diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md new file mode 100644 index 00000000..324b4ead --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md @@ -0,0 +1,17 @@ +- Remove this template and add a description of the changes you are proposing. +- Edit the title of the PR to be a concise summary of the changes. The title should + be descriptive enough to give a reviewer a good idea of what the PR is about, and + not just a reference to an issue number. PR titles are used in the commit log + and release notes, so they need to convey meaning on their own. +- Most pull requests should be in response to an issue, and ideally a PR will + resolve or close one or more issues. +- If a PR only partially resolves an issue, + we suggest spawning one or more child issues from the main issue to identify what portion + of the issue is resolved by the PR, and what work remains to be done. +- Please use [github keyword syntax](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/using-keywords-in-issues-and-pull-requests) + (closes, fixes, resolves, etc.) to reference relevant issues. +- Using bulleted lists with the issue id at the end lets github automatically + link the issue and provide the title inline. E.g.: `- resolves #99999` +- CoPilot summaries are welcome in the PR description, but please provide a brief +description of the changes in your own words as well. CoPilot can be good at the _what_, +but not so good at the _why_. \ No newline at end of file diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml new file mode 100644 index 00000000..7c076a7b --- /dev/null +++ b/.github/workflows/lint_md_changes.yml @@ -0,0 +1,30 @@ +name: "Lint Markdown (Changes)" +on: + push: + paths: + - '**/*.md' + - .github/workflows/lint_md_changes.yml + pull_request: + paths: + - '**/*.md' + - .github/workflows/lint_md_changes.yml + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: tj-actions/changed-files@v45 + id: changed-files + with: + files: '**/*.md' + separator: "," + - uses: DavidAnson/markdownlint-cli2-action@v19 + if: steps.changed-files.outputs.any_changed == 'true' + with: + globs: ${{ steps.changed-files.outputs.all_changed_files }} + separator: "," + config: .markdownlint.yml + diff --git a/.gitignore b/.gitignore index 6189a8e6..c575e379 100644 --- a/.gitignore +++ b/.gitignore @@ -129,3 +129,4 @@ dmypy.json .pyre/ ssvc2-applier-wip.xlsx _version.py +node_modules diff --git a/.markdownlint.yml b/.markdownlint.yml new file mode 100644 index 00000000..3c95d570 --- /dev/null +++ b/.markdownlint.yml @@ -0,0 +1,29 @@ +default: true +# disable noisy rules +# 0004 Unordered List style +# Force dash style for unordered lists +MD004: + style: "dash" +# 013 Line length +# Disabled because we have a lot of long lines. We should fix this eventually. +MD013: false +# 033 Inline HTML +# Disabled because we use inline HTML (
in table cells for example) +MD033: false +# MD040/fenced-code-language : Fenced code blocks should have a language specified : https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md040.md +MD040: false +# 041 First line in file should be a top level header +# Disabled because we use `include-markdown` plugin for merging markdown files +MD041: false +# 046 Code block style +# Disabled because mkdocs-material uses indented blocks for admonitions +MD046: false +# 049 emphasis style +# Force asterisk style for emphasis +MD049: + style: "asterisk" +# 050 strong style +# Force asterisk style for strong +MD050: + style: "asterisk" + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d3e01067..e2d15805 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,7 +1,7 @@ # How to contribute Thanks for your help on improving our stakeholder-specific vulnerability categorization work. -To account for different stakeholder perspectives, we benefit from a diverse group of contributors. +To account for different stakeholder perspectives, we benefit from a diverse group of contributors. Please see our project documentation in the [wiki](https://github.com/CERTCC/SSVC/wiki) that accompanies this repository for more information on how you can contribute to the project. @@ -9,9 +9,8 @@ for more information on how you can contribute to the project. ## Licenses See [LICENSE](https://github.com/CERTCC/SSVC/blob/main/LICENSE) - + ## Questions If you have any questions, an [issue](https://github.com/CERTCC/SSVC/issues) or [discussion](https://github.com/CERTCC/SSVC/discussions) is the best way to get in touch with us. - diff --git a/Dockerfile b/Dockerfile index 37a6d682..79aa5836 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,18 +1,23 @@ -FROM python:3.12-slim-bookworm - +FROM python:3.12-slim-bookworm AS base +RUN pip install --upgrade pip WORKDIR /app +FROM base AS dependencies + # install requirements COPY requirements.txt . RUN pip install -r requirements.txt - # Copy the files we need -COPY src/ . -COPY data ./data +COPY . /app +# Set the environment variable +ENV PYTHONPATH=/app/src + +FROM dependencies AS test # install pytest RUN pip install pytest - # run the unit tests \ -ENTRYPOINT ["pytest"] -CMD ["test"] +CMD ["pytest","src/test"] + +FROM dependencies AS docs +CMD ["mkdocs", "serve", "--dev-addr", "0.0.0.0:8000"] \ No newline at end of file diff --git a/LICENSE b/LICENSE index c5d2a6ad..816cc7df 100644 --- a/LICENSE +++ b/LICENSE @@ -3,7 +3,7 @@ The following license applies to software contained in this repository. ---- MIT License -Copyright (c) 2020 Carnegie Mellon University +Copyright (c) 2020-2025 Carnegie Mellon University Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..40f8e7f0 --- /dev/null +++ b/Makefile @@ -0,0 +1,61 @@ +# Project-specific vars +PFX=ssvc +DOCKER=docker +DOCKER_BUILD=$(DOCKER) build +DOCKER_RUN=$(DOCKER) run --tty --rm +PROJECT_VOLUME=--volume $(shell pwd):/app +MKDOCS_PORT=8765 + +# docker names +TEST_DOCKER_TARGET=test +TEST_IMAGE = $(PFX)_test +DOCS_DOCKER_TARGET=docs +DOCS_IMAGE = $(PFX)_docs + +# Targets +.PHONY: all dockerbuild_test dockerrun_test dockerbuild_docs dockerrun_docs docs docker_test clean help + +all: help + +dockerbuild_test: + @echo "Building the test Docker image..." + $(DOCKER_BUILD) --target $(TEST_DOCKER_TARGET) --tag $(TEST_IMAGE) . + +dockerrun_test: + @echo "Running the test Docker image..." + $(DOCKER_RUN) $(PROJECT_VOLUME) $(TEST_IMAGE) + +dockerbuild_docs: + @echo "Building the docs Docker image..." + $(DOCKER_BUILD) --target $(DOCS_DOCKER_TARGET) --tag $(DOCS_IMAGE) . + +dockerrun_docs: + @echo "Running the docs Docker image..." + $(DOCKER_RUN) --publish $(MKDOCS_PORT):8000 $(PROJECT_VOLUME) $(DOCS_IMAGE) + + +docs: dockerbuild_docs dockerrun_docs +docker_test: dockerbuild_test dockerrun_test + +clean: + @echo "Cleaning up..." + $(DOCKER) rmi $(TEST_IMAGE) $(DOCS_IMAGE) || true + +help: + @echo "Usage: make [target]" + @echo "" + @echo "Targets:" + @echo " all - Display this help message" + @echo " docs - Build and run the docs Docker image" + @echo " docker_test - Build and run the test Docker image" + @echo "" + @echo " dockerbuild_test - Build the test Docker image" + @echo " dockerrun_test - Run the test Docker image" + @echo " dockerbuild_docs - Build the docs Docker image" + @echo " dockerrun_docs - Run the docs Docker image" + @echo "" + @echo " clean - Remove the Docker images" + @echo " help - Display this help message" + + + diff --git a/README.md b/README.md index ae0a2910..e1bc0c1e 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-ma SSVC is mostly conceptual tools for vulnerability management. These conceptual tools (how to make decisions, what should go into a decision, how to document and communicate decisions clearly, etc.) are described here. -**Note:** This repository contains the _content_ for the main SSVC documentation hosted at +**Note:** This repository contains the *content* for the main SSVC documentation hosted at ## [https://certcc.github.io/SSVC/](https://certcc.github.io/SSVC/) @@ -19,7 +19,6 @@ These conceptual tools (how to make decisions, what should go into a decision, h --- - # What's here Here's a quick overview of the main directories and files in this repository. @@ -34,7 +33,7 @@ See [`project_docs/README.md`](project_docs/README.md) for more info. Directory with SSVC calculator using D3 graph. See [`ssvc-calc/README.md`](docs/ssvc-calc/README.md) for more info. -A demo version of `ssvc-calc` can be found at https://certcc.github.io/SSVC/ssvc-calc/ +A demo version of `ssvc-calc` can be found at ## `/pdfs/*` @@ -82,12 +81,57 @@ The two methods just loop through their respective lookup tables until they hit a match, then return the outcome. Maybe not the best implementation, but it worked well enough for what was needed at the time. - ## Local development -Install prerequisites: +The simplest way to get started with local development is to use Docker. +We provide a Dockerfile that builds an image with all the dependencies needed to build the site. +We also provide a `Makefile` that simplifies the process of building the site and running a local server, +so you don't have to remember the exact `docker build` and `docker run` commands +to get started. + +### Make Commands + +To display the available `make` commands, run: + +```bash +make help +``` + +To preview any `make` command without actually executing it, run: ```bash +make -n +``` + +### Run Local Server With Docker + +The easiest way to get started is using make to build a docker image and run the site: + +```bash +make docs +``` + +Then navigate to to see the site. + +Note that the docker container will display a message with the URL to visit, for +example: `Serving on http://0.0.0.0:8000/SSVC/` in the output. However, that port +is only available inside the container. The host port 8765 is mapped to the container's +port 8000, so you should navigate to to see the site. + +Or, if make is not available: + +```bash +docker build --target docs --tag ssvc_docs . +docker run --tty --rm -p 8765:8000 --volume .:/app ssvc_docs +``` + +### Run Local Server Without Docker + +If you prefer to run the site locally without Docker, you can do so with mkdocs. +We recommend using a virtual environment to manage dependencies: + +```bash +python3 -m venv ssvc_venv pip install -r requirements.txt ``` @@ -97,32 +141,47 @@ Start a local server: mkdocs serve ``` -Navigate to http://localhost:8001/ to see the site. +By default, the server will run on port 8001. +This is configured in the `mkdocs.yml` file. +Navigate to to see the site. (Hint: You can use the `--dev-addr` argument with mkdocs to change the port, e.g. `mkdocs serve --dev-addr localhost:8000`) -## Run tests +## Run tests We include a few tests for the `ssvc` module. -### With Docker +### Run Tests With Docker -```bash +The easiest way to run tests is using make to build a docker image and run the tests: -docker build -t ssvc_test . -docker run -it --rm ssvc_test +```bash +make docker_test ``` -### Without Docker +Or, if make is not available: ```bash -pip install pytest # if you haven't already +docker build --target test --tag ssvc_test . +docker run --tty --rm --volume .:/app ssvc_test +``` + +### Run Tests Without Docker -pytest # should find tests in src/test/* +```bash +pip install pytest +pytest src/test ``` +## Environment Variables +If you encounter a problem with the `ssvc` module not being found, you may need to set the `PYTHONPATH` environment variable. +The Dockerfile takes care of this in the Docker environment. +When not running in Docker, make sure that the `src` directory is in your `PYTHONPATH`: +```bash +export PYTHONPATH=$PYTHONPATH:$(pwd)/src +``` ## Contributing @@ -147,5 +206,5 @@ To reference SSVC in an academic publication, please refer to the version presen ## References -1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379 -2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368 +1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). +2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). diff --git a/data/json/decision_points/automatable_2_0_0.json b/data/json/decision_points/automatable_2_0_0.json index 90ac4a09..a44086f9 100644 --- a/data/json/decision_points/automatable_2_0_0.json +++ b/data/json/decision_points/automatable_2_0_0.json @@ -17,4 +17,4 @@ "description": "Attackers can reliably automate steps 1-4 of the kill chain." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/access_complexity_1_0_0.json b/data/json/decision_points/cvss/access_complexity_1_0_0.json new file mode 100644 index 00000000..30e88f11 --- /dev/null +++ b/data/json/decision_points/cvss/access_complexity_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Access Complexity", + "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable." + }, + { + "key": "H", + "name": "High", + "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)" + } + ] +} diff --git a/data/json/decision_points/cvss/access_complexity_2_0_0.json b/data/json/decision_points/cvss/access_complexity_2_0_0.json new file mode 100644 index 00000000..09c795fc --- /dev/null +++ b/data/json/decision_points/cvss/access_complexity_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Access Complexity", + "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist." + }, + { + "key": "M", + "name": "Medium", + "description": "The access conditions are somewhat specialized." + }, + { + "key": "H", + "name": "High", + "description": "Specialized access conditions exist." + } + ] +} diff --git a/data/json/decision_points/cvss/access_vector_1_0_0.json b/data/json/decision_points/cvss/access_vector_1_0_0.json new file mode 100644 index 00000000..beee709d --- /dev/null +++ b/data/json/decision_points/cvss/access_vector_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Access Vector", + "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.", + "values": [ + { + "key": "L", + "name": "Local", + "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)" + }, + { + "key": "R", + "name": "Remote", + "description": "The vulnerability is exploitable remotely." + } + ] +} diff --git a/data/json/decision_points/cvss/access_vector_2_0_0.json b/data/json/decision_points/cvss/access_vector_2_0_0.json new file mode 100644 index 00000000..9f68fb5a --- /dev/null +++ b/data/json/decision_points/cvss/access_vector_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Access Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible.", + "values": [ + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account." + }, + { + "key": "A", + "name": "Adjacent Network", + "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'." + } + ] +} diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_0.json b/data/json/decision_points/cvss/attack_complexity_3_0_0.json new file mode 100644 index 00000000..b9dd8584 --- /dev/null +++ b/data/json/decision_points/cvss/attack_complexity_3_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + { + "key": "H", + "name": "High", + "description": "A successful attack depends on conditions beyond the attacker's control." + } + ] +} diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json new file mode 100644 index 00000000..7f49cf1d --- /dev/null +++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "values": [ + { + "key": "L", + "name": "Low", + "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + }, + { + "key": "H", + "name": "High", + "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + } + ] +} diff --git a/data/json/decision_points/cvss/attack_requirements_1_0_0.json b/data/json/decision_points/cvss/attack_requirements_1_0_0.json new file mode 100644 index 00000000..4232fa7b --- /dev/null +++ b/data/json/decision_points/cvss/attack_requirements_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AT", + "name": "Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "P", + "name": "Present", + "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + } + ] +} diff --git a/data/json/decision_points/cvss/attack_vector_3_0_0.json b/data/json/decision_points/cvss/attack_vector_3_0_0.json new file mode 100644 index 00000000..612e5c72 --- /dev/null +++ b/data/json/decision_points/cvss/attack_vector_3_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." + }, + { + "key": "A", + "name": "Adjacent", + "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + } + ] +} diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json new file mode 100644 index 00000000..fbf31693 --- /dev/null +++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + } + ] +} diff --git a/data/json/decision_points/cvss/authentication_1_0_0.json b/data/json/decision_points/cvss/authentication_1_0_0.json new file mode 100644 index 00000000..0e2f41e7 --- /dev/null +++ b/data/json/decision_points/cvss/authentication_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "Au", + "name": "Authentication", + "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", + "values": [ + { + "key": "N", + "name": "Not Required", + "description": "Authentication is not required to access or exploit the vulnerability." + }, + { + "key": "R", + "name": "Required", + "description": "Authentication is required to access and exploit the vulnerability." + } + ] +} diff --git a/data/json/decision_points/cvss/authentication_2_0_0.json b/data/json/decision_points/cvss/authentication_2_0_0.json new file mode 100644 index 00000000..98a1037b --- /dev/null +++ b/data/json/decision_points/cvss/authentication_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "Au", + "name": "Authentication", + "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", + "values": [ + { + "key": "M", + "name": "Multiple", + "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." + }, + { + "key": "S", + "name": "Single", + "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." + }, + { + "key": "N", + "name": "None", + "description": "Authentication is not required to exploit the vulnerability." + } + ] +} diff --git a/data/json/decision_points/cvss/automatable_1_0_0.json b/data/json/decision_points/cvss/automatable_1_0_0.json new file mode 100644 index 00000000..9601b871 --- /dev/null +++ b/data/json/decision_points/cvss/automatable_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AU", + "name": "Automatable", + "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.", + "values": [ + { + "key": "N", + "name": "No", + "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." + }, + { + "key": "Y", + "name": "Yes", + "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")." + } + ] +} diff --git a/data/json/decision_points/cvss/availability_impact_1_0_0.json b/data/json/decision_points/cvss/availability_impact_1_0_0.json new file mode 100644 index 00000000..4c2b59e3 --- /dev/null +++ b/data/json/decision_points/cvss/availability_impact_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on availability." + }, + { + "key": "P", + "name": "Partial", + "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." + }, + { + "key": "C", + "name": "Complete", + "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." + } + ] +} diff --git a/data/json/decision_points/cvss/availability_impact_2_0_0.json b/data/json/decision_points/cvss/availability_impact_2_0_0.json new file mode 100644 index 00000000..f3b37b02 --- /dev/null +++ b/data/json/decision_points/cvss/availability_impact_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the availability of the system." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} diff --git a/data/json/decision_points/cvss/availability_impact_2_0_1.json b/data/json/decision_points/cvss/availability_impact_2_0_1.json new file mode 100644 index 00000000..e815d46a --- /dev/null +++ b/data/json/decision_points/cvss/availability_impact_2_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} diff --git a/data/json/decision_points/cvss/availability_requirement_1_0_0.json b/data/json/decision_points/cvss/availability_requirement_1_0_0.json new file mode 100644 index 00000000..cbffe72a --- /dev/null +++ b/data/json/decision_points/cvss/availability_requirement_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_0.json b/data/json/decision_points/cvss/availability_requirement_1_1_0.json new file mode 100644 index 00000000..66dec4d4 --- /dev/null +++ b/data/json/decision_points/cvss/availability_requirement_1_1_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json new file mode 100644 index 00000000..9e4a94fe --- /dev/null +++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.1.1", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json new file mode 100644 index 00000000..b650ad2f --- /dev/null +++ b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "CDP", + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no potential for physical or property damage." + }, + { + "key": "L", + "name": "Low", + "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." + }, + { + "key": "M", + "name": "Medium", + "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + } + ] +} diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json new file mode 100644 index 00000000..c08f0fe8 --- /dev/null +++ b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "CDP", + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for loss of life or physical assets.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no potential for loss of life, physical assets, productivity or revenue." + }, + { + "key": "LM", + "name": "Low-Medium", + "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." + }, + { + "key": "MH", + "name": "Medium-High", + "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json new file mode 100644 index 00000000..f8e633e6 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on confidentiality." + }, + { + "key": "P", + "name": "Partial", + "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." + }, + { + "key": "C", + "name": "Complete", + "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json new file mode 100644 index 00000000..5d8f0826 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json new file mode 100644 index 00000000..4c72a5d5 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..741722cd --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "SC", + "name": "Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json new file mode 100644 index 00000000..988ee409 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json new file mode 100644 index 00000000..2c508587 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json new file mode 100644 index 00000000..2e1ef437 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.1.1", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json new file mode 100644 index 00000000..9046163e --- /dev/null +++ b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "EQ1", + "name": "Equivalence Set 1", + "description": "AV/PR/UI with 3 levels specified in Table 24", + "values": [ + { + "key": "L", + "name": "Low", + "description": "2: AV:P or not(AV:N or PR:N or UI:N)" + }, + { + "key": "M", + "name": "Medium", + "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" + }, + { + "key": "H", + "name": "High", + "description": "0: AV:N and PR:N and UI:N" + } + ] +} diff --git a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json new file mode 100644 index 00000000..f9fa06e5 --- /dev/null +++ b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "EQ2", + "name": "Equivalence Set 2", + "description": "AC/AT with 2 levels specified in Table 25", + "values": [ + { + "key": "L", + "name": "Low", + "description": "1: not (AC:L and AT:N)" + }, + { + "key": "H", + "name": "High", + "description": "0: AC:L and AT:N" + } + ] +} diff --git a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json new file mode 100644 index 00000000..a617a8f4 --- /dev/null +++ b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "EQ3", + "name": "Equivalence Set 3", + "description": "VC/VI/VA with 3 levels specified in Table 26", + "values": [ + { + "key": "L", + "name": "Low", + "description": "2: not (VC:H or VI:H or VA:H)" + }, + { + "key": "M", + "name": "Medium", + "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" + }, + { + "key": "H", + "name": "High", + "description": "0: VC:H and VI:H" + } + ] +} diff --git a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json new file mode 100644 index 00000000..761d6ec8 --- /dev/null +++ b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "EQ4", + "name": "Equivalence Set 4", + "description": "SC/SI/SA with 3 levels specified in Table 27", + "values": [ + { + "key": "L", + "name": "Low", + "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" + }, + { + "key": "M", + "name": "Medium", + "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" + }, + { + "key": "H", + "name": "High", + "description": "0: MSI:S or MSA:S" + } + ] +} diff --git a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json new file mode 100644 index 00000000..1f1b7eec --- /dev/null +++ b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "EQ5", + "name": "Equivalence Set 5", + "description": "E with 3 levels specified in Table 28", + "values": [ + { + "key": "L", + "name": "Low", + "description": "2: E:U" + }, + { + "key": "M", + "name": "Medium", + "description": "1: E:P" + }, + { + "key": "H", + "name": "High", + "description": "0: E:A" + } + ] +} diff --git a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json new file mode 100644 index 00000000..599ec3b1 --- /dev/null +++ b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "EQ6", + "name": "Equivalence Set 6", + "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", + "values": [ + { + "key": "L", + "name": "Low", + "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" + }, + { + "key": "H", + "name": "High", + "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" + } + ] +} diff --git a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json new file mode 100644 index 00000000..a900808a --- /dev/null +++ b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.2.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploit Code Maturity", + "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation", + "values": [ + { + "key": "U", + "name": "Unproven", + "description": "No exploit code is available, or an exploit is theoretical." + }, + { + "key": "POC", + "name": "Proof-of-Concept", + "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker." + }, + { + "key": "F", + "name": "Functional", + "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists." + }, + { + "key": "H", + "name": "High", + "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json new file mode 100644 index 00000000..879891f6 --- /dev/null +++ b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploit Maturity", + "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", + "values": [ + { + "key": "U", + "name": "Unreported", + "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + }, + { + "key": "P", + "name": "Proof-of-Concept", + "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + }, + { + "key": "A", + "name": "Attacked", + "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/exploitability_1_0_0.json b/data/json/decision_points/cvss/exploitability_1_0_0.json new file mode 100644 index 00000000..be804085 --- /dev/null +++ b/data/json/decision_points/cvss/exploitability_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploitability", + "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", + "values": [ + { + "key": "U", + "name": "Unproven", + "description": "No exploit code is yet available or an exploit method is entirely theoretical." + }, + { + "key": "P", + "name": "Proof of Concept", + "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + { + "key": "F", + "name": "Functional", + "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + }, + { + "key": "H", + "name": "High", + "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + } + ] +} diff --git a/data/json/decision_points/cvss/exploitability_1_1_0.json b/data/json/decision_points/cvss/exploitability_1_1_0.json new file mode 100644 index 00000000..f2d07e9d --- /dev/null +++ b/data/json/decision_points/cvss/exploitability_1_1_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploitability", + "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", + "values": [ + { + "key": "U", + "name": "Unproven", + "description": "No exploit code is yet available or an exploit method is entirely theoretical." + }, + { + "key": "P", + "name": "Proof of Concept", + "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + { + "key": "F", + "name": "Functional", + "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + }, + { + "key": "H", + "name": "High", + "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/impact_bias_1_0_0.json b/data/json/decision_points/cvss/impact_bias_1_0_0.json new file mode 100644 index 00000000..97039be4 --- /dev/null +++ b/data/json/decision_points/cvss/impact_bias_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "IB", + "name": "Impact Bias", + "description": "This metric measures the impact bias of the vulnerability.", + "values": [ + { + "key": "N", + "name": "Normal", + "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight." + }, + { + "key": "C", + "name": "Confidentiality", + "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact." + }, + { + "key": "I", + "name": "Integrity", + "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact." + }, + { + "key": "A", + "name": "Availability", + "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_impact_1_0_0.json b/data/json/decision_points/cvss/integrity_impact_1_0_0.json new file mode 100644 index 00000000..cf1dcc9b --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "I", + "name": "Integrity Impact", + "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on integrity." + }, + { + "key": "P", + "name": "Partial", + "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope." + }, + { + "key": "C", + "name": "Complete", + "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_0.json b/data/json/decision_points/cvss/integrity_impact_2_0_0.json new file mode 100644 index 00000000..48102023 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "I", + "name": "Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the integrity of the system." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_1.json b/data/json/decision_points/cvss/integrity_impact_2_0_1.json new file mode 100644 index 00000000..59579fbd --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_2_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "I", + "name": "Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of integrity within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..ab4089b3 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "SI", + "name": "Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_requirement_1_0_0.json b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json new file mode 100644 index 00000000..73d07de1 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "IR", + "name": "Integrity Requirement", + "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_requirement_1_0_1.json b/data/json/decision_points/cvss/integrity_requirement_1_0_1.json new file mode 100644 index 00000000..4c8e1762 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_requirement_1_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.1", + "schemaVersion": "1-0-1", + "key": "IR", + "name": "Integrity Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_0.json b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json new file mode 100644 index 00000000..5515b3b4 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "IR", + "name": "Integrity Requirement", + "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json new file mode 100644 index 00000000..09fa2cab --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "MAC", + "name": "Modified Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + { + "key": "H", + "name": "High", + "description": "A successful attack depends on conditions beyond the attacker's control." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json new file mode 100644 index 00000000..9ddd5581 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "MAC", + "name": "Modified Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "values": [ + { + "key": "L", + "name": "Low", + "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + }, + { + "key": "H", + "name": "High", + "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json new file mode 100644 index 00000000..be523348 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MAT", + "name": "Modified Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "P", + "name": "Present", + "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json new file mode 100644 index 00000000..afb49892 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "MAV", + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." + }, + { + "key": "A", + "name": "Adjacent", + "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json new file mode 100644 index 00000000..32f378f7 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "MAV", + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json new file mode 100644 index 00000000..861be583 --- /dev/null +++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MA", + "name": "Modified Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the availability of the system." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json new file mode 100644 index 00000000..793c5579 --- /dev/null +++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MA", + "name": "Modified Availability Impact", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json new file mode 100644 index 00000000..5920006a --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MC", + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json new file mode 100644 index 00000000..027f96a0 --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MC", + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..1abda292 --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSC", + "name": "Modified Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json new file mode 100644 index 00000000..359fb804 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MI", + "name": "Modified Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the integrity of the system." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json new file mode 100644 index 00000000..a02b0fe3 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MI", + "name": "Modified Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of integrity within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..ec3d57b3 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSI", + "name": "Modified Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "S", + "name": "Safety", + "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json new file mode 100644 index 00000000..b31ad194 --- /dev/null +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MPR", + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json new file mode 100644 index 00000000..92297091 --- /dev/null +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.1", + "schemaVersion": "1-0-1", + "key": "MPR", + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_scope_1_0_0.json b/data/json/decision_points/cvss/modified_scope_1_0_0.json new file mode 100644 index 00000000..21d82cba --- /dev/null +++ b/data/json/decision_points/cvss/modified_scope_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MS", + "name": "Modified Scope", + "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", + "values": [ + { + "key": "U", + "name": "Unchanged", + "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + }, + { + "key": "C", + "name": "Changed", + "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json b/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json new file mode 100644 index 00000000..d8f83c65 --- /dev/null +++ b/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSA", + "name": "Modified Subsequent Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json new file mode 100644 index 00000000..cea0d0c0 --- /dev/null +++ b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MUI", + "name": "Modified User Interaction", + "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", + "values": [ + { + "key": "R", + "name": "Required", + "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any user." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json new file mode 100644 index 00000000..a4242ca6 --- /dev/null +++ b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MUI", + "name": "Modified User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", + "values": [ + { + "key": "A", + "name": "Active", + "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + { + "key": "P", + "name": "Passive", + "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/privileges_required_1_0_0.json b/data/json/decision_points/cvss/privileges_required_1_0_0.json new file mode 100644 index 00000000..e7a14402 --- /dev/null +++ b/data/json/decision_points/cvss/privileges_required_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "PR", + "name": "Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + } + ] +} diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json new file mode 100644 index 00000000..79c6c94a --- /dev/null +++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.1", + "schemaVersion": "1-0-1", + "key": "PR", + "name": "Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + } + ] +} diff --git a/data/json/decision_points/cvss/provider_urgency_1_0_0.json b/data/json/decision_points/cvss/provider_urgency_1_0_0.json new file mode 100644 index 00000000..0e277cca --- /dev/null +++ b/data/json/decision_points/cvss/provider_urgency_1_0_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "U", + "name": "Provider Urgency", + "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "C", + "name": "Clear", + "description": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)." + }, + { + "key": "G", + "name": "Green", + "description": "Provider has assessed the impact of this vulnerability as having a reduced urgency." + }, + { + "key": "A", + "name": "Amber", + "description": "Provider has assessed the impact of this vulnerability as having a moderate urgency." + }, + { + "key": "R", + "name": "Red", + "description": "Provider has assessed the impact of this vulnerability as having the highest urgency." + } + ] +} diff --git a/data/json/decision_points/cvss/recovery_1_0_0.json b/data/json/decision_points/cvss/recovery_1_0_0.json new file mode 100644 index 00000000..8a4beda9 --- /dev/null +++ b/data/json/decision_points/cvss/recovery_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "R", + "name": "Recovery", + "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "A", + "name": "Automatic", + "description": "The system recovers services automatically after an attack has been performed." + }, + { + "key": "U", + "name": "User", + "description": "The system requires manual intervention by the user to recover services, after an attack has been performed." + }, + { + "key": "I", + "name": "Irrecoverable", + "description": "The system services are irrecoverable by the user, after an attack has been performed." + } + ] +} diff --git a/data/json/decision_points/cvss/remediation_level_1_0_0.json b/data/json/decision_points/cvss/remediation_level_1_0_0.json new file mode 100644 index 00000000..11f9384f --- /dev/null +++ b/data/json/decision_points/cvss/remediation_level_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "RL", + "name": "Remediation Level", + "description": "This metric measures the remediation status of a vulnerability.", + "values": [ + { + "key": "OF", + "name": "Official Fix", + "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." + }, + { + "key": "TF", + "name": "Temporary Fix", + "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." + }, + { + "key": "W", + "name": "Workaround", + "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + { + "key": "U", + "name": "Unavailable", + "description": "There is either no solution available or it is impossible to apply." + } + ] +} diff --git a/data/json/decision_points/cvss/remediation_level_1_1_0.json b/data/json/decision_points/cvss/remediation_level_1_1_0.json new file mode 100644 index 00000000..ccaa439c --- /dev/null +++ b/data/json/decision_points/cvss/remediation_level_1_1_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "RL", + "name": "Remediation Level", + "description": "This metric measures the remediation status of a vulnerability.", + "values": [ + { + "key": "OF", + "name": "Official Fix", + "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." + }, + { + "key": "TF", + "name": "Temporary Fix", + "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." + }, + { + "key": "W", + "name": "Workaround", + "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + { + "key": "U", + "name": "Unavailable", + "description": "There is either no solution available or it is impossible to apply." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/report_confidence_1_0_0.json b/data/json/decision_points/cvss/report_confidence_1_0_0.json new file mode 100644 index 00000000..85940cf0 --- /dev/null +++ b/data/json/decision_points/cvss/report_confidence_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "RC", + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "values": [ + { + "key": "UC", + "name": "Unconfirmed", + "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + }, + { + "key": "UR", + "name": "Uncorroborated", + "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." + }, + { + "key": "C", + "name": "Confirmed", + "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." + } + ] +} diff --git a/data/json/decision_points/cvss/report_confidence_1_1_0.json b/data/json/decision_points/cvss/report_confidence_1_1_0.json new file mode 100644 index 00000000..691f1e87 --- /dev/null +++ b/data/json/decision_points/cvss/report_confidence_1_1_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "RC", + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "values": [ + { + "key": "UC", + "name": "Unconfirmed", + "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + }, + { + "key": "UR", + "name": "Uncorroborated", + "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." + }, + { + "key": "C", + "name": "Confirmed", + "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/report_confidence_2_0_0.json b/data/json/decision_points/cvss/report_confidence_2_0_0.json new file mode 100644 index 00000000..502e1291 --- /dev/null +++ b/data/json/decision_points/cvss/report_confidence_2_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "RC", + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "values": [ + { + "key": "U", + "name": "Unknown", + "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described." + }, + { + "key": "R", + "name": "Reasonable", + "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)." + }, + { + "key": "C", + "name": "Confirmed", + "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/safety_1_0_0.json b/data/json/decision_points/cvss/safety_1_0_0.json new file mode 100644 index 00000000..a72a7cd6 --- /dev/null +++ b/data/json/decision_points/cvss/safety_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "S", + "name": "Safety", + "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "P", + "name": "Present", + "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\"" + }, + { + "key": "N", + "name": "Negligible", + "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\"" + } + ] +} diff --git a/data/json/decision_points/cvss/scope_1_0_0.json b/data/json/decision_points/cvss/scope_1_0_0.json new file mode 100644 index 00000000..2ed72c80 --- /dev/null +++ b/data/json/decision_points/cvss/scope_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "S", + "name": "Scope", + "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", + "values": [ + { + "key": "U", + "name": "Unchanged", + "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + }, + { + "key": "C", + "name": "Changed", + "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + } + ] +} diff --git a/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json b/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json new file mode 100644 index 00000000..a7ed8c04 --- /dev/null +++ b/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "SA", + "name": "Subsequent Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} diff --git a/data/json/decision_points/cvss/target_distribution_1_0_0.json b/data/json/decision_points/cvss/target_distribution_1_0_0.json new file mode 100644 index 00000000..1d86b7ca --- /dev/null +++ b/data/json/decision_points/cvss/target_distribution_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "TD", + "name": "Target Distribution", + "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + }, + { + "key": "L", + "name": "Low", + "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." + }, + { + "key": "M", + "name": "Medium", + "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + }, + { + "key": "H", + "name": "High", + "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + } + ] +} diff --git a/data/json/decision_points/cvss/target_distribution_1_1_0.json b/data/json/decision_points/cvss/target_distribution_1_1_0.json new file mode 100644 index 00000000..bc126152 --- /dev/null +++ b/data/json/decision_points/cvss/target_distribution_1_1_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "TD", + "name": "Target Distribution", + "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + }, + { + "key": "L", + "name": "Low", + "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." + }, + { + "key": "M", + "name": "Medium", + "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + }, + { + "key": "H", + "name": "High", + "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/user_interaction_1_0_0.json b/data/json/decision_points/cvss/user_interaction_1_0_0.json new file mode 100644 index 00000000..84f623ba --- /dev/null +++ b/data/json/decision_points/cvss/user_interaction_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "UI", + "name": "User Interaction", + "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", + "values": [ + { + "key": "R", + "name": "Required", + "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any user." + } + ] +} diff --git a/data/json/decision_points/cvss/user_interaction_2_0_0.json b/data/json/decision_points/cvss/user_interaction_2_0_0.json new file mode 100644 index 00000000..7794cc14 --- /dev/null +++ b/data/json/decision_points/cvss/user_interaction_2_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "UI", + "name": "User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", + "values": [ + { + "key": "A", + "name": "Active", + "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + { + "key": "P", + "name": "Passive", + "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + } + ] +} diff --git a/data/json/decision_points/cvss/value_density_1_0_0.json b/data/json/decision_points/cvss/value_density_1_0_0.json new file mode 100644 index 00000000..a4f06724 --- /dev/null +++ b/data/json/decision_points/cvss/value_density_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "V", + "name": "Value Density", + "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "D", + "name": "Diffuse", + "description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small." + }, + { + "key": "C", + "name": "Concentrated", + "description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users." + } + ] +} diff --git a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json new file mode 100644 index 00000000..71e2f3cc --- /dev/null +++ b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "RE", + "name": "Vulnerability Response Effort", + "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "L", + "name": "Low", + "description": "The effort required to respond to a vulnerability is low/trivial." + }, + { + "key": "M", + "name": "Moderate", + "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement." + }, + { + "key": "H", + "name": "High", + "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)." + } + ] +} diff --git a/data/json/decision_points/exploitation_1_0_0.json b/data/json/decision_points/exploitation_1_0_0.json index d7099083..42242c30 100644 --- a/data/json/decision_points/exploitation_1_0_0.json +++ b/data/json/decision_points/exploitation_1_0_0.json @@ -22,4 +22,4 @@ "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/exploitation_1_1_0.json b/data/json/decision_points/exploitation_1_1_0.json index aed0a7af..f436738a 100644 --- a/data/json/decision_points/exploitation_1_1_0.json +++ b/data/json/decision_points/exploitation_1_1_0.json @@ -22,4 +22,4 @@ "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/human_impact_2_0_0.json b/data/json/decision_points/human_impact_2_0_0.json index ce7a8b4e..b9fec592 100644 --- a/data/json/decision_points/human_impact_2_0_0.json +++ b/data/json/decision_points/human_impact_2_0_0.json @@ -27,4 +27,4 @@ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/human_impact_2_0_1.json b/data/json/decision_points/human_impact_2_0_1.json index fd21da49..9fd6ba91 100644 --- a/data/json/decision_points/human_impact_2_0_1.json +++ b/data/json/decision_points/human_impact_2_0_1.json @@ -27,4 +27,4 @@ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json index d63cda57..20c2ad3a 100644 --- a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json +++ b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json @@ -22,4 +22,4 @@ "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/mission_impact_1_0_0.json b/data/json/decision_points/mission_impact_1_0_0.json index 3ede44f1..3dd1a4ba 100644 --- a/data/json/decision_points/mission_impact_1_0_0.json +++ b/data/json/decision_points/mission_impact_1_0_0.json @@ -29,7 +29,7 @@ { "key": "MF", "name": "Mission Failure", - "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails" + "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/mission_impact_2_0_0.json b/data/json/decision_points/mission_impact_2_0_0.json index d1a578a3..51f392e9 100644 --- a/data/json/decision_points/mission_impact_2_0_0.json +++ b/data/json/decision_points/mission_impact_2_0_0.json @@ -24,7 +24,7 @@ { "key": "MF", "name": "Mission Failure", - "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails" + "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_safety_impact_2_0_0.json b/data/json/decision_points/public_safety_impact_2_0_0.json index 4cf25b4f..03eaa0d8 100644 --- a/data/json/decision_points/public_safety_impact_2_0_0.json +++ b/data/json/decision_points/public_safety_impact_2_0_0.json @@ -17,4 +17,4 @@ "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_safety_impact_2_0_1.json b/data/json/decision_points/public_safety_impact_2_0_1.json index 2f76bbff..e61afe04 100644 --- a/data/json/decision_points/public_safety_impact_2_0_1.json +++ b/data/json/decision_points/public_safety_impact_2_0_1.json @@ -17,4 +17,4 @@ "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_value_added_1_0_0.json b/data/json/decision_points/public_value_added_1_0_0.json index 772e5de0..a376f8bb 100644 --- a/data/json/decision_points/public_value_added_1_0_0.json +++ b/data/json/decision_points/public_value_added_1_0_0.json @@ -22,4 +22,4 @@ "description": "The publication would be the first publicly available, or be coincident with the first publicly available." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_well-being_impact_1_0_0.json b/data/json/decision_points/public_well-being_impact_1_0_0.json index a963ea06..2b1c02bd 100644 --- a/data/json/decision_points/public_well-being_impact_1_0_0.json +++ b/data/json/decision_points/public_well-being_impact_1_0_0.json @@ -22,4 +22,4 @@ "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A " } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/report_credibility_1_0_0.json b/data/json/decision_points/report_credibility_1_0_0.json index f9ff77f7..06f2d323 100644 --- a/data/json/decision_points/report_credibility_1_0_0.json +++ b/data/json/decision_points/report_credibility_1_0_0.json @@ -17,4 +17,4 @@ "description": "The report is credible." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/report_public_1_0_0.json b/data/json/decision_points/report_public_1_0_0.json index 67151fd2..ba36050a 100644 --- a/data/json/decision_points/report_public_1_0_0.json +++ b/data/json/decision_points/report_public_1_0_0.json @@ -17,4 +17,4 @@ "description": "No public report of the vulnerability exists." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/safety_impact_1_0_0.json b/data/json/decision_points/safety_impact_1_0_0.json index e25fc5d3..7aadf352 100644 --- a/data/json/decision_points/safety_impact_1_0_0.json +++ b/data/json/decision_points/safety_impact_1_0_0.json @@ -24,7 +24,7 @@ { "key": "H", "name": "Hazardous", - "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." }, { "key": "C", @@ -32,4 +32,4 @@ "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/safety_impact_2_0_0.json b/data/json/decision_points/safety_impact_2_0_0.json index 0c78a0e6..19d74d6b 100644 --- a/data/json/decision_points/safety_impact_2_0_0.json +++ b/data/json/decision_points/safety_impact_2_0_0.json @@ -19,7 +19,7 @@ { "key": "R", "name": "Critical", - "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." }, { "key": "C", @@ -27,4 +27,4 @@ "description": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_cardinality_1_0_0.json b/data/json/decision_points/supplier_cardinality_1_0_0.json index b4ad4c7c..0adc8300 100644 --- a/data/json/decision_points/supplier_cardinality_1_0_0.json +++ b/data/json/decision_points/supplier_cardinality_1_0_0.json @@ -17,4 +17,4 @@ "description": "There are multiple suppliers of the vulnerable component." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_contacted_1_0_0.json b/data/json/decision_points/supplier_contacted_1_0_0.json index 8eaf7976..2cceb5ed 100644 --- a/data/json/decision_points/supplier_contacted_1_0_0.json +++ b/data/json/decision_points/supplier_contacted_1_0_0.json @@ -17,4 +17,4 @@ "description": "The supplier has been contacted." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_engagement_1_0_0.json b/data/json/decision_points/supplier_engagement_1_0_0.json index 2f741598..ffd69c94 100644 --- a/data/json/decision_points/supplier_engagement_1_0_0.json +++ b/data/json/decision_points/supplier_engagement_1_0_0.json @@ -4,17 +4,17 @@ "schemaVersion": "1-0-1", "key": "SE", "name": "Supplier Engagement", - "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?", + "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", "values": [ { "key": "A", "name": "Active", - "description": "The supplier is responding to the reporter\u2019s contact effort and actively participating in the coordination effort." + "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." }, { "key": "U", "name": "Unresponsive", - "description": "The supplier is not responding to the reporter\u2019s contact effort and not actively participating in the coordination effort." + "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_involvement_1_0_0.json b/data/json/decision_points/supplier_involvement_1_0_0.json index e43b79c7..d9c5b433 100644 --- a/data/json/decision_points/supplier_involvement_1_0_0.json +++ b/data/json/decision_points/supplier_involvement_1_0_0.json @@ -4,7 +4,7 @@ "schemaVersion": "1-0-1", "key": "SI", "name": "Supplier Involvement", - "description": "What is the state of the supplier\u2019s work on addressing the vulnerability?", + "description": "What is the state of the supplier’s work on addressing the vulnerability?", "values": [ { "key": "FR", @@ -22,4 +22,4 @@ "description": "The supplier has not responded, declined to generate a remediation, or no longer exists." