CERTCC · ahouseholder · Aug 5, 2025 · Jun 16, 2025 · Jun 23, 2025 · Jun 23, 2025
@@ -25,7 +25,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.10'
+          python-version: '3.12'
 
       - name: Install dependencies
         run: |

@@ -16,6 +16,8 @@ test:
 	pytest -v src/test
 
 docker_test:
+	@echo "Building the latest test image..."
+	pushd $(DOCKER_DIR) && docker-compose build test
 	@echo "Running tests in Docker..."
 	pushd $(DOCKER_DIR) && docker-compose run --rm test
 

@@ -0,0 +1,30 @@
+{
+  "namespace": "basic",
+  "key": "IKE",
+  "version": "1.0.0",
+  "name": "Do, Schedule, Delegate, Delete",
+  "description": "The Eisenhower outcome group.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "D",
+      "name": "Delete",
+      "description": "Delete"
+    },
+    {
+      "key": "G",
+      "name": "Delegate",
+      "description": "Delegate"
+    },
+    {
+      "key": "S",
+      "name": "Schedule",
+      "description": "Schedule"
+    },
+    {
+      "key": "O",
+      "name": "Do",
+      "description": "Do"
+    }
+  ]
+}
@@ -0,0 +1,25 @@
+{
+  "namespace": "basic",
+  "key": "LMH",
+  "version": "1.0.0",
+  "name": "LowMediumHigh",
+  "description": "A Low/Medium/High decision point / outcome group.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "Low"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "Medium"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "High"
+    }
+  ]
+}
@@ -0,0 +1,30 @@
+{
+  "namespace": "basic",
+  "key": "MSCW",
+  "version": "1.0.0",
+  "name": "MoSCoW",
+  "description": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "W",
+      "name": "Won't",
+      "description": "Won't"
+    },
+    {
+      "key": "C",
+      "name": "Could",
+      "description": "Could"
+    },
+    {
+      "key": "S",
+      "name": "Should",
+      "description": "Should"
+    },
+    {
+      "key": "M",
+      "name": "Must",
+      "description": "Must"
+    }
+  ]
+}
@@ -0,0 +1,30 @@
+{
+  "namespace": "basic",
+  "key": "VALUE_COMPLEXITY",
+  "version": "1.0.0",
+  "name": "Value, Complexity",
+  "description": "The Value/Complexity outcome group.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "D",
+      "name": "Drop",
+      "description": "Drop"
+    },
+    {
+      "key": "R",
+      "name": "Reconsider Later",
+      "description": "Reconsider Later"
+    },
+    {
+      "key": "E",
+      "name": "Easy Win",
+      "description": "Easy Win"
+    },
+    {
+      "key": "F",
+      "name": "Do First",
+      "description": "Do First"
+    }
+  ]
+}
@@ -0,0 +1,20 @@
+{
+  "namespace": "basic",
+  "key": "YN",
+  "version": "1.0.0",
+  "name": "YesNo",
+  "description": "A Yes/No decision point / outcome group.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "N",
+      "name": "No",
+      "description": "No"
+    },
+    {
+      "key": "Y",
+      "name": "Yes",
+      "description": "Yes"
+    }
+  ]
+}
@@ -1,10 +1,10 @@
 {
-  "name": "CISA Levels",
-  "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
   "namespace": "cisa",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "CISA",
+  "version": "1.0.0",
+  "name": "CISA Levels",
+  "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "T",

@@ -1,10 +1,10 @@
 {
+  "namespace": "cisa",
+  "key": "KEV",
+  "version": "1.0.0",
   "name": "In KEV",
   "description": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
-  "namespace": "ssvc",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
-  "key": "KEV",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
-  "name": "Mission Prevalence",
-  "description": "Prevalence of the mission essential functions",
   "namespace": "cisa",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "MP",
+  "version": "1.0.0",
+  "name": "Mission Prevalence",
+  "description": "Prevalence of the mission essential functions",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "M",

@@ -1,10 +1,10 @@
 {
-  "name": "Access Complexity",
-  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
   "namespace": "cvss",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AC",
+  "version": "1.0.0",
+  "name": "Access Complexity",
+  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
-  "name": "Access Complexity",
-  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
   "namespace": "cvss",
-  "version": "2.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AC",
+  "version": "2.0.0",
+  "name": "Access Complexity",
+  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
-  "name": "Access Vector",
-  "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
   "namespace": "cvss",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AV",
+  "version": "1.0.0",
+  "name": "Access Vector",
+  "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
-  "name": "Access Vector",
-  "description": "This metric reflects the context by which vulnerability exploitation is possible.",
   "namespace": "cvss",
-  "version": "2.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AV",
+  "version": "2.0.0",
+  "name": "Access Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
-  "name": "Attack Complexity",
-  "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
   "namespace": "cvss",
-  "version": "3.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AC",
+  "version": "3.0.0",
+  "name": "Attack Complexity",
+  "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
-  "name": "Attack Complexity",
-  "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
   "namespace": "cvss",
-  "version": "3.0.1",
-  "schemaVersion": "1-0-1",
   "key": "AC",
+  "version": "3.0.1",
+  "name": "Attack Complexity",
+  "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
-  "name": "Attack Requirements",
-  "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
   "namespace": "cvss",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AT",
+  "version": "1.0.0",
+  "name": "Attack Requirements",
+  "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
-  "name": "Attack Vector",
-  "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
   "namespace": "cvss",
-  "version": "3.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AV",
+  "version": "3.0.0",
+  "name": "Attack Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "P",

@@ -1,10 +1,10 @@
 {
-  "name": "Attack Vector",
-  "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
   "namespace": "cvss",
-  "version": "3.0.1",
-  "schemaVersion": "1-0-1",
   "key": "AV",
+  "version": "3.0.1",
+  "name": "Attack Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "P",

@@ -1,10 +1,10 @@
 {
-  "name": "Authentication",
-  "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
   "namespace": "cvss",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "Au",
+  "version": "1.0.0",
+  "name": "Authentication",
+  "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
-  "name": "Authentication",
-  "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur.  The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
   "namespace": "cvss",
-  "version": "2.0.0",
-  "schemaVersion": "1-0-1",
   "key": "Au",
+  "version": "2.0.0",
+  "name": "Authentication",
+  "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur.  The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "M",

@@ -1,10 +1,10 @@
 {
-  "name": "Automatable",
-  "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
   "namespace": "cvss",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "AU",
+  "version": "1.0.0",
+  "name": "Automatable",
+  "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
-  "name": "Availability Impact",
-  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
   "namespace": "cvss",
-  "version": "1.0.0",
-  "schemaVersion": "1-0-1",
   "key": "A",
+  "version": "1.0.0",
+  "name": "Availability Impact",
+  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
+  "schemaVersion": "2.0.0",
   "values": [
     {
       "key": "N",