@ahouseholder ahouseholder commented Feb 21, 2025

  • resolves Consider a "CVSS Category" decision point #711, adding CVSS categories (Low, Medium, High, Critical) for use in future decision models
  • adds an include_json:bool option (defaults to True) on the example_block() method so that docs can ask for a defined decision point block without the json example being included (by explicitly passing include_json=False)
  • also fixed a small bug where example_block() accepted but did not use an indent:int parameter

Copilot Summary (edited to add CVSS spec link)

This pull request introduces a new decision point for the CVSS Qualitative Severity Rating Scale and updates the documentation accordingly. The most important changes include adding the new decision point, updating the documentation to include it, and modifying helper functions to support the new decision point.

Addition of CVSS Qualitative Severity Rating Scale:

Documentation updates:

Helper function modifications:

  • src/ssvc/doc_helpers.py: Modified the example_block function to include an optional JSON example and changed the indentation parameter to be more flexible.

@ahouseholder ahouseholder added the content/semantic, enhancement, and python labels Feb 21, 2025
@ahouseholder ahouseholder added this to the 2025-03 milestone Feb 21, 2025
@ahouseholder ahouseholder self-assigned this Feb 21, 2025
@ahouseholder ahouseholder linked an issue Feb 21, 2025 that may be closed by this pull request
@ahouseholder ahouseholder marked this pull request as ready for review February 21, 2025 16:17

@sei-renae sei-renae left a comment

lgtm

key="QS",
description="The CVSS Qualitative Severity Rating Scale provides "
"a categorical representation of a CVSS Score.",
version="1.0.0",
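
Review bot: the version="1.0.0" line sits directly under a description that names CVSS, and nothing in these lines says it is the decision point's own version rather than a CVSS version. A one-line comment next to version= stating that would head off that reading.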

There is a lingering CVSS versioning question on my mind. Maybe it should be an issue. The CVSS V4 is sometimes represented with a namespace/version combo of cvss and 3.0.1, as in ATTACK_VECTOR_3_0_1 (in the src/ssvc/decision_points/cvss/attack_vector.py file) for CVSS v4 Attack Vector. Can we track the mapping this way? This seems to be the case in this PR as well, where the CVSSv4 Quality metric shows up as version 1.0.0 with namespace cvss.

@ahouseholder ahouseholder Feb 21, 2025

The decision point versions are the decision point versions. They have no connection to CVSS versions.

The qualitative severity scale was added in CVSS v3.0 and has not changed (search each of these for "qualitative severity" to confirm), so by our decision point versioning rules, this one is 1.0.0.

@ahouseholder ahouseholder merged commit 9b53f52 into main Feb 21, 2025
6 checks passed
@ahouseholder ahouseholder deleted the 711-consider-a-cvss-category-decision-point branch February 21, 2025 16:57