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/system_exposure_1_0_0.json b/data/json/decision_points/system_exposure_1_0_0.json index 5b77eb1b..45671101 100644 --- a/data/json/decision_points/system_exposure_1_0_0.json +++ b/data/json/decision_points/system_exposure_1_0_0.json @@ -14,7 +14,7 @@ { "key": "C", "name": "Controlled", - "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." }, { "key": "U", @@ -22,4 +22,4 @@ "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/system_exposure_1_0_1.json b/data/json/decision_points/system_exposure_1_0_1.json index d2fca848..a6b713d4 100644 --- a/data/json/decision_points/system_exposure_1_0_1.json +++ b/data/json/decision_points/system_exposure_1_0_1.json @@ -14,7 +14,7 @@ { "key": "C", "name": "Controlled", - "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." }, { "key": "O", @@ -22,4 +22,4 @@ "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/technical_impact_1_0_0.json b/data/json/decision_points/technical_impact_1_0_0.json index 6b9c8676..5f3c7375 100644 --- a/data/json/decision_points/technical_impact_1_0_0.json +++ b/data/json/decision_points/technical_impact_1_0_0.json @@ -17,4 +17,4 @@ "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/utility_1_0_0.json b/data/json/decision_points/utility_1_0_0.json index a54ebebd..033b00a3 100644 --- a/data/json/decision_points/utility_1_0_0.json +++ b/data/json/decision_points/utility_1_0_0.json @@ -22,4 +22,4 @@ "description": "Virulence:Rapid and Value Density:Concentrated" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/utility_1_0_1.json b/data/json/decision_points/utility_1_0_1.json index 53e39a8a..79091345 100644 --- a/data/json/decision_points/utility_1_0_1.json +++ b/data/json/decision_points/utility_1_0_1.json @@ -22,4 +22,4 @@ "description": "Automatable:Yes AND Value Density:Concentrated" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/value_density_1_0_0.json b/data/json/decision_points/value_density_1_0_0.json index f0022b5e..725b53fe 100644 --- a/data/json/decision_points/value_density_1_0_0.json +++ b/data/json/decision_points/value_density_1_0_0.json @@ -14,7 +14,7 @@ { "key": "C", "name": "Concentrated", - "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of \u201csystem operators\u201d rather than users." + "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/virulence_1_0_0.json b/data/json/decision_points/virulence_1_0_0.json index 98eee786..5d2200d9 100644 --- a/data/json/decision_points/virulence_1_0_0.json +++ b/data/json/decision_points/virulence_1_0_0.json @@ -17,4 +17,4 @@ "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." } ] -} \ No newline at end of file +} diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json new file mode 100644 index 00000000..c4ebbd2a --- /dev/null +++ b/data/json/outcomes/CISA.json @@ -0,0 +1,28 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "CISA Levels", + "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + "outcomes": [ + { + "key": "T", + "name": "Track", + "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." + }, + { + "key": "T*", + "name": "Track*", + "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + }, + { + "key": "A", + "name": "Attend", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." + }, + { + "key": "A", + "name": "Act", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/COORDINATE.json b/data/json/outcomes/COORDINATE.json new file mode 100644 index 00000000..67a4d9fa --- /dev/null +++ b/data/json/outcomes/COORDINATE.json @@ -0,0 +1,23 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Decline, Track, Coordinate", + "description": "The coordinate outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Decline", + "description": "Decline" + }, + { + "key": "T", + "name": "Track", + "description": "Track" + }, + { + "key": "C", + "name": "Coordinate", + "description": "Coordinate" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/CVSS.json b/data/json/outcomes/CVSS.json new file mode 100644 index 00000000..5d3d3bd2 --- /dev/null +++ b/data/json/outcomes/CVSS.json @@ -0,0 +1,28 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "CVSS Levels", + "description": "The CVSS outcome group.", + "outcomes": [ + { + "key": "L", + "name": "Low", + "description": "Low" + }, + { + "key": "M", + "name": "Medium", + "description": "Medium" + }, + { + "key": "H", + "name": "High", + "description": "High" + }, + { + "key": "C", + "name": "Critical", + "description": "Critical" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/DSOI.json b/data/json/outcomes/DSOI.json new file mode 100644 index 00000000..8e16b6f6 --- /dev/null +++ b/data/json/outcomes/DSOI.json @@ -0,0 +1,28 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "description": "The original SSVC outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Defer", + "description": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "description": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "description": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "description": "Immediate" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/EISENHOWER.json b/data/json/outcomes/EISENHOWER.json new file mode 100644 index 00000000..40d98902 --- /dev/null +++ b/data/json/outcomes/EISENHOWER.json @@ -0,0 +1,28 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Do, Schedule, Delegate, Delete", + "description": "The Eisenhower outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Delete", + "description": "Delete" + }, + { + "key": "G", + "name": "Delegate", + "description": "Delegate" + }, + { + "key": "S", + "name": "Schedule", + "description": "Schedule" + }, + { + "key": "O", + "name": "Do", + "description": "Do" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/MOSCOW.json b/data/json/outcomes/MOSCOW.json new file mode 100644 index 00000000..3156c47d --- /dev/null +++ b/data/json/outcomes/MOSCOW.json @@ -0,0 +1,28 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Must, Should, Could, Won't", + "description": "The Moscow outcome group.", + "outcomes": [ + { + "key": "W", + "name": "Won't", + "description": "Won't" + }, + { + "key": "C", + "name": "Could", + "description": "Could" + }, + { + "key": "S", + "name": "Should", + "description": "Should" + }, + { + "key": "M", + "name": "Must", + "description": "Must" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/PUBLISH.json b/data/json/outcomes/PUBLISH.json new file mode 100644 index 00000000..fd656624 --- /dev/null +++ b/data/json/outcomes/PUBLISH.json @@ -0,0 +1,18 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Publish, Do Not Publish", + "description": "The publish outcome group.", + "outcomes": [ + { + "key": "N", + "name": "Do Not Publish", + "description": "Do Not Publish" + }, + { + "key": "P", + "name": "Publish", + "description": "Publish" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/THE_PARANOIDS.json b/data/json/outcomes/THE_PARANOIDS.json new file mode 100644 index 00000000..f19fb83d --- /dev/null +++ b/data/json/outcomes/THE_PARANOIDS.json @@ -0,0 +1,38 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "theParanoids", + "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.", + "outcomes": [ + { + "key": "5", + "name": "Track 5", + "description": "Track" + }, + { + "key": "4", + "name": "Track Closely 4", + "description": "Track Closely" + }, + { + "key": "3", + "name": "Attend 3", + "description": "Attend" + }, + { + "key": "2", + "name": "Attend 2", + "description": "Attend" + }, + { + "key": "1", + "name": "Act 1", + "description": "Act" + }, + { + "key": "0", + "name": "Act ASAP 0", + "description": "Act ASAP" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/VALUE_COMPLEXITY.json b/data/json/outcomes/VALUE_COMPLEXITY.json new file mode 100644 index 00000000..b60d42f8 --- /dev/null +++ b/data/json/outcomes/VALUE_COMPLEXITY.json @@ -0,0 +1,28 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Value, Complexity", + "description": "The Value/Complexity outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Drop", + "description": "Drop" + }, + { + "key": "R", + "name": "Reconsider Later", + "description": "Reconsider Later" + }, + { + "key": "E", + "name": "Easy Win", + "description": "Easy Win" + }, + { + "key": "F", + "name": "Do First", + "description": "Do First" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/YES_NO.json b/data/json/outcomes/YES_NO.json new file mode 100644 index 00000000..1a6dcdff --- /dev/null +++ b/data/json/outcomes/YES_NO.json @@ -0,0 +1,18 @@ +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Yes, No", + "description": "The Yes/No outcome group.", + "outcomes": [ + { + "key": "N", + "name": "No", + "description": "No" + }, + { + "key": "Y", + "name": "Yes", + "description": "Yes" + } + ] +} \ No newline at end of file diff --git a/data/schema/README.MD b/data/schema/README.MD index 75c80654..6f90e8bc 100644 --- a/data/schema/README.MD +++ b/data/schema/README.MD @@ -1,10 +1,6 @@ -# SSVC decision tree schemas +# SSVC decision tree schemas -Two JSON schema files are embedded here that provide schema information for +Two JSON schema files are embedded here that provide schema information for 1. Full Decision tree schema for represeting an SSVC decision tree for a Role 2. Computed SSVC score schema of a vulnerability at a point of time, optionally includes the tree used in making the decision. - - - - diff --git a/data/schema/current/Outcome_Group-1-0-1.schema.json b/data/schema/current/Outcome_Group-1-0-1.schema.json new file mode 120000 index 00000000..facc9154 --- /dev/null +++ b/data/schema/current/Outcome_Group-1-0-1.schema.json @@ -0,0 +1 @@ +../v1/Outcome_Group-1-0-1.schema.json \ No newline at end of file diff --git a/data/schema/v1/Decision_Point-1-0-1.schema.json b/data/schema/v1/Decision_Point-1-0-1.schema.json index 75b573d9..019accee 100644 --- a/data/schema/v1/Decision_Point-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point-1-0-1.schema.json @@ -5,7 +5,7 @@ "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.", "$defs": { "schemaVersion": { - "description": "Schema version used to represent this Decision Point", + "description": "Schema version used to represent this Decision Point.", "type": "string", "enum": ["1-0-1"] }, @@ -15,15 +15,21 @@ "properties": { "key": { "type": "string", - "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way" + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.", + "minLength": 1, + "examples": ["P", "Y"] }, "name": { "type": "string", - "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": ["Public PoC", "Yes"] }, "description": { "type": "string", - "description": "Description of the Decision Point Value" + "description": "A full description of the Decision Point Value.", + "minLength": 1, + "examples": ["One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.","Attackers can reliably automate steps 1-4 of the kill chain."] } }, "required" : [ @@ -41,26 +47,36 @@ }, "namespace": { "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point" + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", + "examples": ["ssvc", "cvss", "ssvc-jp", "ssvc/acme", "ssvc/example.com"] }, "version": { "type": "string", - "description": "Version (a semantic version string) that identifies this object" + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": ["1.0.1", "1.0.1-alpha"] }, "key": { "type": "string", - "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way" + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point.", + + "minLength": 1, + "examples": ["E", "A"] }, "name": { "type": "string", - "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + "description": "A short label that identifies a Decision Point.", + "minLength": 1, + "examples": ["Exploitation", "Automatable"] }, "description": { "type": "string", - "description": "q Description of the Decision Point or the Group of Decision Points as defined." + "description": "A full description of the Decision Point, explaining what it represents and how it is used in SSVC.", + "minLength": 1 }, "values": { - "description": "Decision Point Values are valid results from a Decision Point", + "description": "A set of possible answers for a given Decision Point", "uniqueItems": true, "type": "array", "minItems": 1, diff --git a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json index 7ff2f5dd..ec2768ab 100644 --- a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json @@ -1,10 +1,11 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "title": "Decision Points Group schema definition", + "title": "Decision Points Group schema definition.", "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group-1-0-1.schema.json", + "description": "Decision Point Groups are sets of decision points pinned to specific versions of those decision points. These groups may change over time.", "$defs": { "schemaVersion": { - "description": "Schema version used to represent Decision Point Group", + "description": "Schema version used to represent Decision Point Group.", "type": "string", "enum": ["1-0-1"] }, @@ -16,16 +17,19 @@ "$ref": "#/$defs/schemaVersion" }, "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies this object" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" }, "name": { "type": "string", - "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + "description": "A short label that captures the description of the Decision Point Group.", + "minLength": 1, + "examples": ["SSVC Supplier","Coordinator Triage", "SSVC Deployer"] }, "description": { "type": "string", - "description": "Description of the Decision Point or the Group of Decision Points." + "description": "A full description of the Decision Point Group.", + "minLength": 1, + "examples": ["These decision points used by the Coordinator during publication."] }, "decision_points": { "type": "array", diff --git a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json index 59022e04..ca5b1115 100644 --- a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json @@ -1,57 +1,45 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"] + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": ["Supplier","Deployer","Coordinator"] + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": ["Supplier","Deployer","Coordinator"], + "minLength": 1 }, "timestamp" : { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", - "format": "date-time" + "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": ["1-0-1"] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", - "type": "string", - "examples": ["Automatable", "Exploitation"] + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", - "type": "string", - "examples": ["ssvc","cvssv4"] + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" } }, "type": "object", @@ -72,13 +60,13 @@ "$ref": "#/$defs/role" }, "schemaVersion": { - "$ref": "#/$defs/schemaVersion" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" }, "timestamp": { "$ref": "#/$defs/timestamp" }, "selections": { - "description" : "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, diff --git a/data/schema/v1/Outcome_Group-1-0-1.schema.json b/data/schema/v1/Outcome_Group-1-0-1.schema.json new file mode 100644 index 00000000..aba8d781 --- /dev/null +++ b/data/schema/v1/Outcome_Group-1-0-1.schema.json @@ -0,0 +1,74 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "title": "Outcome Group/Set schema definition", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Outcome-1-0-1.schema.json", + "description": "An outcome is the result of making a decision. Outcomes are often tailored specifically to the stakeholder context in which the decision is being made. We call the set of possible outcomes for a decision an Outcome Set.", + "$defs": { + "schemaVersion": { + "description": "Schema version used to represent this Outcome Group", + "type": "string", + "enum": ["1-0-1"] + }, + "outcome_value": { + "type": "object", + "additionalProperties": false, + "properties": { + "key": { + "type": "string", + "description": "A key (a short, unique string) that can be used to identify the Outcome in a shorthand way" + }, + "name": { + "type": "string", + "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + }, + "description": { + "type": "string", + "description": "Description of the Decision Point Value" + } + }, + "required" : [ + "key", + "name", + "description" + ] + }, + "outcome_group": { + "type": "object", + "additionalProperties": false, + "properties": { + "schemaVersion": { + "$ref": "#/$defs/schemaVersion" + }, + "version": { + "type": "string", + "description": "Version (a semantic version string) that identifies this object" + }, + "name": { + "type": "string", + "description": "A short label that captures the description of the group of Outcomes" + }, + "description": { + "type": "string", + "description": " Description of the of group of Outcomes." + }, + "outcomes": { + "description": "Collection Set of Outcomes.", + "uniqueItems": true, + "type": "array", + "minItems": 2, + "items": { + "$ref": "#/$defs/outcome_value" + } + } + }, + "required": [ + "version", + "name", + "description", + "outcomes", + "schemaVersion" + ] + } + }, + "$ref": "#/$defs/outcome_group" +} diff --git a/data/schema_examples/README.MD b/data/schema_examples/README.MD deleted file mode 100644 index fa6c9b9b..00000000 --- a/data/schema_examples/README.MD +++ /dev/null @@ -1,11 +0,0 @@ -# Sample JSON files - - -There are there sample JSON files that provide examples of the current [JSON schema](../schema/). -The JSON files here are -1. Full Decision tree used for making an SSVC based decision. -2. Computed SSVC score of a vulnerability at a point of time. -3. Computed SSVC score with the full decision tree embedded. - - - diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json b/data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator-with-tree.json similarity index 99% rename from data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json rename to data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator-with-tree.json index 38184aff..d7896c88 100644 --- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json +++ b/data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator-with-tree.json @@ -2,7 +2,7 @@ "role": "Coordinator", "id": "CVE-2014-0751", "version": "2.0.3", - "computed": "SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", + "computed": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", "timestamp": "2021-09-29T15:29:44Z", "options": [ { @@ -52,7 +52,7 @@ }, { "label": "Automatable", - "key": "V", + "key": "A", "decision_type": "simple", "options": [ { diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json b/data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator.json similarity index 89% rename from data/schema_examples/Computed-CVE-2014-0751-Coordinator.json rename to data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator.json index 7e869630..b75aa68b 100644 --- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json +++ b/data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator.json @@ -2,7 +2,7 @@ "role": "Coordinator", "id": "CVE-2014-0751", "version": "2.0.3", - "computed": "SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", + "computed": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", "timestamp": "2021-09-29T15:29:44Z", "options": [ { diff --git a/data/schema_examples/archive/index.md b/data/schema_examples/archive/index.md new file mode 100644 index 00000000..71f652a2 --- /dev/null +++ b/data/schema_examples/archive/index.md @@ -0,0 +1,3 @@ +# Sample JSON files (Archived) + +There are a few examples of the old schema validated JSON files here, please follow the latest schema in [Decision_Point_Value_Selection.schema.json](../../schema/current/Decision_Point_Value_Selection.schema.json) diff --git a/data/schema_examples/index.md b/data/schema_examples/index.md new file mode 100644 index 00000000..b405110a --- /dev/null +++ b/data/schema_examples/index.md @@ -0,0 +1,5 @@ +# Sample JSON files + +There is a sample JSON file that provides an example of a hypothetical CVE [CVE-1900-1234](CVE-1900-1234-Decision_Point_Value_Selection.json) that adheres to the [JSON schema](../schema/) + +The old JSON files are in the [archive](./archive/) folder diff --git a/doc/md_src_files/sources_ssvc.bib b/doc/md_src_files/sources_ssvc.bib index e42cce40..74c6192f 100644 --- a/doc/md_src_files/sources_ssvc.bib +++ b/doc/md_src_files/sources_ssvc.bib @@ -537,7 +537,7 @@ @techreport{FCD2_2017 year={2017}, author={Federal Emergency Management Agency}, institution={US Department of Homeland Security, Federal Emergency Management Agency}, - url={https://www.fema.gov/media-library-data/1499702987348-c8eb5e5746bfc5a7a3cb954039df7fc2/FCD-2June132017.pdf} + url={https://www.fema.gov/sites/default/files/2020-07/Federal_Continuity_Directive-2_June132017.pdf} } @techreport{dod3026_26_2018, diff --git a/docs/_generated/decision_points/automatable.md b/docs/_generated/decision_points/automatable.md deleted file mode 120000 index a8229e62..00000000 --- a/docs/_generated/decision_points/automatable.md +++ /dev/null @@ -1 +0,0 @@ -automatable_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/automatable_2_0_0.md b/docs/_generated/decision_points/automatable_2_0_0.md deleted file mode 100644 index 20084953..00000000 --- a/docs/_generated/decision_points/automatable_2_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Automatable v2.0.0" - -=== "Text" - - Can an attacker reliably automate creating exploitation events for this vulnerability? - - | Value | Definition | - |:-----|:-----------| - | No | Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation. | - | Yes | Attackers can reliably automate steps 1-4 of the kill chain. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/automatable_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/exploitation.md b/docs/_generated/decision_points/exploitation.md deleted file mode 120000 index 083c9359..00000000 --- a/docs/_generated/decision_points/exploitation.md +++ /dev/null @@ -1 +0,0 @@ -exploitation_1_1_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/exploitation_1_0_0.md b/docs/_generated/decision_points/exploitation_1_0_0.md deleted file mode 100644 index a4ab75dd..00000000 --- a/docs/_generated/decision_points/exploitation_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Exploitation v1.0.0" - -=== "Text" - - The present state of exploitation of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. | - | PoC | One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. | - | Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/exploitation_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/exploitation_1_1_0.md b/docs/_generated/decision_points/exploitation_1_1_0.md deleted file mode 100644 index 910b8080..00000000 --- a/docs/_generated/decision_points/exploitation_1_1_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Exploitation v1.1.0" - -=== "Text" - - The present state of exploitation of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. | - | Public PoC | One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation. | - | Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/exploitation_1_1_0.json" %} - ``` diff --git a/docs/_generated/decision_points/human_impact.md b/docs/_generated/decision_points/human_impact.md deleted file mode 120000 index 22faf37a..00000000 --- a/docs/_generated/decision_points/human_impact.md +++ /dev/null @@ -1 +0,0 @@ -human_impact_2_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/human_impact_2_0_0.md b/docs/_generated/decision_points/human_impact_2_0_0.md deleted file mode 100644 index 15ff4c86..00000000 --- a/docs/_generated/decision_points/human_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Human Impact v2.0.0" - -=== "Text" - - Human Impact is a combination of Safety and Mission impacts. - - | Value | Definition | - |:-----|:-----------| - | Low | Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled) | - | Medium | (Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled)) | - | High | (Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure) | - | Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/human_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/human_impact_2_0_1.md b/docs/_generated/decision_points/human_impact_2_0_1.md deleted file mode 100644 index 122c1d7c..00000000 --- a/docs/_generated/decision_points/human_impact_2_0_1.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Human Impact v2.0.1" - -=== "Text" - - Human Impact is a combination of Safety and Mission impacts. - - | Value | Definition | - |:-----|:-----------| - | Low | Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled) | - | Medium | (Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled)) | - | High | (Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure) | - | Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/human_impact_2_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_and_well-being_impact.md b/docs/_generated/decision_points/mission_and_well-being_impact.md deleted file mode 120000 index ffa452e7..00000000 --- a/docs/_generated/decision_points/mission_and_well-being_impact.md +++ /dev/null @@ -1 +0,0 @@ -mission_and_well-being_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md b/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md deleted file mode 100644 index 7a8affcd..00000000 --- a/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Mission and Well-Being Impact v1.0.0" - -=== "Text" - - Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact. - - | Value | Definition | - |:-----|:-----------| - | Low | Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal | - | Medium | Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material) | - | High | Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_and_well-being_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_impact.md b/docs/_generated/decision_points/mission_impact.md deleted file mode 120000 index 938009ab..00000000 --- a/docs/_generated/decision_points/mission_impact.md +++ /dev/null @@ -1 +0,0 @@ -mission_impact_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/mission_impact_1_0_0.md b/docs/_generated/decision_points/mission_impact_1_0_0.md deleted file mode 100644 index e97cba5a..00000000 --- a/docs/_generated/decision_points/mission_impact_1_0_0.md +++ /dev/null @@ -1,20 +0,0 @@ - -!!! note "Mission Impact v1.0.0" - -=== "Text" - - Impact on Mission Essential Functions of the Organization - - | Value | Definition | - |:-----|:-----------| - | None | Little to no impact | - | Non-Essential Degraded | Degradation of non-essential functions; chronic degradation would eventually harm essential functions | - | MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time | - | MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time | - | Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_impact_2_0_0.md b/docs/_generated/decision_points/mission_impact_2_0_0.md deleted file mode 100644 index 4738bf7a..00000000 --- a/docs/_generated/decision_points/mission_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Mission Impact v2.0.0" - -=== "Text" - - Impact on Mission Essential Functions of the Organization - - | Value | Definition | - |:-----|:-----------| - | Degraded | Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions | - | MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time | - | MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time | - | Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_safety_impact.md b/docs/_generated/decision_points/public_safety_impact.md deleted file mode 120000 index d2071e3b..00000000 --- a/docs/_generated/decision_points/public_safety_impact.md +++ /dev/null @@ -1 +0,0 @@ -public_safety_impact_2_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_safety_impact_2_0_0.md b/docs/_generated/decision_points/public_safety_impact_2_0_0.md deleted file mode 100644 index 4566df3b..00000000 --- a/docs/_generated/decision_points/public_safety_impact_2_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Public Safety Impact v2.0.0" - -=== "Text" - - A coarse-grained representation of impact to public safety. - - | Value | Definition | - |:-----|:-----------| - | Minimal | Safety Impact:(None OR Minor) | - | Significant | Safety Impact:(Major OR Hazardous OR Catastrophic) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_safety_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_safety_impact_2_0_1.md b/docs/_generated/decision_points/public_safety_impact_2_0_1.md deleted file mode 100644 index 1d561484..00000000 --- a/docs/_generated/decision_points/public_safety_impact_2_0_1.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Public Safety Impact v2.0.1" - -=== "Text" - - A coarse-grained representation of impact to public safety. - - | Value | Definition | - |:-----|:-----------| - | Minimal | Safety Impact:Negligible | - | Significant | Safety Impact:(Marginal OR Critical OR Catastrophic) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_safety_impact_2_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/public_value_added.md b/docs/_generated/decision_points/public_value_added.md deleted file mode 120000 index b185dcb5..00000000 --- a/docs/_generated/decision_points/public_value_added.md +++ /dev/null @@ -1 +0,0 @@ -public_value_added_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_value_added_1_0_0.md b/docs/_generated/decision_points/public_value_added_1_0_0.md deleted file mode 100644 index daa27817..00000000 --- a/docs/_generated/decision_points/public_value_added_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Public Value Added v1.0.0" - -=== "Text" - - How much value would a publication from the coordinator benefit the broader community? - - | Value | Definition | - |:-----|:-----------| - | Limited | Minimal value added to the existing public information because existing information is already high quality and in multiple outlets. | - | Ampliative | Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc. | - | Precedence | The publication would be the first publicly available, or be coincident with the first publicly available. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_value_added_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_well-being_impact.md b/docs/_generated/decision_points/public_well-being_impact.md deleted file mode 120000 index 52bbe1c7..00000000 --- a/docs/_generated/decision_points/public_well-being_impact.md +++ /dev/null @@ -1 +0,0 @@ -public_well-being_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_well-being_impact_1_0_0.md b/docs/_generated/decision_points/public_well-being_impact_1_0_0.md deleted file mode 100644 index ae6c11e5..00000000 --- a/docs/_generated/decision_points/public_well-being_impact_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Public Well-Being Impact v1.0.0" - -=== "Text" - - A coarse-grained representation of impact to public well-being. - - | Value | Definition | - |:-----|:-----------| - | Minimal | The effect is below the threshold for all aspects described in material. | - | Material | Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. | - | Irreversible | Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_well-being_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/report_credibility.md b/docs/_generated/decision_points/report_credibility.md deleted file mode 120000 index 549fae08..00000000 --- a/docs/_generated/decision_points/report_credibility.md +++ /dev/null @@ -1 +0,0 @@ -report_credibility_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/report_credibility_1_0_0.md b/docs/_generated/decision_points/report_credibility_1_0_0.md deleted file mode 100644 index 09f5d64d..00000000 --- a/docs/_generated/decision_points/report_credibility_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Report Credibility v1.0.0" - -=== "Text" - - Is the report credible? - - | Value | Definition | - |:-----|:-----------| - | Not Credible | The report is not credible. | - | Credible | The report is credible. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/report_credibility_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/report_public.md b/docs/_generated/decision_points/report_public.md deleted file mode 120000 index 1bd15fd2..00000000 --- a/docs/_generated/decision_points/report_public.md +++ /dev/null @@ -1 +0,0 @@ -report_public_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/report_public_1_0_0.md b/docs/_generated/decision_points/report_public_1_0_0.md deleted file mode 100644 index 997c8d5e..00000000 --- a/docs/_generated/decision_points/report_public_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Report Public v1.0.0" - -=== "Text" - - Is a viable report of the details of the vulnerability already publicly available? - - | Value | Definition | - |:-----|:-----------| - | Yes | A public report of the vulnerability exists. | - | No | No public report of the vulnerability exists. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/report_public_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/safety_impact.md b/docs/_generated/decision_points/safety_impact.md deleted file mode 120000 index e3cfa4d7..00000000 --- a/docs/_generated/decision_points/safety_impact.md +++ /dev/null @@ -1 +0,0 @@ -safety_impact_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/safety_impact_1_0_0.md b/docs/_generated/decision_points/safety_impact_1_0_0.md deleted file mode 100644 index 0575b6e1..00000000 --- a/docs/_generated/decision_points/safety_impact_1_0_0.md +++ /dev/null @@ -1,20 +0,0 @@ - -!!! note "Safety Impact v1.0.0" - -=== "Text" - - The safety impact of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | The effect is below the threshold for all aspects described in Minor. | - | Minor | Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. | - | Major | Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. | - | Hazardous | Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A. | - | Catastrophic | Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/safety_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/safety_impact_2_0_0.md b/docs/_generated/decision_points/safety_impact_2_0_0.md deleted file mode 100644 index 61326a77..00000000 --- a/docs/_generated/decision_points/safety_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Safety Impact v2.0.0" - -=== "Text" - - The safety impact of the vulnerability. (based on IEC 61508) - - | Value | Definition | - |:-----|:-----------| - | Negligible | Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. | - | Marginal | Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. | - | Critical | Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A. | - | Catastrophic | Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/safety_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_cardinality.md b/docs/_generated/decision_points/supplier_cardinality.md deleted file mode 120000 index 518ef0e7..00000000 --- a/docs/_generated/decision_points/supplier_cardinality.md +++ /dev/null @@ -1 +0,0 @@ -supplier_cardinality_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_cardinality_1_0_0.md b/docs/_generated/decision_points/supplier_cardinality_1_0_0.md deleted file mode 100644 index 91874a69..00000000 --- a/docs/_generated/decision_points/supplier_cardinality_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Cardinality v1.0.0" - -=== "Text" - - How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan? - - | Value | Definition | - |:-----|:-----------| - | One | There is only one supplier of the vulnerable component. | - | Multiple | There are multiple suppliers of the vulnerable component. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_cardinality_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_contacted.md b/docs/_generated/decision_points/supplier_contacted.md deleted file mode 120000 index 7a40d514..00000000 --- a/docs/_generated/decision_points/supplier_contacted.md +++ /dev/null @@ -1 +0,0 @@ -supplier_contacted_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_contacted_1_0_0.md b/docs/_generated/decision_points/supplier_contacted_1_0_0.md deleted file mode 100644 index 57964ada..00000000 --- a/docs/_generated/decision_points/supplier_contacted_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Contacted v1.0.0" - -=== "Text" - - Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method? - - | Value | Definition | - |:-----|:-----------| - | No | The supplier has not been contacted. | - | Yes | The supplier has been contacted. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_contacted_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_engagement.md b/docs/_generated/decision_points/supplier_engagement.md deleted file mode 120000 index 7a13d88e..00000000 --- a/docs/_generated/decision_points/supplier_engagement.md +++ /dev/null @@ -1 +0,0 @@ -supplier_engagement_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_engagement_1_0_0.md b/docs/_generated/decision_points/supplier_engagement_1_0_0.md deleted file mode 100644 index 4ab0298f..00000000 --- a/docs/_generated/decision_points/supplier_engagement_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Engagement v1.0.0" - -=== "Text" - - Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort? - - | Value | Definition | - |:-----|:-----------| - | Active | The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort. | - | Unresponsive | The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_engagement_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_involvement.md b/docs/_generated/decision_points/supplier_involvement.md deleted file mode 120000 index 9f97027b..00000000 --- a/docs/_generated/decision_points/supplier_involvement.md +++ /dev/null @@ -1 +0,0 @@ -supplier_involvement_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_involvement_1_0_0.md b/docs/_generated/decision_points/supplier_involvement_1_0_0.md deleted file mode 100644 index d11d3d6d..00000000 --- a/docs/_generated/decision_points/supplier_involvement_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Supplier Involvement v1.0.0" - -=== "Text" - - What is the state of the supplier’s work on addressing the vulnerability? - - | Value | Definition | - |:-----|:-----------| - | Fix Ready | The supplier has provided a patch or fix. | - | Cooperative | The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time. | - | Uncooperative/Unresponsive | The supplier has not responded, declined to generate a remediation, or no longer exists. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_involvement_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/system_exposure.md b/docs/_generated/decision_points/system_exposure.md deleted file mode 120000 index 38c20e7b..00000000 --- a/docs/_generated/decision_points/system_exposure.md +++ /dev/null @@ -1 +0,0 @@ -system_exposure_1_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/system_exposure_1_0_0.md b/docs/_generated/decision_points/system_exposure_1_0_0.md deleted file mode 100644 index f5d02ec8..00000000 --- a/docs/_generated/decision_points/system_exposure_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "System Exposure v1.0.0" - -=== "Text" - - The Accessible Attack Surface of the Affected System or Service - - | Value | Definition | - |:-----|:-----------| - | Small | Local service or program; highly controlled network | - | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. | - | Unavoidable | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/system_exposure_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/system_exposure_1_0_1.md b/docs/_generated/decision_points/system_exposure_1_0_1.md deleted file mode 100644 index a24beb92..00000000 --- a/docs/_generated/decision_points/system_exposure_1_0_1.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "System Exposure v1.0.1" - -=== "Text" - - The Accessible Attack Surface of the Affected System or Service - - | Value | Definition | - |:-----|:-----------| - | Small | Local service or program; highly controlled network | - | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. | - | Open | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/system_exposure_1_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/technical_impact.md b/docs/_generated/decision_points/technical_impact.md deleted file mode 120000 index 8418d098..00000000 --- a/docs/_generated/decision_points/technical_impact.md +++ /dev/null @@ -1 +0,0 @@ -technical_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/technical_impact_1_0_0.md b/docs/_generated/decision_points/technical_impact_1_0_0.md deleted file mode 100644 index 543f744d..00000000 --- a/docs/_generated/decision_points/technical_impact_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Technical Impact v1.0.0" - -=== "Text" - - The technical impact of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | Partial | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. | - | Total | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/technical_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/utility.md b/docs/_generated/decision_points/utility.md deleted file mode 120000 index 73464668..00000000 --- a/docs/_generated/decision_points/utility.md +++ /dev/null @@ -1 +0,0 @@ -utility_1_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/utility_1_0_0.md b/docs/_generated/decision_points/utility_1_0_0.md deleted file mode 100644 index f05120fa..00000000 --- a/docs/_generated/decision_points/utility_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Utility v1.0.0" - -=== "Text" - - The Usefulness of the Exploit to the Adversary - - | Value | Definition | - |:-----|:-----------| - | Laborious | Virulence:Slow and Value Density:Diffuse | - | Efficient | Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated | - | Super Effective | Virulence:Rapid and Value Density:Concentrated | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/utility_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/utility_1_0_1.md b/docs/_generated/decision_points/utility_1_0_1.md deleted file mode 100644 index 3111782d..00000000 --- a/docs/_generated/decision_points/utility_1_0_1.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Utility v1.0.1" - -=== "Text" - - The Usefulness of the Exploit to the Adversary - - | Value | Definition | - |:-----|:-----------| - | Laborious | Automatable:No AND Value Density:Diffuse | - | Efficient | (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated) | - | Super Effective | Automatable:Yes AND Value Density:Concentrated | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/utility_1_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/value_density.md b/docs/_generated/decision_points/value_density.md deleted file mode 120000 index d65e392d..00000000 --- a/docs/_generated/decision_points/value_density.md +++ /dev/null @@ -1 +0,0 @@ -value_density_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/value_density_1_0_0.md b/docs/_generated/decision_points/value_density_1_0_0.md deleted file mode 100644 index e23853ce..00000000 --- a/docs/_generated/decision_points/value_density_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Value Density v1.0.0" - -=== "Text" - - The concentration of value in the target - - | Value | Definition | - |:-----|:-----------| - | Diffuse | The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small. | - | Concentrated | The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/value_density_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/virulence.md b/docs/_generated/decision_points/virulence.md deleted file mode 120000 index e14f67c6..00000000 --- a/docs/_generated/decision_points/virulence.md +++ /dev/null @@ -1 +0,0 @@ -virulence_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/virulence_1_0_0.md b/docs/_generated/decision_points/virulence_1_0_0.md deleted file mode 100644 index a8c231ee..00000000 --- a/docs/_generated/decision_points/virulence_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Virulence v1.0.0" - -=== "Text" - - The speed at which the vulnerability can be exploited. - - | Value | Definition | - |:-----|:-----------| - | Slow | Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. | - | Rapid | Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/virulence_1_0_0.json" %} - ``` diff --git a/docs/_includes/automatable_cvss_ssvc.md b/docs/_includes/automatable_cvss_ssvc.md new file mode 100644 index 00000000..61cf80b2 --- /dev/null +++ b/docs/_includes/automatable_cvss_ssvc.md @@ -0,0 +1,8 @@ +!!! tip "CVSS:Automatable vs SSVC:Automatable" + + The [CVSS Automatable](../reference/decision_points/cvss/automatable.md) + vector element was developed alongside the identically named + [Automatable](../reference/decision_points/automatable.md) decision point in + SSVC. We intend for these two decision points to be interchangeable. + The main difference is that the CVSS Automatable accomodates an explicit + _Not Defined_ value, whereas the SSVC Automatable does not. diff --git a/docs/_includes/helping_out.md b/docs/_includes/helping_out.md index e869620b..f088bbe1 100644 --- a/docs/_includes/helping_out.md +++ b/docs/_includes/helping_out.md @@ -4,53 +4,52 @@ We welcome your feedback and contributions to SSVC. Here are some ways you can g
-- :material-message-question: _Ask a question_ +- :material-message-question: *Ask a question* --- - If you have a specific question for the SSVC team, please feel free to + If you have a specific question for the SSVC team, please feel free to [Ask a Question](https://github.com/CERTCC/SSVC/issues/new?template=question.md). - + Questions of more general interest to the community of SSVC users might fit better in the [Q&A](https://github.com/CERTCC/SSVC/discussions/categories/q-a) section of the [Discussion](https://github.com/CERTCC/SSVC/discussions) area. -- :fontawesome-solid-bug: _Report a problem_ +- :fontawesome-solid-bug: *Report a problem* --- If you find a problem with the SSVC documentation, the methodology, or accompanying code, we welcome your [Bug Reports](https://github.com/CERTCC/SSVC/issues/new?template=bug_report.md) - -- :material-lightbulb-on: _Suggest an improvement_ + +- :material-lightbulb-on: *Suggest an improvement* --- Got an idea for how to make SSVC better? We'd love to hear it! Please submit your [Feature Requests](https://github.com/CERTCC/SSVC/issues/new?template=feature_request.md) - -- :fontawesome-regular-comments: _Join the conversation_ + +- :fontawesome-regular-comments: *Join the conversation* --- More in-depth conversations that might not be actionable as issues are found in the [Discussions](https://github.com/CERTCC/SSVC/discussions) area. -- :material-binoculars: _See what we're working on_ +- :material-binoculars: *See what we're working on* --- We manage the SSVC development effort via Github [Issues](https://github.com/CERTCC/SSVC/issues) and - [Pull Requests](https://github.com/CERTCC/SSVC/pulls). + [Pull Requests](https://github.com/CERTCC/SSVC/pulls). Drop by and see what we're working on, or leave a comment to let us know what you're interested in. -- :material-hub: _Get more involved_ +- :material-hub: *Get more involved* --- Want more information about engaging as a collaborator? Check out the [SSVC Project Wiki](https://github.com/CERTCC/SSVC/wiki) - -
+ !!! tip "Footer Icons" @@ -60,4 +59,3 @@ We welcome your feedback and contributions to SSVC. Here are some ways you can g If you are new to contributing to open source projects on Github, we've assembled some pointers to help you get started in the [Github Tips for SSVC contributors](https://github.com/CERTCC/SSVC/wiki/Github-Tips-for-SSVC-contributors) - diff --git a/docs/_includes/safety_cvss_ssvc.md b/docs/_includes/safety_cvss_ssvc.md new file mode 100644 index 00000000..9a2af5f4 --- /dev/null +++ b/docs/_includes/safety_cvss_ssvc.md @@ -0,0 +1,15 @@ +!!! tip "CVSS:Safety vs SSVC:Public Safety Impact vs SSVC:Safety Impact" + + The [CVSS Safety](../reference/decision_points/cvss/safety.md) vector element + is semantically interchangeable with the + [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) + decision point. + The main difference is that the [CVSS Safety](../reference/decision_points/cvss/safety.md) + vector element accomodates an explicit _Not Defined_ value, whereas the + [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) + does not. + + The [SSVC Safety Impact](../reference/decision_points/safety_impact.md) decision point provides a higher-resolution view of the safety impact. + The [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) and + [CVSS Safety](../reference/decision_points/cvss/safety.md) decision points are + lower-resolution views of the safety impact. diff --git a/docs/_includes/value_density_cvss_ssvc.md b/docs/_includes/value_density_cvss_ssvc.md new file mode 100644 index 00000000..11fb85e0 --- /dev/null +++ b/docs/_includes/value_density_cvss_ssvc.md @@ -0,0 +1,8 @@ +!!! tip "CVSS:Value Density vs SSVC:Value Density" + + The [CVSS Value Density](../reference/decision_points/cvss/value_density.md) + vector element was developed alongside the identically named + [Value Density](../reference/decision_points/value_density.md) decision + point in SSVC. We intend for these two decision points to be interchangeable. + The main difference is that the CVSS Value Density accomodates an explicit + _Not Defined_ value, whereas the SSVC Value Density does not. diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md index b2176f46..174ef80c 100644 --- a/docs/about/acknowledgements.md +++ b/docs/about/acknowledgements.md @@ -5,8 +5,8 @@ of this report: Art Manion, Madison Oliver, and Deana Shick. The authors thank the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors) to the [SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the following individuals for helpful comments on -prior drafts (listed in alphabetical order): -Muhammad Akbar, +prior drafts (listed in alphabetical order): +Muhammad Akbar, Will Dormann, Manish Gaur, Ralph Langer, @@ -23,4 +23,3 @@ Anonymous WEIS reviewers; Various staff members and analysts at CERT/CC, CISA, McAfee, and VMWare; FIRST CVSS SIG and EPSS SIG members; and others who wish to remain anonymous. - diff --git a/docs/about/changelog.md b/docs/about/changelog.md index aee45fe4..cb31527b 100644 --- a/docs/about/changelog.md +++ b/docs/about/changelog.md @@ -9,29 +9,29 @@ In the 2024.3 release of the Stakeholder-Specific Vulnerability Classification ( This release debuts the [certcc.github.io/SSVC](https://certcc.github.io/SSVC) web site to serve as the front-door for all things SSVC. - **Diátaxis Framework** - We adopted the [Diátaxis Framework](https://diataxis.fr/) as a document organization framework for SSVC documentation. High level content categories are: tutorials, how-to, topics, and reference. What used to be a linear paper format is now sectioned off into more digestible pieces. -- **More call-outs and examples** - With our adoption of [_Material for MkDocs_](https://squidfunk.github.io/mkdocs-material/) as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site. +- **More call-outs and examples** - With our adoption of [*Material for MkDocs*](https://squidfunk.github.io/mkdocs-material/) as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site. -## New and Revised Content +## New and Revised Content - **Expanded Content** - We've included more examples of Decision Points and the like directly inline where they're mentioned so readers don't need to keep flipping back and forth to their definitions for reference. -- **Bootstrapping advice** - Added a _Getting Started with SSVC_ process to help organizations go from being _potential_ SSVC users to being _actual_ SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community. -- **Putting the Pieces Together** - _Added a Putting the Pieces Together_ page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like. -- **Acuity Ramp** - Added an _Acuity Ramp_ explainer to show how an organization can grow into a decision model over time. +- **Bootstrapping advice** - Added a *Getting Started with SSVC* process to help organizations go from being *potential* SSVC users to being *actual* SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community. +- **Putting the Pieces Together** - *Added a Putting the Pieces Together* page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like. +- **Acuity Ramp** - Added an *Acuity Ramp* explainer to show how an organization can grow into a decision model over time. - **Community Engagement** - Included in the new web site are a number of suggested ways for the community to interact with and contribute to the SSVC. ## Versioned Objects -- **Semantic Versioning for Decision Points and Decision Point Groups** - Introduced Semantic Versioning (SemVer) for _Decision Points_ and _Decision Point Groups_ to improve communication around decision points and decision models -- **Calendar Versioning for SSVC as a whole** - With the introduction of SemVer for _Decision Points_ and _Decision Point Groups_, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer. +- **Semantic Versioning for Decision Points and Decision Point Groups** - Introduced Semantic Versioning (SemVer) for *Decision Points* and *Decision Point Groups* to improve communication around decision points and decision models +- **Calendar Versioning for SSVC as a whole** - With the introduction of SemVer for *Decision Points* and *Decision Point Groups*, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer. ## Experimental & Emerging Features There are a few improvements we've begun but have not yet fully finished, and that are largely undocumented. Most of these in the current release are python-centric. Here's a brief overview for those who want to poke around at code. -- **SSVC Python module** - This release introduces the `ssvc` python module to allow us to more easily work with _Decision Points_, _Decision Point Groups_, _Outcomes_, and _Policies_ that map from _Decision Points_ to _Outcomes_. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation. -- **Policy Generator** - We're prototyping a Python tool that can generate a starting policy given any combination of a _Decision Point Group_ and _Outcomes_. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out. +- **SSVC Python module** - This release introduces the `ssvc` python module to allow us to more easily work with *Decision Points*, *Decision Point Groups*, *Outcomes*, and *Policies* that map from *Decision Points* to *Outcomes*. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation. +- **Policy Generator** - We're prototyping a Python tool that can generate a starting policy given any combination of a *Decision Point Group* and *Outcomes*. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out. - **More Decision Points and Outcomes** - In the process of exercising our Semantic Versioning rules for decision points and groups, we needed some examples of versioning events for discussion purposes. As a result, the `ssvc.decision_points.cvss` and `ssvc.dp_groups.cvss` modules contain python implementations of CVSS vector elements from CVSS v1, v2, v3, v3.1, and v4. We anticipate some of these coming in handy in the future as we look toward modeling other decisions potentially based on CVSS vector elements as well as other decision points from SSVC and elsewhere. We also included decision points and groups from [CISA's customized SSVC implementation](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc). - + ## Other project infrastructure improvements - Shifted from PDF-oriented to web-oriented workflow @@ -55,8 +55,8 @@ The details of what changes were made can be viewed on the SSVC Github under the - Improved consistency of *Public Safety Impact* usage throughout the document and tooling - Improved consistency of *Human Impact* usage throughout the document - Clarified that known default passwords are an example of *Exploitation*:PoC -- Clarified that unreachable code (as in unused library features) are _System Exposure_:small -- Mention DoD MEF definition in _Mission Impact_ +- Clarified that unreachable code (as in unused library features) are *System Exposure*:small +- Mention DoD MEF definition in *Mission Impact* - Updated references to EPSS to reflect recent publications - Refactored markdown files to better track chapter and section numbering, improving findability when editing - Automated HTML and PDF generation into a Github Workflow @@ -64,7 +64,6 @@ The details of what changes were made can be viewed on the SSVC Github under the - Consolidated the SSVC document style guide into a single file in the repository - Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists) - ## Version 2 (2021.5) Changelog This section summarizes the changes between SSVC version 2 and SSVC version 1.1 as published at the Workshop on the Ecnomics of Information Security (WEIS 2020). @@ -113,7 +112,6 @@ Either situation is sufficient to increase the priority, and there do not appear On the other hand, a low *Utility* or *System Exposure* may mitigate a high mission or well-being impact. So the Version 2 recommended tree is more usable than the Version 1 tree, thanks to these changes. - ### Tree management and communication tools The section Tree Construction and Customization Guidance is largely new or revised. @@ -127,4 +125,4 @@ Version 2 also addresses several other questions about SSVC information manageme ## Version 1.0 (2019.12) Changelog -Initial release \ No newline at end of file +Initial release diff --git a/docs/about/contact_us.md b/docs/about/contact_us.md index 3e740193..795237f4 100644 --- a/docs/about/contact_us.md +++ b/docs/about/contact_us.md @@ -7,4 +7,4 @@ Software Engineering Institute **Web**: [www.sei.cmu.edu](http://www.sei.cmu.edu) **Email**: [info@sei.cmu.edu](mailto:info@sei.cmu.edu) -{% include-markdown "../_includes/helping_out.md" heading-offset=1 %} \ No newline at end of file +{% include-markdown "../_includes/helping_out.md" heading-offset=1 %} diff --git a/docs/about/contributing.md b/docs/about/contributing.md index fdd0519e..1077a4b3 100644 --- a/docs/about/contributing.md +++ b/docs/about/contributing.md @@ -1,3 +1,3 @@ {% include-markdown "../_includes/helping_out.md" %} -{% include-markdown "../../CONTRIBUTING.md" %} \ No newline at end of file +{% include-markdown "../../CONTRIBUTING.md" %} diff --git a/docs/about/copyright.md b/docs/about/copyright.md index 59abb77e..5637a336 100644 --- a/docs/about/copyright.md +++ b/docs/about/copyright.md @@ -15,7 +15,7 @@ NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE Internal use:\* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. -External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. +External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at . \* These restrictions do not apply to U.S. government entities. diff --git a/docs/about/index.md b/docs/about/index.md index 74f4fc02..8f18dbd3 100644 --- a/docs/about/index.md +++ b/docs/about/index.md @@ -6,11 +6,10 @@ The evaluation process we developed in version 1 remains an important part of co We invite [participation](contributing.md) and further refinement of the prioritization mechanism from the community as well, such as by [posting an issue](https://github.com/CERTCC/SSVC/issues). We endeavored to be transparent about our process and provide justification for design decisions. -We invite questions, comments, and further community refinement in moving forward with a transparent and justified -vulnerability prioritization methodology that is inclusive for the various stakeholders and industries that develop +We invite questions, comments, and further community refinement in moving forward with a transparent and justified +vulnerability prioritization methodology that is inclusive for the various stakeholders and industries that develop and use information and computer technology. -
