Skip to content

Create DecisionTable representation of coordinator triage decision model #868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ahouseholder merged 25 commits into from
Aug 12, 2025
Merged

Create DecisionTable representation of coordinator triage decision model #868

ahouseholder merged 25 commits into from
Aug 12, 2025

Conversation

@ahouseholder
Copy link
Contributor

@ahouseholder ahouseholder commented Aug 12, 2025
edited
Loading

Creating as DRAFT until I can verify the table data.

This PR models the Coordinator Triage decision model as a DecisionTable object.
Unit tests verify the "screening" points:

Report Public: If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.
Supplier Contacted: If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact. In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.

with accommodations for specific exception cases. The unit tests also verify the structure based on the coordinator triage table originally included in the SSVC documentation as a CSV file.

ahouseholder and others added 21 commits August 8, 2025 10:06
@ahouseholder
extract decision table print helper method
90853b3
@ahouseholder
add first attempt at EQ1 (note: default mapping is unverified)
50c1729
@ahouseholder
bring EQ 1 into alignment with CVSSv4 spec
d7809ef
@ahouseholder
fix AC and AT value order
ff2387c
@ahouseholder
add EQ2 decision table
0edf40c
@ahouseholder
add EQ3
8587b0a 
verified against spec
@ahouseholder
create modified subsequent availability and integrity decision points
ab64985
@ahouseholder
add EQ4 decision table
3b0888a
@ahouseholder
add EQ6
a25b5b1
@ahouseholder
wip on EQ5. blocked by #859
d16d103
@ahouseholder
add expected failure test for #859
e5e00f1
@ahouseholder
fix #859
c3bbe9c
@ahouseholder
Update src/ssvc/decision_tables/cvss/equivalence_set_two.py
1979396 
Co-authored-by: Copilot <[email protected]>
@ahouseholder
Update src/ssvc/decision_points/cvss/helpers.py
ae4df68 
Co-authored-by: Copilot <[email protected]>
@ahouseholder
Update data/json/decision_tables/cvss/cvss_v4_equivalence_set_2_1_0_0…
dc321d5 
….json

Co-authored-by: Copilot <[email protected]>
@ahouseholder
fix errors in EQ4
768e1c2
@ahouseholder
Merge branch '835-cvss-equiv' of https://github.com/CERTCC/SSVC into …
2bfed68 
…835-cvss-equiv
@ahouseholder
regenerate registry
f961656
@ahouseholder
add unit tests
99548b6
@ahouseholder
add coord triage table
31e0042
@ahouseholder
Merge branch 'main' of https://github.com/CERTCC/SSVC into 851-create…
630fab1 
…-decisiontable-representation-of-coordinator-triage-decision-model
@ahouseholder ahouseholder self-assigned this Aug 12, 2025
@ahouseholder ahouseholder added enhancement New feature or request python Pull requests that update Python code labels Aug 12, 2025
@ahouseholder ahouseholder linked an issue Aug 12, 2025 that may be closed by this pull request
Create DecisionTable representation of Coordinator Triage decision model #851
Closed
@ahouseholder ahouseholder added tech/backend Back-end tools, code, infrastructure tech/data Data implementation (content of /data, data object instances, etc.) labels Aug 12, 2025
@laurie-tyz
Copy link
Contributor

laurie-tyz commented Aug 12, 2025

Allen

Report Public: If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.
Supplier Contacted: If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact. In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.

Significant Public Safety Impact independent of all other selections Public Safety shall be the variable in the coordination decision.

@ahouseholder ahouseholder marked this pull request as ready for review August 12, 2025 16:59
@ahouseholder
Copy link
Contributor Author

