Skip to content

Refactor namespaces #791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ahouseholder merged 119 commits into from
Jun 23, 2025
Merged

Refactor namespaces #791

ahouseholder merged 119 commits into from
Jun 23, 2025

Conversation

@ahouseholder
Copy link
Contributor

@ahouseholder ahouseholder commented Jun 16, 2025
edited
Loading

This PR refactors the python module layout so that namespaced objects are organized by namespace (pushing ssvc namespace objects into their own directory so they are peers to other namespaces like cisa etc.). This results in a lot of files being renamed and a lot of python import statement changes. Some other incidental changes are also included.

Sorry the PR is so large, it was not possible to do the refactoring without touching a lot of files.

CoPilot Summary

This pull request includes updates to documentation and JSON files to improve clarity and consistency in terminology. The changes primarily involve replacing "no" with "negligible" in descriptions and updating testing instructions in the README.md file.

Documentation Updates:

  • README.md: Updated testing instructions to clarify that tests run in the host OS, and removed references to Docker.

Terminology Consistency in JSON Files:

@ahouseholder
add __str__() method to SsvcDecisionPointValue
a096d15
@ahouseholder
add combinations and combo_strings methods to `SsvcDecisionPointG…
b753aed 
…roup`

make it easier to build decision frameworks
@ahouseholder
wip commit
5a50e8a
@ahouseholder
Merge branch 'main' of https://github.com/CERTCC/SSVC into feature/59…
0727a06 
…2-we-need-a-policy-object
@ahouseholder
Merge branch 'main' of https://github.com/CERTCC/SSVC into feature/59…
9266736 
…2-we-need-a-policy-object
@ahouseholder
fix type hint on SsvcDecisionPointGroup object
e1de818
@ahouseholder
add VERSIONS and LATEST pattern to decision point groups
6f9fae7
@ahouseholder
add keys to outcome groups
d953c6a
@ahouseholder
refactor DecisionFramework for testability
e8c94dd
@ahouseholder
replace list with tuple to match type hint
e0af9c2
@ahouseholder
black reformat
85af209
@ahouseholder
add validator method to check mapping
1139ca0
@ahouseholder
refactor
f51b3f2
@ahouseholder
fixup type hints
3cc382c
@ahouseholder
add test
af28a08
@ahouseholder
rename DecisionFramework to PrioritizationFramework
34632e8
@ahouseholder
rename new class to DecisionTable
57fb8a6
@ahouseholder
create a _Valued mixin
aa5040f
@ahouseholder
add _Valued mixin to base decision point class. Also reorder mixins…
f46b420 
… to adjust default json output key order
@ahouseholder
update json examples to reflect new base class mixin ordering
03d103a
@ahouseholder
Merge branch 'main' into feature/592-we-need-a-policy-object
b985425
@ahouseholder
empty the ssvc/decision_tables/__init__.py
7fe39a3
@ahouseholder
rename OutcomeGroup.outcomes to OutcomeGroup.values
b31e7d7 
Prepares for future ability to convert from OutcomeGroup to DecisionPoint
@ahouseholder
Merge branch 'feature/reorder-base-class-mixins' into feature/592-we-…
b977e20 
…need-a-policy-object
@ahouseholder
add len() to _Valued mixin
b720435
@ahouseholder
use _Valued mixin
71c9003
@ahouseholder
add len() to _Valued mixin
5b03c6a
@ahouseholder
Merge branch 'feature/reorder-base-class-mixins' into feature/592-we-…
469bbae 
…need-a-policy-object
@ahouseholder
add tests
66e8410
@ahouseholder
add tests
c496db4
@ahouseholder ahouseholder requested a review from j--- as a code owner June 16, 2025 20:00
@ahouseholder ahouseholder added the python Pull requests that update Python code label Jun 16, 2025
@sei-vsarvepalli
Copy link
Contributor

sei-vsarvepalli commented Jun 17, 2025

Some duplicate keys found:

ssvc/decision_points/ssvc_/supplier_contacted.py:    key="SC",
ssvc/decision_points/ssvc_/supplier_cardinality.py:    key="SC",

ssvc/decision_points/ssvc_/supplier_involvement.py:    key="SI",
ssvc/decision_points/ssvc_/safety_impact.py:    key="SI",

ssvc/decision_points/cvss/scope.py:    key="S",
ssvc/decision_points/cvss/supplemental/safety.py:    key="S",

@sei-vsarvepalli
Copy link
Contributor

sei-vsarvepalli commented Jun 17, 2025

There are a few strange json files, for example these 5 files for integrity requirements under CVSS.

data/json/decision_points/cvss/integrity_requirement_1_0_0.json
data/json/decision_points/cvss/integrity_requirement_1_0_1.json
data/json/decision_points/cvss/integrity_requirement_1_0_1.json
data/json/decision_points/cvss/integrity_requirement_1_1_0.json
data/json/decision_points/cvss/integrity_requirement_1_1_1.json

There are only three defined in src/ssvc/decision_points/cvss/integrity_requirement.py