- :material-offer: [Community Engagement](contributing.md) @@ -20,4 +19,4 @@ and use information and computer technology. - :material-copyright: [Copyright](copyright.md) - :material-inbox-arrow-down: [Contact Us](contact_us.md) -
\ No newline at end of file + diff --git a/docs/adr/0000-record-architecture-decisions.md b/docs/adr/0000-record-architecture-decisions.md index fcd64cce..1afae220 100644 --- a/docs/adr/0000-record-architecture-decisions.md +++ b/docs/adr/0000-record-architecture-decisions.md @@ -1,7 +1,7 @@ # Record architecture decisions -* Status: accepted -* Date: 2023-10-16 +- Status: accepted +- Date: 2023-10-16 ## Context diff --git a/docs/adr/0001-use-markdown-architectural-decision-records.md b/docs/adr/0001-use-markdown-architectural-decision-records.md index 2c99e241..103a62f1 100644 --- a/docs/adr/0001-use-markdown-architectural-decision-records.md +++ b/docs/adr/0001-use-markdown-architectural-decision-records.md @@ -3,8 +3,8 @@ Adapted from [MADR's similar decision record](https://github.com/adr/madr/blob/2.1.2/docs/adr/0000-use-markdown-architectural-decision-records.md). -* Status: accepted -* Date: 2023-10-16 +- Status: accepted +- Date: 2023-10-16 ## Context and Problem Statement @@ -13,31 +13,32 @@ Which format and structure should these records follow? ## Considered Options -* [MADR](https://adr.github.io/madr/) 3.0.0 - The Markdown Architectural Decision Records -* [Michael Nygard's template](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) - The first incarnation of the term "ADR" -* [Sustainable Architectural Decisions](https://www.infoq.com/articles/sustainable-architectural-design-decisions) - The Y-Statements -* Other templates listed at -* Formless - No conventions for file format and structure +- [MADR](https://adr.github.io/madr/) 3.0.0 - The Markdown Architectural Decision Records +- [Michael Nygard's template](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) - The first incarnation of the term "ADR" +- [Sustainable Architectural Decisions](https://www.infoq.com/articles/sustainable-architectural-design-decisions) - The Y-Statements +- Other templates listed at +- Formless - No conventions for file format and structure ## Decision Outcome Chosen option: "MADR 3.0.0", because -* Implicit assumptions should be made explicit. +- Implicit assumptions should be made explicit. Design documentation is important to enable people understanding the decisions later on. See also [A rational design process: How and why to fake it](https://doi.org/10.1109/TSE.1986.6312940). -* The MADR format is lean and fits our development style. -* The MADR structure is comprehensible and facilitates usage & maintenance. -* Version 3.0.0 is the latest one available when starting to document ADRs. +- The MADR format is lean and fits our development style. +- The MADR structure is comprehensible and facilitates usage & maintenance. +- Version 3.0.0 is the latest one available when starting to document ADRs. ### Positive Consequences The ADR are more structured. See especially: -* [MADR-0002 - Do not use numbers in headings](https://github.com/adr/madr/blob/2.1.2/docs/adr/0002-do-not-use-numbers-in-headings.md). -* [MADR-0005 - Use (unique number and) dashes in filenames](https://github.com/adr/madr/blob/2.1.2/docs/adr/0005-use-dashes-in-filenames.md). -* [MADR-0010 - Support categories (in form of subfolders with local ids)](https://github.com/adr/madr/blob/2.1.2/docs/adr/0010-support-categories.md). -* See [full set of MADR ADRs](https://github.com/adr/madr/blob/2.1.2/docs/adr). + +- [MADR-0002 - Do not use numbers in headings](https://github.com/adr/madr/blob/2.1.2/docs/adr/0002-do-not-use-numbers-in-headings.md). +- [MADR-0005 - Use (unique number and) dashes in filenames](https://github.com/adr/madr/blob/2.1.2/docs/adr/0005-use-dashes-in-filenames.md). +- [MADR-0010 - Support categories (in form of subfolders with local ids)](https://github.com/adr/madr/blob/2.1.2/docs/adr/0010-support-categories.md). +- See [full set of MADR ADRs](https://github.com/adr/madr/blob/2.1.2/docs/adr). ### Negative Consequences -* Learning curve will be slightly longer. +- Learning curve will be slightly longer. diff --git a/docs/adr/0002-ssvc-decision-points-are-versioned.md b/docs/adr/0002-ssvc-decision-points-are-versioned.md index 4a0d0ae2..9203a78b 100644 --- a/docs/adr/0002-ssvc-decision-points-are-versioned.md +++ b/docs/adr/0002-ssvc-decision-points-are-versioned.md @@ -18,18 +18,17 @@ should be relatively infrequent after an initial period of refinement. Note: This decision addresses the fact that decision points are versioned, but does not address how the version number is used. We will address that in a separate decision. - ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated ## Considered Options -* No versioning -* [Semantic versioning](https://semver.org/) -* [CalVer](https://calver.org/) +- No versioning +- [Semantic versioning](https://semver.org/) +- [CalVer](https://calver.org/) ## Decision Outcome @@ -42,7 +41,6 @@ compatibility expectations between versions. - Semver makes sense for decision point versioning because we don't anticipate them changing much once they go 1.0 - and typo fixes etc. could just bump the fix version e.g., 1.0.2 -> 1.0.3 - ### Consequences - Maintaining version numbers for decision points will add a small burden to each decision point. @@ -56,6 +54,6 @@ compatibility expectations between versions. ## More Information -- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. - [Semantic Versioning](https://semver.org/) -- [CalVer](https://calver.org/) \ No newline at end of file +- [CalVer](https://calver.org/) diff --git a/docs/adr/0003-ssvc-decision-point-versioning-rules.md b/docs/adr/0003-ssvc-decision-point-versioning-rules.md index b625d4cc..ecffcbfb 100644 --- a/docs/adr/0003-ssvc-decision-point-versioning-rules.md +++ b/docs/adr/0003-ssvc-decision-point-versioning-rules.md @@ -7,7 +7,6 @@ deciders: adh, jspring, vssarvepalli, latyzenhaus, cgyarbrough, ehatleback ## Context and Problem Statement - A decision point represents a unit of information for use in one or more decisions An SSVC "version" might introduce new decision points or new functions (trees) over existing decision points (or both) As SSVC evolves and grows, we occasionally have the need to modify an existing decision point. @@ -19,13 +18,12 @@ should be relatively infrequent after an initial period of refinement. Note: This decision addresses the rules for versioning, and depends on the decision to version decision points in the first place. - ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated -* Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated +- Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. ## Considered Options @@ -36,31 +34,30 @@ Strictly speaking, Decision Points might not need to be explicitly versioned bec However, for future-proofing purposes we might want to include a key-value pair in the decision point definition to represent a version ID. We could establish rules such as + - version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change - version 1.0 freezes the Decision Point labels, number of labels, and their ordering - version 1.0.x for x > 0 would be limited to description changes - ## Decision Outcome Chosen option: "Semantic versioning": > Given a version number MAJOR.MINOR.PATCH, increment the: -> +> > - MAJOR version when you make incompatible API changes -> - MINOR version when you add functionality in a backward compatible manner +> - MINOR version when you add functionality in a backward compatible manner > - PATCH version when you make backward compatible bug fixes > > Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. Applied as follows: - | Do this... | ...when... | |----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | New Object | A different or new concept is being represented
Note: new objects get new names | -| +1 Major Version | Existing options are _removed_
Option semantics change in a way that older answers are no longer usable
New options are added that divide previous semantics ambiguously
Note: The ability to map old to new semantics is encouraged but not required | -| +0.1 Minor Version | New options are added
Option names are changed while semantics are retained
_AND_ all existing options are retained with compatible semantics | +| +1 Major Version | Existing options are *removed*
Option semantics change in a way that older answers are no longer usable
New options are added that divide previous semantics ambiguously
Note: The ability to map old to new semantics is encouraged but not required | +| +0.1 Minor Version | New options are added
Option names are changed while semantics are retained
*AND* all existing options are retained with compatible semantics | | +0.0.1 Patch Version | No changes to number of options
No changes to semantics of options
Typo fixes in option names or decision point name | Decision Points having a major version of 0 are considered to be pre-support and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change. @@ -80,8 +77,8 @@ The lowest supported version of a decision point is 1.0.0. use use version 2.1 of a decision point at one time and later revert to using version 1.0 if the 2.1 was found to be problematic). - Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. - We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. -This implies the need for a way to denote the _status_ of a decision point in addition to its _version_. -Decision Point _status_ will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. +This implies the need for a way to denote the *status* of a decision point in addition to its *version*. +Decision Point *status* will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. ### Confirmation @@ -89,5 +86,5 @@ Decision Point _status_ will need to be addressed in a separate decision (or dec ## More Information -- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. - [Semantic Versioning](https://semver.org/) diff --git a/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md b/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md index 345801ca..1e7aa82d 100644 --- a/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md +++ b/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md @@ -11,9 +11,9 @@ deciders: adh, jspring, vssarvepalli, cgyarbrough, latyzenhaus, ehatleback Decision Point Groups are sets of decision points pinned to specific versions of those decision points. These groups may change over time. -For example, the SSVC _Patch Applier_ and _Deployer_ trees have evolved as follows: +For example, the SSVC *Patch Applier* and *Deployer* trees have evolved as follows: -| _Patch Applier_ (SSVC v1) | _Deployer_ (SSVC v2) | _Deployer_ (SSVC v2.1) | +| *Patch Applier* (SSVC v1) | *Deployer* (SSVC v2) | *Deployer* (SSVC v2.1) | |:-------------------------:|:--------------------------------------------------------:|:-----------------------------------------------------------:| | Exploitation 1.0.0 | Exploitation 1.0.0 | Exploitation 1.0.0 | | System Exposure 1.0.0 | System Exposure 1.0.1 | System Exposure 1.0.1 | diff --git a/docs/adr/0005-ssvc-decision-point-group-versioning.md b/docs/adr/0005-ssvc-decision-point-group-versioning.md index f515f1d0..cdb2f525 100644 --- a/docs/adr/0005-ssvc-decision-point-group-versioning.md +++ b/docs/adr/0005-ssvc-decision-point-group-versioning.md @@ -19,11 +19,10 @@ This ADR establishes the rules for versioning Decision Point Groups. - Decision Points change over time - The composition of decision point groups change over time - It is important that we can discriminate between versions of decision point groups -- Although technically a Decision Point Group is fully defined by the set of - pinned Decision Points it contains, we find it convenient to be able to +- Although technically a Decision Point Group is fully defined by the set of + pinned Decision Points it contains, we find it convenient to be able to refer to the group as a whole, and to be able to discriminate between different versions of the group. - ## Considered Options A number of options were discussed in @@ -45,7 +44,7 @@ provides indication of compatibility expectations between versions. Implemented as follows: The core identity of a decision point group is derived from the pairing of the -_stakeholder role_ and the specific _decision_ being modeled. +*stakeholder role* and the specific *decision* being modeled. ### Create a new object when @@ -79,8 +78,8 @@ version of the existing name according to the following rules. ### Examples -Assume a decision point group (DPG) named _DPG v1.0.0_, -containing decision points (DP) _A v1.0.0_ and _B v1.3.1_. +Assume a decision point group (DPG) named *DPG v1.0.0*, +containing decision points (DP) *A v1.0.0* and *B v1.3.1*. In the table below, we show how the Decision Point Group version number changes as the constituent Decision Points change. @@ -101,11 +100,11 @@ In row 4, DP C undergoes a major version increment, which triggers a major versi - Maintaining version numbers for decision point groups will add a small burden to each decision point group. - Semantic versioning will make it easier to track changes to decision point groups over time. - Because we don't anticipate frequent changes to decision point groups, the burden of maintaining version numbers should be minimal. -- We are deliberately avoiding using the _name_ of the Decision Point Group as part of the versioning scheme, as +- We are deliberately avoiding using the *name* of the Decision Point Group as part of the versioning scheme, as in the motivating example in [ADR 0004](0004-ssvc-decision-point-groups-are-versioned.md) we shifted the -group name from _Patch Applier_ to _Deployer_, but since the group is still -intended to represent the same _stakeholder role_ and _decision_, we want +group name from *Patch Applier* to *Deployer*, but since the group is still +intended to represent the same *stakeholder role* and *decision*, we want to be able to treat name changes as aliases rather than versioning events. ## More Information diff --git a/docs/adr/0006-ssvc-decision-point-versioning-rules.md b/docs/adr/0006-ssvc-decision-point-versioning-rules.md index 580b4ae0..ad1c5063 100644 --- a/docs/adr/0006-ssvc-decision-point-versioning-rules.md +++ b/docs/adr/0006-ssvc-decision-point-versioning-rules.md @@ -20,10 +20,10 @@ Note: This decision addresses the rules for versioning, and depends on the decis ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated -* Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated +- Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. ## Considered Options @@ -35,9 +35,9 @@ However, for future-proofing purposes we might want to include a key-value pair We could establish rules such as -* version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change -* version 1.0 freezes the Decision Point labels, number of labels, and their ordering -* version 1.0.x for x > 0 would be limited to description changes +- version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change +- version 1.0 freezes the Decision Point labels, number of labels, and their ordering +- version 1.0.x for x > 0 would be limited to description changes ## Decision Outcome @@ -45,9 +45,9 @@ Chosen option: "Semantic versioning": > Given a version number MAJOR.MINOR.PATCH, increment the: > -> * MAJOR version when you make incompatible API changes -> * MINOR version when you add functionality in a backward compatible manner -> * PATCH version when you make backward compatible bug fixes +> - MAJOR version when you make incompatible API changes +> - MINOR version when you add functionality in a backward compatible manner +> - PATCH version when you make backward compatible bug fixes > > Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. @@ -55,17 +55,17 @@ Applied as follows: ### Create a new object when -* A different or new concept is being represented +- A different or new concept is being represented **Note**: New objects SHOULD get new names and new keys ### Increment the Major Version when -* Criteria for creating a new object are not met, _AND_ - * existing values are removed, _OR_ - * value semantics change in a way that older answers are no longer usable, - _OR_ - * new values are added that divide previous value semantics ambiguously +- Criteria for creating a new object are not met, *AND* + - existing values are removed, *OR* + - value semantics change in a way that older answers are no longer usable, + *OR* + - new values are added that divide previous value semantics ambiguously **Note**: The ability to map old to new semantics is encouraged but not required @@ -73,21 +73,21 @@ Applied as follows: Minor version increments imply that existing value semantics are preserved. -* Criteria for incrementing the Major Version are not met, _AND_ - * new options are added, _OR_ - * value names or keys are changed, _OR_ - * the decision point name is changed +- Criteria for incrementing the Major Version are not met, *AND* + - new options are added, *OR* + - value names or keys are changed, *OR* + - the decision point name is changed ### Increment the Patch Version when Patch version increments imply that existing value number and semantics are preserved. -* Criteria for incrementing the Major or Minor Version are not met, _AND_ - * typo fixes in option names or decision point name, _OR_ - * the decision point description changes in a way that does not affect - semantics, _OR_ - * a value description changes in a way that does not affect semantics +- Criteria for incrementing the Major or Minor Version are not met, *AND* + - typo fixes in option names or decision point name, *OR* + - the decision point description changes in a way that does not affect + semantics, *OR* + - a value description changes in a way that does not affect semantics ### Pre-Support Decision Points @@ -103,7 +103,7 @@ In other words, a Minor version increment of a 0.x decision point may be used to indicate a change in semantics that is not backwards compatible. This is not the case for decision points with a Major Version of 1 or greater. -The lowest _supported_ version of a decision point is 1.0.0. +The lowest *supported* version of a decision point is 1.0.0. ### Examples @@ -122,21 +122,21 @@ compatible, so the new version is 3.0.0. ### Consequences -* Maintaining version numbers for decision points according to these rules will add a small burden to each decision point. -* Semantic versioning will make it easier to track changes to decision points over time. -* Because we don't anticipate frequent changes to decision points, the burden of maintaining version numbers should be minimal. -* Decision point versions can move in either direction when used repeatedly in other versioned objects (E.g., a decision model could +- Maintaining version numbers for decision points according to these rules will add a small burden to each decision point. +- Semantic versioning will make it easier to track changes to decision points over time. +- Because we don't anticipate frequent changes to decision points, the burden of maintaining version numbers should be minimal. +- Decision point versions can move in either direction when used repeatedly in other versioned objects (E.g., a decision model could use use version 2.1 of a decision point at one time and later revert to using version 1.0 if the 2.1 was found to be problematic). -* Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. -* We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. -This implies the need for a way to denote the _status_ of a decision point in addition to its _version_. -Decision Point _status_ will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. +- Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. +- We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. +This implies the need for a way to denote the *status* of a decision point in addition to its *version*. +Decision Point *status* will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. ### Confirmation -* The PR process will confirm that the decision point version number is updated according to these rules. +- The PR process will confirm that the decision point version number is updated according to these rules. ## More Information -* [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. -* [Semantic Versioning](https://semver.org/) +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Semantic Versioning](https://semver.org/) diff --git a/docs/adr/0007-descriptions-exclude-examples.md b/docs/adr/0007-descriptions-exclude-examples.md index 36699d94..1851adc9 100644 --- a/docs/adr/0007-descriptions-exclude-examples.md +++ b/docs/adr/0007-descriptions-exclude-examples.md @@ -7,9 +7,9 @@ deciders: adh, jspring ## Context and Problem Statement -In written definitions of a Decision Point, Decision Point -Value, Outcome Group, Outcome Value, or other elements, it is common to -include examples in the text. In terms of documentation, this is a worthy +In written definitions of a Decision Point, Decision Point +Value, Outcome Group, Outcome Value, or other elements, it is common to +include examples in the text. In terms of documentation, this is a worthy practice to promote understanding. Examples are sometimes timely and need to be updated even though the @@ -18,9 +18,9 @@ versioning of objects. ## Decision Drivers -- In the course of modeling CVSS vectors across versions as SSVC decision +- In the course of modeling CVSS vectors across versions as SSVC decision points, we have found that concepts change less often than examples. -- Our preference is to minimize version changes to objects unless the +- Our preference is to minimize version changes to objects unless the underlying concept has changed. ## Considered Options @@ -30,19 +30,19 @@ versioning of objects. ## Decision Outcome -Chosen option: "Exclude examples from descriptions of objects", because this +Chosen option: "Exclude examples from descriptions of objects", because this helps to minimize version changes to objects unless the underlying concept has changed. -Examples may be included in the documentation text surrounding the object +Examples may be included in the documentation text surrounding the object definition, but not in the object definition itself. ### Consequences -- Good, because it reduces the likelihood and frequency of version changes to +- Good, because it reduces the likelihood and frequency of version changes to objects. - Good, because it promotes the use of examples in documentation text. -- Bad, because it may make it more difficult to understand the object +- Bad, because it may make it more difficult to understand the object definition solely from the object definition itself. ### Confirmation @@ -50,8 +50,8 @@ definition, but not in the object definition itself. The implementation of this decision is confirmed by the absence of examples in the object definitions. -When generating an object definition from a text description, object -creators should look out for phrases like "for example" and "an example of +When generating an object definition from a text description, object +creators should look out for phrases like "for example" and "an example of this is" and exclude the example from the object definition. ## Pros and Cons of the Options @@ -69,7 +69,7 @@ See [Decision Outcome](#decision-outcome). ## More Information -- [ADR-0006](0006-ssvc-decision-point-versioning-rules.md) - SSVC Decision +- [ADR-0006](0006-ssvc-decision-point-versioning-rules.md) - SSVC Decision Point Versioning Rules -- [ADR-0005](0005-ssvc-decision-point-group-versioning.md) - SSVC Decision +- [ADR-0005](0005-ssvc-decision-point-group-versioning.md) - SSVC Decision Point Group Versioning Rules diff --git a/docs/adr/0008-decision-points-are-ordered-sets.md b/docs/adr/0008-decision-points-are-ordered-sets.md index df1740be..cc366ece 100644 --- a/docs/adr/0008-decision-points-are-ordered-sets.md +++ b/docs/adr/0008-decision-points-are-ordered-sets.md @@ -15,25 +15,25 @@ rules about the interaction between decision point values and the outcomes of th ## Decision Drivers -* The need to reason about the outcomes of a decision given a set of input values. -* Desire to automate portions of the decision-making process. -* Desire for rules to validate the interaction between decision point values and the outcomes of the decision. +- The need to reason about the outcomes of a decision given a set of input values. +- Desire to automate portions of the decision-making process. +- Desire for rules to validate the interaction between decision point values and the outcomes of the decision. ## Considered Options -* Decision Point values are ordered sets. -* Decision Point values are unordered sets. +- Decision Point values are ordered sets. +- Decision Point values are unordered sets. ## Decision Outcome Chosen option: "Decision Point values are ordered sets" Rationale: An ordered set implies that for a decision set $D$ with $n$ values $d_1, d_2, \ldots, d_n$, we can -assert the relationship $d_1 \leq d_2 \leq \ldots \leq d_n$. +assert the relationship $d_1 \leq d_2 \leq \ldots \leq d_n$. When combining decision points into a decision model, we can use that relationship to assert rules about the interaction between decision points. For example, if we have a decision point $D_a$ with values $a_1, a_2, a_3$ -and a decision point $D_b$ with values $b_1, b_2, b_3$, we know that +and a decision point $D_b$ with values $b_1, b_2, b_3$, we know that - $a_1 \leq a_2 \leq a_3$ - $b_1 \leq b_2 \leq b_3$ @@ -94,21 +94,20 @@ default policies that map decision values to outcomes following the graph struct ### Consequences -* (Good) This allows us to make inferences about the relationships between sets of decision point values +- (Good) This allows us to make inferences about the relationships between sets of decision point values and the outcomes of the decision. -* (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations +- (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations undefined. -* (Neutral) May require additional information to fully define the relationship between decision point values and outcomes +- (Neutral) May require additional information to fully define the relationship between decision point values and outcomes into a policy -* (Neutral) Requires each decision point to have a "direction" (i.e., a way to order the values) which may not be +- (Neutral) Requires each decision point to have a "direction" (i.e., a way to order the values) which may not be intuitive in all cases. So far we have found that the natural direction is usually intuitive and most often it is - analogous to "less likely to act" → "more likely to act". -* (Good) Although a sense of direction is required, scaling the values is not. So "None, Few, Many" is just as valid as + analogous to "less likely to act" → "more likely to act". +- (Good) Although a sense of direction is required, scaling the values is not. So "None, Few, Many" is just as valid as a more defined interval scale like "0-4, 4-7, 7-9, 9-10" or a more abstract scale like "Low, Medium, High, Critical"[^1]. [^1]: The latter two examples were inspired by CVSS scoring. - ### Confirmation All current decision points are constructed as ordered sets, and the current policy generator tool makes use of that @@ -125,4 +124,3 @@ However, we *can* evaluate new decision points as they are proposed to ensure th - [ADR-0009](0009-outcomes-are-ordered-sets.md) - Outcomes are Ordered Sets - [Partially ordered sets](https://en.wikipedia.org/wiki/Partially_ordered_set) - [Hasse diagram](https://en.wikipedia.org/wiki/Hasse_diagram) - diff --git a/docs/adr/0009-outcomes-are-ordered-sets.md b/docs/adr/0009-outcomes-are-ordered-sets.md index e801f2cc..afc7f561 100644 --- a/docs/adr/0009-outcomes-are-ordered-sets.md +++ b/docs/adr/0009-outcomes-are-ordered-sets.md @@ -13,23 +13,23 @@ rules about the interaction between decision point values and the outcomes of th ## Decision Drivers -* The need to reason about the outcomes of a decision given a set of input values. -* Desire to automate portions of the decision-making process. -* Desire for rules to validate the interaction between decision point values and the outcomes of the decision. +- The need to reason about the outcomes of a decision given a set of input values. +- Desire to automate portions of the decision-making process. +- Desire for rules to validate the interaction between decision point values and the outcomes of the decision. ## Considered Options -* Outcome values are ordered sets. -* Outcome values are unordered sets. +- Outcome values are ordered sets. +- Outcome values are unordered sets. ## Decision Outcome Chosen option: "Outcome values are ordered sets" Rationale: An ordered set implies that for an outcome set $C$ with $n$ values $c_1, c_2, \ldots, c_n$, we can -assert the relationship $c_1 \leq c_2 \leq \ldots \leq c_n$. +assert the relationship $c_1 \leq c_2 \leq \ldots \leq c_n$. -When combining outcomes with a set of decision points into a decision model and policy, we can use that relationship +When combining outcomes with a set of decision points into a decision model and policy, we can use that relationship to assert rules about the resulting policy. For example, if we have a decision model consisting of: @@ -124,24 +124,23 @@ $Outcome(T_1)$ must be equal to or less than the outcome $Outcome(T_2)$ of any t $Outcome(T_1) \leq Outcome(T_2)$ when $T_1 \leq T_2$. -This allows us to generate default policies that map decision values to outcomes following the graph structure of the +This allows us to generate default policies that map decision values to outcomes following the graph structure of the decision model. ### Consequences -* (Good) This allows us to make inferences about the relationships between sets of decision point values +- (Good) This allows us to make inferences about the relationships between sets of decision point values and the outcomes of the decision. -* (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations +- (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations undefined. -* (Neutral) May require additional information to fully define the relationship between decision point values and outcomes +- (Neutral) May require additional information to fully define the relationship between decision point values and outcomes into a policy -* (Neutral) Requires each outcome set to have a "direction" (i.e., a way to order the values) which may not be +- (Neutral) Requires each outcome set to have a "direction" (i.e., a way to order the values) which may not be intuitive in all cases. So far we have found that the natural direction is usually intuitive and most often it is - analogous to "less likely to act" → "more likely to act". -* (Good) Although a sense of direction is required, scaling the values is not. So "Defer, Scheduled, Out-of-Band, Immediate" + analogous to "less likely to act" → "more likely to act". +- (Good) Although a sense of direction is required, scaling the values is not. So "Defer, Scheduled, Out-of-Band, Immediate" is just as valid as a more Service Level Expectation (SLE) oriented "1 hour, 1 day, 1 week, 1 month". - ### Confirmation All current outcomes are constructed as ordered sets, and the current policy generator tool makes use of that @@ -158,4 +157,3 @@ However, we *can* evaluate new outcome sets as they are proposed to ensure that - [ADR-0008](0008-decision-points-are-ordered-sets.md) - Decision Points are Ordered Sets - [Partially ordered sets](https://en.wikipedia.org/wiki/Partially_ordered_set) - [Hasse diagram](https://en.wikipedia.org/wiki/Hasse_diagram) - diff --git a/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md b/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md index 3073af84..86493346 100644 --- a/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md +++ b/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md @@ -11,42 +11,41 @@ consulted: team Should the outcome set be included in a decision model (tree) definition? While a decision point group and their combinations of values define the structure of a tree, an Outcome Set defines -the possible labels of each leaf node. However, in order to decide what labels are appropriate for a leaf node, one -must also be given a policy that maps each input combination (specific decision point values) to a specific outcome +the possible labels of each leaf node. However, in order to decide what labels are appropriate for a leaf node, one +must also be given a policy that maps each input combination (specific decision point values) to a specific outcome (drawn from an outcome set). But both the policy and the outcome set are actually stakeholder-specific. -The example trees we provide are at best a guess at a reasonable policy for SSVC adopters for each of the decisions we -chose to model. And they also make assumptions about the process that the decision supports. So we assumed that -suppliers have four options for priority. And we assigned outcome labels to leaf nodes based on what seemed reasonable -to us at the time. But we must acknowledge that (a) stakeholders might have an arbitrary number of categories for +The example trees we provide are at best a guess at a reasonable policy for SSVC adopters for each of the decisions we +chose to model. And they also make assumptions about the process that the decision supports. So we assumed that +suppliers have four options for priority. And we assigned outcome labels to leaf nodes based on what seemed reasonable +to us at the time. But we must acknowledge that (a) stakeholders might have an arbitrary number of categories for prioritization (2, 3, 4, 5, ...), and (b) they may have wide variation in what combinations are given which priority. - ## Decision Drivers -* There was some discussion during the development of [ADR 0005](0005-ssvc-decision-point-group-versioning.md) about - whether the outcome set should be included in the tree definition. +- There was some discussion during the development of [ADR 0005](0005-ssvc-decision-point-group-versioning.md) about + whether the outcome set should be included in the tree definition. ## Considered Options -* Include the outcome set in the decision point group definition. -* Omit the outcome set from the decision point group definition. +- Include the outcome set in the decision point group definition. +- Omit the outcome set from the decision point group definition. ## Decision Outcome Chosen option: "Omit the outcome set from the decision point group definition", because the outcome set is -stakeholder-specific and not part of the decision point group's (aka _the tree's_) identity. +stakeholder-specific and not part of the decision point group's (aka *the tree's*) identity. We need to define a few terms here: -- a _decision point group_ is a set of decision points that are used to model a decision. The combinations of the decision - points' values define the structure of the decision model (aka _tree_). -- an _outcome set_ is the set of possible outcomes for a decision model. Each leaf node of a tree is labeled with an +- a *decision point group* is a set of decision points that are used to model a decision. The combinations of the decision + points' values define the structure of the decision model (aka *tree*). +- an *outcome set* is the set of possible outcomes for a decision model. Each leaf node of a tree is labeled with an outcome from the outcome set. -- a _policy_ is a mapping from specific combinations of decision point values to specific outcomes from the outcome set. +- a *policy* is a mapping from specific combinations of decision point values to specific outcomes from the outcome set. A decision point group fully defines the structure of a decision model (tree). The outcome set and the policy are -both stakeholder-specific. +both stakeholder-specific. Two examples for illustrative purposes: @@ -65,21 +64,20 @@ the same decision in the same structure, only differing in their policy applicat If we were to include the outcome set but not the policy in the decision point group definition, then the first example would appear to be "different" whereas the second example would appear to be "the same". This also seems misleading. -For completeness, it is not possible to include the policy without the outcome set, since the policy depends on both +For completeness, it is not possible to include the policy without the outcome set, since the policy depends on both the decision point group and the outcome set. -Therefore, the decision point group's (aka _the tree's_) identity omits both the outcome set and its specific mapping to +Therefore, the decision point group's (aka *the tree's*) identity omits both the outcome set and its specific mapping to the tree structure. The thing we're asserting is that the structure of the tree (as defined by its constituent decision -points and their specific versions) is invariant to the above, therefore the tree's identity omits both the outcome set +points and their specific versions) is invariant to the above, therefore the tree's identity omits both the outcome set and its specific mapping to the tree structure. - ### Consequences -* Good, because we can avoid decision point group versioning events due to changes in the outcome set or policy. -* Good, because SSVC users can share decision point groups as decision models without needing to share their specific +- Good, because we can avoid decision point group versioning events due to changes in the outcome set or policy. +- Good, because SSVC users can share decision point groups as decision models without needing to share their specific outcome sets or policies. -* Bad, because the decision point group definition does not fully specify the decision model including the policy. +- Bad, because the decision point group definition does not fully specify the decision model including the policy. ### Confirmation @@ -87,26 +85,26 @@ This decision is confirmed by the fact that decision point groups are versioned ## Pros and Cons of the Options -### Include the outcome set in the decision point group definition. +### Include the outcome set in the decision point group definition Including the outcome set in the decision point group definition would mean that the decision model (tree) changes whenever the outcome set changes. This would lead to a large number of versioning events for decision point groups whenever the outcome set changes, even if the structure of the decision model (tree) remains the same. -* Good, because the combination of decision points and outcome sets would be fully specified, and users would only +- Good, because the combination of decision points and outcome sets would be fully specified, and users would only need to establish their own policy to use the decision model. -* Bad, because the decision model (tree) would change whenever the outcome set changes, even if the structure of the +- Bad, because the decision model (tree) would change whenever the outcome set changes, even if the structure of the decision model (tree) remains the same. For example, the same structure with a 3-category outcome set and a 4-category - outcome set would be considered different decision models. + outcome set would be considered different decision models. -Furthermore, including both the outcome group _and_ the policy in the decision point group definition would mean that the +Furthermore, including both the outcome group *and* the policy in the decision point group definition would mean that the decision model (tree) version would change whenever the policy changes, even if the structure of the decision model (tree) and the outcome set both remained the same. -* Good, because the decision model (tree) would be fully specified and would not depend on any external factors. -* Bad, because the decision model (tree) would change whenever the policy changes, even if the structure of the +- Good, because the decision model (tree) would be fully specified and would not depend on any external factors. +- Bad, because the decision model (tree) would change whenever the policy changes, even if the structure of the decision model (tree) and the outcome set both remained the same. -* Bad, because the number of versioning events for decision models would be large. +- Bad, because the number of versioning events for decision models would be large. ## More Information diff --git a/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md b/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md index 03609316..b38d427c 100644 --- a/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md +++ b/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md @@ -12,17 +12,16 @@ deciders: adh, jspring Two SSVC decision points happen to match two CVSS v4 supplemental metrics. This ADR is to make clear what the SSVC support plan is in regards to this overlap for future versions of these decision points and metrics. - ## Decision Drivers -* The SSVC and CVSS communities have productively shared ideas and concepts in the past. These two decision points are an example. It was a relatively long process to propose these decision points as CVSS metrics, take feedback from the CVSS community, get text approved, and then port those changes over to SSVC. This all happened several years before we had this formalized decision documentation process within SSVC. +- The SSVC and CVSS communities have productively shared ideas and concepts in the past. These two decision points are an example. It was a relatively long process to propose these decision points as CVSS metrics, take feedback from the CVSS community, get text approved, and then port those changes over to SSVC. This all happened several years before we had this formalized decision documentation process within SSVC. ## Considered Options -* No support, expressed or implied, by either group -* SSVC project commits to mirroring any changes made to CVSS -* CVSS SIG commits to mirroring any changes made by the SSVC project -* Both the second and third options, leading to joint decision making on these two decision points / metrics. +- No support, expressed or implied, by either group +- SSVC project commits to mirroring any changes made to CVSS +- CVSS SIG commits to mirroring any changes made by the SSVC project +- Both the second and third options, leading to joint decision making on these two decision points / metrics. ## Decision Outcome @@ -31,14 +30,11 @@ there are no structured agreements in place that could create a service expectat The CVSS SIG is an independent group, even if there may be some overlap with the SSVC community, and SSVC cannot require or expect any changes by CVSS. While SSVC may mirror any changes the CVSS SIG makes to these metrics in the future, that change should be considered by the SSVC community indepdently on its merits, through the normal change management processes for suggestions to amend decision points. - ### Consequences -* Good, because low overhead -- no additional organizational structures -* Good, because leaves the opportunity for continued synchronization open if everyone agrees -* Bad, because no guarantee of future synchronization - - +- Good, because low overhead -- no additional organizational structures +- Good, because leaves the opportunity for continued synchronization open if everyone agrees +- Bad, because no guarantee of future synchronization ### Confirmation @@ -47,4 +43,3 @@ The implementation of this decision is confirmed by continued use of SSVC commun ## More Information This decision could hypothetically be revisited at the request of the CVSS SIG. - diff --git a/docs/adr/_template.md b/docs/adr/_template.md index f4da6f8c..4e991b46 100644 --- a/docs/adr/_template.md +++ b/docs/adr/_template.md @@ -16,16 +16,16 @@ informed: {list everyone who is kept up-to-date on progress; and with whom there ## Decision Drivers -* {decision driver 1, e.g., a force, facing concern, …} -* {decision driver 2, e.g., a force, facing concern, …} -* … +- {decision driver 1, e.g., a force, facing concern, …} +- {decision driver 2, e.g., a force, facing concern, …} +- … ## Considered Options -* {title of option 1} -* {title of option 2} -* {title of option 3} -* … +- {title of option 1} +- {title of option 2} +- {title of option 3} +- … ## Decision Outcome @@ -35,9 +35,9 @@ Chosen option: "{title of option 1}", because ### Consequences -* Good, because {positive consequence, e.g., improvement of one or more desired qualities, …} -* Bad, because {negative consequence, e.g., compromising one or more desired qualities, …} -* … +- Good, because {positive consequence, e.g., improvement of one or more desired qualities, …} +- Bad, because {negative consequence, e.g., compromising one or more desired qualities, …} +- … ### Confirmation @@ -53,22 +53,22 @@ Chosen option: "{title of option 1}", because {example | description | pointer to more information | …} -* Good, because {argument a} -* Good, because {argument b} +- Good, because {argument a} +- Good, because {argument b} -* Neutral, because {argument c} -* Bad, because {argument d} -* … +- Neutral, because {argument c} +- Bad, because {argument d} +- … ### {title of other option} {example | description | pointer to more information | …} -* Good, because {argument a} -* Good, because {argument b} -* Neutral, because {argument c} -* Bad, because {argument d} -* … +- Good, because {argument a} +- Good, because {argument b} +- Neutral, because {argument c} +- Bad, because {argument d} +- … ## More Information @@ -76,4 +76,4 @@ Chosen option: "{title of option 1}", because {You might want to provide additional evidence/confidence for the decision outcome here and/or document the team agreement on the decision and/or define when/how this decision the decision should be realized and if/when it should be re-visited. -Links to other decisions and resources might appear here as well.} \ No newline at end of file +Links to other decisions and resources might appear here as well.} diff --git a/docs/adr/index.md b/docs/adr/index.md index eb58185e..e99a6286 100644 --- a/docs/adr/index.md +++ b/docs/adr/index.md @@ -1,6 +1,6 @@ # SSVC Decision Records -We have adopted the use of [Markdown Any Decision Records](https://adr.github.io/madr/) +We have adopted the use of [Markdown Any Decision Records](https://adr.github.io/madr/) to document significant decisions made in the development of SSVC. Below is a list of all the decision records that have been made. diff --git a/docs/assets/cert_seal.svg b/docs/assets/cert_seal.svg index 980c324c..27a989d3 100644 --- a/docs/assets/cert_seal.svg +++ b/docs/assets/cert_seal.svg @@ -1 +1,16 @@ + + cert_seal \ No newline at end of file diff --git a/docs/howto/acuity_ramp.md b/docs/howto/acuity_ramp.md index 13e4a2be..ef1ae271 100644 --- a/docs/howto/acuity_ramp.md +++ b/docs/howto/acuity_ramp.md @@ -1,6 +1,6 @@ # Acuity Ramp -!!! question inline end "Why _Acuity_? Isn't this a _Maturity_ Model?" +!!! question inline end "Why *Acuity*? Isn't this a *Maturity* Model?" The _acuity ramp_ concept is similar to the idea of a _maturity model_, but the term _maturity_ carries a sort of moral bias in the sense that it has an implied "good" direction from "immature" to "mature". @@ -12,7 +12,7 @@ one that is most appropriate for both their decision and context. It is not inherently better to use a higher-resolution decision point, and it is not inherently worse to use a lower-resolution decision point. -An SSVC _acuity ramp_ is a concept that describes a series of decision functions that are increasingly more detailed and +An SSVC *acuity ramp* is a concept that describes a series of decision functions that are increasingly more detailed and complex while addressing the same decision. The idea is that a decision maker can start with a simple decision model and then, as their needs, resources, or abilities change, they can gather and analyze more or different data to understand their environment with more acuity. @@ -21,37 +21,36 @@ their environment with more acuity. In Cybersecurity Threat and Vulnerability analysis, as with most decision-making processes, decision makers must balance trade-offs between the volume, quality, or detail of the information they use and the cost of gathering and -analyzing that information. -There are many good reasons that decision makers might choose to use a lower resolution indicator that is readily +analyzing that information. +There are many good reasons that decision makers might choose to use a lower resolution indicator that is readily available over a higher resolution indicator that comes at a high cost in terms of time, money, or effort. One way to think about the tradeoffs in acuity is to consider the cost or difficulty of gathering and analyzing data. -Some vulnerability information is readily available for free as a public resource. +Some vulnerability information is readily available for free as a public resource. Other information is available for purchase, for example as a subscription to a threat intelligence feed. Still other information is only available if you set up a system to collect and manage it yourself, such as an internal -asset management system. -For direct cost tradeoffs, one might conduct a cost-benefit analysis of whether the additional acuity provides value -more than its cost. Sometimes, tradeoffs are not directly cost-based. +asset management system. +For direct cost tradeoffs, one might conduct a cost-benefit analysis of whether the additional acuity provides value +more than its cost. Sometimes, tradeoffs are not directly cost-based. The quality and readiness for use of the information can also vary. Structured, low resolution public data might be easier to incorporate into a decision model than unstructured data that requires a lot of manual analysis. -At the CERT/CC, we have observed otherwise high quality threat intelligence provided as PDF files with threat indicators +At the CERT/CC, we have observed otherwise high quality threat intelligence provided as PDF files with threat indicators embedded as screenshots of text, which would be difficult to extract and use in a decision model. Another tradeoff is that sometimes one decision point can serve as a close-enough proxy for another decision point that -is more costly or difficult to acquire. For example, in a given deployment context, -[_Value Density_](../reference/decision_points/value_density.md) might be more readily discerned than -[_Mission Impact_](../reference/decision_points/mission_impact.md) for some stakeholders because it's easier to +is more costly or difficult to acquire. For example, in a given deployment context, +[*Value Density*](../reference/decision_points/value_density.md) might be more readily discerned than +[*Mission Impact*](../reference/decision_points/mission_impact.md) for some stakeholders because it's easier to count how many of something there are than to estimate the impact of a loss of specific instances of the thing. -Alternately, information about _Value Density_ might be available from another source, such as a CVSS v4 scoring provider, -whereas _Mission Impact_ might require a more detailed understanding of the stakeholder's mission and environment. -An organization might start with _Value Density_ as a proxy for _Mission Impact_ and then, as they develop a better -understanding of their environment, they could replace _Value Density_ with _Mission Impact_ in their decision model. - +Alternately, information about *Value Density* might be available from another source, such as a CVSS v4 scoring provider, +whereas *Mission Impact* might require a more detailed understanding of the stakeholder's mission and environment. +An organization might start with *Value Density* as a proxy for *Mission Impact* and then, as they develop a better +understanding of their environment, they could replace *Value Density* with *Mission Impact* in their decision model. ## An Acuity Ramp in Action -The _acuity ramp_ idea is a way to show how a stakeholder could "grow into" their desired decision function as their +The *acuity ramp* idea is a way to show how a stakeholder could "grow into" their desired decision function as their data collection and analysis capabilities increase. We demonstrate this with the following example. !!! example "An Acuity Ramp for a Growing System Deployer Organization" @@ -92,7 +91,12 @@ data collection and analysis capabilities increase. We demonstrate this with the [Exploit Prediction Scoring System](https://www.first.org/epss/) ([EPSS](https://www.first.org/epss/)) into their decision model. - {% include-markdown "../_generated/decision_points/exploitation_1_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.exploitation import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Asset Management (Acuity Level 3) @@ -100,7 +104,12 @@ data collection and analysis capabilities increase. We demonstrate this with the asset data to reflect the degree to which a system is exposed to the internet, allowing them to incorporate the `SYSTEM_EXPOSURE_1_0_1` decision point into their decision model. - {% include-markdown "../_generated/decision_points/system_exposure_1_0_1.