Add CVSS vector elements as decision point docs #691
Conversation
now provided at site build time using inline python
inline examples are now done with inline python in markdown
…nvert_doctools_to_inline
…d_cvss_docs

# Conflicts:
#	docs/reference/decision_points/automatable.md
#	docs/reference/decision_points/public_safety_impact.md
#	docs/reference/decision_points/safety_impact.md
#	src/ssvc/decision_points/cvss/attack_vector.py
#	src/ssvc/decision_points/cvss/availability_impact.py
#	src/ssvc/decision_points/cvss/confidentiality_impact.py
#	src/ssvc/decision_points/cvss/integrity_impact.py
#	src/ssvc/decision_points/cvss/supplemental/automatable.py
#	src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
#	src/ssvc/decision_points/cvss/supplemental/recovery.py
#	src/ssvc/decision_points/cvss/supplemental/safety.py
#	src/ssvc/decision_points/cvss/supplemental/value_density.py
#	src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
#	src/ssvc/decision_points/high_value_asset.py
#	src/ssvc/doc_helpers.py
#	src/ssvc/doctools.py
#	src/ssvc/dp_groups/cvss/collections.py
#	src/test/test_doc_helpers.py
sei-renae
left a comment
Why are our CVSS table values not listed in the same order as on the https://www.first.org/cvss/v4.0/specification-document ?

Merged main to catch up and resolve conflicts. Also did markdownlint to bring the new markdown up to snuff.
…d_cvss_docs

# Conflicts:
#	docs/reference/decision_points/automatable.md
#	docs/reference/decision_points/safety_impact.md

I was looking at the CVSS v4 spec when I did those lists, so it was my intent that they be in the same order.

For example, in 'Exploit Maturity,' FIRST orders the values XAPU whereas CERTCC orders them UPAX.

Ah, I see what you mean. The short (and ironically apt) answer is that CVSS and SSVC have different perspectives on "endianness". I'll pause to let you recover from the eye roll before proceeding. ... Ready? cool.

CVSS tends to list the worst thing first, and the least bad thing last. They repeat this in CVSS v4 with the Equivalence Sets as well: 0 is the worst thing and the least bad thing is either a 1 or 2 depending on how many things are in the list. This gave me the same feeling as folks must have had when Celsius showed up with a temperature scale in which water boils at zero and freezes at 100.

We went with the idea that zero is less than one and one is less than two and therefore the zeroth item in the list should be least bad of the ordered set. (18th Century Science also reached a similar conclusion with temperature, lucky us.)

The long answer is in https://github.com/CERTCC/SSVC/blob/main/docs/adr/0008-decision-points-are-ordered-sets.md
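The ordering convention discussed in the exchange above, as an added example that is not code from the SSVC project or from any participant in this thread. It takes the Exploit Maturity values in the worst-first order the FIRST v4 specification uses (X, A, P, U), reverses them into an ordered set whose index 0 is the least bad (U, P, A, X), and reads the E element out of a CVSS v4 vector string so the resulting index compares the way the ADR describes (a larger index is worse). The OrderedDecisionPoint class, the parser, and the sample vectors are assumptions written for this illustration, not the ssvc package's API; the only CVSS fact relied on is that a vector without an E element means Not Defined (X), which v4 scores the same as Attacked (A), which is why X sits at the severe end of the SSVC order.

```python
"""Added example: CVSS worst-first lists vs. SSVC least-bad-first ordered sets.

Illustration only; OrderedDecisionPoint and parse_cvss_v4_vector are assumed
helpers, not the SSVC project's own classes or functions.
"""

from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

# Exploit Maturity values as the FIRST CVSS v4 spec lists them: worst first.
# X = Not Defined, which v4 scoring treats like A (Attacked).
CVSS_V4_EXPLOIT_MATURITY_SPEC_ORDER: Tuple[str, ...] = ("X", "A", "P", "U")


@dataclass(frozen=True)
class OrderedDecisionPoint:
    """A decision point as an ordered set: values[0] is the least severe.

    Assumed class for this example; it mirrors the convention in the thread,
    not the ssvc package's implementation.
    """

    name: str
    key: str  # CVSS vector element key, e.g. "E"
    values: Tuple[str, ...]  # least bad first

    def index(self, value: str) -> int:
        """Position of a value; larger means worse."""
        try:
            return self.values.index(value)
        except ValueError:
            raise ValueError(f"{value!r} is not a value of {self.name}") from None

    def worse(self, a: str, b: str) -> bool:
        """True when value a is strictly worse than value b."""
        return self.index(a) > self.index(b)


def ssvc_order_from_cvss(spec_order: Sequence[str]) -> Tuple[str, ...]:
    """Reverse a CVSS worst-first list into the SSVC least-bad-first order."""
    return tuple(reversed(spec_order))


EXPLOIT_MATURITY = OrderedDecisionPoint(
    name="Exploit Maturity",
    key="E",
    values=ssvc_order_from_cvss(CVSS_V4_EXPLOIT_MATURITY_SPEC_ORDER),  # U, P, A, X
)


def parse_cvss_v4_vector(vector: str) -> Dict[str, str]:
    """Parse 'CVSS:4.0/AV:N/AC:L/.../E:P' into {'AV': 'N', ...}.

    Minimal parser for this example: checks the version prefix, the key:value
    shape and duplicate keys, but does not validate every metric against the spec.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key!r}")
        metrics[key] = value
    return metrics


def exploit_maturity_index(vector: str) -> int:
    """SSVC-ordered index of the vector's E value; a missing E means X (Not Defined)."""
    metrics = parse_cvss_v4_vector(vector)
    value = metrics.get(EXPLOIT_MATURITY.key, "X")
    return EXPLOIT_MATURITY.index(value)


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    attacked = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"
    unreported = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
    print("SSVC order:", EXPLOIT_MATURITY.values)
    print("E:A index:", exploit_maturity_index(attacked))
    print("E:U index:", exploit_maturity_index(unreported))
    print("A worse than U:", EXPLOIT_MATURITY.worse("A", "U"))
```

Reversing the spec list rather than hand-typing the SSVC order keeps the two views in sync: if a future CVSS revision inserts a value, only the worst-first tuple changes and the least-bad-first ordered set follows.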
This pull request includes several changes to the documentation, particularly focusing on connecting CVSS vector elements and SSVC decision points and adding markdown includes for various decision points for cross-reference. The most important changes include the addition of tips explaining the interchangeability between CVSS and SSVC decision points, updates to markdown files with new content, and the inclusion of example blocks for different CVSS-based decision points.
Documentation Enhancements:

- automatable_cvss_ssvc.md, safety_cvss_ssvc.md, and value_density_cvss_ssvc.md.
- automatable.md, to include markdown from automatable_cvss_ssvc.md.
- attack_complexity.md, attack_requirements.md, attack_vector.md, authentication.md, availability_impact.md, availability_requirement.md, collateral_damage_potential.md, confidentiality_impact.md, confidentiality_requirement.md, exploit_maturity.md, impact_bias.md, integrity_impact.md, integrity_requirement.md, and privileges_required.md.
- cvss/index.md, organizing them into groups according to the CVSS v4.0 specification document.