Refactor namespaces

[ahouseholder]

• Resolves Make OutcomeGroups interchangeable with DecisionPoints #745
• Resolves Organize data and python modules by namespace #751
• Resolves Some decision points missing in data/json/ folder #754
• Resolves Consider versioning Outcomes like Decision Points #454
• Prepares the way for resolution of We need a DecisionTable object #592 in a future PR.

This PR refactors the python module layout so that namespaced objects are organized by namespace (pushing ssvc namespace objects into their own directory so they are peers to other namespaces like cisa etc.). This results in a lot of files being renamed and a lot of python import statement changes. Some other incidental changes are also included.

Sorry the PR is so large, it was not possible to do the refactoring without touching a lot of files.

CoPilot Summary

This pull request includes updates to documentation and JSON files to improve clarity and consistency in terminology. The changes primarily involve replacing "no" with "negligible" in descriptions and updating testing instructions in the README.md file.

Documentation Updates:

• README.md: Updated testing instructions to clarify that tests run in the host OS, and removed references to Docker.

Terminology Consistency in JSON Files:

• data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json: Replaced "no impact" with "negligible impact" in the description of availability impact.
• data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json: Replaced "no loss of confidentiality" with "negligible loss of confidentiality" in the description of confidentiality impact.
• data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json: Replaced "no loss of integrity" with "negligible loss of integrity" in the description of integrity impact.

[sei-vsarvepalli]

Some duplicate keys found:

ssvc/decision_points/ssvc_/supplier_contacted.py:    key="SC",
ssvc/decision_points/ssvc_/supplier_cardinality.py:    key="SC",

ssvc/decision_points/ssvc_/supplier_involvement.py:    key="SI",
ssvc/decision_points/ssvc_/safety_impact.py:    key="SI",

ssvc/decision_points/cvss/scope.py:    key="S",
ssvc/decision_points/cvss/supplemental/safety.py:    key="S",

[sei-vsarvepalli]

There are a few strange json files, for example these 5 files for integrity requirements under CVSS.

data/json/decision_points/cvss/integrity_requirement_1_0_0.json
data/json/decision_points/cvss/integrity_requirement_1_0_1.json
data/json/decision_points/cvss/integrity_requirement_1_0_1.json
data/json/decision_points/cvss/integrity_requirement_1_1_0.json
data/json/decision_points/cvss/integrity_requirement_1_1_1.json

There are only three defined in src/ssvc/decision_points/cvss/integrity_requirement.py

INTEGRITY_REQUIREMENT_1 = CvssDecisionPoint(
    name="Integrity Requirement",
    description="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
    key="IR",
    version="1.0.0",
    values=(
        _LOW,
        _MEDIUM,
        _HIGH,
        NOT_DEFINED_ND,
    ),
)

INTEGRITY_REQUIREMENT_1_1 = CvssDecisionPoint(
    name="Integrity Requirement",
    description="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
    key="IR",
    version="1.1.0",
    values=(
        _LOW,
        _MEDIUM,
        _HIGH,
        NOT_DEFINED_X,
    ),
)

INTEGRITY_REQUIREMENT_1_1_1 = CvssDecisionPoint(
    name="Integrity Requirement",
    description="This metric enables the consumer to customize the assessment depending on the importance of the "
    "affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
    key="IR",
    version="1.1.1",
    values=(
        _LOW_2,
        _MEDIUM_2,
        _HIGH_2,
        NOT_DEFINED_X,
    ),
)

VERSIONS = (
    INTEGRITY_REQUIREMENT_1,
    INTEGRITY_REQUIREMENT_1_1,
    INTEGRITY_REQUIREMENT_1_1_1,
)

If you have way you are iterating through all the decision points, can you share it? We can completely remove data/json/decision_points folder and start over. The modified may be another one to be concerned about which provide 23 with the "Not Defined" keyword added to the CVSS decision points as a decision point value.

[ahouseholder]

@sei-vsarvepalli I think I've fixed the problems you found.

• New makefile target make regenerate_json added so it's reproducible
• Fixed up doctools.py so it's walking directories for python modules

[sei-vsarvepalli]

@sei-vsarvepalli I think I've fixed the problems you found.

• New makefile target make regenerate_json added so it's reproducible
• Fixed up doctools.py so it's walking directories for python modules

Still some issues.. The files should be generated under data/json/outcomes folder.

data/json/decision_points/x_community/theparanoids_1_0_0.json
data/json/decision_points/x_basic/yes_no_1_0_0.json
data/json/decision_points/x_basic/moscow_1_0_0.json
data/json/decision_points/x_basic/value_complexity_1_0_0.json
data/json/decision_points/x_basic/do_schedule_delegate_delete_1_0_0.json
data/json/decision_points/cisa/cisa_levels_1_0_0.json

The file src/ssvc/decision_points/ssvc/mission_prevalence.py still has

from ssvc.decision_points.ssvc_.base import SsvcDecisionPoint

We can probably delete the whole mission_prevalence.py looks like it is not used anymore anywhere. The old Mission Prevalence may be gone now?

[ahouseholder]

So the outcome groups are now decision point objects (which lets them be used as inputs to downstream decisions). Their appearance in the decision_point json dirs was intentional. This is how we can deal with "compound decision points" too.

flowchart TB

subgraph cdp[Compound Decision Point]
A
B
C
D
end

A --> D
B --> D
C --> D

D --> G
E --> G
F --> G

Loading

Mission Prevalence only ever showed up in CISA's model, so I just fixed it and moved it to the CISA namespace. I don't want to start deleting things that were used previously though, so I think it's okay to keep it for now.

[sei-vsarvepalli]

Looks good now.