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.system_exposure import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Threat and Vulnerability Analysis (Acuity Level 4) @@ -111,7 +120,12 @@ data collection and analysis capabilities increase. We demonstrate this with the [National Vulnerability Database](https://nvd.nist.gov/) ([NVD](https://nvd.nist.gov/)) or by translating CVSS v3 or v4 scores into a value for this decision point. - {% include-markdown "../_generated/decision_points/automatable_2_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.automatable import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Mission and Safety Impact Understanding (Acuity Level 5) @@ -119,21 +133,27 @@ data collection and analysis capabilities increase. We demonstrate this with the degree to which a vulnerability impacts both their mission and public safety, allowing them to incorporate the `MISSION_IMPACT_2` and `SAFETY_IMPACT_1` decision points into their decision model. - {% include-markdown "../_generated/decision_points/mission_impact_2_0_0.md" %} - {% include-markdown "../_generated/decision_points/safety_impact_1_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.mission_impact import LATEST as MI + from ssvc.decision_points.safety_impact import LATEST as SI - In this way, the organization can grow into a more detailed decision model as their understanding and capabilities improve. + from ssvc.doc_helpers import example_block + + print(example_block(MI)) + print(example_block(SI)) + ``` + In this way, the organization can grow into a more detailed decision model as their understanding and capabilities improve. ## Conclusion -The _acuity ramp_ concept is a way to show how a stakeholder could "grow into" their desired decision function as their +The *acuity ramp* concept is a way to show how a stakeholder could "grow into" their desired decision function as their data collection and analysis capabilities improve. It is a way to show how a decision model can be adapted to the context of the decision maker, and how the decision maker can make trade-offs between the cost of gathering information and the quality of the decision they are able to make. -The example above is just a single illustration of the _acuity ramp_ concept. There are many other ways that an -organization might evolve their decision model from a simple starting point toward a more detailed decision model for +The example above is just a single illustration of the *acuity ramp* concept. There are many other ways that an +organization might evolve their decision model from a simple starting point toward a more detailed decision model for any particular decision. Substituting one decision point for another, adding decision points over time, or even customizing decision points to better fit the organization's specific context are all ways that an organization might grow from a simple decision model to a more robust one. diff --git a/docs/howto/bootstrap/collect.md b/docs/howto/bootstrap/collect.md index 53381718..cc28d073 100644 --- a/docs/howto/bootstrap/collect.md +++ b/docs/howto/bootstrap/collect.md @@ -11,10 +11,10 @@ While the actual collection of operational data is outside the scope of SSVC, it of the process. SSVC is designed to be flexible enough to accommodate a variety of data collection methods. The [Data Mapping](prepare.md) step defines the data that is needed to assign a value to each decision point. -The Data Operations process collects that data so that it can be used to assign values to decision points in the +The Data Operations process collects that data so that it can be used to assign values to decision points in the [Use SSVC](use.md) step. -We include a feedback loop on the data collection node to indicate that it is expected to be a continuous process. +We include a feedback loop on the data collection node to indicate that it is expected to be a continuous process. ```mermaid flowchart LR @@ -59,7 +59,6 @@ That caveat notwithstanding, some automation is possible. At least, for those vulnerabilities that are not “automatically” PoC-ready, such as on-path attackers for TLS or network replays. - Some of the decision points require a substantial upfront analysis effort to gather risk assessment or organizational data. However, once gathered, this information can be efficiently reused across many vulnerabilities and only refreshed @@ -70,7 +69,6 @@ occasionally. An obvious example of this is the [Mission Impact](../../reference/decision_points/mission_impact.md) decision point. To answer this, a deployer must analyze their Mission Essential Functions (MEFs), how they interrelate, and how they are supported. - !!! example "Evidence of System Exposure" [System Exposure](../../reference/decision_points/system_exposure.md) is similar; answering that decision point requires an asset inventory, adequate understanding of the network @@ -78,7 +76,6 @@ occasionally. Independently operated scans, such as Shodan or Shadowserver, may play a role in evaluating exposure, but the entire exposure question cannot be reduced to a binary question of whether an organization’s assets appear in such databases. - Once the deployer has the situational awareness to understand their Mission Essential Functions or System Exposure, selecting the answer for each individual vulnerability is usually straightforward. @@ -98,7 +95,7 @@ In the case where no information is available or the organization has not yet ma we can suggest something like defaults for some decision points. !!! tip "Default Exploitation Values" - + [*Exploitation*](../../reference/decision_points/exploitation.md) needs no special default; if adequate searches are made for exploit code and none is found, the answer is [*none*](../../reference/decision_points/exploitation.md). @@ -108,7 +105,6 @@ we can suggest something like defaults for some decision points. means they do not know where the devices are or how they are controlled, so they should assume [*System Exposure*](../../reference/decision_points/system_exposure.md) is [*open*](../../reference/decision_points/system_exposure.md). - !!! tip "Default Automatable Values" If nothing is known about [*Automatable*](../../reference/decision_points/automatable.md), the safer answer to assume is [*yes*](../../reference/decision_points/automatable.md). @@ -127,7 +123,6 @@ we can suggest something like defaults for some decision points. Similarly, with [*Mission Impact*](../../reference/decision_points/mission_impact.md), the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume [*support crippled*](../../reference/decision_points/mission_impact.md) as a default. - !!! example "Using Defaults" diff --git a/docs/howto/bootstrap/index.md b/docs/howto/bootstrap/index.md index 95042e6c..293d4afb 100644 --- a/docs/howto/bootstrap/index.md +++ b/docs/howto/bootstrap/index.md @@ -21,4 +21,4 @@ Using SSVC to prioritize vulnerability response requires a few steps. The steps {% include-markdown "howto/bootstrap/_steps_table.md" %} We cover each of these in the following sections, starting with [Prepare to Use SSVC](prepare.md). -If you want to skip ahead to the full process, see [Bootstrapping SSVC Summary](summary.md). \ No newline at end of file +If you want to skip ahead to the full process, see [Bootstrapping SSVC Summary](summary.md). diff --git a/docs/howto/bootstrap/prepare.md b/docs/howto/bootstrap/prepare.md index 710aab40..79f144ea 100644 --- a/docs/howto/bootstrap/prepare.md +++ b/docs/howto/bootstrap/prepare.md @@ -18,7 +18,6 @@ the information you need to make that decision, and the policy you want to use t bring to the decision making process is essential. SSVC adoption is not just a process for the security team or technical staff. - Here is a diagram of the preparation process: ```mermaid @@ -53,7 +52,7 @@ We will go through each step in detail. ## Choose a Decision to Model !!! example inline end - + Decisions we have modeled with SSVC include: - [Patch Supplier Prioritization](../supplier_tree.md) @@ -120,7 +119,7 @@ flowchart LR oss --> cos ``` -!!! example +!!! example Imagine two different Service Providers, each of which is responsible for managing vulnerabilities in their respective environments. @@ -140,7 +139,7 @@ A single decision point enumerates a set of options for a particular aspect of t We have defined a number of decision points in the [SSVC documentation](../../reference/decision_points/index.md). You can choose from these decision points, or you can define your own decision points to meet your needs. -Whether you choose from the existing decision points or define your own, the set of decision points you use to make a +Whether you choose from the existing decision points or define your own, the set of decision points you use to make a decision is called a Decision Point Set. ```mermaid @@ -182,7 +181,6 @@ flowchart LR device safety regulations. So, the medical device manufacturer might define a decision point called _Regulated_ with the values _Regulated Device_, _Non-Regulated Device_, and _Support Service_. - ## Define Policy So far, you have chosen a decision to model, defined the possible outcomes for that decision, and defined the information you need to make that decision. @@ -223,14 +221,14 @@ flowchart LR example—that is, the mapping from decision point values to outcomes—is not appropriate for their needs because it has too few _Immediate_ outcomes to suit their policy. Therefore, the bank decides to reuse the same decision point set and outcome set but define their own policy. - + ## Map Data to Model Inputs In SSVC, data mapping is the process of defining what data can be used to assign a value to each decision point. The resulting data map indicates which data sources are relevant to each decision point, and how to interpret the data from each data source to assign a value to the decision point. -```mermaid +```mermaid --- title: Data Mapping Process --- @@ -252,7 +250,7 @@ flowchart LR dd --> ddf ddf --> dp2d dp2d --> dpm -``` +``` !!! example @@ -270,7 +268,6 @@ flowchart LR containing the SLA data, and document that the script they wrote will assign a value to the _Service Level_ decision point based on the SLA data. - !!! tip inline end "CERT RMM on Vulnerability Analysis and Resolution" The process of maintaining SSVC decision models is a governance process. @@ -291,11 +288,11 @@ flowchart LR ## Establish Governance The final step in preparing to use SSVC is to establish a governance process for the decision model. -This process should ensure that the decision model remains relevant to the organization's needs and that the data +This process should ensure that the decision model remains relevant to the organization's needs and that the data used to make decisions is accurate and up-to-date. It need not be complex or burdensome. -A lightweight governance process might resemble a review of this _Prepare_ step for each decision modeled using +A lightweight governance process might resemble a review of this *Prepare* step for each decision modeled using SSVC. Each of the items we discussed above could be reviewed in turn, ensuring that: - The decision itself remains relevant to the organization @@ -304,7 +301,7 @@ SSVC. Each of the items we discussed above could be reviewed in turn, ensuring t - The policy remains relevant to the organization's needs - The data sources remain relevant to informing the decision points -Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map, +Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map, or operational processes. ```mermaid @@ -368,6 +365,3 @@ um --> po - Are there new data sources we should consider? - Are there data sources we are using that are no longer relevant? - Is our data mapping still appropriate? - - - diff --git a/docs/howto/bootstrap/summary.md b/docs/howto/bootstrap/summary.md index 409c7fe6..1de97b42 100644 --- a/docs/howto/bootstrap/summary.md +++ b/docs/howto/bootstrap/summary.md @@ -8,42 +8,41 @@ We covered each of these in the previous sections, see the links in the table ab The diagram below shows the complete process of using SSVC. - ```mermaid flowchart TD start([Start]) subgraph prep [Prepare to use SSVC] - dcd{{Choose Decision to Model}} - d[/Decision/] + dcd{{Choose Decision to Model}} + d[/Decision/] l4((1)) - subgraph outcomes [Define Outcomes] - oc1[/Use available
outcome sets?\] - dos{{Define Outcome Sets}} - oss[\Outcome Sets/] - cos{{Choose Outcome Set}} - os[/Outcome Set/] - end + subgraph outcomes [Define Outcomes] + oc1[/Use available
outcome sets?\] + dos{{Define Outcome Sets}} + oss[\Outcome Sets/] + cos{{Choose Outcome Set}} + os[/Outcome Set/] + end l5((1)) - subgraph decisionpoints [Define Inputs] - dp1[/Use available
decision points?\] - ddp{{Define Decision Points}} - dpt[\Decision Points/] - cdp{{Choose Decision Points}} - dps[/Decision Point Set/] - end + subgraph decisionpoints [Define Inputs] + dp1[/Use available
decision points?\] + ddp{{Define Decision Points}} + dpt[\Decision Points/] + cdp{{Choose Decision Points}} + dps[/Decision Point Set/] + end l6((1)) - subgraph dataeng [Data Mapping] - dd1[/Use existing data?\] - dpm[/Data Map/] - dp2d{{Map Decision Points to Data}} - dd{{Define Data}} - ddf[/Data Definition/] - end + subgraph dataeng [Data Mapping] + dd1[/Use existing data?\] + dpm[/Data Map/] + dp2d{{Map Decision Points to Data}} + dd{{Define Data}} + ddf[/Data Definition/] + end l7((1)) - subgraph policy [Policy Development] - dfp{{Define Policy}} - p[/Policy/] - end + subgraph policy [Policy Development] + dfp{{Define Policy}} + p[/Policy/] + end subgraph gov [Governance] eg{{Establish Governance Process}} gp[[Governance Process]] @@ -52,17 +51,17 @@ subgraph prep [Prepare to use SSVC] end subgraph dataops [Data Operations] - cd[Collect Data] - vd[/Vulnerability Data/] - ed[/Environment Data/] + cd[Collect Data] + vd[/Vulnerability Data/] + ed[/Environment Data/] dt[\Available Data/] end subgraph runtime [Use SSVC] - mdp[[Apply Decision Point Mapping to Data]] - dp[/Decision Point Values/] - ap[[Apply Policy]] - oc[/Outcome/] + mdp[[Apply Decision Point Mapping to Data]] + dp[/Decision Point Values/] + ap[[Apply Policy]] + oc[/Outcome/] end r[Vulnerability Response] start --> dcd @@ -115,4 +114,3 @@ r --> l1((2)) l2((2)) --> cd l6 --> dd1 ``` - diff --git a/docs/howto/bootstrap/use.md b/docs/howto/bootstrap/use.md index cbf9a4db..6b75cba6 100644 --- a/docs/howto/bootstrap/use.md +++ b/docs/howto/bootstrap/use.md @@ -30,9 +30,8 @@ flowchart LR ap --> oc ``` - !!! example - + A government agency has a need to prioritize vulnerability response as part of their vulnerability management process. Certain vulnerabilities require special handling as a matter of government policy, and the agency wants to make sure that they are not overlooked. @@ -90,7 +89,7 @@ Not every stakeholder will use the decision points to make comparable decisions. [Suppliers](../supplier_tree.md) and [deployers](../deployer_tree.md) make interdependent decisions, but the actions of one group are not strictly dependent on the other. Recall that one reason for this is that SSVC is about prioritizing a vulnerability response action in general, not specifically applying a patch that a supplier produced. [Coordinators](../coordination_intro.md) are particularly interested in facilitating communication because that is their core function. -This section handles three aspects of this challenge: +This section handles three aspects of this challenge: - formats for communicating SSVC - how to handle partial or incomplete information @@ -106,7 +105,7 @@ This section discusses the situation where one stakeholder, usually a supplier o We provide a structured communication format for SSVC information using JSON schemas. The goal of this format is to capture all the context and details about a decision or work item in a clear and machine-readable way. -- The [provision schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Provision.schema.json) is equivalent to a decision model and documents the full set of logical statements that a +- The [provision schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Provision.schema.json) is equivalent to a decision model and documents the full set of logical statements that a stakeholder uses to make decisions. - The [computed schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Computed.schema.json) expresses a set of information about a work item or vulnerability at a point in time. A computed schema should identify the provision schema used, so the options from which the information was computed are specified. @@ -123,8 +122,7 @@ A computed schema should identify the provision schema used, so the options from The `value` term is derived the same way as `decision point` except start with the value name as given in the relevant decision point subsection of [Likely Decision Points and Relevant Data](../../reference/decision_points/index.md). - -### Partial or Incomplete Information +### Partial or Incomplete Information What an analyst knows about a vulnerability may not be complete. However, the vulnerability management community may still benefit from partial information. @@ -139,7 +137,12 @@ If the analyst knows nothing, all states are possible. For example, [Utility](../../reference/decision_points/utility.md) may be [laborious](../../reference/decision_points/utility.md), [efficient](../../reference/decision_points/utility.md), or [super effective](../../reference/decision_points/system_exposure.md). - {% include-markdown "../../_generated/decision_points/utility.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.utility import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` The reason a stakeholder might publish a decision point with all its possible values is that doing so expresses that the analyst thought about [*Utility*](#utility) but does not have anything to communicate. A stakeholder might have information to communicate about some decision points but not others. @@ -151,9 +154,19 @@ The merit in this “list all values” approach emerges when the stakeholder kn Extending the previous example, say the analyst knows that [*Value Density*](../../reference/decision_points/value_density.md) is [diffuse](../../reference/decision_points/value_density.md) but does not know the value for [Automatability](../../reference/decision_points/automatable.md). - {% include-markdown "../../_generated/decision_points/value_density.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.value_density import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` - {% include-markdown "../../_generated/decision_points/automatable.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.automatable import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` Therefore they could rule out [super effective](../../reference/decision_points/utility.md) for [Utility](../../reference/decision_points/utility.md) @@ -202,14 +215,13 @@ Risk tolerance and risk appetite are primarily reflected in the priority labels | [*Utility*](../../reference/decision_points/utility.md) | every 6 months | | [*Public Safety Impact*](../../reference/decision_points/public_safety_impact.md) | every 1 year | - ### Decision Points Under Direct Control The following decision points are usually in the control of the organization running SSVC and should be re-evaluated when a relevant change is made or during annual reviews of assets. - - [*Situated Safety Impact*](../../reference/decision_points/safety_impact.md) - - [*Mission Impact*](../../reference/decision_points/mission_impact.md) - - [*System Exposure*](../../reference/decision_points/system_exposure.md) +- [*Situated Safety Impact*](../../reference/decision_points/safety_impact.md) +- [*Mission Impact*](../../reference/decision_points/mission_impact.md) +- [*System Exposure*](../../reference/decision_points/system_exposure.md) ### Timestamping SSVC Information diff --git a/docs/howto/coordination_intro.md b/docs/howto/coordination_intro.md index abccf08a..e290b5b2 100644 --- a/docs/howto/coordination_intro.md +++ b/docs/howto/coordination_intro.md @@ -5,7 +5,6 @@ Since coordinators neither supply nor deploy the vulnerable component in questio [suppliers'](supplier_tree.md) or [deployers'](deployer_tree.md) decisions. This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions. - Coordinators vary quite a lot, and their use of SSVC may likewise vary. A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents. Furthermore, a coordinator may only publish some of the information it uses to make decisions. @@ -13,9 +12,9 @@ Consistent with other stakeholder perspectives (supplier and deployer), SSVC pro For more information about types of coordinators and their facilitation actions within vulnerability management, see [The CERT Guide to Coordinated Vulnerability Disclosure](https://certcc.github.io/CERT-Guide-to-CVD/topics/roles/coordinator/) -The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are +The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are -1. [Coordination Triage](coordination_triage_decision.md) - The initial triage of vulnerability reports. This initial coordination decision is a prioritization decision, but it +1. [Coordination Triage](coordination_triage_decision.md) - The initial triage of vulnerability reports. This initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a [deployer](deployer_tree.md) or [supplier](supplier_tree.md). 2. [Publication](publication_decision.md) - Whether a publication about a vulnerability is warranted. The publication decision for us is a binary yes/no. @@ -25,9 +24,7 @@ These two decisions are not the entirety of vulnerability coordination, but we l For another example of how a coordinator is using SSVC, see the [CISA SSVC](https://www.cisa.gov/ssvc) website. - Different coordinators have different scopes and constituencies. See [The CERT Guide to Coordinated Vulnerability Disclosure](https://certcc.github.io/CERT-Guide-to-CVD/topics/roles/coordinator/) for a listing of different coordinator types. If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator. The decisions in this section assume the report or vulnerability in question is within the work scope or constituency for the coordinator. - diff --git a/docs/howto/coordination_triage_decision.md b/docs/howto/coordination_triage_decision.md index 18ef5d5c..6ad72cdc 100644 --- a/docs/howto/coordination_triage_decision.md +++ b/docs/howto/coordination_triage_decision.md @@ -11,20 +11,18 @@ This decision is also known as triage. In this case, the stakeholder is the **Coordinator** and the decision is the **priority of coordinating a vulnerability report**. - -## Coordinator Triage Units of Work +## Coordinator Triage Units of Work !!! info inline end "Coordinator Unit of Work" The unit of work for a Coordinator is usually a single report to be coordinated. Coordinator units of work tend to coincide with whatever arrives in a single report, which spans the range from a single -vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design +vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design flaws in system specifications that could affect every Supplier and product that uses or implements the flawed specification. Coordinators may need to reorganize reports (e.g., merge, split, expand, or contract) according to their workflow demands. SSVC can be applied to either the initial report or to the results of such refinement. - ## Coordinator Triage Decision Outcomes We take three priority levels in our decision about whether and how to [coordinate](https://certcc.github.io/CERT-Guide-to-CVD/tutorials/cvd_is_a_process/) @@ -38,17 +36,15 @@ a vulnerability based on an incoming report: | Track | Receive information about the vulnerability and monitor for status changes but do not take any overt actions. | | Coordinate | Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, publication, and assist another party. | - - - *Decline* — Do not act on the report. May take different forms, including ignoring the report as well as an +- *Decline* — Do not act on the report. May take different forms, including ignoring the report as well as an acknowledgement to the reporter that we will not act and suggest the reporter to go to vendor or publish if unresponsive. - - *Track* — Receive information about the vulnerability and monitor for status changes but do not take any overt actions. - - *Coordinate* — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, - notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), +- *Track* — Receive information about the vulnerability and monitor for status changes but do not take any overt actions. +- *Coordinate* — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, + notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See the [FIRST CSIRT Services Framework](https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#7-Service-Area-Vulnerability-Management) for additional vulnerability management services a coordinator may provide. - ## Coordinator Triage Decision Points !!! tip inline end "Prior CERT/CC Work on Prioritizing Coordination Decisions" @@ -68,30 +64,36 @@ In addition to using some of the decision points common to [Suppliers](supplier_ The first two function as gating questions: - [Report Public](../reference/decision_points/report_public.md): If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). -- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). +- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive. -These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage +These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the decision model below shows. The remaining five decision points are: - [Report Credibility](../reference/decision_points/report_credibility.md): If the report is not credible, then CERT/CC will decline the case. -- [Supplier Cardinality](../reference/decision_points/supplier_cardinality.md): Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases. +- [Supplier Cardinality](../reference/decision_points/supplier_cardinality.md): Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases. - [Supplier Engagement](../reference/decision_points/supplier_engagement.md): If the suppliers are already engaged in a case, there is usually less for a coordinator to do, making it less likely that we will coordinate a case. - [Utility](../reference/decision_points/utility.md): If the vulnerability has high utility, then CERT/CC is more likely to coordinate the case. -- [Public Safety Impact](../reference/decision_points/public_safety_impact.md): If the vulnerability has significant +- [Public Safety Impact](../reference/decision_points/public_safety_impact.md): If the vulnerability has significant public safety impact, then CERT/CC is more likely to coordinate the case. More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/report_public.md" %} -{% include-markdown "../_generated/decision_points/supplier_contacted.md" %} -{% include-markdown "../_generated/decision_points/report_credibility.md" %} -{% include-markdown "../_generated/decision_points/supplier_cardinality.md" %} -{% include-markdown "../_generated/decision_points/supplier_engagement.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_public import LATEST as RP +from ssvc.decision_points.supplier_contacted import LATEST as SC +from ssvc.decision_points.report_credibility import LATEST as RC +from ssvc.decision_points.supplier_cardinality import LATEST as SI +from ssvc.decision_points.supplier_engagement import LATEST as SE +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.public_safety_impact import LATEST as PSI +from ssvc.doc_helpers import example_block + +for dp in [RP, SC, RC, SI, SE, U, PSI]: + print(example_block(dp)) +``` ## Coordinator Triage Decision Model diff --git a/docs/howto/deployer_tree.md b/docs/howto/deployer_tree.md index 68853bc0..961a475e 100644 --- a/docs/howto/deployer_tree.md +++ b/docs/howto/deployer_tree.md @@ -18,7 +18,7 @@ in their infrastructure. Deployers are usually in the position of receiving remediations or mitigations from their [Suppliers](supplier_tree.md) for products they have deployed. They must then decide whether to deploy the remediation or mitigation to a particular instance (or not). -Whether they have the option of deploying only part of a remediation such as a fix bundle depends on whether the +Whether they have the option of deploying only part of a remediation such as a fix bundle depends on whether the Supplier has engineered their release process to permit that degree of flexibility. For example, if service packs are fix bundles, the Supplier might choose to release individually deployable fixes as well. @@ -35,12 +35,11 @@ The vulnerability management process for deployers has at its core the collation The first must be collected by the Deployer, while the latter two most often originate from the product Supplier. Managing this information is generally called **asset management**. - -In turn, Deployers must resolve this information into specific actions in which a remediation or mitigation is slated +In turn, Deployers must resolve this information into specific actions in which a remediation or mitigation is slated for deployment to replace or modify a particular instance of the product. -The Deployer model described below considers the mission and safety risks inherent to the category of systems to which those +The Deployer model described below considers the mission and safety risks inherent to the category of systems to which those deployed instances belong. -For this reason, we recommend that the pairing of remediation or mitigation to a product version instance constitutes +For this reason, we recommend that the pairing of remediation or mitigation to a product version instance constitutes the unit of work most appropriate for the Deployer. ## Deployer Decision Outcomes @@ -58,16 +57,15 @@ While we've used the same priority names, the meaning of the priority may have d | Out-of-cycle | Act more quickly than usual to apply the mitigation or remediation out-of-cycle, during the next available opportunity, working overtime if necessary. | | Immediate | Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations. | - -When remediation is available, usually the action is to apply it. +When remediation is available, usually the action is to apply it. When remediation is not yet available, the action space is more diverse, but it should involve mitigating the vulnerability (e.g., shutting down services or applying additional security controls) or accepting the risk of not mitigating the vulnerability. -Applying mitigations may change the value of decision points. -A mitigation that successfully changes the value of a decision point may shift the priority of further action to a -reduced state. -If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later -becomes available. +Applying mitigations may change the value of decision points. +A mitigation that successfully changes the value of a decision point may shift the priority of further action to a +reduced state. +If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later +becomes available. !!! example "Mitigation Examples" @@ -114,12 +112,18 @@ The Deployer Patch Deployment Priority decision model uses the following decisio More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/system_exposure.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/human_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.system_exposure import LATEST as SE +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.human_impact import LATEST as HI +from ssvc.doc_helpers import example_block -In the _Human Impact_ table above, *MEF* stands for Mission Essential Function. +for dp in [EXP, SE, U, HI]: + print(example_block(dp)) +``` + +In the *Human Impact* table above, *MEF* stands for Mission Essential Function. ## Deployer Decision Model @@ -132,7 +136,6 @@ Below we provide an example deployer prioritization policy that maps the decisio - An [_active_](../reference/decision_points/exploitation.md) state of [*Exploitation*](../reference/decision_points/exploitation.md) will never result in a *defer* priority. - A [_none_](../reference/decision_points/exploitation.md) state of [*Exploitation*](../reference/decision_points/exploitation.md) (no evidence of exploitation) will result in either *defer* or *scheduled* priority—unless the state of [*Human Impact*](../reference/decision_points/human_impact.md) is [_very high_](../reference/decision_points/human_impact.md), resulting in an *out-of-cycle* priority. - {% include-markdown "../_includes/_tree_notation_tip.md" %} -{{ read_csv('deployer-options.csv') }} \ No newline at end of file +{{ read_csv('deployer-options.csv') }} diff --git a/docs/howto/index.md b/docs/howto/index.md index b3331037..17946887 100644 --- a/docs/howto/index.md +++ b/docs/howto/index.md @@ -31,7 +31,7 @@ At its core are the concepts of: - [**Stakeholder Roles**](../topics/enumerating_stakeholders.md): Different participants in the vulnerability response process have different needs and priorities. Roles can include patch suppliers, deployers, coordinators, and others. - [**Decisions**](../topics/enumerating_decisions.md): Each stakeholder role has a set of decisions to make about how to respond to vulnerabilities. - For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the + For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the decision might be about how to prioritize the deployment of patches. Coordinators usually need to decide whether to coordinate a response, and whether to publish information about a vulnerability they've coordinated. - [**Decision Points**](../reference/decision_points/index.md): Each decision is made based on a set of inputs, or decision points. These are the factors @@ -41,18 +41,18 @@ At its core are the concepts of: For example, a decision about whether to deploy a patch might have outcomes like "immediate", "scheduled", "deferred", and "out-of-cycle". -Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority +Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority with which to act. The definition of choices can take a logical form, such as: - - IF - - - ([*Exploitation*](../reference/decision_points/exploitation.md) IS *Public PoC*) AND - - ([*System Exposure*](../reference/decision_points/system_exposure.md) IS *controlled*) AND - - ([*Automatable*](../reference/decision_points/automatable.md) IS *no*) AND - - ([*Human Impact*](../reference/decision_points/human_impact.md) IS *medium*) +- IF + + - ([*Exploitation*](../reference/decision_points/exploitation.md) IS *Public PoC*) AND + - ([*System Exposure*](../reference/decision_points/system_exposure.md) IS *controlled*) AND + - ([*Automatable*](../reference/decision_points/automatable.md) IS *no*) AND + - ([*Human Impact*](../reference/decision_points/human_impact.md) IS *medium*) - - THEN priority is *scheduled*. +- THEN priority is *scheduled*. This example logical statement is captured in [row 34 of the deployer `.csv` file](https://github.com/CERTCC/SSVC/blob/main/data/csvs/deployer-options.csv#L35). diff --git a/docs/howto/publication_decision.md b/docs/howto/publication_decision.md index a19a93d7..1673302a 100644 --- a/docs/howto/publication_decision.md +++ b/docs/howto/publication_decision.md @@ -11,7 +11,6 @@ While other stakeholders may also have to make a publication decision, here we f the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the **Coordinator** and the decision is **whether to publish an advisory about the vulnerability**. - ## Policy Constraints and Publication Decisions !!! tip inline end "Other Stakeholders' Publication Decisions" @@ -22,7 +21,7 @@ While other stakeholders may also have to make a publication decision, here we f A vulnerability finder may have to decide whether to publish information about a vulnerability they have discovered. Each of these decisions is likely to be different from the coordinator's decision. -The decision to publish information about a vulnerability is a policy choice, and is likely to differ from organization +The decision to publish information about a vulnerability is a policy choice, and is likely to differ from organization to organization. Two points where CERT/CC policy clearly influences the publication decision are embargo periods and scope. @@ -30,9 +29,9 @@ Two points where CERT/CC policy clearly influences the publication decision are As a matter of policy, CERT/CC will support an embargo from the public of information about a vulnerability through its choice not to publish that information while a number of conditions hold: - - - A negotiated embargo timer has not expired. The CERT/CC default embargo period is [45 days](https://certcc.github.io/CERT-Guide-to-CVD/reference/certcc_disclosure_policy/). - - Other exceptions have not been met, including active exploitation of the vulnerability in the wild or other public + +- A negotiated embargo timer has not expired. The CERT/CC default embargo period is [45 days](https://certcc.github.io/CERT-Guide-to-CVD/reference/certcc_disclosure_policy/). +- Other exceptions have not been met, including active exploitation of the vulnerability in the wild or other public discussion of the vulnerability details. Regardless, the decision described in this section assumes the embargo period is over, one way or another. @@ -43,11 +42,9 @@ The second point is related to the [Coordination Triage Decision](coordination_t CERT/CC only expects to publish about vulnerabilities with a [*coordinate*](coordination_triage_decision.md) status. While an issue that is tracked or declined may be reevaluated at a later date and status changed to [*coordinate*](coordination_triage_decision.md), unless that happens we would not publish about the vulnerability. -Other organizations, such as [NVD](https://nvd.nist.gov/), would have different publication criteria and may want to include decision +Other organizations, such as [NVD](https://nvd.nist.gov/), would have different publication criteria and may want to include decision points or the decision itself from the [Coordination Triage Decision](coordination_triage_decision.md) in their publication decision. - - ## Coordinator Publication Units of Work !!! info inline end "Coordinator Publication Unit of Work" @@ -57,11 +54,11 @@ points or the decision itself from the [Coordination Triage Decision](coordinati In the CERT/CC's vulnerability coordination practice, a single report leads to a single coordination case which leads to a single publication. Therefore the unit of work for the publication decision is often the same as the unit of work for the -[coordination triage decision](coordination_triage_decision.md). +[coordination triage decision](coordination_triage_decision.md). -That is sometimes not the case, however. For example, there could be multiple reports of multiple vulnerabilities and -the coordinator might choose to publish a single advisory covering all of them if the vulnerabilities are variations on -a central theme and have a common set of affected products. +That is sometimes not the case, however. For example, there could be multiple reports of multiple vulnerabilities and +the coordinator might choose to publish a single advisory covering all of them if the vulnerabilities are variations on +a central theme and have a common set of affected products. !!! example "Multiple Reports, Single Advisory" @@ -74,7 +71,7 @@ a central theme and have a common set of affected products. Another possibility is that a single report could lead to multiple advisories, for example if the product is a library that is used in multiple other products, and the coordinator chooses to publish separate advisories -based on some other criteria. +based on some other criteria. !!! example "Single Report, Multiple Advisories" @@ -122,28 +119,33 @@ For the CERT/CC, the publication decision is binary: publish or do not publish. a single decision with multiple outcomes, each of which would lead to a different publication vehicle. This is an example of how SSVC can be customized to the needs of the organization using it. - ## Coordinator Publication Decision Points -The publication decision reuses the [*Exploitation*](../reference/decision_points/exploitation.md) decision point -and adds two new ones ([*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) and +The publication decision reuses the [*Exploitation*](../reference/decision_points/exploitation.md) decision point +and adds two new ones ([*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) and [*Public Value Added*](../reference/decision_points/public_value_added.md)). - [*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) - If the supplier is involved and likely to publish already, there is less need for the CERT/CC to publish. - [*Exploitation*](../reference/decision_points/exploitation.md) - If the vulnerability is being actively exploited, the CERT/CC is more likely to publish. - [*Public Value Added*](../reference/decision_points/public_value_added.md) - If there is already significant public discussion of the vulnerability, there might not be - much for the CERT/CC to add, making us less likely to publish. + much for the CERT/CC to add, making us less likely to publish. More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/supplier_involvement.md" %} -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/public_value_added.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_involvement import LATEST as SI +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.public_value_added import LATEST as PVA +from ssvc.doc_helpers import example_block + +for dp in [SI, EXP, PVA]: + print(example_block(dp)) +``` ## Coordinator Publication Decision Model -An example coordinator publication decision model is shown below. The policy described by the model is based on CERT/CC +An example coordinator publication decision model is shown below. The policy described by the model is based on CERT/CC publication decisions. Other organizations may have different publication criteria and may want to include other decision points in their publication decision model. @@ -151,7 +153,6 @@ in their publication decision model. style="width: 100%;" height = "600" /> - |precedence| p25 va9 -->|ampliative| p26 va9 -->|limited| p27 + ``` --> @@ -268,4 +270,3 @@ flowchart LR {{ read_csv('coord-publish-options.csv') }} - diff --git a/docs/howto/supplier_tree.md b/docs/howto/supplier_tree.md index 380a1177..e714e907 100644 --- a/docs/howto/supplier_tree.md +++ b/docs/howto/supplier_tree.md @@ -43,11 +43,11 @@ Suppliers may also produce mitigations, such as recommended configuration change ## Supplier Decision Outcomes -At a basic level, the decision at a software development organization is whether to issue a work order and what +At a basic level, the decision at a software development organization is whether to issue a work order and what resources to expend to remediate a vulnerability in the organization’s software. Prioritization is required because, at least in the current history of software engineering, the effort to patch all known vulnerabilities will exceed available resources. -The organization considers several other factors to build the patch; refactoring a large portion of the code base may +The organization considers several other factors to build the patch; refactoring a large portion of the code base may be necessary for some patches, while others require relatively small changes. We focus only on the priority of building the patch, and we consider four categories of priority, as outlined in the table below. @@ -71,10 +71,17 @@ The decision to create a patch is based on the following decision points: More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/technical_impact.md" %} -{% include-markdown "../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.technical_impact import LATEST as TI +from ssvc.decision_points.public_safety_impact import LATEST as PSI + +from ssvc.doc_helpers import example_block + +for dp in [EXP, U, TI, PSI]: + print(example_block(dp)) +``` !!! tip "Public Safety Impact is a notational convenience" @@ -83,13 +90,12 @@ More detail about each of these decision points is provided at the links above, ## Supplier Decision Model -The example supplier decision model below shows a prioritization policy for the supplier. -We display the decision model as a decision tree, which provides a compact representation of the policy, +The example supplier decision model below shows a prioritization policy for the supplier. +We display the decision model as a decision tree, which provides a compact representation of the policy, showing the relative priority of different situations. {% include-markdown "../_includes/_tree_notation_tip.md" %} - diff --git a/docs/howto/tree_customization.md b/docs/howto/tree_customization.md index 35016ecd..5c4ebe68 100644 --- a/docs/howto/tree_customization.md +++ b/docs/howto/tree_customization.md @@ -15,7 +15,7 @@ A stakeholder community may come together and, if there is broad consensus, add ## Customizing a Decision Model -Which decision points are involved in a vulnerability management team's +Which decision points are involved in a vulnerability management team's decision and the priority label for each resulting situation are, for all intents and purposes, totally at the discretion of the team. We have provided some examples for different stakeholder communities here. What decision points a team considers reflects what it cares about and the risks prioritizes. @@ -27,7 +27,7 @@ The other aspect of risk management that SSVC allows a team to customize is its A team's risk appetite is reflected directly by the priority labels for each combination of decision values. For example, a vulnerability with -[no or minor](../reference/decision_points/public_safety_impact.md) +[no or minor](../reference/decision_points/public_safety_impact.md) [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md), [total](../reference/decision_points/technical_impact.md) [*Technical Impact*](../reference/decision_points/technical_impact.md), @@ -57,10 +57,11 @@ To that end, we briefly examine the qualities for which decision tree measuremen ## Decision Tree Construction Concerns -Decision tree construction methods must address five significant concerns: -- feature selection -- feature type -- overfitting +Decision tree construction methods must address five significant concerns: + +- feature selection +- feature type +- overfitting - parsimony - versioning @@ -87,7 +88,7 @@ The use of ordinal features is a key assumption behind our use of the parsimony When decision trees are used in a machine learning context, overfitting increases tree complexity by incorporating the noise in the training data set into the decision points in a tree. In our case, our “data” is just the set of outcomes as decided by humans, so overfitting is less of a concern, assuming the feature selection has been done with care. -### Parsimony +### Parsimony Parsimony is, in essence, Occam's Razor applied to tree selection. Given the choice between two trees that have identical outputs, one should choose the tree with fewer decisions. One way to evaluate the parsimony of a tree is by applying the concept of feature importance to ensure that each feature is contributing adequately to the result. @@ -106,9 +107,11 @@ More likely, however, is that some subset of features will be of relatively equa In this case, the lowest importance feature should be considered for refinement or elimination. It is possible that adjusting the definition of a feature or its available values (whether redefining, adding, or removing options) could increase its importance. Reasons to retain a low-importance feature include: -* the feature is relevant to a small set of important circumstances that a tree without the feature would otherwise be unable to discriminate -* the effort required to determine the correct value for the feature is relatively small, for example information that might be collected automatically -* the feature enables other features to be defined more clearly + +- the feature is relevant to a small set of important circumstances that a tree without the feature would otherwise be unable to discriminate +- the effort required to determine the correct value for the feature is relatively small, for example information that might be collected automatically +- the feature enables other features to be defined more clearly + Features that meet none of the above criteria may be good candidates for elimination. Customizing a tree by changing the outcome priority labels can also affect the importance of a feature. @@ -126,12 +129,14 @@ SSVC trees should be identifiable by name and version. A tree name is simply a s Communities of shared interest may desire to share information about decision points or even create custom trees to share within their community. Examples include: + - an Information Sharing and Analysis Organization (ISAO) within a critical infrastructure sector might want to define a custom decision point relevant to their constituents' regulatory compliance. - a corporate Computer Security Incident Response Team (CSIRT) might choose to adjust decision priorities for an existing tree for use by its subsidiaries. - a government department might define a separate tree using existing decision points to address a particular governance process within their constituent agencies. -- a regional coordinator might want to produce decision point information as a product of its threat analysis work and provide this information to its constituency in an advisory. +- a regional coordinator might want to produce decision point information as a product of its threat analysis work and provide this information to its constituency in an advisory. In these and other scenarios, there are two scopes to consider: + 1. Decision Point Scope 2. Decision Tree Scope @@ -139,19 +144,21 @@ In these and other scenarios, there are two scopes to consider: Each decision point defined in this document has a characteristic scope, either *stakeholder-agnostic* or *stakeholder-specific*. -- **Stakeholder-agnostic decision points** describe the state of the world outside the stakeholder's environment. +- **Stakeholder-agnostic decision points** describe the state of the world outside the stakeholder's environment. One might think of them as global facts that form the background context in which the stakeholder is making a prioritization decision. -Nearly all stakeholders should agree on the assignment of specific values to these decision points. +Nearly all stakeholders should agree on the assignment of specific values to these decision points. - **Stakeholder-specific decision points** are expected to be contextual to some set of stakeholders. Information about a stakeholder-specific decision point can still be inherited by other stakeholders using the same tree. For example in the corporate CSIRT scenario above, the [*System Exposure*](../reference/decision_points/system_exposure.md) value might be consistent across all subsidiaries for a centrally managed service. We generally consider the following decision points to be *stakeholder-agnostic*: + - [*Exploitation*](../reference/decision_points/exploitation.md) - [*Technical Impact*](../reference/decision_points/technical_impact.md) - [*Automatable*](../reference/decision_points/automatable.md) On the contrary, we consider the following decision points to be *stakeholder-specific*: + - [*Value Density*](../reference/decision_points/value_density.md) - [Utility](../reference/decision_points/utility.md) - [*Safety Impact*](../reference/decision_points/safety_impact.md) @@ -163,13 +170,14 @@ On the contrary, we consider the following decision points to be *stakeholder-sp We anticipate that most custom decision points created by stakeholders for themselves or a constituency will be of the *stakeholder-specific* variety. Examples of these sorts of custom decision points include + - A decision point indicating whether a system or mission context is affected by regulatory oversight that might alter the decision priority. E.g., a healthcare-focused ISAO might define a decision point about whether a vulnerability affects patient data privacy protection. - A decision point that incorporates the concept of change risk to a deployer. E.g., a financial institution might have a very low tolerance for changes to a transaction clearing system. - A decision point that indicates whether the affected software belongs to a list of critical software for a specific constituency. E.g., an open-source consortium might want to prioritize fix development for a set of key projects. - + ### Decision Tree Scope Two kinds of modifications are possible at the decision tree level. @@ -178,7 +186,7 @@ Two kinds of modifications are possible at the decision tree level. For example, an organization with sufficient resources to efficiently deploy fixes might choose to defer fewer cases than the default tree would recommend. - *Tree Customization* can be done in one of three ways: 1. incorporating an already-defined decision point into an existing tree that does not already contain it. - 2. defining a new decision point and adding it to an existing tree. + 2. defining a new decision point and adding it to an existing tree. Note that adding or removing an option from an existing decision point should be treated as creating a new decision point. The new decision point should be given a distinct name as well. 3. defining a new tree entirely from existing or new decision points. @@ -188,4 +196,3 @@ Because tree customization changes the tree structure and implies the addition o Risk-shifted or customized trees can be shared among a community of interest, of course. Further customization within each stakeholder remains an option as well, although there is likely a diminishing return on more than a few layers of customization for the same basic decision. Of course, SSVC users might choose to construct other trees to inform other decisions. - diff --git a/docs/index.md b/docs/index.md index c6faf6d3..8713f65b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,17 +1,16 @@ # Stakeholder-Specific Vulnerability Categorization -SSVC stands for A Stakeholder-Specific Vulnerability Categorization. +SSVC stands for A Stakeholder-Specific Vulnerability Categorization. It is a methodology for prioritizing vulnerabilities based on the needs of the stakeholders involved in the vulnerability management process. SSVC is designed to be used by any stakeholder in the vulnerability management process, including finders, vendors, coordinators, deployers, and others. - ## Where to go from here We have organized the SSVC documentation into four main sections:
-- :material-television-shimmer:{ .lg .middle } __Get Started with SSVC__ +- :material-television-shimmer:{ .lg .middle } **Get Started with SSVC** --- @@ -20,7 +19,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: Learning SSVC](tutorials/index.md) -- :material-clipboard-check:{ .lg .middle } __SSVC How To__ +- :material-clipboard-check:{ .lg .middle } **SSVC How To** --- @@ -29,7 +28,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: SSVC How To](howto/index.md) -- :fontawesome-solid-book:{ .lg .middle } __Learn More about SSVC__ +- :fontawesome-solid-book:{ .lg .middle } **Learn More about SSVC** --- @@ -38,7 +37,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: Understanding SSVC](topics/index.md) -- :material-book-open-page-variant:{ .lg .middle } __SSVC Reference__ +- :material-book-open-page-variant:{ .lg .middle } **SSVC Reference** --- @@ -49,5 +48,4 @@ We have organized the SSVC documentation into four main sections:
