CERTCC · ahouseholder · Jun 23, 2025 · Feb 25, 2025 · Feb 25, 2025 · Feb 27, 2025
@@ -3,7 +3,7 @@ MKDOCS_PORT=8765
 DOCKER_DIR=docker
 
 # Targets
-.PHONY: all test docs docker_test clean help
+.PHONY: all test docs docker_test clean help mdlint_fix up down regenerate_json
 
 all: help
 
@@ -31,6 +31,11 @@ down:
 	@echo "Stopping Docker services..."
 	pushd $(DOCKER_DIR) && docker-compose down
 
+regenerate_json:
+	@echo "Regenerating JSON files..."
+	rm -rf data/json/decision_points
+	export PYTHONPATH=$(PWD)/src && ./src/ssvc/doctools.py --jsondir=./data/json/decision_points --overwrite
+
 clean:
 	@echo "Cleaning up Docker resources..."
 	pushd $(DOCKER_DIR) && docker-compose down --rmi local || true
@@ -40,9 +45,14 @@ help:
 	@echo ""
 	@echo "Targets:"
 	@echo " all         - Display this help message"
-	@echo " mdlint_fix  - Run markdownlint with --fix"
-	@echo " test        - Run the tests in a local shell"
-	@echo " docs        - Build and run the docs Docker service"
-	@echo " docker_test - Run the tests in a Docker container"
-	@echo " clean       - Remove Docker containers and images"
-	@echo " help        - Display this help message"
+	@echo " mdlint_fix  - Run markdownlint with fix"
+	@echo " test       - Run tests locally"
+	@echo " docker_test - Run tests in Docker"
+	@echo " docs       - Build and run documentation in Docker"
+	@echo " up         - Start Docker services"
+	@echo " down       - Stop Docker services"
+	@echo " regenerate_json - Regenerate JSON files from python modules"
+	@echo " clean      - Clean up Docker resources"
+	@echo " help       - Display this help message"
+
+
@@ -140,7 +140,6 @@ Options for running the test suite are provided below.
 | Make, ~~Docker~~ | `make test` | runs in host OS |
 | ~~Make~~, ~~Docker~~ | `pytest src/test` | runs in host OS |
 
-
 ## Environment Variables
 
 If you encounter a problem with the `ssvc` module not being found, you may need to set the `PYTHONPATH` environment variable.

@@ -1,9 +1,11 @@
 {
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "name": "CISA Levels",
   "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
-  "outcomes": [
+  "namespace": "cisa",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "CISA",
+  "values": [
     {
       "key": "T",
       "name": "Track",
@@ -25,4 +27,4 @@
       "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
     }
   ]
-}
+}
@@ -0,0 +1,25 @@
+{
+  "name": "Mission Prevalence",
+  "description": "Prevalence of the mission essential functions",
+  "namespace": "cisa",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "MP",
+  "values": [
+    {
+      "key": "M",
+      "name": "Minimal",
+      "description": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
+    },
+    {
+      "key": "S",
+      "name": "Support",
+      "description": "The vulnerable component only supports MEFs for two or more entities."
+    },
+    {
+      "key": "E",
+      "name": "Essential",
+      "description": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
+    }
+  ]
+}
@@ -0,0 +1,35 @@
+{
+  "name": "CVSS Qualitative Severity Rating Scale",
+  "description": "The CVSS Qualitative Severity Rating Scale group.",
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "CVSS",
+  "values": [
+    {
+      "key": "N",
+      "name": "None",
+      "description": "None (0.0)"
+    },
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "Low (0.1-3.9)"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "Medium (4.0-6.9)"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "High (7.0-8.9)"
+    },
+    {
+      "key": "C",
+      "name": "Critical",
+      "description": "Critical (9.0-10.0)"
+    }
+  ]
+}
@@ -8,7 +8,7 @@
   "values": [
     {
       "key": "N",
-      "name": "Negligible",
+      "name": "None",
       "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
     },
     {

@@ -1,15 +1,15 @@
 {
+  "name": "Modified Availability Impact to the Subsequent System",
+  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
   "namespace": "cvss",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "schemaVersion": "1-0-1",
   "key": "MSA",
-  "name": "Modified Subsequent Availability Impact",
-  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
   "values": [
     {
       "key": "N",
       "name": "Negligible",
-      "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+      "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
     },
     {
       "key": "L",

@@ -1,25 +1,25 @@
 {
+  "name": "Modified Confidentiality Impact to the Subsequent System",
+  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
   "namespace": "cvss",
-  "version": "2.0.1",
+  "version": "1.0.1",
   "schemaVersion": "1-0-1",
-  "key": "MC",
-  "name": "Modified Confidentiality Impact",
-  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+  "key": "MSC",
   "values": [
     {
       "key": "N",
-      "name": "None",
-      "description": "There is no loss of confidentiality within the impacted component."
+      "name": "Negligible",
+      "description": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
     },
     {
       "key": "L",
       "name": "Low",
-      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
     },
     {
       "key": "H",
       "name": "High",
-      "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+      "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
     },
     {
       "key": "X",

@@ -8,7 +8,7 @@
   "values": [
     {
       "key": "N",
-      "name": "Negligible",
+      "name": "None",
       "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
     },
     {
@@ -25,11 +25,6 @@
       "key": "X",
       "name": "Not Defined",
       "description": "This metric value is not defined. See CVSS documentation for details."
-    },
-    {
-      "key": "S",
-      "name": "Safety",
-      "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
     }
   ]
 }