ahouseholder commented Aug 12, 2025
edited
Loading

A CSV of the current table 
,ssvc:RP:1.0.0,ssvc:SCON:1.0.0,ssvc:RC:1.0.0,ssvc:SC:1.0.0,ssvc:SE:1.0.0,ssvc:U:1.0.1,ssvc:PSI:2.0.1,ssvc:COORDINATE:1.0.0
0,Y,N,NC,O,A,L,M,D
1,N,N,NC,O,A,L,M,D
2,Y,Y,NC,O,A,L,M,D
3,Y,N,C,O,A,L,M,D
4,Y,N,NC,M,A,L,M,D
5,Y,N,NC,O,U,L,M,D
6,Y,N,NC,O,A,E,M,D
7,Y,N,NC,O,A,L,S,D
8,N,Y,NC,O,A,L,M,D
9,N,N,C,O,A,L,M,D
10,Y,Y,C,O,A,L,M,D
11,N,N,NC,M,A,L,M,D
12,Y,Y,NC,M,A,L,M,D
13,Y,N,C,M,A,L,M,D
14,N,N,NC,O,U,L,M,D
15,Y,Y,NC,O,U,L,M,D
16,Y,N,C,O,U,L,M,D
17,Y,N,NC,M,U,L,M,D
18,N,N,NC,O,A,E,M,D
19,Y,Y,NC,O,A,E,M,D
20,Y,N,C,O,A,E,M,D
21,Y,N,NC,M,A,E,M,D
22,Y,N,NC,O,U,E,M,D
23,Y,N,NC,O,A,S,M,D
24,N,N,NC,O,A,L,S,D
25,Y,Y,NC,O,A,L,S,D
26,Y,N,C,O,A,L,S,D
27,Y,N,NC,M,A,L,S,D
28,Y,N,NC,O,U,L,S,D
29,Y,N,NC,O,A,E,S,D
30,N,Y,C,O,A,L,M,D
31,N,Y,NC,M,A,L,M,D
32,N,N,C,M,A,L,M,D
33,Y,Y,C,M,A,L,M,D
34,N,Y,NC,O,U,L,M,D
35,N,N,C,O,U,L,M,D
36,Y,Y,C,O,U,L,M,D
37,N,N,NC,M,U,L,M,D
38,Y,Y,NC,M,U,L,M,D
39,Y,N,C,M,U,L,M,D
40,N,Y,NC,O,A,E,M,D
41,N,N,C,O,A,E,M,D
42,Y,Y,C,O,A,E,M,D
43,N,N,NC,M,A,E,M,D
44,Y,Y,NC,M,A,E,M,D
45,Y,N,C,M,A,E,M,D
46,N,N,NC,O,U,E,M,D
47,Y,Y,NC,O,U,E,M,D
48,Y,N,C,O,U,E,M,D
49,Y,N,NC,M,U,E,M,D
50,N,N,NC,O,A,S,M,D
51,Y,Y,NC,O,A,S,M,D
52,Y,N,C,O,A,S,M,D
53,Y,N,NC,M,A,S,M,D
54,Y,N,NC,O,U,S,M,D
55,N,Y,NC,O,A,L,S,D
56,N,N,C,O,A,L,S,D
57,Y,Y,C,O,A,L,S,D
58,N,N,NC,M,A,L,S,D
59,Y,Y,NC,M,A,L,S,D
60,Y,N,C,M,A,L,S,D
61,N,N,NC,O,U,L,S,D
62,Y,Y,NC,O,U,L,S,D
63,Y,N,C,O,U,L,S,D
64,Y,N,NC,M,U,L,S,D
65,N,N,NC,O,A,E,S,D
66,Y,Y,NC,O,A,E,S,D
67,Y,N,C,O,A,E,S,D
68,Y,N,NC,M,A,E,S,D
69,Y,N,NC,O,U,E,S,D
70,Y,N,NC,O,A,S,S,D
71,N,Y,C,M,A,L,M,D
72,N,Y,C,O,U,L,M,T
73,N,Y,NC,M,U,L,M,D
74,N,N,C,M,U,L,M,D
75,Y,Y,C,M,U,L,M,D
76,N,Y,C,O,A,E,M,D
77,N,Y,NC,M,A,E,M,D
78,N,N,C,M,A,E,M,D
79,Y,Y,C,M,A,E,M,D
80,N,Y,NC,O,U,E,M,D
81,N,N,C,O,U,E,M,D
82,Y,Y,C,O,U,E,M,D
83,N,N,NC,M,U,E,M,D
84,Y,Y,NC,M,U,E,M,D
85,Y,N,C,M,U,E,M,D
86,N,Y,NC,O,A,S,M,D
87,N,N,C,O,A,S,M,D
88,Y,Y,C,O,A,S,M,D
89,N,N,NC,M,A,S,M,D
90,Y,Y,NC,M,A,S,M,D
91,Y,N,C,M,A,S,M,D
92,N,N,NC,O,U,S,M,D
93,Y,Y,NC,O,U,S,M,D
94,Y,N,C,O,U,S,M,D
95,Y,N,NC,M,U,S,M,D
96,N,Y,C,O,A,L,S,D
97,N,Y,NC,M,A,L,S,T
98,N,N,C,M,A,L,S,D
99,Y,Y,C,M,A,L,S,D
100,N,Y,NC,O,U,L,S,D
101,N,N,C,O,U,L,S,D
102,Y,Y,C,O,U,L,S,D
103,N,N,NC,M,U,L,S,D
104,Y,Y,NC,M,U,L,S,D
105,Y,N,C,M,U,L,S,D
106,N,Y,NC,O,A,E,S,T
107,N,N,C,O,A,E,S,D
108,Y,Y,C,O,A,E,S,D
109,N,N,NC,M,A,E,S,D
110,Y,Y,NC,M,A,E,S,D
111,Y,N,C,M,A,E,S,D
112,N,N,NC,O,U,E,S,D
113,Y,Y,NC,O,U,E,S,D
114,Y,N,C,O,U,E,S,D
115,Y,N,NC,M,U,E,S,D
116,N,N,NC,O,A,S,S,D
117,Y,Y,NC,O,A,S,S,D
118,Y,N,C,O,A,S,S,D
119,Y,N,NC,M,A,S,S,C
120,Y,N,NC,O,U,S,S,D
121,N,Y,C,M,U,L,M,C
122,N,Y,C,M,A,E,M,D
123,N,Y,C,O,U,E,M,C
124,N,Y,NC,M,U,E,M,D
125,N,N,C,M,U,E,M,D
126,Y,Y,C,M,U,E,M,D
127,N,Y,C,O,A,S,M,D
128,N,Y,NC,M,A,S,M,T
129,N,N,C,M,A,S,M,D
130,Y,Y,C,M,A,S,M,D
131,N,Y,NC,O,U,S,M,D
132,N,N,C,O,U,S,M,D
133,Y,Y,C,O,U,S,M,D
134,N,N,NC,M,U,S,M,D
135,Y,Y,NC,M,U,S,M,D
136,Y,N,C,M,U,S,M,D
137,N,Y,C,M,A,L,S,T
138,N,Y,C,O,U,L,S,C
139,N,Y,NC,M,U,L,S,T
140,N,N,C,M,U,L,S,D
141,Y,Y,C,M,U,L,S,D
142,N,Y,C,O,A,E,S,T
143,N,Y,NC,M,A,E,S,T
144,N,N,C,M,A,E,S,D
145,Y,Y,C,M,A,E,S,D
146,N,Y,NC,O,U,E,S,T
147,N,N,C,O,U,E,S,D
148,Y,Y,C,O,U,E,S,D
149,N,N,NC,M,U,E,S,D
150,Y,Y,NC,M,U,E,S,D
151,Y,N,C,M,U,E,S,D
152,N,Y,NC,O,A,S,S,T
153,N,N,C,O,A,S,S,D
154,Y,Y,C,O,A,S,S,D
155,N,N,NC,M,A,S,S,C
156,Y,Y,NC,M,A,S,S,C
157,Y,N,C,M,A,S,S,C
158,N,N,NC,O,U,S,S,D
159,Y,Y,NC,O,U,S,S,D
160,Y,N,C,O,U,S,S,D
161,Y,N,NC,M,U,S,S,C
162,N,Y,C,M,U,E,M,C
163,N,Y,C,M,A,S,M,C
164,N,Y,C,O,U,S,M,C
165,N,Y,NC,M,U,S,M,T
166,N,N,C,M,U,S,M,D
167,Y,Y,C,M,U,S,M,D
168,N,Y,C,M,U,L,S,C
169,N,Y,C,M,A,E,S,T
170,N,Y,C,O,U,E,S,C
171,N,Y,NC,M,U,E,S,T
172,N,N,C,M,U,E,S,D
173,Y,Y,C,M,U,E,S,D
174,N,Y,C,O,A,S,S,T
175,N,Y,NC,M,A,S,S,C
176,N,N,C,M,A,S,S,C
177,Y,Y,C,M,A,S,S,C
178,N,Y,NC,O,U,S,S,T
179,N,N,C,O,U,S,S,D
180,Y,Y,C,O,U,S,S,D
181,N,N,NC,M,U,S,S,C
182,Y,Y,NC,M,U,S,S,C
183,Y,N,C,M,U,S,S,C
184,N,Y,C,M,U,S,M,C
185,N,Y,C,M,U,E,S,C
186,N,Y,C,M,A,S,S,C
187,N,Y,C,O,U,S,S,C
188,N,Y,NC,M,U,S,S,C
189,N,N,C,M,U,S,S,C
190,Y,Y,C,M,U,S,S,C
191,N,Y,C,M,U,S,S,C