- {% include-markdown "_includes/helping_out.md" heading-offset=1 %} diff --git a/docs/reference/code/analyze_csv.md b/docs/reference/code/analyze_csv.md index 1f47e1ab..8bee1a2c 100644 --- a/docs/reference/code/analyze_csv.md +++ b/docs/reference/code/analyze_csv.md @@ -1,4 +1,3 @@ # SSVC CSV Analyzer ::: ssvc.csv_analyzer - diff --git a/docs/reference/code/doctools.md b/docs/reference/code/doctools.md index edd3b5e0..a589b962 100644 --- a/docs/reference/code/doctools.md +++ b/docs/reference/code/doctools.md @@ -1,4 +1,3 @@ # Doctools ::: ssvc.doctools - diff --git a/docs/reference/code/index.md b/docs/reference/code/index.md index 726664c0..8f2f47ad 100644 --- a/docs/reference/code/index.md +++ b/docs/reference/code/index.md @@ -6,4 +6,4 @@ These include: - [CSV Analyzer](analyze_csv.md) - [Policy Generator](policy_generator.md) - [Outcomes](outcomes.md) -- [Doctools](doctools.md) \ No newline at end of file +- [Doctools](doctools.md) diff --git a/docs/reference/code/policy_generator.md b/docs/reference/code/policy_generator.md index fa6e8477..4520599f 100644 --- a/docs/reference/code/policy_generator.md +++ b/docs/reference/code/policy_generator.md @@ -5,5 +5,4 @@ policy (a decision tree) from a set of input parameters. It is intended to be used as a library, for example within a Jupyter notebook. - -::: ssvc.policy_generator \ No newline at end of file +::: ssvc.policy_generator diff --git a/docs/reference/decision_points/automatable.md b/docs/reference/decision_points/automatable.md index 9b74a09b..69259cfa 100644 --- a/docs/reference/decision_points/automatable.md +++ b/docs/reference/decision_points/automatable.md @@ -1,12 +1,18 @@ -# Automatable +# Automatable (SSVC) -{% include-markdown "../../_generated/decision_points/automatable.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.automatable import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" Automatable combines with [Value Density](./value_density.md) to inform [Utility](./utility.md) +{% include-markdown "../../_includes/automatable_cvss_ssvc.md" %} *Automatable* captures the answer to the question “Can an attacker reliably automate creating exploitation events for this vulnerability?” @@ -22,13 +28,11 @@ 2. weaponization may require human direction for each target 3. delivery may require channels that widely deployed network security configurations block 4. exploitation is not reliable, due to exploit-prevention techniques (e.g., ASLR) enabled by default - !!! question "When is Automatable *yes*?" If the vulnerability allows remote code execution or command injection, the expected response should be yes. - Due to vulnerability chaining, there is some nuance as to whether reconnaissance can be automated. !!! example "Vulnerability Chaining" @@ -57,11 +61,17 @@ Due to vulnerability chaining, there is some nuance as to whether reconnaissance ## Prior Versions +```python exec="true" idprefix="" +from ssvc.decision_points.automatable import VERSIONS +from ssvc.doc_helpers import prior_version, example_block -{% include-markdown "../../_generated/decision_points/virulence_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` !!! warning "*Virulence* is Superseded by *Automatable*" *Virulence* is superseded by *Automatable*, which clarified the concept we we were attempting to capture. - \ No newline at end of file diff --git a/docs/reference/decision_points/compound_decision_points.md b/docs/reference/decision_points/compound_decision_points.md index cca71dfe..43f0e385 100644 --- a/docs/reference/decision_points/compound_decision_points.md +++ b/docs/reference/decision_points/compound_decision_points.md @@ -7,4 +7,3 @@ Examples of compound decision points include: - [Human Impact](human_impact.md) - [Public Safety Impact](public_safety_impact.md) - [Utility](utility.md) - diff --git a/docs/reference/decision_points/cvss/attack_complexity.md b/docs/reference/decision_points/cvss/attack_complexity.md new file mode 100644 index 00000000..909f3a5a --- /dev/null +++ b/docs/reference/decision_points/cvss/attack_complexity.md @@ -0,0 +1,21 @@ +# Attack Complexity + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_complexity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_complexity import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) +``` diff --git a/docs/reference/decision_points/cvss/attack_requirements.md b/docs/reference/decision_points/cvss/attack_requirements.md new file mode 100644 index 00000000..8474666b --- /dev/null +++ b/docs/reference/decision_points/cvss/attack_requirements.md @@ -0,0 +1,8 @@ +# Attack Requirements + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_requirements import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/attack_vector.md b/docs/reference/decision_points/cvss/attack_vector.md new file mode 100644 index 00000000..515e39d9 --- /dev/null +++ b/docs/reference/decision_points/cvss/attack_vector.md @@ -0,0 +1,22 @@ +# Attack Vector + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_vector import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_vector import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/authentication.md b/docs/reference/decision_points/cvss/authentication.md new file mode 100644 index 00000000..f7c92e09 --- /dev/null +++ b/docs/reference/decision_points/cvss/authentication.md @@ -0,0 +1,22 @@ +# Authentication + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.authentication import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.authentication import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/automatable.md b/docs/reference/decision_points/cvss/automatable.md new file mode 100644 index 00000000..cc3ccc25 --- /dev/null +++ b/docs/reference/decision_points/cvss/automatable.md @@ -0,0 +1,10 @@ +# Automatable (CVSS) + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.automatable import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +{% include-markdown "../../../_includes/automatable_cvss_ssvc.md" %} diff --git a/docs/reference/decision_points/cvss/availability_impact.md b/docs/reference/decision_points/cvss/availability_impact.md new file mode 100644 index 00000000..5f71b52b --- /dev/null +++ b/docs/reference/decision_points/cvss/availability_impact.md @@ -0,0 +1,22 @@ +# Availability Impact to the Vulnerable System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/availability_requirement.md b/docs/reference/decision_points/cvss/availability_requirement.md new file mode 100644 index 00000000..caf0730e --- /dev/null +++ b/docs/reference/decision_points/cvss/availability_requirement.md @@ -0,0 +1,22 @@ +# Availability Requirement + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_requirement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_requirement import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/collateral_damage_potential.md b/docs/reference/decision_points/cvss/collateral_damage_potential.md new file mode 100644 index 00000000..b34cd7c5 --- /dev/null +++ b/docs/reference/decision_points/cvss/collateral_damage_potential.md @@ -0,0 +1,22 @@ +# Collateral Damage Potential + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.collateral_damage_potential import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.collateral_damage_potential import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/confidentiality_impact.md b/docs/reference/decision_points/cvss/confidentiality_impact.md new file mode 100644 index 00000000..a2d85474 --- /dev/null +++ b/docs/reference/decision_points/cvss/confidentiality_impact.md @@ -0,0 +1,22 @@ +# Confidentiality Impact to the Vulnerable System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.confidentiality_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.confidentiality_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/confidentiality_requirement.md b/docs/reference/decision_points/cvss/confidentiality_requirement.md new file mode 100644 index 00000000..e65e354a --- /dev/null +++ b/docs/reference/decision_points/cvss/confidentiality_requirement.md @@ -0,0 +1,22 @@ +# Confidentiality Requirement + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.confidentiality_requirement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.confidentiality_requirement import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/exploit_maturity.md b/docs/reference/decision_points/cvss/exploit_maturity.md new file mode 100644 index 00000000..5d8ddab2 --- /dev/null +++ b/docs/reference/decision_points/cvss/exploit_maturity.md @@ -0,0 +1,22 @@ +# Exploit Maturity + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.exploit_maturity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.exploit_maturity import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/impact_bias.md b/docs/reference/decision_points/cvss/impact_bias.md new file mode 100644 index 00000000..65ac3599 --- /dev/null +++ b/docs/reference/decision_points/cvss/impact_bias.md @@ -0,0 +1,8 @@ +# Impact Bias + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.impact_bias import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/index.md b/docs/reference/decision_points/cvss/index.md new file mode 100644 index 00000000..f9309c0f --- /dev/null +++ b/docs/reference/decision_points/cvss/index.md @@ -0,0 +1,83 @@ +# CVSS Decision Points + +!!! tip inline end "For more information" + + For more information on the CVSS specification, please refer to the + [CVSS Specifications](https://www.first.org/cvss/). + +For convenience, we have provide a list of decision points that are based +on the CVSS specification. These decision points can be used to model various +decisions based on CVSS vector elements. + +## Decision Points + +The following list of CVSS vector elements have been modeled as SSVC decision +points for use in vulnerability response and security decision modeling. +We have organized them into groups according to where they belong in the +[CVSS v4.0 specification document](https://www.first.org/cvss/v4.0/specification-document). + +!!! info "About CVSS Decision Point Versions" + + We have modeled our CVSS-based decision points using the SSVC versioning scheme. + Therefore, some decision points may have multiple versions as the concepts have + been refined over different versions of the CVSS specification. These versions + do _not_ correspond the CVSS specification versions (2.0, 3.0, 3.1, 4.0 etc.). + +### Qualitative Severity + +
+- [CVSS Qualitative Severity Rating Scale](qualitative_severity.md) +
+ +### Base Metrics + +
+- [Attack Vector](attack_vector.md) +- [Attack Complexity](attack_complexity.md) +- [Attack Requirements](attack_requirements.md) +- [Privileges Required](privileges_required.md) +- [User Interaction](user_interaction.md) +- [Confidentiality Impact](confidentiality_impact.md) +- [Subsequent Confidentiality Impact](subsequent_confidentiality_impact.md) +- [Integrity Impact](integrity_impact.md) +- [Subsequent Integrity Impact](subsequent_integrity_impact.md) +- [Availability Impact](availability_impact.md) +- [Subsequent Availability Impact](subsequent_availability_impact.md) +
+ +### Threat Metrics + +
+- [Exploit Maturity](exploit_maturity.md) +
+ +### Environmental Metrics + +
+- [Confidentiality Requirement](confidentiality_requirement.md) +- [Integrity Requirement](integrity_requirement.md) +- [Availability Requirement](availability_requirement.md) +
+ +### Supplemental Metrics + +
+- [Safety](safety.md) +- [Automatable](automatable.md) +- [Provider Urgency](provider_urgency.md) +- [Recovery](recovery.md) +- [Value Density](value_density.md) +- [Vulnerability Response Effort](vulnerability_response_effort.md) +
+ +### Older Metrics + +
+- [Authentication](authentication.md) +- [Collateral Damage Potential](collateral_damage_potential.md) +- [Impact Bias](impact_bias.md) +- [Remediation Level](remediation_level.md) +- [Report Confidence](report_confidence.md) +- [Scope](scope.md) +- [Target Distribution](target_distribution.md) +
diff --git a/docs/reference/decision_points/cvss/integrity_impact.md b/docs/reference/decision_points/cvss/integrity_impact.md new file mode 100644 index 00000000..f31dbdc3 --- /dev/null +++ b/docs/reference/decision_points/cvss/integrity_impact.md @@ -0,0 +1,22 @@ +# Integrity Impact to the Vulnerable System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.integrity_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.integrity_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/integrity_requirement.md b/docs/reference/decision_points/cvss/integrity_requirement.md new file mode 100644 index 00000000..99e031f1 --- /dev/null +++ b/docs/reference/decision_points/cvss/integrity_requirement.md @@ -0,0 +1,22 @@ +# Integrity Requirement + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.integrity_requirement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.integrity_requirement import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/privileges_required.md b/docs/reference/decision_points/cvss/privileges_required.md new file mode 100644 index 00000000..a3704e84 --- /dev/null +++ b/docs/reference/decision_points/cvss/privileges_required.md @@ -0,0 +1,22 @@ +# Privileges Required + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.privileges_required import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.privileges_required import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/provider_urgency.md b/docs/reference/decision_points/cvss/provider_urgency.md new file mode 100644 index 00000000..f0fd62fd --- /dev/null +++ b/docs/reference/decision_points/cvss/provider_urgency.md @@ -0,0 +1,8 @@ +# Provider Urgency + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.provider_urgency import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/qualitative_severity.md b/docs/reference/decision_points/cvss/qualitative_severity.md new file mode 100644 index 00000000..81be133d --- /dev/null +++ b/docs/reference/decision_points/cvss/qualitative_severity.md @@ -0,0 +1,12 @@ +# CVSS Qualitative Severity Rating Scale + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.qualitative_severity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +The [CVSS Qualitative Severity Rating Scale](https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale) +is a set of labels that describe the severity of a vulnerability based on the +CVSS Score. diff --git a/docs/reference/decision_points/cvss/recovery.md b/docs/reference/decision_points/cvss/recovery.md new file mode 100644 index 00000000..6798a108 --- /dev/null +++ b/docs/reference/decision_points/cvss/recovery.md @@ -0,0 +1,8 @@ +# Recovery + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.recovery import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/remediation_level.md b/docs/reference/decision_points/cvss/remediation_level.md new file mode 100644 index 00000000..0f06a9f1 --- /dev/null +++ b/docs/reference/decision_points/cvss/remediation_level.md @@ -0,0 +1,22 @@ +# Remediation Level + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.remediation_level import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.remediation_level import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/report_confidence.md b/docs/reference/decision_points/cvss/report_confidence.md new file mode 100644 index 00000000..a95ac406 --- /dev/null +++ b/docs/reference/decision_points/cvss/report_confidence.md @@ -0,0 +1,22 @@ +# Report Confidence + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.report_confidence import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.report_confidence import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/safety.md b/docs/reference/decision_points/cvss/safety.md new file mode 100644 index 00000000..e205d7b3 --- /dev/null +++ b/docs/reference/decision_points/cvss/safety.md @@ -0,0 +1,23 @@ +# Safety + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.safety import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +{% include-markdown "../../../_includes/safety_cvss_ssvc.md" %} + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.safety import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) +``` diff --git a/docs/reference/decision_points/cvss/scope.md b/docs/reference/decision_points/cvss/scope.md new file mode 100644 index 00000000..e7168659 --- /dev/null +++ b/docs/reference/decision_points/cvss/scope.md @@ -0,0 +1,8 @@ +# Scope + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.scope import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/subsequent_availability_impact.md b/docs/reference/decision_points/cvss/subsequent_availability_impact.md new file mode 100644 index 00000000..3eb241b2 --- /dev/null +++ b/docs/reference/decision_points/cvss/subsequent_availability_impact.md @@ -0,0 +1,8 @@ +# Availability Impact to the Subsequent System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.subsequent_availability_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md b/docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md new file mode 100644 index 00000000..e0b6e8a8 --- /dev/null +++ b/docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md @@ -0,0 +1,8 @@ +# Confidentiality Impact to the Subsequent System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.subsequent_confidentiality_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/subsequent_integrity_impact.md b/docs/reference/decision_points/cvss/subsequent_integrity_impact.md new file mode 100644 index 00000000..43083663 --- /dev/null +++ b/docs/reference/decision_points/cvss/subsequent_integrity_impact.md @@ -0,0 +1,8 @@ +# Integrity Impact to the Subsequent System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.subsequent_integrity_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/target_distribution.md b/docs/reference/decision_points/cvss/target_distribution.md new file mode 100644 index 00000000..4c27649e --- /dev/null +++ b/docs/reference/decision_points/cvss/target_distribution.md @@ -0,0 +1,22 @@ +# Target Distribution + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.target_distribution import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.target_distribution import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/user_interaction.md b/docs/reference/decision_points/cvss/user_interaction.md new file mode 100644 index 00000000..0f03c589 --- /dev/null +++ b/docs/reference/decision_points/cvss/user_interaction.md @@ -0,0 +1,22 @@ +# User Interaction + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.user_interaction import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.user_interaction import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/value_density.md b/docs/reference/decision_points/cvss/value_density.md new file mode 100644 index 00000000..885b3bf0 --- /dev/null +++ b/docs/reference/decision_points/cvss/value_density.md @@ -0,0 +1,10 @@ +# Value Density (CVSS) + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.value_density import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +{% include-markdown "../../../_includes/value_density_cvss_ssvc.md" %} diff --git a/docs/reference/decision_points/cvss/vulnerability_response_effort.md b/docs/reference/decision_points/cvss/vulnerability_response_effort.md new file mode 100644 index 00000000..b9b49f93 --- /dev/null +++ b/docs/reference/decision_points/cvss/vulnerability_response_effort.md @@ -0,0 +1,8 @@ +# Vulnerability Response Effort + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.vulnerability_response_effort import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/exploitation.md b/docs/reference/decision_points/exploitation.md index 58b398c2..478d4033 100644 --- a/docs/reference/decision_points/exploitation.md +++ b/docs/reference/decision_points/exploitation.md @@ -1,6 +1,11 @@ -# Exploitation +# Exploitation -{% include-markdown "../../_generated/decision_points/exploitation.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` The intent of this measure is the present state of exploitation of the vulnerability. The intent is not to predict future exploitation but only to acknowledge the current state of affairs. Predictive systems, such as EPSS, could be used to augment this decision or to notify stakeholders of likely changes [@jacobs2021epss]. @@ -30,10 +35,8 @@ The intent of this measure is the present state of exploitation of the vulnerabi ## CWE-IDs for *PoC* - The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC* if the vulnerability is described by the CWE-ID. - !!! example "CWE-295" For example, [CWE-295 Improper Certificate Validation @@ -46,4 +49,14 @@ The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC {{ read_csv('cwe/possible-cwe-with-poc-examples.csv') }} ---- \ No newline at end of file +## Prior Versions + +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import VERSIONS +from ssvc.doc_helpers import prior_version, example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/human_impact.md b/docs/reference/decision_points/human_impact.md index a8a22036..04057d11 100644 --- a/docs/reference/decision_points/human_impact.md +++ b/docs/reference/decision_points/human_impact.md @@ -1,6 +1,11 @@ # Human Impact -{% include-markdown "../../_generated/decision_points/human_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.human_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -10,7 +15,7 @@ Note: This is a compound decision point[^1], therefore it is a notational convenience. *Human Impact* is a combination of how a vulnerability can affect an organization's mission essential functions as well as -safety considerations, whether for the organization's personnel or the public at large. +safety considerations, whether for the organization's personnel or the public at large. We observe that the day-to-day operations of an organization often have already built in a degree of tolerance to small-scale variance in mission impacts. Thus in our opinion we need only concern ourselves with discriminating well at the upper end of the scale. Therefore we combine the two lesser mission impacts of degraded and MEF support crippled into a single category, while retaining the distinction between MEF Failure and Mission Failure at the extreme. @@ -25,10 +30,9 @@ The mapping is shown in the table above. [^1]: In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased. We therefore combine [Safety Impact](safety_impact.md) and -[Mission Impact](mission_impact.md) for deployers into a single _Human Impact_ factor +[Mission Impact](mission_impact.md) for deployers into a single *Human Impact* factor as a dimension reduction step. - ## Safety and Mission Impact Decision Points for Industry Sectors We expect to encounter diversity in both safety and mission impacts across different organizations. @@ -40,9 +44,14 @@ provide SSVC information tailored as appropriate to their constituency's safety For considerations on how organizations might communicate SSVC information to their constituents, see [Guidance on Communicating Results](../../howto/bootstrap/use.md). - ## Prior Versions -{% include-markdown "../../_generated/decision_points/human_impact_2_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.human_impact import VERSIONS +from ssvc.doc_helpers import prior_version, example_block -{% include-markdown "../../_generated/decision_points/mission_and_well-being_impact_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/index.md b/docs/reference/decision_points/index.md index ec64f9a7..1f002796 100644 --- a/docs/reference/decision_points/index.md +++ b/docs/reference/decision_points/index.md @@ -41,7 +41,7 @@ decision points. Sometimes this is a "better" or "worse" dimension, but it seems to generalize to a "more likely to act" or "less likely to act" of dimension. -!!! question "Where are the _Unknown_ options?" +!!! question "Where are the *Unknown* options?" One important omission from the values for each category is an *unknown* option. Instead, we recommend explicitly identifying an option that is a reasonable assumption based on prior events. diff --git a/docs/reference/decision_points/mission_impact.md b/docs/reference/decision_points/mission_impact.md index ca2a05c7..f8b80503 100644 --- a/docs/reference/decision_points/mission_impact.md +++ b/docs/reference/decision_points/mission_impact.md @@ -1,43 +1,52 @@ # Mission Impact -{% include-markdown "../../_generated/decision_points/mission_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.mission_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" Mission Impact combines with [Safety Impact](./safety_impact.md) to inform [Human Impact](./human_impact.md) -A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1]. -Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning. +A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1]. +Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning. Mission Essential Functions are in effect critical activities within an organization that are used to identify key assets, supporting tasks, and resources that an organization requires to remain operational in a crises situation, and so must be included in its planning process. During an event, key resources may be limited and personnel may be unavailable, so organizations must consider these factors and validate assumptions when identifying, validating, and prioritizing MEFs. -When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential. -The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2]. +When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential. +The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2]. Essential functions are both important and urgent. Functions that can be deferred until after an emergency are identified as non-essential. For example, DoD defines MEFs in [DoD Directive 3020.26 DoD Continuity Policy](https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/302026p.pdf) using similar terminology to [FCD-2](https://www.fema.gov/sites/default/files/2020-07/Federal_Continuity_Directive-2_June132017.pdf) [@dod3026_26_2018]. -As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning. -For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions). -Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan). +As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning. +For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions). +Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan). While the processes, terminology, and audience for these different frameworks differ, they all can provide a sense of the criticality of an asset or assets within the scope of the stakeholder conducting the cyber vulnerability prioritization with SSVC. -In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents. - +In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents. ## Gathering Information About Mission Impact -The factors that influence the mission impact level are diverse. -This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work. -At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission. -There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 [@FCD2_2017] or OCTAVE FORTE [@tucker2018octave]. +The factors that influence the mission impact level are diverse. +The material here does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work. +At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission. +There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 [@FCD2_2017] or OCTAVE FORTE [@tucker2018octave]. This is part of risk management more broadly. It should require the vulnerability management team to interact with more senior management to understand mission priorities and other aspects of risk mitigation. -As a heuristic, [Utility](utility.md) might constrain [*Mission Impact*](mission_impact.md) if both are not used in the same decision tree. -For example, if the [Utility](utility.md) is [*super effective*](utility.md), then [*Mission Impact*](mission_impact.md) is at least [*MEF support crippled*](mission_impact.md). - ## Prior Versions -{% include-markdown "../../_generated/decision_points/mission_impact_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.mission_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/public_safety_impact.md b/docs/reference/decision_points/public_safety_impact.md index 1f26a47d..44b774b0 100644 --- a/docs/reference/decision_points/public_safety_impact.md +++ b/docs/reference/decision_points/public_safety_impact.md @@ -1,22 +1,31 @@ # Public Safety Impact -{% include-markdown "../../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_safety_impact import LATEST +from ssvc.doc_helpers import example_block -!!! tip "See also" +print(example_block(LATEST)) +``` - - [Safety Impact](./safety_impact.md) +{% include-markdown "../../_includes/safety_cvss_ssvc.md" %} This is a compound decision point, therefore it is a notational convenience. Suppliers necessarily have a rather coarse-grained perspective on the broadly defined [Safety Impact](safety_impact.md) Decision Point. Therefore we simplify the above into a binary categorization: -- _Significant_ is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the +- *Significant* is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the [Safety Impact](safety_impact.md) table. -- _Minimal_ is when none do. +- *Minimal* is when none do. ## Prior Versions -{% include-markdown "../../_generated/decision_points/public_safety_impact_2_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_safety_impact import VERSIONS +from ssvc.doc_helpers import example_block -{% include-markdown "../../_generated/decision_points/public_well-being_impact_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/public_value_added.md b/docs/reference/decision_points/public_value_added.md index 03507837..0284c0da 100644 --- a/docs/reference/decision_points/public_value_added.md +++ b/docs/reference/decision_points/public_value_added.md @@ -1,12 +1,17 @@ # Public Value Added -{% include-markdown "../../_generated/decision_points/public_value_added.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_value_added import LATEST +from ssvc.doc_helpers import example_block -The intent of the definition is that one rarely if ever transitions from _limited_ to _ampliative_ or _ampliative_ to _precedence_. -A vulnerability could transition from _precedence_ to _ampliative_ and _ampliative_ to _limited_. +print(example_block(LATEST)) +``` + +The intent of the definition is that one rarely if ever transitions from *limited* to *ampliative* or *ampliative* to *precedence*. +A vulnerability could transition from *precedence* to *ampliative* and *ampliative* to *limited*. That is, *Public Value Added* should only be downgraded through future iterations or re-evaluations. This directionality is because once other organizations make something public, they cannot effectively un-publish it (it'll be recorded and people will know about it, even if they take down a webpage). -The rare case where *Public Value Added* increases would be if an organization published viable information, but +The rare case where *Public Value Added* increases would be if an organization published viable information, but then published additional misleading or obscuring information at a later time. Then one might go from *limited* to *ampliative* in the interest of pointing to the better information. diff --git a/docs/reference/decision_points/report_credibility.md b/docs/reference/decision_points/report_credibility.md index f508f7cd..acce744c 100644 --- a/docs/reference/decision_points/report_credibility.md +++ b/docs/reference/decision_points/report_credibility.md @@ -1,6 +1,11 @@ # Report Credibility -{% include-markdown "../../_generated/decision_points/report_credibility.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_credibility import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` An analyst should start with a presumption of credibility and proceed toward disqualification. The reason for this is that, as a coordinator, occasionally doing a bit of extra work on a bad report is preferable to rejecting legitimate reports. @@ -24,35 +29,35 @@ The indicators for or against are not commensurate, and so they cannot be put on If neither of these confirmations are available, then the value of the [*Report Credibility*](#report-credibility) decision point depends on a balancing test among the following indicators. **Indicators *for* Credibility** include: - - - The report is specific about what is affected - - The report provides sufficient detail to reproduce the vulnerability. - - The report describes an attack scenario. - - The report suggests mitigations. - - The report includes proof-of-concept exploit code or steps to reproduce. - - Screenshots and videos, if provided, support the written text of the report and do not replace it. - - The report neither exaggerates nor understates the impact. + +- The report is specific about what is affected +- The report provides sufficient detail to reproduce the vulnerability. +- The report describes an attack scenario. +- The report suggests mitigations. +- The report includes proof-of-concept exploit code or steps to reproduce. +- Screenshots and videos, if provided, support the written text of the report and do not replace it. +- The report neither exaggerates nor understates the impact. **Indicators *against* Credibility** include: - - The report is “spammy” or exploitative (for example, the report is an attempt to upsell the receiver on some product or service). - - The report is vague or ambiguous about which vendors, products, or versions are affected (for example, the report claims that all “cell phones” or “wifi” or “routers” are affected). - - The report is vague or ambiguous about the preconditions necessary to exploit the vulnerability. - - The report is vague or ambiguous about the impact if exploited. - - The report exaggerates the impact if exploited. - - The report makes extraordinary claims without correspondingly extraordinary evidence (for example, the report claims that exploitation could result in catastrophic damage to some critical system without a clear causal connection between the facts presented and the impacts claimed). - - The report is unclear about what the attacker gains by exploiting the vulnerability. What do they get that they didn't already have? For example, an attacker with system privileges can already do lots of bad things, so a report that assumes system privileges as a precondition to exploitation needs to explain what else this gives the attacker. - - The report depends on preconditions that are extremely rare in practice, and lacks adequate evidence for why those preconditions might be expected to occur (for example, the vulnerability is only exposed in certain non-default configurations—unless there is evidence that a community of practice has established a norm of such a non-default setup). - - The report claims dire impact for a trivially found vulnerability. It is not impossible for this to occur, but most products and services that have been around for a while have already had their low-hanging fruit major vulnerabilities picked. One notable exception would be if the reporter applied a completely new method for finding vulnerabilities to discover the subject of the report. - - The report is rambling and is more about a narrative than describing the vulnerability. One description is that the report reads like a food recipe with the obligatory search engine optimization preamble. - - The reporter is known to have submitted low-quality reports in the past. - - The report conspicuously misuses technical terminology. This is evidence that the reporter may not understand what they are talking about. - - The analyst's professional colleagues consider the report to be not credible. - - The report consists of mostly raw tool output. Fuzz testing outputs are not vulnerability reports. - - The report lacks sufficient detail for someone to reproduce the vulnerability. - - The report is just a link to a video or set of images, or lacks written detail while claiming “it's all in the video”. Imagery should support a written description, not replace it. - - The report describes a bug with no discernible security impact. - - The report fails to describe an attack scenario, and none is obvious. +- The report is “spammy” or exploitative (for example, the report is an attempt to upsell the receiver on some product or service). +- The report is vague or ambiguous about which vendors, products, or versions are affected (for example, the report claims that all “cell phones” or “wifi” or “routers” are affected). +- The report is vague or ambiguous about the preconditions necessary to exploit the vulnerability. +- The report is vague or ambiguous about the impact if exploited. +- The report exaggerates the impact if exploited. +- The report makes extraordinary claims without correspondingly extraordinary evidence (for example, the report claims that exploitation could result in catastrophic damage to some critical system without a clear causal connection between the facts presented and the impacts claimed). +- The report is unclear about what the attacker gains by exploiting the vulnerability. What do they get that they didn't already have? For example, an attacker with system privileges can already do lots of bad things, so a report that assumes system privileges as a precondition to exploitation needs to explain what else this gives the attacker. +- The report depends on preconditions that are extremely rare in practice, and lacks adequate evidence for why those preconditions might be expected to occur (for example, the vulnerability is only exposed in certain non-default configurations—unless there is evidence that a community of practice has established a norm of such a non-default setup). +- The report claims dire impact for a trivially found vulnerability. It is not impossible for this to occur, but most products and services that have been around for a while have already had their low-hanging fruit major vulnerabilities picked. One notable exception would be if the reporter applied a completely new method for finding vulnerabilities to discover the subject of the report. +- The report is rambling and is more about a narrative than describing the vulnerability. One description is that the report reads like a food recipe with the obligatory search engine optimization preamble. +- The reporter is known to have submitted low-quality reports in the past. +- The report conspicuously misuses technical terminology. This is evidence that the reporter may not understand what they are talking about. +- The analyst's professional colleagues consider the report to be not credible. +- The report consists of mostly raw tool output. Fuzz testing outputs are not vulnerability reports. +- The report lacks sufficient detail for someone to reproduce the vulnerability. +- The report is just a link to a video or set of images, or lacks written detail while claiming “it's all in the video”. Imagery should support a written description, not replace it. +- The report describes a bug with no discernible security impact. +- The report fails to describe an attack scenario, and none is obvious. We considered adding poor grammar or spelling as an indicator of non-credibility. On further reflection, we do not recommend that poor grammar or spelling be used as an indicator of low report quality, as many reporters may not be native to the coordinator's language. @@ -72,7 +77,5 @@ Furthermore, a report may be factual but not identify any security implications; A coordinator also has a scope defined by their specific constituency and mission. A report can be entirely credible yet remain out of scope for your coordination practice. -Decide what to do about out of scope reports separately, before the vulnerability coordination triage decision begins. +Decide what to do about out of scope reports separately, before the vulnerability coordination triage decision begins. If a report arrives and would be out of scope even if true, there will be no need to proceed with judging its credibility. - - diff --git a/docs/reference/decision_points/report_public.md b/docs/reference/decision_points/report_public.md index 5f02a81e..aa795f2e 100644 --- a/docs/reference/decision_points/report_public.md +++ b/docs/reference/decision_points/report_public.md @@ -1,3 +1,8 @@ # Report Public -{% include-markdown "../../_generated/decision_points/report_public.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_public import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/safety_impact.md b/docs/reference/decision_points/safety_impact.md index 41cd2eb4..2c9418c4 100644 --- a/docs/reference/decision_points/safety_impact.md +++ b/docs/reference/decision_points/safety_impact.md @@ -1,13 +1,18 @@ # Safety Impact -{% include-markdown "../../_generated/decision_points/safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.safety_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +{% include-markdown "../../_includes/safety_cvss_ssvc.md" %} !!! tip "See also" - Safety Impact combines with [Mission Impact](./mission_impact.md) to inform [Human Impact](./human_impact.md). - - [Public Safety Impact](./public_safety_impact.md) provides a simplified - version of this decision point. We take an expansive view of safety, in which a safety violation is a violation of what the United States [Centers for Disease Control (CDC)](https://www.cdc.gov/hrqol/wellbeing.htm) calls **well-being**. Physical well-being violations are common safety violations, but we also consider economic, social, emotional, and psychological well-being to be important. Weighing fine differences among these categories is probably not possible, so we will not try. Each decision option lists examples of the effects that qualify for that value/answer in the various types of violations of well-being. These examples should not be considered comprehensive or exhaustive, but rather as suggestive. - ### Situated Safety Impact Deployers are anticipated to have a more fine-grained perspective on the safety impacts broadly defined in *Safety Impact*. We defer this topic for now because we combine it with [*Mission Impact*](mission_impact.md) to simplify implementation for deployers. - ## Prior Versions -{% include-markdown "../../_generated/decision_points/safety_impact_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.safety_impact import VERSIONS +from ssvc.doc_helpers import example_block +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/supplier_cardinality.md b/docs/reference/decision_points/supplier_cardinality.md index ef55c8bf..ccd088fa 100644 --- a/docs/reference/decision_points/supplier_cardinality.md +++ b/docs/reference/decision_points/supplier_cardinality.md @@ -1,3 +1,8 @@ # Supplier Cardinality -{% include-markdown "../../_generated/decision_points/supplier_cardinality.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_cardinality import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/supplier_contacted.md b/docs/reference/decision_points/supplier_contacted.md index 7a3d9d38..f75e1615 100644 --- a/docs/reference/decision_points/supplier_contacted.md +++ b/docs/reference/decision_points/supplier_contacted.md @@ -1,10 +1,12 @@ # Supplier Contacted -{% include-markdown "../../_generated/decision_points/supplier_contacted.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_contacted import LATEST +from ssvc.doc_helpers import example_block +print(example_block(LATEST)) +``` !!! tip "Quality Contact Method" A quality contact method is a publicly posted known good email address, public portal on vendor website, etc. - - diff --git a/docs/reference/decision_points/supplier_engagement.md b/docs/reference/decision_points/supplier_engagement.md index 42e306af..c8a7426b 100644 --- a/docs/reference/decision_points/supplier_engagement.md +++ b/docs/reference/decision_points/supplier_engagement.md @@ -1,3 +1,8 @@ # Supplier Engagement -{% include-markdown "../../_generated/decision_points/supplier_engagement.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_engagement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/supplier_involvement.md b/docs/reference/decision_points/supplier_involvement.md index d28e978e..d4fb9d70 100644 --- a/docs/reference/decision_points/supplier_involvement.md +++ b/docs/reference/decision_points/supplier_involvement.md @@ -1,3 +1,8 @@ # Supplier Involvement -{% include-markdown "../../_generated/decision_points/supplier_involvement.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_involvement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/system_exposure.md b/docs/reference/decision_points/system_exposure.md index 9ada4318..9a2f52dd 100644 --- a/docs/reference/decision_points/system_exposure.md +++ b/docs/reference/decision_points/system_exposure.md @@ -1,6 +1,11 @@ # System Exposure -{% include-markdown "../../_generated/decision_points/system_exposure.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.system_exposure import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. @@ -12,7 +17,6 @@ Therefore, a deployer’s response to Exposure may change if such mitigations ar If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the deployer to defer further action varies according to each case. - ## Gathering Information About System Exposure *System Exposure* is primarily used by Deployers, so the question is about whether some specific system is in fact exposed, not a hypothetical or aggregate question about systems of that type. @@ -26,16 +30,25 @@ An analyst should also choose *open* for a phone or PC that connects to the web Distinguishing between *small* and *controlled* is more nuanced. If *open* has been ruled out, some suggested heuristics for differentiating the other two are as follows. Apply these heuristics in order and stop when one of them applies. - - If the system's networking and communication interfaces have been physically removed or disabled, choose *small*. - - If [*Automatable*](automatable.md) is [*yes*](automatable.md), then choose *controlled*. The reasoning behind this heuristic is that if reconnaissance through exploitation is automatable, then the usual deployment scenario exposes the system sufficiently that access can be automated, which contradicts the expectations of *small*. - - If the vulnerable component is on a network where other hosts can browse the web or receive email, choose *controlled*. - - If the vulnerable component is in a third party library that is unreachable because the feature is unused in the surrounding product, choose *small*. + +- If the system's networking and communication interfaces have been physically removed or disabled, choose *small*. +- If [*Automatable*](automatable.md) is [*yes*](automatable.md), then choose *controlled*. The reasoning behind this heuristic is that if reconnaissance through exploitation is automatable, then the usual deployment scenario exposes the system sufficiently that access can be automated, which contradicts the expectations of *small*. +- If the vulnerable component is on a network where other hosts can browse the web or receive email, choose *controlled*. +- If the vulnerable component is in a third party library that is unreachable because the feature is unused in the surrounding product, choose *small*. The unreachable vulnerable component scenario may be a point of concern for stakeholders like patch suppliers who often find it more cost-effective to simply update the included library to an existing fixed version rather than try to explain to customers why the vulnerable code is unreachable in their own product. -In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [_defer_](../../howto/supplier_tree.md) vs [_scheduled_](../../howto/supplier_tree.md), for example). +In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [*defer*](../../howto/supplier_tree.md) vs [*scheduled*](../../howto/supplier_tree.md), for example). If you have suggestions for further heuristics, or potential counterexamples to these, please describe the example and reasoning in an issue on the [SSVC GitHub](https://github.com/CERTCC/SSVC/issues). ## Prior Versions -{% include-markdown "../../_generated/decision_points/system_exposure_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.system_exposure import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/technical_impact.md b/docs/reference/decision_points/technical_impact.md index f7280b9a..4b1dcaf6 100644 --- a/docs/reference/decision_points/technical_impact.md +++ b/docs/reference/decision_points/technical_impact.md @@ -1,6 +1,11 @@ # Technical Impact -{% include-markdown "../../_generated/decision_points/technical_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.technical_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` When evaluating *Technical Impact*, recall the scope definition in the [Scope Section](../../topics/scope.md). Total control is relative to the affected component where the vulnerability resides. @@ -11,7 +16,6 @@ Our definition of **vulnerability** is based on the determination that some secu We consider a security policy violation to be a technical impact—or at least, a security policy violation must have some technical instantiation. Therefore, if there is a vulnerability then there must be some technical impact. - !!! tip "Gathering Information About Technical Impact" Assessing *Technical Impact* amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability. @@ -28,4 +32,3 @@ Therefore, if there is a vulnerability then there must be some technical impact. If you find a vulnerability that should have *total* *Technical Impact* but that does not answer yes to any of these questions, please describe the example and what question we might add to this list in an issue on the [SSVC GitHub](https://github.com/CERTCC/SSVC/issues). - diff --git a/docs/reference/decision_points/utility.md b/docs/reference/decision_points/utility.md index 93e94124..1c465d41 100644 --- a/docs/reference/decision_points/utility.md +++ b/docs/reference/decision_points/utility.md @@ -1,13 +1,17 @@ # Utility -{% include-markdown "../../_generated/decision_points/utility.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.utility import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" Utility is a combination of [Automatable](./automatable.md) and [Value Density](./value_density.md) - This is a compound decision point, therefore it is a notational convenience. *Utility* estimates an adversary's benefit compared to their effort based on the assumption that they can exploit the vulnerability. @@ -25,7 +29,6 @@ This framing makes it easier to analytically derive these categories from a desc Roughly, *Utility* is a combination of two things: (1) the value of each exploitation event and (2) the ease and speed with which the adversary can cause exploitation events. We define *Utility* as laborious, efficient, or super effective, as described in the table above. - ## Alternative Utility Outputs Alternative heuristics can plausibly be used as proxies for adversary utility. @@ -40,13 +43,19 @@ Price does not only track the [*Value Density*](value_density.md) of the system, Currently, we simplify the analysis and ignore these factors. However, future work should look for and prevent large mismatches between the outputs of the *Utility* decision point and the exploit markets. - - ## Previous Versions -{% include-markdown "../../_generated/decision_points/utility_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.utility import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` !!! tip "See also" Utility v1.0.0 was a combination of [Virulence](./automatable.md) and - [Value Density](./value_density.md) \ No newline at end of file + [Value Density](./value_density.md) diff --git a/docs/reference/decision_points/value_density.md b/docs/reference/decision_points/value_density.md index 934231f6..11b02a3b 100644 --- a/docs/reference/decision_points/value_density.md +++ b/docs/reference/decision_points/value_density.md @@ -1,12 +1,19 @@ -# Value Density +# Value Density (SSVC) -{% include-markdown "../../_generated/decision_points/value_density.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.value_density import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" Value Density combines with [Automatability](./automatable.md) to inform [Utility](./utility.md). +{% include-markdown "../../_includes/value_density_cvss_ssvc.md" %} + !!! info "User vs. System Operator" A “user” is anyone whose professional task is something other than the maintenance of the system or component. diff --git a/docs/reference/index.md b/docs/reference/index.md index af7ff33b..26a2efc0 100644 --- a/docs/reference/index.md +++ b/docs/reference/index.md @@ -11,19 +11,18 @@ In this section, we provide reference documentation for SSVC. We have organized the reference documentation into two main sections: -
-- :material-arrow-decision-outline: [**Decision Points**](decision_points/index.md) +- :material-arrow-decision-outline: [**Decision Points**](decision_points/index.md) --- - + A list of all the decision points, values, and versions. -- :material-language-python: [**Code Documentation**](code/index.md) - +- :material-language-python: [**Code Documentation**](code/index.md) + --- Documentation for the SSVC Python modules. -
\ No newline at end of file + diff --git a/docs/ssvc-calc/README.md b/docs/ssvc-calc/README.md index db57b28d..f4e9d740 100644 --- a/docs/ssvc-calc/README.md +++ b/docs/ssvc-calc/README.md @@ -1,20 +1,19 @@ -# Dryad +# Dryad + Stakeholder-Specific Vulnerability Categorization Calculator Dryad is a SSVC calculator app that guides you through the simple steps needed in making a vulnerability priority decision. The result of applying SSVC is a priority decision, providing you with a recommended action. See the demo in our [SSVC calc website](https://democert.org/ssvc/) -Some examples of actions are +Some examples of actions are defer, scheduled, out-of-cycle, and immediate. -* The top drop-down allows you to select from multiple decision trees that map to an appropriate Role in SSVC. -* To explore the decision tree, use the button "Show Full Tree" This will show all the branches, nodes and edges that make up the decision tree. A small zoom control horizontal range slider that can help with very large decision trees. -* A drop-down allows you to move from Graphic mode to Simple mode. -* There are also a number of sample CVE in a dropdown that will auto-select a number of steps in the decision tree -* Use the "Start Decision" to navigate the tree for assesing your prioritization for a vulnerability. -* You can also import custom decision trees and custom CVE samples for the current decision tree. -* There is a [data](../data/) folder where there is a number of examples both of schema and examples of exported outputs. -* You can install this directory as a folder in your public website directory. and expose it. All referenced url's are relative in the scripts and HTML files. - - +- The top drop-down allows you to select from multiple decision trees that map to an appropriate Role in SSVC. +- To explore the decision tree, use the button "Show Full Tree" This will show all the branches, nodes and edges that make up the decision tree. A small zoom control horizontal range slider that can help with very large decision trees. +- A drop-down allows you to move from Graphic mode to Simple mode. +- There are also a number of sample CVE in a dropdown that will auto-select a number of steps in the decision tree +- Use the "Start Decision" to navigate the tree for assesing your prioritization for a vulnerability. +- You can also import custom decision trees and custom CVE samples for the current decision tree. +- There is a [data](../data/) folder where there is a number of examples both of schema and examples of exported outputs. +- You can install this directory as a folder in your public website directory. and expose it. All referenced url's are relative in the scripts and HTML files. diff --git a/docs/ssvc-calc/findex.html b/docs/ssvc-calc/findex.html index afab1d97..63456ee2 100644 --- a/docs/ssvc-calc/findex.html +++ b/docs/ssvc-calc/findex.html @@ -1,3 +1,18 @@ + + diff --git a/docs/ssvc-calc/index.md b/docs/ssvc-calc/index.md index 2152c657..7e9df37f 100644 --- a/docs/ssvc-calc/index.md +++ b/docs/ssvc-calc/index.md @@ -1,4 +1,5 @@ # SSVC Calculator + - + diff --git a/docs/ssvc-calc/old_index.html b/docs/ssvc-calc/old_index.html index 32b1e3d6..9d99945f 100644 --- a/docs/ssvc-calc/old_index.html +++ b/docs/ssvc-calc/old_index.html @@ -1,3 +1,18 @@ + + diff --git a/docs/ssvc-calc/ssvc-calc.html b/docs/ssvc-calc/ssvc-calc.html new file mode 100644 index 00000000..e09e4783 --- /dev/null +++ b/docs/ssvc-calc/ssvc-calc.html @@ -0,0 +1,182 @@ + + + + + + SSVC Lookup Table + + + +

SSVC Lookup Table

+
+ +