INTEGRITY_REQUIREMENT_1 = CvssDecisionPoint(
    name="Integrity Requirement",
    description="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
    key="IR",
    version="1.0.0",
    values=(
        _LOW,
        _MEDIUM,
        _HIGH,
        NOT_DEFINED_ND,
    ),
)

INTEGRITY_REQUIREMENT_1_1 = CvssDecisionPoint(
    name="Integrity Requirement",
    description="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
    key="IR",
    version="1.1.0",
    values=(
        _LOW,
        _MEDIUM,
        _HIGH,
        NOT_DEFINED_X,
    ),
)

INTEGRITY_REQUIREMENT_1_1_1 = CvssDecisionPoint(
    name="Integrity Requirement",
    description="This metric enables the consumer to customize the assessment depending on the importance of the "
    "affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
    key="IR",
    version="1.1.1",
    values=(
        _LOW_2,
        _MEDIUM_2,
        _HIGH_2,
        NOT_DEFINED_X,
    ),
)

VERSIONS = (
    INTEGRITY_REQUIREMENT_1,
    INTEGRITY_REQUIREMENT_1_1,
    INTEGRITY_REQUIREMENT_1_1_1,
)

If you have way you are iterating through all the decision points, can you share it? We can completely remove data/json/decision_points folder and start over. The modified may be another one to be concerned about which provide 23 with the "Not Defined" keyword added to the CVSS decision points as a decision point value.

@ahouseholder
Copy link
Contributor Author

ahouseholder commented Jun 18, 2025

@sei-vsarvepalli I think I've fixed the problems you found.

  • New makefile target make regenerate_json added so it's reproducible
  • Fixed up doctools.py so it's walking directories for python modules

@sei-vsarvepalli
Copy link
Contributor

sei-vsarvepalli commented Jun 18, 2025

@sei-vsarvepalli I think I've fixed the problems you found.

  • New makefile target make regenerate_json added so it's reproducible
  • Fixed up doctools.py so it's walking directories for python modules

Still some issues.. The files should be generated under data/json/outcomes folder.

data/json/decision_points/x_community/theparanoids_1_0_0.json
data/json/decision_points/x_basic/yes_no_1_0_0.json
data/json/decision_points/x_basic/moscow_1_0_0.json
data/json/decision_points/x_basic/value_complexity_1_0_0.json
data/json/decision_points/x_basic/do_schedule_delegate_delete_1_0_0.json
data/json/decision_points/cisa/cisa_levels_1_0_0.json

The file src/ssvc/decision_points/ssvc/mission_prevalence.py still has

from ssvc.decision_points.ssvc_.base import SsvcDecisionPoint

We can probably delete the whole mission_prevalence.py looks like it is not used anymore anywhere. The old Mission Prevalence may be gone now?

@ahouseholder
Copy link
Contributor Author

ahouseholder commented Jun 18, 2025
edited
Loading

So the outcome groups are now decision point objects (which lets them be used as inputs to downstream decisions). Their appearance in the decision_point json dirs was intentional. This is how we can deal with "compound decision points" too.

flowchart TB

subgraph cdp[Compound Decision Point]
A
B
C
D
end

A --> D
B --> D
C --> D

D --> G
E --> G
F --> G
Loading

Mission Prevalence only ever showed up in CISA's model, so I just fixed it and moved it to the CISA namespace. I don't want to start deleting things that were used previously though, so I think it's okay to keep it for now.

sei-vsarvepalli
sei-vsarvepalli approved these changes Jun 23, 2025
View reviewed changes
Copy link
Contributor

@sei-vsarvepalli sei-vsarvepalli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good now.

@ahouseholder ahouseholder merged commit 398963a into CERTCC:main Jun 23, 2025
2 checks passed
@ahouseholder ahouseholder added tech/backend Back-end tools, code, infrastructure tech/data Data implementation (content of /data, data object instances, etc.) and removed tech/environment Project environment, deployment, CI, etc. labels Jul 1, 2025
@ahouseholder ahouseholder mentioned this pull request Jul 1, 2025
Closed
@ahouseholder ahouseholder mentioned this pull request Jul 29, 2025
Merged
@ahouseholder ahouseholder deleted the refactor_namespaces branch August 7, 2025 17:49
@ahouseholder ahouseholder mentioned this pull request Aug 13, 2025
Closed
@ahouseholder ahouseholder added this to the 2025-09 milestone Aug 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sei-vsarvepalli sei-vsarvepalli sei-vsarvepalli approved these changes

@cgyarbrough cgyarbrough Awaiting requested review from cgyarbrough cgyarbrough is a code owner

@j--- j--- Awaiting requested review from j--- j--- is a code owner

Assignees

@ahouseholder ahouseholder

Labels

enhancement New feature or request python Pull requests that update Python code tech/backend Back-end tools, code, infrastructure tech/data Data implementation (content of /data, data object instances, etc.)

Projects

None yet

Milestone

2025-09

2 participants

@ahouseholder @sei-vsarvepalli