@ahouseholder
Copy link
Contributor Author

ahouseholder commented Aug 12, 2025

Allen

Report Public: If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact. Supplier Contacted: If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact. In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.

Significant Public Safety Impact independent of all other selections Public Safety shall be the variable in the coordination decision.

So those words were taken directly from

SSVC/docs/howto/coordination_triage_decision.md

Lines 64 to 71 in 0e85eea

The first two function as gating questions:
- [Report Public](../reference/decision_points/report_public.md): If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md).
- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md).
In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.
These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage
tree can be compressed slightly, as the decision model below shows.

But as I was implementing the DecisionTable object in this PR, it became evident that this is a simplification of what's actually represented in the CSV File. So in fact, the actual decision model does do a bit more when PSI is significant. The unit tests ensure that the new object reflects the actual table we've provided in CSV format rather than just blindly implementing the "rule" from the docs as written.

That said, it's possible that you might also disagree with the resulting table—if that's the case, I'd request that you submit a new issue for that, as this PR is focused on implementing something as-is from one format to another whereas that would represent a change to a previously published table.

@ahouseholder ahouseholder merged commit aae4b5a into main Aug 12, 2025
4 checks passed
@ahouseholder ahouseholder deleted the 851-create-decisiontable-representation-of-coordinator-triage-decision-model branch August 12, 2025 19:24
@ahouseholder ahouseholder added this to the 2025-09 milestone Aug 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sei-vsarvepalli sei-vsarvepalli sei-vsarvepalli approved these changes

Assignees

@ahouseholder ahouseholder

Labels

enhancement New feature or request python Pull requests that update Python code tech/backend Back-end tools, code, infrastructure tech/data Data implementation (content of /data, data object instances, etc.)

Projects

None yet

Milestone

2025-09

4 participants

@ahouseholder @laurie-tyz @sei-vsarvepalli