Fix a few bugs around Human Impact decision point and decision table #870
…e combined a while back.
The only thing this doesn't currently do is regenerate a new CSV file to replace https://github.com/CERTCC/SSVC/blob/main/data/csvs/child_trees/human-impact.csv. I have been holding off on those because I wasn't sure what depends on them yet.
- log warning on benign duplicates (same inputs, same outcome)
- throw exception on conflicts (same inputs, different outcome)
… combinations in DecisionTable
Fix cvss eq5 as a result. Also noticed that cisa uses mission and well being 1, not human impact 2.x
When I added the new validator in d2b1799 that requires full coverage of all input value combinations, I found that CVSS EQ5 and CISA Coordinate were lacking full coverage.
…x offending decision points.
Discovered that the CISA model also was not discriminating between "Attend" and "Act" because both values had the key "A". Fixed that, and then added a validator to
sei-vsarvepalli left a comment:
Wow - a lot of good bug finds.
resolves Missing Combination in Human Impact v2.0.1 Calculation #803
resolves Human Impact DecisionTable uses wrong version of Safety Impact #872
resolves Human Impact value descriptions do not match Mission Impact 2.0.0 values #873
resolves PUBLIC_WELL_BEING_IMPACT_1 has two values with key "M" #874
resolves DecisionTable does not detect duplicate mapping rows. #875
resolves DecisionTable does not detect missing value combination coverage #876
resolves CISA Coordinate DecisionTable should be pinned to specific versions of input and outcome decision points #877
resolves CISA outcome set has duplicate "A" keys #878
resolves DecisionPoint does not detect duplicate value keys #879
- Fix a bug in Human Impact DecisionTable (using an older version of Safety Impact).
- Update value descriptions of Human Impact DecisionPoint to reflect that "None" was merged with "Degraded" a while ago. This bumps HI to v2.0.2.
- Pin specific versions of decision points to decision tables in CISA, Deployer, and Human Impact (all touched because of the HI bump).
- Add unit tests to confirm logic of Human Impact DecisionTable.

Copilot Summary
This pull request updates several decision point and decision table JSON files to improve consistency, clarify definitions, and update key mappings for vulnerability assessment frameworks (CISA, CVSS, SSVC). The changes include key renaming for clarity, updates to value descriptions, introduction of new or revised decision points, and adjustments to mappings in decision tables.
Key changes:

CISA Decision Points and Tables:
- Renamed key "A" to "AT" and "AC" respectively in both cisa_levels_1_0_0.json and cisa_coordinator_2_0_3.json to avoid ambiguity and improve clarity. [1] [2]
- Updated cisa_coordinator_2_0_3.json to use the new "AT" and "AC" keys and switched from referencing ssvc:HI:2.0.1 to ssvc:MWI:1.0.0 ("Mission and Well-Being Impact") for impact assessment. [1] [2]

SSVC Decision Points:
- Renamed key "M" to "MA" in public_well_being_impact_1_0_0.json for better distinction.
- Added HI ("Human Impact") version 2.0.2 in human_impact_2_0_2.json, refining the descriptions and logic for impact levels.
- Updated references to ssvc:HI:2.0.2 and adjusted value descriptions to match the new definition.

CVSS Decision Points and Tables:
- Introduced E_NoX ("Exploit Maturity (without Not Defined)") in exploit_maturity_without_not_defined__2_0_0.json and updated the equivalence set table to reference this, removing the "Not Defined" (X) value for greater precision. [1] [2] [3] [4]

These updates help ensure that the decision frameworks are more precise, less ambiguous, and better aligned with their intended use.
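As an added illustration of the three validators this PR describes (duplicate value keys in a decision point, duplicate or conflicting mapping rows, and full coverage of every input value combination), here is a self-contained Python sketch. It is not the SSVC project's own code: the DecisionPoint and validate_table names, the fails helper and the toy decision point data are all assumptions made for this example.

```python
import itertools
import logging
from dataclasses import dataclass

log = logging.getLogger("ssvc-validate")

@dataclass(frozen=True)
class DecisionPoint:
    """Hypothetical stand-in for an SSVC decision point: a name and its value keys."""
    name: str
    keys: tuple

    def validate(self):
        # Two values sharing one key (the "A"/"A" and "M"/"M" bugs) make table rows ambiguous.
        seen = set()
        for k in self.keys:
            if k in seen:
                raise ValueError(f"{self.name}: duplicate value key {k!r}")
            seen.add(k)

def validate_table(inputs, outcome, rows):
    """rows: (input_keys_tuple, outcome_key) pairs. Returns the number of benign duplicates."""
    for dp in (*inputs, outcome):
        dp.validate()
    mapping, benign = {}, 0
    for combo, out in rows:
        if combo in mapping:
            if mapping[combo] == out:  # same inputs, same outcome: warn only
                log.warning("benign duplicate row for %s", combo)
                benign += 1
                continue
            raise ValueError(f"conflict for {combo}: {mapping[combo]!r} vs {out!r}")
        mapping[combo] = out
    # Full coverage: every combination of input values must be mapped.
    missing = set(itertools.product(*(dp.keys for dp in inputs))) - set(mapping)
    if missing:
        raise ValueError(f"unmapped input combinations: {sorted(missing)}")
    return benign

def fails(fn):  # True if fn() raises ValueError
    try:
        fn()
    except ValueError:
        return True
    return False

# Constructed toy data, not the real SSVC decision point definitions or tables.
SI = DecisionPoint("Safety Impact (toy)", ("N", "M", "C"))
MI = DecisionPoint("Mission Impact (toy)", ("D", "F"))
HI = DecisionPoint("Human Impact (toy)", ("L", "M", "H"))
GOOD_ROWS = [(("N", "D"), "L"), (("N", "F"), "M"), (("M", "D"), "M"),
             (("M", "F"), "H"), (("C", "D"), "H"), (("C", "F"), "H")]
```

Dropping one row from GOOD_ROWS reproduces the missing-combination failure; appending a row with a different outcome for an existing combination reproduces the conflict.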