+ + + diff --git a/docs/ssvc-calc/ssvc.js b/docs/ssvc-calc/ssvc.js index 812bf022..f9d6cdc6 100644 --- a/docs/ssvc-calc/ssvc.js +++ b/docs/ssvc-calc/ssvc.js @@ -1,3 +1,18 @@ +/* + * Copyright (c) 2025 Carnegie Mellon University and Contributors. + * - see Contributors.md for a full list of Contributors + * - see ContributionInstructions.md for information on how you can Contribute to this project + * Stakeholder Specific Vulnerability Categorization (SSVC) is + * licensed under a MIT (SEI)-style license, please see LICENSE.md distributed + * with this Software or contact permission@sei.cmu.edu for full terms. + * Created, in part, with funding and support from the United States Government + * (see Acknowledgments file). This program may include and/or can make use of + * certain third party source code, object code, documentation and other files + * (“Third Party Software”). See LICENSE.md for more details. + * Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the + * U.S. Patent and Trademark Office by Carnegie Mellon University + */ + /* SSVC code for graph building */ const _version = "5.1.7" const _tool = "Dryad SSVC Calculator "+_version diff --git a/docs/ssvc-calc/ungraph.js b/docs/ssvc-calc/ungraph.js index 717ffded..8fc751e6 100644 --- a/docs/ssvc-calc/ungraph.js +++ b/docs/ssvc-calc/ungraph.js @@ -1,3 +1,18 @@ +/* + * Copyright (c) 2025 Carnegie Mellon University and Contributors. + * - see Contributors.md for a full list of Contributors + * - see ContributionInstructions.md for information on how you can Contribute to this project + * Stakeholder Specific Vulnerability Categorization (SSVC) is + * licensed under a MIT (SEI)-style license, please see LICENSE.md distributed + * with this Software or contact permission@sei.cmu.edu for full terms. + * Created, in part, with funding and support from the United States Government + * (see Acknowledgments file). This program may include and/or can make use of + * certain third party source code, object code, documentation and other files + * (“Third Party Software”). See LICENSE.md for more details. + * Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the + * U.S. Patent and Trademark Office by Carnegie Mellon University + */ + /* SSVC code for no graphics implementation of SSVC calculator */ const ungraph_libversion = "1.1.4" function checkclose() { diff --git a/docs/topics/asset_management.md b/docs/topics/asset_management.md index a86cddaa..5e697623 100644 --- a/docs/topics/asset_management.md +++ b/docs/topics/asset_management.md @@ -37,4 +37,3 @@ If an organization does not have an asset management or risk management (see also [Gathering Information About Mission Impact](../reference/decision_points/mission_impact.md)) plan and process in place, then SSVC provides some guidance as to what information is important to vulnerability management decisions and the organization should start capturing, storing, and managing. - diff --git a/docs/topics/decision_points_as_bricks.md b/docs/topics/decision_points_as_bricks.md index c60bc044..47aafdea 100644 --- a/docs/topics/decision_points_as_bricks.md +++ b/docs/topics/decision_points_as_bricks.md @@ -1,8 +1,8 @@ # Putting the Pieces Together As we have continued to refine our concept of SSVC, we have an increasing understanding of the importance of -[_Decision Points_](../reference/decision_points/index.md) as the foundational blocks from which the rest of the -SSVC concept is built. A second, but less foundational, concept are the [_Outcomes_](../reference/code/outcomes.md) that +[*Decision Points*](../reference/decision_points/index.md) as the foundational blocks from which the rest of the +SSVC concept is built. A second, but less foundational, concept are the [*Outcomes*](../reference/code/outcomes.md) that provide a vocabulary to describe the results of a decision. ## Decision Points and Outcomes as Bricks @@ -14,13 +14,13 @@ Over time, we have come to think of decision points and outcomes as the LEGO® LEGO® is a trademark of the [LEGO](https://www.lego.com/) Group of companies which does not sponsor, authorize or endorse this site. LEGO® Bricks come in different shapes and sizes, and they can be combined in different ways to build different structures. -Similarly, decision points come in different shapes and sizes, and they can be combined in different ways to build +Similarly, decision points come in different shapes and sizes, and they can be combined in different ways to build different decision models. -And just as some bricks can be substituted for others to add variation, some decision points are substitutable for others. +And just as some bricks can be substituted for others to add variation, some decision points are substitutable for others. We have realized that part of the value of enumerated decision points is that they provide a way to organize the information that is relevant to a decision. This organization is important because it helps us to understand the decision and to communicate -the decision model to others. +the decision model to others. Decision points and outcomes have a few key characteristics that make them useful for organizing information: @@ -32,8 +32,8 @@ Decision points and outcomes have a few key characteristics that make them usefu - **Well-Definedness**: Each decision point has a clear meaning and a clear, ordered set of possible values. This means that the decision point values are not ambiguous or open to interpretation. -In our brick analogy, the toy bricks are similarly independent, discrete, and well-defined. -Independence means that different bricks can serve different purposes in the model. +In our brick analogy, the toy bricks are similarly independent, discrete, and well-defined. +Independence means that different bricks can serve different purposes in the model. The pips on the bricks provide discrete points of attachment to allow bricks to connect together. Well-definedness (specification and manufacturing consistency) allows bricks to be combined effectively. @@ -72,15 +72,15 @@ In that scenario, they might think of the kit more as a supply of specific brick Advanced builders need to understand more about what they are trying to build and how the bricks can be combined to build it. The point is that the model kits serve as a starting point with a lot of flexibility, but it is up to the builder -to decide how much of that flexibility to use. +to decide how much of that flexibility to use. ## SSVC Decision Models as Kits Similarly, SSVC provides a set of "bricks" in the form of [decision points](../reference/decision_points/index.md) -and [outcomes](../reference/code/outcomes.md). +and [outcomes](../reference/code/outcomes.md). We have provided a set of [example decision models](../howto/index.md) and [policies](../howto/index.md) to get you started. You might choose to simply use what we've provided as a starting point. -Or you might already recognize that our example gets the structure of the decision model right, +Or you might already recognize that our example gets the structure of the decision model right, but you need to adapt the outcomes or policy to better fit your situation. You might also recognize that you need to combine different example decision models to build the model you need. @@ -89,19 +89,18 @@ with the [deployer decision model](../howto/deployer_tree.md) to build a model that is relevant to your situation as both a supplier and a deployer. Or, perhaps you have a decision problem that we have not yet addressed with any of our examples. -In that case, you might examine the [decision points](../reference/decision_points/index.md) we've provided and +In that case, you might examine the [decision points](../reference/decision_points/index.md) we've provided and decide which ones are relevant to your situation. You could choose to customize a decision point to better fit your situation, or you might choose to add a new decision point to better suit your needs. -This is the embodiment of the _Stakeholder-Specific_ concept in [SSVC](../index.md): +This is the embodiment of the *Stakeholder-Specific* concept in [SSVC](../index.md): SSVC provides the components for you to build your own decision models, and we provide some examples to get you started. If the examples are sufficient for your needs, then you can simply use them as they are. -But we recognize that you are the expert in your own situation, and that you are in a better position than we are to +But we recognize that you are the expert in your own situation, and that you are in a better position than we are to decide how to combine the provided components to build the decision model you need. If you need to adapt the components we've provided, or if you need to add new components, then we encourage you to do so. And if you think that your adaptations or additions would be useful to others, then we encourage you to share your [suggestions](https://github.com/CERTCC/SSVC/issues), [ideas](https://github.com/CERTCC/SSVC/discussions), and [changes](https://github.com/CERTCC/SSVC/pulls) with the [community](https://github.com/CERTCC/SSVC). - diff --git a/docs/topics/decision_trees.md b/docs/topics/decision_trees.md index e6be7d96..8e03ce6c 100644 --- a/docs/topics/decision_trees.md +++ b/docs/topics/decision_trees.md @@ -24,9 +24,11 @@ Examples are located in [SSVC/data](https://github.com/CERTCC/SSVC/tree/main/dat An interoperable CSV format is also flexible enough to support a variety of uses. Every situation in SSVC is defined by the values for each decision point and the priority label (outcome) for that situation (as defined in [Likely Decision Points and Relevant Data](../reference/decision_points/index.md)). A CSV will typically be 30-100 rows that each look something like: + ``` 2,none,laborious,partial,significant,scheduled ``` + Where “2” is the row number, [*none*](../reference/decision_points/exploitation.md) through [*significant*](../reference/decision_points/public_safety_impact.md) are values for decision points, and *scheduled* is a priority label or outcome. Different stakeholders will have different decision points (and so different options for values) and different outcomes, but this is the basic shape of a CSV file to define SSVC stakeholder decisions. @@ -36,6 +38,7 @@ The tree visualization options are more diverse. We provide an example format, and codified it in [src/SSVC_csv-to-latex.py](https://github.com/CERTCC/SSVC/tree/main/src). Why have we gone to this trouble when (for example) the R data.tree package has a handy print-to-ASCII function? Because this function produces output like the following: + ``` 1 start 2 ¦--AV:N diff --git a/docs/topics/enumerating_decisions.md b/docs/topics/enumerating_decisions.md index 9ce6de99..3e228a97 100644 --- a/docs/topics/enumerating_decisions.md +++ b/docs/topics/enumerating_decisions.md @@ -12,8 +12,6 @@ Some decision makers may have different responsibilities in relation to differen - A web browser developer makes decisions about applying patches to DNS lookup libraries and transport layer security (TLS) libraries. - A video game developer makes decisions about applying patches released to the Unreal Engine. - A medical device developer makes decisions about applying patches to the Linux kernel. - - One might view applying patches as including some development and distribution of the updated product. Or one might take the converse view, that development includes updating libraries. @@ -33,7 +31,6 @@ SSVC models the decision of to be agnostic to whether or not a patch is available. If their decisions are explicit, then the decision makers can use the recommendations from this documentation that are relevant to them. - !!! tip "The Stakeholder Role / Decision Identity" As we have continued to develop SSVC and received feedback from SSVC implementers, we've found that similar @@ -57,7 +54,6 @@ If their decisions are explicit, then the decision makers can use the recommenda - [Coordinator deciding whether to coordinate a case](../howto/coordination_triage_decision.md) - [Coordinator deciding whether to publish about a case](../howto/publication_decision.md) - ## Enumerating Vulnerability Management Units of Work !!! example inline end "Stakeholder Units of Work" @@ -80,9 +76,9 @@ Coordinators might make triage decisions on individual reports, but then make pu ### Aggregation of SSVC Across Units of Work -SSVC users should answer the suggested questions for whatever discrete unit of work they are considering. -There is not necessarily a reliable function to aggregate a recommendation about remediation out of its constituent -vulnerabilities. +SSVC users should answer the suggested questions for whatever discrete unit of work they are considering. +There is not necessarily a reliable function to aggregate a recommendation about remediation out of its constituent +vulnerabilities. For the sake of simplicity of examples, we treat the remediation as a patch of one vulnerability, and comment on any difficulty in generalizing our advice to a more complex patch where appropriate. @@ -99,8 +95,6 @@ difficulty in generalizing our advice to a more complex patch where appropriate. Mitigating actions may include software configuration changes, adding firewall ACLs, or otherwise limiting the system's exposure to reduce the risk of the impact of the vulnerability; or accepting the risk. - - ## Enumerating Action Priority !!! example inline end "Decision Outcomes and Action Priority" @@ -120,10 +114,9 @@ lead to different priorities. For example, some suppliers might need to map their vulnerability response decisions onto a specific set of service level expectations (SLEs) set by their contractual obligations to their customers. Similarly, deployers might need to integrate -their decisions into a broader risk management framework or +their decisions into a broader risk management framework or [IT Service Management](https://en.wikipedia.org/wiki/IT_service_management) (ITSM) process. - !!! example "SSVC, Vulnerability Response, and Risk Management Processes" A few examples from the US Government of organizational process requirements that can affect the decision @@ -137,6 +130,3 @@ their decisions into a broader risk management framework or SSVC implementers in organizations subject to requirements like these may need to adapt their decision models to ensure that they are consistent with the requirements of the organization's broader risk management and ITSM processes. - - - diff --git a/docs/topics/enumerating_stakeholders.md b/docs/topics/enumerating_stakeholders.md index 91adc98f..e6e05a74 100644 --- a/docs/topics/enumerating_stakeholders.md +++ b/docs/topics/enumerating_stakeholders.md @@ -36,5 +36,3 @@ In [Enumerating Decisions](./enumerating_decisions.md), we describe the decision While C-level executives and public policy professionals often make, shape, or incentivize decisions about managing information systems, they are not the target audience, either. To the extent that decision trees for vulnerability management help higher level policy decisions, we believe the best way to help policy makers is by making technical decisions more transparent and explainable. Policy makers may see indirect benefits, but they are not our primary audience and we are not designing an approach for them directly. - - diff --git a/docs/topics/evaluation_of_draft_trees.md b/docs/topics/evaluation_of_draft_trees.md index d4ea0bc3..8de54a65 100644 --- a/docs/topics/evaluation_of_draft_trees.md +++ b/docs/topics/evaluation_of_draft_trees.md @@ -1,5 +1,4 @@ - # Evaluation of the Draft Trees We conducted a pilot test on the adequacy of the hypothesized decision trees. @@ -39,13 +38,13 @@ In some domains, namely exploit availability, we have started that work in paral The structure of the pilot test is as follows. The next table provides an example of the information provided to each analyst. The supplier portfolio details use ~~strikeout font~~ because this decision item was removed after the pilot. The decision procedure for each case is as follows: for each analyst, for each vulnerability, for each stakeholder group, do the following. -1. Start at the root node of the relevant decision tree (deployer or supplier). +1. Start at the root node of the relevant decision tree (deployer or supplier). -2. Document the decision branch that matches the vulnerability for this stakeholder context. +2. Document the decision branch that matches the vulnerability for this stakeholder context. -3. Document the evidence that supports that decision. +3. Document the evidence that supports that decision. -4. Repeat this decision-and-evidence process until the analyst reaches a leaf node in the tree. +4. Repeat this decision-and-evidence process until the analyst reaches a leaf node in the tree. Table: Example of Scenario Information Provided to Analysts (Using [CVE-2019-9042](https://nvd.nist.gov/vuln/detail/CVE-2019-9042) as the Example) @@ -130,7 +129,6 @@ This solution identifies another difficulty of Fleiss’ kappa, namely that it d Nonetheless, *k* provides some way to measure improvement on this a conceptual engineering task. The pilot evaluation can be repeated, with more diverse groups of stakeholders after the descriptions have been refined by stakeholder input, to measure fit to this goal. For a standard to be reliably applied across different analyst backgrounds, skill sets, and cultures, a set of decision point descriptions should ideally achieve *k* of 1 for each item in multiple studies with diverse participants. Such a high level of agreement would be difficult to achieve, but it would ensure that when two analysts assign a priority with the system that they get the same answer. Such agreement is not the norm with CVSS currently [@allodi2018effect]. - Table: SSVC pilot scores compared with the CVSS base scores for the vulnerabilities provided by NVD. | CVE-ID | Representative SSVC decision values | SSVC recommendation (supplier, deployer) | NVD’s CVSS base score | @@ -153,19 +151,19 @@ Based on these results, we made about ten changes, some bigger than others. We d The following changes were reflected in the version 1 Section "Decision Trees for Vulnerability Management." - - Technical impact: We clarified that partial/total is decided regarding the system scope definition, which considers a database or a web server program as the “whole” system. Furthermore, “total” also includes any technical impact that exposes authentication credentials to the adversary, if those credentials are to the whole system. +- Technical impact: We clarified that partial/total is decided regarding the system scope definition, which considers a database or a web server program as the “whole” system. Furthermore, “total” also includes any technical impact that exposes authentication credentials to the adversary, if those credentials are to the whole system. - - We added advice for information gathering to answer safety impact and mission impact questions. This change is needed because of the particularly wide variety of background assumptions analysts made that influenced results and agreement. +- We added advice for information gathering to answer safety impact and mission impact questions. This change is needed because of the particularly wide variety of background assumptions analysts made that influenced results and agreement. - - We clarified that “MEF failure” refers to any **one** essential function failing, not failure of all of them. We changed most severe mission impact to “mission failure” to better reflect the relationship between MEFs and the organization’s mission. +- We clarified that “MEF failure” refers to any **one** essential function failing, not failure of all of them. We changed most severe mission impact to “mission failure” to better reflect the relationship between MEFs and the organization’s mission. - - We removed the “supplier portfolio value” question since it had poor agreement, and there is no clear way to correct it. We replaced this question with *Utility*, which better captures the relevant kinds of value (namely, to the adversary) of the affected component while remaining amenable to pragmatic analysis. +- We removed the “supplier portfolio value” question since it had poor agreement, and there is no clear way to correct it. We replaced this question with *Utility*, which better captures the relevant kinds of value (namely, to the adversary) of the affected component while remaining amenable to pragmatic analysis. - - We clarified that “proof of concept” (see *Exploitation*) includes cases in which existing tooling counts as a PoC. The examples listed are suggestive, not exhaustive. +- We clarified that “proof of concept” (see *Exploitation*) includes cases in which existing tooling counts as a PoC. The examples listed are suggestive, not exhaustive. - - We reorganized the decision trees based on which items are easier to gather information for or which ones have a widely verifiable state. This change moved *exploitation* to the first question. +- We reorganized the decision trees based on which items are easier to gather information for or which ones have a widely verifiable state. This change moved *exploitation* to the first question. - - We changed the decision tree results such that if exposure is “small,” then the resulting priority is lower than before the pilot study. That is, “small” exposure has a stronger effect on reducing urgency. +- We changed the decision tree results such that if exposure is “small,” then the resulting priority is lower than before the pilot study. That is, “small” exposure has a stronger effect on reducing urgency. ### Questions Removed as Ineffective diff --git a/docs/topics/formalization_options.md b/docs/topics/formalization_options.md index b96676bb..75d8d14e 100644 --- a/docs/topics/formalization_options.md +++ b/docs/topics/formalization_options.md @@ -45,4 +45,3 @@ We use decision trees in the tradition of decision analysis, not ML. | *Other ML* | :x: | Maybe | :x: | :x: | :x: | :x: | | *Boolean First Order Logics* | Maybe | Maybe | :white_check_mark: | :white_check_mark: | :white_check_mark: | Maybe | | *Decision Trees* | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | - diff --git a/docs/topics/future_work.md b/docs/topics/future_work.md index 61588546..05d09574 100644 --- a/docs/topics/future_work.md +++ b/docs/topics/future_work.md @@ -2,7 +2,7 @@ We intend SSVC to offer a workable baseline from which to improve and refine a vulnerability-prioritization methodology. We are working to improve SSVC. -Several of the future work items in this section have issues associated with them on the SSVC GitHub page (https://github.com/CERTCC/SSVC/issues), which is a good place to go to check on progress or help. +Several of the future work items in this section have issues associated with them on the SSVC GitHub page (), which is a good place to go to check on progress or help. Plans for future work focus on further requirements gathering, analysis of types of risk, and further testing of the reliability of the decision process. ## Requirements Gathering via Sociological Research @@ -10,9 +10,9 @@ Plans for future work focus on further requirements gathering, analysis of types The community should know what users of a vulnerability prioritization system want. To explore their needs, it is important to understand how people actually use CVSS and what they think it tells them. In general, such empirical, grounded evidence about what practitioners and decision makers want from vulnerability scoring is lacking. -We have based SSVC’s methodology on multiple decades of professional experience and myriad informal conversations with practitioners. -Such evidence is not a bad place to start, but it does not lend itself to examination and validation by others. -The purpose of understanding practitioner expectations is to inform what a vulnerability-prioritization methodology should actually provide by matching it to what people need or expect. +We have based SSVC’s methodology on multiple decades of professional experience and myriad informal conversations with practitioners. +Such evidence is not a bad place to start, but it does not lend itself to examination and validation by others. +The purpose of understanding practitioner expectations is to inform what a vulnerability-prioritization methodology should actually provide by matching it to what people need or expect. The method this future work should take is long-form, structured interviews. We do not expect anyone to have access to enough consumers of CVSS to get statistically valid results out of a short survey, nor to pilot a long survey. @@ -43,7 +43,6 @@ The “credible effects” to consider are those of all vulnerabilities remediat How exactly to aggregate these different effects is not currently specified except to say that the unit of analysis is the whole work item. Future work should provide some examples of how this holistic analysis of multiple vulnerabilities remediated in one patch should be conducted. - ## Further Decision Tree Testing More testing with diverse analysts is necessary before the decision trees are reliable. In this context, **reliable** means that two analysts, given the same vulnerability description and decision process description, will reach the same decision. Such reliability is important if scores and priorities are going to be useful. If they are not reliable, they will vary widely over time and among analysts. Such variability makes it impossible to tell whether a difference in scores is really due to one vulnerability being higher priority than other. diff --git a/docs/topics/index.md b/docs/topics/index.md index eff8e9f3..d1e73a6d 100644 --- a/docs/topics/index.md +++ b/docs/topics/index.md @@ -11,7 +11,6 @@ [SSVC How-To](../howto/index.md) provides practical guidance for implementing SSVC in your organization. For technical reference, see [Reference](../reference/index.md). - This documentation defines a testable Stakeholder-Specific Vulnerability Categorization (SSVC) for prioritizing actions during vulnerability management. The stakeholders in vulnerability management are diverse. This diversity must be accommodated in the main functionality, rather than squeezed into hard-to-use optional features. @@ -23,7 +22,6 @@ As such, the modeling framework is important but difficult to pin down. We approach this problem as a satisficing process. We do not seek optimal formalisms, but an adequate formalism. - ## Key Concepts in SSVC Decision Models SSVC models individual vulnerability management decisions. It is built around the following concepts: @@ -34,14 +32,13 @@ SSVC models individual vulnerability management decisions. It is built around th are an ordered set of enumerated values. They are ordered because they are sortable in some dimension, usually having to do with priority or urgency. They are enumerated because they are finite and discrete. - **Outcomes** are the dependent variables that are relevant to the decision. Each outcome represents a different - possible result of the decision. -- **Outcome Values** are the possible values for an Outcome. Outcomes are similarly defined as an ordered set of + possible result of the decision. +- **Outcome Values** are the possible values for an Outcome. Outcomes are similarly defined as an ordered set of enumerated values, usually indicating a priority or urgency. - A **Policy** is a mapping from each combination of decision point values to the set of outcome values. - A **Decision Function** is a function that accepts a set of decision point values and returns an outcome value based on a policy. - ```mermaid --- title: Decision Points and Values @@ -69,7 +66,6 @@ flowchart LR Policy --> Outcomes ``` - !!! question "Where do the trees come in?" Our initial concept for SSVC's decision modeling was based on decision trees. @@ -89,7 +85,7 @@ flowchart LR convenient way to visualize the decision function, but they are not a requirement of the model. ## Topics Overview - + The remainder of this section is organized as follows:
diff --git a/docs/topics/information_sources.md b/docs/topics/information_sources.md index 2e080f6f..3ed11424 100644 --- a/docs/topics/information_sources.md +++ b/docs/topics/information_sources.md @@ -21,7 +21,6 @@ Although the lists are all different, we expect they are all valid information s We are not aware of a comparative study of the different lists of active exploits; however, we expect they have similar properties to block lists of network touchpoints [@metcalf2015blocklist] and malware [@kuhrer2014paint]. Namely, each list has a different view and vantage on the problem, which makes them appear to be different, but each list accurately represents its particular vantage at a point in time. - ## System Exposure [*System Exposure*](../reference/decision_points/system_exposure.md) could be informed by the various scanning platforms such as Shodan and Shadowserver. @@ -30,6 +29,7 @@ Such scans do not find all [*open*](../reference/decision_points/system_exposure Scanning software, such as the open-source tool Nessus, could be used to scan for connectivity inside an organization to catalogue what devices should be scored [*controlled*](../reference/decision_points/system_exposure.md) if, say, the scan finds them on an internal network where devices regularly connect to the Internet. --- + ## Adapting other Information Sources Some information sources that were not designed with SSVC in mind can be adapted to work with it. @@ -54,16 +54,16 @@ The interpretation is different for CVSS version 3 than version 4. That is, if the vulnerability leads to a high impact on the confidentiality and integrity of the vulnerable system, then that is equivalent to total technical impact on the system. -The following considerations are accounted for in this recommendation. +The following considerations are accounted for in this recommendation. 1. A denial of service condition is modeled as a *partial* [*Technical Impact*](../reference/decision_points/technical_impact.md). Therefore, a high availability impact to the vulnerable system should not be mapped to *total* [*Technical Impact*](../reference/decision_points/technical_impact.md) on its own. -2. There may be situations in which a high confidentiality impact is sufficient for total technical impact; for example, disclosure of the root or administrative password for the system leads to total technical control of the system. -So this suggested mapping is a useful heuristic, but there may be exceptions, depending on exactly what the CVSS v4 metric value assignment norms are and become for these situations. +2. There may be situations in which a high confidentiality impact is sufficient for total technical impact; for example, disclosure of the root or administrative password for the system leads to total technical control of the system. +So this suggested mapping is a useful heuristic, but there may be exceptions, depending on exactly what the CVSS v4 metric value assignment norms are and become for these situations. 3. While the Subsequent System impact metric group in CVSS v4 is useful, those concepts are not captured by [*Technical Impact*](../reference/decision_points/technical_impact.md). -Subsequent System impacts are captured, albeit in different framings, by decision points such as [*Situated Safety Impact*](../reference/decision_points/safety_impact.md), [*Mission Impact*](../reference/decision_points/mission_impact.md), and [*Value Density*](../reference/decision_points/value_density.md). -There is not a direct mapping between the subsequent system impact metric group and these decision points, except in the case of [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md) and the CVSS v4 environmental metrics for Safety Impact in the subsequent system metric group. -In that case, both definitions map back to the same safety impact standard for definitions (IEC 61508) and so are easily mapped to each other. +Subsequent System impacts are captured, albeit in different framings, by decision points such as [*Situated Safety Impact*](../reference/decision_points/safety_impact.md), [*Mission Impact*](../reference/decision_points/mission_impact.md), and [*Value Density*](../reference/decision_points/value_density.md). +There is not a direct mapping between the subsequent system impact metric group and these decision points, except in the case of [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md) and the CVSS v4 environmental metrics for Safety Impact in the subsequent system metric group. +In that case, both definitions map back to the same safety impact standard for definitions (IEC 61508) and so are easily mapped to each other. #### CVSS v3 and Technical Impact @@ -72,10 +72,10 @@ For CVSS v3, the impact metric group cannot be directly mapped to [*Technical Im If the CVSS version 3 value of “Scope” is “Unchanged,” then the recommendation is the same as that for CVSS v4, above, as the impact metric group is information exclusively about the vulnerable system. If the CVSS version 3 value of “Scope” is “Changed,” then the impact metrics may be about either the vulnerable system or the subsequent systems, based on whichever makes the final score higher. Since [*Technical Impact*](../reference/decision_points/technical_impact.md) is based only on the vulnerable system impacts, if "Scope" is "Changed" then the ambiguity between vulnerable and subsequent system impacts is not documented in the vector string. -This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../reference/decision_points/technical_impact.md) value in this case. +This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../reference/decision_points/technical_impact.md) value in this case. !!! tip "Mapping CVSS v3 to Technical Impact" - + Summarizing the discussion above, the mapping between CVSS v3 and [*Technical Impact*](../reference/decision_points/technical_impact.md) is | CVSS Scope | Confidentiality
(C) | Integrity
(I) | Availability
(A) | [*Technical Impact*](../reference/decision_points/technical_impact.md) | @@ -85,7 +85,6 @@ This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../re | Unchanged | Low (L) or None (N) | High (H) | *any* | Partial | | Changed | *any* | *any* | *any* | (ambiguous) | - ### CWE and Exploitation As mentioned in the discussion of [*Exploitation*](../reference/decision_points/exploitation.md), [CWE](https://cwe.mitre.org/) could be used to inform one of the conditions that satisfy [*proof of concept*](../reference/decision_points/exploitation.md). diff --git a/docs/topics/items_with_same_priority.md b/docs/topics/items_with_same_priority.md index 87641842..e1b3f661 100644 --- a/docs/topics/items_with_same_priority.md +++ b/docs/topics/items_with_same_priority.md @@ -31,5 +31,3 @@ The priority is equivalent. fine-grained priorities within qualitative categories anyway. With our system, organizations can be more deliberate about conveniently organizing work that is of equivalent priority. - - diff --git a/docs/topics/limitations.md b/docs/topics/limitations.md index c6b365fd..2b2d0bf5 100644 --- a/docs/topics/limitations.md +++ b/docs/topics/limitations.md @@ -25,16 +25,16 @@ This is not a calculation of any kind, just an assignment of a label which may m Of course, these labels are dangerous, as they may be misused as numbers. Therefore, we prefer the use *defer*, *scheduled*, etc., as listed in [Enumerating Vulnerability Management Actions](../howto/deployer_tree.md). - + ## Expanded Context We incorporated a wider variety of inputs from contexts beyond the affected component. Some organizations are not prepared or configured to reliably produce such data (e.g., around mission impact or safety impact). There is adequate guidance for how to elicit and curate this type information from various risk management frameworks, including OCTAVE [@caralli2007octave]. Not every organization is going to have sufficiently mature risk management functions to apply SSVC.\ - + This second limitation should be approached with two strategies: 1. Organizations should be encouraged and enabled to mature their risk management capabilities -2. In the meantime, organizations such as NIST could consider developing default advice. +2. In the meantime, organizations such as NIST could consider developing default advice. The most practical framing of this approach might be for the NIST NVD to produce scores from the perspective of a - new stakeholder—something like “national security” or “public well-being” that is explicitly a sort of default + new stakeholder—something like “national security” or “public well-being” that is explicitly a sort of default advice for otherwise uninformed organizations that can then explicitly account for national priorities, such as critical infrastructure. diff --git a/docs/topics/related_systems.md b/docs/topics/related_systems.md index 4a4ed6ee..16c71596 100644 --- a/docs/topics/related_systems.md +++ b/docs/topics/related_systems.md @@ -107,7 +107,6 @@ CVSS is one-size-fits-all by design. These customization efforts struggle with adapting CVSS because it was not designed to be adaptable to different stakeholder considerations. The SSVC section [Tree Construction and Customization Guidance](../howto/tree_customization.md) explains how stakeholders or stakeholder communities can adapt SSVC in a reliable way that still promotes repeatability and communication. - ## vPrioritizer vPrioritizer is an open-source project that attempts to integrate asset management and vulnerablity prioritization. @@ -118,5 +117,3 @@ In that sense, it is compatible with any of methods mentioned above or SSVC. However, SSVC would be better suited to address vPrioritizer's broad spectrum asset management data. For example, vPrioritizer aims to collect data points on topics such as asset significance. Asset significance could be expressed through the SSVC decision points of [*Mission Impact*](../reference/decision_points/mission_impact.md) and situated [*Well-being Impact*](../reference/decision_points/human_impact.md), but it does not have a ready expression in CVSS, EPSS, or VPR. - - diff --git a/docs/topics/representing_information.md b/docs/topics/representing_information.md index 0d09753f..d5c6f471 100644 --- a/docs/topics/representing_information.md +++ b/docs/topics/representing_information.md @@ -1,7 +1,7 @@ # Representing Information for Decisions About Vulnerabilities We propose that decisions about vulnerabilities—rather than their severity—are a more useful approach. -Our design goals for the decision-making process are to +Our design goals for the decision-making process are to - clearly define whose decisions are involved - properly use evidentiary categories @@ -35,23 +35,22 @@ Therefore, under a Gaussian error distribution, 8.9 is really 60\% high and 40\% SSVC decisions should be distinct and crisp, without such statistical overlaps. We avoid numerical representations for either inputs or outputs of a vulnerability management decision process. -Quantified metrics are more useful when +Quantified metrics are more useful when -1. data for decision making is available, and +1. data for decision making is available, and 2. the stakeholders agree on how to measure. Vulnerability management does not yet meet either criterion. Furthermore, it is not clear to what extent measurements about a vulnerability can be informative about other vulnerabilities. Each vulnerability has a potentially unique relationship to the socio-technical system in which it exists, including the Internet. - ## Be Based on Reliably Available Evidence Vulnerability management decisions are often contextual: given what is known at the time, the decision is to do X. But what is known can change over time, which can and should influence the decision. The context of the vulnerability, and the systems it impacts, are inextricably linked to managing it. Some information about the context will be relatively static over time, such as the contribution of a system to an organization's mission. -Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. +Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. Temporal and environmental considerations should be primary, not optional as they are in CVSS. We discuss the temporal aspects further in [Information Changes over Time](../howto/bootstrap/use.md). @@ -65,9 +64,9 @@ Transparency should improve trust in the results. Finally, any result of a decision-making process should be **explainable** Explainable is defined and used with its common meaning, not as it is used in the research area of explainable artificial intelligence. An explanation should make the process intelligible to an interested, competent, non-expert person. -There are at least two reasons common explainability is important: +There are at least two reasons common explainability is important: -1. for troubleshooting and error correction and +1. for troubleshooting and error correction and 2. for justifying proposed decisions. ## Summary @@ -75,17 +74,16 @@ There are at least two reasons common explainability is important: To summarize, the following are our design goals for a vulnerability management process: - - Outputs are decisions. +- Outputs are decisions. - - Pluralistic recommendations are made among a manageable number of +- Pluralistic recommendations are made among a manageable number of stakeholder groups. - - Inputs are qualitative. +- Inputs are qualitative. - - Outputs are qualitative, and there are no (unjustified) shifts to +- Outputs are qualitative, and there are no (unjustified) shifts to quantitative calculations. - - Process justification is transparent. - - - Results are explainable. +- Process justification is transparent. +- Results are explainable. diff --git a/docs/topics/risk_tolerance_and_priority.md b/docs/topics/risk_tolerance_and_priority.md index 631be2dc..e738e411 100644 --- a/docs/topics/risk_tolerance_and_priority.md +++ b/docs/topics/risk_tolerance_and_priority.md @@ -21,11 +21,10 @@ A successful vulnerability management practice must balance at least two risks: problems that could arise from making changes to production systems. 2. **Vulnerability risk**: the potential costs of incidents resulting from exploitation of vulnerable systems - In developing the decision trees in this document, we had in mind stakeholders with a moderate tolerance for risk. The resulting trees reflect that assumption. Organizations may of course be more or less conservative in their own vulnerability management practices, and we cannot presume to determine how an organization should balance their risk. We therefore remind our readers that the labels on the trees (defer, immediate, etc.) can and should be customized to -suit the needs of individual stakeholders wherever necessary and appropriate. +suit the needs of individual stakeholders wherever necessary and appropriate. --- @@ -37,5 +36,3 @@ suit the needs of individual stakeholders wherever necessary and appropriate. the most urgent response. - On the other hand, an organization with a high aversion to vulnerability risk could elevate the priority of many branches to ensure fixes are deployed quickly. - - diff --git a/docs/topics/state_of_practice.md b/docs/topics/state_of_practice.md index e2009777..a9c0997e 100644 --- a/docs/topics/state_of_practice.md +++ b/docs/topics/state_of_practice.md @@ -1,5 +1,4 @@ - # Current state of practice **Vulnerability management** covers “the discovery, analysis, and handling of new or reported security vulnerabilities in information systems \[and\] the detection of and response to known vulnerabilities in order to prevent them from being exploited” [@csirtservices_v2]. diff --git a/docs/topics/vulnerability_management_decisions.md b/docs/topics/vulnerability_management_decisions.md index 9744d8fd..6edc2258 100644 --- a/docs/topics/vulnerability_management_decisions.md +++ b/docs/topics/vulnerability_management_decisions.md @@ -8,4 +8,3 @@ The “what” is about the scope, both in how the affected system is defined an While we strive to make our examples realistic, we invite the community to engage and conduct empirical assessments to test them. The following construction should be treated as an informed hypothesis rather than a conclusion. - diff --git a/docs/topics/worked_example.md b/docs/topics/worked_example.md index 21542a34..ba00739b 100644 --- a/docs/topics/worked_example.md +++ b/docs/topics/worked_example.md @@ -43,7 +43,7 @@ use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select [*small*](../reference/decision_points/system_exposure.md) and move on to ask about mission impact. -According to the fictional pilot scenario, +According to the fictional pilot scenario, > Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm). diff --git a/docs/tutorials/index.md b/docs/tutorials/index.md index ba3c6f09..802ff565 100644 --- a/docs/tutorials/index.md +++ b/docs/tutorials/index.md @@ -44,9 +44,6 @@ SSVC can be used in conjunction with other tools and methodologies to help prior This information can be used to inform the [Exploitation](../reference/decision_points/exploitation.md) decision point in the [Supplier](../howto/supplier_tree.md), [Deployer](../howto/deployer_tree.md), and [Coordinator Publication](../howto/publication_decision.md) decision models. - - - ## Videos Provided below are videos that provide an overview of SSVC and the implementation of decision models. @@ -71,6 +68,6 @@ We've collected a list of articles and blog posts that provide additional inform | SEI | [Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization](https://insights.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/) | | CISA | [Stakeholder-Specific Vulnerability Categorization (SSVC)](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) | | Qualys | [Effective Vulnerability Management with Stakeholder Specific Vulnerability Categorization (SSVC) and Qualys TruRisk](https://blog.qualys.com/product-tech/2022/11/30/effective-vulnerability-management-with-ssvc-and-qualys-trurisk) | -| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) | +| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) | -Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new). \ No newline at end of file +Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new). diff --git a/mkdocs.yml b/mkdocs.yml index 3e2ff861..2e47540c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -71,6 +71,42 @@ nav: - Human Impact: 'reference/decision_points/human_impact.md' - Public Safety Impact: 'reference/decision_points/public_safety_impact.md' - Utility: 'reference/decision_points/utility.md' + - CVSS-based decision points: + - 'reference/decision_points/cvss/index.md' + - Qualitative Severity: 'reference/decision_points/cvss/qualitative_severity.md' + - Base Metrics: + - Attack Vector: 'reference/decision_points/cvss/attack_vector.md' + - Attack Complexity: 'reference/decision_points/cvss/attack_complexity.md' + - Attack Requirements: 'reference/decision_points/cvss/attack_requirements.md' + - Privileges Required: 'reference/decision_points/cvss/privileges_required.md' + - User Interaction: 'reference/decision_points/cvss/user_interaction.md' + - Confidentiality Impact: 'reference/decision_points/cvss/confidentiality_impact.md' + - Subsequent Confidentiality Impact: 'reference/decision_points/cvss/subsequent_confidentiality_impact.md' + - Integrity Impact: 'reference/decision_points/cvss/integrity_impact.md' + - Subsequent Integrity Impact: 'reference/decision_points/cvss/subsequent_integrity_impact.md' + - Availability Impact: 'reference/decision_points/cvss/availability_impact.md' + - Subsequent Availability Impact: 'reference/decision_points/cvss/subsequent_availability_impact.md' + - Threat Metrics: + - Exploit Maturity: 'reference/decision_points/cvss/exploit_maturity.md' + - Environmental Metrics: + - Confidentiality Requirement: 'reference/decision_points/cvss/confidentiality_requirement.md' + - Integrity Requirement: 'reference/decision_points/cvss/integrity_requirement.md' + - Availability Requirement: 'reference/decision_points/cvss/availability_requirement.md' + - Supplemental Metrics: + - Safety: 'reference/decision_points/cvss/safety.md' + - Automatable: 'reference/decision_points/cvss/automatable.md' + - Provider Urgency: 'reference/decision_points/cvss/provider_urgency.md' + - Recovery: 'reference/decision_points/cvss/recovery.md' + - Value Density: 'reference/decision_points/cvss/value_density.md' + - Vulnerability Response Effort: 'reference/decision_points/cvss/vulnerability_response_effort.md' + - Older Metrics: + - Authentication: 'reference/decision_points/cvss/authentication.md' + - Collateral Damage Potential: 'reference/decision_points/cvss/collateral_damage_potential.md' + - Impact Bias: 'reference/decision_points/cvss/impact_bias.md' + - Remediation Level: 'reference/decision_points/cvss/remediation_level.md' + - Report Confidence: 'reference/decision_points/cvss/report_confidence.md' + - Scope: 'reference/decision_points/cvss/scope.md' + - Target Distribution: 'reference/decision_points/cvss/target_distribution.md' - Code: - Intro: 'reference/code/index.md' - CSV Analyzer: 'reference/code/analyze_csv.md' @@ -117,6 +153,7 @@ plugins: data_path: 'data/csvs' - bibtex: bib_file: 'doc/md_src_files/sources_ssvc.bib' + - markdown-exec - mkdocstrings: handlers: python: diff --git a/requirements.txt b/requirements.txt index 7a27ea0b..f4294acb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,15 +1,17 @@ mkdocs==1.6.1 -mkdocs-bibtex==2.16.2 -mkdocs-include-markdown-plugin==7.1.2 +mkdocs-bibtex==4.2.1 +mkdocs-include-markdown-plugin==7.1.4 mkdocs-table-reader-plugin==3.1.0 -mkdocs-material==9.5.49 +mkdocs-material==9.6.5 mkdocs-material-extensions==1.3.1 -mkdocstrings==0.27.0 -mkdocstrings-python==1.13.0 +mkdocstrings==0.28.2 +mkdocstrings-python==1.16.2 mkdocs-print-site-plugin==2.6.0 -dataclasses-json==0.6.7 +markdown-exec==1.10.0 thefuzz==0.22.1 pandas==2.2.3 scikit-learn==1.6.1 jsonschema==4.23.0 networkx==3.4.2 +pydantic==2.10.6 +semver==3.0.4 \ No newline at end of file diff --git a/src/README.md b/src/README.md index 84b8f226..e90e39d1 100644 --- a/src/README.md +++ b/src/README.md @@ -7,13 +7,14 @@ This directory holds helper scripts that can make managing or using SSVC easier. This python script takes a CSV of the format in the `../data` directory and gets you (most of the way) to a pretty decision tree visualization. It creates a LaTeX file that can create a PDF (and from there, a PNG or whatever you want). `python SSVC_csv-to-latex.py --help` works and should explain all your options. -When the script finishes, it will also print a message with instructions for creating the PDF or PNG from the tex. A potential future improvement is to call `latexmk` directly from the python script. +When the script finishes, it will also print a message with instructions for creating the PDF or PNG from the tex. A potential future improvement is to call `latexmk` directly from the python script. Example usage: + ``` python SSVC_csv-to-latex.py --input=../data/ssvc_2_deployer_simplified.csv --output=tmp.tex --delim="," --columns="0,2,1" --label="3" --header-row --priorities="defer, scheduled, out-of-cycle, immediate" ``` Dependencies: LaTeX. -To install latex, see https://www.latex-project.org/get/ -`latexmk` is a helper script that is not included in all distributions by default; if you need it, see https://ctan.org/pkg/latexmk/?lang=en +To install latex, see +`latexmk` is a helper script that is not included in all distributions by default; if you need it, see diff --git a/src/SSVC_csv-to-latex.py b/src/SSVC_csv-to-latex.py index 0e2953fe..1112d0fe 100755 --- a/src/SSVC_csv-to-latex.py +++ b/src/SSVC_csv-to-latex.py @@ -1,4 +1,18 @@ #!/usr/bin/python + +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + ########## ## put import statements here import optparse, sys, string, glob, re @@ -224,7 +238,9 @@ def print_forest_options( """ ) location.write(pri5string) - location.write("}\n") # close the last tikzset; forestset is already closed + location.write( + "}\n" + ) # close the last tikzset; forestset is already closed def begin_forest(location): @@ -334,7 +350,9 @@ def main(): if path[i] not in dpoint_values[i]: dpoint_values[i].append(path[i]) for i in range(depth): - dpoint_values[i].sort(key=lambda j: sort_order[i].index(j), reverse=True) + dpoint_values[i].sort( + key=lambda j: sort_order[i].index(j), reverse=True + ) # reverse because the latex will flip it again # loop twice so we don't sort every time we check a new path @@ -366,7 +384,9 @@ def main(): del tmp_path[-1] i = i - 1 ofile.write(latex_brace_close) # close each latex brace - del tmp_path[-1] # every time we close a brace, update the path to reflect + del tmp_path[ + -1 + ] # every time we close a brace, update the path to reflect else: # "Normal" case if counts[i] == len(dpoint_values[i]): try: diff --git a/src/enumerate-coord-publish-options.sh b/src/enumerate-coord-publish-options.sh index 93a83982..d9e4739f 100755 --- a/src/enumerate-coord-publish-options.sh +++ b/src/enumerate-coord-publish-options.sh @@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/enumerate-coord-triage-options.sh b/src/enumerate-coord-triage-options.sh index ef4b5857..9c283223 100755 --- a/src/enumerate-coord-triage-options.sh +++ b/src/enumerate-coord-triage-options.sh @@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/enumerate-deployer-options.sh b/src/enumerate-deployer-options.sh index f2990052..bb2d63a8 100755 --- a/src/enumerate-deployer-options.sh +++ b/src/enumerate-deployer-options.sh @@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/enumerate-supplier-options.sh b/src/enumerate-supplier-options.sh index faba3e93..cbee24c5 100755 --- a/src/enumerate-supplier-options.sh +++ b/src/enumerate-supplier-options.sh @@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/outcomes_to_json.py b/src/outcomes_to_json.py new file mode 100644 index 00000000..192c8169 --- /dev/null +++ b/src/outcomes_to_json.py @@ -0,0 +1,29 @@ +#!/usr/bin/python3 + +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.outcomes import groups +from ssvc.outcomes.base import OutcomeGroup + + +def main(): + for x in dir(groups): + outcome = getattr(groups, x) + if type(outcome) == OutcomeGroup: + with open(f"../data/json/outcomes/{x}.json", "w") as f: + f.write(outcome.model_dump_json(indent=2)) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/__init__.py b/src/ssvc/__init__.py index 31995ad1..6706583d 100644 --- a/src/ssvc/__init__.py +++ b/src/ssvc/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 609c7b73..414c99e1 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -1,10 +1,8 @@ #!/usr/bin/env python """ -file: _basics -author: adh -created_at: 9/20/23 4:51 PM +This module provides mixin classes for adding features to SSVC objects. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,16 +15,15 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass, field from typing import Optional -from dataclasses_json import config, dataclass_json +from pydantic import BaseModel, ConfigDict, field_validator +from semver import Version from . import _schemaVersion -@dataclass_json -@dataclass(kw_only=True) -class _Versioned: + +class _Versioned(BaseModel): """ Mixin class for versioned SSVC objects. """ @@ -34,9 +31,25 @@ class _Versioned: version: str = "0.0.0" schemaVersion: str = _schemaVersion -@dataclass_json -@dataclass(kw_only=True) -class _Namespaced: + @field_validator("version") + @classmethod + def validate_version(cls, value): + """ + Validate the version field. + Args: + value: a string representing a version number + + Returns: + a fully qualified version number + + Raises: + ValueError: if the value is not a valid version number + """ + version = Version.parse(value, optional_minor_and_patch=True) + return version.