Skip to content

Split CVSS equivalence sets #685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ahouseholder merged 2 commits into from
Feb 18, 2025
Merged

Split CVSS equivalence sets #685

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c1e5b9b
split eq1 into separate module
ahouseholder Feb 17, 2025
e36348d
split EQ2-6 into separate modules
ahouseholder Feb 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions src/ssvc/_mixins.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
#!/usr/bin/env python
"""
file: _basics
author: adh
created_at: 9/20/23 4:51 PM
This module provides mixin classes for adding features to SSVC objects.
"""
# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
Expand Down
191 changes: 0 additions & 191 deletions src/ssvc/decision_points/cvss/eq_sets.py
View file
Open in desktop

This file was deleted.

66 changes: 66 additions & 0 deletions src/ssvc/decision_points/cvss/equivalence_set_1.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
#!/usr/bin/env python
"""
Provides an object representing the CVSS Equivalence Set 1 as a decision point.
"""
# Copyright (c) 2025 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
# - see ContributionInstructions.md for information on how you can Contribute to this project
# Stakeholder Specific Vulnerability Categorization (SSVC) is
# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
# with this Software or contact [email protected] for full terms.
# Created, in part, with funding and support from the United States Government
# (see Acknowledgments file). This program may include and/or can make use of
# certain third party source code, object code, documentation and other files
# (“Third Party Software”). See LICENSE.md for more details.
# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
# U.S. Patent and Trademark Office by Carnegie Mellon University

from ssvc.decision_points import SsvcDecisionPointValue
from ssvc.decision_points.cvss.base import CvssDecisionPoint
from ssvc.decision_points.helpers import print_versions_and_diffs

TWO = SsvcDecisionPointValue(
name="Low",
key="L",
description="2: AV:P or not(AV:N or PR:N or UI:N)",
)

ONE = SsvcDecisionPointValue(
name="Medium",
key="M",
description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P",
)

ZERO = SsvcDecisionPointValue(
name="High",
key="H",
description="0: AV:N and PR:N and UI:N",
)

# EQ1 → AV/PR/UI with 3 levels specified in Table 24
# Levels Constraints Highest Severity Vector(s)
# 0 AV:N and PR:N and UI:N AV:N/PR:N/UI:N
# 1 (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N:/UI:P
# 2 AV:P or not(AV:N or PR:N or UI:N) AV:P/PR:N/UI:N or AV:A/PR:L/UI:P
EQ1 = CvssDecisionPoint(
name="Equivalence Set 1",
key="EQ1",
description="AV/PR/UI with 3 levels specified in Table 24",
version="1.0.0",
values=(
TWO,
ONE,
ZERO,
),
)

VERSIONS = (EQ1,)
LATEST = EQ1


def main():
print_versions_and_diffs(VERSIONS)


if __name__ == "__main__":
main()
57 changes: 57 additions & 0 deletions src/ssvc/decision_points/cvss/equivalence_set_2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
#!/usr/bin/env python
"""
This module provides an object representing the CVSS Equivalence Set 2 as a decision point.
"""
# Copyright (c) 2025 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
# - see ContributionInstructions.md for information on how you can Contribute to this project
# Stakeholder Specific Vulnerability Categorization (SSVC) is
# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
# with this Software or contact [email protected] for full terms.
# Created, in part, with funding and support from the United States Government
# (see Acknowledgments file). This program may include and/or can make use of
# certain third party source code, object code, documentation and other files
# (“Third Party Software”). See LICENSE.md for more details.
# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
# U.S. Patent and Trademark Office by Carnegie Mellon University

from ssvc.decision_points import SsvcDecisionPointValue
from ssvc.decision_points.cvss.base import CvssDecisionPoint
from ssvc.decision_points.helpers import print_versions_and_diffs

# EQ2 → AC/AT with 2 levels specified in Table 25
# Levels Constraints Highest Severity Vector(s)
# 0 AC:L and AT:N AC:L/AT:N
# 1 not (AC:L and AT:N) AC:L/AT:P or AC:H/AT:N
ONE = SsvcDecisionPointValue(
name="Low",
key="L",
description="1: not (AC:L and AT:N)",
)
ZERO = SsvcDecisionPointValue(
name="High",
key="H",
description="0: AC:L and AT:N",
)

EQ2 = CvssDecisionPoint(
name="Equivalence Set 2",
key="EQ2",
description="AC/AT with 2 levels specified in Table 25",
version="1.0.0",
values=(
ONE,
ZERO,
),
)

VERSIONS = (EQ2,)
LATEST = VERSIONS[-1]


def main():
print_versions_and_diffs(VERSIONS)


if __name__ == "__main__":
main()
65 changes: 65 additions & 0 deletions src/ssvc/decision_points/cvss/equivalence_set_3.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
#!/usr/bin/env python
"""
This module provides an object representing the CVSS Equivalence Set 3 as a decision point.
"""
# Copyright (c) 2025 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
# - see ContributionInstructions.md for information on how you can Contribute to this project
# Stakeholder Specific Vulnerability Categorization (SSVC) is
# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
# with this Software or contact [email protected] for full terms.
# Created, in part, with funding and support from the United States Government
# (see Acknowledgments file). This program may include and/or can make use of
# certain third party source code, object code, documentation and other files
# (“Third Party Software”). See LICENSE.md for more details.
# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
# U.S. Patent and Trademark Office by Carnegie Mellon University

from ssvc.decision_points import SsvcDecisionPointValue
from ssvc.decision_points.cvss.base import CvssDecisionPoint
from ssvc.decision_points.helpers import print_versions_and_diffs

# EQ3 → VC/VI/VA with 3 levels specified in Table 26
# Levels Constraints Highest Severity Vector(s)
# 0 VC:H and VI:H VC:H/VI:H/VA:H
# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H) VC:L/VI:H/VA:H or VC:H/VI:L/VA:H
# 2 not (VC:H or VI:H or VA:H) VC:L/VI:L/VA:L
TWO = SsvcDecisionPointValue(
name="Low",
key="L",
description="2: not (VC:H or VI:H or VA:H)",
)
ONE = SsvcDecisionPointValue(
name="Medium",
key="M",
description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)",
)
ZERO = SsvcDecisionPointValue(
name="High",
key="H",
description="0: VC:H and VI:H",
)

EQ3 = CvssDecisionPoint(
name="Equivalence Set 3",
key="EQ3",
description="VC/VI/VA with 3 levels specified in Table 26",
version="1.0.0",
values=(
TWO,
ONE,
ZERO,
),
)


VERSIONS = (EQ3,)
LATEST = VERSIONS[-1]


def main():
print_versions_and_diffs(VERSIONS)


if __name__ == "__main__":
main()
Loading