\n".join(rows) + + +def example_block_tabbed(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! 
note "{dp.name} v{dp.version}"') + rows.append("") + + rows.append(indent_ + '=== "Table"') + rows.append("") + for row in markdown_table(dp, indent=4).splitlines(): + rows.append(indent_ + row) + rows.append("") + + rows.append(indent_ + '=== "JSON"') + rows.append("") + for row in json_example(dp, indent=4).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def example_block(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + for row in markdown_table(dp).splitlines(): + rows.append(indent_ + row) + rows.append("") + + rows.append(indent_ + f'??? example "{dp.name} v{dp.version} JSON Example"') + rows.append("") + for row in json_example(dp, indent=4).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def prior_version(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + rows.append("") + for row in markdown_table(dp, indent=0).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def json_example(dp, indent=0): + """ + Generate a markdown block that contains a JSON example. + + Args: + dp: the decision point object + jstr: + collapsible: + + Returns: + + """ + indent_ = " " * indent + json_rows = [ + indent_ + "```json", + ] + + jstr = dp.model_dump_json(indent=2).strip() + + for line in jstr.splitlines(): + json_rows.append(indent_ + line) + + json_rows.append( + indent_ + "```", + ) + json_block = "\n".join(json_rows) + return json_block + + +def main(): + pass + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py index 8130aeb6..e3d973a7 100644 
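Review bot: `example_block_tabbed`, `example_block` and `prior_version` each accept an `indent` parameter but ignore it, because all three set `indent_ = " " * 4`; that line should read `indent_ = " " * indent`. `markdown_table` also formats `value.description` straight into a `| ... | ... |` row, so a description containing `|` or a newline would break the rendered table. Escaping those characters before formatting would make the helper safe if decision points are ever loaded from data outside this repository. The `json_example` docstring lists `jstr` and `collapsible`, which are not parameters, and leaves `Returns:` empty. The three block builders also share one copied docstring that does not say how their output differs.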
--- a/src/ssvc/doctools.py +++ b/src/ssvc/doctools.py @@ -15,30 +15,28 @@ Provides tools to assist with generating documentation for SSVC decision points. Writes the following files for each decision point: -- a markdown table that can be used in the decision point documentation - a json example that can be used in the decision point documentation -- a markdown file that builds an insert using mkdocs tabs to switch between the markdown description and the json - example Examples To generate the documentation for the decision points, use the following command: - python -m ssvc.doctools --overwrite --outdir ./tmp/md_out --jsondir ./tmp/json_out` + python -m ssvc.doctools --overwrite --jsondir ./tmp/json_out` To regenerate the existing docs, use the following command: - python -m ssvc.doctools --overwrite --outdir docs/_generated/decision_points --jsondir data/json/decision_points + python -m ssvc.doctools --overwrite --jsondir data/json/decision_points """ import logging import os +import ssvc.dp_groups.cvss.collections # noqa +import ssvc.dp_groups.ssvc.collections # noqa from ssvc.decision_points.base import ( REGISTERED_DECISION_POINTS, SsvcDecisionPoint, ) -from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa logger = logging.getLogger(__name__) 
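Review bot: The two added `import ssvc.dp_groups.*.collections  # noqa` lines bind no name that the visible code uses, so they are presumably there for the side effect of populating `REGISTERED_DECISION_POINTS`. A short comment would stop a later cleanup from removing them, for example `# imported for side effects: registers the CVSS and SSVC decision points`. The edited usage example in the module docstring also keeps a stray trailing backtick in `--jsondir ./tmp/json_out`, which breaks the command when copy-pasted.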
@@ -56,49 +54,6 @@ def _filename_friendly(name: str) -> str: return name.lower().replace(" ", "_").replace(".", "_") -MD_TABLE_ROW_TEMPLATE = "| {value.name} | {value.description} |" - -# indent by 4 spaces to make it a code block -MD_INCLUDE_TEMPLATE = """ -!!! note "{dp.name} v{dp.version}" - -=== "Text" - -{table} - -=== "JSON" - - ```json - {{% include "{json_file}" %}} - ``` -""" - - -def to_markdown_table(dp: SsvcDecisionPoint) -> str: - """ - Generate a markdown table for a decision point. - - Args: - dp (SsvcDecisionPoint): The decision point to generate a markdown table for. - - Returns: - str: The markdown table. - """ - rows = [] - # prepend the header - rows.append(f" {dp.description}") - rows.append("") - indent = " " * 4 - rows.append(f"{indent}| Value | Definition |") - rows.append(f"{indent}|:-----|:-----------|") - - # add a row for each value - for value in dp.values: - rows.append(indent + MD_TABLE_ROW_TEMPLATE.format(value=value)) - - return "\n".join(rows) - - # create a runtime context that ensures that dir exists class EnsureDirExists: """ @@ -137,9 +92,7 @@ def remove_if_exists(file): logger.debug(f"File {file} does not exist, nothing to remove") -def dump_decision_point( - jsondir: str, outdir: str, dp: SsvcDecisionPoint, overwrite: bool -) -> dict: +def dump_decision_point(jsondir: str, dp: SsvcDecisionPoint, overwrite: bool) -> None: """ Generate the markdown table, json example, and markdown table file for a decision point. 
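Review bot: The docstring of `dump_decision_point` no longer matches its new signature, which drops `outdir` and returns `None`. Its summary still reads "Generate the markdown table, json example, and markdown table file", and the part of the docstring visible as context in the next hunk still lists `symlink` and `json_file` as returned keys. The summary should become something like `Write the JSON example file for a decision point.`, and the `outdir` argument entry and the `Returns:` section should be removed. The function body continues in the following hunk.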
@@ -155,75 +108,10 @@ def dump_decision_point( - symlink: The path to the symlink that points to the markdown table file. - json_file: The path to the json example file. """ - # - generate markdown table # make dp.name safe for use in a filename - basename = ( - _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" - ) + basename = _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" # - generate json example - json_file = dump_json(basename, dp, jsondir, overwrite) - - # - generate markdown table file - r = dump_markdown(basename, dp, json_file, outdir, overwrite) - r["json_file"] = json_file - return r - - -def dump_markdown( - basename: str, - dp: SsvcDecisionPoint, - json_file: str, - outdir: str, - overwrite: bool, -) -> dict: - """ - Generate the markdown table file for a decision point. - - Args: - basename (str): The basename of the markdown table file. - dp (SsvcDecisionPoint): The decision point to generate documentation for. - json_file (str): The path to the json example file. - outdir (str): The directory to write the markdown table file to. - overwrite (bool): Whether to overwrite existing files. - - Returns: - dict: A dictionary with the following keys: - - include_file: The path to the markdown table file. - - symlink: The path to the symlink that points to the markdown table file. 
- """ - include_file = f"{outdir}/{basename}.md" - - relative_json_file = os.path.relpath(json_file, outdir) - - if overwrite: - remove_if_exists(include_file) - with EnsureDirExists(outdir): - try: - with open(include_file, "x") as f: - formatted_template = MD_INCLUDE_TEMPLATE.format( - dp=dp, - json_file=relative_json_file, - table=(to_markdown_table(dp)), - ) - f.write(formatted_template) - except FileExistsError: - logger.warning( - f"File {include_file} already exists, use --overwrite to replace" - ) - - # update the symlink - # because we don't want to have to edit each markdown file every time something changes - symlink = f"{outdir}/{_filename_friendly(dp.name)}.md" - remove_if_exists(symlink) - relative_md_file = os.path.relpath(include_file, outdir) - os.symlink(relative_md_file, symlink) - - result = { - "include_file": include_file, - "symlink": symlink, - } - - return result + dump_json(basename, dp, jsondir, overwrite) def dump_json( @@ -241,13 +129,24 @@ def dump_json( Returns: str: The path to the json example file. """ - json_file = f"{jsondir}/{basename}.json" + # if namespace is ssvc, it goes in jsondir + filename = f"{basename}.json" + parts = [ + jsondir, + ] + if dp.namespace != "ssvc": + parts.append(_filename_friendly(dp.namespace)) + parts.append(filename) + + json_file = os.path.join(*parts) + if overwrite: remove_if_exists(json_file) with EnsureDirExists(jsondir): try: with open(json_file, "x") as f: f.write(dp.model_dump_json(indent=2)) + f.write("\n") # newline at end of file except FileExistsError: logger.warning( f"File {json_file} already exists, use --overwrite to replace" 
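Review bot: In the `dump_json` hunk, decision points whose namespace is not `ssvc` are now written to a namespace subdirectory of `jsondir`, but the unchanged `with EnsureDirExists(jsondir):` still covers only the top-level directory. Assuming that context manager creates just the path it is given (its body is outside the hunk), `open(json_file, "x")` fails with FileNotFoundError on a fresh output directory; use `with EnsureDirExists(os.path.dirname(json_file)):` instead. Separately, `_filename_friendly` as shown only lowercases and replaces spaces and dots, so a namespace containing a path separator would put the file outside `jsondir`, since `os.path.join` discards earlier parts when a later one is absolute. Namespaces seem to come from registered code today, but rejecting `os.sep` in that component would keep the write confined to `jsondir` regardless of the caller.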
@@ -275,21 +174,17 @@ def main(): default=False, ) - parser.add_argument( - "--outdir", help="output directory", default="./tmp/md_out" - ) parser.add_argument( "--jsondir", help="json output directory", default="./tmp/json_out" ) args = parser.parse_args() overwrite = args.overwrite - outdir = args.outdir jsondir = args.jsondir # for each decision point: for dp in REGISTERED_DECISION_POINTS: - dump_decision_point(jsondir, outdir, dp, overwrite) + dump_decision_point(jsondir, dp, overwrite) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/base.py b/src/ssvc/dp_groups/base.py index f2c0b530..d198a0df 100644 --- a/src/ssvc/dp_groups/base.py +++ b/src/ssvc/dp_groups/base.py @@ -4,7 +4,7 @@ author: adh created_at: 9/20/23 4:47 PM """ -# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. +# Copyright (c) 2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py index a8e8a271..debfaaca 100644 --- a/src/ssvc/dp_groups/cvss/collections.py +++ b/src/ssvc/dp_groups/cvss/collections.py @@ -334,9 +334,7 @@ name="CVSSv4", description="All decision points for CVSS v4 (including supplemental metrics)", version="1.0.0", - decision_points=tuple( - _BASE_4 + _THREAT_4 + _ENVIRONMENTAL_4 + _SUPPLEMENTAL_4 - ), + decision_points=tuple(_BASE_4 + _THREAT_4 + _ENVIRONMENTAL_4 + _SUPPLEMENTAL_4), ) CVSSv4_Equivalence_Sets = SsvcDecisionPointGroup( diff --git a/src/test/test_doc_helpers.py b/src/test/test_doc_helpers.py new file mode 100644 index 00000000..f7834eee --- /dev/null +++ b/src/test/test_doc_helpers.py 
@@ -0,0 +1,81 @@ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +import unittest + +from ssvc.decision_points import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.doc_helpers import example_block, markdown_table + + +class MyTestCase(unittest.TestCase): + def setUp(self): + self.dp = SsvcDecisionPoint( + namespace="test", + name="test name", + description="test description", + key="TK", + version="1.0.0", + values=( + SsvcDecisionPointValue(name="A", key="A", description="A Definition"), + SsvcDecisionPointValue(name="B", key="B", description="B Definition"), + ), + ) + + def tearDown(self): + pass + + def test_markdown_table(self): + result = markdown_table(self.dp) + + expected = ( + "test description\n" + "\n" + "| Value | Definition |\n" + "|:-----|:-----------|\n" + "| A | A Definition |\n" + "| B | B Definition |" + ) + + self.assertEqual(result, expected) + + indented = markdown_table(self.dp, indent=4) + + expected_indented = ( + " test description\n" + "\n" + " | Value | Definition |\n" + " |:-----|:-----------|\n" + " | A | A Definition |\n" + " | B | B Definition |" + ) + + self.assertEqual(indented, expected_indented) + + def 
test_example_block(self): + + result = example_block(self.dp) + + self.assertIn("!!! note", result) + self.assertIn("\n | Value | Definition |", result) + self.assertIn("\n | A | A Definition |", result) + self.assertIn("\n | B | B Definition |", result) + self.assertIn("\n ??? example", result) + self.assertIn("\n ```json", result) + + for value in self.dp.values: + self.assertIn(value.name, result) + self.assertIn(value.description, result) + + +if __name__ == "__main__": + unittest.main() diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index 2e2083c7..c59226a5 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -22,9 +22,7 @@ _filename_friendly, dump_decision_point, dump_json, - dump_markdown, remove_if_exists, - to_markdown_table, ) _dp_dict = { @@ -60,18 +58,6 @@ def test__filename_friendly(self): # lowercase the string self.assertEqual("foo_bar", _filename_friendly("Foo.Bar")) - def test_to_markdown_table(self): - dp = self.dp - - table = to_markdown_table(dp) - self.assertIn(dp.description, table) - # self.assertIn(dp.name, table) - # self.assertIn(dp.version, table) - for value in dp.values: - self.assertIn(value.name, table) - self.assertIn(value.description, table) - self.assertIn(value.key, table) - def test_ensure_dir_exists(self): path = os.path.join(self.tempdir.name, "foo") self.assertFalse(os.path.exists(path)) 
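Review bot: The new test module `src/test/test_doc_helpers.py` keeps the placeholder class name `MyTestCase` and a `tearDown` whose body is only `pass`. Renaming it to something like `class TestDocHelpers(unittest.TestCase):` and deleting the no-op `tearDown` makes failures attributable in test output and removes dead code. `test_example_block` asserts only on substrings, so it would still pass if the JSON body of the example were empty; an assertion that `self.dp.key` or `self.dp.namespace` appears after the json fence marker would cover that.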
@@ -98,78 +84,26 @@ def test_remove_if_exists(self): def test_dump_decision_point(self): jsondir = os.path.join(self.tempdir.name, "json") - outdir = os.path.join(self.tempdir.name, "out") dp = self.dp overwrite = False + # should create the files in the expected places + self.assertFalse(os.path.exists(jsondir)) self.assertEqual(0, len(os.listdir(self.tempdir.name))) - # should create the files in the expected places - r = dump_decision_point(jsondir, outdir, dp, overwrite) - self.assertTrue(os.path.exists(r["include_file"])) - self.assertTrue(os.path.exists(r["symlink"])) - self.assertTrue(os.path.exists(r["json_file"])) + r = dump_decision_point(jsondir, dp, overwrite) - # not checking these thoroughly, just making sure they are there - # because they are tested elsewhere in dump_markdown and dump_json + self.assertTrue(os.path.exists(jsondir)) + self.assertIn("json", os.listdir(self.tempdir.name)) + self.assertEqual(1, len(os.listdir(jsondir))) - def test_dump_markdown(self): - # dump_markdown should create a file, write to it, and then create a generic symlink - basename = "foo" - dp = self.dp - json_file = os.path.join(self.tempdir.name, f"{basename}.json") - outdir = self.tempdir.name - overwrite = False + file_created = os.listdir(jsondir)[0] - # should create the file in the expected place - include_file = os.path.join(outdir, f"{basename}.md") - symlink = os.path.join(outdir, f"{_filename_friendly(dp.name)}.md") - - self.assertFalse(os.path.exists(include_file)) - self.assertFalse(os.path.exists(symlink)) - r = dump_markdown(basename, dp, json_file, outdir, overwrite) - self.assertTrue(os.path.exists(include_file)) - - self.assertEqual(include_file, r["include_file"]) - self.assertEqual(symlink, r["symlink"]) - - # the file contains text based on the dp - with open(include_file, "r") as f: - text = f.read() - - self.assertIn(dp.description, text) - self.assertIn(dp.name, text) - self.assertIn(dp.version, text) - for value in dp.values: - 
self.assertIn(value.name, text) - self.assertIn(value.description, text) - self.assertIn(value.key, text) - - # should create the symlink in the expected place - self.assertTrue(os.path.exists(symlink), symlink) - # should be a symlink - self.assertTrue(os.path.islink(symlink)) - # should point to the include file - self.assertEqual( - os.path.realpath(symlink), os.path.realpath(include_file) - ) + for word in dp.name.split(): + self.assertIn(word.lower(), file_created) - # should not overwrite the file - overwrite = False - # capture logger output - with self.assertLogs() as cm: - dump_markdown(basename, dp, json_file, outdir, overwrite) - # logger warns that the file exists - self.assertIn("already exists", cm.output[0]) - - # should overwrite the file - overwrite = True - dp.name = "Different Decision Point" - # capture logger output - with self.assertLogs(level=logging.DEBUG) as cm: - dump_markdown(basename, dp, json_file, outdir, overwrite) - # logger warns that the file was removed - self.assertIn("Removed", cm.output[0]) + # not checking these thoroughly, just making sure they are there + # because they are tested elsewhere in dump_markdown and dump_json def test_dump_json(self): basename = "foo"
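Review bot: In `test_dump_decision_point`, `r = dump_decision_point(jsondir, dp, overwrite)` binds a result that is never used, and per the doctools.py change in this same diff the function is now annotated `-> None`. The closing comment also still points at the removed `dump_markdown`. I would write the call as `dump_decision_point(jsondir, dp, overwrite)` and change the comment to `# file contents are checked in test_dump_json`. The test's fixture is defined outside the hunk, so it is unclear whether the new namespace-subdirectory branch of `dump_json` is exercised; a second case with a non-`ssvc` namespace and a fresh `jsondir` would cover it.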