__str__() + + +class _Namespaced(BaseModel): """ Mixin class for namespaced SSVC objects. """ @@ -44,9 +57,7 @@ class _Namespaced: namespace: str = "ssvc" -@dataclass_json -@dataclass(kw_only=True) -class _Keyed: +class _Keyed(BaseModel): """ Mixin class for keyed SSVC objects. """ @@ -58,21 +69,17 @@ def exclude_if_none(value): return value is None -@dataclass_json -@dataclass(kw_only=True) -class _Commented: +class _Commented(BaseModel): """ Mixin class for commented SSVC objects. """ - _comment: Optional[str] = field( - default=None, metadata=config(exclude=exclude_if_none) - ) + _comment: Optional[str] = None + + model_config = ConfigDict(json_encoders={Optional[str]: exclude_if_none}) -@dataclass_json -@dataclass(kw_only=True) -class _Base: +class _Base(BaseModel): """ Base class for SSVC objects. """ diff --git a/src/ssvc/csv_analyzer.py b/src/ssvc/csv_analyzer.py index c1c668af..159d43dc 100644 --- a/src/ssvc/csv_analyzer.py +++ b/src/ssvc/csv_analyzer.py @@ -40,7 +40,7 @@ Higher values imply more important features. """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -95,7 +95,9 @@ def _imp_df(column_names: list, importances: list) -> pd.DataFrame: a dataframe of feature importances """ df = ( - pd.DataFrame({"feature": column_names, "feature_importance": importances}) + pd.DataFrame( + {"feature": column_names, "feature_importance": importances} + ) .sort_values("feature_importance", ascending=False) .reset_index(drop=True) ) @@ -184,7 +186,9 @@ def _perm_feat_imp(model, x, y): def _parse_args(args) -> argparse.Namespace: # parse command line - parser = argparse.ArgumentParser(description="Analyze an SSVC tree csv file") + parser = argparse.ArgumentParser( + description="Analyze an SSVC tree csv file" + ) parser.add_argument( "csvfile", metavar="csvfile", type=str, help="the csv file to analyze" ) @@ -371,8 +375,12 @@ def check_topological_order(df, target): for u in H.nodes: H.nodes[u]["outcome"] = G.nodes[u]["outcome"] - logger.debug(f"Original graph: {len(G.nodes)} nodes with {len(G.edges)} edges") - logger.debug(f"Reduced graph: {len(H.nodes)} nodes with {len(H.edges)} edges") + logger.debug( + f"Original graph: {len(G.nodes)} nodes with {len(G.edges)} edges" + ) + logger.debug( + f"Reduced graph: {len(H.nodes)} nodes with {len(H.edges)} edges" + ) problems = [] # check if the outcome is topologically sorted diff --git a/src/ssvc/decision_points/__init__.py b/src/ssvc/decision_points/__init__.py index c4f79b7c..0ffc1a00 100644 --- a/src/ssvc/decision_points/__init__.py +++ b/src/ssvc/decision_points/__init__.py @@ -17,4 +17,17 @@ - A description - A key (a short, unique string) that can be used to identify the value in a shorthand way """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from .base import SsvcDecisionPoint, SsvcDecisionPointValue diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py index c7051279..843626b5 100644 --- a/src/ssvc/decision_points/automatable.py +++ b/src/ssvc/decision_points/automatable.py @@ -1,10 +1,9 @@ #!/usr/bin/env python + """ -file: automatable -author: adh -created_at: 9/21/23 10:37 AM +Provides the Automatable decision point and its values. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -66,11 +65,14 @@ values=(AUT_NO, AUT_YES), ) +# always append new VERSIONS to this list, do not remove old ones +VERSIONS = (VIRULENCE_1, AUTOMATABLE_2) +LATEST = VERSIONS[-1] + def main(): - versions = (VIRULENCE_1, AUTOMATABLE_2) + print_versions_and_diffs(VERSIONS) - print_versions_and_diffs(versions) if __name__ == "__main__": main() diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index 3e1d32ba..869e3263 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -1,10 +1,9 @@ #!/usr/bin/env python + """ -file: decisionpoints -author: adh -created_at: 9/20/23 10:07 AM +Defines the formatting for SSVC Decision Points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -18,10 +17,8 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import logging -from dataclasses import dataclass -from typing import Iterable -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned @@ -58,27 +55,18 @@ def _reset_registered(): REGISTERED_DECISION_POINTS = [] -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPointValue(_Base, _Keyed): +class SsvcDecisionPointValue(_Base, _Keyed, BaseModel): """ Models a single value option for a decision point. """ -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPoint( - _Base, - _Keyed, - _Versioned, - _Namespaced, -): +class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, BaseModel): """ Models a single decision point as a list of values. """ - values: Iterable[SsvcDecisionPointValue] = () + values: list[SsvcDecisionPointValue] = [] def __iter__(self): """ @@ -86,13 +74,12 @@ def __iter__(self): """ return iter(self.values) - def __post_init__(self): + def __init__(self, **data): + super().__init__(**data) register(self) - if isinstance(self.values[0], dict): - self.values = tuple( - SsvcDecisionPointValue.from_dict(v) for v in self.values - ) + def __post_init__(self): + register(self) def main(): @@ -116,7 +103,7 @@ def main(): version="1.0.0", ) - print(dp.to_json(indent=2)) + print(dp.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py index c2bdead3..d9dad7d9 100644 --- a/src/ssvc/decision_points/critical_software.py +++ b/src/ssvc/decision_points/critical_software.py @@ -1,8 +1,9 @@ #!/usr/bin/env python + """ Provides an SSVC decision point for critical software designation. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -16,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +42,12 @@ ), ) +VERSIONS = (CRITICAL_SOFTWARE_1,) +LATEST = VERSIONS[-1] + def main(): - print(CRITICAL_SOFTWARE_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/__init__.py b/src/ssvc/decision_points/cvss/__init__.py index a9bc6dd9..0fd60f21 100644 --- a/src/ssvc/decision_points/cvss/__init__.py +++ b/src/ssvc/decision_points/cvss/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/_not_defined.py b/src/ssvc/decision_points/cvss/_not_defined.py index 96ff8f22..8581f2b1 100644 --- a/src/ssvc/decision_points/cvss/_not_defined.py +++ b/src/ssvc/decision_points/cvss/_not_defined.py @@ -2,7 +2,7 @@ """ Provides a generic Not Define decision point value for CVSS decision points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/attack_complexity.py b/src/ssvc/decision_points/cvss/attack_complexity.py index b679d524..5fa68d59 100644 --- a/src/ssvc/decision_points/cvss/attack_complexity.py +++ b/src/ssvc/decision_points/cvss/attack_complexity.py @@ -2,7 +2,7 @@ """ Models the CVSS Attack Complexity (formerly known as Access Complexity) metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -133,16 +133,17 @@ """ -versions = [ +VERSIONS = ( ACCESS_COMPLEXITY_1, ACCESS_COMPLEXITY_2, ATTACK_COMPLEXITY_3, ATTACK_COMPLEXITY_3_0_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_requirements.py b/src/ssvc/decision_points/cvss/attack_requirements.py index fd2348bd..8ae4ba7d 100644 --- a/src/ssvc/decision_points/cvss/attack_requirements.py +++ b/src/ssvc/decision_points/cvss/attack_requirements.py @@ -2,7 +2,7 @@ """ CVSS Attack Requirements """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -47,13 +47,12 @@ ), ) -versions = [ - ATTACK_REQUIREMENTS_1, -] +VERSIONS = (ATTACK_REQUIREMENTS_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py index fba9ac29..f20a102d 100644 --- a/src/ssvc/decision_points/cvss/attack_vector.py +++ b/src/ssvc/decision_points/cvss/attack_vector.py @@ -2,7 +2,7 @@ """ Models the CVSS Attack Vector (formerly known as Access Vector) metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -194,11 +194,17 @@ ), ) -versions = [ACCESS_VECTOR_1, ACCESS_VECTOR_2, ATTACK_VECTOR_3, ATTACK_VECTOR_3_0_1] +VERSIONS = ( + ACCESS_VECTOR_1, + ACCESS_VECTOR_2, + ATTACK_VECTOR_3, + ATTACK_VECTOR_3_0_1, +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/authentication.py b/src/ssvc/decision_points/cvss/authentication.py index d4fa7fd7..516966f1 100644 --- a/src/ssvc/decision_points/cvss/authentication.py +++ b/src/ssvc/decision_points/cvss/authentication.py @@ -3,7 +3,7 @@ Models the CVSS Authentication metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -79,15 +79,12 @@ Includes MULTIPLE, SINGLE, and AUTH_NONE values for CVSS Authentication. """ - -versions = [ - AUTHENTICATION_1, - AUTHENTICATION_2, -] +VERSIONS = (AUTHENTICATION_1, AUTHENTICATION_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/availability_impact.py b/src/ssvc/decision_points/cvss/availability_impact.py index 3312b80c..bc689915 100644 --- a/src/ssvc/decision_points/cvss/availability_impact.py +++ b/src/ssvc/decision_points/cvss/availability_impact.py @@ -3,7 +3,7 @@ Models the CVSS Availability Impact metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -114,12 +114,12 @@ ) -AVAILABILITY_IMPACT_2_0_1 = CvssDecisionPoint( - name="Availability Impact", +AVAILABILITY_IMPACT_3_0_0 = CvssDecisionPoint( + name="Availability Impact to the Vulnerable System", description="This metric measures the impact to the availability of the impacted system resulting from a " "successfully exploited vulnerability.", - key="A", - version="2.0.1", + key="VA", + version="3.0.0", values=( _NONE_3, _LOW_2, @@ -127,11 +127,17 @@ ), ) -versions = [AVAILABILITY_IMPACT_1, AVAILABILITY_IMPACT_2, AVAILABILITY_IMPACT_2_0_1] + +VERSIONS = ( + AVAILABILITY_IMPACT_1, + AVAILABILITY_IMPACT_2, + AVAILABILITY_IMPACT_3_0_0, +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/availability_requirement.py b/src/ssvc/decision_points/cvss/availability_requirement.py index 0e84929b..09cd2660 100644 --- a/src/ssvc/decision_points/cvss/availability_requirement.py +++ b/src/ssvc/decision_points/cvss/availability_requirement.py @@ -3,7 +3,7 @@ Models the CVSS Availability Requirement metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs @@ -109,15 +112,16 @@ ), ) -versions = [ +VERSIONS = ( AVAILABILITY_REQUIREMENT_1, AVAILABILITY_REQUIREMENT_1_1, AVAILABILITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/base.py b/src/ssvc/decision_points/cvss/base.py index 78aaf15f..9a935991 100644 --- a/src/ssvc/decision_points/cvss/base.py +++ b/src/ssvc/decision_points/cvss/base.py @@ -2,9 +2,7 @@ """ Provides a base class for modeling CVSS vector metrics as SSVC decision points. """ - - -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,16 +15,12 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc.decision_points.base import SsvcDecisionPoint -@dataclass_json -@dataclass(kw_only=True) -class CvssDecisionPoint(SsvcDecisionPoint): +class CvssDecisionPoint(SsvcDecisionPoint, BaseModel): """ Models a single CVSS decision point as a list of values. """ diff --git a/src/ssvc/decision_points/cvss/collateral_damage_potential.py b/src/ssvc/decision_points/cvss/collateral_damage_potential.py index 5d309fbe..3c541009 100644 --- a/src/ssvc/decision_points/cvss/collateral_damage_potential.py +++ b/src/ssvc/decision_points/cvss/collateral_damage_potential.py @@ -3,7 +3,7 @@ Models the CVSS Collateral Damage Potential metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -98,11 +98,12 @@ Updates None description. Adds Low-Medium, Medium-High, and Not Defined value. """ -versions = [COLLATERAL_DAMAGE_POTENTIAL_1, COLLATERAL_DAMAGE_POTENTIAL_2] +VERSIONS = (COLLATERAL_DAMAGE_POTENTIAL_1, COLLATERAL_DAMAGE_POTENTIAL_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/confidentiality_impact.py b/src/ssvc/decision_points/cvss/confidentiality_impact.py index 91e63ac1..c56abb6a 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/confidentiality_impact.py @@ -2,7 +2,7 @@ """ Models the CVSS Confidentiality Impact metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -122,14 +122,14 @@ description="There is no loss of confidentiality within the impacted component.", ) -CONFIDENTIALITY_IMPACT_2_0_1 = CvssDecisionPoint( - name="Confidentiality Impact", +CONFIDENTIALITY_IMPACT_3_0_0 = CvssDecisionPoint( + name="Confidentiality Impact to the Vulnerable System", description="This metric measures the impact to the confidentiality of the information managed by the system due " "to a successfully exploited vulnerability. Confidentiality refers to limiting information access " "and disclosure to only authorized users, as well as preventing access by, or disclosure to, " "unauthorized ones.", - key="C", - version="2.0.1", + key="VC", + version="3.0.0", values=( _CI_NONE_3, _LOW_1, @@ -138,15 +138,16 @@ ) -versions = [ +VERSIONS = ( CONFIDENTIALITY_IMPACT_1, CONFIDENTIALITY_IMPACT_2, - CONFIDENTIALITY_IMPACT_2_0_1, -] + CONFIDENTIALITY_IMPACT_3_0_0, +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/confidentiality_requirement.py b/src/ssvc/decision_points/cvss/confidentiality_requirement.py index 427cf6b3..288c05c8 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_requirement.py +++ b/src/ssvc/decision_points/cvss/confidentiality_requirement.py @@ -3,7 +3,7 @@ Models the CVSS Confidentiality Requirement metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs @@ -107,15 +110,16 @@ ), ) -versions = [ +VERSIONS = ( CONFIDENTIALITY_REQUIREMENT_1, CONFIDENTIALITY_REQUIREMENT_1_1, CONFIDENTIALITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/eq_sets.py b/src/ssvc/decision_points/cvss/eq_sets.py deleted file mode 100644 index aca56dde..00000000 --- a/src/ssvc/decision_points/cvss/eq_sets.py +++ /dev/null @@ -1,191 +0,0 @@ -#!/usr/bin/env python -""" -CVSS v4 Equivalence Sets -""" -# Copyright (c) 2023 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University - -from ssvc.decision_points import SsvcDecisionPointValue -from ssvc.decision_points.cvss.base import CvssDecisionPoint - - -# EQ1 → AV/PR/UI with 3 levels specified in Table 24 -# Levels Constraints Highest Severity Vector(s) -# 0 AV:N and PR:N and UI:N AV:N/PR:N/UI:N -# 1 (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N:/UI:P -# 2 AV:P or not(AV:N or PR:N or UI:N) AV:P/PR:N/UI:N or AV:A/PR:L/UI:P -EQ1 = CvssDecisionPoint( - name="Equivalence Set 1", - key="EQ1", - description="AV/PR/UI with 3 levels specified in Table 24", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: AV:P or not(AV:N or PR:N or UI:N)", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: AV:N and PR:N and UI:N", - ), - ], -) - -# EQ2 → AC/AT with 2 levels specified in Table 25 -# Levels Constraints Highest Severity Vector(s) -# 0 AC:L and AT:N AC:L/AT:N -# 1 not (AC:L and AT:N) AC:L/AT:P or AC:H/AT:N -EQ2 = CvssDecisionPoint( - name="Equivalence Set 2", - key="EQ2", - description="AC/AT with 2 levels specified in Table 25", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="1: not (AC:L and AT:N)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: AC:L and AT:N", - ), - ], -) - - -# EQ3 → VC/VI/VA with 3 levels specified in Table 26 -# Levels Constraints Highest Severity Vector(s) -# 0 VC:H and VI:H VC:H/VI:H/VA:H -# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H) VC:L/VI:H/VA:H or VC:H/VI:L/VA:H -# 2 not (VC:H or VI:H or VA:H) VC:L/VI:L/VA:L -EQ3 = CvssDecisionPoint( - name="Equivalence Set 3", - key="EQ3", - description="VC/VI/VA with 3 levels specified in Table 26", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: not (VC:H or VI:H or VA:H)", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: VC:H and VI:H", - ), - ], -) - - -# EQ4 → SC/SI/SA with 3 levels specified in Table 27 -# 0 MSI:S or MSA:S SC:H/SI:S/SA:S -# 1 not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) SC:H/SI:H/SA:H -# 2 not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) SC:L/SI:L/SA:L -EQ4 = CvssDecisionPoint( - name="Equivalence Set 4", - key="EQ4", - description="SC/SI/SA with 3 levels specified in Table 27", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: MSI:S or MSA:S", - ), - ], -) - - -# EQ5 → E with 3 levels specified in Table 28 -# 0 E:A E:A -# 1 E:P E:P -# 2 E:U E:U -EQ5 = CvssDecisionPoint( - name="Equivalence Set 5", - key="EQ5", - description="E with 3 levels specified in Table 28", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: E:U", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: E:P", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: E:A", - ), - ], -) - -# EQ6 → VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29 -# 0 (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) VC:H/VI:H/VA:H/CR:H/IR:H/AR:H -# 1 not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H or VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M or VC:L/VI:L/VA:L/CR:H/IR:H/AR:H -EQ6 = CvssDecisionPoint( - name="Equivalence Set 6", - key="EQ6", - description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)", - ), - ], -) - - -def main(): - for dp in [EQ1, EQ2, EQ3, EQ4, EQ5, EQ6]: - print(dp.to_json(indent=2)) - - -if __name__ == "__main__": - main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_1.py b/src/ssvc/decision_points/cvss/equivalence_set_1.py new file mode 100644 index 00000000..6e832210 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_1.py @@ -0,0 +1,66 @@ +#!/usr/bin/env python +""" +Provides an object representing the CVSS Equivalence Set 1 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +TWO = SsvcDecisionPointValue( + name="Low", + key="L", + description="2: AV:P or not(AV:N or PR:N or UI:N)", +) + +ONE = SsvcDecisionPointValue( + name="Medium", + key="M", + description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P", +) + +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: AV:N and PR:N and UI:N", +) + +# EQ1 → AV/PR/UI with 3 levels specified in Table 24 +# Levels Constraints Highest Severity Vector(s) +# 0 AV:N and PR:N and UI:N AV:N/PR:N/UI:N +# 1 (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N:/UI:P +# 2 AV:P or not(AV:N or PR:N or UI:N) AV:P/PR:N/UI:N or AV:A/PR:L/UI:P +EQ1 = CvssDecisionPoint( + name="Equivalence Set 1", + key="EQ1", + description="AV/PR/UI with 3 levels specified in Table 24", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, + ), +) + +VERSIONS = (EQ1,) +LATEST = EQ1 + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_2.py b/src/ssvc/decision_points/cvss/equivalence_set_2.py new file mode 100644 index 00000000..b20e1cd1 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_2.py @@ -0,0 +1,57 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 2 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ2 → AC/AT with 2 levels specified in Table 25 +# Levels Constraints Highest Severity Vector(s) +# 0 AC:L and AT:N AC:L/AT:N +# 1 not (AC:L and AT:N) AC:L/AT:P or AC:H/AT:N +ONE = SsvcDecisionPointValue( + name="Low", + key="L", + description="1: not (AC:L and AT:N)", +) +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: AC:L and AT:N", +) + +EQ2 = CvssDecisionPoint( + name="Equivalence Set 2", + key="EQ2", + description="AC/AT with 2 levels specified in Table 25", + version="1.0.0", + values=( + ONE, + ZERO, + ), +) + +VERSIONS = (EQ2,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_3.py b/src/ssvc/decision_points/cvss/equivalence_set_3.py new file mode 100644 index 00000000..5d551b39 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_3.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 3 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ3 → VC/VI/VA with 3 levels specified in Table 26 +# Levels Constraints Highest Severity Vector(s) +# 0 VC:H and VI:H VC:H/VI:H/VA:H +# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H) VC:L/VI:H/VA:H or VC:H/VI:L/VA:H +# 2 not (VC:H or VI:H or VA:H) VC:L/VI:L/VA:L +TWO = SsvcDecisionPointValue( + name="Low", + key="L", + description="2: not (VC:H or VI:H or VA:H)", +) +ONE = SsvcDecisionPointValue( + name="Medium", + key="M", + description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)", +) +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: VC:H and VI:H", +) + +EQ3 = CvssDecisionPoint( + name="Equivalence Set 3", + key="EQ3", + description="VC/VI/VA with 3 levels specified in Table 26", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, + ), +) + + +VERSIONS = (EQ3,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_4.py b/src/ssvc/decision_points/cvss/equivalence_set_4.py new file mode 100644 index 00000000..c7caf550 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_4.py @@ -0,0 +1,62 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 4 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ4 → SC/SI/SA with 3 levels specified in Table 27 +# 0 MSI:S or MSA:S SC:H/SI:S/SA:S +# 1 not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) SC:H/SI:H/SA:H +# 2 not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) SC:L/SI:L/SA:L +TWO = SsvcDecisionPointValue( + name="Low", + key="L", + description="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)", +) +ONE = SsvcDecisionPointValue( + name="Medium", + key="M", + description="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)", +) +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: MSI:S or MSA:S", +) +EQ4 = CvssDecisionPoint( + name="Equivalence Set 4", + key="EQ4", + description="SC/SI/SA with 3 levels specified in Table 27", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, + ), +) + +VERSIONS = (EQ4,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_5.py b/src/ssvc/decision_points/cvss/equivalence_set_5.py new file mode 100644 index 00000000..30e3fdba --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_5.py @@ -0,0 +1,50 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 5 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ5 → E with 3 levels specified in Table 28 +# 0 E:A E:A +# 1 E:P E:P +# 2 E:U E:U +TWO = SsvcDecisionPointValue(name="Low", key="L", description="2: E:U", ) +ONE = SsvcDecisionPointValue(name="Medium", key="M", description="1: E:P", ) +ZERO = SsvcDecisionPointValue(name="High", key="H", description="0: E:A", ) +EQ5 = CvssDecisionPoint( + name="Equivalence Set 5", + key="EQ5", + description="E with 3 levels specified in Table 28", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, +), +) + + +VERSIONS = (EQ5,) +LATEST = VERSIONS[-1] + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_6.py b/src/ssvc/decision_points/cvss/equivalence_set_6.py new file mode 100644 index 00000000..4b4887c8 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_6.py @@ -0,0 +1,49 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 6 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ6 → VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29 +# 0 (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) VC:H/VI:H/VA:H/CR:H/IR:H/AR:H +# 1 not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H or VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M or VC:L/VI:L/VA:L/CR:H/IR:H/AR:H +ONE = SsvcDecisionPointValue(name="Low", key="L", + description="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)", ) +ZERO = SsvcDecisionPointValue(name="High", key="H", + description="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)", ) +EQ6 = CvssDecisionPoint( + name="Equivalence Set 6", + key="EQ6", + description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", + version="1.0.0", + values=( + ONE, + ZERO, + ), +) + +VERSIONS = (EQ6,) +LATEST = VERSIONS[-1] + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() + diff --git a/src/ssvc/decision_points/cvss/exploitability.py b/src/ssvc/decision_points/cvss/exploit_maturity.py similarity index 96% rename from src/ssvc/decision_points/cvss/exploitability.py rename to src/ssvc/decision_points/cvss/exploit_maturity.py index 06815614..2a3eee2a 100644 --- a/src/ssvc/decision_points/cvss/exploitability.py +++ b/src/ssvc/decision_points/cvss/exploit_maturity.py @@ -3,7 +3,7 @@ Model the CVSS Exploitability and Exploit Code Maturity metrics as SSVC decision points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs @@ -177,16 +180,17 @@ ), ) -versions = [ +VERSIONS = ( EXPLOITABILITY_1, EXPLOITABILITY_1_1, EXPLOIT_CODE_MATURITY_1_2, EXPLOIT_MATURITY_2, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/helpers.py b/src/ssvc/decision_points/cvss/helpers.py index 6e2e4ba9..25782192 100644 --- a/src/ssvc/decision_points/cvss/helpers.py +++ b/src/ssvc/decision_points/cvss/helpers.py @@ -2,7 +2,7 @@ """ Provides helpers for working with CVSS decision points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -34,7 +34,7 @@ def _modify_3(dp: SsvcDecisionPoint): names = [v.name for v in values] if nd.name not in names: values.append(nd) - _dp.values = tuple(values) + _dp.values = list(values) return _dp @@ -98,7 +98,7 @@ def _modify_4(dp: SsvcDecisionPoint): ) values = list(_dp.values) values.append(_SAFETY) - _dp.values = tuple(values) + _dp.values = list(values) return _dp diff --git a/src/ssvc/decision_points/cvss/impact_bias.py b/src/ssvc/decision_points/cvss/impact_bias.py index 744e3576..ad113083 100644 --- a/src/ssvc/decision_points/cvss/impact_bias.py +++ b/src/ssvc/decision_points/cvss/impact_bias.py @@ -2,7 +2,7 @@ """ Model the CVSS Impact Bias as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -59,13 +59,12 @@ Defines Normal, Confidentiality, Integrity, and Availability values for CVSS Impact Bias. """ -versions = [ - IMPACT_BIAS_1, -] +VERSIONS = (IMPACT_BIAS_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/integrity_impact.py b/src/ssvc/decision_points/cvss/integrity_impact.py index 1a78dcd3..6cc2584c 100644 --- a/src/ssvc/decision_points/cvss/integrity_impact.py +++ b/src/ssvc/decision_points/cvss/integrity_impact.py @@ -3,7 +3,7 @@ Models the CVSS Integrity Impact metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -113,11 +113,11 @@ ) -INTEGRITY_IMPACT_2_0_1 = CvssDecisionPoint( - name="Integrity Impact", +INTEGRITY_IMPACT_3_0_0 = CvssDecisionPoint( + name="Integrity Impact to the Vulnerable System", description="This metric measures the impact to integrity of a successfully exploited vulnerability.", - key="I", - version="2.0.1", + key="VI", + version="3.0.0", values=( _II_NONE_3, _II_LOW_2, @@ -125,11 +125,13 @@ ), ) -versions = [INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, INTEGRITY_IMPACT_2_0_1] + +VERSIONS = (INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, INTEGRITY_IMPACT_3_0_0) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/integrity_requirement.py b/src/ssvc/decision_points/cvss/integrity_requirement.py index a5c5eba5..fed364a6 100644 --- a/src/ssvc/decision_points/cvss/integrity_requirement.py +++ b/src/ssvc/decision_points/cvss/integrity_requirement.py @@ -3,7 +3,7 @@ Models the CVSS Integrity Requirement metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs @@ -98,7 +101,7 @@ description="This metric enables the consumer to customize the assessment depending on the importance of the " "affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", key="IR", - version="1.0.1", + version="1.1.1", values=( _LOW_2, _MEDIUM_2, @@ -107,15 +110,16 @@ ), ) -versions = [ +VERSIONS = ( INTEGRITY_REQUIREMENT_1, INTEGRITY_REQUIREMENT_1_1, INTEGRITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/privileges_required.py b/src/ssvc/decision_points/cvss/privileges_required.py index 62313e28..e9cb0ea5 100644 --- a/src/ssvc/decision_points/cvss/privileges_required.py +++ b/src/ssvc/decision_points/cvss/privileges_required.py @@ -2,7 +2,7 @@ """ Models the CVSS Privileges Required metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -101,11 +101,12 @@ ), ) -versions = [PRIVILEGES_REQUIRED_1, PRIVILEGES_REQUIRED_1_0_1] +VERSIONS = (PRIVILEGES_REQUIRED_1, PRIVILEGES_REQUIRED_1_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/qualitative_severity.py b/src/ssvc/decision_points/cvss/qualitative_severity.py new file mode 100644 index 00000000..23358fe7 --- /dev/null +++ b/src/ssvc/decision_points/cvss/qualitative_severity.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python +""" +Provides a decision point for the [CVSS Qualitative Severity Rating Scale](https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale). +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +QS_NONE = SsvcDecisionPointValue( + name="None", + key="N", + description="No severity rating (0.0)", +) + +LOW = SsvcDecisionPointValue( + name="Low", + key="L", + description="Low (0.1 - 3.9)", +) +MEDIUM = SsvcDecisionPointValue( + name="Medium", + key="M", + description="Medium (4.0 - 6.9)", +) +HIGH = SsvcDecisionPointValue( + name="High", + key="H", + description="High (7.0 - 8.9)", +) +CRITICAL = SsvcDecisionPointValue( + name="Critical", + key="C", + description="Critical (9.0 - 10.0)", +) + +QUALITATIVE_SEVERITY = CvssDecisionPoint( + name="CVSS Qualitative Severity Rating Scale", + key="QS", + description="The CVSS Qualitative Severity Rating Scale provides " + "a categorical representation of a CVSS Score.", + version="1.0.0", + values=( + QS_NONE, + LOW, + MEDIUM, + HIGH, + CRITICAL, + ), +) + +VERSIONS = (QUALITATIVE_SEVERITY,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/remediation_level.py b/src/ssvc/decision_points/cvss/remediation_level.py index adc7a5a1..73a031ef 100644 --- a/src/ssvc/decision_points/cvss/remediation_level.py +++ b/src/ssvc/decision_points/cvss/remediation_level.py @@ -3,7 +3,7 @@ Models the CVSS Remediation Level metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -84,11 +84,12 @@ Adds Not Defined to the CVSS Remediation Level decision point. """ -versions = [REMEDIATION_LEVEL_1, REMEDIATION_LEVEL_1_1] +VERSIONS = (REMEDIATION_LEVEL_1, REMEDIATION_LEVEL_1_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/report_confidence.py b/src/ssvc/decision_points/cvss/report_confidence.py index 7c87f076..93ea24fc 100644 --- a/src/ssvc/decision_points/cvss/report_confidence.py +++ b/src/ssvc/decision_points/cvss/report_confidence.py @@ -3,7 +3,7 @@ Models the CVSS Report Confidence metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs @@ -123,15 +126,16 @@ """ -versions = [ +VERSIONS = ( REPORT_CONFIDENCE_1, REPORT_CONFIDENCE_1_1, REPORT_CONFIDENCE_2, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/scope.py b/src/ssvc/decision_points/cvss/scope.py index b6cf95a8..9eaf0b35 100644 --- a/src/ssvc/decision_points/cvss/scope.py +++ b/src/ssvc/decision_points/cvss/scope.py @@ -3,7 +3,7 @@ Models CVSS Scope as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -49,13 +49,12 @@ Defines Changed and Unchanged values for CVSS Scope. """ -versions = [ - SCOPE_1, -] +VERSIONS = (SCOPE_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py index 927e9326..1a4cf449 100644 --- a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py @@ -2,7 +2,7 @@ """ CVSS Subsequent system availability impact decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -44,7 +44,7 @@ SUBSEQUENT_AVAILABILITY_IMPACT_1 = CvssDecisionPoint( - name="Subsequent Availability Impact", + name="Availability Impact to the Subsequent System", description="This metric measures the impact on availability a successful exploit of the vulnerability will have " "on the Subsequent System.", key="SA", @@ -56,13 +56,12 @@ ), ) -versions = [ - SUBSEQUENT_AVAILABILITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_AVAILABILITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py index a8bd1fc4..413dc803 100644 --- a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py @@ -2,7 +2,7 @@ """ CVSS Subsequent System Confidentiality Impact """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -57,13 +57,12 @@ ), ) -versions = [ - SUBSEQUENT_CONFIDENTIALITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_CONFIDENTIALITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py index 3d885aa2..4a2efbf5 100644 --- a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py @@ -2,7 +2,7 @@ """ CVSS Subsequent System Integrity Impact Decision Point """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -60,13 +60,12 @@ ), ) -versions = [ - SUBSEQUENT_INTEGRITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_INTEGRITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/__init__.py b/src/ssvc/decision_points/cvss/supplemental/__init__.py index 1c16ef64..b281a4ee 100644 --- a/src/ssvc/decision_points/cvss/supplemental/__init__.py +++ b/src/ssvc/decision_points/cvss/supplemental/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/supplemental/automatable.py b/src/ssvc/decision_points/cvss/supplemental/automatable.py index aef2ae4f..38c1ffe2 100644 --- a/src/ssvc/decision_points/cvss/supplemental/automatable.py +++ b/src/ssvc/decision_points/cvss/supplemental/automatable.py @@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Automatable """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -16,10 +16,23 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_X from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +NO = SsvcDecisionPointValue( + name="No", + key="N", + description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " + "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", +) +YES = SsvcDecisionPointValue( + name="Yes", + key="Y", + description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " + "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " + '"wormable").', +) AUTOMATABLE_1 = CvssDecisionPoint( name="Automatable", description='The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation ' @@ -27,29 +40,18 @@ key="AU", version="1.0.0", values=( - SsvcDecisionPointValue( - name="No", - key="N", - description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " - "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", - ), - SsvcDecisionPointValue( - name="Yes", - key="Y", - description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " - "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " - '"wormable").', - ), + NO, + YES, + NOT_DEFINED_X, ), ) +VERSIONS = (AUTOMATABLE_1,) +LATEST = AUTOMATABLE_1 -def main(): - versions = [ - AUTOMATABLE_1, - ] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py index 3f0176a6..4aaeb452 100644 --- a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py +++ b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py @@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Provider Urgency as a SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -20,6 +20,26 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs +RED = SsvcDecisionPointValue( + name="Red", + key="R", + description="Provider has assessed the impact of this vulnerability as having the highest urgency.", +) +AMBER = SsvcDecisionPointValue( + name="Amber", + key="A", + description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", +) +GREEN = SsvcDecisionPointValue( + name="Green", + key="G", + description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", +) +CLEAR = SsvcDecisionPointValue( + name="Clear", + key="C", + description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", +) PROVIDER_URGENCY_1 = CvssDecisionPoint( name="Provider Urgency", description="Many vendors currently provide supplemental severity ratings to consumers via product security " @@ -30,37 +50,19 @@ version="1.0.0", values=( NOT_DEFINED_X, - # Red, Amber, Green, Clear - SsvcDecisionPointValue( - name="Red", - key="R", - description="Provider has assessed the impact of this vulnerability as having the highest urgency.", - ), - SsvcDecisionPointValue( - name="Amber", - key="A", - description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", - ), - SsvcDecisionPointValue( - name="Green", - key="G", - description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", - ), - SsvcDecisionPointValue( - name="Clear", - key="C", - description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", - ), + CLEAR, + GREEN, + AMBER, + RED, ), ) +VERSIONS = (PROVIDER_URGENCY_1,) +LATEST = PROVIDER_URGENCY_1 -def main(): - versions = [ - PROVIDER_URGENCY_1, - ] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/recovery.py b/src/ssvc/decision_points/cvss/supplemental/recovery.py index cc815c28..14ea6ef8 100644 --- a/src/ssvc/decision_points/cvss/supplemental/recovery.py +++ b/src/ssvc/decision_points/cvss/supplemental/recovery.py @@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Recovery """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -20,7 +20,22 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +AUTOMATIC = SsvcDecisionPointValue( + name="Automatic", + key="A", + description="The system recovers services automatically after an attack has been performed.", +) +USER = SsvcDecisionPointValue( + name="User", + key="U", + description="The system requires manual intervention by the user to recover services, after an attack has " + "been performed.", +) +IRRECOVERABLE = SsvcDecisionPointValue( + name="Irrecoverable", + key="I", + description="The system services are irrecoverable by the user, after an attack has been performed.", +) RECOVERY_1 = CvssDecisionPoint( name="Recovery", description="The Recovery metric describes the resilience of a system to recover services, in terms of performance " @@ -29,32 +44,18 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Automatic", - key="A", - description="The system recovers services automatically after an attack has been performed.", - ), - SsvcDecisionPointValue( - name="User", - key="U", - description="The system requires manual intervention by the user to recover services, after an attack has " - "been performed.", - ), - SsvcDecisionPointValue( - name="Irrecoverable", - key="I", - description="The system services are irrecoverable by the user, after an attack has been performed.", - ), + AUTOMATIC, + USER, + IRRECOVERABLE, ), ) +VERSIONS = (RECOVERY_1,) +LATEST = VERSIONS[-1] -def main(): - versions = [ - RECOVERY_1, - ] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/safety.py b/src/ssvc/decision_points/cvss/supplemental/safety.py index 807d677a..14152687 100644 --- a/src/ssvc/decision_points/cvss/supplemental/safety.py +++ b/src/ssvc/decision_points/cvss/supplemental/safety.py @@ -3,7 +3,7 @@ Provides CVSS v4 Supplemental Metric for Safety """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -21,6 +21,18 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs +PRESENT = SsvcDecisionPointValue( + name="Present", + key="P", + description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " + '"marginal," "critical," or "catastrophic."', +) +NEGLIGIBLE = SsvcDecisionPointValue( + name="Negligible", + key="N", + description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " + '"negligible."', +) SAFETY_1 = CvssDecisionPoint( name="Safety", description="The Safety decision point is a measure of the potential for harm to humans or the environment.", @@ -28,29 +40,17 @@ version="1.0.0", values=( NOT_DEFINED_X, - # Present, Negligible - SsvcDecisionPointValue( - name="Present", - key="P", - description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " - '"marginal," "critical," or "catastrophic."', - ), - SsvcDecisionPointValue( - name="Negligible", - key="N", - description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " - '"negligible."', - ), + PRESENT, + NEGLIGIBLE, ), ) +VERSIONS = (SAFETY_1,) +LATEST = SAFETY_1 -def main(): - versions = [ - SAFETY_1, - ] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/value_density.py b/src/ssvc/decision_points/cvss/supplemental/value_density.py index 35e61b7d..4e56c1dc 100644 --- a/src/ssvc/decision_points/cvss/supplemental/value_density.py +++ b/src/ssvc/decision_points/cvss/supplemental/value_density.py @@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Value Density """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -20,7 +20,18 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +DIFFUSE = SsvcDecisionPointValue( + name="Diffuse", + key="D", + description="The vulnerable system has limited resources. That is, the resources that the attacker will " + "gain control over with a single exploitation event are relatively small.", +) +CONCENTRATED = SsvcDecisionPointValue( + name="Concentrated", + key="C", + description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct " + 'responsibility of "system operators" rather than users.', +) VALUE_DENSITY_1 = CvssDecisionPoint( name="Value Density", description="Value Density describes the resources that the attacker will gain control over with a single " @@ -29,28 +40,17 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Diffuse", - key="D", - description="The vulnerable system has limited resources. That is, the resources that the attacker will " - "gain control over with a single exploitation event are relatively small.", - ), - SsvcDecisionPointValue( - name="Concentrated", - key="C", - description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct " - 'responsibility of "system operators" rather than users.', - ), + DIFFUSE, + CONCENTRATED, ), ) +VERSIONS = (VALUE_DENSITY_1,) +LATEST = VERSIONS[-1] -def main(): - versions = [ - VALUE_DENSITY_1, - ] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py index 13f61107..d69077ee 100644 --- a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py +++ b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py @@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Vulnerability Response Effort. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -20,7 +20,27 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +LOW = SsvcDecisionPointValue( + name="Low", + key="L", + description="The effort required to respond to a vulnerability is low/trivial.", +) +MODERATE = SsvcDecisionPointValue( + name="Moderate", + key="M", + description="The actions required to respond to a vulnerability require some effort on behalf of the " + "consumer and could cause minimal service impact to implement.", +) +HIGH = SsvcDecisionPointValue( + name="High", + key="H", + description="The actions required to respond to a vulnerability are significant and/or difficult, and may " + "possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling " + "purposes including honoring any embargo on deployment of the selected response. Alternatively, response " + "to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability " + "involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or " + "replacement).", +) VULNERABILITY_RESPONSE_EFFORT_1 = CvssDecisionPoint( name="Vulnerability Response Effort", description="The intention of the Vulnerability Response Effort metric is to provide supplemental information on " @@ -31,37 +51,18 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Low", - key="L", - description="The effort required to respond to a vulnerability is low/trivial.", - ), - SsvcDecisionPointValue( - name="Moderate", - key="M", - description="The actions required to respond to a vulnerability require some effort on behalf of the " - "consumer and could cause minimal service impact to implement.", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="The actions required to respond to a vulnerability are significant and/or difficult, and may " - "possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling " - "purposes including honoring any embargo on deployment of the selected response. Alternatively, response " - "to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability " - "involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or " - "replacement).", - ), + LOW, + MODERATE, + HIGH, ), ) +VERSIONS = (VULNERABILITY_RESPONSE_EFFORT_1,) +LATEST = VERSIONS[-1] -def main(): - versions = [ - VULNERABILITY_RESPONSE_EFFORT_1, - ] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/target_distribution.py b/src/ssvc/decision_points/cvss/target_distribution.py index 3601f07b..2f408e67 100644 --- a/src/ssvc/decision_points/cvss/target_distribution.py +++ b/src/ssvc/decision_points/cvss/target_distribution.py @@ -3,7 +3,7 @@ Models CVSS Target Distribution as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -87,14 +87,15 @@ Introduces Not Defined value. """ -versions = [ +VERSIONS = ( TARGET_DISTRIBUTION_1, TARGET_DISTRIBUTION_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/user_interaction.py b/src/ssvc/decision_points/cvss/user_interaction.py index f5ce27e0..02e75941 100644 --- a/src/ssvc/decision_points/cvss/user_interaction.py +++ b/src/ssvc/decision_points/cvss/user_interaction.py @@ -3,7 +3,7 @@ Models CVSS User Interaction as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -89,11 +89,12 @@ ), ) -versions = [USER_INTERACTION_1, USER_INTERACTION_2] +VERSIONS = (USER_INTERACTION_1, USER_INTERACTION_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/exploitation.py b/src/ssvc/decision_points/exploitation.py index 15034d9d..bb1a2a52 100644 --- a/src/ssvc/decision_points/exploitation.py +++ b/src/ssvc/decision_points/exploitation.py @@ -2,7 +2,7 @@ """ Provides the Exploitation decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -74,11 +74,12 @@ def _strip_spaces(s): ), ) +VERSIONS = (EXPLOITATION_1, EXPLOITATION_1_1_0) +LATEST = VERSIONS[-1] -def main(): - versions = [EXPLOITATION_1, EXPLOITATION_1_1_0] - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py index 84c61bdc..111ec8e1 100644 --- a/src/ssvc/decision_points/helpers.py +++ b/src/ssvc/decision_points/helpers.py @@ -1,8 +1,9 @@ #!/usr/bin/env python + """ Provides helper functions for working with SSVC decision points. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,21 +18,9 @@ from typing import Sequence -from ssvc.decision_points import SsvcDecisionPoint - +import semver -# Copyright (c) 2023 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +from ssvc.decision_points import SsvcDecisionPoint def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: @@ -132,10 +121,10 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: # did the value keys change? for name in intersection: - v1 = {value["name"]: value["key"] for value in dp1.to_dict()["values"]} + v1 = {value["name"]: value["key"] for value in dp1.model_dump()["values"]} v1 = v1[name] - v2 = {value["name"]: value["key"] for value in dp2.to_dict()["values"]} + v2 = {value["name"]: value["key"] for value in dp2.model_dump()["values"]} v2 = v2[name] if v1 != v2: @@ -146,10 +135,14 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: # did the value descriptions change? for name in intersection: - v1 = {value["name"]: value["description"] for value in dp1.to_dict()["values"]} + v1 = { + value["name"]: value["description"] for value in dp1.model_dump()["values"] + } v1 = v1[name] - v2 = {value["name"]: value["description"] for value in dp2.to_dict()["values"]} + v2 = { + value["name"]: value["description"] for value in dp2.model_dump()["values"] + } v2 = v2[name] if v1 != v2: @@ -162,12 +155,30 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: f"{dp2.name} v{dp2.version} value {name} description did not change" ) + v1 = semver.VersionInfo.parse(dp1.version) + v2 = semver.VersionInfo.parse(dp2.version) + if major: diffs.append(f"{dp2.name} v{dp2.version} appears to be a major change") + expected = v1.bump_major() + if v2 != expected: + diffs.append( + f"Expected version to be bumped to {expected}, but was bumped to {v2}" + ) elif minor: diffs.append(f"{dp2.name} v{dp2.version} appears to be a minor change") - elif patch: + expected = v1.bump_minor() + if v2 != expected: + diffs.append( + f"Expected version to be bumped to {expected}, but was bumped to {v2}" + ) + elif patch and not any([maybe_minor, maybe_major]): diffs.append(f"{dp2.name} v{dp2.version} appears to be a patch change") + expected = v1.bump_patch() + if v2 != expected: + diffs.append( + f"Expected version to be bumped to {expected}, but was bumped to {v2}" + ) if maybe_new_obj: diffs.append( @@ -176,13 +187,23 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: ) if not major: + check_possible = False + possible1 = v1.bump_major() + possible2 = v1.bump_minor() if maybe_major: diffs.append( - f"{dp2.name} v{dp2.version} could be a major change depending on context" + f"{dp2.name} v{dp2.version} could be a major change ({v1} -> {possible1}) depending on context" ) + check_possible = True if maybe_minor: diffs.append( - f"{dp2.name} v{dp2.version} could be a minor change depending on context" + f"{dp2.name} v{dp2.version} could be a minor change ({v1} -> {possible2}) depending on context" + ) + check_possible = True + # did one of possible1 or possible2 match v2? + if check_possible and v2 not in [possible1, possible2]: + diffs.append( + f"Expected version to be bumped to {possible1} or {possible2}, but was bumped to {v2}" ) if not any([major, minor, patch, maybe_major, maybe_minor]): @@ -213,7 +234,7 @@ def print_versions_and_diffs(versions: Sequence[SsvcDecisionPoint]) -> None: None """ for version in versions: - print(version.to_json(indent=2)) + print(version.model_dump_json(indent=2)) show_diffs(versions) diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py index 9cf95f96..35d2c9d4 100644 --- a/src/ssvc/decision_points/high_value_asset.py +++ b/src/ssvc/decision_points/high_value_asset.py @@ -1,8 +1,9 @@ #!/usr/bin/env python + """ Models a high value asset as a decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -16,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +42,12 @@ ), ) +VERSIONS = (HIGH_VALUE_ASSET_1,) +LATEST = VERSIONS[-1] + def main(): - print(HIGH_VALUE_ASSET_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py index bc3c48ad..ac2deac0 100644 --- a/src/ssvc/decision_points/human_impact.py +++ b/src/ssvc/decision_points/human_impact.py @@ -1,8 +1,9 @@ #!/usr/bin/env python + """ Provides the Human Impact decision point and its values. """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -119,11 +120,16 @@ ), ) +VERSIONS = ( + MISSION_AND_WELL_BEING_IMPACT_1, + HUMAN_IMPACT_2, + HUMAN_IMPACT_2_0_1, +) +LATEST = VERSIONS[-1] + def main(): - versions = (MISSION_AND_WELL_BEING_IMPACT_1, HUMAN_IMPACT_2, HUMAN_IMPACT_2_0_1) - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/in_kev.py b/src/ssvc/decision_points/in_kev.py index 70772dba..31466aaa 100644 --- a/src/ssvc/decision_points/in_kev.py +++ b/src/ssvc/decision_points/in_kev.py @@ -2,7 +2,7 @@ """ Provides a decision point representing whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -16,6 +16,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +41,12 @@ ), ) +VERSIONS = (IN_KEV_1,) +LATEST = VERSIONS[-1] + def main(): - print(IN_KEV_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/mission_impact.py b/src/ssvc/decision_points/mission_impact.py index 299657ff..d0a3a132 100644 --- a/src/ssvc/decision_points/mission_impact.py +++ b/src/ssvc/decision_points/mission_impact.py @@ -1,11 +1,10 @@ #!/usr/bin/env python + """ -file: mission_impact -author: adh -created_at: 9/21/23 10:20 AM +Provides the Mission Impact decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -81,11 +80,12 @@ values=(DEGRADED, MEF_CRIPPLED, MEF_FAILURE, MISSION_FAILURE), ) +VERSIONS = (MISSION_IMPACT_1, MISSION_IMPACT_2) +LATEST = VERSIONS[-1] -def main(): - versions = (MISSION_IMPACT_1, MISSION_IMPACT_2) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index 73998bcc..8bf55920 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -1,4 +1,10 @@ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +#!/usr/bin/env python + +""" +Provides the Mission Prevalence decision point and its values. +""" + +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -46,7 +52,9 @@ ), ) +VERSIONS = (MISSION_PREVALENCE,) +LATEST = VERSIONS[-1] + if __name__ == "__main__": - versions = (MISSION_PREVALENCE,) - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) diff --git a/src/ssvc/decision_points/public_safety_impact.py b/src/ssvc/decision_points/public_safety_impact.py index cb857797..54df0a8e 100644 --- a/src/ssvc/decision_points/public_safety_impact.py +++ b/src/ssvc/decision_points/public_safety_impact.py @@ -1,9 +1,10 @@ #!/usr/bin/env python + """ Provides the Public Safety Impact decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -108,14 +109,16 @@ ), ) +VERSIONS = ( + PUBLIC_WELL_BEING_IMPACT_1, + PUBLIC_SAFETY_IMPACT_2, + PUBLIC_SAFETY_IMPACT_2_0_1, +) +LATEST = VERSIONS[-1] + def main(): - versions = ( - PUBLIC_WELL_BEING_IMPACT_1, - PUBLIC_SAFETY_IMPACT_2, - PUBLIC_SAFETY_IMPACT_2_0_1, - ) - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/public_value_added.py b/src/ssvc/decision_points/public_value_added.py index 6f8158de..87b4700a 100644 --- a/src/ssvc/decision_points/public_value_added.py +++ b/src/ssvc/decision_points/public_value_added.py @@ -1,9 +1,10 @@ #!/usr/bin/env python + """ This module provides the Public Value Added decision point for the Stakeholder Specific Vulnerability Categorization (SSVC) framework. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -46,10 +47,12 @@ ) -def main(): - versions = (PUBLIC_VALUE_ADDED_1,) +VERSIONS = (PUBLIC_VALUE_ADDED_1,) +LATEST = VERSIONS[-1] - print_versions_and_diffs(versions) + +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py index 93ff6c4b..1e4cf105 100644 --- a/src/ssvc/decision_points/report_credibility.py +++ b/src/ssvc/decision_points/report_credibility.py @@ -1,9 +1,10 @@ #!/usr/bin/env python + """ Provides the SSVC Report Credibility Decision Point """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs NOT_CREDIBLE = SsvcDecisionPointValue( name="Not Credible", @@ -41,9 +43,12 @@ ), ) +VERSIONS = (REPORT_CREDIBILITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(REPORT_CREDIBILITY_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py index 7947e1fb..a072e185 100644 --- a/src/ssvc/decision_points/report_public.py +++ b/src/ssvc/decision_points/report_public.py @@ -1,8 +1,9 @@ #!/usr/bin/env python + """ Provides the SSVC Report Public Decision Point """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -16,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +42,12 @@ ), ) +VERSIONS = (REPORT_PUBLIC_1,) +LATEST = VERSIONS[-1] + def main(): - print(REPORT_PUBLIC_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/safety_impact.py b/src/ssvc/decision_points/safety_impact.py index 691263c2..5a5c16ae 100644 --- a/src/ssvc/decision_points/safety_impact.py +++ b/src/ssvc/decision_points/safety_impact.py @@ -1,9 +1,10 @@ #!/usr/bin/env python + """ Provides the Safety Impact decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -158,10 +159,12 @@ ) -def main(): - versions = (SAFETY_IMPACT_1, SAFETY_IMPACT_2) +VERSIONS = (SAFETY_IMPACT_1, SAFETY_IMPACT_2) +LATEST = VERSIONS[-1] - print_versions_and_diffs(versions) + +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py index ebde9d27..934ebfdf 100644 --- a/src/ssvc/decision_points/supplier_cardinality.py +++ b/src/ssvc/decision_points/supplier_cardinality.py @@ -1,10 +1,23 @@ #!/usr/bin/env python + """ -file: supplier_cardinality -author: adh -created_at: 9/21/23 11:20 AM +Provides the Supplier Cardinality decision point and its values. """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs MULTIPLE = SsvcDecisionPointValue( name="Multiple", @@ -29,9 +42,12 @@ ), ) +VERSIONS = (SUPPLIER_CARDINALITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_CARDINALITY_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py index eff08419..f3586008 100644 --- a/src/ssvc/decision_points/supplier_contacted.py +++ b/src/ssvc/decision_points/supplier_contacted.py @@ -1,10 +1,22 @@ #!/usr/bin/env python """ -file: supplier_contacted -author: adh -created_at: 9/21/23 11:17 AM +Provides the Supplier Engagement decision point and its values. """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -29,9 +41,12 @@ ), ) +VERSIONS = (SUPPLIER_CONTACTED_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_CONTACTED_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py index 69380931..cb0aef24 100644 --- a/src/ssvc/decision_points/supplier_engagement.py +++ b/src/ssvc/decision_points/supplier_engagement.py @@ -1,11 +1,24 @@ #!/usr/bin/env python + """ -file: supplier_engagement -author: adh -created_at: 9/21/23 11:22 AM +Provides the Supplier Engagement decision point and its values. """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs UNRESPONSIVE = SsvcDecisionPointValue( name="Unresponsive", @@ -30,9 +43,12 @@ ), ) +VERSIONS = (SUPPLIER_ENGAGEMENT_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_ENGAGEMENT_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py index afc3ce07..823afd4d 100644 --- a/src/ssvc/decision_points/supplier_involvement.py +++ b/src/ssvc/decision_points/supplier_involvement.py @@ -1,11 +1,23 @@ #!/usr/bin/env python """ -file: supplier_involvement -author: adh -created_at: 9/21/23 11:28 AM +Provides the Supplier Involvement decision point and its values. """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs UNCOOPERATIVE = SsvcDecisionPointValue( name="Uncooperative/Unresponsive", @@ -37,9 +49,12 @@ ), ) +VERSIONS = (SUPPLIER_INVOLVEMENT_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_INVOLVEMENT_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py index 61dc6766..9f0c813a 100644 --- a/src/ssvc/decision_points/system_exposure.py +++ b/src/ssvc/decision_points/system_exposure.py @@ -1,10 +1,23 @@ #!/usr/bin/env python + """ -file: exposure -author: adh -created_at: 9/21/23 10:16 AM +Provides the System Exposure decision point and its values. """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs EXP_UNAVOIDABLE = SsvcDecisionPointValue( name="Unavoidable", @@ -64,10 +77,12 @@ ), ) +VERSIONS = (SYSTEM_EXPOSURE_1, SYSTEM_EXPOSURE_1_0_1) +LATEST = VERSIONS[-1] + def main(): - print(SYSTEM_EXPOSURE_1.to_json(indent=2)) - print(SYSTEM_EXPOSURE_1_0_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py index da042f62..3fa10eff 100644 --- a/src/ssvc/decision_points/technical_impact.py +++ b/src/ssvc/decision_points/technical_impact.py @@ -1,10 +1,24 @@ #!/usr/bin/env python + """ -file: technical_impact -author: adh -created_at: 9/21/23 9:49 AM +Provides the Technical Impact decision point and its values. """ + +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs TOTAL = SsvcDecisionPointValue( name="Total", @@ -29,9 +43,12 @@ ), ) +VERSIONS = (TECHNICAL_IMPACT_1,) +LATEST = VERSIONS[-1] + def main(): - print(TECHNICAL_IMPACT_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py index 9aace78a..10b43924 100644 --- a/src/ssvc/decision_points/utility.py +++ b/src/ssvc/decision_points/utility.py @@ -1,6 +1,10 @@ #!/usr/bin/env python -# Copyright (c) 2024 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors + +""" +Provides the Utility decision point and its values. +""" + +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed @@ -28,7 +32,9 @@ ) LABORIOUS_2 = SsvcDecisionPointValue( - name="Laborious", key="L", description="Automatable:No AND Value Density:Diffuse" + name="Laborious", + key="L", + description="Automatable:No AND Value Density:Diffuse", ) SUPER_EFFECTIVE = SsvcDecisionPointValue( @@ -44,7 +50,9 @@ ) LABORIOUS = SsvcDecisionPointValue( - name="Laborious", key="L", description="Virulence:Slow and Value Density:Diffuse" + name="Laborious", + key="L", + description="Virulence:Slow and Value Density:Diffuse", ) UTILITY_1 = SsvcDecisionPoint( @@ -71,11 +79,12 @@ ), ) +VERSIONS = (UTILITY_1, UTILITY_1_0_1) +LATEST = VERSIONS[-1] -def main(): - versions = (UTILITY_1, UTILITY_1_0_1) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py index eac48a13..81b9fd14 100644 --- a/src/ssvc/decision_points/value_density.py +++ b/src/ssvc/decision_points/value_density.py @@ -1,10 +1,23 @@ #!/usr/bin/env python """ -file: value_density -author: adh -created_at: 9/21/23 10:01 AM +Provides the Value Density decision point and its values. """ + +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs CONCENTRATED = SsvcDecisionPointValue( name="Concentrated", @@ -29,9 +42,12 @@ ), ) +VERSIONS = (VALUE_DENSITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(VALUE_DENSITY_1.to_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/doc_helpers.py b/src/ssvc/doc_helpers.py new file mode 100644 index 00000000..16a48bc8 --- /dev/null +++ b/src/ssvc/doc_helpers.py @@ -0,0 +1,144 @@ +#!/usr/bin/env python +""" +file: doc_helpers +author: adh +created_at: 2/14/25 2:54 PM +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points.base import SsvcDecisionPoint + +MD_TABLE_ROW_TEMPLATE = "| {value.name} | {value.description} |" + + +def markdown_table(dp: SsvcDecisionPoint, indent: int = 0) -> str: + """ + Generate a markdown table for a decision point. + + Args: + dp (SsvcDecisionPoint): The decision point to generate a markdown table for. + + Returns: + str: The markdown table. + """ + rows = [] + # prepend the header + _indent = " " * indent + rows.append(f"{_indent}{dp.description}") + rows.append("") + rows.append(f"{_indent}| Value | Definition |") + rows.append(f"{_indent}|:-----|:-----------|") + + # add a row for each value + for value in dp.values: + rows.append(_indent + MD_TABLE_ROW_TEMPLATE.format(value=value)) + + return "\n".join(rows) + + +def example_block_tabbed(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + rows.append(indent_ + '=== "Table"') + rows.append("") + for row in markdown_table(dp, indent=4).splitlines(): + rows.append(indent_ + row) + rows.append("") + + rows.append(indent_ + '=== "JSON"') + rows.append("") + for row in json_example(dp, indent=4).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def example_block( + dp: SsvcDecisionPoint, indent: int = 4, include_json: bool = True +) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * indent + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + for row in markdown_table(dp).splitlines(): + rows.append(indent_ + row) + rows.append("") + + if include_json: + rows.append(indent_ + f'??? example "{dp.name} v{dp.version} JSON Example"') + rows.append("") + for row in json_example(dp, indent=4).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def prior_version(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + rows.append("") + for row in markdown_table(dp, indent=0).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def json_example(dp, indent=0): + """ + Generate a markdown block that contains a JSON example. + + Args: + dp: the decision point object + jstr: + collapsible: + + Returns: + + """ + indent_ = " " * indent + json_rows = [ + indent_ + "```json", + ] + + jstr = dp.model_dump_json(indent=2).strip() + + for line in jstr.splitlines(): + json_rows.append(indent_ + line) + + json_rows.append( + indent_ + "```", + ) + json_block = "\n".join(json_rows) + return json_block + + +def main(): + pass + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py index 5baca11b..93b4591c 100644 --- a/src/ssvc/doctools.py +++ b/src/ssvc/doctools.py @@ -1,5 +1,5 @@ #!/usr/bin/env python -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -15,27 +15,28 @@ Provides tools to assist with generating documentation for SSVC decision points. Writes the following files for each decision point: -- a markdown table that can be used in the decision point documentation - a json example that can be used in the decision point documentation -- a markdown file that builds an insert using mkdocs tabs to switch between the markdown description and the json - example Examples To generate the documentation for the decision points, use the following command: - python -m ssvc.doctools --overwrite --outdir ./tmp/md_out --jsondir ./tmp/json_out` + python -m ssvc.doctools --overwrite --jsondir ./tmp/json_out` To regenerate the existing docs, use the following command: - python -m ssvc.doctools --overwrite --outdir docs/_generated/decision_points --jsondir data/json/decision_points + python -m ssvc.doctools --overwrite --jsondir data/json/decision_points """ import logging import os -from ssvc.decision_points.base import REGISTERED_DECISION_POINTS, SsvcDecisionPoint -from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa +import ssvc.dp_groups.cvss.collections # noqa +import ssvc.dp_groups.ssvc.collections # noqa +from ssvc.decision_points.base import ( + REGISTERED_DECISION_POINTS, + SsvcDecisionPoint, +) logger = logging.getLogger(__name__) @@ -53,49 +54,6 @@ def _filename_friendly(name: str) -> str: return name.lower().replace(" ", "_").replace(".", "_") -MD_TABLE_ROW_TEMPLATE = "| {value.name} | {value.description} |" - -# indent by 4 spaces to make it a code block -MD_INCLUDE_TEMPLATE = """ -!!! note "{dp.name} v{dp.version}" - -=== "Text" - -{table} - -=== "JSON" - - ```json - {{% include "{json_file}" %}} - ``` -""" - - -def to_markdown_table(dp: SsvcDecisionPoint) -> str: - """ - Generate a markdown table for a decision point. - - Args: - dp (SsvcDecisionPoint): The decision point to generate a markdown table for. - - Returns: - str: The markdown table. - """ - rows = [] - # prepend the header - rows.append(f" {dp.description}") - rows.append("") - indent = " " * 4 - rows.append(f"{indent}| Value | Definition |") - rows.append(f"{indent}|:-----|:-----------|") - - # add a row for each value - for value in dp.values: - rows.append(indent + MD_TABLE_ROW_TEMPLATE.format(value=value)) - - return "\n".join(rows) - - # create a runtime context that ensures that dir exists class EnsureDirExists: """ @@ -134,9 +92,8 @@ def remove_if_exists(file): logger.debug(f"File {file} does not exist, nothing to remove") -def dump_decision_point( - jsondir: str, outdir: str, dp: SsvcDecisionPoint, overwrite: bool -) -> dict: +def dump_decision_point(jsondir: str, dp: SsvcDecisionPoint, overwrite: bool +) -> None: """ Generate the markdown table, json example, and markdown table file for a decision point. @@ -152,69 +109,10 @@ def dump_decision_point( - symlink: The path to the symlink that points to the markdown table file. - json_file: The path to the json example file. """ - # - generate markdown table # make dp.name safe for use in a filename basename = _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" # - generate json example - json_file = dump_json(basename, dp, jsondir, overwrite) - - # - generate markdown table file - r = dump_markdown(basename, dp, json_file, outdir, overwrite) - r["json_file"] = json_file - return r - - -def dump_markdown( - basename: str, dp: SsvcDecisionPoint, json_file: str, outdir: str, overwrite: bool -) -> dict: - """ - Generate the markdown table file for a decision point. - - Args: - basename (str): The basename of the markdown table file. - dp (SsvcDecisionPoint): The decision point to generate documentation for. - json_file (str): The path to the json example file. - outdir (str): The directory to write the markdown table file to. - overwrite (bool): Whether to overwrite existing files. - - Returns: - dict: A dictionary with the following keys: - - include_file: The path to the markdown table file. - - symlink: The path to the symlink that points to the markdown table file. - """ - include_file = f"{outdir}/{basename}.md" - - relative_json_file = os.path.relpath(json_file, outdir) - - if overwrite: - remove_if_exists(include_file) - with EnsureDirExists(outdir): - try: - with open(include_file, "x") as f: - formatted_template = MD_INCLUDE_TEMPLATE.format( - dp=dp, - json_file=relative_json_file, - table=(to_markdown_table(dp)), - ) - f.write(formatted_template) - except FileExistsError: - logger.warning( - f"File {include_file} already exists, use --overwrite to replace" - ) - - # update the symlink - # because we don't want to have to edit each markdown file every time something changes - symlink = f"{outdir}/{_filename_friendly(dp.name)}.md" - remove_if_exists(symlink) - relative_md_file = os.path.relpath(include_file, outdir) - os.symlink(relative_md_file, symlink) - - result = { - "include_file": include_file, - "symlink": symlink, - } - - return result + dump_json(basename, dp, jsondir, overwrite) def dump_json( @@ -232,13 +130,24 @@ def dump_json( Returns: str: The path to the json example file. """ - json_file = f"{jsondir}/{basename}.json" + # if namespace is ssvc, it goes in jsondir + filename = f"{basename}.json" + parts = [ + jsondir, + ] + if dp.namespace != "ssvc": + parts.append(_filename_friendly(dp.namespace)) + parts.append(filename) + + json_file = os.path.join(*parts) + if overwrite: remove_if_exists(json_file) with EnsureDirExists(jsondir): try: with open(json_file, "x") as f: - f.write(dp.to_json(indent=2)) + f.write(dp.model_dump_json(indent=2)) + f.write("\n") # newline at end of file except FileExistsError: logger.warning( f"File {json_file} already exists, use --overwrite to replace" @@ -266,19 +175,17 @@ def main(): default=False, ) - parser.add_argument("--outdir", help="output directory", default="./tmp/md_out") parser.add_argument( "--jsondir", help="json output directory", default="./tmp/json_out" ) args = parser.parse_args() overwrite = args.overwrite - outdir = args.outdir jsondir = args.jsondir # for each decision point: for dp in REGISTERED_DECISION_POINTS: - dump_decision_point(jsondir, outdir, dp, overwrite) + dump_decision_point(jsondir, dp, overwrite) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/__init__.py b/src/ssvc/dp_groups/__init__.py index 90a47e3a..216dc3ea 100644 --- a/src/ssvc/dp_groups/__init__.py +++ b/src/ssvc/dp_groups/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/dp_groups/base.py b/src/ssvc/dp_groups/base.py index 3c37512b..d198a0df 100644 --- a/src/ssvc/dp_groups/base.py +++ b/src/ssvc/dp_groups/base.py @@ -4,7 +4,7 @@ author: adh created_at: 9/20/23 4:47 PM """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,23 +17,18 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass -from typing import Iterable - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Versioned from ssvc.decision_points.base import SsvcDecisionPoint -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPointGroup(_Base, _Versioned): +class SsvcDecisionPointGroup(_Base, _Versioned, BaseModel): """ Models a group of decision points. """ - decision_points: Iterable[SsvcDecisionPoint] + decision_points: list[SsvcDecisionPoint] def __iter__(self): """ @@ -45,11 +40,13 @@ def __len__(self): """ Allow len() to be called on the group. """ - return len(self.decision_points) + dplist = list(self.decision_points) + l = len(dplist) + return l def get_all_decision_points_from( - *groups: Iterable[SsvcDecisionPointGroup], + *groups: list[SsvcDecisionPointGroup], ) -> list[SsvcDecisionPoint]: """ Given a list of SsvcDecisionPointGroup objects, return a list of all diff --git a/src/ssvc/dp_groups/cvss/__init__.py b/src/ssvc/dp_groups/cvss/__init__.py index 7b9251b9..29615765 100644 --- a/src/ssvc/dp_groups/cvss/__init__.py +++ b/src/ssvc/dp_groups/cvss/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py index e7adf706..55e3c300 100644 --- a/src/ssvc/dp_groups/cvss/collections.py +++ b/src/ssvc/dp_groups/cvss/collections.py @@ -2,7 +2,7 @@ """ Models CVSS vectors as SSVC decision point groups """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -28,11 +28,14 @@ ATTACK_VECTOR_3, ATTACK_VECTOR_3_0_1, ) -from ssvc.decision_points.cvss.authentication import AUTHENTICATION_1, AUTHENTICATION_2 +from ssvc.decision_points.cvss.authentication import ( + AUTHENTICATION_1, + AUTHENTICATION_2, +) from ssvc.decision_points.cvss.availability_impact import ( AVAILABILITY_IMPACT_1, AVAILABILITY_IMPACT_2, - AVAILABILITY_IMPACT_2_0_1, + AVAILABILITY_IMPACT_3_0_0, ) from ssvc.decision_points.cvss.availability_requirement import ( AVAILABILITY_REQUIREMENT_1, @@ -46,15 +49,20 @@ from ssvc.decision_points.cvss.confidentiality_impact import ( CONFIDENTIALITY_IMPACT_1, CONFIDENTIALITY_IMPACT_2, - CONFIDENTIALITY_IMPACT_2_0_1, + CONFIDENTIALITY_IMPACT_3_0_0, ) from ssvc.decision_points.cvss.confidentiality_requirement import ( CONFIDENTIALITY_REQUIREMENT_1, CONFIDENTIALITY_REQUIREMENT_1_1, CONFIDENTIALITY_REQUIREMENT_1_1_1, ) -from ssvc.decision_points.cvss.eq_sets import EQ1, EQ2, EQ3, EQ4, EQ5, EQ6 -from ssvc.decision_points.cvss.exploitability import ( +from ssvc.decision_points.cvss.equivalence_set_1 import EQ1 +from ssvc.decision_points.cvss.equivalence_set_2 import EQ2 +from ssvc.decision_points.cvss.equivalence_set_3 import EQ3 +from ssvc.decision_points.cvss.equivalence_set_4 import EQ4 +from ssvc.decision_points.cvss.equivalence_set_5 import EQ5 +from ssvc.decision_points.cvss.equivalence_set_6 import EQ6 +from ssvc.decision_points.cvss.exploit_maturity import ( EXPLOITABILITY_1, EXPLOITABILITY_1_1, EXPLOIT_CODE_MATURITY_1_2, @@ -65,7 +73,7 @@ from ssvc.decision_points.cvss.integrity_impact import ( INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, - INTEGRITY_IMPACT_2_0_1, + INTEGRITY_IMPACT_3_0_0, ) from ssvc.decision_points.cvss.integrity_requirement import ( INTEGRITY_REQUIREMENT_1, @@ -96,10 +104,14 @@ SUBSEQUENT_INTEGRITY_IMPACT_1, ) from ssvc.decision_points.cvss.supplemental.automatable import AUTOMATABLE_1 -from ssvc.decision_points.cvss.supplemental.provider_urgency import PROVIDER_URGENCY_1 +from ssvc.decision_points.cvss.supplemental.provider_urgency import ( + PROVIDER_URGENCY_1, +) from ssvc.decision_points.cvss.supplemental.recovery import RECOVERY_1 from ssvc.decision_points.cvss.supplemental.safety import SAFETY_1 -from ssvc.decision_points.cvss.supplemental.value_density import VALUE_DENSITY_1 +from ssvc.decision_points.cvss.supplemental.value_density import ( + VALUE_DENSITY_1, +) from ssvc.decision_points.cvss.supplemental.vulnerability_response_effort import ( VULNERABILITY_RESPONSE_EFFORT_1, ) @@ -261,9 +273,9 @@ USER_INTERACTION_2, ] _IMPACT_4 = [ - CONFIDENTIALITY_IMPACT_2_0_1, - INTEGRITY_IMPACT_2_0_1, - AVAILABILITY_IMPACT_2_0_1, + CONFIDENTIALITY_IMPACT_3_0_0, + INTEGRITY_IMPACT_3_0_0, + AVAILABILITY_IMPACT_3_0_0, SUBSEQUENT_CONFIDENTIALITY_IMPACT_1, SUBSEQUENT_INTEGRITY_IMPACT_1, SUBSEQUENT_AVAILABILITY_IMPACT_1, @@ -366,7 +378,7 @@ def main(): CVSSv4, ]: print(f"## {group.name} v{group.version}") - print(group.to_json(indent=2)) + print(group.model_dump_json(indent=2)) print() diff --git a/src/ssvc/dp_groups/ssvc/__init__.py b/src/ssvc/dp_groups/ssvc/__init__.py index ebb125a0..37d9487d 100644 --- a/src/ssvc/dp_groups/ssvc/__init__.py +++ b/src/ssvc/dp_groups/ssvc/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/dp_groups/ssvc/collections.py b/src/ssvc/dp_groups/ssvc/collections.py index 006d824a..c7b2b527 100644 --- a/src/ssvc/dp_groups/ssvc/collections.py +++ b/src/ssvc/dp_groups/ssvc/collections.py @@ -2,7 +2,7 @@ """ Provides collections of decision points for each version of the SSVC. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -16,10 +16,19 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University -from ssvc.dp_groups.base import SsvcDecisionPointGroup, get_all_decision_points_from -from ssvc.dp_groups.ssvc.coordinator_publication import COORDINATOR_PUBLICATION_1 +from ssvc.dp_groups.base import ( + SsvcDecisionPointGroup, + get_all_decision_points_from, +) +from ssvc.dp_groups.ssvc.coordinator_publication import ( + COORDINATOR_PUBLICATION_1, +) from ssvc.dp_groups.ssvc.coordinator_triage import COORDINATOR_TRIAGE_1 -from ssvc.dp_groups.ssvc.deployer import DEPLOYER_2, DEPLOYER_3, PATCH_APPLIER_1 +from ssvc.dp_groups.ssvc.deployer import ( + DEPLOYER_2, + DEPLOYER_3, + PATCH_APPLIER_1, +) from ssvc.dp_groups.ssvc.supplier import PATCH_DEVELOPER_1, SUPPLIER_2 @@ -27,7 +36,9 @@ name="SSVCv1", description="The first version of the SSVC.", version="1.0.0", - decision_points=get_all_decision_points_from(PATCH_APPLIER_1, PATCH_DEVELOPER_1), + decision_points=get_all_decision_points_from( + PATCH_APPLIER_1, PATCH_DEVELOPER_1 + ), ) SSVCv2 = SsvcDecisionPointGroup( name="SSVCv2", @@ -49,7 +60,7 @@ def main(): for dpg in [SSVCv1, SSVCv2, SSVCv2_1]: - print(dpg.to_json(indent=2)) + print(dpg.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/coordinator_publication.py b/src/ssvc/dp_groups/ssvc/coordinator_publication.py index 90258406..35423fd9 100644 --- a/src/ssvc/dp_groups/ssvc/coordinator_publication.py +++ b/src/ssvc/dp_groups/ssvc/coordinator_publication.py @@ -4,7 +4,7 @@ author: adh created_at: 9/21/23 11:40 AM """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -45,7 +45,7 @@ def main(): - print(COORDINATOR_PUBLICATION_1.to_json(indent=2)) + print(COORDINATOR_PUBLICATION_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/coordinator_triage.py b/src/ssvc/dp_groups/ssvc/coordinator_triage.py index 8a8f52e5..2fedb785 100644 --- a/src/ssvc/dp_groups/ssvc/coordinator_triage.py +++ b/src/ssvc/dp_groups/ssvc/coordinator_triage.py @@ -4,7 +4,7 @@ author: adh created_at: 9/21/23 11:40 AM """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -66,7 +66,7 @@ def main(): - print(COORDINATOR_TRIAGE_1.to_json(indent=2)) + print(COORDINATOR_TRIAGE_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/deployer.py b/src/ssvc/dp_groups/ssvc/deployer.py index feb2b4b4..76218acd 100644 --- a/src/ssvc/dp_groups/ssvc/deployer.py +++ b/src/ssvc/dp_groups/ssvc/deployer.py @@ -5,7 +5,7 @@ created_at: 9/21/23 11:40 AM """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -21,7 +21,10 @@ from ssvc.decision_points.automatable import AUTOMATABLE_2 from ssvc.decision_points.exploitation import EXPLOITATION_1 from ssvc.decision_points.human_impact import HUMAN_IMPACT_2 -from ssvc.decision_points.mission_impact import MISSION_IMPACT_1, MISSION_IMPACT_2 +from ssvc.decision_points.mission_impact import ( + MISSION_IMPACT_1, + MISSION_IMPACT_2, +) from ssvc.decision_points.safety_impact import SAFETY_IMPACT_1 from ssvc.decision_points.system_exposure import ( SYSTEM_EXPOSURE_1, @@ -121,9 +124,9 @@ def main(): - print(PATCH_APPLIER_1.to_json(indent=2)) - print(DEPLOYER_2.to_json(indent=2)) - print(DEPLOYER_3.to_json(indent=2)) + print(PATCH_APPLIER_1.model_dump_json(indent=2)) + print(DEPLOYER_2.model_dump_json(indent=2)) + print(DEPLOYER_3.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/supplier.py b/src/ssvc/dp_groups/ssvc/supplier.py index b245d035..05fb092c 100644 --- a/src/ssvc/dp_groups/ssvc/supplier.py +++ b/src/ssvc/dp_groups/ssvc/supplier.py @@ -5,7 +5,7 @@ created_at: 9/21/23 11:41 AM """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -91,8 +91,8 @@ def main(): - print(PATCH_DEVELOPER_1.to_json(indent=2)) - print(SUPPLIER_2.to_json(indent=2)) + print(PATCH_DEVELOPER_1.model_dump_json(indent=2)) + print(SUPPLIER_2.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/md_gen.py b/src/ssvc/md_gen.py new file mode 100644 index 00000000..beca4fcd --- /dev/null +++ b/src/ssvc/md_gen.py @@ -0,0 +1,154 @@ +#!/usr/bin/env python +""" +file: md_gen +author: adh +created_at: 2/17/25 4:25 PM +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +import os + + +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + + +def cutfname(fname): + # foo_bar_1_0_0 -> foo_bar + parts = fname.split("_") + parts_ = [] + + for part in parts: + if part.isnumeric(): + break + parts_.append(part) + + return "_".join(parts_) + + +PAGE_TOP_TEMPLATE = """# {dp_name} + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.{module} import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` +""" + +PAGE_BOTTOM_TEMPLATE = """## Previous Versions + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.{module} import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\\n---\\n") +``` +""" + + +def snake_to_title(s): + return " ".join([w.capitalize() for w in s.split("_")]) + + +def main(): + # add overwrite command line argument + import argparse + + parser = argparse.ArgumentParser( + description="Generate decision point documentation" + ) + parser.add_argument( + "--overwrite", + action="store_true", + help="overwrite existing files", + default=False, + ) + + parser.add_argument( + "--outdir", + help="output directory", + default="../../docs/reference/decision_points/cvss", + ) + + parser.add_argument( + "--jsondir", + help="json directory", + default="../../data/json/decision_points/cvss", + ) + + args = parser.parse_args() + + json_dir = args.jsondir + json_files = sorted(os.listdir(json_dir)) + print(json_files) + + dp_fnames = sorted(list(set([cutfname(f) for f in json_files]))) + print(dp_fnames) + + md_dir = args.outdir + os.makedirs(md_dir, exist_ok=True) + + for dp_fname in dp_fnames: + + fname = dp_fname + ".md" + path = os.path.join(md_dir, fname) + + if os.path.exists(path): + if not args.overwrite: + # skip if file already exists + continue + else: + os.remove(path) + + # does the module exist? + module = f"ssvc.decision_points.cvss.{dp_fname}" + try: + # try to import the module + mod = __import__(module) + print(f"Module {mod} exists") + except ImportError: + print(f"Module {module} does not exist") + continue + + with open(os.path.join(md_dir, fname), "w") as f: + f.write( + PAGE_TOP_TEMPLATE.format( + dp_name=snake_to_title(dp_fname), module=dp_fname + ) + ) + f.write("\n") + if len(mod.VERSIONS) > 1: + f.write("\n") + f.write(PAGE_BOTTOM_TEMPLATE.format(module=dp_fname)) + f.write("\n") + + pass + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/outcomes/__init__.py b/src/ssvc/outcomes/__init__.py index 063e8a7a..37d9487d 100644 --- a/src/ssvc/outcomes/__init__.py +++ b/src/ssvc/outcomes/__init__.py @@ -1 +1,12 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py index 09235be2..11eaf873 100644 --- a/src/ssvc/outcomes/base.py +++ b/src/ssvc/outcomes/base.py @@ -2,7 +2,7 @@ """ Provides outcome group and outcome value classes for SSVC. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -15,30 +15,23 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass -from typing import Iterable +from pydantic import BaseModel -from dataclasses_json import dataclass_json +from ssvc._mixins import _Base, _Keyed, _Versioned -from ssvc._mixins import _Base, _Keyed - -@dataclass_json -@dataclass(kw_only=True) -class OutcomeValue(_Base, _Keyed): +class OutcomeValue(_Base, _Keyed, BaseModel): """ Models a single value option for an SSVC outcome. """ -@dataclass_json -@dataclass(kw_only=True) -class OutcomeGroup(_Base): +class OutcomeGroup(_Base, _Versioned, BaseModel): """ Models an outcome group. """ - outcomes: Iterable[OutcomeValue] + outcomes: list[OutcomeValue] def __iter__(self): """ @@ -50,6 +43,8 @@ def __len__(self): """ Allow len() to be called on the group. """ - return len(self.outcomes) + olist = list(self.outcomes) + l = len(olist) + return l # register all instances diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py index 0da720a5..5326b6d9 100644 --- a/src/ssvc/outcomes/groups.py +++ b/src/ssvc/outcomes/groups.py @@ -2,7 +2,7 @@ """ Provides a set of outcome groups for use in SSVC. """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -23,6 +23,7 @@ DSOI = OutcomeGroup( name="Defer, Scheduled, Out-of-Cycle, Immediate", description="The original SSVC outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Defer", key="D", description="Defer"), OutcomeValue(name="Scheduled", key="S", description="Scheduled"), @@ -37,8 +38,11 @@ PUBLISH = OutcomeGroup( name="Publish, Do Not Publish", description="The publish outcome group.", + version="1.0.0", outcomes=( - OutcomeValue(name="Do Not Publish", key="N", description="Do Not Publish"), + OutcomeValue( + name="Do Not Publish", key="N", description="Do Not Publish" + ), OutcomeValue(name="Publish", key="P", description="Publish"), ), ) @@ -49,6 +53,7 @@ COORDINATE = OutcomeGroup( name="Decline, Track, Coordinate", description="The coordinate outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Decline", key="D", description="Decline"), OutcomeValue(name="Track", key="T", description="Track"), @@ -62,6 +67,7 @@ MOSCOW = OutcomeGroup( name="Must, Should, Could, Won't", description="The Moscow outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Won't", key="W", description="Won't"), OutcomeValue(name="Could", key="C", description="Could"), @@ -76,6 +82,7 @@ EISENHOWER = OutcomeGroup( name="Do, Schedule, Delegate, Delete", description="The Eisenhower outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Delete", key="D", description="Delete"), OutcomeValue(name="Delegate", key="G", description="Delegate"), @@ -90,6 +97,7 @@ CVSS = OutcomeGroup( name="CVSS Levels", description="The CVSS outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Low", key="L", description="Low"), OutcomeValue(name="Medium", key="M", description="Medium"), @@ -105,6 +113,7 @@ name="CISA Levels", description="The CISA outcome group. " "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + version="1.0.0", outcomes=( OutcomeValue( name="Track", @@ -144,6 +153,7 @@ YES_NO = OutcomeGroup( name="Yes, No", description="The Yes/No outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="No", key="N", description="No"), OutcomeValue(name="Yes", key="Y", description="Yes"), @@ -156,10 +166,13 @@ VALUE_COMPLEXITY = OutcomeGroup( name="Value, Complexity", description="The Value/Complexity outcome group.", + version="1.0.0", outcomes=( # drop, reconsider later, easy win, do first OutcomeValue(name="Drop", key="D", description="Drop"), - OutcomeValue(name="Reconsider Later", key="R", description="Reconsider Later"), + OutcomeValue( + name="Reconsider Later", key="R", description="Reconsider Later" + ), OutcomeValue(name="Easy Win", key="E", description="Easy Win"), OutcomeValue(name="Do First", key="F", description="Do First"), ), @@ -171,9 +184,12 @@ THE_PARANOIDS = OutcomeGroup( name="theParanoids", description="PrioritizedRiskRemediation outcome group based on TheParanoids.", + version="1.0.0", outcomes=( OutcomeValue(name="Track 5", key="5", description="Track"), - OutcomeValue(name="Track Closely 4", key="4", description="Track Closely"), + OutcomeValue( + name="Track Closely 4", key="4", description="Track Closely" + ), OutcomeValue(name="Attend 3", key="3", description="Attend"), OutcomeValue(name="Attend 2", key="2", description="Attend"), OutcomeValue(name="Act 1", key="1", description="Act"), diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py index b52e20b1..38e75f01 100644 --- a/src/ssvc/policy_generator.py +++ b/src/ssvc/policy_generator.py @@ -3,7 +3,7 @@ Provides a Policy Generator class for SSVC decision point groups. """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -19,7 +19,6 @@ import itertools import logging import math -from typing import List, Tuple import networkx as nx import pandas as pd @@ -48,7 +47,7 @@ def __init__( self, dp_group: SsvcDecisionPointGroup = None, outcomes: OutcomeGroup = None, - outcome_weights: List[float] = None, + outcome_weights: list[float] = None, validate: bool = False, ): """ @@ -87,15 +86,17 @@ def __init__( # validate that the outcome weights sum to 1.0 total = sum(outcome_weights) if not math.isclose(total, 1.0): - raise ValueError(f"Outcome weights must sum to 1.0, but sum to {total}") + raise ValueError( + f"Outcome weights must sum to 1.0, but sum to {total}" + ) self.outcome_weights = outcome_weights logger.debug(f"Outcome weights: {self.outcome_weights}") self.policy: pd.DataFrame = None self.G: nx.DiGraph = nx.DiGraph() - self.top: Tuple[int] = None - self.bottom: Tuple[int] = None + self.top: tuple[int] = None + self.bottom: tuple[int] = None self._enumerated_vec = None self._check_valid_paths = validate @@ -203,7 +204,9 @@ def _assign_outcomes(self): logger.debug(f"Layer count: {len(layers)}") logger.debug(f"Layer sizes: {[len(layer) for layer in layers]}") - outcome_counts = [round(node_count * weight) for weight in self.outcome_weights] + outcome_counts = [ + round(node_count * weight) for weight in self.outcome_weights + ] toposort = list(nx.topological_sort(self.G)) logger.debug(f"Toposort: {toposort[:4]}...{toposort[-4:]}") @@ -292,11 +295,15 @@ def _confirm_topological_order(self, node_order: list) -> None: # all nodes must be in the graph for node in node_order: if node not in self.G.nodes: - raise ValueError(f"Node order contains node {node} not in the graph") + raise ValueError( + f"Node order contains node {node} not in the graph" + ) for node in self.G.nodes: if node not in node_order: - raise ValueError(f"Graph contains node {node} not in the node order") + raise ValueError( + f"Graph contains node {node} not in the node order" + ) node_idx = {node: i for i, node in enumerate(node_order)} @@ -353,7 +360,9 @@ def main(): ) with PolicyGenerator( - dp_group=dpg, outcomes=DSOI, outcome_weights=[0.097, 0.583, 0.278, 0.042] + dp_group=dpg, + outcomes=DSOI, + outcome_weights=[0.097, 0.583, 0.278, 0.042], ) as pg: pg.emit_policy() diff --git a/src/ssvc_v2.py b/src/ssvc_v2.py index 9b73caae..01f041bf 100644 --- a/src/ssvc_v2.py +++ b/src/ssvc_v2.py @@ -1,38 +1,49 @@ #!/usr/bin/env python -''' +""" file: ssvc_v2 author: adh created_at: 3/23/21 3:23 PM -''' +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University import os + import pandas as pd -DATAPATH="../data/csvs" +DATAPATH = "../data/csvs" PATHS = { - 'coord_pub': os.path.join(DATAPATH,"coord-publish-options.csv"), - 'coord_triage': os.path.join(DATAPATH,"coord-triage-options.csv"), - 'deployer': os.path.join(DATAPATH,"deployer-options.csv"), - 'supplier': os.path.join(DATAPATH,"supplier-options.csv"), + "coord_pub": os.path.join(DATAPATH, "coord-publish-options.csv"), + "coord_triage": os.path.join(DATAPATH, "coord-triage-options.csv"), + "deployer": os.path.join(DATAPATH, "deployer-options.csv"), + "supplier": os.path.join(DATAPATH, "supplier-options.csv"), } DEFAULTS = { - 'coord_pub': { + "coord_pub": { # An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches # in the appropriate places for public PoCs and active exploitation (as described above) and found none. "Exploitation": "none", }, - 'coord_triage': { - - }, - 'deployer': { + "coord_triage": {}, + "deployer": { # An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches # in the appropriate places for public PoCs and active exploitation (as described above) and found none. "Exploitation": "none", - "Exposure": "unavoidable" + "Exposure": "unavoidable", }, - 'supplier': { + "supplier": { # An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches # in the appropriate places for public PoCs and active exploitation (as described above) and found none. "Exploitation": "none", @@ -40,28 +51,30 @@ } # confirm that PATHS and DEFAULTS keys match -assert(set(PATHS.keys()) == set(DEFAULTS.keys())) +assert set(PATHS.keys()) == set(DEFAULTS.keys()) + def _load_csvs(path_dict): data = {} - for key,path in path_dict.items(): + for key, path in path_dict.items(): df = pd.read_csv(path) data[key] = df return data + DATA = _load_csvs(PATHS) # confirm that PATHS and DATA keys match -assert(set(PATHS.keys()) == set(DATA.keys())) +assert set(PATHS.keys()) == set(DATA.keys()) -def lookup(key, query_dict,use_defaults=True): +def lookup(key, query_dict, use_defaults=True): # get the full table df = DATA[key] if use_defaults: # copy the defaults before we use them - defaults = DEFAULTS.get(key,{}) + defaults = DEFAULTS.get(key, {}) q = dict(defaults) else: q = {} @@ -69,21 +82,22 @@ def lookup(key, query_dict,use_defaults=True): q.update(query_dict) # with each pass, slice the table - for k,v in q.items(): + for k, v in q.items(): df = df.loc[df[k] == v] return df -def outcome_dist(df,normalize=True): - ''' + +def outcome_dist(df, normalize=True): + """ Given a dataframe representing an SSVC tree fragment, compute and return the distribution of outcomes - ''' - return df['Priority'].value_counts(normalize=normalize) + """ + return df["Priority"].value_counts(normalize=normalize) def main(): - for key,df in DATA.items(): + for key, df in DATA.items(): print(key, df.columns) print() @@ -91,24 +105,25 @@ def main(): "Utility": "laborious", "Public_Safety_Impact": "minimal", } - df = lookup('coord_triage',query) + df = lookup("coord_triage", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) print() - query = {'Value added': "precedence"} - df = lookup('coord_pub',query) + query = {"Value added": "precedence"} + df = lookup("coord_pub", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) print() query = {"Public-Safety Impact": "minimal"} - df = lookup('supplier',query) + df = lookup("supplier", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) + -if __name__ == '__main__': +if __name__ == "__main__": main() diff --git a/src/test/__init__.py b/src/test/__init__.py index cf0a9163..35c6fca4 100644 --- a/src/test/__init__.py +++ b/src/test/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/test/test_csv_analyzer.py b/src/test/test_csv_analyzer.py index b010367a..81be7572 100644 --- a/src/test/test_csv_analyzer.py +++ b/src/test/test_csv_analyzer.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -26,7 +26,8 @@ def test_col_norm(self): # fold to lowercase self.assertEqual(acsv._col_norm("Exploitation"), "exploitation") self.assertEqual( - acsv._col_norm("AbcdEfghIjklmnOpqrstUvwxYz"), "abcdefghijklmnopqrstuvwxyz" + acsv._col_norm("AbcdEfghIjklmnOpqrstUvwxYz"), + "abcdefghijklmnopqrstuvwxyz", ) # replace strings of non-alphanumeric characters with underscores @@ -40,7 +41,12 @@ def test_imp_df(self): # imp_df should return a dataframe with the column names and feature importances # sorted in descending order by feature importance - column_names = ["exploitation", "human_impact", "automatable", "exposure"] + column_names = [ + "exploitation", + "human_impact", + "automatable", + "exposure", + ] importances = [0.347222, 0.291667, 0.180556, 0.166667] df = acsv._imp_df(column_names, importances) self.assertEqual(df["feature"][0], "exploitation") @@ -81,7 +87,9 @@ def test_drop_col_feat_imp(self): ) def test_split_data(self): - df = pd.DataFrame({"A": [1, 2, 3, 4], "B": [5, 6, 7, 8], "C": [9, 10, 11, 12]}) + df = pd.DataFrame( + {"A": [1, 2, 3, 4], "B": [5, 6, 7, 8], "C": [9, 10, 11, 12]} + ) x, y = acsv._split_data(df, "C") self.assertTrue(x.equals(df.drop("C", axis=1))) diff --git a/src/test/test_cvss_helpers.py b/src/test/test_cvss_helpers.py index 70f0fb4b..a5dd413e 100644 --- a/src/test/test_cvss_helpers.py +++ b/src/test/test_cvss_helpers.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/test/test_doc_helpers.py b/src/test/test_doc_helpers.py new file mode 100644 index 00000000..76b217f4 --- /dev/null +++ b/src/test/test_doc_helpers.py @@ -0,0 +1,85 @@ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +import unittest + +from ssvc.decision_points import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.doc_helpers import example_block, markdown_table + + +class MyTestCase(unittest.TestCase): + def setUp(self): + self.dp = SsvcDecisionPoint( + namespace="test", + name="test name", + description="test description", + key="TK", + version="1.0.0", + values=( + SsvcDecisionPointValue( + name="A", key="A", description="A Definition" + ), + SsvcDecisionPointValue( + name="B", key="B", description="B Definition" + ), + ), + ) + + def tearDown(self): + pass + + def test_markdown_table(self): + result = markdown_table(self.dp) + + expected = ( + "test description\n" + "\n" + "| Value | Definition |\n" + "|:-----|:-----------|\n" + "| A | A Definition |\n" + "| B | B Definition |" + ) + + self.assertEqual(result, expected) + + indented = markdown_table(self.dp, indent=4) + + expected_indented = ( + " test description\n" + "\n" + " | Value | Definition |\n" + " |:-----|:-----------|\n" + " | A | A Definition |\n" + " | B | B Definition |" + ) + + self.assertEqual(indented, expected_indented) + + def test_example_block(self): + + result = example_block(self.dp) + + self.assertIn("!!! note", result) + self.assertIn("\n | Value | Definition |", result) + self.assertIn("\n | A | A Definition |", result) + self.assertIn("\n | B | B Definition |", result) + self.assertIn("\n ??? example", result) + self.assertIn("\n ```json", result) + + for value in self.dp.values: + self.assertIn(value.name, result) + self.assertIn(value.description, result) + + +if __name__ == "__main__": + unittest.main() diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index a41095cd..c59226a5 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -22,9 +22,7 @@ _filename_friendly, dump_decision_point, dump_json, - dump_markdown, remove_if_exists, - to_markdown_table, ) _dp_dict = { @@ -42,7 +40,7 @@ class MyTestCase(unittest.TestCase): def setUp(self) -> None: - self.dp = SsvcDecisionPoint.from_dict(_dp_dict) + self.dp = SsvcDecisionPoint.model_validate(_dp_dict) # create a temp working dir self.tempdir = tempfile.TemporaryDirectory() @@ -60,18 +58,6 @@ def test__filename_friendly(self): # lowercase the string self.assertEqual("foo_bar", _filename_friendly("Foo.Bar")) - def test_to_markdown_table(self): - dp = self.dp - - table = to_markdown_table(dp) - self.assertIn(dp.description, table) - # self.assertIn(dp.name, table) - # self.assertIn(dp.version, table) - for value in dp.values: - self.assertIn(value.name, table) - self.assertIn(value.description, table) - self.assertIn(value.key, table) - def test_ensure_dir_exists(self): path = os.path.join(self.tempdir.name, "foo") self.assertFalse(os.path.exists(path)) @@ -98,76 +84,26 @@ def test_remove_if_exists(self): def test_dump_decision_point(self): jsondir = os.path.join(self.tempdir.name, "json") - outdir = os.path.join(self.tempdir.name, "out") dp = self.dp overwrite = False + # should create the files in the expected places + self.assertFalse(os.path.exists(jsondir)) self.assertEqual(0, len(os.listdir(self.tempdir.name))) - # should create the files in the expected places - r = dump_decision_point(jsondir, outdir, dp, overwrite) - self.assertTrue(os.path.exists(r["include_file"])) - self.assertTrue(os.path.exists(r["symlink"])) - self.assertTrue(os.path.exists(r["json_file"])) + r = dump_decision_point(jsondir, dp, overwrite) - # not checking these thoroughly, just making sure they are there - # because they are tested elsewhere in dump_markdown and dump_json + self.assertTrue(os.path.exists(jsondir)) + self.assertIn("json", os.listdir(self.tempdir.name)) + self.assertEqual(1, len(os.listdir(jsondir))) - def test_dump_markdown(self): - # dump_markdown should create a file, write to it, and then create a generic symlink - basename = "foo" - dp = self.dp - json_file = os.path.join(self.tempdir.name, f"{basename}.json") - outdir = self.tempdir.name - overwrite = False + file_created = os.listdir(jsondir)[0] - # should create the file in the expected place - include_file = os.path.join(outdir, f"{basename}.md") - symlink = os.path.join(outdir, f"{_filename_friendly(dp.name)}.md") - - self.assertFalse(os.path.exists(include_file)) - self.assertFalse(os.path.exists(symlink)) - r = dump_markdown(basename, dp, json_file, outdir, overwrite) - self.assertTrue(os.path.exists(include_file)) - - self.assertEqual(include_file, r["include_file"]) - self.assertEqual(symlink, r["symlink"]) - - # the file contains text based on the dp - with open(include_file, "r") as f: - text = f.read() - - self.assertIn(dp.description, text) - self.assertIn(dp.name, text) - self.assertIn(dp.version, text) - for value in dp.values: - self.assertIn(value.name, text) - self.assertIn(value.description, text) - self.assertIn(value.key, text) - - # should create the symlink in the expected place - self.assertTrue(os.path.exists(symlink), symlink) - # should be a symlink - self.assertTrue(os.path.islink(symlink)) - # should point to the include file - self.assertEqual(os.path.realpath(symlink), os.path.realpath(include_file)) + for word in dp.name.split(): + self.assertIn(word.lower(), file_created) - # should not overwrite the file - overwrite = False - # capture logger output - with self.assertLogs() as cm: - dump_markdown(basename, dp, json_file, outdir, overwrite) - # logger warns that the file exists - self.assertIn("already exists", cm.output[0]) - - # should overwrite the file - overwrite = True - dp.name = "Different Decision Point" - # capture logger output - with self.assertLogs(level=logging.DEBUG) as cm: - dump_markdown(basename, dp, json_file, outdir, overwrite) - # logger warns that the file was removed - self.assertIn("Removed", cm.output[0]) + # not checking these thoroughly, just making sure they are there + # because they are tested elsewhere in dump_markdown and dump_json def test_dump_json(self): basename = "foo" @@ -185,7 +121,7 @@ def test_dump_json(self): # file is loadable json d = json.load(open(json_file)) - for k, v in dp.to_dict().items(): + for k, v in dp.model_dump().items(): self.assertEqual(v, d[k]) # should not overwrite the file diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py index 7d0214d4..c6b580e6 100644 --- a/src/test/test_dp_base.py +++ b/src/test/test_dp_base.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -34,7 +34,7 @@ def setUp(self) -> None: key="bar", description="baz", version="1.0.0", - namespace="ns", + namespace="name1", values=tuple(self.values), ) @@ -90,30 +90,30 @@ def test_ssvc_decision_point(self): self.assertEqual(obj.key, "bar") self.assertEqual(obj.description, "baz") self.assertEqual(obj.version, "1.0.0") - self.assertEqual(obj.namespace, "ns") + self.assertEqual(obj.namespace, "name1") self.assertEqual(len(self.values), len(obj.values)) def test_ssvc_value_json_roundtrip(self): for i, obj in enumerate(self.values): - json = obj.to_json() + json = obj.model_dump_json() self.assertIsInstance(json, str) self.assertGreater(len(json), 0) - obj2 = base.SsvcDecisionPointValue.from_json(json) + obj2 = base.SsvcDecisionPointValue.model_validate_json(json) self.assertEqual(obj, obj2) def test_ssvc_decision_point_json_roundtrip(self): obj = self.dp - json = obj.to_json() + json = obj.model_dump_json() self.assertIsInstance(json, str) self.assertGreater(len(json), 0) - obj2 = base.SsvcDecisionPoint.from_json(json) + obj2 = base.SsvcDecisionPoint.model_validate_json(json) # the objects should be equal self.assertEqual(obj, obj2) - self.assertEqual(obj.to_dict(), obj2.to_dict()) + self.assertEqual(obj.model_dump(), obj2.model_dump()) if __name__ == "__main__": diff --git a/src/test/test_dp_groups.py b/src/test/test_dp_groups.py index 08c48b29..e4c2397e 100644 --- a/src/test/test_dp_groups.py +++ b/src/test/test_dp_groups.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -27,9 +27,15 @@ def setUp(self) -> None: description=f"Description of Decision Point {i}", version="1.0.0", values=( - SsvcDecisionPointValue(name="foo", key="FOO", description="foo"), - SsvcDecisionPointValue(name="bar", key="BAR", description="bar"), - SsvcDecisionPointValue(name="baz", key="BAZ", description="baz"), + SsvcDecisionPointValue( + name="foo", key="FOO", description="foo" + ), + SsvcDecisionPointValue( + name="bar", key="BAR", description="bar" + ), + SsvcDecisionPointValue( + name="baz", key="BAZ", description="baz" + ), ), ) self.dps.append(dp) @@ -40,7 +46,9 @@ def tearDown(self) -> None: def test_iter(self): # add them to a decision point group g = dpg.SsvcDecisionPointGroup( - name="Test Group", description="Test Group", decision_points=self.dps + name="Test Group", + description="Test Group", + decision_points=self.dps, ) self.assertTrue(hasattr(g, "__iter__")) @@ -52,25 +60,30 @@ def test_iter(self): def test_len(self): # add them to a decision point group g = dpg.SsvcDecisionPointGroup( - name="Test Group", description="Test Group", decision_points=self.dps + name="Test Group", + description="Test Group", + decision_points=self.dps, ) - self.assertEqual(len(self.dps), len(g.decision_points)) + self.assertGreater(len(self.dps), 0) + self.assertEqual(len(self.dps), len(list(g.decision_points))) self.assertEqual(len(self.dps), len(g)) def test_json_roundtrip(self): # add them to a decision point group g = dpg.SsvcDecisionPointGroup( - name="Test Group", description="Test Group", decision_points=self.dps + name="Test Group", + description="Test Group", + decision_points=self.dps, ) # serialize the group to json - g_json = g.to_json() + g_json = g.model_dump_json() # deserialize the json to a new group - g2 = dpg.SsvcDecisionPointGroup.from_json(g_json) + g2 = dpg.SsvcDecisionPointGroup.model_validate_json(g_json) # assert that the new group is the same as the old group - self.assertEqual(g.to_dict(), g2.to_dict()) + self.assertEqual(g_json, g2.model_dump_json()) if __name__ == "__main__": diff --git a/src/test/test_dp_helpers.py b/src/test/test_dp_helpers.py index 97e06046..3502419c 100644 --- a/src/test/test_dp_helpers.py +++ b/src/test/test_dp_helpers.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index 53e7c517..f86ae5c1 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py @@ -1,9 +1,21 @@ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + import unittest -from dataclasses import dataclass -from dataclasses_json import dataclass_json +from pydantic import BaseModel, ValidationError -from ssvc._mixins import _Base, _Keyed, _Versioned, _Namespaced +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned class TestMixins(unittest.TestCase): @@ -16,34 +28,33 @@ def test_ssvc_base_create(self): self.assertEqual(obj.description, "baz") # empty - self.assertRaises(TypeError, _Base) + self.assertRaises(ValidationError, _Base) # no name - self.assertRaises(TypeError, _Base, description="baz") + self.assertRaises(ValidationError, _Base, description="baz") # no description - self.assertRaises(TypeError, _Base, name="foo") + self.assertRaises(ValidationError, _Base, name="foo") def test_json_roundtrip(self): obj = self.obj - json = obj.to_json() + json = obj.model_dump_json() # is it a string? self.assertIsInstance(json, str) # does it look right? - self.assertEqual(json, '{"name": "foo", "description": "baz"}') + self.assertEqual(json, '{"name":"foo","description":"baz"}') # modify the raw json string json = json.replace("foo", "quux") - self.assertEqual(json, '{"name": "quux", "description": "baz"}') + self.assertEqual(json, '{"name":"quux","description":"baz"}') # does it load? - obj2 = _Base.from_json(json) + obj2 = _Base.model_validate_json(json) self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "baz") def test_asdict_roundtrip(self): - from dataclasses import asdict obj = self.obj - d = asdict(obj) + d = obj.model_dump() self.assertIsInstance(d, dict) self.assertEqual(d["name"], "foo") @@ -75,16 +86,26 @@ def test_keyed_create(self): obj = _Keyed(key="foo") self.assertEqual(obj.key, "foo") - self.assertRaises(TypeError, _Keyed) + self.assertRaises(ValidationError, _Keyed) def test_mixin_combos(self): # We need to test all the combinations mixins = [ {"class": _Keyed, "args": {"key": "fizz"}, "has_default": False}, - {"class": _Namespaced, "args": {"namespace": "buzz"}, "has_default": True}, - {"class": _Versioned, "args": {"version": "1.2.3"}, "has_default": True}, + { + "class": _Namespaced, + "args": {"namespace": "buzz"}, + "has_default": True, + }, + { + "class": _Versioned, + "args": {"version": "1.2.3"}, + "has_default": True, + }, + ] + keys_with_defaults = [ + x["args"].keys() for x in mixins if x["has_default"] ] - keys_with_defaults = [x["args"].keys() for x in mixins if x["has_default"]] # flatten the list keys_with_defaults = [ item for sublist in keys_with_defaults for item in sublist @@ -99,9 +120,7 @@ def test_mixin_combos(self): args = {k: v for x in combo for k, v in x["args"].items()} # create an object with the mixins - @dataclass_json - @dataclass(kw_only=True) - class Foo(_Base, *classes): + class Foo(_Base, *classes, BaseModel): pass # make sure it breaks if we leave out a required arg @@ -113,10 +132,14 @@ class Foo(_Base, *classes): # expect success obj = Foo(name="foo", description="baz", **args_copy) # make sure the key is defaulted - self.assertEqual(getattr(Foo, k), getattr(obj, k)) + self.assertIsNotNone(getattr(obj, k)) else: self.assertRaises( - TypeError, Foo, name="foo", description="baz", **args_copy + ValidationError, + Foo, + name="foo", + description="baz", + **args_copy, ) # instantiate the object @@ -128,19 +151,19 @@ class Foo(_Base, *classes): self.assertEqual(getattr(obj, k), v) # test json roundtrip - json = obj.to_json() + json = obj.model_dump_json() # is it a string? self.assertIsInstance(json, str) # does it look right? - self.assertIn('"name": "foo"', json) - self.assertIn('"description": "baz"', json) + self.assertIn('"name":"foo"', json) + self.assertIn('"description":"baz"', json) for k, v in args.items(): - self.assertIn(f'"{k}": "{v}"', json) + self.assertIn(f'"{k}":"{v}"', json) # change the name and description json = json.replace("foo", "quux") json = json.replace("baz", "fizz") # does it load? - obj2 = Foo.from_json(json) + obj2 = Foo.model_validate_json(json) self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "fizz") # make sure the args are set diff --git a/src/test/test_outcomes.py b/src/test/test_outcomes.py index 3645c8b1..4f5738e9 100644 --- a/src/test/test_outcomes.py +++ b/src/test/test_outcomes.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -27,8 +27,6 @@ def test_outcome_value(self): self.assertEqual(ov.description, x) def test_outcome_group(self): - ALPHABET - values = [] for x in ALPHABET: values.append(OutcomeValue(key=x, name=x, description=x)) @@ -42,10 +40,11 @@ def test_outcome_group(self): self.assertEqual(len(og), len(ALPHABET)) + og_outcomes = list(og.outcomes) for i, letter in enumerate(ALPHABET): - self.assertEqual(og.outcomes[i].key, letter) - self.assertEqual(og.outcomes[i].name, letter) - self.assertEqual(og.outcomes[i].description, letter) + self.assertEqual(og_outcomes[i].key, letter) + self.assertEqual(og_outcomes[i].name, letter) + self.assertEqual(og_outcomes[i].description, letter) if __name__ == "__main__": diff --git a/src/test/test_policy_generator.py b/src/test/test_policy_generator.py index bce92cf4..18162550 100644 --- a/src/test/test_policy_generator.py +++ b/src/test/test_policy_generator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -34,7 +34,8 @@ def setUp(self) -> None: name="test", description="test", outcomes=[ - OutcomeValue(key=c, name=c, description=c) for c in self.og_names + OutcomeValue(key=c, name=c, description=c) + for c in self.og_names ], ) self.dpg = SsvcDecisionPointGroup( @@ -317,8 +318,12 @@ def test_confirm_topological_order(self): self.assertIsNone(pg._confirm_topological_order([0, 1, 2, 3, 4, 5])) self.assertIsNone(pg._confirm_topological_order([0, 1, 3, 2, 4, 5])) - self.assertRaises(ValueError, pg._confirm_topological_order, [0, 1, 2, 4, 3, 5]) - self.assertRaises(ValueError, pg._confirm_topological_order, [0, 1, 2, 3, 5]) + self.assertRaises( + ValueError, pg._confirm_topological_order, [0, 1, 2, 4, 3, 5] + ) + self.assertRaises( + ValueError, pg._confirm_topological_order, [0, 1, 2, 3, 5] + ) if __name__ == "__main__": diff --git a/src/test/test_schema.py b/src/test/test_schema.py index 4fb346fb..a8835bf8 100644 --- a/src/test/test_schema.py +++ b/src/test/test_schema.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -13,12 +13,12 @@ import json import logging +import os import unittest import jsonschema from jsonschema import Draft202012Validator from referencing import Registry, Resource -import os import ssvc.decision_points # noqa F401 from ssvc.decision_points.base import REGISTERED_DECISION_POINTS @@ -27,19 +27,34 @@ from ssvc.decision_points.critical_software import CRITICAL_SOFTWARE_1 # noqa from ssvc.decision_points.high_value_asset import HIGH_VALUE_ASSET_1 # noqa from ssvc.decision_points.in_kev import IN_KEV_1 -from ssvc.dp_groups.cvss.collections import CVSSv1, CVSSv2, CVSSv3, CVSSv4 # noqa +from ssvc.dp_groups.cvss.collections import ( + CVSSv1, + CVSSv2, + CVSSv3, + CVSSv4, +) # noqa # importing these causes the decision points to register themselves from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa -def retrieve_local(uri): - fileuri = uri.replace("https://certcc.github.io/SSVC", os.getcwd()) - if os.path.exists(fileuri): - fh = open(fileuri) + +def retrieve_local(uri: str) -> Resource: + # retrieve_local gets called anytime we're trying to get a schema. + # Because our schemas refer to each other by https: uris, we need this function + # to load the schema from a local file instead of trying to download it from the internet + + # here we compute the path to the data directory where the schemas are stored + my_file_path = os.path.abspath(__file__) + my_dir = os.path.dirname(my_file_path) + data_path = os.path.join(my_dir, "..", "..", "data") + data_path = os.path.abspath(data_path) + + fileuri = uri.replace("https://certcc.github.io/SSVC/data", data_path) + + with open(fileuri) as fh: schema = json.load(fh) - fh.close() - return Resource.from_contents(schema) - raise FileNotFoundError(f"Could not find DEBUG path issues {fileuri}") + return Resource.from_contents(schema) + registry = Registry(retrieve=retrieve_local) @@ -75,15 +90,19 @@ def test_decision_point_validation(self): for dp in decision_points: exp = None - as_json = dp.to_json() + as_json = dp.model_dump_json() loaded = json.loads(as_json) try: - Draft202012Validator({"$ref": schema_url}, registry=registry).validate(loaded) + Draft202012Validator( + {"$ref": schema_url}, registry=registry + ).validate(loaded) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone(exp, f"Validation failed for {dp.name} {dp.version}") + self.assertIsNone( + exp, f"Validation failed for {dp.name} {dp.version}" + ) self.logger.debug( f"Validation passed for Decision Point ({dp.namespace}) {dp.name} v{dp.version}" ) @@ -92,16 +111,27 @@ def test_decision_point_group_validation(self): schema_url = "https://certcc.github.io/SSVC/data/schema/current/Decision_Point_Group.schema.json" for dpg in self.dpgs: exp = None - as_json = dpg.to_json() + as_json = dpg.model_dump_json() loaded = json.loads(as_json) try: - Draft202012Validator({"$ref": schema_url},registry=registry).validate(loaded) + Draft202012Validator( + {"$ref": schema_url}, registry=registry + ).validate(loaded) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone(exp, f"Validation failed for {dpg.name} {dpg.version}") - self.logger.debug(f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}") + self.assertIsNone( + exp, f"Validation failed for {dpg.name} {dpg.version}" + ) + self.logger.debug( + f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}" + ) + + @unittest.skip("Test not implemented") + def test_outcome_group_schema_validation(self): + # TODO: Implement test + self.fail() if __name__ == "__main__":