diff --git a/Makefile b/Makefile
index a30b4f5f..efbfc498 100644
--- a/Makefile
+++ b/Makefile
@@ -55,7 +55,7 @@ down:
regenerate_json:
@echo "Regenerating JSON files..."
rm -rf data/json/decision_points
- export PYTHONPATH=$(PWD)/src && ./src/ssvc/doctools.py --jsondir=./data/json/decision_points --overwrite
+ export PYTHONPATH=$(PWD)/src && ./src/ssvc/doctools.py --jsondir=./data/json --overwrite
clean:
@echo "Cleaning up Docker resources..."
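Review bot: The `rm -rf data/json/decision_points` two lines above the changed recipe still removes only the old subdirectory, while the generator's `--jsondir` now points at `./data/json`, so the cleanup no longer mirrors the output root and any stale generated file elsewhere under `data/json` survives a regeneration; either widen the removal to match the new root if `data/json` holds only generated output, or keep the narrower path and document why the two differ. `$(PWD)` is inherited from the environment rather than computed by Make and can be absent or stale (e.g. under `make -C` or a non-interactive invocation); `$(CURDIR)` is the reliable form: `export PYTHONPATH=$(CURDIR)/src && ./src/ssvc/doctools.py --jsondir=./data/json --overwrite`. The recipe already passes `--overwrite`, so whether the preceding `rm -rf` is still needed depends on whether the tool only rewrites files it regenerates — worth confirming and noting in a comment. `regenerate_json` is a command, not a file, so it should be listed in `.PHONY` if it is not already (the declaration is not visible in this hunk).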
diff --git a/data/json/decision_points/basic/do_schedule_delegate_delete_1_0_0.json b/data/json/decision_points/basic/do_schedule_delegate_delete_1_0_0.json
index b3dffaba..49c5dd0d 100644
--- a/data/json/decision_points/basic/do_schedule_delegate_delete_1_0_0.json
+++ b/data/json/decision_points/basic/do_schedule_delegate_delete_1_0_0.json
@@ -3,28 +3,28 @@
"key": "IKE",
"version": "1.0.0",
"name": "Do, Schedule, Delegate, Delete",
- "description": "The Eisenhower outcome group.",
+ "definition": "The Eisenhower outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Delete",
- "description": "Delete"
+ "definition": "Delete"
},
{
"key": "G",
"name": "Delegate",
- "description": "Delegate"
+ "definition": "Delegate"
},
{
"key": "S",
"name": "Schedule",
- "description": "Schedule"
+ "definition": "Schedule"
},
{
"key": "O",
"name": "Do",
- "description": "Do"
+ "definition": "Do"
}
]
}
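Review bot: Renaming the serialized key `description` to `definition` changes the data contract, yet `schemaVersion` stays `2.0.0` and the decision point's `version` stays `1.0.0`, so a consumer validating against the existing 2.0.0 schema or reading `description` will fail with no signal from the data itself. Since these files appear to be generated by the `regenerate_json` target, the fix belongs in the generator and its schema rather than in the JSON: bump `schemaVersion` alongside the key rename, or accept `description` as an alias during a transition. Whether the published 2.0.0 schema already uses `definition` is not visible in this diff, so this should be confirmed before merging.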
diff --git a/data/json/decision_points/basic/lowmediumhigh_1_0_0.json b/data/json/decision_points/basic/lowmediumhigh_1_0_0.json
index 8b178ab2..3cfd0a8f 100644
--- a/data/json/decision_points/basic/lowmediumhigh_1_0_0.json
+++ b/data/json/decision_points/basic/lowmediumhigh_1_0_0.json
@@ -3,23 +3,23 @@
"key": "LMH",
"version": "1.0.0",
"name": "LowMediumHigh",
- "description": "A Low/Medium/High decision point / outcome group.",
+ "definition": "A Low/Medium/High decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Low"
+ "definition": "Low"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium"
+ "definition": "Medium"
},
{
"key": "H",
"name": "High",
- "description": "High"
+ "definition": "High"
}
]
}
diff --git a/data/json/decision_points/basic/moscow_1_0_0.json b/data/json/decision_points/basic/moscow_1_0_0.json
index 7b29da07..ce8ddcba 100644
--- a/data/json/decision_points/basic/moscow_1_0_0.json
+++ b/data/json/decision_points/basic/moscow_1_0_0.json
@@ -3,28 +3,28 @@
"key": "MSCW",
"version": "1.0.0",
"name": "MoSCoW",
- "description": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
+ "definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "W",
"name": "Won't",
- "description": "Won't"
+ "definition": "Won't"
},
{
"key": "C",
"name": "Could",
- "description": "Could"
+ "definition": "Could"
},
{
"key": "S",
"name": "Should",
- "description": "Should"
+ "definition": "Should"
},
{
"key": "M",
"name": "Must",
- "description": "Must"
+ "definition": "Must"
}
]
}
diff --git a/data/json/decision_points/basic/value_complexity_1_0_0.json b/data/json/decision_points/basic/value_complexity_1_0_0.json
index d3354f2d..11c0fc20 100644
--- a/data/json/decision_points/basic/value_complexity_1_0_0.json
+++ b/data/json/decision_points/basic/value_complexity_1_0_0.json
@@ -3,28 +3,28 @@
"key": "VALUE_COMPLEXITY",
"version": "1.0.0",
"name": "Value, Complexity",
- "description": "The Value/Complexity outcome group.",
+ "definition": "The Value/Complexity outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Drop",
- "description": "Drop"
+ "definition": "Drop"
},
{
"key": "R",
"name": "Reconsider Later",
- "description": "Reconsider Later"
+ "definition": "Reconsider Later"
},
{
"key": "E",
"name": "Easy Win",
- "description": "Easy Win"
+ "definition": "Easy Win"
},
{
"key": "F",
"name": "Do First",
- "description": "Do First"
+ "definition": "Do First"
}
]
}
diff --git a/data/json/decision_points/basic/yesno_1_0_0.json b/data/json/decision_points/basic/yesno_1_0_0.json
index b376989b..d177d2cf 100644
--- a/data/json/decision_points/basic/yesno_1_0_0.json
+++ b/data/json/decision_points/basic/yesno_1_0_0.json
@@ -3,18 +3,18 @@
"key": "YN",
"version": "1.0.0",
"name": "YesNo",
- "description": "A Yes/No decision point / outcome group.",
+ "definition": "A Yes/No decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "No"
+ "definition": "No"
},
{
"key": "Y",
"name": "Yes",
- "description": "Yes"
+ "definition": "Yes"
}
]
}
diff --git a/data/json/decision_points/cisa/cisa_levels_1_1_0.json b/data/json/decision_points/cisa/cisa_levels_1_1_0.json
index 965874bb..7633ec00 100644
--- a/data/json/decision_points/cisa/cisa_levels_1_1_0.json
+++ b/data/json/decision_points/cisa/cisa_levels_1_1_0.json
@@ -3,28 +3,28 @@
"key": "CISA",
"version": "1.1.0",
"name": "CISA Levels",
- "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+ "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "T",
"name": "Track",
- "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
{
"key": "T*",
"name": "Track*",
- "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
{
"key": "AT",
"name": "Attend",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
{
"key": "AC",
"name": "Act",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
]
}
diff --git a/data/json/decision_points/cisa/in_kev_1_0_0.json b/data/json/decision_points/cisa/in_kev_1_0_0.json
index dad51ecb..5431bbd0 100644
--- a/data/json/decision_points/cisa/in_kev_1_0_0.json
+++ b/data/json/decision_points/cisa/in_kev_1_0_0.json
@@ -3,18 +3,18 @@
"key": "KEV",
"version": "1.0.0",
"name": "In KEV",
- "description": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
+ "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Vulnerability is not listed in KEV."
+ "definition": "Vulnerability is not listed in KEV."
},
{
"key": "Y",
"name": "Yes",
- "description": "Vulnerability is listed in KEV."
+ "definition": "Vulnerability is listed in KEV."
}
]
}
diff --git a/data/json/decision_points/cisa/mission_prevalence_1_0_0.json b/data/json/decision_points/cisa/mission_prevalence_1_0_0.json
index c3b8285b..07546241 100644
--- a/data/json/decision_points/cisa/mission_prevalence_1_0_0.json
+++ b/data/json/decision_points/cisa/mission_prevalence_1_0_0.json
@@ -3,23 +3,23 @@
"key": "MP",
"version": "1.0.0",
"name": "Mission Prevalence",
- "description": "Prevalence of the mission essential functions",
+ "definition": "Prevalence of the mission essential functions",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
+ "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
},
{
"key": "S",
"name": "Support",
- "description": "The vulnerable component only supports MEFs for two or more entities."
+ "definition": "The vulnerable component only supports MEFs for two or more entities."
},
{
"key": "E",
"name": "Essential",
- "description": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
+ "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
}
]
}
diff --git a/data/json/decision_points/cvss/access_complexity_1_0_0.json b/data/json/decision_points/cvss/access_complexity_1_0_0.json
index 2fb2dca4..41063a4b 100644
--- a/data/json/decision_points/cvss/access_complexity_1_0_0.json
+++ b/data/json/decision_points/cvss/access_complexity_1_0_0.json
@@ -3,18 +3,18 @@
"key": "AC",
"version": "1.0.0",
"name": "Access Complexity",
- "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+ "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
}
]
}
diff --git a/data/json/decision_points/cvss/access_complexity_2_0_0.json b/data/json/decision_points/cvss/access_complexity_2_0_0.json
index ff8b6c5d..12b744cc 100644
--- a/data/json/decision_points/cvss/access_complexity_2_0_0.json
+++ b/data/json/decision_points/cvss/access_complexity_2_0_0.json
@@ -3,23 +3,23 @@
"key": "AC",
"version": "2.0.0",
"name": "Access Complexity",
- "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "Specialized access conditions exist."
+ "definition": "Specialized access conditions exist."
},
{
"key": "M",
"name": "Medium",
- "description": "The access conditions are somewhat specialized."
+ "definition": "The access conditions are somewhat specialized."
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist."
}
]
}
diff --git a/data/json/decision_points/cvss/access_vector_1_0_0.json b/data/json/decision_points/cvss/access_vector_1_0_0.json
index 89c5976a..f9fced74 100644
--- a/data/json/decision_points/cvss/access_vector_1_0_0.json
+++ b/data/json/decision_points/cvss/access_vector_1_0_0.json
@@ -3,18 +3,18 @@
"key": "AV",
"version": "1.0.0",
"name": "Access Vector",
- "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ "definition": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Local",
- "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
},
{
"key": "R",
"name": "Remote",
- "description": "The vulnerability is exploitable remotely."
+ "definition": "The vulnerability is exploitable remotely."
}
]
}
diff --git a/data/json/decision_points/cvss/access_vector_2_0_0.json b/data/json/decision_points/cvss/access_vector_2_0_0.json
index 48ec3f7b..ab92b164 100644
--- a/data/json/decision_points/cvss/access_vector_2_0_0.json
+++ b/data/json/decision_points/cvss/access_vector_2_0_0.json
@@ -3,23 +3,23 @@
"key": "AV",
"version": "2.0.0",
"name": "Access Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+ "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
},
{
"key": "A",
"name": "Adjacent Network",
- "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
},
{
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
}
]
}
diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_0.json b/data/json/decision_points/cvss/attack_complexity_3_0_0.json
index d5d89c07..a2ef8eaa 100644
--- a/data/json/decision_points/cvss/attack_complexity_3_0_0.json
+++ b/data/json/decision_points/cvss/attack_complexity_3_0_0.json
@@ -3,18 +3,18 @@
"key": "AC",
"version": "3.0.0",
"name": "Attack Complexity",
- "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "A successful attack depends on conditions beyond the attacker's control."
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
}
]
}
diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json
index 88ed9707..9267e9df 100644
--- a/data/json/decision_points/cvss/attack_complexity_3_0_1.json
+++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json
@@ -3,18 +3,18 @@
"key": "AC",
"version": "3.0.1",
"name": "Attack Complexity",
- "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
]
}
diff --git a/data/json/decision_points/cvss/attack_requirements_1_0_0.json b/data/json/decision_points/cvss/attack_requirements_1_0_0.json
index 49219df7..8ff48413 100644
--- a/data/json/decision_points/cvss/attack_requirements_1_0_0.json
+++ b/data/json/decision_points/cvss/attack_requirements_1_0_0.json
@@ -3,18 +3,18 @@
"key": "AT",
"version": "1.0.0",
"name": "Attack Requirements",
- "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
]
}
diff --git a/data/json/decision_points/cvss/attack_vector_3_0_0.json b/data/json/decision_points/cvss/attack_vector_3_0_0.json
index a369277a..f8415045 100644
--- a/data/json/decision_points/cvss/attack_vector_3_0_0.json
+++ b/data/json/decision_points/cvss/attack_vector_3_0_0.json
@@ -3,28 +3,28 @@
"key": "AV",
"version": "3.0.0",
"name": "Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
{
"key": "A",
"name": "Adjacent",
- "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
},
{
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
}
]
}
diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json
index c5843891..494691ea 100644
--- a/data/json/decision_points/cvss/attack_vector_3_0_1.json
+++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json
@@ -3,28 +3,28 @@
"key": "AV",
"version": "3.0.1",
"name": "Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
]
}
diff --git a/data/json/decision_points/cvss/authentication_1_0_0.json b/data/json/decision_points/cvss/authentication_1_0_0.json
index 2faea2b0..46bb9637 100644
--- a/data/json/decision_points/cvss/authentication_1_0_0.json
+++ b/data/json/decision_points/cvss/authentication_1_0_0.json
@@ -3,18 +3,18 @@
"key": "Au",
"version": "1.0.0",
"name": "Authentication",
- "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
+ "definition": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Not Required",
- "description": "Authentication is not required to access or exploit the vulnerability."
+ "definition": "Authentication is not required to access or exploit the vulnerability."
},
{
"key": "R",
"name": "Required",
- "description": "Authentication is required to access and exploit the vulnerability."
+ "definition": "Authentication is required to access and exploit the vulnerability."
}
]
}
diff --git a/data/json/decision_points/cvss/authentication_2_0_0.json b/data/json/decision_points/cvss/authentication_2_0_0.json
index b95dc185..e3422570 100644
--- a/data/json/decision_points/cvss/authentication_2_0_0.json
+++ b/data/json/decision_points/cvss/authentication_2_0_0.json
@@ -3,23 +3,23 @@
"key": "Au",
"version": "2.0.0",
"name": "Authentication",
- "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
+ "definition": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Multiple",
- "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
+ "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
},
{
"key": "S",
"name": "Single",
- "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
+ "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
},
{
"key": "N",
"name": "None",
- "description": "Authentication is not required to exploit the vulnerability."
+ "definition": "Authentication is not required to exploit the vulnerability."
}
]
}
diff --git a/data/json/decision_points/cvss/automatable_1_0_0.json b/data/json/decision_points/cvss/automatable_1_0_0.json
index 65751950..0e7464bf 100644
--- a/data/json/decision_points/cvss/automatable_1_0_0.json
+++ b/data/json/decision_points/cvss/automatable_1_0_0.json
@@ -3,23 +3,23 @@
"key": "AU",
"version": "1.0.0",
"name": "Automatable",
- "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+ "definition": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_impact_1_0_0.json b/data/json/decision_points/cvss/availability_impact_1_0_0.json
index db9dcfce..5a98cf85 100644
--- a/data/json/decision_points/cvss/availability_impact_1_0_0.json
+++ b/data/json/decision_points/cvss/availability_impact_1_0_0.json
@@ -3,23 +3,23 @@
"key": "A",
"version": "1.0.0",
"name": "Availability Impact",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No impact on availability."
+ "definition": "No impact on availability."
},
{
"key": "P",
"name": "Partial",
- "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
+ "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
},
{
"key": "C",
"name": "Complete",
- "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
+ "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_impact_2_0_0.json b/data/json/decision_points/cvss/availability_impact_2_0_0.json
index 2dc9723d..80a86a13 100644
--- a/data/json/decision_points/cvss/availability_impact_2_0_0.json
+++ b/data/json/decision_points/cvss/availability_impact_2_0_0.json
@@ -3,23 +3,23 @@
"key": "A",
"version": "2.0.0",
"name": "Availability Impact",
- "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the availability of the system."
+ "definition": "There is no impact to the availability of the system."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability."
+ "definition": "There is reduced performance or interruptions in resource availability."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json
index 4aec18d9..e6d67244 100644
--- a/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json
+++ b/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json
@@ -3,23 +3,23 @@
"key": "SA",
"version": "1.0.0",
"name": "Availability Impact to the Subsequent System",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json
index e72867d5..cd3f640f 100644
--- a/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json
+++ b/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json
@@ -3,23 +3,23 @@
"key": "VA",
"version": "3.0.0",
"name": "Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_0_0.json b/data/json/decision_points/cvss/availability_requirement_1_0_0.json
index 01e98283..2a953169 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_0_0.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_0_0.json
@@ -3,28 +3,28 @@
"key": "AR",
"version": "1.0.0",
"name": "Availability Requirement",
- "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_0.json b/data/json/decision_points/cvss/availability_requirement_1_1_0.json
index 400a6ee6..17621b17 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_1_0.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_1_0.json
@@ -3,28 +3,28 @@
"key": "AR",
"version": "1.1.0",
"name": "Availability Requirement",
- "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json
index 2188b155..8836d40c 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json
@@ -3,28 +3,28 @@
"key": "AR",
"version": "1.1.1",
"name": "Availability Requirement",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/availability_requirement_without_not_defined__1_1_1.json b/data/json/decision_points/cvss/availability_requirement_without_not_defined__1_1_1.json
index c4d36b64..230831d3 100644
--- a/data/json/decision_points/cvss/availability_requirement_without_not_defined__1_1_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_without_not_defined__1_1_1.json
@@ -3,23 +3,23 @@
"key": "AR_NoX",
"version": "1.1.1",
"name": "Availability Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
}
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
index 0b40ec7a..fb14a84a 100644
--- a/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
+++ b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
@@ -3,28 +3,28 @@
"key": "CDP",
"version": "1.0.0",
"name": "Collateral Damage Potential",
- "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
+ "definition": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no potential for physical or property damage."
+ "definition": "There is no potential for physical or property damage."
},
{
"key": "L",
"name": "Low",
- "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
+ "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
},
{
"key": "M",
"name": "Medium",
- "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
{
"key": "H",
"name": "High",
- "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
}
]
}
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
index 8b3e106e..0fcd9bab 100644
--- a/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
+++ b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
@@ -3,33 +3,33 @@
"key": "CDP",
"version": "2.0.0",
"name": "Collateral Damage Potential",
- "description": "This metric measures the potential for loss of life or physical assets.",
+ "definition": "This metric measures the potential for loss of life or physical assets.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no potential for loss of life, physical assets, productivity or revenue."
+ "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
},
{
"key": "LM",
"name": "Low-Medium",
- "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
},
{
"key": "MH",
"name": "Medium-High",
- "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
{
"key": "H",
"name": "High",
- "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
index 5634d799..f4b17718 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
@@ -3,23 +3,23 @@
"key": "C",
"version": "1.0.0",
"name": "Confidentiality Impact",
- "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
+ "definition": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No impact on confidentiality."
+ "definition": "No impact on confidentiality."
},
{
"key": "P",
"name": "Partial",
- "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
+ "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
},
{
"key": "C",
"name": "Complete",
- "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
+ "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
index 44f31e5a..1b92fd1f 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
@@ -3,23 +3,23 @@
"key": "C",
"version": "2.0.0",
"name": "Confidentiality Impact",
- "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
index 37208528..761697d1 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
@@ -3,23 +3,23 @@
"key": "SC",
"version": "1.0.0",
"name": "Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json
index 33b141c1..fd33d6e6 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json
@@ -3,23 +3,23 @@
"key": "VC",
"version": "3.0.0",
"name": "Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
index ad330ec3..d635256e 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
@@ -3,28 +3,28 @@
"key": "CR",
"version": "1.0.0",
"name": "Confidentiality Requirement",
- "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
index ab170f65..1c188c33 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
@@ -3,28 +3,28 @@
"key": "CR",
"version": "1.1.0",
"name": "Confidentiality Requirement",
- "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
index e78267b6..1d99b7cd 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
@@ -3,28 +3,28 @@
"key": "CR",
"version": "1.1.1",
"name": "Confidentiality Requirement",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_without_not_defined__1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_without_not_defined__1_1_1.json
index 12e989e4..a9970c8b 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_without_not_defined__1_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_without_not_defined__1_1_1.json
@@ -3,23 +3,23 @@
"key": "CR_NoX",
"version": "1.1.1",
"name": "Confidentiality Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
}
diff --git a/data/json/decision_points/cvss/cvss_qualitative_severity_rating_scale_1_0_0.json b/data/json/decision_points/cvss/cvss_qualitative_severity_rating_scale_1_0_0.json
index dca56b8b..96efe88c 100644
--- a/data/json/decision_points/cvss/cvss_qualitative_severity_rating_scale_1_0_0.json
+++ b/data/json/decision_points/cvss/cvss_qualitative_severity_rating_scale_1_0_0.json
@@ -3,33 +3,33 @@
"key": "CVSS",
"version": "1.0.0",
"name": "CVSS Qualitative Severity Rating Scale",
- "description": "The CVSS Qualitative Severity Rating Scale group.",
+ "definition": "The CVSS Qualitative Severity Rating Scale group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "None (0.0)"
+ "definition": "None (0.0)"
},
{
"key": "L",
"name": "Low",
- "description": "Low (0.1-3.9)"
+ "definition": "Low (0.1-3.9)"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0-6.9)"
},
{
"key": "H",
"name": "High",
- "description": "High (7.0-8.9)"
+ "definition": "High (7.0-8.9)"
},
{
"key": "C",
"name": "Critical",
- "description": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0-10.0)"
}
]
}
diff --git a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
index 4eefa33a..583fb814 100644
--- a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
+++ b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
@@ -3,23 +3,23 @@
"key": "EQ1",
"version": "1.0.0",
"name": "Equivalence Set 1",
- "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
}
diff --git a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
index ee665375..6d32a351 100644
--- a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
+++ b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
@@ -3,18 +3,18 @@
"key": "EQ2",
"version": "1.0.0",
"name": "Equivalence Set 2",
- "description": "AC/AT with 2 levels specified in Table 25",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
]
}
diff --git a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
index 9d224fd9..b79a1b35 100644
--- a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
+++ b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
@@ -3,23 +3,23 @@
"key": "EQ3",
"version": "1.0.0",
"name": "Equivalence Set 3",
- "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
]
}
diff --git a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
index b0daf241..bdf23b9c 100644
--- a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
+++ b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
@@ -3,23 +3,23 @@
"key": "EQ4",
"version": "1.0.0",
"name": "Equivalence Set 4",
- "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
]
}
diff --git a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
index f0116db6..cee5ce58 100644
--- a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
+++ b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
@@ -3,23 +3,23 @@
"key": "EQ5",
"version": "1.0.0",
"name": "Equivalence Set 5",
- "description": "E with 3 levels specified in Table 28",
+ "definition": "E with 3 levels specified in Table 28",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
{
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
]
}
diff --git a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
index a1790231..d2ef4775 100644
--- a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
+++ b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
@@ -3,18 +3,18 @@
"key": "EQ6",
"version": "1.0.0",
"name": "Equivalence Set 6",
- "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
}
diff --git a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
index 0722a613..60d471cd 100644
--- a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
+++ b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
@@ -3,33 +3,33 @@
"key": "E",
"version": "1.2.0",
"name": "Exploit Code Maturity",
- "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
+ "definition": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unproven",
- "description": "No exploit code is available, or an exploit is theoretical."
+ "definition": "No exploit code is available, or an exploit is theoretical."
},
{
"key": "POC",
"name": "Proof-of-Concept",
- "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
+ "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
},
{
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
},
{
"key": "H",
"name": "High",
- "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
index 1c6985a7..e12b3c98 100644
--- a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
+++ b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
@@ -3,28 +3,28 @@
"key": "E",
"version": "2.0.0",
"name": "Exploit Maturity",
- "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json
index c3f4e72c..879ddc6b 100644
--- a/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json
+++ b/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json
@@ -3,23 +3,23 @@
"key": "E_NoX",
"version": "2.0.0",
"name": "Exploit Maturity (without Not Defined)",
- "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
]
}
diff --git a/data/json/decision_points/cvss/exploitability_1_0_0.json b/data/json/decision_points/cvss/exploitability_1_0_0.json
index acb0cf98..d94b8005 100644
--- a/data/json/decision_points/cvss/exploitability_1_0_0.json
+++ b/data/json/decision_points/cvss/exploitability_1_0_0.json
@@ -3,28 +3,28 @@
"key": "E",
"version": "1.0.0",
"name": "Exploitability",
- "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unproven",
- "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
{
"key": "P",
"name": "Proof of Concept",
- "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
{
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
{
"key": "H",
"name": "High",
- "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
}
]
}
diff --git a/data/json/decision_points/cvss/exploitability_1_1_0.json b/data/json/decision_points/cvss/exploitability_1_1_0.json
index 02685cba..e62634cd 100644
--- a/data/json/decision_points/cvss/exploitability_1_1_0.json
+++ b/data/json/decision_points/cvss/exploitability_1_1_0.json
@@ -3,33 +3,33 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitability",
- "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unproven",
- "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
{
"key": "P",
"name": "Proof of Concept",
- "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
{
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
{
"key": "H",
"name": "High",
- "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/impact_bias_1_0_0.json b/data/json/decision_points/cvss/impact_bias_1_0_0.json
index f2a9e366..22cb190c 100644
--- a/data/json/decision_points/cvss/impact_bias_1_0_0.json
+++ b/data/json/decision_points/cvss/impact_bias_1_0_0.json
@@ -3,28 +3,28 @@
"key": "IB",
"version": "1.0.0",
"name": "Impact Bias",
- "description": "This metric measures the impact bias of the vulnerability.",
+ "definition": "This metric measures the impact bias of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Normal",
- "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
+ "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
},
{
"key": "C",
"name": "Confidentiality",
- "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
+ "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
},
{
"key": "I",
"name": "Integrity",
- "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
+ "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
},
{
"key": "A",
"name": "Availability",
- "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
+ "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
}
]
}
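Review bot: The top-level key `description` is renamed to `definition` on every object in this hunk, but `"schemaVersion": "2.0.0"` is left unchanged, so a consumer that validates these files against the 2.0.0 schema (or reads `description`) will now fail or silently get a missing field. If the schema itself gained the new field name, the version string should be bumped alongside the key rename, e.g. `"schemaVersion": "2.1.0"` (or whatever the schema's own versioning calls for); if it did not, the rename should wait for the schema change. The same applies to every other file in this commit, since they all carry the identical `schemaVersion` line. These files look generated, so the fix presumably belongs in the generator or schema rather than in the JSON by hand — verify against the tooling that emits them.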
diff --git a/data/json/decision_points/cvss/integrity_impact_1_0_0.json b/data/json/decision_points/cvss/integrity_impact_1_0_0.json
index 8b380ad7..d2bd3620 100644
--- a/data/json/decision_points/cvss/integrity_impact_1_0_0.json
+++ b/data/json/decision_points/cvss/integrity_impact_1_0_0.json
@@ -3,23 +3,23 @@
"key": "I",
"version": "1.0.0",
"name": "Integrity Impact",
- "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
+ "definition": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No impact on integrity."
+ "definition": "No impact on integrity."
},
{
"key": "P",
"name": "Partial",
- "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
+ "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
},
{
"key": "C",
"name": "Complete",
- "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
+ "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
}
]
}
diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_0.json b/data/json/decision_points/cvss/integrity_impact_2_0_0.json
index 89dc794b..66923efa 100644
--- a/data/json/decision_points/cvss/integrity_impact_2_0_0.json
+++ b/data/json/decision_points/cvss/integrity_impact_2_0_0.json
@@ -3,23 +3,23 @@
"key": "I",
"version": "2.0.0",
"name": "Integrity Impact",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the integrity of the system."
+ "definition": "There is no impact to the integrity of the system."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
}
diff --git a/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json
index 32c37517..b65690ba 100644
--- a/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json
+++ b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json
@@ -3,23 +3,23 @@
"key": "SI",
"version": "1.0.0",
"name": "Integrity Impact to the Subsequent System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
}
]
}
diff --git a/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json
index 291d15b8..c8d16851 100644
--- a/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json
+++ b/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json
@@ -3,23 +3,23 @@
"key": "VI",
"version": "3.0.0",
"name": "Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_0_0.json b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json
index e19b1609..903e6cd4 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_0_0.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json
@@ -3,28 +3,28 @@
"key": "IR",
"version": "1.0.0",
"name": "Integrity Requirement",
- "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_0.json b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json
index 0eb8f298..80096996 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_1_0.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json
@@ -3,28 +3,28 @@
"key": "IR",
"version": "1.1.0",
"name": "Integrity Requirement",
- "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
index a09b6123..95400381 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
@@ -3,28 +3,28 @@
"key": "IR",
"version": "1.1.1",
"name": "Integrity Requirement",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
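Review bot: The new `definition` text for the Integrity Requirement decision point (key `IR`, version 1.1.1) still reads "measured in terms of Confidentiality", which contradicts the metric's name and its value definitions, all of which describe loss of integrity; this looks like a copy-paste from the Confidentiality Requirement entry. The string should say `"... measured in terms of Integrity."` — the same wording error appears in the `IR_NoX` ("without Not Defined") variant in the following hunk. Since these files appear to be generated, the correction presumably needs to be made in the source definition that produces them and then regenerated, otherwise the next regeneration will reintroduce it.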
diff --git a/data/json/decision_points/cvss/integrity_requirement_without_not_defined__1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_without_not_defined__1_1_1.json
index 48563745..3abf6819 100644
--- a/data/json/decision_points/cvss/integrity_requirement_without_not_defined__1_1_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_without_not_defined__1_1_1.json
@@ -3,23 +3,23 @@
"key": "IR_NoX",
"version": "1.1.1",
"name": "Integrity Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json
index c71ee607..fb5b8d39 100644
--- a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json
+++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json
@@ -3,23 +3,23 @@
"key": "MAC",
"version": "3.0.0",
"name": "Modified Attack Complexity",
- "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "A successful attack depends on conditions beyond the attacker's control."
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json
index 20df5d53..dc7a0f6b 100644
--- a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json
+++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json
@@ -3,23 +3,23 @@
"key": "MAC",
"version": "3.0.1",
"name": "Modified Attack Complexity",
- "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json
index 60ae3f61..8b650401 100644
--- a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json
@@ -3,23 +3,23 @@
"key": "MAT",
"version": "1.0.0",
"name": "Modified Attack Requirements",
- "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json
index 20797e81..85e7dc16 100644
--- a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json
+++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json
@@ -3,33 +3,33 @@
"key": "MAV",
"version": "3.0.0",
"name": "Modified Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
{
"key": "A",
"name": "Adjacent",
- "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
},
{
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json
index b7ffc2cf..88c8d267 100644
--- a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json
+++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json
@@ -3,33 +3,33 @@
"key": "MAV",
"version": "3.0.1",
"name": "Modified Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json
index 62dc1ba9..c5aa2298 100644
--- a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json
+++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json
@@ -3,28 +3,28 @@
"key": "MA",
"version": "2.0.0",
"name": "Modified Availability Impact",
- "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the availability of the system."
+ "definition": "There is no impact to the availability of the system."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability."
+ "definition": "There is reduced performance or interruptions in resource availability."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json
index 69f0c877..101ad830 100644
--- a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json
@@ -3,28 +3,28 @@
"key": "MSA",
"version": "1.0.0",
"name": "Modified Availability Impact to the Subsequent System",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_1.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_1.json
index 0d8de3f9..c22b366c 100644
--- a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_1.json
+++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_1.json
@@ -3,33 +3,33 @@
"key": "MSA",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_without_not_defined__1_0_1.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_without_not_defined__1_0_1.json
index 5230980a..ae06a2ae 100644
--- a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_without_not_defined__1_0_1.json
+++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_without_not_defined__1_0_1.json
@@ -3,28 +3,28 @@
"key": "MSA_NoX",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json
index 59d90019..5f0feecb 100644
--- a/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json
+++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json
@@ -3,28 +3,28 @@
"key": "MVA",
"version": "3.0.0",
"name": "Modified Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json
index b202d8e6..ddf0beba 100644
--- a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json
+++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json
@@ -3,28 +3,28 @@
"key": "MC",
"version": "2.0.0",
"name": "Modified Confidentiality Impact",
- "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json
index f54dbe39..e201564b 100644
--- a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json
@@ -3,28 +3,28 @@
"key": "MSC",
"version": "1.0.0",
"name": "Modified Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_1.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_1.json
index 591b0d95..31fa1d8d 100644
--- a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_1.json
+++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_1.json
@@ -3,28 +3,28 @@
"key": "MSC",
"version": "1.0.1",
"name": "Modified Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json
index 85ae8d10..425d4f03 100644
--- a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json
+++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json
@@ -3,28 +3,28 @@
"key": "MVC",
"version": "3.0.0",
"name": "Modified Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json
index deef28d3..fbf2eeae 100644
--- a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json
+++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json
@@ -3,28 +3,28 @@
"key": "MI",
"version": "2.0.0",
"name": "Modified Integrity Impact",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the integrity of the system."
+ "definition": "There is no impact to the integrity of the system."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json
index 7f159510..754befa2 100644
--- a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json
@@ -3,28 +3,28 @@
"key": "MSI",
"version": "1.0.0",
"name": "Modified Integrity Impact to the Subsequent System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_1.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_1.json
index 448c1035..a116751d 100644
--- a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_1.json
+++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_1.json
@@ -3,33 +3,33 @@
"key": "MSI",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_without_not_defined__1_0_1.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_without_not_defined__1_0_1.json
index 1af512ba..92495703 100644
--- a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_without_not_defined__1_0_1.json
+++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_without_not_defined__1_0_1.json
@@ -3,28 +3,28 @@
"key": "MSI_NoX",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json
index 4cdf393a..7964a614 100644
--- a/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json
+++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json
@@ -3,28 +3,28 @@
"key": "MVI",
"version": "3.0.0",
"name": "Modified Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json
index e7242d88..a88ee9f5 100644
--- a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json
@@ -3,28 +3,28 @@
"key": "MPR",
"version": "1.0.0",
"name": "Modified Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json
index 8f693d5a..0e4a54c8 100644
--- a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json
+++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json
@@ -3,28 +3,28 @@
"key": "MPR",
"version": "1.0.1",
"name": "Modified Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_scope_1_0_0.json b/data/json/decision_points/cvss/modified_scope_1_0_0.json
index 15685974..ca81fdd3 100644
--- a/data/json/decision_points/cvss/modified_scope_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_scope_1_0_0.json
@@ -3,23 +3,23 @@
"key": "MS",
"version": "1.0.0",
"name": "Modified Scope",
- "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unchanged",
- "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
{
"key": "C",
"name": "Changed",
- "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json
index 61eaea70..87d17ac2 100644
--- a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json
+++ b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json
@@ -3,23 +3,23 @@
"key": "MUI",
"version": "1.0.0",
"name": "Modified User Interaction",
- "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "R",
"name": "Required",
- "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The vulnerable system can be exploited without interaction from any user."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json
index 826233f7..e2964a66 100644
--- a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json
+++ b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json
@@ -3,28 +3,28 @@
"key": "MUI",
"version": "2.0.0",
"name": "Modified User Interaction",
- "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/privileges_required_1_0_0.json b/data/json/decision_points/cvss/privileges_required_1_0_0.json
index a4134d43..1916bf3a 100644
--- a/data/json/decision_points/cvss/privileges_required_1_0_0.json
+++ b/data/json/decision_points/cvss/privileges_required_1_0_0.json
@@ -3,23 +3,23 @@
"key": "PR",
"version": "1.0.0",
"name": "Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
}
diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json
index c74a9b3c..0674b8e2 100644
--- a/data/json/decision_points/cvss/privileges_required_1_0_1.json
+++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json
@@ -3,23 +3,23 @@
"key": "PR",
"version": "1.0.1",
"name": "Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
}
diff --git a/data/json/decision_points/cvss/provider_urgency_1_0_0.json b/data/json/decision_points/cvss/provider_urgency_1_0_0.json
index f3db62ce..902c7d71 100644
--- a/data/json/decision_points/cvss/provider_urgency_1_0_0.json
+++ b/data/json/decision_points/cvss/provider_urgency_1_0_0.json
@@ -3,33 +3,33 @@
"key": "U",
"version": "1.0.0",
"name": "Provider Urgency",
- "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
+ "definition": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "C",
"name": "Clear",
- "description": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
+ "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
},
{
"key": "G",
"name": "Green",
- "description": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
},
{
"key": "A",
"name": "Amber",
- "description": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
},
{
"key": "R",
"name": "Red",
- "description": "Provider has assessed the impact of this vulnerability as having the highest urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
}
]
}
diff --git a/data/json/decision_points/cvss/recovery_1_0_0.json b/data/json/decision_points/cvss/recovery_1_0_0.json
index 42f1c7c1..31fd5b62 100644
--- a/data/json/decision_points/cvss/recovery_1_0_0.json
+++ b/data/json/decision_points/cvss/recovery_1_0_0.json
@@ -3,28 +3,28 @@
"key": "R",
"version": "1.0.0",
"name": "Recovery",
- "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
+ "definition": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "A",
"name": "Automatic",
- "description": "The system recovers services automatically after an attack has been performed."
+ "definition": "The system recovers services automatically after an attack has been performed."
},
{
"key": "U",
"name": "User",
- "description": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
},
{
"key": "I",
"name": "Irrecoverable",
- "description": "The system services are irrecoverable by the user, after an attack has been performed."
+ "definition": "The system services are irrecoverable by the user, after an attack has been performed."
}
]
}
diff --git a/data/json/decision_points/cvss/remediation_level_1_0_0.json b/data/json/decision_points/cvss/remediation_level_1_0_0.json
index 7f440814..7210259e 100644
--- a/data/json/decision_points/cvss/remediation_level_1_0_0.json
+++ b/data/json/decision_points/cvss/remediation_level_1_0_0.json
@@ -3,28 +3,28 @@
"key": "RL",
"version": "1.0.0",
"name": "Remediation Level",
- "description": "This metric measures the remediation status of a vulnerability.",
+ "definition": "This metric measures the remediation status of a vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "OF",
"name": "Official Fix",
- "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
{
"key": "TF",
"name": "Temporary Fix",
- "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
{
"key": "W",
"name": "Workaround",
- "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
{
"key": "U",
"name": "Unavailable",
- "description": "There is either no solution available or it is impossible to apply."
+ "definition": "There is either no solution available or it is impossible to apply."
}
]
}
diff --git a/data/json/decision_points/cvss/remediation_level_1_1_0.json b/data/json/decision_points/cvss/remediation_level_1_1_0.json
index 0b33e7c2..81216ea5 100644
--- a/data/json/decision_points/cvss/remediation_level_1_1_0.json
+++ b/data/json/decision_points/cvss/remediation_level_1_1_0.json
@@ -3,33 +3,33 @@
"key": "RL",
"version": "1.1.0",
"name": "Remediation Level",
- "description": "This metric measures the remediation status of a vulnerability.",
+ "definition": "This metric measures the remediation status of a vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "OF",
"name": "Official Fix",
- "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
{
"key": "TF",
"name": "Temporary Fix",
- "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
{
"key": "W",
"name": "Workaround",
- "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
{
"key": "U",
"name": "Unavailable",
- "description": "There is either no solution available or it is impossible to apply."
+ "definition": "There is either no solution available or it is impossible to apply."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
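Review bot: The key rename `description` → `definition` changes the document shape while `"schemaVersion": "2.0.0"` on L3103 is left as-is, so a consumer validating against the 2.0.0 schema, or one that reads `description`, gets no version signal that the contract changed. Either the schema that 2.0.0 names already accepts `definition` (in which case that is worth stating in the commit description), or the schemaVersion should move to whatever version the updated schema declares, e.g. `"schemaVersion": "<updated schema version>"`. The same applies to every other file section in this chunk (report_confidence 1.0.0/1.1.0/2.0.0, safety, scope, target_distribution 1.0.0/1.1.0, user_interaction 1.0.0/2.0.0, value_density, vulnerability_response_effort, automatable, critical_software, decline_track_coordinate 1.0.0/1.0.1, defer_scheduled_out_of_cycle_immediate). These files look generated (uniform mechanical edit plus a schemaVersion field), so the fix presumably belongs in the generator or schema source rather than a hand edit here; likewise the typo `possibily` on L3159 and L3191 survives regeneration and is best corrected at its source.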
diff --git a/data/json/decision_points/cvss/report_confidence_1_0_0.json b/data/json/decision_points/cvss/report_confidence_1_0_0.json
index 2d9489bb..5df2b995 100644
--- a/data/json/decision_points/cvss/report_confidence_1_0_0.json
+++ b/data/json/decision_points/cvss/report_confidence_1_0_0.json
@@ -3,23 +3,23 @@
"key": "RC",
"version": "1.0.0",
"name": "Report Confidence",
- "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "UC",
"name": "Unconfirmed",
- "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
{
"key": "UR",
"name": "Uncorroborated",
- "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
{
"key": "C",
"name": "Confirmed",
- "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
}
]
}
diff --git a/data/json/decision_points/cvss/report_confidence_1_1_0.json b/data/json/decision_points/cvss/report_confidence_1_1_0.json
index ccbd5185..e817cb30 100644
--- a/data/json/decision_points/cvss/report_confidence_1_1_0.json
+++ b/data/json/decision_points/cvss/report_confidence_1_1_0.json
@@ -3,28 +3,28 @@
"key": "RC",
"version": "1.1.0",
"name": "Report Confidence",
- "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "UC",
"name": "Unconfirmed",
- "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
{
"key": "UR",
"name": "Uncorroborated",
- "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
{
"key": "C",
"name": "Confirmed",
- "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/report_confidence_2_0_0.json b/data/json/decision_points/cvss/report_confidence_2_0_0.json
index 2d1a51b8..50efb8f1 100644
--- a/data/json/decision_points/cvss/report_confidence_2_0_0.json
+++ b/data/json/decision_points/cvss/report_confidence_2_0_0.json
@@ -3,28 +3,28 @@
"key": "RC",
"version": "2.0.0",
"name": "Report Confidence",
- "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unknown",
- "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
+ "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
},
{
"key": "R",
"name": "Reasonable",
- "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
+ "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
},
{
"key": "C",
"name": "Confirmed",
- "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
+ "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/safety_1_0_0.json b/data/json/decision_points/cvss/safety_1_0_0.json
index 06ff99ce..3f9ea913 100644
--- a/data/json/decision_points/cvss/safety_1_0_0.json
+++ b/data/json/decision_points/cvss/safety_1_0_0.json
@@ -3,23 +3,23 @@
"key": "SF",
"version": "1.0.0",
"name": "Safety",
- "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
+ "definition": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "P",
"name": "Present",
- "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
},
{
"key": "N",
"name": "Negligible",
- "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
}
]
}
diff --git a/data/json/decision_points/cvss/scope_1_0_0.json b/data/json/decision_points/cvss/scope_1_0_0.json
index f0f8e16b..813c4365 100644
--- a/data/json/decision_points/cvss/scope_1_0_0.json
+++ b/data/json/decision_points/cvss/scope_1_0_0.json
@@ -3,18 +3,18 @@
"key": "S",
"version": "1.0.0",
"name": "Scope",
- "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unchanged",
- "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
{
"key": "C",
"name": "Changed",
- "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
}
]
}
diff --git a/data/json/decision_points/cvss/target_distribution_1_0_0.json b/data/json/decision_points/cvss/target_distribution_1_0_0.json
index f9c3e3c8..c6b7e412 100644
--- a/data/json/decision_points/cvss/target_distribution_1_0_0.json
+++ b/data/json/decision_points/cvss/target_distribution_1_0_0.json
@@ -3,28 +3,28 @@
"key": "TD",
"version": "1.0.0",
"name": "Target Distribution",
- "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
{
"key": "L",
"name": "Low",
- "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
{
"key": "M",
"name": "Medium",
- "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
{
"key": "H",
"name": "High",
- "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
}
]
}
diff --git a/data/json/decision_points/cvss/target_distribution_1_1_0.json b/data/json/decision_points/cvss/target_distribution_1_1_0.json
index 820c76c5..90af4d1d 100644
--- a/data/json/decision_points/cvss/target_distribution_1_1_0.json
+++ b/data/json/decision_points/cvss/target_distribution_1_1_0.json
@@ -3,33 +3,33 @@
"key": "TD",
"version": "1.1.0",
"name": "Target Distribution",
- "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
{
"key": "L",
"name": "Low",
- "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
{
"key": "M",
"name": "Medium",
- "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
{
"key": "H",
"name": "High",
- "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
}
diff --git a/data/json/decision_points/cvss/user_interaction_1_0_0.json b/data/json/decision_points/cvss/user_interaction_1_0_0.json
index 9e99caf3..de29297c 100644
--- a/data/json/decision_points/cvss/user_interaction_1_0_0.json
+++ b/data/json/decision_points/cvss/user_interaction_1_0_0.json
@@ -3,18 +3,18 @@
"key": "UI",
"version": "1.0.0",
"name": "User Interaction",
- "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "R",
"name": "Required",
- "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The vulnerable system can be exploited without interaction from any user."
}
]
}
diff --git a/data/json/decision_points/cvss/user_interaction_2_0_0.json b/data/json/decision_points/cvss/user_interaction_2_0_0.json
index fff2dc8b..4bc2c5f6 100644
--- a/data/json/decision_points/cvss/user_interaction_2_0_0.json
+++ b/data/json/decision_points/cvss/user_interaction_2_0_0.json
@@ -3,23 +3,23 @@
"key": "UI",
"version": "2.0.0",
"name": "User Interaction",
- "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
]
}
diff --git a/data/json/decision_points/cvss/value_density_1_0_0.json b/data/json/decision_points/cvss/value_density_1_0_0.json
index 6a09e1e2..1edffbd0 100644
--- a/data/json/decision_points/cvss/value_density_1_0_0.json
+++ b/data/json/decision_points/cvss/value_density_1_0_0.json
@@ -3,23 +3,23 @@
"key": "V",
"version": "1.0.0",
"name": "Value Density",
- "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
+ "definition": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "D",
"name": "Diffuse",
- "description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
+ "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
- "description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
+ "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
]
}
diff --git a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json
index 12b26541..be0cb7ca 100644
--- a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json
+++ b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json
@@ -3,28 +3,28 @@
"key": "RE",
"version": "1.0.0",
"name": "Vulnerability Response Effort",
- "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
+ "definition": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "L",
"name": "Low",
- "description": "The effort required to respond to a vulnerability is low/trivial."
+ "definition": "The effort required to respond to a vulnerability is low/trivial."
},
{
"key": "M",
"name": "Moderate",
- "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
},
{
"key": "H",
"name": "High",
- "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
+ "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
}
]
}
diff --git a/data/json/decision_points/ssvc/automatable_2_0_0.json b/data/json/decision_points/ssvc/automatable_2_0_0.json
index 874297d0..858c79c0 100644
--- a/data/json/decision_points/ssvc/automatable_2_0_0.json
+++ b/data/json/decision_points/ssvc/automatable_2_0_0.json
@@ -3,18 +3,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
}
diff --git a/data/json/decision_points/ssvc/critical_software_1_0_0.json b/data/json/decision_points/ssvc/critical_software_1_0_0.json
index 1373b380..7a3867f7 100644
--- a/data/json/decision_points/ssvc/critical_software_1_0_0.json
+++ b/data/json/decision_points/ssvc/critical_software_1_0_0.json
@@ -3,18 +3,18 @@
"key": "CS",
"version": "1.0.0",
"name": "Critical Software",
- "description": "Denotes whether a system meets a critical software definition.",
+ "definition": "Denotes whether a system meets a critical software definition.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "System does not meet a critical software definition."
+ "definition": "System does not meet a critical software definition."
},
{
"key": "Y",
"name": "Yes",
- "description": "System meets a critical software definition."
+ "definition": "System meets a critical software definition."
}
]
}
diff --git a/data/json/decision_points/ssvc/decline_track_coordinate_1_0_0.json b/data/json/decision_points/ssvc/decline_track_coordinate_1_0_0.json
index 87e7fa38..5457a1d9 100644
--- a/data/json/decision_points/ssvc/decline_track_coordinate_1_0_0.json
+++ b/data/json/decision_points/ssvc/decline_track_coordinate_1_0_0.json
@@ -3,23 +3,23 @@
"key": "COORDINATE",
"version": "1.0.0",
"name": "Decline, Track, Coordinate",
- "description": "The coordinate outcome group.",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
- "description": "Decline"
+ "definition": "Decline"
},
{
"key": "T",
"name": "Track",
- "description": "Track"
+ "definition": "Track"
},
{
"key": "C",
"name": "Coordinate",
- "description": "Coordinate"
+ "definition": "Coordinate"
}
]
}
diff --git a/data/json/decision_points/ssvc/decline_track_coordinate_1_0_1.json b/data/json/decision_points/ssvc/decline_track_coordinate_1_0_1.json
index ff53fc5d..3a4041cb 100644
--- a/data/json/decision_points/ssvc/decline_track_coordinate_1_0_1.json
+++ b/data/json/decision_points/ssvc/decline_track_coordinate_1_0_1.json
@@ -3,23 +3,23 @@
"key": "COORDINATE",
"version": "1.0.1",
"name": "Decline, Track, Coordinate",
- "description": "The coordinate outcome group.",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
- "description": "Do not act on the report."
+ "definition": "Do not act on the report."
},
{
"key": "T",
"name": "Track",
- "description": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
{
"key": "C",
"name": "Coordinate",
- "description": "Take action on the report."
+ "definition": "Take action on the report."
}
]
}
diff --git a/data/json/decision_points/ssvc/defer_scheduled_out_of_cycle_immediate_1_0_0.json b/data/json/decision_points/ssvc/defer_scheduled_out_of_cycle_immediate_1_0_0.json
index 49a60a1f..98b78916 100644
--- a/data/json/decision_points/ssvc/defer_scheduled_out_of_cycle_immediate_1_0_0.json
+++ b/data/json/decision_points/ssvc/defer_scheduled_out_of_cycle_immediate_1_0_0.json
@@ -3,28 +3,28 @@
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "description": "The original SSVC outcome group.",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
]
}
diff --git a/data/json/decision_points/ssvc/exploitation_1_0_0.json b/data/json/decision_points/ssvc/exploitation_1_0_0.json
index 3fd20507..bdae60b9 100644
--- a/data/json/decision_points/ssvc/exploitation_1_0_0.json
+++ b/data/json/decision_points/ssvc/exploitation_1_0_0.json
@@ -3,23 +3,23 @@
"key": "E",
"version": "1.0.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "PoC",
- "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
}
diff --git a/data/json/decision_points/ssvc/exploitation_1_1_0.json b/data/json/decision_points/ssvc/exploitation_1_1_0.json
index dbd8670f..d1eb2fb9 100644
--- a/data/json/decision_points/ssvc/exploitation_1_1_0.json
+++ b/data/json/decision_points/ssvc/exploitation_1_1_0.json
@@ -3,23 +3,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
}
diff --git a/data/json/decision_points/ssvc/high_value_asset_1_0_0.json b/data/json/decision_points/ssvc/high_value_asset_1_0_0.json
index 610e3006..f12e832e 100644
--- a/data/json/decision_points/ssvc/high_value_asset_1_0_0.json
+++ b/data/json/decision_points/ssvc/high_value_asset_1_0_0.json
@@ -3,18 +3,18 @@
"key": "HVA",
"version": "1.0.0",
"name": "High Value Asset",
- "description": "Denotes whether a system meets a high value asset definition.",
+ "definition": "Denotes whether a system meets a high value asset definition.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "System does not meet a high value asset definition."
+ "definition": "System does not meet a high value asset definition."
},
{
"key": "Y",
"name": "Yes",
- "description": "System meets a high value asset definition."
+ "definition": "System meets a high value asset definition."
}
]
}
diff --git a/data/json/decision_points/ssvc/human_impact_2_0_0.json b/data/json/decision_points/ssvc/human_impact_2_0_0.json
index 10f837dc..9d24b932 100644
--- a/data/json/decision_points/ssvc/human_impact_2_0_0.json
+++ b/data/json/decision_points/ssvc/human_impact_2_0_0.json
@@ -3,28 +3,28 @@
"key": "HI",
"version": "2.0.0",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
diff --git a/data/json/decision_points/ssvc/human_impact_2_0_1.json b/data/json/decision_points/ssvc/human_impact_2_0_1.json
index 80224c2f..58f11f8c 100644
--- a/data/json/decision_points/ssvc/human_impact_2_0_1.json
+++ b/data/json/decision_points/ssvc/human_impact_2_0_1.json
@@ -3,28 +3,28 @@
"key": "HI",
"version": "2.0.1",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
diff --git a/data/json/decision_points/ssvc/human_impact_2_0_2.json b/data/json/decision_points/ssvc/human_impact_2_0_2.json
index f6164b6b..ab777d65 100644
--- a/data/json/decision_points/ssvc/human_impact_2_0_2.json
+++ b/data/json/decision_points/ssvc/human_impact_2_0_2.json
@@ -3,28 +3,28 @@
"key": "HI",
"version": "2.0.2",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
diff --git a/data/json/decision_points/ssvc/mission_and_well_being_impact_1_0_0.json b/data/json/decision_points/ssvc/mission_and_well_being_impact_1_0_0.json
index ec9a3b92..1ac6533d 100644
--- a/data/json/decision_points/ssvc/mission_and_well_being_impact_1_0_0.json
+++ b/data/json/decision_points/ssvc/mission_and_well_being_impact_1_0_0.json
@@ -3,23 +3,23 @@
"key": "MWI",
"version": "1.0.0",
"name": "Mission and Well-Being Impact",
- "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
{
"key": "M",
"name": "Medium",
- "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
"key": "H",
"name": "High",
- "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
}
diff --git a/data/json/decision_points/ssvc/mission_impact_1_0_0.json b/data/json/decision_points/ssvc/mission_impact_1_0_0.json
index 3d5b93d5..76f496f7 100644
--- a/data/json/decision_points/ssvc/mission_impact_1_0_0.json
+++ b/data/json/decision_points/ssvc/mission_impact_1_0_0.json
@@ -3,33 +3,33 @@
"key": "MI",
"version": "1.0.0",
"name": "Mission Impact",
- "description": "Impact on Mission Essential Functions of the Organization",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "Little to no impact"
+ "definition": "Little to no impact"
},
{
"key": "NED",
"name": "Non-Essential Degraded",
- "description": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
}
diff --git a/data/json/decision_points/ssvc/mission_impact_2_0_0.json b/data/json/decision_points/ssvc/mission_impact_2_0_0.json
index 527b8201..3822302a 100644
--- a/data/json/decision_points/ssvc/mission_impact_2_0_0.json
+++ b/data/json/decision_points/ssvc/mission_impact_2_0_0.json
@@ -3,28 +3,28 @@
"key": "MI",
"version": "2.0.0",
"name": "Mission Impact",
- "description": "Impact on Mission Essential Functions of the Organization",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Degraded",
- "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
}
diff --git a/data/json/decision_points/ssvc/public_safety_impact_2_0_0.json b/data/json/decision_points/ssvc/public_safety_impact_2_0_0.json
index 6730bfdf..2cfcf18c 100644
--- a/data/json/decision_points/ssvc/public_safety_impact_2_0_0.json
+++ b/data/json/decision_points/ssvc/public_safety_impact_2_0_0.json
@@ -3,18 +3,18 @@
"key": "PSI",
"version": "2.0.0",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:(None OR Minor)"
+ "definition": "Safety Impact:(None OR Minor)"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
}
]
}
diff --git a/data/json/decision_points/ssvc/public_safety_impact_2_0_1.json b/data/json/decision_points/ssvc/public_safety_impact_2_0_1.json
index 729bed14..a8e96eb6 100644
--- a/data/json/decision_points/ssvc/public_safety_impact_2_0_1.json
+++ b/data/json/decision_points/ssvc/public_safety_impact_2_0_1.json
@@ -3,18 +3,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
}
diff --git a/data/json/decision_points/ssvc/public_value_added_1_0_0.json b/data/json/decision_points/ssvc/public_value_added_1_0_0.json
index c1f2f7b7..33759d6c 100644
--- a/data/json/decision_points/ssvc/public_value_added_1_0_0.json
+++ b/data/json/decision_points/ssvc/public_value_added_1_0_0.json
@@ -3,23 +3,23 @@
"key": "PVA",
"version": "1.0.0",
"name": "Public Value Added",
- "description": "How much value would a publication from the coordinator benefit the broader community?",
+ "definition": "How much value would a publication from the coordinator benefit the broader community?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Limited",
- "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
{
"key": "A",
"name": "Ampliative",
- "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
},
{
"key": "P",
"name": "Precedence",
- "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
]
}
diff --git a/data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json b/data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json
index 38780b34..a441c6ff 100644
--- a/data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json
+++ b/data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json
@@ -3,23 +3,23 @@
"key": "PWI",
"version": "1.1.0",
"name": "Public Well-Being Impact",
- "description": "A coarse-grained representation of impact to public well-being.",
+ "definition": "A coarse-grained representation of impact to public well-being.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "The effect is below the threshold for all aspects described in material. "
+ "definition": "The effect is below the threshold for all aspects described in material. "
},
{
"key": "MA",
"name": "Material",
- "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
},
{
"key": "I",
"name": "Irreversible",
- "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
}
]
}
diff --git a/data/json/decision_points/ssvc/publish_do_not_publish_1_0_0.json b/data/json/decision_points/ssvc/publish_do_not_publish_1_0_0.json
index 641c55d2..eaad66ee 100644
--- a/data/json/decision_points/ssvc/publish_do_not_publish_1_0_0.json
+++ b/data/json/decision_points/ssvc/publish_do_not_publish_1_0_0.json
@@ -3,18 +3,18 @@
"key": "PUBLISH",
"version": "1.0.0",
"name": "Publish, Do Not Publish",
- "description": "The publish outcome group.",
+ "definition": "The publish outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Do Not Publish",
- "description": "Do Not Publish"
+ "definition": "Do Not Publish"
},
{
"key": "P",
"name": "Publish",
- "description": "Publish"
+ "definition": "Publish"
}
]
}
diff --git a/data/json/decision_points/ssvc/report_credibility_1_0_0.json b/data/json/decision_points/ssvc/report_credibility_1_0_0.json
index bb45bb12..ae5a793f 100644
--- a/data/json/decision_points/ssvc/report_credibility_1_0_0.json
+++ b/data/json/decision_points/ssvc/report_credibility_1_0_0.json
@@ -3,18 +3,18 @@
"key": "RC",
"version": "1.0.0",
"name": "Report Credibility",
- "description": "Is the report credible?",
+ "definition": "Is the report credible?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "NC",
"name": "Not Credible",
- "description": "The report is not credible."
+ "definition": "The report is not credible."
},
{
"key": "C",
"name": "Credible",
- "description": "The report is credible."
+ "definition": "The report is credible."
}
]
}
diff --git a/data/json/decision_points/ssvc/report_public_1_0_0.json b/data/json/decision_points/ssvc/report_public_1_0_0.json
index c6c8b699..c859f165 100644
--- a/data/json/decision_points/ssvc/report_public_1_0_0.json
+++ b/data/json/decision_points/ssvc/report_public_1_0_0.json
@@ -3,18 +3,18 @@
"key": "RP",
"version": "1.0.0",
"name": "Report Public",
- "description": "Is a viable report of the details of the vulnerability already publicly available?",
+ "definition": "Is a viable report of the details of the vulnerability already publicly available?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "Y",
"name": "Yes",
- "description": "A public report of the vulnerability exists."
+ "definition": "A public report of the vulnerability exists."
},
{
"key": "N",
"name": "No",
- "description": "No public report of the vulnerability exists."
+ "definition": "No public report of the vulnerability exists."
}
]
}
diff --git a/data/json/decision_points/ssvc/safety_impact_1_0_0.json b/data/json/decision_points/ssvc/safety_impact_1_0_0.json
index a9d923cb..264b75eb 100644
--- a/data/json/decision_points/ssvc/safety_impact_1_0_0.json
+++ b/data/json/decision_points/ssvc/safety_impact_1_0_0.json
@@ -3,33 +3,33 @@
"key": "SI",
"version": "1.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability.",
+ "definition": "The safety impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "The effect is below the threshold for all aspects described in Minor."
+ "definition": "The effect is below the threshold for all aspects described in Minor."
},
{
"key": "M",
"name": "Minor",
- "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "J",
"name": "Major",
- "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "H",
"name": "Hazardous",
- "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
+ "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
}
]
}
diff --git a/data/json/decision_points/ssvc/safety_impact_2_0_0.json b/data/json/decision_points/ssvc/safety_impact_2_0_0.json
index 073067a3..dd224fae 100644
--- a/data/json/decision_points/ssvc/safety_impact_2_0_0.json
+++ b/data/json/decision_points/ssvc/safety_impact_2_0_0.json
@@ -3,28 +3,28 @@
"key": "SI",
"version": "2.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
}
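Review bot: Renaming the `description` field to `definition` on every decision point and value is a breaking change to the JSON contract, yet `"schemaVersion": "2.0.0"` is left unchanged here and in every other file in this chunk (supplier_cardinality through cisa_coordinator_2_0_3). Any downstream consumer that reads `description` will now silently get a missing key rather than a validation failure, which is the worst failure mode for data that drives prioritization decisions; either bump `schemaVersion` alongside the rename or keep `description` emitted as an alias for one transition release. These files look like generated output, so the fix presumably belongs in the generator and schema rather than in the JSON itself. Separately, the `definition` strings in this file are shown spread over several bullet lines; if those are literal newlines in the file rather than a rendering of `\n` escapes the file is not strict JSON, though the 28-line hunk count (matching the other four-value files) suggests the latter — a `json.load` check in CI over `data/json` would settle it.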
diff --git a/data/json/decision_points/ssvc/supplier_cardinality_1_0_0.json b/data/json/decision_points/ssvc/supplier_cardinality_1_0_0.json
index c291caf8..12ad6531 100644
--- a/data/json/decision_points/ssvc/supplier_cardinality_1_0_0.json
+++ b/data/json/decision_points/ssvc/supplier_cardinality_1_0_0.json
@@ -3,18 +3,18 @@
"key": "SC",
"version": "1.0.0",
"name": "Supplier Cardinality",
- "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "O",
"name": "One",
- "description": "There is only one supplier of the vulnerable component."
+ "definition": "There is only one supplier of the vulnerable component."
},
{
"key": "M",
"name": "Multiple",
- "description": "There are multiple suppliers of the vulnerable component."
+ "definition": "There are multiple suppliers of the vulnerable component."
}
]
}
diff --git a/data/json/decision_points/ssvc/supplier_contacted_1_0_0.json b/data/json/decision_points/ssvc/supplier_contacted_1_0_0.json
index dbd2cdc5..e8a4698f 100644
--- a/data/json/decision_points/ssvc/supplier_contacted_1_0_0.json
+++ b/data/json/decision_points/ssvc/supplier_contacted_1_0_0.json
@@ -3,18 +3,18 @@
"key": "SCON",
"version": "1.0.0",
"name": "Supplier Contacted",
- "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "The supplier has not been contacted."
+ "definition": "The supplier has not been contacted."
},
{
"key": "Y",
"name": "Yes",
- "description": "The supplier has been contacted."
+ "definition": "The supplier has been contacted."
}
]
}
diff --git a/data/json/decision_points/ssvc/supplier_engagement_1_0_0.json b/data/json/decision_points/ssvc/supplier_engagement_1_0_0.json
index 5142fcb9..29d45ac5 100644
--- a/data/json/decision_points/ssvc/supplier_engagement_1_0_0.json
+++ b/data/json/decision_points/ssvc/supplier_engagement_1_0_0.json
@@ -3,18 +3,18 @@
"key": "SE",
"version": "1.0.0",
"name": "Supplier Engagement",
- "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
+ "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
{
"key": "U",
"name": "Unresponsive",
- "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
]
}
diff --git a/data/json/decision_points/ssvc/supplier_involvement_1_0_0.json b/data/json/decision_points/ssvc/supplier_involvement_1_0_0.json
index cee58610..eea94740 100644
--- a/data/json/decision_points/ssvc/supplier_involvement_1_0_0.json
+++ b/data/json/decision_points/ssvc/supplier_involvement_1_0_0.json
@@ -3,23 +3,23 @@
"key": "SINV",
"version": "1.0.0",
"name": "Supplier Involvement",
- "description": "What is the state of the supplier’s work on addressing the vulnerability?",
+ "definition": "What is the state of the supplier’s work on addressing the vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "FR",
"name": "Fix Ready",
- "description": "The supplier has provided a patch or fix."
+ "definition": "The supplier has provided a patch or fix."
},
{
"key": "C",
"name": "Cooperative",
- "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
},
{
"key": "UU",
"name": "Uncooperative/Unresponsive",
- "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
]
}
diff --git a/data/json/decision_points/ssvc/system_exposure_1_0_0.json b/data/json/decision_points/ssvc/system_exposure_1_0_0.json
index 089fa443..f09137c0 100644
--- a/data/json/decision_points/ssvc/system_exposure_1_0_0.json
+++ b/data/json/decision_points/ssvc/system_exposure_1_0_0.json
@@ -3,23 +3,23 @@
"key": "EXP",
"version": "1.0.0",
"name": "System Exposure",
- "description": "The Accessible Attack Surface of the Affected System or Service",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
{
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
"key": "U",
"name": "Unavoidable",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
}
diff --git a/data/json/decision_points/ssvc/system_exposure_1_0_1.json b/data/json/decision_points/ssvc/system_exposure_1_0_1.json
index 23095082..0ee50eef 100644
--- a/data/json/decision_points/ssvc/system_exposure_1_0_1.json
+++ b/data/json/decision_points/ssvc/system_exposure_1_0_1.json
@@ -3,23 +3,23 @@
"key": "EXP",
"version": "1.0.1",
"name": "System Exposure",
- "description": "The Accessible Attack Surface of the Affected System or Service",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
{
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
"key": "O",
"name": "Open",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
}
diff --git a/data/json/decision_points/ssvc/technical_impact_1_0_0.json b/data/json/decision_points/ssvc/technical_impact_1_0_0.json
index a23475e4..25d7cb68 100644
--- a/data/json/decision_points/ssvc/technical_impact_1_0_0.json
+++ b/data/json/decision_points/ssvc/technical_impact_1_0_0.json
@@ -3,18 +3,18 @@
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
- "description": "The technical impact of the vulnerability.",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
}
diff --git a/data/json/decision_points/ssvc/utility_1_0_0.json b/data/json/decision_points/ssvc/utility_1_0_0.json
index 463c772e..bbdcc41b 100644
--- a/data/json/decision_points/ssvc/utility_1_0_0.json
+++ b/data/json/decision_points/ssvc/utility_1_0_0.json
@@ -3,23 +3,23 @@
"key": "U",
"version": "1.0.0",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Virulence:Slow and Value Density:Diffuse"
+ "definition": "Virulence:Slow and Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Virulence:Rapid and Value Density:Concentrated"
+ "definition": "Virulence:Rapid and Value Density:Concentrated"
}
]
}
diff --git a/data/json/decision_points/ssvc/utility_1_0_1.json b/data/json/decision_points/ssvc/utility_1_0_1.json
index 4e2e50d4..33d3c787 100644
--- a/data/json/decision_points/ssvc/utility_1_0_1.json
+++ b/data/json/decision_points/ssvc/utility_1_0_1.json
@@ -3,23 +3,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
}
diff --git a/data/json/decision_points/ssvc/value_density_1_0_0.json b/data/json/decision_points/ssvc/value_density_1_0_0.json
index 263f4087..1d2e7eb3 100644
--- a/data/json/decision_points/ssvc/value_density_1_0_0.json
+++ b/data/json/decision_points/ssvc/value_density_1_0_0.json
@@ -3,18 +3,18 @@
"key": "VD",
"version": "1.0.0",
"name": "Value Density",
- "description": "The concentration of value in the target",
+ "definition": "The concentration of value in the target",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Diffuse",
- "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
- "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
}
]
}
diff --git a/data/json/decision_points/ssvc/virulence_1_0_0.json b/data/json/decision_points/ssvc/virulence_1_0_0.json
index 37571357..055ca76b 100644
--- a/data/json/decision_points/ssvc/virulence_1_0_0.json
+++ b/data/json/decision_points/ssvc/virulence_1_0_0.json
@@ -3,18 +3,18 @@
"key": "V",
"version": "1.0.0",
"name": "Virulence",
- "description": "The speed at which the vulnerability can be exploited.",
+ "definition": "The speed at which the vulnerability can be exploited.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Slow",
- "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
{
"key": "R",
"name": "Rapid",
- "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
+ "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
}
]
}
diff --git a/data/json/decision_points/x_com_yahooinc/theparanoids_1_0_0.json b/data/json/decision_points/x_com_yahooinc/theparanoids_1_0_0.json
deleted file mode 100644
index 4bb333e5..00000000
--- a/data/json/decision_points/x_com_yahooinc/theparanoids_1_0_0.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "namespace": "x_com.yahooinc",
- "key": "PARANOIDS",
- "version": "1.0.0",
- "name": "theParanoids",
- "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "5",
- "name": "Track 5",
- "description": "Track"
- },
- {
- "key": "4",
- "name": "Track Closely 4",
- "description": "Track Closely"
- },
- {
- "key": "3",
- "name": "Attend 3",
- "description": "Attend"
- },
- {
- "key": "2",
- "name": "Attend 2",
- "description": "Attend"
- },
- {
- "key": "1",
- "name": "Act 1",
- "description": "Act"
- },
- {
- "key": "0",
- "name": "Act ASAP 0",
- "description": "Act ASAP"
- }
- ]
-}
diff --git a/data/json/decision_points/x_com_yahooinc_prioritized_risk_remediation/theparanoids_1_0_0.json b/data/json/decision_points/x_com_yahooinc_prioritized_risk_remediation/theparanoids_1_0_0.json
index 40735809..d5cad0b8 100644
--- a/data/json/decision_points/x_com_yahooinc_prioritized_risk_remediation/theparanoids_1_0_0.json
+++ b/data/json/decision_points/x_com_yahooinc_prioritized_risk_remediation/theparanoids_1_0_0.json
@@ -3,38 +3,38 @@
"key": "PARANOIDS",
"version": "1.0.0",
"name": "theParanoids",
- "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.",
+ "definition": "PrioritizedRiskRemediation outcome group based on TheParanoids.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "5",
"name": "Track 5",
- "description": "Track"
+ "definition": "Track"
},
{
"key": "4",
"name": "Track Closely 4",
- "description": "Track Closely"
+ "definition": "Track Closely"
},
{
"key": "3",
"name": "Attend 3",
- "description": "Attend"
+ "definition": "Attend"
},
{
"key": "2",
"name": "Attend 2",
- "description": "Attend"
+ "definition": "Attend"
},
{
"key": "1",
"name": "Act 1",
- "description": "Act"
+ "definition": "Act"
},
{
"key": "0",
"name": "Act ASAP 0",
- "description": "Act ASAP"
+ "definition": "Act ASAP"
}
]
}
diff --git a/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json b/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json
index 92c7fac7..2a076a2c 100644
--- a/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json
+++ b/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json
@@ -3,7 +3,7 @@
"key": "DT_CO",
"version": "2.0.3",
"name": "CISA Coordinator",
- "description": "CISA Coordinator decision table for SSVC",
+ "definition": "CISA Coordinator decision table for SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:E:1.1.0": {
@@ -11,23 +11,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -36,18 +36,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -56,18 +56,18 @@
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
- "description": "The technical impact of the vulnerability.",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
},
@@ -76,23 +76,23 @@
"key": "MWI",
"version": "1.0.0",
"name": "Mission and Well-Being Impact",
- "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
{
"key": "M",
"name": "Medium",
- "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
"key": "H",
"name": "High",
- "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
},
@@ -101,28 +101,28 @@
"key": "CISA",
"version": "1.1.0",
"name": "CISA Levels",
- "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+ "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "T",
"name": "Track",
- "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
{
"key": "T*",
"name": "Track*",
- "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
{
"key": "AT",
"name": "Attend",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
{
"key": "AC",
"name": "Act",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_0_qualitative_severity_ratings_4_0_0.json b/data/json/decision_tables/cvss/cvss_v4_0_qualitative_severity_ratings_4_0_0.json
index 370ce1ce..fd5a7f1b 100644
--- a/data/json/decision_tables/cvss/cvss_v4_0_qualitative_severity_ratings_4_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_0_qualitative_severity_ratings_4_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS_QSR",
"version": "4.0.0",
"name": "CVSS v4.0 Qualitative Severity Ratings",
- "description": "CVSS v4.0 using MacroVectors and Interpolation. See https://www.first.org/cvss/specification-document#New-Scoring-System-Development for details",
+ "definition": "CVSS v4.0 using MacroVectors and Interpolation. See https://www.first.org/cvss/specification-document#New-Scoring-System-Development for details",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:EQ1:1.0.0": {
@@ -11,23 +11,23 @@
"key": "EQ1",
"version": "1.0.0",
"name": "Equivalence Set 1",
- "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
},
@@ -36,18 +36,18 @@
"key": "EQ2",
"version": "1.0.0",
"name": "Equivalence Set 2",
- "description": "AC/AT with 2 levels specified in Table 25",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
]
},
@@ -56,23 +56,23 @@
"key": "EQ3",
"version": "1.0.0",
"name": "Equivalence Set 3",
- "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
]
},
@@ -81,23 +81,23 @@
"key": "EQ4",
"version": "1.0.0",
"name": "Equivalence Set 4",
- "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
]
},
@@ -106,23 +106,23 @@
"key": "EQ5",
"version": "1.0.0",
"name": "Equivalence Set 5",
- "description": "E with 3 levels specified in Table 28",
+ "definition": "E with 3 levels specified in Table 28",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
{
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
]
},
@@ -131,18 +131,18 @@
"key": "EQ6",
"version": "1.0.0",
"name": "Equivalence Set 6",
- "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
},
@@ -151,33 +151,33 @@
"key": "CVSS",
"version": "1.0.0",
"name": "CVSS Qualitative Severity Rating Scale",
- "description": "The CVSS Qualitative Severity Rating Scale group.",
+ "definition": "The CVSS Qualitative Severity Rating Scale group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "None (0.0)"
+ "definition": "None (0.0)"
},
{
"key": "L",
"name": "Low",
- "description": "Low (0.1-3.9)"
+ "definition": "Low (0.1-3.9)"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0-6.9)"
},
{
"key": "H",
"name": "High",
- "description": "High (7.0-8.9)"
+ "definition": "High (7.0-8.9)"
},
{
"key": "C",
"name": "Critical",
- "description": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0-10.0)"
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_1_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_1_1_0_0.json
index 6f3ade36..97711ae8 100644
--- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_1_1_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_1_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS4_EQ1",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 1",
- "description": "This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).",
+ "definition": "This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:AV:3.0.1": {
@@ -11,28 +11,28 @@
"key": "AV",
"version": "3.0.1",
"name": "Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
]
},
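Review bot: The Physical value's text on the new side still carries what looks like a stray footnote marker copied from the CVSS v4 specification, `evil maid attack1`, so the rename preserves a typo in user-facing definition text. Because these files appear to be regenerated from source definitions, the correction belongs in the definition the generator reads rather than in this JSON by hand, e.g. `(e.g., evil maid attack) or persistent.` Not introduced by this commit, but worth fixing while the field is being touched.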
@@ -41,23 +41,23 @@
"key": "PR",
"version": "1.0.1",
"name": "Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
},
@@ -66,23 +66,23 @@
"key": "UI",
"version": "2.0.0",
"name": "User Interaction",
- "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
]
},
@@ -91,23 +91,23 @@
"key": "EQ1",
"version": "1.0.0",
"name": "Equivalence Set 1",
- "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_2_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_2_1_0_0.json
index f60778e9..1bee90bf 100644
--- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_2_1_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_2_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS4_EQ2",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 2",
- "description": "This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).",
+ "definition": "This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:AC:3.0.1": {
@@ -11,18 +11,18 @@
"key": "AC",
"version": "3.0.1",
"name": "Attack Complexity",
- "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
]
},
@@ -31,18 +31,18 @@
"key": "AT",
"version": "1.0.0",
"name": "Attack Requirements",
- "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
]
},
@@ -51,18 +51,18 @@
"key": "EQ2",
"version": "1.0.0",
"name": "Equivalence Set 2",
- "description": "AC/AT with 2 levels specified in Table 25",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_3_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_3_1_0_0.json
index b27b5d8b..dd5c4502 100644
--- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_3_1_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_3_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS4_EQ3",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 3",
- "description": "This decision table models equivalence set 3 from CVSS v4.",
+ "definition": "This decision table models equivalence set 3 from CVSS v4.",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:VC:3.0.0": {
@@ -11,23 +11,23 @@
"key": "VC",
"version": "3.0.0",
"name": "Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -36,23 +36,23 @@
"key": "VI",
"version": "3.0.0",
"name": "Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
@@ -61,23 +61,23 @@
"key": "VA",
"version": "3.0.0",
"name": "Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -86,23 +86,23 @@
"key": "EQ3",
"version": "1.0.0",
"name": "Equivalence Set 3",
- "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_4_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_4_1_0_0.json
index 440b97cf..6e587adf 100644
--- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_4_1_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_4_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS4_EQ4",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 4",
- "description": "This decision table models equivalence set 4 from CVSS v4.",
+ "definition": "This decision table models equivalence set 4 from CVSS v4.",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:SC:1.0.0": {
@@ -11,23 +11,23 @@
"key": "SC",
"version": "1.0.0",
"name": "Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
]
},
@@ -36,28 +36,28 @@
"key": "MSI_NoX",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -66,28 +66,28 @@
"key": "MSA_NoX",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -96,23 +96,23 @@
"key": "EQ4",
"version": "1.0.0",
"name": "Equivalence Set 4",
- "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json
index dc517df1..12c737db 100644
--- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS_EQ5",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 5",
- "description": "CVSS Equivalence Set 5 Decision Table",
+ "definition": "CVSS Equivalence Set 5 Decision Table",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:E_NoX:2.0.0": {
@@ -11,23 +11,23 @@
"key": "E_NoX",
"version": "2.0.0",
"name": "Exploit Maturity (without Not Defined)",
- "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
]
},
@@ -36,23 +36,23 @@
"key": "EQ5",
"version": "1.0.0",
"name": "Equivalence Set 5",
- "description": "E with 3 levels specified in Table 28",
+ "definition": "E with 3 levels specified in Table 28",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
{
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
]
}
diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_6_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_6_1_0_0.json
index b51bf831..887ff00a 100644
--- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_6_1_0_0.json
+++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_6_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_CVSS4_EQ6",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 6",
- "description": "This decision table models equivalence set 6 from CVSS v4.",
+ "definition": "This decision table models equivalence set 6 from CVSS v4.",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:CR_NoX:1.1.1": {
@@ -11,23 +11,23 @@
"key": "CR_NoX",
"version": "1.1.1",
"name": "Confidentiality Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -36,23 +36,23 @@
"key": "VC",
"version": "3.0.0",
"name": "Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -61,23 +61,23 @@
"key": "IR_NoX",
"version": "1.1.1",
"name": "Integrity Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
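Review bot: The new-side definition for IR_NoX at the top of this hunk still says the metric is "measured in terms of Confidentiality", which is the CR_NoX wording from the previous hunk carried over by copy-paste; for the Integrity Requirement it should read `"definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Integrity. This version does not include the Not Defined (X) option."`. The commit only renames the key, so the wrong text is preserved on the new side. Since data/json appears to be regenerated by the Makefile's regenerate_json target, the fix presumably belongs in the decision-point source that doctools.py reads rather than in this JSON file directly.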
@@ -86,23 +86,23 @@
"key": "VI",
"version": "3.0.0",
"name": "Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
@@ -111,23 +111,23 @@
"key": "AR_NoX",
"version": "1.1.1",
"name": "Availability Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -136,23 +136,23 @@
"key": "VA",
"version": "3.0.0",
"name": "Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -161,18 +161,18 @@
"key": "EQ6",
"version": "1.0.0",
"name": "Equivalence Set 6",
- "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
}
diff --git a/data/json/decision_tables/ssvc/coordinator_publish_decision_table_1_0_0.json b/data/json/decision_tables/ssvc/coordinator_publish_decision_table_1_0_0.json
index 796e2ad5..6d478ced 100644
--- a/data/json/decision_tables/ssvc/coordinator_publish_decision_table_1_0_0.json
+++ b/data/json/decision_tables/ssvc/coordinator_publish_decision_table_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_COORD_PUBLISH",
"version": "1.0.0",
"name": "Coordinator Publish Decision Table",
- "description": "This decision table is used to determine the priority of a coordinator publish.",
+ "definition": "This decision table is used to determine the priority of a coordinator publish.",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:SINV:1.0.0": {
@@ -11,23 +11,23 @@
"key": "SINV",
"version": "1.0.0",
"name": "Supplier Involvement",
- "description": "What is the state of the supplier’s work on addressing the vulnerability?",
+ "definition": "What is the state of the supplier’s work on addressing the vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "FR",
"name": "Fix Ready",
- "description": "The supplier has provided a patch or fix."
+ "definition": "The supplier has provided a patch or fix."
},
{
"key": "C",
"name": "Cooperative",
- "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
},
{
"key": "UU",
"name": "Uncooperative/Unresponsive",
- "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
]
},
@@ -36,23 +36,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -61,23 +61,23 @@
"key": "PVA",
"version": "1.0.0",
"name": "Public Value Added",
- "description": "How much value would a publication from the coordinator benefit the broader community?",
+ "definition": "How much value would a publication from the coordinator benefit the broader community?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Limited",
- "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
{
"key": "A",
"name": "Ampliative",
- "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
},
{
"key": "P",
"name": "Precedence",
- "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
]
},
@@ -86,18 +86,18 @@
"key": "PUBLISH",
"version": "1.0.0",
"name": "Publish, Do Not Publish",
- "description": "The publish outcome group.",
+ "definition": "The publish outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Do Not Publish",
- "description": "Do Not Publish"
+ "definition": "Do Not Publish"
},
{
"key": "P",
"name": "Publish",
- "description": "Publish"
+ "definition": "Publish"
}
]
}
diff --git a/data/json/decision_tables/ssvc/coordinator_triage_1_0_0.json b/data/json/decision_tables/ssvc/coordinator_triage_1_0_0.json
index 016b1d37..ca54f544 100644
--- a/data/json/decision_tables/ssvc/coordinator_triage_1_0_0.json
+++ b/data/json/decision_tables/ssvc/coordinator_triage_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_COORD_TRIAGE",
"version": "1.0.0",
"name": "Coordinator Triage",
- "description": "Decision table for coordinator triage",
+ "definition": "Decision table for coordinator triage",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:RP:1.0.0": {
@@ -11,18 +11,18 @@
"key": "RP",
"version": "1.0.0",
"name": "Report Public",
- "description": "Is a viable report of the details of the vulnerability already publicly available?",
+ "definition": "Is a viable report of the details of the vulnerability already publicly available?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "Y",
"name": "Yes",
- "description": "A public report of the vulnerability exists."
+ "definition": "A public report of the vulnerability exists."
},
{
"key": "N",
"name": "No",
- "description": "No public report of the vulnerability exists."
+ "definition": "No public report of the vulnerability exists."
}
]
},
@@ -31,18 +31,18 @@
"key": "SCON",
"version": "1.0.0",
"name": "Supplier Contacted",
- "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "The supplier has not been contacted."
+ "definition": "The supplier has not been contacted."
},
{
"key": "Y",
"name": "Yes",
- "description": "The supplier has been contacted."
+ "definition": "The supplier has been contacted."
}
]
},
@@ -51,18 +51,18 @@
"key": "RC",
"version": "1.0.0",
"name": "Report Credibility",
- "description": "Is the report credible?",
+ "definition": "Is the report credible?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "NC",
"name": "Not Credible",
- "description": "The report is not credible."
+ "definition": "The report is not credible."
},
{
"key": "C",
"name": "Credible",
- "description": "The report is credible."
+ "definition": "The report is credible."
}
]
},
@@ -71,18 +71,18 @@
"key": "SC",
"version": "1.0.0",
"name": "Supplier Cardinality",
- "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "O",
"name": "One",
- "description": "There is only one supplier of the vulnerable component."
+ "definition": "There is only one supplier of the vulnerable component."
},
{
"key": "M",
"name": "Multiple",
- "description": "There are multiple suppliers of the vulnerable component."
+ "definition": "There are multiple suppliers of the vulnerable component."
}
]
},
@@ -91,18 +91,18 @@
"key": "SE",
"version": "1.0.0",
"name": "Supplier Engagement",
- "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
+ "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
{
"key": "U",
"name": "Unresponsive",
- "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
]
},
@@ -111,23 +111,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
},
@@ -136,18 +136,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
},
@@ -156,23 +156,23 @@
"key": "COORDINATE",
"version": "1.0.1",
"name": "Decline, Track, Coordinate",
- "description": "The coordinate outcome group.",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
- "description": "Do not act on the report."
+ "definition": "Do not act on the report."
},
{
"key": "T",
"name": "Track",
- "description": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
{
"key": "C",
"name": "Coordinate",
- "description": "Take action on the report."
+ "definition": "Take action on the report."
}
]
}
diff --git a/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json b/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json
index 19cb05ab..db82509f 100644
--- a/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json
+++ b/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_DP",
"version": "1.0.0",
"name": "Deployer Patch Application Priority",
- "description": "Decision table for evaluating deployer's patch application priority in SSVC",
+ "definition": "Decision table for evaluating deployer's patch application priority in SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:E:1.1.0": {
@@ -11,23 +11,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -36,23 +36,23 @@
"key": "EXP",
"version": "1.0.1",
"name": "System Exposure",
- "description": "The Accessible Attack Surface of the Affected System or Service",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
{
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
"key": "O",
"name": "Open",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
},
@@ -61,18 +61,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -81,28 +81,28 @@
"key": "HI",
"version": "2.0.2",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
@@ -111,28 +111,28 @@
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "description": "The original SSVC outcome group.",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
]
}
diff --git a/data/json/decision_tables/ssvc/human_impact_1_0_0.json b/data/json/decision_tables/ssvc/human_impact_1_0_0.json
index e7f20d6b..fed1197f 100644
--- a/data/json/decision_tables/ssvc/human_impact_1_0_0.json
+++ b/data/json/decision_tables/ssvc/human_impact_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_HI",
"version": "1.0.0",
"name": "Human Impact",
- "description": "Human Impact decision table for SSVC",
+ "definition": "Human Impact decision table for SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:SI:2.0.0": {
@@ -11,28 +11,28 @@
"key": "SI",
"version": "2.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
},
@@ -41,28 +41,28 @@
"key": "MI",
"version": "2.0.0",
"name": "Mission Impact",
- "description": "Impact on Mission Essential Functions of the Organization",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Degraded",
- "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
},
@@ -71,28 +71,28 @@
"key": "HI",
"version": "2.0.2",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
diff --git a/data/json/decision_tables/ssvc/public_safety_impact_1_0_0.json b/data/json/decision_tables/ssvc/public_safety_impact_1_0_0.json
index 5f55ff27..ab7f2ab1 100644
--- a/data/json/decision_tables/ssvc/public_safety_impact_1_0_0.json
+++ b/data/json/decision_tables/ssvc/public_safety_impact_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_PSI",
"version": "1.0.0",
"name": "Public Safety Impact",
- "description": "Public Safety Impact Decision Table",
+ "definition": "Public Safety Impact Decision Table",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:SI:2.0.0": {
@@ -11,28 +11,28 @@
"key": "SI",
"version": "2.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
},
@@ -41,18 +41,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
}
diff --git a/data/json/decision_tables/ssvc/supplier_patch_development_priority_1_0_0.json b/data/json/decision_tables/ssvc/supplier_patch_development_priority_1_0_0.json
index 97355890..0adff324 100644
--- a/data/json/decision_tables/ssvc/supplier_patch_development_priority_1_0_0.json
+++ b/data/json/decision_tables/ssvc/supplier_patch_development_priority_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_SP",
"version": "1.0.0",
"name": "Supplier Patch Development Priority",
- "description": "Decision table for evaluating supplier patch development priority in SSVC",
+ "definition": "Decision table for evaluating supplier patch development priority in SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:E:1.1.0": {
@@ -11,23 +11,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -36,23 +36,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
},
@@ -61,18 +61,18 @@
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
- "description": "The technical impact of the vulnerability.",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
},
@@ -81,18 +81,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
},
@@ -101,28 +101,28 @@
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "description": "The original SSVC outcome group.",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
]
}
diff --git a/data/json/decision_tables/ssvc/utility_1_0_0.json b/data/json/decision_tables/ssvc/utility_1_0_0.json
index 30602fa0..af8e8cba 100644
--- a/data/json/decision_tables/ssvc/utility_1_0_0.json
+++ b/data/json/decision_tables/ssvc/utility_1_0_0.json
@@ -3,7 +3,7 @@
"key": "DT_U",
"version": "1.0.0",
"name": "Utility",
- "description": "Utility decision table for SSVC",
+ "definition": "Utility decision table for SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:A:2.0.0": {
@@ -11,18 +11,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -31,18 +31,18 @@
"key": "VD",
"version": "1.0.0",
"name": "Value Density",
- "description": "The concentration of value in the target",
+ "definition": "The concentration of value in the target",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Diffuse",
- "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
- "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
}
]
},
@@ -51,23 +51,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
}
diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json
index ce84bb7d..70558bb9 100644
--- a/data/json/ssvc_object_registry.json
+++ b/data/json/ssvc_object_registry.json
@@ -1,6 +1,6 @@
{
"name": "SSVC Object Registry",
- "description": "A registry for SSVC objects organized by type, namespace, key, and version.",
+ "definition": "A registry for SSVC objects organized by type, namespace, key, and version.",
"schemaVersion": "2.0.0",
"types": {
"DecisionPoint": {
@@ -19,18 +19,18 @@
"key": "KEV",
"version": "1.0.0",
"name": "In KEV",
- "description": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
+ "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Vulnerability is not listed in KEV."
+ "definition": "Vulnerability is not listed in KEV."
},
{
"key": "Y",
"name": "Yes",
- "description": "Vulnerability is listed in KEV."
+ "definition": "Vulnerability is listed in KEV."
}
]
},
@@ -38,12 +38,12 @@
"N": {
"key": "N",
"name": "No",
- "description": "Vulnerability is not listed in KEV."
+ "definition": "Vulnerability is not listed in KEV."
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "Vulnerability is listed in KEV."
+ "definition": "Vulnerability is listed in KEV."
}
}
}
@@ -59,23 +59,23 @@
"key": "MP",
"version": "1.0.0",
"name": "Mission Prevalence",
- "description": "Prevalence of the mission essential functions",
+ "definition": "Prevalence of the mission essential functions",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
+ "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
},
{
"key": "S",
"name": "Support",
- "description": "The vulnerable component only supports MEFs for two or more entities."
+ "definition": "The vulnerable component only supports MEFs for two or more entities."
},
{
"key": "E",
"name": "Essential",
- "description": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
+ "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
}
]
},
@@ -83,17 +83,17 @@
"M": {
"key": "M",
"name": "Minimal",
- "description": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
+ "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
},
"S": {
"key": "S",
"name": "Support",
- "description": "The vulnerable component only supports MEFs for two or more entities."
+ "definition": "The vulnerable component only supports MEFs for two or more entities."
},
"E": {
"key": "E",
"name": "Essential",
- "description": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
+ "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
}
}
}
@@ -109,28 +109,28 @@
"key": "CISA",
"version": "1.1.0",
"name": "CISA Levels",
- "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+ "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "T",
"name": "Track",
- "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
{
"key": "T*",
"name": "Track*",
- "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
{
"key": "AT",
"name": "Attend",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
{
"key": "AC",
"name": "Act",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
]
},
@@ -138,22 +138,22 @@
"T": {
"key": "T",
"name": "Track",
- "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
"T*": {
"key": "T*",
"name": "Track*",
- "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
"AT": {
"key": "AT",
"name": "Attend",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
"AC": {
"key": "AC",
"name": "Act",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
}
}
@@ -174,18 +174,18 @@
"key": "AC",
"version": "1.0.0",
"name": "Access Complexity",
- "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+ "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
}
]
},
@@ -193,12 +193,12 @@
"H": {
"key": "H",
"name": "High",
- "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+ "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
},
"L": {
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
}
}
},
@@ -209,23 +209,23 @@
"key": "AC",
"version": "2.0.0",
"name": "Access Complexity",
- "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "Specialized access conditions exist."
+ "definition": "Specialized access conditions exist."
},
{
"key": "M",
"name": "Medium",
- "description": "The access conditions are somewhat specialized."
+ "definition": "The access conditions are somewhat specialized."
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist."
}
]
},
@@ -233,17 +233,17 @@
"H": {
"key": "H",
"name": "High",
- "description": "Specialized access conditions exist."
+ "definition": "Specialized access conditions exist."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "The access conditions are somewhat specialized."
+ "definition": "The access conditions are somewhat specialized."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist."
}
}
},
@@ -254,18 +254,18 @@
"key": "AC",
"version": "3.0.0",
"name": "Attack Complexity",
- "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "A successful attack depends on conditions beyond the attacker's control."
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
}
]
},
@@ -273,12 +273,12 @@
"H": {
"key": "H",
"name": "High",
- "description": "A successful attack depends on conditions beyond the attacker's control."
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
}
}
},
@@ -289,18 +289,18 @@
"key": "AC",
"version": "3.0.1",
"name": "Attack Complexity",
- "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
]
},
@@ -308,12 +308,12 @@
"H": {
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
}
}
@@ -329,18 +329,18 @@
"key": "AT",
"version": "1.0.0",
"name": "Attack Requirements",
- "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
]
},
@@ -348,12 +348,12 @@
"P": {
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
"N": {
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
}
}
@@ -369,18 +369,18 @@
"key": "AV",
"version": "1.0.0",
"name": "Access Vector",
- "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ "definition": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Local",
- "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
},
{
"key": "R",
"name": "Remote",
- "description": "The vulnerability is exploitable remotely."
+ "definition": "The vulnerability is exploitable remotely."
}
]
},
@@ -388,12 +388,12 @@
"L": {
"key": "L",
"name": "Local",
- "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
},
"R": {
"key": "R",
"name": "Remote",
- "description": "The vulnerability is exploitable remotely."
+ "definition": "The vulnerability is exploitable remotely."
}
}
},
@@ -404,23 +404,23 @@
"key": "AV",
"version": "2.0.0",
"name": "Access Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+ "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
},
{
"key": "A",
"name": "Adjacent Network",
- "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
},
{
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
}
]
},
@@ -428,17 +428,17 @@
"L": {
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+ "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
},
"A": {
"key": "A",
"name": "Adjacent Network",
- "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
},
"N": {
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
}
}
},
@@ -449,28 +449,28 @@
"key": "AV",
"version": "3.0.0",
"name": "Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
{
"key": "A",
"name": "Adjacent",
- "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
},
{
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
}
]
},
@@ -478,22 +478,22 @@
"P": {
"key": "P",
"name": "Physical",
- "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
"L": {
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
"A": {
"key": "A",
"name": "Adjacent",
- "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
},
"N": {
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
}
}
},
@@ -504,28 +504,28 @@
"key": "AV",
"version": "3.0.1",
"name": "Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
]
},
@@ -533,22 +533,22 @@
"P": {
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
"L": {
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
"A": {
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
"N": {
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
}
}
@@ -564,18 +564,18 @@
"key": "Au",
"version": "1.0.0",
"name": "Authentication",
- "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
+ "definition": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Not Required",
- "description": "Authentication is not required to access or exploit the vulnerability."
+ "definition": "Authentication is not required to access or exploit the vulnerability."
},
{
"key": "R",
"name": "Required",
- "description": "Authentication is required to access and exploit the vulnerability."
+ "definition": "Authentication is required to access and exploit the vulnerability."
}
]
},
@@ -583,12 +583,12 @@
"N": {
"key": "N",
"name": "Not Required",
- "description": "Authentication is not required to access or exploit the vulnerability."
+ "definition": "Authentication is not required to access or exploit the vulnerability."
},
"R": {
"key": "R",
"name": "Required",
- "description": "Authentication is required to access and exploit the vulnerability."
+ "definition": "Authentication is required to access and exploit the vulnerability."
}
}
},
@@ -599,23 +599,23 @@
"key": "Au",
"version": "2.0.0",
"name": "Authentication",
- "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
+ "definition": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Multiple",
- "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
+ "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
},
{
"key": "S",
"name": "Single",
- "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
+ "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
},
{
"key": "N",
"name": "None",
- "description": "Authentication is not required to exploit the vulnerability."
+ "definition": "Authentication is not required to exploit the vulnerability."
}
]
},
@@ -623,17 +623,17 @@
"M": {
"key": "M",
"name": "Multiple",
- "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
+ "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
},
"S": {
"key": "S",
"name": "Single",
- "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
+ "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
},
"N": {
"key": "N",
"name": "None",
- "description": "Authentication is not required to exploit the vulnerability."
+ "definition": "Authentication is not required to exploit the vulnerability."
}
}
}
@@ -649,23 +649,23 @@
"key": "A",
"version": "1.0.0",
"name": "Availability Impact",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No impact on availability."
+ "definition": "No impact on availability."
},
{
"key": "P",
"name": "Partial",
- "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
+ "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
},
{
"key": "C",
"name": "Complete",
- "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
+ "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
}
]
},
@@ -673,17 +673,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "No impact on availability."
+ "definition": "No impact on availability."
},
"P": {
"key": "P",
"name": "Partial",
- "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
+ "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
},
"C": {
"key": "C",
"name": "Complete",
- "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
+ "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
}
}
},
@@ -694,23 +694,23 @@
"key": "A",
"version": "2.0.0",
"name": "Availability Impact",
- "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the availability of the system."
+ "definition": "There is no impact to the availability of the system."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability."
+ "definition": "There is reduced performance or interruptions in resource availability."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -718,17 +718,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to the availability of the system."
+ "definition": "There is no impact to the availability of the system."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability."
+ "definition": "There is reduced performance or interruptions in resource availability."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
}
}
@@ -744,23 +744,23 @@
"key": "VA",
"version": "3.0.0",
"name": "Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -768,17 +768,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
}
}
@@ -794,28 +794,28 @@
"key": "AR",
"version": "1.0.0",
"name": "Availability Requirement",
- "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
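Review bot: The definition for Availability Requirement (key `AR`, version 1.0.0) reads `"This metric measures the impact to the availability of a successfully exploited vulnerability."`, which is the Availability Impact wording rather than a description of the requirement metric; its own value texts make clear that AR expresses how much a loss of availability would affect the organization, not the impact of the exploit itself. The same copied sentence appears in the AR 1.1.0 object later in this file. Since the key rename is mechanical and these files look generated, the wording should be corrected in the source the generator reads from rather than patched in the JSON.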
@@ -823,22 +823,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"ND": {
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -849,28 +849,28 @@
"key": "AR",
"version": "1.1.0",
"name": "Availability Requirement",
- "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
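Review bot: The key rename from "description" to "definition" changes the document schema, yet "schemaVersion": "2.0.0" on the line after the renamed top-level field is left unchanged, so a consumer that validates or dispatches on schemaVersion cannot tell a pre-rename file from a post-rename one and will silently read a missing key. The same applies to every other hunk in this file, including the ones at @@ -904, @@ -964, @@ -1014, @@ -1069, @@ -1139, @@ -1184, @@ -1234, @@ -1284, @@ -1339 and @@ -1394. Since the Makefile hunk at the top of this commit regenerates data/json with doctools.py, these files look generated, so the fix belongs in the generator or schema rather than here: bump the emitted schemaVersion (or document that 2.0.0 now means "definition") and have the JSON schema reject the old key, so the mismatch is caught at validation time instead of at first use.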
@@ -878,22 +878,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -904,28 +904,28 @@
"key": "AR",
"version": "1.1.1",
"name": "Availability Requirement",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -933,22 +933,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -964,23 +964,23 @@
"key": "AR_NoX",
"version": "1.1.1",
"name": "Availability Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -988,17 +988,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
}
}
@@ -1014,28 +1014,28 @@
"key": "CDP",
"version": "1.0.0",
"name": "Collateral Damage Potential",
- "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
+ "definition": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no potential for physical or property damage."
+ "definition": "There is no potential for physical or property damage."
},
{
"key": "L",
"name": "Low",
- "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
+ "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
},
{
"key": "M",
"name": "Medium",
- "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
{
"key": "H",
"name": "High",
- "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
}
]
},
@@ -1043,22 +1043,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no potential for physical or property damage."
+ "definition": "There is no potential for physical or property damage."
},
"L": {
"key": "L",
"name": "Low",
- "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
+ "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
"H": {
"key": "H",
"name": "High",
- "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
}
}
},
@@ -1069,33 +1069,33 @@
"key": "CDP",
"version": "2.0.0",
"name": "Collateral Damage Potential",
- "description": "This metric measures the potential for loss of life or physical assets.",
+ "definition": "This metric measures the potential for loss of life or physical assets.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no potential for loss of life, physical assets, productivity or revenue."
+ "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
},
{
"key": "LM",
"name": "Low-Medium",
- "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
},
{
"key": "MH",
"name": "Medium-High",
- "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
{
"key": "H",
"name": "High",
- "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1103,27 +1103,27 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no potential for loss of life, physical assets, productivity or revenue."
+ "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
},
"LM": {
"key": "LM",
"name": "Low-Medium",
- "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
},
"MH": {
"key": "MH",
"name": "Medium-High",
- "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
"H": {
"key": "H",
"name": "High",
- "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
},
"ND": {
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -1139,23 +1139,23 @@
"key": "C",
"version": "1.0.0",
"name": "Confidentiality Impact",
- "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
+ "definition": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No impact on confidentiality."
+ "definition": "No impact on confidentiality."
},
{
"key": "P",
"name": "Partial",
- "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
+ "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
},
{
"key": "C",
"name": "Complete",
- "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
+ "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
}
]
},
@@ -1163,17 +1163,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "No impact on confidentiality."
+ "definition": "No impact on confidentiality."
},
"P": {
"key": "P",
"name": "Partial",
- "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
+ "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
},
"C": {
"key": "C",
"name": "Complete",
- "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
+ "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
}
}
},
@@ -1184,23 +1184,23 @@
"key": "C",
"version": "2.0.0",
"name": "Confidentiality Impact",
- "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -1208,17 +1208,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
}
}
@@ -1234,23 +1234,23 @@
"key": "VC",
"version": "3.0.0",
"name": "Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -1258,17 +1258,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
}
}
@@ -1284,28 +1284,28 @@
"key": "CR",
"version": "1.0.0",
"name": "Confidentiality Requirement",
- "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1313,22 +1313,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"ND": {
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -1339,28 +1339,28 @@
"key": "CR",
"version": "1.1.0",
"name": "Confidentiality Requirement",
- "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1368,22 +1368,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -1394,28 +1394,28 @@
"key": "CR",
"version": "1.1.1",
"name": "Confidentiality Requirement",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1423,22 +1423,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -1454,23 +1454,23 @@
"key": "CR_NoX",
"version": "1.1.1",
"name": "Confidentiality Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -1478,17 +1478,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
}
}
@@ -1504,23 +1504,23 @@
"key": "EQ1",
"version": "1.0.0",
"name": "Equivalence Set 1",
- "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
},
@@ -1528,17 +1528,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
"H": {
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
}
}
@@ -1554,18 +1554,18 @@
"key": "EQ2",
"version": "1.0.0",
"name": "Equivalence Set 2",
- "description": "AC/AT with 2 levels specified in Table 25",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
]
},
@@ -1573,12 +1573,12 @@
"L": {
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
"H": {
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
}
}
@@ -1594,23 +1594,23 @@
"key": "EQ3",
"version": "1.0.0",
"name": "Equivalence Set 3",
- "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
]
},
@@ -1618,17 +1618,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
"H": {
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
}
}
@@ -1644,23 +1644,23 @@
"key": "EQ4",
"version": "1.0.0",
"name": "Equivalence Set 4",
- "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
]
},
@@ -1668,17 +1668,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
"H": {
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
}
}
@@ -1694,23 +1694,23 @@
"key": "EQ5",
"version": "1.0.0",
"name": "Equivalence Set 5",
- "description": "E with 3 levels specified in Table 28",
+ "definition": "E with 3 levels specified in Table 28",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
{
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
]
},
@@ -1718,17 +1718,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
"H": {
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
}
}
@@ -1744,18 +1744,18 @@
"key": "EQ6",
"version": "1.0.0",
"name": "Equivalence Set 6",
- "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
},
@@ -1763,12 +1763,12 @@
"L": {
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
"H": {
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
}
}
@@ -1784,28 +1784,28 @@
"key": "E",
"version": "1.0.0",
"name": "Exploitability",
- "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unproven",
- "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
{
"key": "P",
"name": "Proof of Concept",
- "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
{
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
{
"key": "H",
"name": "High",
- "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
}
]
},
@@ -1813,22 +1813,22 @@
"U": {
"key": "U",
"name": "Unproven",
- "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
"P": {
"key": "P",
"name": "Proof of Concept",
- "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
"F": {
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
"H": {
"key": "H",
"name": "High",
- "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
}
}
},
@@ -1839,33 +1839,33 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitability",
- "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unproven",
- "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
{
"key": "P",
"name": "Proof of Concept",
- "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
{
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
{
"key": "H",
"name": "High",
- "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1873,27 +1873,27 @@
"U": {
"key": "U",
"name": "Unproven",
- "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
"P": {
"key": "P",
"name": "Proof of Concept",
- "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
"F": {
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
"H": {
"key": "H",
"name": "High",
- "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
},
"ND": {
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -1904,33 +1904,33 @@
"key": "E",
"version": "1.2.0",
"name": "Exploit Code Maturity",
- "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
+ "definition": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unproven",
- "description": "No exploit code is available, or an exploit is theoretical."
+ "definition": "No exploit code is available, or an exploit is theoretical."
},
{
"key": "POC",
"name": "Proof-of-Concept",
- "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
+ "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
},
{
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
},
{
"key": "H",
"name": "High",
- "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1938,27 +1938,27 @@
"U": {
"key": "U",
"name": "Unproven",
- "description": "No exploit code is available, or an exploit is theoretical."
+ "definition": "No exploit code is available, or an exploit is theoretical."
},
"POC": {
"key": "POC",
"name": "Proof-of-Concept",
- "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
+ "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
},
"F": {
"key": "F",
"name": "Functional",
- "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
},
"H": {
"key": "H",
"name": "High",
- "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -1969,28 +1969,28 @@
"key": "E",
"version": "2.0.0",
"name": "Exploit Maturity",
- "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1998,22 +1998,22 @@
"U": {
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
"P": {
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
"A": {
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -2029,23 +2029,23 @@
"key": "E_NoX",
"version": "2.0.0",
"name": "Exploit Maturity (without Not Defined)",
- "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
]
},
@@ -2053,17 +2053,17 @@
"U": {
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
"P": {
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
"A": {
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
}
}
@@ -2079,28 +2079,28 @@
"key": "IB",
"version": "1.0.0",
"name": "Impact Bias",
- "description": "This metric measures the impact bias of the vulnerability.",
+ "definition": "This metric measures the impact bias of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Normal",
- "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
+ "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
},
{
"key": "C",
"name": "Confidentiality",
- "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
+ "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
},
{
"key": "I",
"name": "Integrity",
- "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
+ "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
},
{
"key": "A",
"name": "Availability",
- "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
+ "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
}
]
},
@@ -2108,22 +2108,22 @@
"N": {
"key": "N",
"name": "Normal",
- "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
+ "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
},
"C": {
"key": "C",
"name": "Confidentiality",
- "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
+ "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
},
"I": {
"key": "I",
"name": "Integrity",
- "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
+ "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
},
"A": {
"key": "A",
"name": "Availability",
- "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
+ "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
}
}
}
@@ -2139,23 +2139,23 @@
"key": "I",
"version": "1.0.0",
"name": "Integrity Impact",
- "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
+ "definition": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No impact on integrity."
+ "definition": "No impact on integrity."
},
{
"key": "P",
"name": "Partial",
- "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
+ "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
},
{
"key": "C",
"name": "Complete",
- "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
+ "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
}
]
},
@@ -2163,17 +2163,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "No impact on integrity."
+ "definition": "No impact on integrity."
},
"P": {
"key": "P",
"name": "Partial",
- "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
+ "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
},
"C": {
"key": "C",
"name": "Complete",
- "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
+ "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
}
}
},
@@ -2184,23 +2184,23 @@
"key": "I",
"version": "2.0.0",
"name": "Integrity Impact",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the integrity of the system."
+ "definition": "There is no impact to the integrity of the system."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
@@ -2208,17 +2208,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to the integrity of the system."
+ "definition": "There is no impact to the integrity of the system."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
}
}
@@ -2234,23 +2234,23 @@
"key": "VI",
"version": "3.0.0",
"name": "Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
@@ -2258,17 +2258,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
}
}
@@ -2284,28 +2284,28 @@
"key": "IR",
"version": "1.0.0",
"name": "Integrity Requirement",
- "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -2313,22 +2313,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"ND": {
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -2339,28 +2339,28 @@
"key": "IR",
"version": "1.1.0",
"name": "Integrity Requirement",
- "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -2368,22 +2368,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -2394,28 +2394,28 @@
"key": "IR",
"version": "1.1.1",
"name": "Integrity Requirement",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
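Review bot: The top-level `definition` for the "Integrity Requirement" 1.1.1 decision point (key `IR`) ends with "measured in terms of Confidentiality", which contradicts the point's name and its three values, all of which describe "Loss of integrity"; this looks like a copy-paste from the Confidentiality Requirement text and carries over unchanged from the renamed `description` line. The same wording appears in the `IR_NoX` hunk that follows (the "Integrity Requirement (without Not Defined)" entry). Since these JSON files appear to be generated output, the wording should presumably be corrected in the Python source that emits them and the files regenerated, so that the line reads `"definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Integrity."`.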
@@ -2423,22 +2423,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -2454,23 +2454,23 @@
"key": "IR_NoX",
"version": "1.1.1",
"name": "Integrity Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -2478,17 +2478,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
}
}
@@ -2504,23 +2504,23 @@
"key": "SA",
"version": "1.0.0",
"name": "Availability Impact to the Subsequent System",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -2528,17 +2528,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
}
}
@@ -2554,28 +2554,28 @@
"key": "MSA",
"version": "1.0.0",
"name": "Modified Availability Impact to the Subsequent System",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -2583,22 +2583,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -2609,33 +2609,33 @@
"key": "MSA",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -2643,27 +2643,27 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"S": {
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
@@ -2679,28 +2679,28 @@
"key": "MSA_NoX",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -2708,22 +2708,22 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
"S": {
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
@@ -2739,23 +2739,23 @@
"key": "SI",
"version": "1.0.0",
"name": "Integrity Impact to the Subsequent System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
}
]
},
@@ -2763,17 +2763,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
}
}
}
@@ -2789,28 +2789,28 @@
"key": "MSI",
"version": "1.0.0",
"name": "Modified Integrity Impact to the Subsequent System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -2818,22 +2818,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -2844,33 +2844,33 @@
"key": "MSI",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -2878,27 +2878,27 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"S": {
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
@@ -2914,28 +2914,28 @@
"key": "MSI_NoX",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -2943,22 +2943,22 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
"S": {
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
@@ -2974,23 +2974,23 @@
"key": "PR",
"version": "1.0.0",
"name": "Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
},
@@ -2998,17 +2998,17 @@
"H": {
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
"N": {
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
}
},
@@ -3019,23 +3019,23 @@
"key": "PR",
"version": "1.0.1",
"name": "Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
},
@@ -3043,17 +3043,17 @@
"H": {
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
"N": {
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
}
}
@@ -3069,33 +3069,33 @@
"key": "QS",
"version": "1.0.0",
"name": "CVSS Qualitative Severity Rating Scale",
- "description": "The CVSS Qualitative Severity Rating Scale provides a categorical representation of a CVSS Score.",
+ "definition": "The CVSS Qualitative Severity Rating Scale provides a categorical representation of a CVSS Score.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No severity rating (0.0)"
+ "definition": "No severity rating (0.0)"
},
{
"key": "L",
"name": "Low",
- "description": "Low (0.1 - 3.9)"
+ "definition": "Low (0.1 - 3.9)"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium (4.0 - 6.9)"
+ "definition": "Medium (4.0 - 6.9)"
},
{
"key": "H",
"name": "High",
- "description": "High (7.0 - 8.9)"
+ "definition": "High (7.0 - 8.9)"
},
{
"key": "C",
"name": "Critical",
- "description": "Critical (9.0 - 10.0)"
+ "definition": "Critical (9.0 - 10.0)"
}
]
},
@@ -3103,27 +3103,27 @@
"N": {
"key": "N",
"name": "None",
- "description": "No severity rating (0.0)"
+ "definition": "No severity rating (0.0)"
},
"L": {
"key": "L",
"name": "Low",
- "description": "Low (0.1 - 3.9)"
+ "definition": "Low (0.1 - 3.9)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Medium (4.0 - 6.9)"
+ "definition": "Medium (4.0 - 6.9)"
},
"H": {
"key": "H",
"name": "High",
- "description": "High (7.0 - 8.9)"
+ "definition": "High (7.0 - 8.9)"
},
"C": {
"key": "C",
"name": "Critical",
- "description": "Critical (9.0 - 10.0)"
+ "definition": "Critical (9.0 - 10.0)"
}
}
}
@@ -3139,28 +3139,28 @@
"key": "RL",
"version": "1.0.0",
"name": "Remediation Level",
- "description": "This metric measures the remediation status of a vulnerability.",
+ "definition": "This metric measures the remediation status of a vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "OF",
"name": "Official Fix",
- "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
{
"key": "TF",
"name": "Temporary Fix",
- "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
{
"key": "W",
"name": "Workaround",
- "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
{
"key": "U",
"name": "Unavailable",
- "description": "There is either no solution available or it is impossible to apply."
+ "definition": "There is either no solution available or it is impossible to apply."
}
]
},
@@ -3168,22 +3168,22 @@
"OF": {
"key": "OF",
"name": "Official Fix",
- "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
"TF": {
"key": "TF",
"name": "Temporary Fix",
- "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
"W": {
"key": "W",
"name": "Workaround",
- "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
"U": {
"key": "U",
"name": "Unavailable",
- "description": "There is either no solution available or it is impossible to apply."
+ "definition": "There is either no solution available or it is impossible to apply."
}
}
},
@@ -3194,33 +3194,33 @@
"key": "RL",
"version": "1.1.0",
"name": "Remediation Level",
- "description": "This metric measures the remediation status of a vulnerability.",
+ "definition": "This metric measures the remediation status of a vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "OF",
"name": "Official Fix",
- "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
{
"key": "TF",
"name": "Temporary Fix",
- "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
{
"key": "W",
"name": "Workaround",
- "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
{
"key": "U",
"name": "Unavailable",
- "description": "There is either no solution available or it is impossible to apply."
+ "definition": "There is either no solution available or it is impossible to apply."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -3228,27 +3228,27 @@
"OF": {
"key": "OF",
"name": "Official Fix",
- "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
"TF": {
"key": "TF",
"name": "Temporary Fix",
- "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
"W": {
"key": "W",
"name": "Workaround",
- "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
"U": {
"key": "U",
"name": "Unavailable",
- "description": "There is either no solution available or it is impossible to apply."
+ "definition": "There is either no solution available or it is impossible to apply."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -3264,23 +3264,23 @@
"key": "RC",
"version": "1.0.0",
"name": "Report Confidence",
- "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "UC",
"name": "Unconfirmed",
- "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
{
"key": "UR",
"name": "Uncorroborated",
- "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
{
"key": "C",
"name": "Confirmed",
- "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
}
]
},
@@ -3288,17 +3288,17 @@
"UC": {
"key": "UC",
"name": "Unconfirmed",
- "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
"UR": {
"key": "UR",
"name": "Uncorroborated",
- "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
"C": {
"key": "C",
"name": "Confirmed",
- "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
}
}
},
@@ -3309,28 +3309,28 @@
"key": "RC",
"version": "1.1.0",
"name": "Report Confidence",
- "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "UC",
"name": "Unconfirmed",
- "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
{
"key": "UR",
"name": "Uncorroborated",
- "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
{
"key": "C",
"name": "Confirmed",
- "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
},
{
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -3338,22 +3338,22 @@
"UC": {
"key": "UC",
"name": "Unconfirmed",
- "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
"UR": {
"key": "UR",
"name": "Uncorroborated",
- "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
"C": {
"key": "C",
"name": "Confirmed",
- "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
},
"ND": {
"key": "ND",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -3364,28 +3364,28 @@
"key": "RC",
"version": "2.0.0",
"name": "Report Confidence",
- "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unknown",
- "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
+ "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
},
{
"key": "R",
"name": "Reasonable",
- "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
+ "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
},
{
"key": "C",
"name": "Confirmed",
- "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
+ "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -3393,22 +3393,22 @@
"U": {
"key": "U",
"name": "Unknown",
- "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
+ "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
},
"R": {
"key": "R",
"name": "Reasonable",
- "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
+ "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
},
"C": {
"key": "C",
"name": "Confirmed",
- "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
+ "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -3424,18 +3424,18 @@
"key": "S",
"version": "1.0.0",
"name": "Scope",
- "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unchanged",
- "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
{
"key": "C",
"name": "Changed",
- "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
}
]
},
@@ -3443,12 +3443,12 @@
"U": {
"key": "U",
"name": "Unchanged",
- "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
"C": {
"key": "C",
"name": "Changed",
- "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
}
}
}
@@ -3464,23 +3464,23 @@
"key": "SC",
"version": "1.0.0",
"name": "Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
]
},
@@ -3488,17 +3488,17 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
}
}
@@ -3514,23 +3514,23 @@
"key": "AU",
"version": "1.0.0",
"name": "Automatable",
- "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+ "definition": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -3538,17 +3538,17 @@
"N": {
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -3564,33 +3564,33 @@
"key": "U",
"version": "1.0.0",
"name": "Provider Urgency",
- "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
+ "definition": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "C",
"name": "Clear",
- "description": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
+ "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
},
{
"key": "G",
"name": "Green",
- "description": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
},
{
"key": "A",
"name": "Amber",
- "description": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
},
{
"key": "R",
"name": "Red",
- "description": "Provider has assessed the impact of this vulnerability as having the highest urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
}
]
},
@@ -3598,27 +3598,27 @@
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"C": {
"key": "C",
"name": "Clear",
- "description": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
+ "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
},
"G": {
"key": "G",
"name": "Green",
- "description": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
},
"A": {
"key": "A",
"name": "Amber",
- "description": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
},
"R": {
"key": "R",
"name": "Red",
- "description": "Provider has assessed the impact of this vulnerability as having the highest urgency."
+ "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
}
}
}
@@ -3634,28 +3634,28 @@
"key": "R",
"version": "1.0.0",
"name": "Recovery",
- "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
+ "definition": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "A",
"name": "Automatic",
- "description": "The system recovers services automatically after an attack has been performed."
+ "definition": "The system recovers services automatically after an attack has been performed."
},
{
"key": "U",
"name": "User",
- "description": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
},
{
"key": "I",
"name": "Irrecoverable",
- "description": "The system services are irrecoverable by the user, after an attack has been performed."
+ "definition": "The system services are irrecoverable by the user, after an attack has been performed."
}
]
},
@@ -3663,22 +3663,22 @@
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"A": {
"key": "A",
"name": "Automatic",
- "description": "The system recovers services automatically after an attack has been performed."
+ "definition": "The system recovers services automatically after an attack has been performed."
},
"U": {
"key": "U",
"name": "User",
- "description": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
},
"I": {
"key": "I",
"name": "Irrecoverable",
- "description": "The system services are irrecoverable by the user, after an attack has been performed."
+ "definition": "The system services are irrecoverable by the user, after an attack has been performed."
}
}
}
@@ -3694,23 +3694,23 @@
"key": "SF",
"version": "1.0.0",
"name": "Safety",
- "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
+ "definition": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "P",
"name": "Present",
- "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
},
{
"key": "N",
"name": "Negligible",
- "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
}
]
},
@@ -3718,17 +3718,17 @@
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"P": {
"key": "P",
"name": "Present",
- "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
},
"N": {
"key": "N",
"name": "Negligible",
- "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
}
}
}
@@ -3744,23 +3744,23 @@
"key": "V",
"version": "1.0.0",
"name": "Value Density",
- "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
+ "definition": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "D",
"name": "Diffuse",
- "description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
+ "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
- "description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
+ "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
]
},
@@ -3768,17 +3768,17 @@
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"D": {
"key": "D",
"name": "Diffuse",
- "description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
+ "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
},
"C": {
"key": "C",
"name": "Concentrated",
- "description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
+ "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
}
}
@@ -3794,28 +3794,28 @@
"key": "RE",
"version": "1.0.0",
"name": "Vulnerability Response Effort",
- "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
+ "definition": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "L",
"name": "Low",
- "description": "The effort required to respond to a vulnerability is low/trivial."
+ "definition": "The effort required to respond to a vulnerability is low/trivial."
},
{
"key": "M",
"name": "Moderate",
- "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
},
{
"key": "H",
"name": "High",
- "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
+ "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
}
]
},
@@ -3823,22 +3823,22 @@
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The effort required to respond to a vulnerability is low/trivial."
+ "definition": "The effort required to respond to a vulnerability is low/trivial."
},
"M": {
"key": "M",
"name": "Moderate",
- "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
},
"H": {
"key": "H",
"name": "High",
- "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
+ "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
}
}
}
@@ -3854,28 +3854,28 @@
"key": "TD",
"version": "1.0.0",
"name": "Target Distribution",
- "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
{
"key": "L",
"name": "Low",
- "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
{
"key": "M",
"name": "Medium",
- "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
{
"key": "H",
"name": "High",
- "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
}
]
},
@@ -3883,22 +3883,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
"H": {
"key": "H",
"name": "High",
- "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
}
}
},
@@ -3909,33 +3909,33 @@
"key": "TD",
"version": "1.1.0",
"name": "Target Distribution",
- "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
{
"key": "L",
"name": "Low",
- "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
{
"key": "M",
"name": "Medium",
- "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
{
"key": "H",
"name": "High",
- "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -3943,27 +3943,27 @@
"N": {
"key": "N",
"name": "None",
- "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
"H": {
"key": "H",
"name": "High",
- "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -3979,18 +3979,18 @@
"key": "UI",
"version": "1.0.0",
"name": "User Interaction",
- "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "R",
"name": "Required",
- "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The vulnerable system can be exploited without interaction from any user."
}
]
},
@@ -3998,12 +3998,12 @@
"R": {
"key": "R",
"name": "Required",
- "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
},
"N": {
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The vulnerable system can be exploited without interaction from any user."
}
}
},
@@ -4014,23 +4014,23 @@
"key": "UI",
"version": "2.0.0",
"name": "User Interaction",
- "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
]
},
@@ -4038,17 +4038,17 @@
"A": {
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
"P": {
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
"N": {
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
}
}
@@ -4064,33 +4064,33 @@
"key": "CVSS",
"version": "1.0.0",
"name": "CVSS Qualitative Severity Rating Scale",
- "description": "The CVSS Qualitative Severity Rating Scale group.",
+ "definition": "The CVSS Qualitative Severity Rating Scale group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "None (0.0)"
+ "definition": "None (0.0)"
},
{
"key": "L",
"name": "Low",
- "description": "Low (0.1-3.9)"
+ "definition": "Low (0.1-3.9)"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0-6.9)"
},
{
"key": "H",
"name": "High",
- "description": "High (7.0-8.9)"
+ "definition": "High (7.0-8.9)"
},
{
"key": "C",
"name": "Critical",
- "description": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0-10.0)"
}
]
},
@@ -4098,27 +4098,27 @@
"N": {
"key": "N",
"name": "None",
- "description": "None (0.0)"
+ "definition": "None (0.0)"
},
"L": {
"key": "L",
"name": "Low",
- "description": "Low (0.1-3.9)"
+ "definition": "Low (0.1-3.9)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0-6.9)"
},
"H": {
"key": "H",
"name": "High",
- "description": "High (7.0-8.9)"
+ "definition": "High (7.0-8.9)"
},
"C": {
"key": "C",
"name": "Critical",
- "description": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0-10.0)"
}
}
}
@@ -4134,33 +4134,33 @@
"key": "MAV",
"version": "3.0.0",
"name": "Modified Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
{
"key": "A",
"name": "Adjacent",
- "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
},
{
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4168,27 +4168,27 @@
"P": {
"key": "P",
"name": "Physical",
- "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
"L": {
"key": "L",
"name": "Local",
- "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
"A": {
"key": "A",
"name": "Adjacent",
- "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
},
"N": {
"key": "N",
"name": "Network",
- "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -4199,33 +4199,33 @@
"key": "MAV",
"version": "3.0.1",
"name": "Modified Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4233,27 +4233,27 @@
"P": {
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
"L": {
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
"A": {
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
"N": {
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4269,23 +4269,23 @@
"key": "MAC",
"version": "3.0.0",
"name": "Modified Attack Complexity",
- "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "A successful attack depends on conditions beyond the attacker's control."
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4293,17 +4293,17 @@
"H": {
"key": "H",
"name": "High",
- "description": "A successful attack depends on conditions beyond the attacker's control."
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -4314,23 +4314,23 @@
"key": "MAC",
"version": "3.0.1",
"name": "Modified Attack Complexity",
- "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4338,17 +4338,17 @@
"H": {
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4364,28 +4364,28 @@
"key": "MPR",
"version": "1.0.0",
"name": "Modified Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4393,22 +4393,22 @@
"H": {
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
"N": {
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -4419,28 +4419,28 @@
"key": "MPR",
"version": "1.0.1",
"name": "Modified Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4448,22 +4448,22 @@
"H": {
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
"L": {
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
"N": {
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4479,23 +4479,23 @@
"key": "MUI",
"version": "1.0.0",
"name": "Modified User Interaction",
- "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "R",
"name": "Required",
- "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The vulnerable system can be exploited without interaction from any user."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4503,17 +4503,17 @@
"R": {
"key": "R",
"name": "Required",
- "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
},
"N": {
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The vulnerable system can be exploited without interaction from any user."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -4524,28 +4524,28 @@
"key": "MUI",
"version": "2.0.0",
"name": "Modified User Interaction",
- "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4553,22 +4553,22 @@
"A": {
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
"P": {
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
"N": {
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4584,23 +4584,23 @@
"key": "MS",
"version": "1.0.0",
"name": "Modified Scope",
- "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unchanged",
- "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
{
"key": "C",
"name": "Changed",
- "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4608,17 +4608,17 @@
"U": {
"key": "U",
"name": "Unchanged",
- "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
"C": {
"key": "C",
"name": "Changed",
- "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4634,28 +4634,28 @@
"key": "MC",
"version": "2.0.0",
"name": "Modified Confidentiality Impact",
- "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4663,22 +4663,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4694,28 +4694,28 @@
"key": "MI",
"version": "2.0.0",
"name": "Modified Integrity Impact",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the integrity of the system."
+ "definition": "There is no impact to the integrity of the system."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4723,22 +4723,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to the integrity of the system."
+ "definition": "There is no impact to the integrity of the system."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4754,28 +4754,28 @@
"key": "MA",
"version": "2.0.0",
"name": "Modified Availability Impact",
- "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to the availability of the system."
+ "definition": "There is no impact to the availability of the system."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability."
+ "definition": "There is reduced performance or interruptions in resource availability."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4783,22 +4783,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to the availability of the system."
+ "definition": "There is no impact to the availability of the system."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability."
+ "definition": "There is reduced performance or interruptions in resource availability."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4814,23 +4814,23 @@
"key": "MAT",
"version": "1.0.0",
"name": "Modified Attack Requirements",
- "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4838,17 +4838,17 @@
"P": {
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
"N": {
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4864,28 +4864,28 @@
"key": "MVC",
"version": "3.0.0",
"name": "Modified Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4893,22 +4893,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4924,28 +4924,28 @@
"key": "MVI",
"version": "3.0.0",
"name": "Modified Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -4953,22 +4953,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -4984,28 +4984,28 @@
"key": "MVA",
"version": "3.0.0",
"name": "Modified Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -5013,22 +5013,22 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -5044,28 +5044,28 @@
"key": "MSC",
"version": "1.0.0",
"name": "Modified Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -5073,22 +5073,22 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
@@ -5099,28 +5099,28 @@
"key": "MSC",
"version": "1.0.1",
"name": "Modified Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
},
{
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -5128,22 +5128,22 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
},
"X": {
"key": "X",
"name": "Not Defined",
- "description": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
@@ -5164,18 +5164,18 @@
"key": "V",
"version": "1.0.0",
"name": "Virulence",
- "description": "The speed at which the vulnerability can be exploited.",
+ "definition": "The speed at which the vulnerability can be exploited.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Slow",
- "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
{
"key": "R",
"name": "Rapid",
- "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
+ "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
}
]
},
@@ -5183,12 +5183,12 @@
"S": {
"key": "S",
"name": "Slow",
- "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
"R": {
"key": "R",
"name": "Rapid",
- "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
+ "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
}
}
}
@@ -5204,18 +5204,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -5223,12 +5223,12 @@
"N": {
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
}
}
@@ -5244,18 +5244,18 @@
"key": "CS",
"version": "1.0.0",
"name": "Critical Software",
- "description": "Denotes whether a system meets a critical software definition.",
+ "definition": "Denotes whether a system meets a critical software definition.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "System does not meet a critical software definition."
+ "definition": "System does not meet a critical software definition."
},
{
"key": "Y",
"name": "Yes",
- "description": "System meets a critical software definition."
+ "definition": "System meets a critical software definition."
}
]
},
@@ -5263,12 +5263,12 @@
"N": {
"key": "N",
"name": "No",
- "description": "System does not meet a critical software definition."
+ "definition": "System does not meet a critical software definition."
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "System meets a critical software definition."
+ "definition": "System meets a critical software definition."
}
}
}
@@ -5284,23 +5284,23 @@
"key": "E",
"version": "1.0.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "PoC",
- "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -5308,17 +5308,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
"P": {
"key": "P",
"name": "PoC",
- "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
},
"A": {
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
}
},
@@ -5329,23 +5329,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -5353,17 +5353,17 @@
"N": {
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
"P": {
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
"A": {
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
}
}
@@ -5379,18 +5379,18 @@
"key": "HVA",
"version": "1.0.0",
"name": "High Value Asset",
- "description": "Denotes whether a system meets a high value asset definition.",
+ "definition": "Denotes whether a system meets a high value asset definition.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "System does not meet a high value asset definition."
+ "definition": "System does not meet a high value asset definition."
},
{
"key": "Y",
"name": "Yes",
- "description": "System meets a high value asset definition."
+ "definition": "System meets a high value asset definition."
}
]
},
@@ -5398,12 +5398,12 @@
"N": {
"key": "N",
"name": "No",
- "description": "System does not meet a high value asset definition."
+ "definition": "System does not meet a high value asset definition."
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "System meets a high value asset definition."
+ "definition": "System meets a high value asset definition."
}
}
}
@@ -5419,23 +5419,23 @@
"key": "MWI",
"version": "1.0.0",
"name": "Mission and Well-Being Impact",
- "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
{
"key": "M",
"name": "Medium",
- "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
"key": "H",
"name": "High",
- "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
},
@@ -5443,17 +5443,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
"H": {
"key": "H",
"name": "High",
- "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
}
}
@@ -5469,28 +5469,28 @@
"key": "HI",
"version": "2.0.0",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
@@ -5498,22 +5498,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
},
"H": {
"key": "H",
"name": "High",
- "description": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
},
"VH": {
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
}
},
@@ -5524,28 +5524,28 @@
"key": "HI",
"version": "2.0.1",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
@@ -5553,22 +5553,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
},
"H": {
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
"VH": {
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
}
},
@@ -5579,28 +5579,28 @@
"key": "HI",
"version": "2.0.2",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
@@ -5608,22 +5608,22 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
"H": {
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
"VH": {
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
}
}
@@ -5639,33 +5639,33 @@
"key": "MI",
"version": "1.0.0",
"name": "Mission Impact",
- "description": "Impact on Mission Essential Functions of the Organization",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "Little to no impact"
+ "definition": "Little to no impact"
},
{
"key": "NED",
"name": "Non-Essential Degraded",
- "description": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
},
@@ -5673,27 +5673,27 @@
"N": {
"key": "N",
"name": "None",
- "description": "Little to no impact"
+ "definition": "Little to no impact"
},
"NED": {
"key": "NED",
"name": "Non-Essential Degraded",
- "description": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
"MSC": {
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
"MEF": {
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
"MF": {
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
}
},
@@ -5704,28 +5704,28 @@
"key": "MI",
"version": "2.0.0",
"name": "Mission Impact",
- "description": "Impact on Mission Essential Functions of the Organization",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Degraded",
- "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
},
@@ -5733,22 +5733,22 @@
"D": {
"key": "D",
"name": "Degraded",
- "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
"MSC": {
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
"MEF": {
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
"MF": {
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
}
}
@@ -5764,23 +5764,23 @@
"key": "PWI",
"version": "1.1.0",
"name": "Public Well-Being Impact",
- "description": "A coarse-grained representation of impact to public well-being.",
+ "definition": "A coarse-grained representation of impact to public well-being.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "The effect is below the threshold for all aspects described in material. "
+ "definition": "The effect is below the threshold for all aspects described in material. "
},
{
"key": "MA",
"name": "Material",
- "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
},
{
"key": "I",
"name": "Irreversible",
- "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
}
]
},
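Review bot: The renamed `definition` string for key `I` still carries the pre-existing typo `componen` (for `component`) and the `M`, `MA` and `I` strings keep a trailing space inside the quotes, so the rename copied these defects forward rather than fixing them; the @@ -5788 hunk repeats the same `I` text. These files appear to be generated, so the correction presumably belongs in the source that emits them rather than in the JSON itself. The Safety Impact hunk at @@ -6019 has a similar issue in its `M` value, where `Financial Financial losses` is missing the colon after the first `Financial`.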
@@ -5788,17 +5788,17 @@
"M": {
"key": "M",
"name": "Minimal",
- "description": "The effect is below the threshold for all aspects described in material. "
+ "definition": "The effect is below the threshold for all aspects described in material. "
},
"MA": {
"key": "MA",
"name": "Material",
- "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
},
"I": {
"key": "I",
"name": "Irreversible",
- "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
}
}
}
@@ -5814,18 +5814,18 @@
"key": "PSI",
"version": "2.0.0",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:(None OR Minor)"
+ "definition": "Safety Impact:(None OR Minor)"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
}
]
},
@@ -5833,12 +5833,12 @@
"M": {
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:(None OR Minor)"
+ "definition": "Safety Impact:(None OR Minor)"
},
"S": {
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
}
}
},
@@ -5849,18 +5849,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
},
@@ -5868,12 +5868,12 @@
"M": {
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
"S": {
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
}
}
@@ -5889,23 +5889,23 @@
"key": "PVA",
"version": "1.0.0",
"name": "Public Value Added",
- "description": "How much value would a publication from the coordinator benefit the broader community?",
+ "definition": "How much value would a publication from the coordinator benefit the broader community?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Limited",
- "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
{
"key": "A",
"name": "Ampliative",
- "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
},
{
"key": "P",
"name": "Precedence",
- "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
]
},
@@ -5913,17 +5913,17 @@
"L": {
"key": "L",
"name": "Limited",
- "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
"A": {
"key": "A",
"name": "Ampliative",
- "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
},
"P": {
"key": "P",
"name": "Precedence",
- "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
}
}
@@ -5939,18 +5939,18 @@
"key": "RC",
"version": "1.0.0",
"name": "Report Credibility",
- "description": "Is the report credible?",
+ "definition": "Is the report credible?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "NC",
"name": "Not Credible",
- "description": "The report is not credible."
+ "definition": "The report is not credible."
},
{
"key": "C",
"name": "Credible",
- "description": "The report is credible."
+ "definition": "The report is credible."
}
]
},
@@ -5958,12 +5958,12 @@
"NC": {
"key": "NC",
"name": "Not Credible",
- "description": "The report is not credible."
+ "definition": "The report is not credible."
},
"C": {
"key": "C",
"name": "Credible",
- "description": "The report is credible."
+ "definition": "The report is credible."
}
}
}
@@ -5979,18 +5979,18 @@
"key": "RP",
"version": "1.0.0",
"name": "Report Public",
- "description": "Is a viable report of the details of the vulnerability already publicly available?",
+ "definition": "Is a viable report of the details of the vulnerability already publicly available?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "Y",
"name": "Yes",
- "description": "A public report of the vulnerability exists."
+ "definition": "A public report of the vulnerability exists."
},
{
"key": "N",
"name": "No",
- "description": "No public report of the vulnerability exists."
+ "definition": "No public report of the vulnerability exists."
}
]
},
@@ -5998,12 +5998,12 @@
"Y": {
"key": "Y",
"name": "Yes",
- "description": "A public report of the vulnerability exists."
+ "definition": "A public report of the vulnerability exists."
},
"N": {
"key": "N",
"name": "No",
- "description": "No public report of the vulnerability exists."
+ "definition": "No public report of the vulnerability exists."
}
}
}
@@ -6019,33 +6019,33 @@
"key": "SI",
"version": "1.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability.",
+ "definition": "The safety impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "The effect is below the threshold for all aspects described in Minor."
+ "definition": "The effect is below the threshold for all aspects described in Minor."
},
{
"key": "M",
"name": "Minor",
- "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "J",
"name": "Major",
- "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "H",
"name": "Hazardous",
- "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
+ "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
}
]
},
@@ -6053,27 +6053,27 @@
"N": {
"key": "N",
"name": "None",
- "description": "The effect is below the threshold for all aspects described in Minor."
+ "definition": "The effect is below the threshold for all aspects described in Minor."
},
"M": {
"key": "M",
"name": "Minor",
- "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
"J": {
"key": "J",
"name": "Major",
- "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
"H": {
"key": "H",
"name": "Hazardous",
- "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
},
"C": {
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
+ "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
}
}
},
@@ -6084,28 +6084,28 @@
"key": "SI",
"version": "2.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
},
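Review bot: The key rename from `"description"` to `"definition"` changes the shape of every decision-point document in this hunk while the context line `"schemaVersion": "2.0.0"` is left as is, so a consumer validating against the 2.0.0 schema cannot tell the two shapes apart and will either reject these files or silently read an empty description. If the schema is revised in the same change the version should move with it; otherwise the schema and any loader keyed on `description` need the matching update, preferably one that fails closed on an unknown key instead of defaulting to an empty string. The same rename recurs in every following hunk of this chunk (the SI, SC, SCON, SE, SINV, EXP and TI entries), so this point is raised once for the whole file. The Safety Impact definitions starting at the `- *Physical harm*` lines also span several physical lines; if this is a JSON file those breaks must be `\n` escapes inside the string, though that may only be how the diff was rendered. The file header is outside this chunk, so which file and schema this belongs to could not be confirmed here.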
@@ -6113,22 +6113,22 @@
"N": {
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
"M": {
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
"R": {
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
"C": {
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
}
}
@@ -6144,18 +6144,18 @@
"key": "SC",
"version": "1.0.0",
"name": "Supplier Cardinality",
- "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "O",
"name": "One",
- "description": "There is only one supplier of the vulnerable component."
+ "definition": "There is only one supplier of the vulnerable component."
},
{
"key": "M",
"name": "Multiple",
- "description": "There are multiple suppliers of the vulnerable component."
+ "definition": "There are multiple suppliers of the vulnerable component."
}
]
},
@@ -6163,12 +6163,12 @@
"O": {
"key": "O",
"name": "One",
- "description": "There is only one supplier of the vulnerable component."
+ "definition": "There is only one supplier of the vulnerable component."
},
"M": {
"key": "M",
"name": "Multiple",
- "description": "There are multiple suppliers of the vulnerable component."
+ "definition": "There are multiple suppliers of the vulnerable component."
}
}
}
@@ -6184,18 +6184,18 @@
"key": "SCON",
"version": "1.0.0",
"name": "Supplier Contacted",
- "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "The supplier has not been contacted."
+ "definition": "The supplier has not been contacted."
},
{
"key": "Y",
"name": "Yes",
- "description": "The supplier has been contacted."
+ "definition": "The supplier has been contacted."
}
]
},
@@ -6203,12 +6203,12 @@
"N": {
"key": "N",
"name": "No",
- "description": "The supplier has not been contacted."
+ "definition": "The supplier has not been contacted."
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "The supplier has been contacted."
+ "definition": "The supplier has been contacted."
}
}
}
@@ -6224,18 +6224,18 @@
"key": "SE",
"version": "1.0.0",
"name": "Supplier Engagement",
- "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
+ "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
{
"key": "U",
"name": "Unresponsive",
- "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
]
},
@@ -6243,12 +6243,12 @@
"A": {
"key": "A",
"name": "Active",
- "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
"U": {
"key": "U",
"name": "Unresponsive",
- "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
}
}
@@ -6264,23 +6264,23 @@
"key": "SINV",
"version": "1.0.0",
"name": "Supplier Involvement",
- "description": "What is the state of the supplier’s work on addressing the vulnerability?",
+ "definition": "What is the state of the supplier’s work on addressing the vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "FR",
"name": "Fix Ready",
- "description": "The supplier has provided a patch or fix."
+ "definition": "The supplier has provided a patch or fix."
},
{
"key": "C",
"name": "Cooperative",
- "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
},
{
"key": "UU",
"name": "Uncooperative/Unresponsive",
- "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
]
},
@@ -6288,17 +6288,17 @@
"FR": {
"key": "FR",
"name": "Fix Ready",
- "description": "The supplier has provided a patch or fix."
+ "definition": "The supplier has provided a patch or fix."
},
"C": {
"key": "C",
"name": "Cooperative",
- "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
},
"UU": {
"key": "UU",
"name": "Uncooperative/Unresponsive",
- "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
}
}
@@ -6314,23 +6314,23 @@
"key": "EXP",
"version": "1.0.0",
"name": "System Exposure",
- "description": "The Accessible Attack Surface of the Affected System or Service",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
{
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
"key": "U",
"name": "Unavoidable",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
},
@@ -6338,17 +6338,17 @@
"S": {
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
"C": {
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
"U": {
"key": "U",
"name": "Unavoidable",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
}
},
@@ -6359,23 +6359,23 @@
"key": "EXP",
"version": "1.0.1",
"name": "System Exposure",
- "description": "The Accessible Attack Surface of the Affected System or Service",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
{
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
"key": "O",
"name": "Open",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
},
@@ -6383,17 +6383,17 @@
"S": {
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
"C": {
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
"O": {
"key": "O",
"name": "Open",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
}
}
@@ -6409,18 +6409,18 @@
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
- "description": "The technical impact of the vulnerability.",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
},
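Review bot: The `"description"` → `"definition"` key rename at L13478–L13479 lands while `"schemaVersion": "2.0.0"` on the very next line is left unchanged, so every object in this file now claims conformance to the same schema version under a different field name; the same pattern repeats in every hunk of this file (e.g. L14200–L14202, L14343–L14345). Unless the 2.0.0 schema already accepts `"definition"`, a consumer validating against it will either reject these documents or silently lose the text that used to live in `"description"`. I'd expect either a bump of `"schemaVersion"` alongside the rename or a sentence in the commit description confirming that the schema was updated in place; since these JSON files look generated rather than hand-edited, that fix belongs in the generator and schema, not in this data. Hunks sharing this point are not repeated below.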
@@ -6428,12 +6428,12 @@
"P": {
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
"T": {
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
}
}
@@ -6449,23 +6449,23 @@
"key": "U",
"version": "1.0.0",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Virulence:Slow and Value Density:Diffuse"
+ "definition": "Virulence:Slow and Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Virulence:Rapid and Value Density:Concentrated"
+ "definition": "Virulence:Rapid and Value Density:Concentrated"
}
]
},
@@ -6473,17 +6473,17 @@
"L": {
"key": "L",
"name": "Laborious",
- "description": "Virulence:Slow and Value Density:Diffuse"
+ "definition": "Virulence:Slow and Value Density:Diffuse"
},
"E": {
"key": "E",
"name": "Efficient",
- "description": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
},
"S": {
"key": "S",
"name": "Super Effective",
- "description": "Virulence:Rapid and Value Density:Concentrated"
+ "definition": "Virulence:Rapid and Value Density:Concentrated"
}
}
},
@@ -6494,23 +6494,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
},
@@ -6518,17 +6518,17 @@
"L": {
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
"E": {
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
"S": {
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
}
}
@@ -6544,18 +6544,18 @@
"key": "VD",
"version": "1.0.0",
"name": "Value Density",
- "description": "The concentration of value in the target",
+ "definition": "The concentration of value in the target",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Diffuse",
- "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
- "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
}
]
},
@@ -6563,12 +6563,12 @@
"D": {
"key": "D",
"name": "Diffuse",
- "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
},
"C": {
"key": "C",
"name": "Concentrated",
- "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
}
}
}
@@ -6584,23 +6584,23 @@
"key": "COORDINATE",
"version": "1.0.0",
"name": "Decline, Track, Coordinate",
- "description": "The coordinate outcome group.",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
- "description": "Decline"
+ "definition": "Decline"
},
{
"key": "T",
"name": "Track",
- "description": "Track"
+ "definition": "Track"
},
{
"key": "C",
"name": "Coordinate",
- "description": "Coordinate"
+ "definition": "Coordinate"
}
]
},
@@ -6608,17 +6608,17 @@
"D": {
"key": "D",
"name": "Decline",
- "description": "Decline"
+ "definition": "Decline"
},
"T": {
"key": "T",
"name": "Track",
- "description": "Track"
+ "definition": "Track"
},
"C": {
"key": "C",
"name": "Coordinate",
- "description": "Coordinate"
+ "definition": "Coordinate"
}
}
},
@@ -6629,23 +6629,23 @@
"key": "COORDINATE",
"version": "1.0.1",
"name": "Decline, Track, Coordinate",
- "description": "The coordinate outcome group.",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
- "description": "Do not act on the report."
+ "definition": "Do not act on the report."
},
{
"key": "T",
"name": "Track",
- "description": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
{
"key": "C",
"name": "Coordinate",
- "description": "Take action on the report."
+ "definition": "Take action on the report."
}
]
},
@@ -6653,17 +6653,17 @@
"D": {
"key": "D",
"name": "Decline",
- "description": "Do not act on the report."
+ "definition": "Do not act on the report."
},
"T": {
"key": "T",
"name": "Track",
- "description": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
"C": {
"key": "C",
"name": "Coordinate",
- "description": "Take action on the report."
+ "definition": "Take action on the report."
}
}
}
@@ -6679,28 +6679,28 @@
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "description": "The original SSVC outcome group.",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
]
},
@@ -6708,22 +6708,22 @@
"D": {
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
"S": {
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
"O": {
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
"I": {
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
}
}
@@ -6739,18 +6739,18 @@
"key": "PUBLISH",
"version": "1.0.0",
"name": "Publish, Do Not Publish",
- "description": "The publish outcome group.",
+ "definition": "The publish outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Do Not Publish",
- "description": "Do Not Publish"
+ "definition": "Do Not Publish"
},
{
"key": "P",
"name": "Publish",
- "description": "Publish"
+ "definition": "Publish"
}
]
},
@@ -6758,12 +6758,12 @@
"N": {
"key": "N",
"name": "Do Not Publish",
- "description": "Do Not Publish"
+ "definition": "Do Not Publish"
},
"P": {
"key": "P",
"name": "Publish",
- "description": "Publish"
+ "definition": "Publish"
}
}
}
@@ -6784,28 +6784,28 @@
"key": "IKE",
"version": "1.0.0",
"name": "Do, Schedule, Delegate, Delete",
- "description": "The Eisenhower outcome group.",
+ "definition": "The Eisenhower outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Delete",
- "description": "Delete"
+ "definition": "Delete"
},
{
"key": "G",
"name": "Delegate",
- "description": "Delegate"
+ "definition": "Delegate"
},
{
"key": "S",
"name": "Schedule",
- "description": "Schedule"
+ "definition": "Schedule"
},
{
"key": "O",
"name": "Do",
- "description": "Do"
+ "definition": "Do"
}
]
},
@@ -6813,22 +6813,22 @@
"D": {
"key": "D",
"name": "Delete",
- "description": "Delete"
+ "definition": "Delete"
},
"G": {
"key": "G",
"name": "Delegate",
- "description": "Delegate"
+ "definition": "Delegate"
},
"S": {
"key": "S",
"name": "Schedule",
- "description": "Schedule"
+ "definition": "Schedule"
},
"O": {
"key": "O",
"name": "Do",
- "description": "Do"
+ "definition": "Do"
}
}
}
@@ -6844,28 +6844,28 @@
"key": "MSCW",
"version": "1.0.0",
"name": "MoSCoW",
- "description": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
+ "definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "W",
"name": "Won't",
- "description": "Won't"
+ "definition": "Won't"
},
{
"key": "C",
"name": "Could",
- "description": "Could"
+ "definition": "Could"
},
{
"key": "S",
"name": "Should",
- "description": "Should"
+ "definition": "Should"
},
{
"key": "M",
"name": "Must",
- "description": "Must"
+ "definition": "Must"
}
]
},
@@ -6873,22 +6873,22 @@
"W": {
"key": "W",
"name": "Won't",
- "description": "Won't"
+ "definition": "Won't"
},
"C": {
"key": "C",
"name": "Could",
- "description": "Could"
+ "definition": "Could"
},
"S": {
"key": "S",
"name": "Should",
- "description": "Should"
+ "definition": "Should"
},
"M": {
"key": "M",
"name": "Must",
- "description": "Must"
+ "definition": "Must"
}
}
}
@@ -6904,28 +6904,28 @@
"key": "VALUE_COMPLEXITY",
"version": "1.0.0",
"name": "Value, Complexity",
- "description": "The Value/Complexity outcome group.",
+ "definition": "The Value/Complexity outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Drop",
- "description": "Drop"
+ "definition": "Drop"
},
{
"key": "R",
"name": "Reconsider Later",
- "description": "Reconsider Later"
+ "definition": "Reconsider Later"
},
{
"key": "E",
"name": "Easy Win",
- "description": "Easy Win"
+ "definition": "Easy Win"
},
{
"key": "F",
"name": "Do First",
- "description": "Do First"
+ "definition": "Do First"
}
]
},
@@ -6933,22 +6933,22 @@
"D": {
"key": "D",
"name": "Drop",
- "description": "Drop"
+ "definition": "Drop"
},
"R": {
"key": "R",
"name": "Reconsider Later",
- "description": "Reconsider Later"
+ "definition": "Reconsider Later"
},
"E": {
"key": "E",
"name": "Easy Win",
- "description": "Easy Win"
+ "definition": "Easy Win"
},
"F": {
"key": "F",
"name": "Do First",
- "description": "Do First"
+ "definition": "Do First"
}
}
}
@@ -6964,18 +6964,18 @@
"key": "YN",
"version": "1.0.0",
"name": "YesNo",
- "description": "A Yes/No decision point / outcome group.",
+ "definition": "A Yes/No decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "No"
+ "definition": "No"
},
{
"key": "Y",
"name": "Yes",
- "description": "Yes"
+ "definition": "Yes"
}
]
},
@@ -6983,12 +6983,12 @@
"N": {
"key": "N",
"name": "No",
- "description": "No"
+ "definition": "No"
},
"Y": {
"key": "Y",
"name": "Yes",
- "description": "Yes"
+ "definition": "Yes"
}
}
}
@@ -7004,23 +7004,23 @@
"key": "LMH",
"version": "1.0.0",
"name": "LowMediumHigh",
- "description": "A Low/Medium/High decision point / outcome group.",
+ "definition": "A Low/Medium/High decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Low"
+ "definition": "Low"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium"
+ "definition": "Medium"
},
{
"key": "H",
"name": "High",
- "description": "High"
+ "definition": "High"
}
]
},
@@ -7028,17 +7028,17 @@
"L": {
"key": "L",
"name": "Low",
- "description": "Low"
+ "definition": "Low"
},
"M": {
"key": "M",
"name": "Medium",
- "description": "Medium"
+ "definition": "Medium"
},
"H": {
"key": "H",
"name": "High",
- "description": "High"
+ "definition": "High"
}
}
}
@@ -7059,38 +7059,38 @@
"key": "PARANOIDS",
"version": "1.0.0",
"name": "theParanoids",
- "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.",
+ "definition": "PrioritizedRiskRemediation outcome group based on TheParanoids.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "5",
"name": "Track 5",
- "description": "Track"
+ "definition": "Track"
},
{
"key": "4",
"name": "Track Closely 4",
- "description": "Track Closely"
+ "definition": "Track Closely"
},
{
"key": "3",
"name": "Attend 3",
- "description": "Attend"
+ "definition": "Attend"
},
{
"key": "2",
"name": "Attend 2",
- "description": "Attend"
+ "definition": "Attend"
},
{
"key": "1",
"name": "Act 1",
- "description": "Act"
+ "definition": "Act"
},
{
"key": "0",
"name": "Act ASAP 0",
- "description": "Act ASAP"
+ "definition": "Act ASAP"
}
]
},
@@ -7098,32 +7098,32 @@
"5": {
"key": "5",
"name": "Track 5",
- "description": "Track"
+ "definition": "Track"
},
"4": {
"key": "4",
"name": "Track Closely 4",
- "description": "Track Closely"
+ "definition": "Track Closely"
},
"3": {
"key": "3",
"name": "Attend 3",
- "description": "Attend"
+ "definition": "Attend"
},
"2": {
"key": "2",
"name": "Attend 2",
- "description": "Attend"
+ "definition": "Attend"
},
"1": {
"key": "1",
"name": "Act 1",
- "description": "Act"
+ "definition": "Act"
},
"0": {
"key": "0",
"name": "Act ASAP 0",
- "description": "Act ASAP"
+ "definition": "Act ASAP"
}
}
}
@@ -7149,7 +7149,7 @@
"key": "DT_CO",
"version": "2.0.3",
"name": "CISA Coordinator",
- "description": "CISA Coordinator decision table for SSVC",
+ "definition": "CISA Coordinator decision table for SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:E:1.1.0": {
@@ -7157,23 +7157,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -7182,18 +7182,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -7202,18 +7202,18 @@
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
- "description": "The technical impact of the vulnerability.",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
},
@@ -7222,23 +7222,23 @@
"key": "MWI",
"version": "1.0.0",
"name": "Mission and Well-Being Impact",
- "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
{
"key": "M",
"name": "Medium",
- "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
"key": "H",
"name": "High",
- "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
},
@@ -7247,28 +7247,28 @@
"key": "CISA",
"version": "1.1.0",
"name": "CISA Levels",
- "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+ "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "T",
"name": "Track",
- "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
{
"key": "T*",
"name": "Track*",
- "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
{
"key": "AT",
"name": "Attend",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
{
"key": "AC",
"name": "Act",
- "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
]
}
@@ -7547,7 +7547,7 @@
"key": "DT_CVSS_EQ5",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 5",
- "description": "CVSS Equivalence Set 5 Decision Table",
+ "definition": "CVSS Equivalence Set 5 Decision Table",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:E_NoX:2.0.0": {
@@ -7555,23 +7555,23 @@
"key": "E_NoX",
"version": "2.0.0",
"name": "Exploit Maturity (without Not Defined)",
- "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "U",
"name": "Unreported",
- "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
"key": "P",
"name": "Proof-of-Concept",
- "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
"key": "A",
"name": "Attacked",
- "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
]
},
@@ -7580,23 +7580,23 @@
"key": "EQ5",
"version": "1.0.0",
"name": "Equivalence Set 5",
- "description": "E with 3 levels specified in Table 28",
+ "definition": "E with 3 levels specified in Table 28",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
{
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
]
}
@@ -7630,7 +7630,7 @@
"key": "DT_CVSS4_EQ4",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 4",
- "description": "This decision table models equivalence set 4 from CVSS v4.",
+ "definition": "This decision table models equivalence set 4 from CVSS v4.",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:SC:1.0.0": {
@@ -7638,23 +7638,23 @@
"key": "SC",
"version": "1.0.0",
"name": "Confidentiality Impact to the Subsequent System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
]
},
@@ -7663,28 +7663,28 @@
"key": "MSI_NoX",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -7693,28 +7693,28 @@
"key": "MSA_NoX",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
- "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "S",
"name": "Safety",
- "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
@@ -7723,23 +7723,23 @@
"key": "EQ4",
"version": "1.0.0",
"name": "Equivalence Set 4",
- "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
]
}
@@ -8049,7 +8049,7 @@
"key": "DT_CVSS4_EQ1",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 1",
- "description": "This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).",
+ "definition": "This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:AV:3.0.1": {
@@ -8057,28 +8057,28 @@
"key": "AV",
"version": "3.0.1",
"name": "Attack Vector",
- "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Physical",
- "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
"key": "L",
"name": "Local",
- "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
"key": "A",
"name": "Adjacent",
- "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
"key": "N",
"name": "Network",
- "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
]
},
@@ -8087,23 +8087,23 @@
"key": "PR",
"version": "1.0.1",
"name": "Privileges Required",
- "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
},
@@ -8112,23 +8112,23 @@
"key": "UI",
"version": "2.0.0",
"name": "User Interaction",
- "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
"key": "P",
"name": "Passive",
- "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
"key": "N",
"name": "None",
- "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
]
},
@@ -8137,23 +8137,23 @@
"key": "EQ1",
"version": "1.0.0",
"name": "Equivalence Set 1",
- "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
}
@@ -8391,7 +8391,7 @@
"key": "DT_CVSS4_EQ6",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 6",
- "description": "This decision table models equivalence set 6 from CVSS v4.",
+ "definition": "This decision table models equivalence set 6 from CVSS v4.",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:CR_NoX:1.1.1": {
@@ -8399,23 +8399,23 @@
"key": "CR_NoX",
"version": "1.1.1",
"name": "Confidentiality Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -8424,23 +8424,23 @@
"key": "VC",
"version": "3.0.0",
"name": "Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -8449,23 +8449,23 @@
"key": "IR_NoX",
"version": "1.1.1",
"name": "Integrity Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
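Review bot: The IR_NoX definition on the new side of this hunk still says the metric is "measured in terms of Confidentiality", which contradicts the "Integrity Requirement" name three lines above and the sibling CR_NoX and AR_NoX entries, each of which names its own attribute; the rename to `definition` carries that copy-paste wording over unchanged. The line should read `"definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Integrity. This version does not include the Not Defined (X) option.",`. Since the Makefile in this change regenerates data/json from the doctools sources, the correction presumably belongs in the generator's IR decision-point definition rather than in this output file, so the next regeneration does not reintroduce it.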
@@ -8474,23 +8474,23 @@
"key": "VI",
"version": "3.0.0",
"name": "Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
@@ -8499,23 +8499,23 @@
"key": "AR_NoX",
"version": "1.1.1",
"name": "Availability Requirement (without Not Defined)",
- "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -8524,23 +8524,23 @@
"key": "VA",
"version": "3.0.0",
"name": "Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -8549,18 +8549,18 @@
"key": "EQ6",
"version": "1.0.0",
"name": "Equivalence Set 6",
- "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
}
@@ -15143,7 +15143,7 @@
"key": "DT_CVSS4_EQ3",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 3",
- "description": "This decision table models equivalence set 3 from CVSS v4.",
+ "definition": "This decision table models equivalence set 3 from CVSS v4.",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:VC:3.0.0": {
@@ -15151,23 +15151,23 @@
"key": "VC",
"version": "3.0.0",
"name": "Confidentiality Impact to the Vulnerable System",
- "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of confidentiality within the impacted component."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -15176,23 +15176,23 @@
"key": "VI",
"version": "3.0.0",
"name": "Integrity Impact to the Vulnerable System",
- "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
@@ -15201,23 +15201,23 @@
"key": "VA",
"version": "3.0.0",
"name": "Availability Impact to the Vulnerable System",
- "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no impact to availability within the Vulnerable System."
+ "definition": "There is no impact to availability within the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
@@ -15226,23 +15226,23 @@
"key": "EQ3",
"version": "1.0.0",
"name": "Equivalence Set 3",
- "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
]
}
@@ -15426,7 +15426,7 @@
"key": "DT_CVSS4_EQ2",
"version": "1.0.0",
"name": "CVSS v4 Equivalence Set 2",
- "description": "This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).",
+ "definition": "This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:AC:3.0.1": {
@@ -15434,18 +15434,18 @@
"key": "AC",
"version": "3.0.1",
"name": "Attack Complexity",
- "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "H",
"name": "High",
- "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
- "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
]
},
@@ -15454,18 +15454,18 @@
"key": "AT",
"version": "1.0.0",
"name": "Attack Requirements",
- "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Present",
- "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
- "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
]
},
@@ -15474,18 +15474,18 @@
"key": "EQ2",
"version": "1.0.0",
"name": "Equivalence Set 2",
- "description": "AC/AT with 2 levels specified in Table 25",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
]
}
@@ -15527,7 +15527,7 @@
"key": "DT_CVSS_QSR",
"version": "4.0.0",
"name": "CVSS v4.0 Qualitative Severity Ratings",
- "description": "CVSS v4.0 using MacroVectors and Interpolation. See https://www.first.org/cvss/specification-document#New-Scoring-System-Development for details",
+ "definition": "CVSS v4.0 using MacroVectors and Interpolation. See https://www.first.org/cvss/specification-document#New-Scoring-System-Development for details",
"schemaVersion": "2.0.0",
"decision_points": {
"cvss:EQ1:1.0.0": {
@@ -15535,23 +15535,23 @@
"key": "EQ1",
"version": "1.0.0",
"name": "Equivalence Set 1",
- "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "description": "0: AV:N and PR:N and UI:N"
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
},
@@ -15560,18 +15560,18 @@
"key": "EQ2",
"version": "1.0.0",
"name": "Equivalence Set 2",
- "description": "AC/AT with 2 levels specified in Table 25",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (AC:L and AT:N)"
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "description": "0: AC:L and AT:N"
+ "definition": "0: AC:L and AT:N"
}
]
},
@@ -15580,23 +15580,23 @@
"key": "EQ3",
"version": "1.0.0",
"name": "Equivalence Set 3",
- "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: VC:H and VI:H"
+ "definition": "0: VC:H and VI:H"
}
]
},
@@ -15605,23 +15605,23 @@
"key": "EQ4",
"version": "1.0.0",
"name": "Equivalence Set 4",
- "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
"key": "M",
"name": "Medium",
- "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: MSI:S or MSA:S"
+ "definition": "0: MSI:S or MSA:S"
}
]
},
@@ -15630,23 +15630,23 @@
"key": "EQ5",
"version": "1.0.0",
"name": "Equivalence Set 5",
- "description": "E with 3 levels specified in Table 28",
+ "definition": "E with 3 levels specified in Table 28",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "2: E:U"
+ "definition": "2: E:U"
},
{
"key": "M",
"name": "Medium",
- "description": "1: E:P"
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "description": "0: E:A"
+ "definition": "0: E:A"
}
]
},
@@ -15655,18 +15655,18 @@
"key": "EQ6",
"version": "1.0.0",
"name": "Equivalence Set 6",
- "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
},
@@ -15675,33 +15675,33 @@
"key": "CVSS",
"version": "1.0.0",
"name": "CVSS Qualitative Severity Rating Scale",
- "description": "The CVSS Qualitative Severity Rating Scale group.",
+ "definition": "The CVSS Qualitative Severity Rating Scale group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "None (0.0)"
+ "definition": "None (0.0)"
},
{
"key": "L",
"name": "Low",
- "description": "Low (0.1-3.9)"
+ "definition": "Low (0.1-3.9)"
},
{
"key": "M",
"name": "Medium",
- "description": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0-6.9)"
},
{
"key": "H",
"name": "High",
- "description": "High (7.0-8.9)"
+ "definition": "High (7.0-8.9)"
},
{
"key": "C",
"name": "Critical",
- "description": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0-10.0)"
}
]
}
@@ -18644,7 +18644,7 @@
"key": "DT_COORD_PUBLISH",
"version": "1.0.0",
"name": "Coordinator Publish Decision Table",
- "description": "This decision table is used to determine the priority of a coordinator publish.",
+ "definition": "This decision table is used to determine the priority of a coordinator publish.",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:SINV:1.0.0": {
@@ -18652,23 +18652,23 @@
"key": "SINV",
"version": "1.0.0",
"name": "Supplier Involvement",
- "description": "What is the state of the supplier’s work on addressing the vulnerability?",
+ "definition": "What is the state of the supplier’s work on addressing the vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "FR",
"name": "Fix Ready",
- "description": "The supplier has provided a patch or fix."
+ "definition": "The supplier has provided a patch or fix."
},
{
"key": "C",
"name": "Cooperative",
- "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
},
{
"key": "UU",
"name": "Uncooperative/Unresponsive",
- "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
]
},
@@ -18677,23 +18677,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -18702,23 +18702,23 @@
"key": "PVA",
"version": "1.0.0",
"name": "Public Value Added",
- "description": "How much value would a publication from the coordinator benefit the broader community?",
+ "definition": "How much value would a publication from the coordinator benefit the broader community?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Limited",
- "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
{
"key": "A",
"name": "Ampliative",
- "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
},
{
"key": "P",
"name": "Precedence",
- "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
]
},
@@ -18727,18 +18727,18 @@
"key": "PUBLISH",
"version": "1.0.0",
"name": "Publish, Do Not Publish",
- "description": "The publish outcome group.",
+ "definition": "The publish outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Do Not Publish",
- "description": "Do Not Publish"
+ "definition": "Do Not Publish"
},
{
"key": "P",
"name": "Publish",
- "description": "Publish"
+ "definition": "Publish"
}
]
}
@@ -18922,7 +18922,7 @@
"key": "DT_COORD_TRIAGE",
"version": "1.0.0",
"name": "Coordinator Triage",
- "description": "Decision table for coordinator triage",
+ "definition": "Decision table for coordinator triage",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:RP:1.0.0": {
@@ -18930,18 +18930,18 @@
"key": "RP",
"version": "1.0.0",
"name": "Report Public",
- "description": "Is a viable report of the details of the vulnerability already publicly available?",
+ "definition": "Is a viable report of the details of the vulnerability already publicly available?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "Y",
"name": "Yes",
- "description": "A public report of the vulnerability exists."
+ "definition": "A public report of the vulnerability exists."
},
{
"key": "N",
"name": "No",
- "description": "No public report of the vulnerability exists."
+ "definition": "No public report of the vulnerability exists."
}
]
},
@@ -18950,18 +18950,18 @@
"key": "SCON",
"version": "1.0.0",
"name": "Supplier Contacted",
- "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "The supplier has not been contacted."
+ "definition": "The supplier has not been contacted."
},
{
"key": "Y",
"name": "Yes",
- "description": "The supplier has been contacted."
+ "definition": "The supplier has been contacted."
}
]
},
@@ -18970,18 +18970,18 @@
"key": "RC",
"version": "1.0.0",
"name": "Report Credibility",
- "description": "Is the report credible?",
+ "definition": "Is the report credible?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "NC",
"name": "Not Credible",
- "description": "The report is not credible."
+ "definition": "The report is not credible."
},
{
"key": "C",
"name": "Credible",
- "description": "The report is credible."
+ "definition": "The report is credible."
}
]
},
@@ -18990,18 +18990,18 @@
"key": "SC",
"version": "1.0.0",
"name": "Supplier Cardinality",
- "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "O",
"name": "One",
- "description": "There is only one supplier of the vulnerable component."
+ "definition": "There is only one supplier of the vulnerable component."
},
{
"key": "M",
"name": "Multiple",
- "description": "There are multiple suppliers of the vulnerable component."
+ "definition": "There are multiple suppliers of the vulnerable component."
}
]
},
@@ -19010,18 +19010,18 @@
"key": "SE",
"version": "1.0.0",
"name": "Supplier Engagement",
- "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
+ "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "A",
"name": "Active",
- "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
{
"key": "U",
"name": "Unresponsive",
- "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
]
},
@@ -19030,23 +19030,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
},
@@ -19055,18 +19055,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
},
@@ -19075,23 +19075,23 @@
"key": "COORDINATE",
"version": "1.0.1",
"name": "Decline, Track, Coordinate",
- "description": "The coordinate outcome group.",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
- "description": "Do not act on the report."
+ "definition": "Do not act on the report."
},
{
"key": "T",
"name": "Track",
- "description": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
{
"key": "C",
"name": "Coordinate",
- "description": "Take action on the report."
+ "definition": "Take action on the report."
}
]
}
@@ -21033,7 +21033,7 @@
"key": "DT_DP",
"version": "1.0.0",
"name": "Deployer Patch Application Priority",
- "description": "Decision table for evaluating deployer's patch application priority in SSVC",
+ "definition": "Decision table for evaluating deployer's patch application priority in SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:E:1.1.0": {
@@ -21041,23 +21041,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -21066,23 +21066,23 @@
"key": "EXP",
"version": "1.0.1",
"name": "System Exposure",
- "description": "The Accessible Attack Surface of the Affected System or Service",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
"key": "S",
"name": "Small",
- "description": "Local service or program; highly controlled network"
+ "definition": "Local service or program; highly controlled network"
},
{
"key": "C",
"name": "Controlled",
- "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
"key": "O",
"name": "Open",
- "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
},
@@ -21091,18 +21091,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -21111,28 +21111,28 @@
"key": "HI",
"version": "2.0.2",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
@@ -21141,28 +21141,28 @@
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "description": "The original SSVC outcome group.",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
]
}
@@ -21688,7 +21688,7 @@
"key": "DT_HI",
"version": "1.0.0",
"name": "Human Impact",
- "description": "Human Impact decision table for SSVC",
+ "definition": "Human Impact decision table for SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:SI:2.0.0": {
@@ -21696,28 +21696,28 @@
"key": "SI",
"version": "2.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
},
@@ -21726,28 +21726,28 @@
"key": "MI",
"version": "2.0.0",
"name": "Mission Impact",
- "description": "Impact on Mission Essential Functions of the Organization",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Degraded",
- "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
- "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
- "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
- "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
},
@@ -21756,28 +21756,28 @@
"key": "HI",
"version": "2.0.2",
"name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
@@ -21879,7 +21879,7 @@
"key": "DT_PSI",
"version": "1.0.0",
"name": "Public Safety Impact",
- "description": "Public Safety Impact Decision Table",
+ "definition": "Public Safety Impact Decision Table",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:SI:2.0.0": {
@@ -21887,28 +21887,28 @@
"key": "SI",
"version": "2.0.0",
"name": "Safety Impact",
- "description": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
{
"key": "C",
"name": "Catastrophic",
- "description": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
},
@@ -21917,18 +21917,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
}
@@ -21966,7 +21966,7 @@
"key": "DT_SP",
"version": "1.0.0",
"name": "Supplier Patch Development Priority",
- "description": "Decision table for evaluating supplier patch development priority in SSVC",
+ "definition": "Decision table for evaluating supplier patch development priority in SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:E:1.1.0": {
@@ -21974,23 +21974,23 @@
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
- "description": "The present state of exploitation of the vulnerability.",
+ "definition": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
- "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
- "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
},
@@ -21999,23 +21999,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
},
@@ -22024,18 +22024,18 @@
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
- "description": "The technical impact of the vulnerability.",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
- "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
- "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
},
@@ -22044,18 +22044,18 @@
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
- "description": "A coarse-grained representation of impact to public safety.",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
- "description": "Safety Impact:Negligible"
+ "definition": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
- "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
},
@@ -22064,28 +22064,28 @@
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "description": "The original SSVC outcome group.",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
- "description": "Defer"
+ "definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
- "description": "Scheduled"
+ "definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
- "description": "Out-of-Cycle"
+ "definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
- "description": "Immediate"
+ "definition": "Immediate"
}
]
}
@@ -22359,7 +22359,7 @@
"key": "DT_U",
"version": "1.0.0",
"name": "Utility",
- "description": "Utility decision table for SSVC",
+ "definition": "Utility decision table for SSVC",
"schemaVersion": "2.0.0",
"decision_points": {
"ssvc:A:2.0.0": {
@@ -22367,18 +22367,18 @@
"key": "A",
"version": "2.0.0",
"name": "Automatable",
- "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
- "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
},
{
"key": "Y",
"name": "Yes",
- "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
}
]
},
@@ -22387,18 +22387,18 @@
"key": "VD",
"version": "1.0.0",
"name": "Value Density",
- "description": "The concentration of value in the target",
+ "definition": "The concentration of value in the target",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Diffuse",
- "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
- "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
}
]
},
@@ -22407,23 +22407,23 @@
"key": "U",
"version": "1.0.1",
"name": "Utility",
- "description": "The Usefulness of the Exploit to the Adversary",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
- "description": "Automatable:No AND Value Density:Diffuse"
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
- "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
- "description": "Automatable:Yes AND Value Density:Concentrated"
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
}
diff --git a/data/schema/v2/Decision_Point-2-0-0.schema.json b/data/schema/v2/Decision_Point-2-0-0.schema.json
index c5bd948a..63e87423 100644
--- a/data/schema/v2/Decision_Point-2-0-0.schema.json
+++ b/data/schema/v2/Decision_Point-2-0-0.schema.json
@@ -28,15 +28,15 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
}
},
"required": [
"key",
"name",
- "description"
+ "definition"
],
"type": "object"
}
@@ -89,8 +89,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -110,7 +110,7 @@
"namespace",
"key",
"name",
- "description",
+ "definition",
"schemaVersion",
"values"
]
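Review bot: The required key changes from `description` to `definition` while the schema keeps its `2-0-0` file name and the regenerated documents earlier in this diff still carry `"schemaVersion": "2.0.0"`, so a validator cannot tell a pre-rename document from a post-rename one, and every existing 2.0.0 document now fails with a missing `definition`. If the break is intended, bump the schema version and the `schemaVersion` value the tooling emits; if a transition period is wanted, keep `definition` out of `required` and add `"anyOf": [{"required": ["definition"]}, {"required": ["description"]}]` on the object so either spelling validates for one version. Either way the rename is a breaking change for downstream consumers and deserves an explicit changelog entry, which I do not see in this chunk.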
diff --git a/data/schema/v2/Decision_Point_Group-2-0-0.schema.json b/data/schema/v2/Decision_Point_Group-2-0-0.schema.json
index 38bb0c0b..345b5e33 100644
--- a/data/schema/v2/Decision_Point_Group-2-0-0.schema.json
+++ b/data/schema/v2/Decision_Point_Group-2-0-0.schema.json
@@ -54,8 +54,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -75,7 +75,7 @@
"namespace",
"key",
"name",
- "description",
+ "definition",
"schemaVersion",
"values"
],
@@ -106,15 +106,15 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
}
},
"required": [
"key",
"name",
- "description"
+ "definition"
],
"type": "object"
}
@@ -141,8 +141,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"decision_points": {
@@ -156,7 +156,7 @@
"required": [
"schemaVersion",
"name",
- "description",
+ "definition",
"decision_points"
]
}
diff --git a/data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json b/data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json
index 2bc4052d..3323fedc 100644
--- a/data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json
+++ b/data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json
@@ -14,8 +14,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"key": {
@@ -37,6 +37,7 @@
}
},
"required": [
+ "definition",
"key"
],
"type": "object"
@@ -114,8 +115,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"values": {
@@ -153,6 +154,7 @@
"namespace",
"key",
"version",
+ "definition",
"values"
],
"type": "object"
diff --git a/data/schema/v2/Decision_Table-2-0-0.schema.json b/data/schema/v2/Decision_Table-2-0-0.schema.json
index 95870b27..5c8a0bdb 100644
--- a/data/schema/v2/Decision_Table-2-0-0.schema.json
+++ b/data/schema/v2/Decision_Table-2-0-0.schema.json
@@ -54,8 +54,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -75,7 +75,7 @@
"namespace",
"key",
"name",
- "description",
+ "definition",
"schemaVersion",
"values"
],
@@ -106,15 +106,15 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
}
},
"required": [
"key",
"name",
- "description"
+ "definition"
],
"type": "object"
}
@@ -167,8 +167,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -207,7 +207,7 @@
"namespace",
"key",
"name",
- "description",
+ "definition",
"schemaVersion",
"decision_points",
"outcome"
diff --git a/data/schema/v2/Ssvc_Object_Registry-2-0-0.schema.json b/data/schema/v2/Ssvc_Object_Registry-2-0-0.schema.json
index 0b00cf09..24bdfaef 100644
--- a/data/schema/v2/Ssvc_Object_Registry-2-0-0.schema.json
+++ b/data/schema/v2/Ssvc_Object_Registry-2-0-0.schema.json
@@ -53,8 +53,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -74,7 +74,7 @@
"namespace",
"key",
"name",
- "description",
+ "definition",
"schemaVersion",
"values"
],
@@ -105,15 +105,15 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
}
},
"required": [
"key",
"name",
- "description"
+ "definition"
],
"type": "object"
},
@@ -168,8 +168,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -208,7 +208,7 @@
"namespace",
"key",
"name",
- "description",
+ "definition",
"schemaVersion",
"decision_points",
"outcome"
@@ -347,8 +347,8 @@
"title": "Name",
"type": "string"
},
- "description": {
- "title": "Description",
+ "definition": {
+ "title": "Definition",
"type": "string"
},
"schemaVersion": {
@@ -368,7 +368,7 @@
},
"required": [
"name",
- "description",
+ "definition",
"schemaVersion"
]
}
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 111d8937..8f043fac 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -32,8 +32,6 @@ services:
image: docs:latest
depends_on:
- dependencies
- volumes:
- - ..:/app
ports:
- "8000:8000"
@@ -45,7 +43,5 @@ services:
image: registry_api:latest
depends_on:
- dependencies
- volumes:
- - ..:/app
ports:
- "8001:8000"
\ No newline at end of file
diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py
index ae82e0fb..07e1f3c1 100644
--- a/src/ssvc/_mixins.py
+++ b/src/ssvc/_mixins.py
@@ -201,7 +201,7 @@ class _Base(BaseModel):
"""
name: str
- description: str
+ definition: str
class _KeyedBaseModel(_Base, _Keyed, BaseModel):
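Review bot: Renaming the `_Base` field from `description` to `definition` means any previously serialized object that still carries `description` can no longer be loaded, and nothing in the hunk versions or bridges that change. Since the project is on pydantic v2 (`model_dump_json` appears elsewhere in this diff), the old key can be accepted for a transition period with `definition: str = Field(validation_alias=AliasChoices("definition", "description"))` (importing `Field` and `AliasChoices` from pydantic), while serialization keeps emitting `definition`. The class docstring closes just above the field and is outside the hunk; it likely still documents the attribute under its old name and should be checked. `_Base` starts outside the hunk.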
diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py
index f5ee3931..26429be6 100644
--- a/src/ssvc/decision_points/base.py
+++ b/src/ssvc/decision_points/base.py
@@ -157,27 +157,7 @@ def value_summaries(self) -> list[str]:
def main():
- opt_none = DecisionPointValue(
- name="None", key="N", description="No exploit available"
- )
- opt_poc = DecisionPointValue(
- name="PoC", key="P", description="Proof of concept exploit available"
- )
- opt_active = DecisionPointValue(
- name="Active", key="A", description="Active exploitation observed"
- )
- opts = [opt_none, opt_poc, opt_active]
-
- dp = DecisionPoint(
- _comment="This is an optional comment that will be included in the object.",
- values=opts,
- name="Exploitation",
- description="Is there an exploit available?",
- key="E",
- version="1.0.0",
- )
-
- print(dp.model_dump_json(indent=2))
+ print("Please use doctools.py for schema generation and unit tests for verification")
if __name__ == "__main__":
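Review bot: `main()` is reduced to a stub that only prints a pointer message, yet the `if __name__ == "__main__":` guard that calls it is kept, so running the module still looks like it does something while producing no output artefact and exiting successfully. Either remove `main` and the guard together, or make the stub honest to scripted callers by writing the message to stderr and exiting non-zero, e.g. `print("Please use doctools.py for schema generation and unit tests for verification", file=sys.stderr)` followed by `sys.exit(1)` (with `sys` imported). The guard's body continues outside the hunk.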
diff --git a/src/ssvc/decision_points/cisa/in_kev.py b/src/ssvc/decision_points/cisa/in_kev.py
index 8d6b366e..6051b9f8 100644
--- a/src/ssvc/decision_points/cisa/in_kev.py
+++ b/src/ssvc/decision_points/cisa/in_kev.py
@@ -28,18 +28,18 @@
YES = DecisionPointValue(
name="Yes",
key="Y",
- description="Vulnerability is listed in KEV.",
+ definition="Vulnerability is listed in KEV.",
)
NO = DecisionPointValue(
name="No",
key="N",
- description="Vulnerability is not listed in KEV.",
+ definition="Vulnerability is not listed in KEV.",
)
IN_KEV_1 = CisaDecisionPoint(
name="In KEV",
- description="Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
+ definition="Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
key="KEV",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/cisa/mission_prevalence.py b/src/ssvc/decision_points/cisa/mission_prevalence.py
index 9e209c9e..24bb5474 100644
--- a/src/ssvc/decision_points/cisa/mission_prevalence.py
+++ b/src/ssvc/decision_points/cisa/mission_prevalence.py
@@ -31,26 +31,26 @@
MINIMAL = DecisionPointValue(
name="Minimal",
key="M",
- description="Neither Support nor Essential apply. "
+ definition="Neither Support nor Essential apply. "
"The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions.",
)
SUPPORT = DecisionPointValue(
name="Support",
key="S",
- description="The vulnerable component only supports MEFs for two or more entities.",
+ definition="The vulnerable component only supports MEFs for two or more entities.",
)
ESSENTIAL = DecisionPointValue(
name="Essential",
key="E",
- description="The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure.",
+ definition="The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure.",
)
MISSION_PREVALENCE = CisaDecisionPoint(
name="Mission Prevalence",
- description="Prevalence of the mission essential functions",
+ definition="Prevalence of the mission essential functions",
key="MP",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/_not_defined.py b/src/ssvc/decision_points/cvss/_not_defined.py
index 479c575b..c4031a1c 100644
--- a/src/ssvc/decision_points/cvss/_not_defined.py
+++ b/src/ssvc/decision_points/cvss/_not_defined.py
@@ -27,11 +27,11 @@
NOT_DEFINED_ND = DecisionPointValue(
name="Not Defined",
key="ND",
- description="This metric value is not defined. See CVSS documentation for details.",
+ definition="This metric value is not defined. See CVSS documentation for details.",
)
NOT_DEFINED_X = DecisionPointValue(
name="Not Defined",
key="X",
- description="This metric value is not defined. See CVSS documentation for details.",
+ definition="This metric value is not defined. See CVSS documentation for details.",
)
diff --git a/src/ssvc/decision_points/cvss/attack_complexity.py b/src/ssvc/decision_points/cvss/attack_complexity.py
index 9f268644..be80091a 100644
--- a/src/ssvc/decision_points/cvss/attack_complexity.py
+++ b/src/ssvc/decision_points/cvss/attack_complexity.py
@@ -28,34 +28,34 @@
_HIGH_3 = DecisionPointValue(
name="High",
key="H",
- description="A successful attack depends on conditions beyond the attacker's control.",
+ definition="A successful attack depends on conditions beyond the attacker's control.",
)
_LOW_3 = DecisionPointValue(
name="Low",
key="L",
- description="Specialized access conditions or extenuating circumstances do not exist. An attacker can expect "
+ definition="Specialized access conditions or extenuating circumstances do not exist. An attacker can expect "
"repeatable success against the vulnerable component.",
)
_HIGH_2 = DecisionPointValue(
- name="High", key="H", description="Specialized access conditions exist."
+ name="High", key="H", definition="Specialized access conditions exist."
)
_MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="The access conditions are somewhat specialized.",
+ definition="The access conditions are somewhat specialized.",
)
_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="Specialized access conditions or extenuating circumstances do not exist.",
+ definition="Specialized access conditions or extenuating circumstances do not exist.",
)
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="Specialized access conditions exist; for example: the system is exploitable during specific windows "
+ definition="Specialized access conditions exist; for example: the system is exploitable during specific windows "
"of time (a race condition), the system is exploitable under specific circumstances (nondefault "
"configurations), or the system is exploitable with victim interaction (vulnerability exploitable "
"only if user opens e-mail)",
@@ -63,12 +63,12 @@
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Specialized access conditions or extenuating circumstances do not exist; the system is always "
+ definition="Specialized access conditions or extenuating circumstances do not exist; the system is always "
"exploitable.",
)
ACCESS_COMPLEXITY_1 = CvssDecisionPoint(
name="Access Complexity",
- description="This metric measures the complexity of the attack required to exploit the vulnerability once an "
+ definition="This metric measures the complexity of the attack required to exploit the vulnerability once an "
"attacker has gained access to the target system.",
key="AC",
version="1.0.0",
@@ -80,7 +80,7 @@
ACCESS_COMPLEXITY_2 = CvssDecisionPoint(
name="Access Complexity",
- description="This metric measures the complexity of the attack required to exploit the vulnerability once an "
+ definition="This metric measures the complexity of the attack required to exploit the vulnerability once an "
"attacker has gained access to the target system.",
key="AC",
version="2.0.0",
@@ -93,7 +93,7 @@
ATTACK_COMPLEXITY_3 = CvssDecisionPoint(
name="Attack Complexity",
- description="This metric describes the conditions beyond the attacker's control that must exist in order to "
+ definition="This metric describes the conditions beyond the attacker's control that must exist in order to "
"exploit the vulnerability.",
key="AC",
version="3.0.0",
@@ -109,7 +109,7 @@
LOW_4 = DecisionPointValue(
name="Low",
key="L",
- description="The attacker must take no measurable action to exploit the vulnerability. The attack requires no "
+ definition="The attacker must take no measurable action to exploit the vulnerability. The attack requires no "
"target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable "
"success against the vulnerable system. ",
)
@@ -117,7 +117,7 @@
HIGH_4 = DecisionPointValue(
name="High",
key="H",
- description="The successful attack depends on the evasion or circumvention of security-enhancing "
+ definition="The successful attack depends on the evasion or circumvention of security-enhancing "
"techniques in place that would otherwise hinder the attack. These include: Evasion of exploit "
"mitigation techniques. The attacker must have additional methods available to bypass security "
"measures in place.",
@@ -125,7 +125,7 @@
ATTACK_COMPLEXITY_3_0_1 = CvssDecisionPoint(
name="Attack Complexity",
- description="This metric captures measurable actions that must be taken by the attacker to actively evade or "
+ definition="This metric captures measurable actions that must be taken by the attacker to actively evade or "
"circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
key="AC",
version="3.0.1",
diff --git a/src/ssvc/decision_points/cvss/attack_requirements.py b/src/ssvc/decision_points/cvss/attack_requirements.py
index e85b9e4f..d68e9f9b 100644
--- a/src/ssvc/decision_points/cvss/attack_requirements.py
+++ b/src/ssvc/decision_points/cvss/attack_requirements.py
@@ -28,7 +28,7 @@
_AT_NONE = DecisionPointValue(
name="None",
key="N",
- description="The successful attack does not depend on the deployment and execution conditions of the vulnerable "
+ definition="The successful attack does not depend on the deployment and execution conditions of the vulnerable "
"system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or "
"most instances of the vulnerability.",
)
@@ -37,7 +37,7 @@
_PRESENT = DecisionPointValue(
name="Present",
key="P",
- description="The successful attack depends on the presence of specific deployment and execution conditions of "
+ definition="The successful attack depends on the presence of specific deployment and execution conditions of "
"the vulnerable system that enable the attack.",
)
@@ -45,7 +45,7 @@
name="Attack Requirements",
key="AT",
version="1.0.0",
- description="This metric captures the prerequisite deployment and execution conditions or variables of the "
+ definition="This metric captures the prerequisite deployment and execution conditions or variables of the "
"vulnerable system that enable the attack.",
values=(
_PRESENT,
diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py
index 9bdb1e34..01c98107 100644
--- a/src/ssvc/decision_points/cvss/attack_vector.py
+++ b/src/ssvc/decision_points/cvss/attack_vector.py
@@ -28,19 +28,19 @@
_REMOTE = DecisionPointValue(
name="Remote",
key="R",
- description="The vulnerability is exploitable remotely.",
+ definition="The vulnerability is exploitable remotely.",
)
_LOCAL = DecisionPointValue(
name="Local",
key="L",
- description="The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated "
+ definition="The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated "
"login to the target system)",
)
ACCESS_VECTOR_1 = CvssDecisionPoint(
name="Access Vector",
- description="This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ definition="This metric measures whether or not the vulnerability is exploitable locally or remotely.",
key="AV",
version="1.0.0",
values=(
@@ -55,7 +55,7 @@
_NETWORK = DecisionPointValue(
name="Network",
key="N",
- description="A vulnerability exploitable with network access means the vulnerable software is bound to the "
+ definition="A vulnerability exploitable with network access means the vulnerable software is bound to the "
"network stack and the attacker does not require local network access or local access. Such a "
"vulnerability is often termed 'remotely exploitable'.",
)
@@ -63,21 +63,21 @@
_ADJACENT = DecisionPointValue(
name="Adjacent Network",
key="A",
- description="A vulnerability exploitable with adjacent network access requires the attacker to have access to "
+ definition="A vulnerability exploitable with adjacent network access requires the attacker to have access to "
"either the broadcast or collision domain of the vulnerable software.",
)
_LOCAL_2 = DecisionPointValue(
name="Local",
key="L",
- description="A vulnerability exploitable with only local access requires the attacker to have either physical "
+ definition="A vulnerability exploitable with only local access requires the attacker to have either physical "
"access to the vulnerable system or a local (shell) account.",
)
ACCESS_VECTOR_2 = CvssDecisionPoint(
name="Access Vector",
- description="This metric reflects the context by which vulnerability exploitation is possible.",
+ definition="This metric reflects the context by which vulnerability exploitation is possible.",
key="AV",
version="2.0.0",
values=(
@@ -94,7 +94,7 @@
_NETWORK_2 = DecisionPointValue(
name="Network",
key="N",
- description="A vulnerability exploitable with network access means the vulnerable component is bound to the "
+ definition="A vulnerability exploitable with network access means the vulnerable component is bound to the "
"network stack and the attacker's path is through OSI layer 3 (the network layer). Such a "
"vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being "
"exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).",
@@ -103,7 +103,7 @@
_ADJACENT_2 = DecisionPointValue(
name="Adjacent",
key="A",
- description="A vulnerability exploitable with adjacent network access means the vulnerable component is bound to "
+ definition="A vulnerability exploitable with adjacent network access means the vulnerable component is bound to "
"the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, "
"IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer "
"3 boundary (e.g. a router).",
@@ -112,7 +112,7 @@
_LOCAL_3 = DecisionPointValue(
name="Local",
key="L",
- description="A vulnerability exploitable with Local access means that the vulnerable component is not bound to "
+ definition="A vulnerability exploitable with Local access means that the vulnerable component is not bound to "
"the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, "
"the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely "
"on User Interaction to execute a malicious file.",
@@ -121,14 +121,14 @@
_PHYSICAL_2 = DecisionPointValue(
name="Physical",
key="P",
- description="A vulnerability exploitable with Physical access requires the attacker to physically touch or "
+ definition="A vulnerability exploitable with Physical access requires the attacker to physically touch or "
"manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) "
"or persistent.",
)
ATTACK_VECTOR_3 = CvssDecisionPoint(
name="Attack Vector",
- description="This metric reflects the context by which vulnerability exploitation is possible. ",
+ definition="This metric reflects the context by which vulnerability exploitation is possible. ",
key="AV",
version="3.0.0",
values=(
@@ -147,7 +147,7 @@
_NETWORK_3 = DecisionPointValue(
name="Network",
key="N",
- description="The vulnerable system is bound to the network stack and the set of possible attackers extends beyond "
+ definition="The vulnerable system is bound to the network stack and the set of possible attackers extends beyond "
"the other options listed below, up to and including the entire Internet. Such a vulnerability is "
"often termed “remotely exploitable” and can be thought of as an attack being exploitable at the "
"protocol level one or more network hops away (e.g., across one or more routers).",
@@ -156,7 +156,7 @@
_ADJACENT_3 = DecisionPointValue(
name="Adjacent",
key="A",
- description="The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level "
+ definition="The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level "
"to a logically adjacent topology. This can mean an attack must be launched from the same shared "
"proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from "
"within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an "
@@ -166,7 +166,7 @@
_LOCAL_4 = DecisionPointValue(
name="Local",
key="L",
- description="The vulnerable system is not bound to the network stack and the attacker’s path is via "
+ definition="The vulnerable system is not bound to the network stack and the attacker’s path is via "
"read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the "
"target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the "
"attacker relies on User Interaction by another person to perform actions required to exploit the "
@@ -177,14 +177,14 @@
_PHYSICAL_3 = DecisionPointValue(
name="Physical",
key="P",
- description="The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical "
+ definition="The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical "
"interaction may be brief (e.g., evil maid attack1) or persistent.",
)
# updates descriptions of NETWORK, ADJACENT, LOCAL, and PHYSICAL values for CVSS Attack Vector
ATTACK_VECTOR_3_0_1 = CvssDecisionPoint(
name="Attack Vector",
- description="This metric reflects the context by which vulnerability exploitation is possible. This metric value "
+ definition="This metric reflects the context by which vulnerability exploitation is possible. This metric value "
"(and consequently the resulting severity) will be larger the more remote (logically, and physically) "
"an attacker can be in order to exploit the vulnerable system. The assumption is that the number of "
"potential attackers for a vulnerability that could be exploited from across a network is larger than "
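Review bot: The context comment `# updates descriptions of NETWORK, ADJACENT, LOCAL, and PHYSICAL values for CVSS Attack Vector` above `ATTACK_VECTOR_3_0_1` still uses the old field name after every `description=` keyword in this file became `definition=`; for consistent vocabulary change it to `# updates definitions of NETWORK, ADJACENT, LOCAL, and PHYSICAL values for CVSS Attack Vector`. The `ATTACK_VECTOR_3_0_1` call continues outside the hunk.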
diff --git a/src/ssvc/decision_points/cvss/authentication.py b/src/ssvc/decision_points/cvss/authentication.py
index 5f8eae2d..e52c28f8 100644
--- a/src/ssvc/decision_points/cvss/authentication.py
+++ b/src/ssvc/decision_points/cvss/authentication.py
@@ -29,36 +29,36 @@
_AUTH_NONE = DecisionPointValue(
name="None",
key="N",
- description="Authentication is not required to exploit the vulnerability.",
+ definition="Authentication is not required to exploit the vulnerability.",
)
_SINGLE = DecisionPointValue(
name="Single",
key="S",
- description="The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).",
+ definition="The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).",
)
_MULTIPLE = DecisionPointValue(
name="Multiple",
key="M",
- description="Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time.",
+ definition="Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time.",
)
_REQUIRED = DecisionPointValue(
name="Required",
key="R",
- description="Authentication is required to access and exploit the vulnerability.",
+ definition="Authentication is required to access and exploit the vulnerability.",
)
_NOT_REQUIRED = DecisionPointValue(
name="Not Required",
key="N",
- description="Authentication is not required to access or exploit the vulnerability.",
+ definition="Authentication is not required to access or exploit the vulnerability.",
)
AUTHENTICATION_1 = CvssDecisionPoint(
name="Authentication",
- description="This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
+ definition="This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
key="Au",
version="1.0.0",
values=(
@@ -72,7 +72,7 @@
AUTHENTICATION_2 = CvssDecisionPoint(
name="Authentication",
- description="This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
+ definition="This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
key="Au",
version="2.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/availability_impact.py b/src/ssvc/decision_points/cvss/availability_impact.py
index b7c5ed33..3b340c08 100644
--- a/src/ssvc/decision_points/cvss/availability_impact.py
+++ b/src/ssvc/decision_points/cvss/availability_impact.py
@@ -29,7 +29,7 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="There is total loss of availability, resulting in the attacker being able to fully deny access to "
+ definition="There is total loss of availability, resulting in the attacker being able to fully deny access to "
"resources in the impacted component; this loss is either sustained (while the attacker continues to "
"deliver the attack) or persistent (the condition persists even after the attack has completed).",
)
@@ -37,36 +37,36 @@
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="There is reduced performance or interruptions in resource availability.",
+ definition="There is reduced performance or interruptions in resource availability.",
)
_NONE_2 = DecisionPointValue(
name="None",
key="N",
- description="There is no impact to the availability of the system.",
+ definition="There is no impact to the availability of the system.",
)
_COMPLETE = DecisionPointValue(
name="Complete",
key="C",
- description="Total shutdown of the affected resource. The attacker can render the resource completely unavailable.",
+ definition="Total shutdown of the affected resource. The attacker can render the resource completely unavailable.",
)
_PARTIAL = DecisionPointValue(
name="Partial",
key="P",
- description="Considerable lag in or interruptions in resource availability. For example, a network-based flood "
+ definition="Considerable lag in or interruptions in resource availability. For example, a network-based flood "
"attack that reduces available bandwidth to a web server farm to such an extent that only a small "
"number of connections successfully complete.",
)
_NONE_1 = DecisionPointValue(
- name="None", key="N", description="No impact on availability."
+ name="None", key="N", definition="No impact on availability."
)
AVAILABILITY_IMPACT_1 = CvssDecisionPoint(
name="Availability Impact",
- description="This metric measures the impact on availability a successful exploit of the vulnerability will have "
+ definition="This metric measures the impact on availability a successful exploit of the vulnerability will have "
"on the target system.",
key="A",
version="1.0.0",
@@ -82,7 +82,7 @@
AVAILABILITY_IMPACT_2 = CvssDecisionPoint(
name="Availability Impact",
- description="This metric measures the impact to availability of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to availability of a successfully exploited vulnerability.",
key="A",
version="2.0.0",
values=(
@@ -98,7 +98,7 @@
_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="There is total loss of availability, resulting in the attacker being able to fully deny access to "
+ definition="There is total loss of availability, resulting in the attacker being able to fully deny access to "
"resources in the impacted component; this loss is either sustained (while the attacker continues to "
"deliver the attack) or persistent (the condition persists even after the attack has completed).",
)
@@ -106,7 +106,7 @@
_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="There is reduced performance or interruptions in resource availability. Even if repeated "
+ definition="There is reduced performance or interruptions in resource availability. Even if repeated "
"exploitation of the vulnerability is possible, the attacker does not have the ability to completely "
"deny service to legitimate users. The resources in the Vulnerable System are either partially "
"available all of the time, or fully available only some of the time, but overall there is no direct, "
@@ -116,13 +116,13 @@
_NONE_3 = DecisionPointValue(
name="None",
key="N",
- description="There is no impact to availability within the Vulnerable System.",
+ definition="There is no impact to availability within the Vulnerable System.",
)
AVAILABILITY_IMPACT_3_0_0 = CvssDecisionPoint(
name="Availability Impact to the Vulnerable System",
- description="This metric measures the impact to the availability of the impacted system resulting from a "
+ definition="This metric measures the impact to the availability of the impacted system resulting from a "
"successfully exploited vulnerability.",
key="VA",
version="3.0.0",
diff --git a/src/ssvc/decision_points/cvss/availability_requirement.py b/src/ssvc/decision_points/cvss/availability_requirement.py
index 6b282cb8..7e0e1553 100644
--- a/src/ssvc/decision_points/cvss/availability_requirement.py
+++ b/src/ssvc/decision_points/cvss/availability_requirement.py
@@ -35,28 +35,28 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="Loss of availability is likely to have a catastrophic adverse effect on the organization or "
+ definition="Loss of availability is likely to have a catastrophic adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="Loss of availability is likely to have a serious adverse effect on the organization or individuals "
+ definition="Loss of availability is likely to have a serious adverse effect on the organization or individuals "
"associated with the organization (e.g., employees, customers).",
)
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Loss of availability is likely to have only a limited adverse effect on the organization or "
+ definition="Loss of availability is likely to have only a limited adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
AVAILABILITY_REQUIREMENT_1 = CvssDecisionPoint(
name="Availability Requirement",
- description="This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to the availability of a successfully exploited vulnerability.",
key="AR",
version="1.0.0",
values=(
@@ -72,7 +72,7 @@
AVAILABILITY_REQUIREMENT_1_1 = CvssDecisionPoint(
name="Availability Requirement",
- description="This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to the availability of a successfully exploited vulnerability.",
key="AR",
version="1.1.0",
values=(
@@ -87,27 +87,27 @@
_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="Loss of availability is likely to have a catastrophic adverse effect on the organization or "
+ definition="Loss of availability is likely to have a catastrophic adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_MEDIUM_2 = DecisionPointValue(
name="Medium",
key="M",
- description="Loss of availability is likely to have a serious adverse effect on the organization or "
+ definition="Loss of availability is likely to have a serious adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="Loss of availability is likely to have only a limited adverse effect on the organization or "
+ definition="Loss of availability is likely to have only a limited adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
AVAILABILITY_REQUIREMENT_1_1_1 = CvssDecisionPoint(
name="Availability Requirement",
- description="This metric enables the consumer to customize the assessment depending on the importance of the "
+ definition="This metric enables the consumer to customize the assessment depending on the importance of the "
"affected IT asset to the analyst’s organization, measured in terms of Availability.",
key="AR",
version="1.1.1",
diff --git a/src/ssvc/decision_points/cvss/collateral_damage_potential.py b/src/ssvc/decision_points/cvss/collateral_damage_potential.py
index 3f4eb34c..7e11cbf7 100644
--- a/src/ssvc/decision_points/cvss/collateral_damage_potential.py
+++ b/src/ssvc/decision_points/cvss/collateral_damage_potential.py
@@ -31,49 +31,49 @@
_MEDIUM_HIGH = DecisionPointValue(
name="Medium-High",
key="MH",
- description="A successful exploit of this vulnerability may result in significant physical or property damage or loss.",
+ definition="A successful exploit of this vulnerability may result in significant physical or property damage or loss.",
)
_LOW_MEDIUM = DecisionPointValue(
name="Low-Medium",
key="LM",
- description="A successful exploit of this vulnerability may result in moderate physical or property damage or loss.",
+ definition="A successful exploit of this vulnerability may result in moderate physical or property damage or loss.",
)
_CDP_NONE_2 = DecisionPointValue(
name="None",
key="N",
- description="There is no potential for loss of life, physical assets, productivity or revenue.",
+ definition="There is no potential for loss of life, physical assets, productivity or revenue.",
)
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area.",
+ definition="A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area.",
)
_MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="A successful exploit of this vulnerability may result in significant physical or property damage or loss.",
+ definition="A successful exploit of this vulnerability may result in significant physical or property damage or loss.",
)
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed.",
+ definition="A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed.",
)
_CDP_NONE = DecisionPointValue(
name="None",
key="N",
- description="There is no potential for physical or property damage.",
+ definition="There is no potential for physical or property damage.",
)
COLLATERAL_DAMAGE_POTENTIAL_1 = CvssDecisionPoint(
name="Collateral Damage Potential",
- description="This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
+ definition="This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
key="CDP",
version="1.0.0",
values=(
@@ -89,7 +89,7 @@
COLLATERAL_DAMAGE_POTENTIAL_2 = CvssDecisionPoint(
name="Collateral Damage Potential",
- description="This metric measures the potential for loss of life or physical assets.",
+ definition="This metric measures the potential for loss of life or physical assets.",
key="CDP",
version="2.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/confidentiality_impact.py b/src/ssvc/decision_points/cvss/confidentiality_impact.py
index c59512be..d7fd2f7f 100644
--- a/src/ssvc/decision_points/cvss/confidentiality_impact.py
+++ b/src/ssvc/decision_points/cvss/confidentiality_impact.py
@@ -28,7 +28,7 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="There is total loss of confidentiality, resulting in all resources within the impacted component "
+ definition="There is total loss of confidentiality, resulting in all resources within the impacted component "
"being divulged to the attacker. Alternatively, access to only some restricted information is "
"obtained, but the disclosed information presents a direct, serious impact. For example, an attacker "
"steals the administrator's password, or private encryption keys of a web server.",
@@ -37,7 +37,7 @@
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="There is some loss of confidentiality. Access to some restricted information is obtained, "
+ definition="There is some loss of confidentiality. Access to some restricted information is obtained, "
"but the attacker does not have control over what information is obtained, or the amount or kind of "
"loss is constrained. The information disclosure does not cause a direct, serious loss to the "
"impacted component.",
@@ -46,13 +46,13 @@
_CI_NONE_2 = DecisionPointValue(
name="None",
key="N",
- description="There is no loss of confidentiality within the impacted component.",
+ definition="There is no loss of confidentiality within the impacted component.",
)
_COMPLETE = DecisionPointValue(
name="Complete",
key="C",
- description="A total compromise of critical system information. A complete loss of system protection resulting in "
+ definition="A total compromise of critical system information. A complete loss of system protection resulting in "
"all critical system files being revealed. The attacker has sovereign control to read all of the "
"system's data (memory, files, etc).",
)
@@ -60,7 +60,7 @@
_PARTIAL = DecisionPointValue(
name="Partial",
key="P",
- description="There is considerable informational disclosure. Access to critical system files is possible. There "
+ definition="There is considerable informational disclosure. Access to critical system files is possible. There "
"is a loss of important information, but the attacker doesn't have control over what is obtainable or "
"the scope of the loss is constrained.",
)
@@ -68,12 +68,12 @@
_CI_NONE = DecisionPointValue(
name="None",
key="N",
- description="No impact on confidentiality.",
+ definition="No impact on confidentiality.",
)
CONFIDENTIALITY_IMPACT_1 = CvssDecisionPoint(
name="Confidentiality Impact",
- description="This metric measures the impact on confidentiality of a successful exploit of the vulnerability on "
+ definition="This metric measures the impact on confidentiality of a successful exploit of the vulnerability on "
"the target system.",
key="C",
version="1.0.0",
@@ -89,7 +89,7 @@
CONFIDENTIALITY_IMPACT_2 = CvssDecisionPoint(
name="Confidentiality Impact",
- description="This metric measures the impact to the confidentiality of the information resources managed by a "
+ definition="This metric measures the impact to the confidentiality of the information resources managed by a "
"software component due to a successfully exploited vulnerability.",
key="C",
version="2.0.0",
@@ -107,7 +107,7 @@
_HIGH_1 = DecisionPointValue(
name="High",
key="H",
- description="There is total loss of confidentiality, resulting in all resources within the impacted component "
+ definition="There is total loss of confidentiality, resulting in all resources within the impacted component "
"being divulged to the attacker. Alternatively, access to only some restricted information is "
"obtained, but the disclosed information presents a direct, serious impact. For example, an attacker "
"steals the administrator's password, or private encryption keys of a web server.",
@@ -116,7 +116,7 @@
_LOW_1 = DecisionPointValue(
name="Low",
key="L",
- description="There is some loss of confidentiality. Access to some restricted information is obtained, "
+ definition="There is some loss of confidentiality. Access to some restricted information is obtained, "
"but the attacker does not have control over what information is obtained, or the amount or kind of "
"loss is constrained. The information disclosure does not cause a direct, serious loss to the "
"impacted component.",
@@ -125,12 +125,12 @@
_CI_NONE_3 = DecisionPointValue(
name="None",
key="N",
- description="There is no loss of confidentiality within the impacted component.",
+ definition="There is no loss of confidentiality within the impacted component.",
)
CONFIDENTIALITY_IMPACT_3_0_0 = CvssDecisionPoint(
name="Confidentiality Impact to the Vulnerable System",
- description="This metric measures the impact to the confidentiality of the information managed by the system due "
+ definition="This metric measures the impact to the confidentiality of the information managed by the system due "
"to a successfully exploited vulnerability. Confidentiality refers to limiting information access "
"and disclosure to only authorized users, as well as preventing access by, or disclosure to, "
"unauthorized ones.",
diff --git a/src/ssvc/decision_points/cvss/confidentiality_requirement.py b/src/ssvc/decision_points/cvss/confidentiality_requirement.py
index a86e2558..a5b84b96 100644
--- a/src/ssvc/decision_points/cvss/confidentiality_requirement.py
+++ b/src/ssvc/decision_points/cvss/confidentiality_requirement.py
@@ -34,27 +34,27 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or "
+ definition="Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="Loss of confidentiality is likely to have a serious adverse effect on the organization or "
+ definition="Loss of confidentiality is likely to have a serious adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Loss of confidentiality is likely to have only a limited adverse effect on the organization or "
+ definition="Loss of confidentiality is likely to have only a limited adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
CONFIDENTIALITY_REQUIREMENT_1 = CvssDecisionPoint(
name="Confidentiality Requirement",
- description="This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
key="CR",
version="1.0.0",
values=(
@@ -70,7 +70,7 @@
CONFIDENTIALITY_REQUIREMENT_1_1 = CvssDecisionPoint(
name="Confidentiality Requirement",
- description="This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
key="CR",
version="1.1.0",
values=(
@@ -85,27 +85,27 @@
_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or "
+ definition="Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_MEDIUM_2 = DecisionPointValue(
name="Medium",
key="M",
- description="Loss of confidentiality is likely to have a serious adverse effect on the organization or "
+ definition="Loss of confidentiality is likely to have a serious adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="Loss of confidentiality is likely to have only a limited adverse effect on the organization or "
+ definition="Loss of confidentiality is likely to have only a limited adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
CONFIDENTIALITY_REQUIREMENT_1_1_1 = CvssDecisionPoint(
name="Confidentiality Requirement",
- description="This metric enables the consumer to customize the assessment depending on the importance of the "
+ definition="This metric enables the consumer to customize the assessment depending on the importance of the "
"affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
key="CR",
version="1.1.1",
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_1.py b/src/ssvc/decision_points/cvss/equivalence_set_1.py
index 41a7de9e..91af8d97 100644
--- a/src/ssvc/decision_points/cvss/equivalence_set_1.py
+++ b/src/ssvc/decision_points/cvss/equivalence_set_1.py
@@ -28,19 +28,19 @@
TWO = DecisionPointValue(
name="Low",
key="L",
- description="2: AV:P or not(AV:N or PR:N or UI:N)",
+ definition="2: AV:P or not(AV:N or PR:N or UI:N)",
)
ONE = DecisionPointValue(
name="Medium",
key="M",
- description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P",
+ definition="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P",
)
ZERO = DecisionPointValue(
name="High",
key="H",
- description="0: AV:N and PR:N and UI:N",
+ definition="0: AV:N and PR:N and UI:N",
)
# EQ1 → AV/PR/UI with 3 levels specified in Table 24
@@ -51,7 +51,7 @@
EQ1 = CvssDecisionPoint(
name="Equivalence Set 1",
key="EQ1",
- description="AV/PR/UI with 3 levels specified in Table 24",
+ definition="AV/PR/UI with 3 levels specified in Table 24",
version="1.0.0",
values=(
TWO,
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_2.py b/src/ssvc/decision_points/cvss/equivalence_set_2.py
index 0e94a396..8772624d 100644
--- a/src/ssvc/decision_points/cvss/equivalence_set_2.py
+++ b/src/ssvc/decision_points/cvss/equivalence_set_2.py
@@ -32,18 +32,18 @@
ONE = DecisionPointValue(
name="Low",
key="L",
- description="1: not (AC:L and AT:N)",
+ definition="1: not (AC:L and AT:N)",
)
ZERO = DecisionPointValue(
name="High",
key="H",
- description="0: AC:L and AT:N",
+ definition="0: AC:L and AT:N",
)
EQ2 = CvssDecisionPoint(
name="Equivalence Set 2",
key="EQ2",
- description="AC/AT with 2 levels specified in Table 25",
+ definition="AC/AT with 2 levels specified in Table 25",
version="1.0.0",
values=(
ONE,
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_3.py b/src/ssvc/decision_points/cvss/equivalence_set_3.py
index 4b1f8492..5fbc4159 100644
--- a/src/ssvc/decision_points/cvss/equivalence_set_3.py
+++ b/src/ssvc/decision_points/cvss/equivalence_set_3.py
@@ -33,23 +33,23 @@
TWO = DecisionPointValue(
name="Low",
key="L",
- description="2: not (VC:H or VI:H or VA:H)",
+ definition="2: not (VC:H or VI:H or VA:H)",
)
ONE = DecisionPointValue(
name="Medium",
key="M",
- description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)",
+ definition="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)",
)
ZERO = DecisionPointValue(
name="High",
key="H",
- description="0: VC:H and VI:H",
+ definition="0: VC:H and VI:H",
)
EQ3 = CvssDecisionPoint(
name="Equivalence Set 3",
key="EQ3",
- description="VC/VI/VA with 3 levels specified in Table 26",
+ definition="VC/VI/VA with 3 levels specified in Table 26",
version="1.0.0",
values=(
TWO,
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_4.py b/src/ssvc/decision_points/cvss/equivalence_set_4.py
index f57ed0a1..d980a100 100644
--- a/src/ssvc/decision_points/cvss/equivalence_set_4.py
+++ b/src/ssvc/decision_points/cvss/equivalence_set_4.py
@@ -32,22 +32,22 @@
TWO = DecisionPointValue(
name="Low",
key="L",
- description="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)",
+ definition="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)",
)
ONE = DecisionPointValue(
name="Medium",
key="M",
- description="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)",
+ definition="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)",
)
ZERO = DecisionPointValue(
name="High",
key="H",
- description="0: MSI:S or MSA:S",
+ definition="0: MSI:S or MSA:S",
)
EQ4 = CvssDecisionPoint(
name="Equivalence Set 4",
key="EQ4",
- description="SC/SI/SA with 3 levels specified in Table 27",
+ definition="SC/SI/SA with 3 levels specified in Table 27",
version="1.0.0",
values=(
TWO,
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_5.py b/src/ssvc/decision_points/cvss/equivalence_set_5.py
index fff4ebc9..6aeab253 100644
--- a/src/ssvc/decision_points/cvss/equivalence_set_5.py
+++ b/src/ssvc/decision_points/cvss/equivalence_set_5.py
@@ -32,22 +32,22 @@
TWO = DecisionPointValue(
name="Low",
key="L",
- description="2: E:U",
+ definition="2: E:U",
)
ONE = DecisionPointValue(
name="Medium",
key="M",
- description="1: E:P",
+ definition="1: E:P",
)
ZERO = DecisionPointValue(
name="High",
key="H",
- description="0: E:A",
+ definition="0: E:A",
)
EQ5 = CvssDecisionPoint(
name="Equivalence Set 5",
key="EQ5",
- description="E with 3 levels specified in Table 28",
+ definition="E with 3 levels specified in Table 28",
version="1.0.0",
values=(
TWO,
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_6.py b/src/ssvc/decision_points/cvss/equivalence_set_6.py
index eecb8d69..07287f50 100644
--- a/src/ssvc/decision_points/cvss/equivalence_set_6.py
+++ b/src/ssvc/decision_points/cvss/equivalence_set_6.py
@@ -31,17 +31,17 @@
ONE = DecisionPointValue(
name="Low",
key="L",
- description="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)",
+ definition="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)",
)
ZERO = DecisionPointValue(
name="High",
key="H",
- description="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)",
+ definition="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)",
)
EQ6 = CvssDecisionPoint(
name="Equivalence Set 6",
key="EQ6",
- description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ definition="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
version="1.0.0",
values=(
ONE,
diff --git a/src/ssvc/decision_points/cvss/exploit_maturity.py b/src/ssvc/decision_points/cvss/exploit_maturity.py
index e19464fe..d98e8b0e 100644
--- a/src/ssvc/decision_points/cvss/exploit_maturity.py
+++ b/src/ssvc/decision_points/cvss/exploit_maturity.py
@@ -34,7 +34,7 @@
_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely "
+ definition="Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely "
"available. Exploit code works in every situation, or is actively being delivered via an autonomous "
"agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or "
"exploitation attempts. Exploit development has reached the level of reliable, widely-available, "
@@ -44,14 +44,14 @@
_FUNCTIONAL_2 = DecisionPointValue(
name="Functional",
key="F",
- description="Functional exploit code is available. The code works in most situations where the vulnerability "
+ definition="Functional exploit code is available. The code works in most situations where the vulnerability "
"exists.",
)
_PROOF_OF_CONCEPT_2 = DecisionPointValue(
name="Proof-of-Concept",
key="POC",
- description="Proof-of-concept exploit code is available, or an attack demonstration is not practical for most "
+ definition="Proof-of-concept exploit code is available, or an attack demonstration is not practical for most "
"systems. The code or technique is not functional in all situations and may require substantial "
"modification by a skilled attacker.",
)
@@ -59,13 +59,13 @@
_UNPROVEN_2 = DecisionPointValue(
name="Unproven",
key="U",
- description="No exploit code is available, or an exploit is theoretical.",
+ definition="No exploit code is available, or an exploit is theoretical.",
)
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is "
+ definition="Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is "
"required (manual trigger) and the details for the manual technique are widely available. The code "
"works in every situation where the vulnerability is exploitable and/or is actively being delivered "
"via a mobile autonomous agent (a worm or virus).",
@@ -74,14 +74,14 @@
_FUNCTIONAL = DecisionPointValue(
name="Functional",
key="F",
- description="Functional exploit code is available. The code works in most situations where the vulnerability is "
+ definition="Functional exploit code is available. The code works in most situations where the vulnerability is "
"exploitable.",
)
_PROOF_OF_CONCEPT = DecisionPointValue(
name="Proof of Concept",
key="P",
- description="Proof of concept exploit code or an attack demonstration that is not practically applicable to "
+ definition="Proof of concept exploit code or an attack demonstration that is not practically applicable to "
"deployed systems is available. The code or technique is not functional in all situations and may "
"require substantial hand tuning by a skilled attacker for use against deployed systems.",
)
@@ -89,12 +89,12 @@
_UNPROVEN = DecisionPointValue(
name="Unproven",
key="U",
- description="No exploit code is yet available or an exploit method is entirely theoretical.",
+ definition="No exploit code is yet available or an exploit method is entirely theoretical.",
)
EXPLOITABILITY_1 = CvssDecisionPoint(
name="Exploitability",
- description="This metric measures the current state of exploit technique or code availability and suggests a "
+ definition="This metric measures the current state of exploit technique or code availability and suggests a "
"likelihood of exploitation.",
key="E",
version="1.0.0",
@@ -111,7 +111,7 @@
EXPLOITABILITY_1_1 = CvssDecisionPoint(
name="Exploitability",
- description="This metric measures the current state of exploit technique or code availability and suggests a "
+ definition="This metric measures the current state of exploit technique or code availability and suggests a "
"likelihood of exploitation.",
key="E",
version="1.1.0",
@@ -130,7 +130,7 @@
EXPLOIT_CODE_MATURITY_1_2 = CvssDecisionPoint(
name="Exploit Code Maturity",
- description="measures the likelihood of the vulnerability being attacked, and is typically based on the current "
+ definition="measures the likelihood of the vulnerability being attacked, and is typically based on the current "
"state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
key="E",
version="1.2.0",
@@ -150,7 +150,7 @@
_ATTACKED = DecisionPointValue(
name="Attacked",
key="A",
- description="Based on available threat intelligence either of the following must apply: Attacks targeting "
+ definition="Based on available threat intelligence either of the following must apply: Attacks targeting "
"this vulnerability (attempted or successful) have been reported Solutions to simplify attempts "
"to exploit the vulnerability are publicly or privately available (such as exploit toolkits)",
)
@@ -158,7 +158,7 @@
_PROOF_OF_CONCEPT_3 = DecisionPointValue(
name="Proof-of-Concept",
key="P",
- description="Based on available threat intelligence each of the following must apply: Proof-of-concept exploit "
+ definition="Based on available threat intelligence each of the following must apply: Proof-of-concept exploit "
"code is publicly available No knowledge of reported attempts to exploit this vulnerability No "
"knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability "
"(i.e., the “Attacked” value does not apply)",
@@ -167,7 +167,7 @@
_UNREPORTED = DecisionPointValue(
name="Unreported",
key="U",
- description="Based on available threat intelligence each of the following must apply: No knowledge of publicly "
+ definition="Based on available threat intelligence each of the following must apply: No knowledge of publicly "
"available proof-of-concept exploit code No knowledge of reported attempts to exploit this "
"vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit "
"the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)",
@@ -176,7 +176,7 @@
EXPLOIT_MATURITY_2 = CvssDecisionPoint(
name="Exploit Maturity",
key="E",
- description="This metric measures the likelihood of the vulnerability being attacked, and is based on the current "
+ definition="This metric measures the likelihood of the vulnerability being attacked, and is based on the current "
"state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
version="2.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/helpers.py b/src/ssvc/decision_points/cvss/helpers.py
index 46cddec0..8ce75663 100644
--- a/src/ssvc/decision_points/cvss/helpers.py
+++ b/src/ssvc/decision_points/cvss/helpers.py
@@ -97,7 +97,7 @@ def _modify_4(dp: DecisionPoint):
for v in _dp_dict["values"]:
if v["key"] == "N":
v["name"] = "Negligible"
- v["description"] = v["description"].replace(
+ v["definition"] = v["definition"].replace(
" no ", " negligible "
)
# we need to bump the version for this change
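Review bot: The renamed line `v["definition"] = v["definition"].replace(" no ", " negligible ")` still edits the text by a bare substring match, so a "None" value whose definition does not contain " no " (for example one that starts with "No ") gets its name changed to "Negligible" while its definition is silently left as-is, and a value dict that still carries the old `description` key fails here with a bare KeyError. Consider computing the new text first and failing loudly when nothing changed: `new_def = v["definition"].replace(" no ", " negligible ")` then `if new_def == v["definition"]: raise ValueError(f"{dp.key}: 'None' definition lacks ' no '")` before assigning it. _modify_4 begins outside the hunk and the origin of _dp_dict is not visible here, so whether such inputs actually reach this loop is inferred rather than shown.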
@@ -112,7 +112,7 @@ def _modify_4(dp: DecisionPoint):
_SAFETY = DecisionPointValue(
name="Safety",
key="S",
- description="The Safety metric value measures the impact regarding the Safety of a human actor or "
+ definition="The Safety metric value measures the impact regarding the Safety of a human actor or "
"participant that can be predictably injured as a result of the vulnerability being exploited.",
)
values = list(_dp_dict["values"])
@@ -139,8 +139,8 @@ def no_x(dp: CvssDecisionPoint) -> CvssDecisionPoint:
key=f"{dp.key}_NoX",
version=dp.version,
name=f"{dp.name} (without Not Defined)",
- description=(
- f"{dp.description} This version does not include the Not Defined (X) option."
+ definition=(
+ f"{dp.definition} This version does not include the Not Defined (X) option."
),
values=tuple([v for v in dp.values if v.key != "X"]),
)
diff --git a/src/ssvc/decision_points/cvss/impact_bias.py b/src/ssvc/decision_points/cvss/impact_bias.py
index bf9b4a92..8b8c6d5e 100644
--- a/src/ssvc/decision_points/cvss/impact_bias.py
+++ b/src/ssvc/decision_points/cvss/impact_bias.py
@@ -28,30 +28,30 @@
_AVAILABILITY = DecisionPointValue(
name="Availability",
key="A",
- description="Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact.",
+ definition="Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact.",
)
_INTEGRITY = DecisionPointValue(
name="Integrity",
key="I",
- description="Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact.",
+ definition="Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact.",
)
_CONFIDENTIALITY = DecisionPointValue(
name="Confidentiality",
key="C",
- description="Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact.",
+ definition="Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact.",
)
_NORMAL = DecisionPointValue(
name="Normal",
key="N",
- description="Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight.",
+ definition="Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight.",
)
IMPACT_BIAS_1 = CvssDecisionPoint(
name="Impact Bias",
- description="This metric measures the impact bias of the vulnerability.",
+ definition="This metric measures the impact bias of the vulnerability.",
key="IB",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/integrity_impact.py b/src/ssvc/decision_points/cvss/integrity_impact.py
index 1d45a906..d27d5618 100644
--- a/src/ssvc/decision_points/cvss/integrity_impact.py
+++ b/src/ssvc/decision_points/cvss/integrity_impact.py
@@ -30,13 +30,13 @@
_II_HIGH = DecisionPointValue(
name="High",
key="H",
- description="There is a total loss of integrity, or a complete loss of protection.",
+ definition="There is a total loss of integrity, or a complete loss of protection.",
)
_II_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Modification of data is possible, but the attacker does not have control over the consequence of a "
+ definition="Modification of data is possible, but the attacker does not have control over the consequence of a "
"modification, or the amount of modification is constrained. The data modification does not have a "
"direct, serious impact on the impacted component.",
)
@@ -44,31 +44,31 @@
_II_NONE_2 = DecisionPointValue(
name="None",
key="N",
- description="There is no impact to the integrity of the system.",
+ definition="There is no impact to the integrity of the system.",
)
_COMPLETE = DecisionPointValue(
name="Complete",
key="C",
- description="A total compromise of system integrity. There is a complete loss of system protection resulting in "
+ definition="A total compromise of system integrity. There is a complete loss of system protection resulting in "
"the entire system being compromised. The attacker has sovereign control to modify any system files.",
)
_PARTIAL = DecisionPointValue(
name="Partial",
key="P",
- description="Considerable breach in integrity. Modification of critical system files or information is possible, "
+ definition="Considerable breach in integrity. Modification of critical system files or information is possible, "
"but the attacker does not have control over what can be modified, or the scope of what the attacker "
"can affect is constrained. For example, key system or program files may be overwritten or modified, "
"but at random or in a limited context or scope.",
)
_II_NONE = DecisionPointValue(
- name="None", key="N", description="No impact on integrity."
+ name="None", key="N", definition="No impact on integrity."
)
INTEGRITY_IMPACT_1 = CvssDecisionPoint(
name="Integrity Impact",
- description="This metric measures the impact on integrity a successful exploit of the vulnerability will have on "
+ definition="This metric measures the impact on integrity a successful exploit of the vulnerability will have on "
"the target system.",
key="I",
version="1.0.0",
@@ -84,7 +84,7 @@
INTEGRITY_IMPACT_2 = CvssDecisionPoint(
name="Integrity Impact",
- description="This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to integrity of a successfully exploited vulnerability.",
key="I",
version="2.0.0",
values=(
@@ -100,13 +100,13 @@
_II_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="There is a total loss of integrity, or a complete loss of protection.",
+ definition="There is a total loss of integrity, or a complete loss of protection.",
)
_II_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="Modification of data is possible, but the attacker does not have control over the consequence of a "
+ definition="Modification of data is possible, but the attacker does not have control over the consequence of a "
"modification, or the amount of modification is limited. The data modification does not have a direct, "
"serious impact to the Vulnerable System.",
)
@@ -115,13 +115,13 @@
_II_NONE_3 = DecisionPointValue(
name="None",
key="N",
- description="There is no loss of integrity within the Vulnerable System.",
+ definition="There is no loss of integrity within the Vulnerable System.",
)
INTEGRITY_IMPACT_3_0_0 = CvssDecisionPoint(
name="Integrity Impact to the Vulnerable System",
- description="This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to integrity of a successfully exploited vulnerability.",
key="VI",
version="3.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/integrity_requirement.py b/src/ssvc/decision_points/cvss/integrity_requirement.py
index 3611465f..9dc2a3ee 100644
--- a/src/ssvc/decision_points/cvss/integrity_requirement.py
+++ b/src/ssvc/decision_points/cvss/integrity_requirement.py
@@ -34,27 +34,27 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals "
+ definition="Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals "
"associated with the organization (e.g., employees, customers).",
)
_MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="Loss of integrity is likely to have a serious adverse effect on the organization or individuals "
+ definition="Loss of integrity is likely to have a serious adverse effect on the organization or individuals "
"associated with the organization (e.g., employees, customers).",
)
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Loss of integrity is likely to have only a limited adverse effect on the organization or individuals "
+ definition="Loss of integrity is likely to have only a limited adverse effect on the organization or individuals "
"associated with the organization (e.g., employees, customers).",
)
INTEGRITY_REQUIREMENT_1 = CvssDecisionPoint(
name="Integrity Requirement",
- description="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
key="IR",
version="1.0.0",
values=(
@@ -70,7 +70,7 @@
INTEGRITY_REQUIREMENT_1_1 = CvssDecisionPoint(
name="Integrity Requirement",
- description="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ definition="This metric measures the impact to the integrity of a successfully exploited vulnerability.",
key="IR",
version="1.1.0",
values=(
@@ -85,27 +85,27 @@
_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="Loss of integrity is likely to have a catastrophic adverse effect on the organization or "
+ definition="Loss of integrity is likely to have a catastrophic adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_MEDIUM_2 = DecisionPointValue(
name="Medium",
key="M",
- description="Loss of integrity is likely to have a serious adverse effect on the organization or "
+ definition="Loss of integrity is likely to have a serious adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="Loss of integrity is likely to have only a limited adverse effect on the organization or "
+ definition="Loss of integrity is likely to have only a limited adverse effect on the organization or "
"individuals associated with the organization (e.g., employees, customers).",
)
INTEGRITY_REQUIREMENT_1_1_1 = CvssDecisionPoint(
name="Integrity Requirement",
- description="This metric enables the consumer to customize the assessment depending on the importance of the "
+ definition="This metric enables the consumer to customize the assessment depending on the importance of the "
"affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
key="IR",
version="1.1.1",
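Review bot: The new `definition` for INTEGRITY_REQUIREMENT_1_1_1 ends with the continuation line `"affected IT asset to the analyst’s organization, measured in terms of Confidentiality."`, which looks like a copy-paste from the confidentiality_requirement module; for the Integrity Requirement decision point it should presumably read `"... measured in terms of Integrity."`. Since this string is what the regenerated JSON will publish, it is worth correcting in the same pass as the key rename. The rest of the hunk is the mechanical description-to-definition rename and needs no further change.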
diff --git a/src/ssvc/decision_points/cvss/privileges_required.py b/src/ssvc/decision_points/cvss/privileges_required.py
index 92ab7667..52669a26 100644
--- a/src/ssvc/decision_points/cvss/privileges_required.py
+++ b/src/ssvc/decision_points/cvss/privileges_required.py
@@ -28,7 +28,7 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. "
+ definition="The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. "
"administrative) control over the vulnerable component that could affect component-wide settings and "
"files.",
)
@@ -36,7 +36,7 @@
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that "
+ definition="The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that "
"could normally affect only settings and files owned by a user. Alternatively, an attacker with Low "
"privileges may have the ability to cause an impact only to non-sensitive resources.",
)
@@ -44,7 +44,7 @@
_PR_NONE = DecisionPointValue(
name="None",
key="N",
- description="The attacker is unauthorized prior to attack, and therefore does not require any access to settings "
+ definition="The attacker is unauthorized prior to attack, and therefore does not require any access to settings "
"or files to carry out an attack.",
)
@@ -53,7 +53,7 @@
# therefore High < Low < None
PRIVILEGES_REQUIRED_1 = CvssDecisionPoint(
name="Privileges Required",
- description="This metric describes the level of privileges an attacker must possess before successfully "
+ definition="This metric describes the level of privileges an attacker must possess before successfully "
"exploiting the vulnerability.",
key="PR",
version="1.0.0",
@@ -71,14 +71,14 @@
_PR_NONE_2 = DecisionPointValue(
name="None",
key="N",
- description="The attacker is unauthorized prior to attack, and therefore does not require any access to settings "
+ definition="The attacker is unauthorized prior to attack, and therefore does not require any access to settings "
"or files to carry out an attack.",
)
_LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that "
+ definition="The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that "
"are typically limited to settings and resources owned by a single low-privileged user. Alternatively, "
"an attacker with Low privileges has the ability to access only non-sensitive resources.",
)
@@ -86,14 +86,14 @@
_HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., "
+ definition="The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., "
"administrative) control over the vulnerable system allowing full access to the vulnerable system’s "
"settings and files.",
)
PRIVILEGES_REQUIRED_1_0_1 = CvssDecisionPoint(
name="Privileges Required",
- description="This metric describes the level of privileges an attacker must possess prior to successfully "
+ definition="This metric describes the level of privileges an attacker must possess prior to successfully "
"exploiting the vulnerability. The method by which the attacker obtains privileged credentials "
"prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, "
"self-service provisioned accounts do not constitute a privilege requirement if the attacker can "
diff --git a/src/ssvc/decision_points/cvss/qualitative_severity.py b/src/ssvc/decision_points/cvss/qualitative_severity.py
index 553fef6b..f9ea9686 100644
--- a/src/ssvc/decision_points/cvss/qualitative_severity.py
+++ b/src/ssvc/decision_points/cvss/qualitative_severity.py
@@ -28,34 +28,34 @@
QS_NONE = DecisionPointValue(
name="None",
key="N",
- description="No severity rating (0.0)",
+ definition="No severity rating (0.0)",
)
LOW = DecisionPointValue(
name="Low",
key="L",
- description="Low (0.1 - 3.9)",
+ definition="Low (0.1 - 3.9)",
)
MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="Medium (4.0 - 6.9)",
+ definition="Medium (4.0 - 6.9)",
)
HIGH = DecisionPointValue(
name="High",
key="H",
- description="High (7.0 - 8.9)",
+ definition="High (7.0 - 8.9)",
)
CRITICAL = DecisionPointValue(
name="Critical",
key="C",
- description="Critical (9.0 - 10.0)",
+ definition="Critical (9.0 - 10.0)",
)
QUALITATIVE_SEVERITY = CvssDecisionPoint(
name="CVSS Qualitative Severity Rating Scale",
key="QS",
- description="The CVSS Qualitative Severity Rating Scale provides "
+ definition="The CVSS Qualitative Severity Rating Scale provides "
"a categorical representation of a CVSS Score.",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/remediation_level.py b/src/ssvc/decision_points/cvss/remediation_level.py
index 090d3eae..9b3a8f69 100644
--- a/src/ssvc/decision_points/cvss/remediation_level.py
+++ b/src/ssvc/decision_points/cvss/remediation_level.py
@@ -31,13 +31,13 @@
_UNAVAILABLE = DecisionPointValue(
name="Unavailable",
key="U",
- description="There is either no solution available or it is impossible to apply.",
+ definition="There is either no solution available or it is impossible to apply.",
)
_WORKAROUND = DecisionPointValue(
name="Workaround",
key="W",
- description="There is an unofficial, non-vendor solution available. In some cases, users of the affected "
+ definition="There is an unofficial, non-vendor solution available. In some cases, users of the affected "
"technology will create a patch of their own or provide steps to work around or otherwise mitigate "
"against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in "
"plugging the hole for the mean time and no official remediation is available, this value can be set.",
@@ -46,20 +46,20 @@
_TEMPORARY_FIX = DecisionPointValue(
name="Temporary Fix",
key="TF",
- description="There is an official but temporary fix available. This includes instances where the vendor issues a "
+ definition="There is an official but temporary fix available. This includes instances where the vendor issues a "
"temporary hotfix, tool or official workaround.",
)
_OFFICIAL_FIX = DecisionPointValue(
name="Official Fix",
key="OF",
- description="A complete vendor solution is available. Either the vendor has issued the final, official patch "
+ definition="A complete vendor solution is available. Either the vendor has issued the final, official patch "
"which eliminates the vulnerability or an upgrade that is not vulnerable is available.",
)
REMEDIATION_LEVEL_1 = CvssDecisionPoint(
name="Remediation Level",
- description="This metric measures the remediation status of a vulnerability.",
+ definition="This metric measures the remediation status of a vulnerability.",
key="RL",
version="1.0.0",
values=(
@@ -75,7 +75,7 @@
REMEDIATION_LEVEL_1_1 = CvssDecisionPoint(
name="Remediation Level",
- description="This metric measures the remediation status of a vulnerability.",
+ definition="This metric measures the remediation status of a vulnerability.",
key="RL",
version="1.1.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/report_confidence.py b/src/ssvc/decision_points/cvss/report_confidence.py
index 5501363d..12731de4 100644
--- a/src/ssvc/decision_points/cvss/report_confidence.py
+++ b/src/ssvc/decision_points/cvss/report_confidence.py
@@ -33,7 +33,7 @@
_CONFIRMED_2 = DecisionPointValue(
name="Confirmed",
key="C",
- description="Detailed reports exist, or functional reproduction is possible (functional exploits may provide "
+ definition="Detailed reports exist, or functional reproduction is possible (functional exploits may provide "
"this). Source code is available to independently verify the assertions of the research, "
"or the author or vendor of the affected code has confirmed the presence of the vulnerability.",
)
@@ -41,7 +41,7 @@
_REASONABLE = DecisionPointValue(
name="Reasonable",
key="R",
- description="Significant details are published, but researchers either do not have full confidence in the root "
+ definition="Significant details are published, but researchers either do not have full confidence in the root "
"cause, or do not have access to source code to fully confirm all of the interactions that may lead "
"to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one "
"impact is able to be verified (proof-of-concept exploits may provide this).",
@@ -50,7 +50,7 @@
_UNKNOWN = DecisionPointValue(
name="Unknown",
key="U",
- description="There are reports of impacts that indicate a vulnerability is present. The reports indicate that the "
+ definition="There are reports of impacts that indicate a vulnerability is present. The reports indicate that the "
"cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the "
"vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little "
"confidence in the validity of the reports or whether a static Base score can be applied given the "
@@ -60,7 +60,7 @@
_CONFIRMED = DecisionPointValue(
name="Confirmed",
key="C",
- description="Vendor or author of the affected technology has acknowledged that the vulnerability exists. This "
+ definition="Vendor or author of the affected technology has acknowledged that the vulnerability exists. This "
"value may also be set when existence of a vulnerability is confirmed with absolute confidence "
"through some other event, such as publication of functional proof of concept exploit code or "
"widespread exploitation.",
@@ -69,7 +69,7 @@
_UNCORROBORATED = DecisionPointValue(
name="Uncorroborated",
key="UR",
- description="Multiple non-official sources; possibily including independent security companies or research "
+ definition="Multiple non-official sources; possibily including independent security companies or research "
"organizations. At this point there may be conflicting technical details or some other lingering "
"ambiguity.",
)
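Review bot: The renamed definition line for _UNCORROBORATED carries the typo "possibily" over to the new keyword, so the misspelling presumably also lands in whatever is generated from these definitions. Since the line is being touched anyway, it could read `definition="Multiple non-official sources; possibly including independent security companies or research "`. The same mechanical rename in the surrounding hunks otherwise looks consistent.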
@@ -77,13 +77,13 @@
_UNCONFIRMED = DecisionPointValue(
name="Unconfirmed",
key="UC",
- description="A single unconfirmed source or possibly several conflicting reports. There is little confidence in "
+ definition="A single unconfirmed source or possibly several conflicting reports. There is little confidence in "
"the validity of the report.",
)
REPORT_CONFIDENCE_1 = CvssDecisionPoint(
name="Report Confidence",
- description="This metric measures the degree of confidence in the existence of the vulnerability and the "
+ definition="This metric measures the degree of confidence in the existence of the vulnerability and the "
"credibility of the known technical details.",
key="RC",
version="1.0.0",
@@ -99,7 +99,7 @@
REPORT_CONFIDENCE_1_1 = CvssDecisionPoint(
name="Report Confidence",
- description="This metric measures the degree of confidence in the existence of the vulnerability and the "
+ definition="This metric measures the degree of confidence in the existence of the vulnerability and the "
"credibility of the known technical details.",
key="RC",
version="1.1.0",
@@ -116,7 +116,7 @@
REPORT_CONFIDENCE_2 = CvssDecisionPoint(
name="Report Confidence",
- description="This metric measures the degree of confidence in the existence of the vulnerability and the "
+ definition="This metric measures the degree of confidence in the existence of the vulnerability and the "
"credibility of the known technical details.",
key="RC",
version="2.0.0",
diff --git a/src/ssvc/decision_points/cvss/scope.py b/src/ssvc/decision_points/cvss/scope.py
index ecf89588..74ed3b76 100644
--- a/src/ssvc/decision_points/cvss/scope.py
+++ b/src/ssvc/decision_points/cvss/scope.py
@@ -29,20 +29,20 @@
_CHANGED = DecisionPointValue(
name="Changed",
key="C",
- description="An exploited vulnerability can affect resources beyond the authorization privileges intended by the "
+ definition="An exploited vulnerability can affect resources beyond the authorization privileges intended by the "
"vulnerable component. In this case the vulnerable component and the impacted component are different.",
)
_UNCHANGED = DecisionPointValue(
name="Unchanged",
key="U",
- description="An exploited vulnerability can only affect resources managed by the same authority. In this case the "
+ definition="An exploited vulnerability can only affect resources managed by the same authority. In this case the "
"vulnerable component and the impacted component are the same.",
)
SCOPE_1 = CvssDecisionPoint(
name="Scope",
- description="the ability for a vulnerability in one software component to impact resources beyond its means, "
+ definition="the ability for a vulnerability in one software component to impact resources beyond its means, "
"or privileges",
key="S",
version="1.0.0",
diff --git a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py
index aa73c348..3e15615f 100644
--- a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py
+++ b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py
@@ -28,7 +28,7 @@
_SA_HIGH = DecisionPointValue(
name="High",
key="H",
- description="There is a total loss of availability, resulting in the attacker being able to fully deny access to "
+ definition="There is a total loss of availability, resulting in the attacker being able to fully deny access to "
"resources in the Subsequent System; this loss is either sustained (while the attacker continues to "
"deliver the attack) or persistent (the condition persists even after the attack has completed).",
)
@@ -36,7 +36,7 @@
_SA_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Performance is reduced or there are interruptions in resource availability. Even if repeated "
+ definition="Performance is reduced or there are interruptions in resource availability. Even if repeated "
"exploitation of the vulnerability is possible, the attacker does not have the ability to completely "
"deny service to legitimate users.",
)
@@ -44,14 +44,14 @@
_SA_NONE = DecisionPointValue(
name="None",
key="N",
- description="There is no impact to availability within the Subsequent System or all availability impact is "
+ definition="There is no impact to availability within the Subsequent System or all availability impact is "
"constrained to the Vulnerable System.",
)
SUBSEQUENT_AVAILABILITY_IMPACT_1 = CvssDecisionPoint(
name="Availability Impact to the Subsequent System",
- description="This metric measures the impact on availability a successful exploit of the vulnerability will have "
+ definition="This metric measures the impact on availability a successful exploit of the vulnerability will have "
"on the Subsequent System.",
key="SA",
version="1.0.0",
diff --git a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py
index d61d91fc..0025c8fb 100644
--- a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py
+++ b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py
@@ -28,14 +28,14 @@
NEGLIGIBLE = DecisionPointValue(
name="Negligible",
key="N",
- description="There is no loss of confidentiality within the Subsequent System or all confidentiality impact is "
+ definition="There is no loss of confidentiality within the Subsequent System or all confidentiality impact is "
"constrained to the Vulnerable System.",
)
LOW = DecisionPointValue(
name="Low",
key="L",
- description="There is some loss of confidentiality. Access to some restricted information is obtained, but the "
+ definition="There is some loss of confidentiality. Access to some restricted information is obtained, but the "
"attacker does not have control over what information is obtained, or the amount or kind of loss is "
"limited. The information disclosure does not cause a direct, serious loss to the Subsequent System.",
)
@@ -43,7 +43,7 @@
HIGH = DecisionPointValue(
name="High",
key="H",
- description="There is a total loss of confidentiality, resulting in all resources within the Subsequent System "
+ definition="There is a total loss of confidentiality, resulting in all resources within the Subsequent System "
"being divulged to the attacker. Alternatively, access to only some restricted information is obtained, "
"but the disclosed information presents a direct, serious impact.",
)
@@ -51,7 +51,7 @@
SUBSEQUENT_CONFIDENTIALITY_IMPACT_1 = CvssDecisionPoint(
name="Confidentiality Impact to the Subsequent System",
key="SC",
- description="This metric measures the impact to the confidentiality of the information managed by the system due "
+ definition="This metric measures the impact to the confidentiality of the information managed by the system due "
"to a successfully exploited vulnerability. Confidentiality refers to limiting information access and "
"disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized "
"ones. The resulting score is greatest when the loss to the system is highest.",
diff --git a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py
index dbf53244..cbcddf59 100644
--- a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py
+++ b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py
@@ -28,7 +28,7 @@
SI_HIGH = DecisionPointValue(
name="High",
key="H",
- description="There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able "
+ definition="There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able "
"to modify any/all files protected by the Subsequent System. Alternatively, only some files can be "
"modified, but malicious modification would present a direct, serious consequence to the Subsequent "
"System.",
@@ -37,7 +37,7 @@
SI_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Modification of data is possible, but the attacker does not have control over the consequence of a "
+ definition="Modification of data is possible, but the attacker does not have control over the consequence of a "
"modification, or the amount of modification is limited. The data modification does not have a direct, "
"serious impact to the Subsequent System.",
)
@@ -45,14 +45,14 @@
SI_NONE = DecisionPointValue(
name="None",
key="N",
- description="There is no loss of integrity within the Subsequent System or all integrity impact is constrained to "
+ definition="There is no loss of integrity within the Subsequent System or all integrity impact is constrained to "
"the Vulnerable System.",
)
SUBSEQUENT_INTEGRITY_IMPACT_1 = CvssDecisionPoint(
name="Integrity Impact to the Subsequent System",
key="SI",
- description="This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity "
+ definition="This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity "
"refers to the trustworthiness and veracity of information. Integrity of a system is impacted when "
"an attacker causes unauthorized modification of system data. Integrity is also impacted when a "
"system user can repudiate critical actions taken in the context of the system (e.g. due to "
diff --git a/src/ssvc/decision_points/cvss/supplemental/automatable.py b/src/ssvc/decision_points/cvss/supplemental/automatable.py
index 5d430ca5..469421ba 100644
--- a/src/ssvc/decision_points/cvss/supplemental/automatable.py
+++ b/src/ssvc/decision_points/cvss/supplemental/automatable.py
@@ -29,19 +29,19 @@
NO = DecisionPointValue(
name="No",
key="N",
- description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for "
+ definition="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for "
"some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.",
)
YES = DecisionPointValue(
name="Yes",
key="Y",
- description="Attackers can reliably automate all 4 steps of the kill chain. These steps are "
+ definition="Attackers can reliably automate all 4 steps of the kill chain. These steps are "
"reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is "
'"wormable").',
)
AUTOMATABLE_1 = CvssDecisionPoint(
name="Automatable",
- description='The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation '
+ definition='The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation '
'events for this vulnerability across multiple targets?" based on steps 1-4 of the kill chain.',
key="AU",
version="1.0.0",
diff --git a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
index 97968101..051a3ef8 100644
--- a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
+++ b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
@@ -29,26 +29,26 @@
RED = DecisionPointValue(
name="Red",
key="R",
- description="Provider has assessed the impact of this vulnerability as having the highest urgency.",
+ definition="Provider has assessed the impact of this vulnerability as having the highest urgency.",
)
AMBER = DecisionPointValue(
name="Amber",
key="A",
- description="Provider has assessed the impact of this vulnerability as having a moderate urgency.",
+ definition="Provider has assessed the impact of this vulnerability as having a moderate urgency.",
)
GREEN = DecisionPointValue(
name="Green",
key="G",
- description="Provider has assessed the impact of this vulnerability as having a reduced urgency.",
+ definition="Provider has assessed the impact of this vulnerability as having a reduced urgency.",
)
CLEAR = DecisionPointValue(
name="Clear",
key="C",
- description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).",
+ definition="Provider has assessed the impact of this vulnerability as having no urgency (Informational).",
)
PROVIDER_URGENCY_1 = CvssDecisionPoint(
name="Provider Urgency",
- description="Many vendors currently provide supplemental severity ratings to consumers via product security "
+ definition="Many vendors currently provide supplemental severity ratings to consumers via product security "
"advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document "
"in their advisories. To facilitate a standardized method to incorporate additional provider-supplied "
'assessment, an optional "pass-through" Supplemental Metric called Provider Urgency is available.',
diff --git a/src/ssvc/decision_points/cvss/supplemental/recovery.py b/src/ssvc/decision_points/cvss/supplemental/recovery.py
index eaa58959..9f027dc9 100644
--- a/src/ssvc/decision_points/cvss/supplemental/recovery.py
+++ b/src/ssvc/decision_points/cvss/supplemental/recovery.py
@@ -29,22 +29,22 @@
AUTOMATIC = DecisionPointValue(
name="Automatic",
key="A",
- description="The system recovers services automatically after an attack has been performed.",
+ definition="The system recovers services automatically after an attack has been performed.",
)
USER = DecisionPointValue(
name="User",
key="U",
- description="The system requires manual intervention by the user to recover services, after an attack has "
+ definition="The system requires manual intervention by the user to recover services, after an attack has "
"been performed.",
)
IRRECOVERABLE = DecisionPointValue(
name="Irrecoverable",
key="I",
- description="The system services are irrecoverable by the user, after an attack has been performed.",
+ definition="The system services are irrecoverable by the user, after an attack has been performed.",
)
RECOVERY_1 = CvssDecisionPoint(
name="Recovery",
- description="The Recovery metric describes the resilience of a system to recover services, in terms of performance "
+ definition="The Recovery metric describes the resilience of a system to recover services, in terms of performance "
"and availability, after an attack has been performed.",
key="R",
version="1.0.0",
diff --git a/src/ssvc/decision_points/cvss/supplemental/safety.py b/src/ssvc/decision_points/cvss/supplemental/safety.py
index c05d62cf..a330fb61 100644
--- a/src/ssvc/decision_points/cvss/supplemental/safety.py
+++ b/src/ssvc/decision_points/cvss/supplemental/safety.py
@@ -30,18 +30,18 @@
PRESENT = DecisionPointValue(
name="Present",
key="P",
- description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of "
+ definition="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of "
'"marginal," "critical," or "catastrophic."',
)
NEGLIGIBLE = DecisionPointValue(
name="Negligible",
key="N",
- description="Consequences of the vulnerability meet definition of IEC 61508 consequence category "
+ definition="Consequences of the vulnerability meet definition of IEC 61508 consequence category "
'"negligible."',
)
SAFETY_1 = CvssDecisionPoint(
name="Safety",
- description="The Safety decision point is a measure of the potential for harm to humans or the environment.",
+ definition="The Safety decision point is a measure of the potential for harm to humans or the environment.",
key="SF",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/cvss/supplemental/value_density.py b/src/ssvc/decision_points/cvss/supplemental/value_density.py
index 784b0bca..43b1d786 100644
--- a/src/ssvc/decision_points/cvss/supplemental/value_density.py
+++ b/src/ssvc/decision_points/cvss/supplemental/value_density.py
@@ -29,18 +29,18 @@
DIFFUSE = DecisionPointValue(
name="Diffuse",
key="D",
- description="The vulnerable system has limited resources. That is, the resources that the attacker will "
+ definition="The vulnerable system has limited resources. That is, the resources that the attacker will "
"gain control over with a single exploitation event are relatively small.",
)
CONCENTRATED = DecisionPointValue(
name="Concentrated",
key="C",
- description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct "
+ definition="The vulnerable system is rich in resources. Heuristically, such systems are often the direct "
'responsibility of "system operators" rather than users.',
)
VALUE_DENSITY_1 = CvssDecisionPoint(
name="Value Density",
- description="Value Density describes the resources that the attacker will gain control over with a single "
+ definition="Value Density describes the resources that the attacker will gain control over with a single "
"exploitation event. It has two possible values, diffuse and concentrated.",
key="V",
version="1.0.0",
diff --git a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
index b19f1799..2b466d18 100644
--- a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
+++ b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
@@ -29,18 +29,18 @@
LOW = DecisionPointValue(
name="Low",
key="L",
- description="The effort required to respond to a vulnerability is low/trivial.",
+ definition="The effort required to respond to a vulnerability is low/trivial.",
)
MODERATE = DecisionPointValue(
name="Moderate",
key="M",
- description="The actions required to respond to a vulnerability require some effort on behalf of the "
+ definition="The actions required to respond to a vulnerability require some effort on behalf of the "
"consumer and could cause minimal service impact to implement.",
)
HIGH = DecisionPointValue(
name="High",
key="H",
- description="The actions required to respond to a vulnerability are significant and/or difficult, and may "
+ definition="The actions required to respond to a vulnerability are significant and/or difficult, and may "
"possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling "
"purposes including honoring any embargo on deployment of the selected response. Alternatively, response "
"to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability "
@@ -49,7 +49,7 @@
)
VULNERABILITY_RESPONSE_EFFORT_1 = CvssDecisionPoint(
name="Vulnerability Response Effort",
- description="The intention of the Vulnerability Response Effort metric is to provide supplemental information on "
+ definition="The intention of the Vulnerability Response Effort metric is to provide supplemental information on "
"how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed "
"products and services in their infrastructure. The consumer can then take this additional information on effort "
"required into consideration when applying mitigations and/or scheduling remediation.",
diff --git a/src/ssvc/decision_points/cvss/target_distribution.py b/src/ssvc/decision_points/cvss/target_distribution.py
index 5cd78d88..7e07a66e 100644
--- a/src/ssvc/decision_points/cvss/target_distribution.py
+++ b/src/ssvc/decision_points/cvss/target_distribution.py
@@ -31,34 +31,34 @@
_HIGH = DecisionPointValue(
name="High",
key="H",
- description="Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total "
+ definition="Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total "
"environment is considered at risk.",
)
_MEDIUM = DecisionPointValue(
name="Medium",
key="M",
- description="Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total "
+ definition="Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total "
"environment is at risk.",
)
_LOW = DecisionPointValue(
name="Low",
key="L",
- description="Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total "
+ definition="Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total "
"environment is at risk.",
)
_TD_NONE = DecisionPointValue(
name="None",
key="N",
- description="No target systems exist, or targets are so highly specialized that they only exist in a laboratory "
+ definition="No target systems exist, or targets are so highly specialized that they only exist in a laboratory "
"setting. Effectively 0% of the environment is at risk.",
)
TARGET_DISTRIBUTION_1 = CvssDecisionPoint(
name="Target Distribution",
- description="This metric measures the relative size of the field of target systems susceptible to the "
+ definition="This metric measures the relative size of the field of target systems susceptible to the "
"vulnerability. It is meant as an environment-specific indicator in order to approximate the "
"percentage of systems within the environment that could be affected by the vulnerability.",
key="TD",
@@ -76,7 +76,7 @@
TARGET_DISTRIBUTION_1_1 = CvssDecisionPoint(
name="Target Distribution",
- description="This metric measures the relative size of the field of target systems susceptible to the "
+ definition="This metric measures the relative size of the field of target systems susceptible to the "
"vulnerability. It is meant as an environment-specific indicator in order to approximate the "
"percentage of systems within the environment that could be affected by the vulnerability.",
key="TD",
diff --git a/src/ssvc/decision_points/cvss/user_interaction.py b/src/ssvc/decision_points/cvss/user_interaction.py
index a5e24477..b09afe0b 100644
--- a/src/ssvc/decision_points/cvss/user_interaction.py
+++ b/src/ssvc/decision_points/cvss/user_interaction.py
@@ -29,20 +29,20 @@
_REQUIRED = DecisionPointValue(
name="Required",
key="R",
- description="Successful exploitation of this vulnerability requires a user to take some action before the "
+ definition="Successful exploitation of this vulnerability requires a user to take some action before the "
"vulnerability can be exploited.",
)
_UI_NONE = DecisionPointValue(
name="None",
key="N",
- description="The vulnerable system can be exploited without interaction from any user.",
+ definition="The vulnerable system can be exploited without interaction from any user.",
)
USER_INTERACTION_1 = CvssDecisionPoint(
name="User Interaction",
- description="This metric captures the requirement for a user, other than the attacker, to participate in the "
+ definition="This metric captures the requirement for a user, other than the attacker, to participate in the "
"successful compromise of the vulnerable component.",
key="UI",
version="1.0.0",
@@ -58,14 +58,14 @@
_UI_NONE_2 = DecisionPointValue(
name="None",
key="N",
- description="The vulnerable system can be exploited without interaction from any human user, other than the "
+ definition="The vulnerable system can be exploited without interaction from any human user, other than the "
"attacker.",
)
_PASSIVE = DecisionPointValue(
name="Passive",
key="P",
- description="Successful exploitation of this vulnerability requires limited interaction by the targeted user with "
+ definition="Successful exploitation of this vulnerability requires limited interaction by the targeted user with "
"the vulnerable system and the attacker’s payload. These interactions would be considered involuntary "
"and do not require that the user actively subvert protections built into the vulnerable system.",
)
@@ -73,7 +73,7 @@
_ACTIVE = DecisionPointValue(
name="Active",
key="A",
- description="Successful exploitation of this vulnerability requires a targeted user to perform specific, "
+ definition="Successful exploitation of this vulnerability requires a targeted user to perform specific, "
"conscious interactions with the vulnerable system and the attacker’s payload, or the user’s "
"interactions would actively subvert protection mechanisms which would lead to exploitation of the "
"vulnerability.",
@@ -82,7 +82,7 @@
USER_INTERACTION_2 = CvssDecisionPoint(
name="User Interaction",
key="UI",
- description="This metric captures the requirement for a human user, other than the attacker, to participate "
+ definition="This metric captures the requirement for a human user, other than the attacker, to participate "
"in the successful compromise of the vulnerable system. This metric determines whether the "
"vulnerability can be exploited solely at the will of the attacker, or whether a separate user "
"(or user-initiated process) must participate in some manner. The resulting score is greatest "
diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py
index 5ecec020..71d54874 100644
--- a/src/ssvc/decision_points/helpers.py
+++ b/src/ssvc/decision_points/helpers.py
@@ -73,8 +73,8 @@ def dp_diff(dp1: DecisionPoint, dp2: DecisionPoint) -> list[str]:
maybe_minor = True
# did the description change?
- desc1 = dp1.description.strip()
- desc2 = dp2.description.strip()
+ desc1 = dp1.definition.strip()
+ desc2 = dp2.definition.strip()
if desc1 != desc2:
diffs.append(f"(patch) {dp2.name} v{dp2.version} description changed")
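Review bot: The comment above the changed pair (`# did the description change?`) and the message appended on this line (`... description changed`) still say "description" while the field now compared is `definition`; since that message is what callers of `dp_diff` surface, rename it consistently, e.g. `diffs.append(f"(patch) {dp2.name} v{dp2.version} definition changed")`, or leave both as-is deliberately with a note. The locals `desc1`/`desc2` could follow the rename too, but that is cosmetic. `dp_diff` starts and ends outside this hunk.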
@@ -152,13 +152,13 @@ def dp_diff(dp1: DecisionPoint, dp2: DecisionPoint) -> list[str]:
# did the value descriptions change?
for name in intersection:
v1 = {
- value["name"]: value["description"]
+ value["name"]: value["definition"]
for value in dp1.model_dump()["values"]
}
v1 = v1[name]
v2 = {
- value["name"]: value["description"]
+ value["name"]: value["definition"]
for value in dp2.model_dump()["values"]
}
v2 = v2[name]
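Review bot: The two comprehensions on the changed lines rebuild the whole name→definition map from `model_dump()` on every iteration of `for name in intersection` and then index a single entry; building the maps once before the loop, `defs1 = {v["name"]: v["definition"] for v in dp1.model_dump()["values"]}` and `defs2 = {v["name"]: v["definition"] for v in dp2.model_dump()["values"]}`, then `v1 = defs1[name]` / `v2 = defs2[name]` inside it, gives the same result with one dump per decision point. The comment above the loop, `# did the value descriptions change?`, also still says "descriptions" after the rename to `definition`. The loop body continues past the end of this hunk.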
diff --git a/src/ssvc/decision_points/ssvc/automatable.py b/src/ssvc/decision_points/ssvc/automatable.py
index 3ebe61ff..c49506c1 100644
--- a/src/ssvc/decision_points/ssvc/automatable.py
+++ b/src/ssvc/decision_points/ssvc/automatable.py
@@ -29,19 +29,19 @@
RAPID = DecisionPointValue(
name="Rapid",
key="R",
- description="Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote "
+ definition="Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote "
"code execution or command injection, the default response should be rapid.",
)
SLOW = DecisionPointValue(
name="Slow",
key="S",
- description="Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. "
+ definition="Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. "
"These steps are reconnaissance, weaponization, delivery, and exploitation.",
)
VIRULENCE_1 = SsvcDecisionPoint(
name="Virulence",
- description="The speed at which the vulnerability can be exploited.",
+ definition="The speed at which the vulnerability can be exploited.",
key="V",
version="1.0.0",
values=(
@@ -54,19 +54,19 @@
AUT_NO = DecisionPointValue(
name="No",
key="N",
- description="Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. "
+ definition="Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. "
"These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation.",
)
AUT_YES = DecisionPointValue(
name="Yes",
key="Y",
- description="Attackers can reliably automate steps 1-4 of the kill chain.",
+ definition="Attackers can reliably automate steps 1-4 of the kill chain.",
)
AUTOMATABLE_2 = SsvcDecisionPoint(
name="Automatable",
- description="Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ definition="Can an attacker reliably automate creating exploitation events for this vulnerability?",
key="A",
version="2.0.0",
values=(AUT_NO, AUT_YES),
diff --git a/src/ssvc/decision_points/ssvc/critical_software.py b/src/ssvc/decision_points/ssvc/critical_software.py
index 6fad730c..1e12e9c6 100644
--- a/src/ssvc/decision_points/ssvc/critical_software.py
+++ b/src/ssvc/decision_points/ssvc/critical_software.py
@@ -29,18 +29,18 @@
YES = DecisionPointValue(
name="Yes",
key="Y",
- description="System meets a critical software definition.",
+ definition="System meets a critical software definition.",
)
NO = DecisionPointValue(
name="No",
key="N",
- description="System does not meet a critical software definition.",
+ definition="System does not meet a critical software definition.",
)
CRITICAL_SOFTWARE_1 = SsvcDecisionPoint(
name="Critical Software",
- description="Denotes whether a system meets a critical software definition.",
+ definition="Denotes whether a system meets a critical software definition.",
key="CS",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/exploitation.py b/src/ssvc/decision_points/ssvc/exploitation.py
index c4a4ccc8..faade969 100644
--- a/src/ssvc/decision_points/ssvc/exploitation.py
+++ b/src/ssvc/decision_points/ssvc/exploitation.py
@@ -28,14 +28,14 @@
ACTIVE = DecisionPointValue(
name="Active",
key="A",
- description="Shared, observable, reliable evidence that the exploit is being"
+ definition="Shared, observable, reliable evidence that the exploit is being"
" used in the wild by real attackers; there is credible public reporting.",
)
POC_1 = DecisionPointValue(
name="PoC",
key="P",
- description="One of the following cases is true: (1) private evidence of exploitation is attested but not shared; "
+ definition="One of the following cases is true: (1) private evidence of exploitation is attested but not shared; "
"(2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit"
" or ExploitDB; or (4) the vulnerability has a well-known method of exploitation.",
)
@@ -43,13 +43,13 @@
POC_2 = DecisionPointValue(
name="Public PoC",
key="P",
- description="One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.",
+ definition="One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.",
)
EXP_NONE = DecisionPointValue(
name="None",
key="N",
- description="There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.",
+ definition="There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.",
)
@@ -59,7 +59,7 @@ def _strip_spaces(s):
EXPLOITATION_1 = SsvcDecisionPoint(
name="Exploitation",
- description="The present state of exploitation of the vulnerability.",
+ definition="The present state of exploitation of the vulnerability.",
key="E",
version="1.0.0",
values=(
@@ -71,7 +71,7 @@ def _strip_spaces(s):
EXPLOITATION_1_1_0 = SsvcDecisionPoint(
name="Exploitation",
- description="The present state of exploitation of the vulnerability.",
+ definition="The present state of exploitation of the vulnerability.",
key="E",
version="1.1.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/high_value_asset.py b/src/ssvc/decision_points/ssvc/high_value_asset.py
index 3612b094..32ce690a 100644
--- a/src/ssvc/decision_points/ssvc/high_value_asset.py
+++ b/src/ssvc/decision_points/ssvc/high_value_asset.py
@@ -29,18 +29,18 @@
YES = DecisionPointValue(
name="Yes",
key="Y",
- description="System meets a high value asset definition.",
+ definition="System meets a high value asset definition.",
)
NO = DecisionPointValue(
name="No",
key="N",
- description="System does not meet a high value asset definition.",
+ definition="System does not meet a high value asset definition.",
)
HIGH_VALUE_ASSET_1 = SsvcDecisionPoint(
name="High Value Asset",
- description="Denotes whether a system meets a high value asset definition.",
+ definition="Denotes whether a system meets a high value asset definition.",
key="HVA",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/human_impact.py b/src/ssvc/decision_points/ssvc/human_impact.py
index b22819e0..b79b8501 100644
--- a/src/ssvc/decision_points/ssvc/human_impact.py
+++ b/src/ssvc/decision_points/ssvc/human_impact.py
@@ -29,88 +29,88 @@
LOW_1 = DecisionPointValue(
name="Low",
key="L",
- description="Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal",
+ definition="Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal",
)
LOW_2 = DecisionPointValue(
name="Low",
key="L",
- description="Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)",
+ definition="Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)",
)
LOW_3 = DecisionPointValue(
name="Low",
key="L",
- description="Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)",
+ definition="Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)",
)
LOW_4 = DecisionPointValue(
name="Low",
key="L",
- description="Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)",
+ definition="Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)",
)
MEDIUM_1 = DecisionPointValue(
name="Medium",
key="M",
- description="Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)",
+ definition="Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)",
)
MEDIUM_2 = DecisionPointValue(
name="Medium",
key="M",
- description="(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))",
+ definition="(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))",
)
MEDIUM_3 = DecisionPointValue(
name="Medium",
key="M",
- description="(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))",
+ definition="(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))",
)
MEDIUM_4 = DecisionPointValue(
name="Medium",
key="M",
- description="(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))",
+ definition="(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))",
)
HIGH_1 = DecisionPointValue(
name="High",
key="H",
- description="Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)",
+ definition="Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)",
)
HIGH_2 = DecisionPointValue(
name="High",
key="H",
- description="(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)",
+ definition="(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)",
)
HIGH_3 = DecisionPointValue(
name="High",
key="H",
- description="(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)",
+ definition="(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)",
)
HIGH_4 = DecisionPointValue(
name="High",
key="H",
- description="(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)",
+ definition="(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)",
)
VERY_HIGH_1 = DecisionPointValue(
name="Very High",
key="VH",
- description="Safety Impact:Catastrophic OR Mission Impact:Mission Failure",
+ definition="Safety Impact:Catastrophic OR Mission Impact:Mission Failure",
)
MISSION_AND_WELL_BEING_IMPACT_1 = SsvcDecisionPoint(
name="Mission and Well-Being Impact",
- description="Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ definition="Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
key="MWI",
version="1.0.0",
values=(
@@ -123,7 +123,7 @@
HUMAN_IMPACT_2 = SsvcDecisionPoint(
name="Human Impact",
- description="Human Impact is a combination of Safety and Mission impacts.",
+ definition="Human Impact is a combination of Safety and Mission impacts.",
key="HI",
version="2.0.0",
values=(
@@ -136,7 +136,7 @@
HUMAN_IMPACT_2_0_1 = SsvcDecisionPoint(
name="Human Impact",
- description="Human Impact is a combination of Safety and Mission impacts.",
+ definition="Human Impact is a combination of Safety and Mission impacts.",
key="HI",
version="2.0.1",
values=(
@@ -149,7 +149,7 @@
HUMAN_IMPACT_2_0_2 = SsvcDecisionPoint(
name="Human Impact",
- description="Human Impact is a combination of Safety and Mission impacts.",
+ definition="Human Impact is a combination of Safety and Mission impacts.",
key="HI",
version="2.0.2",
values=(
diff --git a/src/ssvc/decision_points/ssvc/mission_impact.py b/src/ssvc/decision_points/ssvc/mission_impact.py
index 9faad217..12273a35 100644
--- a/src/ssvc/decision_points/ssvc/mission_impact.py
+++ b/src/ssvc/decision_points/ssvc/mission_impact.py
@@ -30,43 +30,43 @@
MISSION_FAILURE = DecisionPointValue(
name="Mission Failure",
key="MF",
- description="Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails",
+ definition="Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails",
)
MEF_FAILURE = DecisionPointValue(
name="MEF Failure",
key="MEF",
- description="Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time",
+ definition="Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time",
)
MEF_CRIPPLED = DecisionPointValue(
name="MEF Support Crippled",
key="MSC",
- description="Activities that directly support essential functions are crippled; essential functions continue for a time",
+ definition="Activities that directly support essential functions are crippled; essential functions continue for a time",
)
MI_NED = DecisionPointValue(
name="Non-Essential Degraded",
key="NED",
- description="Degradation of non-essential functions; chronic degradation would eventually harm essential functions",
+ definition="Degradation of non-essential functions; chronic degradation would eventually harm essential functions",
)
MI_NONE = DecisionPointValue(
- name="None", key="N", description="Little to no impact"
+ name="None", key="N", definition="Little to no impact"
)
# combine MI_NONE and MI_NED into a single value
DEGRADED = DecisionPointValue(
name="Degraded",
key="D",
- description="Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions",
+ definition="Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions",
)
MISSION_IMPACT_1 = SsvcDecisionPoint(
name="Mission Impact",
- description="Impact on Mission Essential Functions of the Organization",
+ definition="Impact on Mission Essential Functions of the Organization",
key="MI",
version="1.0.0",
values=(
@@ -81,7 +81,7 @@
# SSVC v2.1 combined None and Non-Essential Degraded into a single value
MISSION_IMPACT_2 = SsvcDecisionPoint(
name="Mission Impact",
- description="Impact on Mission Essential Functions of the Organization",
+ definition="Impact on Mission Essential Functions of the Organization",
key="MI",
version="2.0.0",
values=(DEGRADED, MEF_CRIPPLED, MEF_FAILURE, MISSION_FAILURE),
diff --git a/src/ssvc/decision_points/ssvc/public_safety_impact.py b/src/ssvc/decision_points/ssvc/public_safety_impact.py
index 46f22a94..e8b06704 100644
--- a/src/ssvc/decision_points/ssvc/public_safety_impact.py
+++ b/src/ssvc/decision_points/ssvc/public_safety_impact.py
@@ -29,13 +29,13 @@
MINIMAL_1 = DecisionPointValue(
name="Minimal",
- description="The effect is below the threshold for all aspects described in material. ",
+ definition="The effect is below the threshold for all aspects described in material. ",
key="M",
)
MATERIAL = DecisionPointValue(
name="Material",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: Does one or more of the following: "
"(a) Causes physical distress or injury to system users. "
"(b) Introduces occupational safety hazards. "
@@ -50,7 +50,7 @@
MATERIAL_1 = DecisionPointValue(
name="Material",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: Does one or more of the following: "
"(a) Causes physical distress or injury to system users. "
"(b) Introduces occupational safety hazards. "
@@ -66,7 +66,7 @@
IRREVERSIBLE = DecisionPointValue(
name="Irreversible",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: One or both of the following are true: (a) Multiple fatalities are likely."
"(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. "
" Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small "
@@ -79,22 +79,22 @@
SIGNIFICANT = DecisionPointValue(
name="Significant",
- description="Safety Impact:(Major OR Hazardous OR Catastrophic)",
+ definition="Safety Impact:(Major OR Hazardous OR Catastrophic)",
key="S",
)
MINIMAL_2 = DecisionPointValue(
- name="Minimal", description="Safety Impact:(None OR Minor)", key="M"
+ name="Minimal", definition="Safety Impact:(None OR Minor)", key="M"
)
SIGNIFICANT_1 = DecisionPointValue(
name="Significant",
- description="Safety Impact:(Marginal OR Critical OR Catastrophic)",
+ definition="Safety Impact:(Marginal OR Critical OR Catastrophic)",
key="S",
)
MINIMAL_3 = DecisionPointValue(
- name="Minimal", description="Safety Impact:Negligible", key="M"
+ name="Minimal", definition="Safety Impact:Negligible", key="M"
)
# This version is deprecated because it had two values with the same key.
@@ -113,7 +113,7 @@
PUBLIC_WELL_BEING_IMPACT_1_1 = SsvcDecisionPoint(
name="Public Well-Being Impact",
- description="A coarse-grained representation of impact to public well-being.",
+ definition="A coarse-grained representation of impact to public well-being.",
key="PWI",
version="1.1.0",
values=(
@@ -126,7 +126,7 @@
PUBLIC_SAFETY_IMPACT_2 = SsvcDecisionPoint(
name="Public Safety Impact",
- description="A coarse-grained representation of impact to public safety.",
+ definition="A coarse-grained representation of impact to public safety.",
key="PSI",
version="2.0.0",
values=(
@@ -137,7 +137,7 @@
PUBLIC_SAFETY_IMPACT_2_0_1 = SsvcDecisionPoint(
name="Public Safety Impact",
- description="A coarse-grained representation of impact to public safety.",
+ definition="A coarse-grained representation of impact to public safety.",
key="PSI",
version="2.0.1",
values=(
diff --git a/src/ssvc/decision_points/ssvc/public_value_added.py b/src/ssvc/decision_points/ssvc/public_value_added.py
index eac5543b..dd8403a7 100644
--- a/src/ssvc/decision_points/ssvc/public_value_added.py
+++ b/src/ssvc/decision_points/ssvc/public_value_added.py
@@ -30,24 +30,24 @@
LIMITED = DecisionPointValue(
name="Limited",
key="L",
- description="Minimal value added to the existing public information because existing information is already high quality and in multiple outlets.",
+ definition="Minimal value added to the existing public information because existing information is already high quality and in multiple outlets.",
)
AMPLIATIVE = DecisionPointValue(
name="Ampliative",
key="A",
- description="Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc.",
+ definition="Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc.",
)
PRECEDENCE = DecisionPointValue(
name="Precedence",
key="P",
- description="The publication would be the first publicly available, or be coincident with the first publicly available.",
+ definition="The publication would be the first publicly available, or be coincident with the first publicly available.",
)
PUBLIC_VALUE_ADDED_1 = SsvcDecisionPoint(
name="Public Value Added",
- description="How much value would a publication from the coordinator benefit the broader community?",
+ definition="How much value would a publication from the coordinator benefit the broader community?",
key="PVA",
version="1.0.0",
values=(LIMITED, AMPLIATIVE, PRECEDENCE),
diff --git a/src/ssvc/decision_points/ssvc/report_credibility.py b/src/ssvc/decision_points/ssvc/report_credibility.py
index e74218ce..2391a1c3 100644
--- a/src/ssvc/decision_points/ssvc/report_credibility.py
+++ b/src/ssvc/decision_points/ssvc/report_credibility.py
@@ -30,18 +30,18 @@
NOT_CREDIBLE = DecisionPointValue(
name="Not Credible",
key="NC",
- description="The report is not credible.",
+ definition="The report is not credible.",
)
CREDIBLE = DecisionPointValue(
name="Credible",
key="C",
- description="The report is credible.",
+ definition="The report is credible.",
)
REPORT_CREDIBILITY_1 = SsvcDecisionPoint(
name="Report Credibility",
- description="Is the report credible?",
+ definition="Is the report credible?",
key="RC",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/report_public.py b/src/ssvc/decision_points/ssvc/report_public.py
index 73cccfee..7ffe3198 100644
--- a/src/ssvc/decision_points/ssvc/report_public.py
+++ b/src/ssvc/decision_points/ssvc/report_public.py
@@ -29,18 +29,18 @@
YES = DecisionPointValue(
name="Yes",
key="Y",
- description="A public report of the vulnerability exists.",
+ definition="A public report of the vulnerability exists.",
)
NO = DecisionPointValue(
name="No",
key="N",
- description="No public report of the vulnerability exists.",
+ definition="No public report of the vulnerability exists.",
)
REPORT_PUBLIC_1 = SsvcDecisionPoint(
name="Report Public",
- description="Is a viable report of the details of the vulnerability already publicly available?",
+ definition="Is a viable report of the details of the vulnerability already publicly available?",
key="RP",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/safety_impact.py b/src/ssvc/decision_points/ssvc/safety_impact.py
index 5db63999..bbe794bc 100644
--- a/src/ssvc/decision_points/ssvc/safety_impact.py
+++ b/src/ssvc/decision_points/ssvc/safety_impact.py
@@ -30,7 +30,7 @@
CATASTROPHIC = DecisionPointValue(
name="Catastrophic",
key="C",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) "
"Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). "
"System resiliency: Total loss of whole cyber-physical system, of which the software is a part. "
@@ -42,7 +42,7 @@
HAZARDOUS = DecisionPointValue(
name="Hazardous",
key="H",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. "
"Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. "
"System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. "
@@ -54,7 +54,7 @@
MAJOR = DecisionPointValue(
name="Major",
key="J",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: Physical distress and injuries for users (not operators) of the system. "
"Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the "
"vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. "
@@ -67,7 +67,7 @@
MINOR = DecisionPointValue(
name="Minor",
key="M",
- description="Any one or more of these conditions hold. "
+ definition="Any one or more of these conditions hold. "
"Physical harm: Physical discomfort for users (not operators) of the system. "
"Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the "
"vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. "
@@ -80,7 +80,7 @@
SAF_NONE = DecisionPointValue(
name="None",
key="N",
- description="The effect is below the threshold for all aspects described in Minor.",
+ definition="The effect is below the threshold for all aspects described in Minor.",
)
## Based on the IEC 61508 standard
@@ -89,7 +89,7 @@
CATASTROPHIC_2 = DecisionPointValue(
name="Catastrophic",
key="C",
- description="Any one or more of these conditions hold.
"
+ definition="Any one or more of these conditions hold.
"
"- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
"
"- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
"
"- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
"
@@ -101,7 +101,7 @@
CRITICAL = DecisionPointValue(
name="Critical",
key="R",
- description="Any one or more of these conditions hold.
"
+ definition="Any one or more of these conditions hold.
"
"- *Physical harm*: Loss of life (IEC 61508 Critical).
"
"- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
"
"- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
"
@@ -113,7 +113,7 @@
MARGINAL = DecisionPointValue(
name="Marginal",
key="M",
- description="Any one or more of these conditions hold.
"
+ definition="Any one or more of these conditions hold.
"
"- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
"
"- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the "
"vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
"
@@ -126,7 +126,7 @@
NEGLIGIBLE = DecisionPointValue(
name="Negligible",
key="N",
- description="Any one or more of these conditions hold.
"
+ definition="Any one or more of these conditions hold.
"
"- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
"
"- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the "
"vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
"
@@ -139,7 +139,7 @@
SAFETY_IMPACT_1 = SsvcDecisionPoint(
name="Safety Impact",
- description="The safety impact of the vulnerability.",
+ definition="The safety impact of the vulnerability.",
key="SI",
version="1.0.0",
values=(
@@ -154,7 +154,7 @@
SAFETY_IMPACT_2 = SsvcDecisionPoint(
name="Safety Impact",
- description="The safety impact of the vulnerability. (based on IEC 61508)",
+ definition="The safety impact of the vulnerability. (based on IEC 61508)",
key="SI",
version="2.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/supplier_cardinality.py b/src/ssvc/decision_points/ssvc/supplier_cardinality.py
index c78167f6..ed1653f3 100644
--- a/src/ssvc/decision_points/ssvc/supplier_cardinality.py
+++ b/src/ssvc/decision_points/ssvc/supplier_cardinality.py
@@ -29,18 +29,18 @@
MULTIPLE = DecisionPointValue(
name="Multiple",
key="M",
- description="There are multiple suppliers of the vulnerable component.",
+ definition="There are multiple suppliers of the vulnerable component.",
)
ONE = DecisionPointValue(
name="One",
key="O",
- description="There is only one supplier of the vulnerable component.",
+ definition="There is only one supplier of the vulnerable component.",
)
SUPPLIER_CARDINALITY_1 = SsvcDecisionPoint(
name="Supplier Cardinality",
- description="How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ definition="How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
key="SC",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/supplier_contacted.py b/src/ssvc/decision_points/ssvc/supplier_contacted.py
index 2b6d16d9..1a19b4ee 100644
--- a/src/ssvc/decision_points/ssvc/supplier_contacted.py
+++ b/src/ssvc/decision_points/ssvc/supplier_contacted.py
@@ -28,18 +28,18 @@
YES = DecisionPointValue(
name="Yes",
key="Y",
- description="The supplier has been contacted.",
+ definition="The supplier has been contacted.",
)
NO = DecisionPointValue(
name="No",
key="N",
- description="The supplier has not been contacted.",
+ definition="The supplier has not been contacted.",
)
SUPPLIER_CONTACTED_1 = SsvcDecisionPoint(
name="Supplier Contacted",
- description="Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ definition="Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
key="SCON",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/supplier_engagement.py b/src/ssvc/decision_points/ssvc/supplier_engagement.py
index ed9660fb..ae0a2d3d 100644
--- a/src/ssvc/decision_points/ssvc/supplier_engagement.py
+++ b/src/ssvc/decision_points/ssvc/supplier_engagement.py
@@ -30,18 +30,18 @@
UNRESPONSIVE = DecisionPointValue(
name="Unresponsive",
key="U",
- description="The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort.",
+ definition="The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort.",
)
ACTIVE = DecisionPointValue(
name="Active",
key="A",
- description="The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort.",
+ definition="The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort.",
)
SUPPLIER_ENGAGEMENT_1 = SsvcDecisionPoint(
name="Supplier Engagement",
- description="Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
+ definition="Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
key="SE",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/supplier_involvement.py b/src/ssvc/decision_points/ssvc/supplier_involvement.py
index 253620d9..f3e131c5 100644
--- a/src/ssvc/decision_points/ssvc/supplier_involvement.py
+++ b/src/ssvc/decision_points/ssvc/supplier_involvement.py
@@ -29,24 +29,24 @@
UNCOOPERATIVE = DecisionPointValue(
name="Uncooperative/Unresponsive",
key="UU",
- description="The supplier has not responded, declined to generate a remediation, or no longer exists.",
+ definition="The supplier has not responded, declined to generate a remediation, or no longer exists.",
)
COOPERATIVE = DecisionPointValue(
name="Cooperative",
key="C",
- description="The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time.",
+ definition="The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time.",
)
FIX_READY = DecisionPointValue(
name="Fix Ready",
key="FR",
- description="The supplier has provided a patch or fix.",
+ definition="The supplier has provided a patch or fix.",
)
SUPPLIER_INVOLVEMENT_1 = SsvcDecisionPoint(
name="Supplier Involvement",
- description="What is the state of the supplier’s work on addressing the vulnerability?",
+ definition="What is the state of the supplier’s work on addressing the vulnerability?",
key="SINV",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/system_exposure.py b/src/ssvc/decision_points/ssvc/system_exposure.py
index 06b87b82..0c23cfc6 100644
--- a/src/ssvc/decision_points/ssvc/system_exposure.py
+++ b/src/ssvc/decision_points/ssvc/system_exposure.py
@@ -29,14 +29,14 @@
EXP_UNAVOIDABLE = DecisionPointValue(
name="Unavoidable",
key="U",
- description="Internet or another widely accessible network where access cannot plausibly be restricted or "
+ definition="Internet or another widely accessible network where access cannot plausibly be restricted or "
"controlled (e.g., DNS servers, web servers, VOIP servers, email servers)",
)
EXP_CONTROLLED = DecisionPointValue(
name="Controlled",
key="C",
- description="Networked service with some access restrictions or mitigations already in place (whether locally or on the network). "
+ definition="Networked service with some access restrictions or mitigations already in place (whether locally or on the network). "
"A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable "
"both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be "
"exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the "
@@ -47,13 +47,13 @@
EXP_SMALL = DecisionPointValue(
name="Small",
key="S",
- description="Local service or program; highly controlled network",
+ definition="Local service or program; highly controlled network",
)
SYSTEM_EXPOSURE_1 = SsvcDecisionPoint(
name="System Exposure",
- description="The Accessible Attack Surface of the Affected System or Service",
+ definition="The Accessible Attack Surface of the Affected System or Service",
key="EXP",
version="1.0.0",
values=(
@@ -67,14 +67,14 @@
EXP_OPEN = DecisionPointValue(
name="Open",
key="O",
- description="Internet or another widely accessible network where access cannot plausibly be restricted or "
+ definition="Internet or another widely accessible network where access cannot plausibly be restricted or "
"controlled (e.g., DNS servers, web servers, VOIP servers, email servers)",
)
SYSTEM_EXPOSURE_1_0_1 = SsvcDecisionPoint(
name="System Exposure",
- description="The Accessible Attack Surface of the Affected System or Service",
+ definition="The Accessible Attack Surface of the Affected System or Service",
key="EXP",
version="1.0.1",
values=(
diff --git a/src/ssvc/decision_points/ssvc/technical_impact.py b/src/ssvc/decision_points/ssvc/technical_impact.py
index e2bd46dd..742f0a16 100644
--- a/src/ssvc/decision_points/ssvc/technical_impact.py
+++ b/src/ssvc/decision_points/ssvc/technical_impact.py
@@ -30,18 +30,18 @@
TOTAL = DecisionPointValue(
name="Total",
key="T",
- description="The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.",
+ definition="The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.",
)
PARTIAL = DecisionPointValue(
name="Partial",
key="P",
- description="The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control.",
+ definition="The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control.",
)
TECHNICAL_IMPACT_1 = SsvcDecisionPoint(
name="Technical Impact",
- description="The technical impact of the vulnerability.",
+ definition="The technical impact of the vulnerability.",
key="TI",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_points/ssvc/utility.py b/src/ssvc/decision_points/ssvc/utility.py
index f83518c3..d7a774c6 100644
--- a/src/ssvc/decision_points/ssvc/utility.py
+++ b/src/ssvc/decision_points/ssvc/utility.py
@@ -30,42 +30,42 @@
SUPER_EFFECTIVE_2 = DecisionPointValue(
name="Super Effective",
key="S",
- description="Automatable:Yes AND Value Density:Concentrated",
+ definition="Automatable:Yes AND Value Density:Concentrated",
)
EFFICIENT_2 = DecisionPointValue(
name="Efficient",
key="E",
- description="(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)",
+ definition="(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)",
)
LABORIOUS_2 = DecisionPointValue(
name="Laborious",
key="L",
- description="Automatable:No AND Value Density:Diffuse",
+ definition="Automatable:No AND Value Density:Diffuse",
)
SUPER_EFFECTIVE = DecisionPointValue(
name="Super Effective",
key="S",
- description="Virulence:Rapid and Value Density:Concentrated",
+ definition="Virulence:Rapid and Value Density:Concentrated",
)
EFFICIENT = DecisionPointValue(
name="Efficient",
key="E",
- description="Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated",
+ definition="Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated",
)
LABORIOUS = DecisionPointValue(
name="Laborious",
key="L",
- description="Virulence:Slow and Value Density:Diffuse",
+ definition="Virulence:Slow and Value Density:Diffuse",
)
UTILITY_1 = SsvcDecisionPoint(
name="Utility",
- description="The Usefulness of the Exploit to the Adversary",
+ definition="The Usefulness of the Exploit to the Adversary",
key="U",
version="1.0.0",
values=(
@@ -77,7 +77,7 @@
UTILITY_1_0_1 = SsvcDecisionPoint(
name="Utility",
- description="The Usefulness of the Exploit to the Adversary",
+ definition="The Usefulness of the Exploit to the Adversary",
key="U",
version="1.0.1",
values=(
diff --git a/src/ssvc/decision_points/ssvc/value_density.py b/src/ssvc/decision_points/ssvc/value_density.py
index 610291a8..6cecd8cf 100644
--- a/src/ssvc/decision_points/ssvc/value_density.py
+++ b/src/ssvc/decision_points/ssvc/value_density.py
@@ -29,18 +29,18 @@
CONCENTRATED = DecisionPointValue(
name="Concentrated",
key="C",
- description="The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users.",
+ definition="The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users.",
)
DIFFUSE = DecisionPointValue(
name="Diffuse",
key="D",
- description="The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small.",
+ definition="The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small.",
)
VALUE_DENSITY_1 = SsvcDecisionPoint(
name="Value Density",
- description="The concentration of value in the target",
+ definition="The concentration of value in the target",
key="VD",
version="1.0.0",
values=(
diff --git a/src/ssvc/decision_tables/base.py b/src/ssvc/decision_tables/base.py
index 1417b56d..9ef5d445 100644
--- a/src/ssvc/decision_tables/base.py
+++ b/src/ssvc/decision_tables/base.py
@@ -714,70 +714,3 @@ def check_topological_order(dt: DecisionTable) -> list[dict]:
return check_topological_order(
df, target=target, target_value_order=target_value_order
)
-
-
-def main() -> None:
- from ssvc.dp_groups.ssvc.coordinator_publication import LATEST as dpg
- from ssvc.outcomes.basic.mscw import LATEST as outcomes
- import os
- import json
-
- rootlogger = logging.getLogger()
- rootlogger.setLevel(logging.DEBUG)
- hdlr = logging.StreamHandler()
- rootlogger.addHandler(hdlr)
-
- dpg.add(outcomes)
-
- table = DecisionTable(
- name="Test Table",
- description="A test decision table",
- namespace="x_example.test#test-table",
- decision_points=dpg.decision_points,
- outcome=outcomes.id,
- )
-
- csv_str = decision_table_to_csv(table, index=False)
- print("## Shortform CSV representation of the decision table:")
- print()
- print("```csv")
- print(csv_str)
- print("```")
-
- converted_df = decision_table_to_longform_df(table)
- print("## Longform DataFrame representation of the decision table:")
- print()
- print("```csv")
- print(converted_df.to_csv(index=True, index_label="row"))
- print("```")
-
- print(feature_importance(table))
- print(interpret_feature_importance(table))
- print(check_topological_order(table))
-
- print("## JSON representation of the decision table:")
- print()
- print("```json")
- print(table.model_dump_json(indent=2))
- print("```")
-
- print("## Obfuscated JSON representation of the decision table:")
- obfuscated = table.obfuscate()
- print(obfuscated.model_dump_json(indent=2))
-
- # write json schema to file
- file_loc = os.path.dirname(__file__)
-
- schemafile = "../../../data/schema/v2/Decision_Table-2-0-0.schema.json"
- schemafile = os.path.abspath(os.path.join(file_loc, schemafile))
- print("Writing JSON schema to file:", schemafile)
-
- if not os.path.exists(os.path.dirname(schemafile)):
- os.makedirs(os.path.dirname(schemafile))
-
- with open(schemafile, "w") as f:
- json.dump(DecisionTable.model_json_schema(), f, indent=2)
-
-
-if __name__ == "__main__":
- main()
diff --git a/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py b/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py
index 39666a4d..449b6a1d 100644
--- a/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py
+++ b/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py
@@ -44,7 +44,7 @@
key="CO",
version="2.0.3",
name="CISA Coordinator",
- description="CISA Coordinator decision table for SSVC",
+ definition="CISA Coordinator decision table for SSVC",
outcome=Priority.id,
decision_points={
dp.id: dp
diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_five.py b/src/ssvc/decision_tables/cvss/equivalence_set_five.py
index 0eb8463b..15ba75d6 100644
--- a/src/ssvc/decision_tables/cvss/equivalence_set_five.py
+++ b/src/ssvc/decision_tables/cvss/equivalence_set_five.py
@@ -41,7 +41,7 @@
key="CVSS_EQ5",
version="1.0.0",
name="CVSS v4 Equivalence Set 5",
- description="CVSS Equivalence Set 5 Decision Table",
+ definition="CVSS Equivalence Set 5 Decision Table",
decision_points={dp.id: dp for dp in [E, EQ5]},
outcome=EQ5.id,
mapping=[
diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_four.py b/src/ssvc/decision_tables/cvss/equivalence_set_four.py
index 554e9b35..e2523034 100644
--- a/src/ssvc/decision_tables/cvss/equivalence_set_four.py
+++ b/src/ssvc/decision_tables/cvss/equivalence_set_four.py
@@ -48,7 +48,7 @@
key="CVSS4_EQ4",
version="1.0.0",
name="CVSS v4 Equivalence Set 4",
- description="This decision table models equivalence set 4 from CVSS v4.",
+ definition="This decision table models equivalence set 4 from CVSS v4.",
decision_points={dp.id: dp for dp in (SC, MSI, MSA, EQ4)},
outcome=EQ4.id,
mapping=[
diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_one.py b/src/ssvc/decision_tables/cvss/equivalence_set_one.py
index 41b227d7..3c35c51b 100644
--- a/src/ssvc/decision_tables/cvss/equivalence_set_one.py
+++ b/src/ssvc/decision_tables/cvss/equivalence_set_one.py
@@ -43,7 +43,7 @@
key="CVSS4_EQ1",
version="1.0.0",
name="CVSS v4 Equivalence Set 1",
- description="This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).",
+ definition="This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).",
decision_points={dp.id: dp for dp in (AV, PR, UI, EQ1)},
outcome=EQ1.id,
mapping=[
diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_six.py b/src/ssvc/decision_tables/cvss/equivalence_set_six.py
index c5fc4a96..97a28c2f 100644
--- a/src/ssvc/decision_tables/cvss/equivalence_set_six.py
+++ b/src/ssvc/decision_tables/cvss/equivalence_set_six.py
@@ -58,7 +58,7 @@
key="CVSS4_EQ6",
version="1.0.0",
name="CVSS v4 Equivalence Set 6",
- description="This decision table models equivalence set 6 from CVSS v4.",
+ definition="This decision table models equivalence set 6 from CVSS v4.",
decision_points={dp.id: dp for dp in (CR, VC, IR, VI, AR, VA, EQ6)},
outcome=EQ6.id,
mapping=[
diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_three.py b/src/ssvc/decision_tables/cvss/equivalence_set_three.py
index e6b2757c..a7d878bd 100644
--- a/src/ssvc/decision_tables/cvss/equivalence_set_three.py
+++ b/src/ssvc/decision_tables/cvss/equivalence_set_three.py
@@ -47,7 +47,7 @@
key="CVSS4_EQ3",
version="1.0.0",
name="CVSS v4 Equivalence Set 3",
- description="This decision table models equivalence set 3 from CVSS v4.",
+ definition="This decision table models equivalence set 3 from CVSS v4.",
decision_points={dp.id: dp for dp in (VC, VI, VA, EQ3)},
outcome=EQ3.id,
mapping=[
diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_two.py b/src/ssvc/decision_tables/cvss/equivalence_set_two.py
index 38a748c2..eb42a352 100644
--- a/src/ssvc/decision_tables/cvss/equivalence_set_two.py
+++ b/src/ssvc/decision_tables/cvss/equivalence_set_two.py
@@ -44,7 +44,7 @@
key="CVSS4_EQ2",
version="1.0.0",
name="CVSS v4 Equivalence Set 2",
- description="This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).",
+ definition="This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).",
decision_points={dp.id: dp for dp in (AC, AT, EQ2)},
outcome=EQ2.id,
mapping=[
diff --git a/src/ssvc/decision_tables/cvss/qualitative_severity.py b/src/ssvc/decision_tables/cvss/qualitative_severity.py
index 9e6f21f1..e808b302 100644
--- a/src/ssvc/decision_tables/cvss/qualitative_severity.py
+++ b/src/ssvc/decision_tables/cvss/qualitative_severity.py
@@ -39,7 +39,7 @@
key="CVSS_QSR",
version="4.0.0",
namespace="cvss",
- description="CVSS v4.0 using MacroVectors and Interpolation. See https://www.first.org/cvss/specification-document#New-Scoring-System-Development for details",
+ definition="CVSS v4.0 using MacroVectors and Interpolation. See https://www.first.org/cvss/specification-document#New-Scoring-System-Development for details",
decision_points=dp_dict,
outcome=LMHC.id,
mapping=[
diff --git a/src/ssvc/decision_tables/ssvc/coord_pub_dt.py b/src/ssvc/decision_tables/ssvc/coord_pub_dt.py
index 9a9697ea..6c204919 100644
--- a/src/ssvc/decision_tables/ssvc/coord_pub_dt.py
+++ b/src/ssvc/decision_tables/ssvc/coord_pub_dt.py
@@ -39,7 +39,7 @@
key="COORD_PUBLISH",
version="1.0.0",
name="Coordinator Publish Decision Table",
- description="This decision table is used to determine the priority of a coordinator publish.",
+ definition="This decision table is used to determine the priority of a coordinator publish.",
decision_points={
dp.id: dp
for dp in [
diff --git a/src/ssvc/decision_tables/ssvc/coord_triage.py b/src/ssvc/decision_tables/ssvc/coord_triage.py
index ce8a7131..3e621a70 100644
--- a/src/ssvc/decision_tables/ssvc/coord_triage.py
+++ b/src/ssvc/decision_tables/ssvc/coord_triage.py
@@ -49,7 +49,7 @@
key="COORD_TRIAGE",
version="1.0.0",
name="Coordinator Triage",
- description="Decision table for coordinator triage",
+ definition="Decision table for coordinator triage",
decision_points={
dp.id: dp
for dp in [
diff --git a/src/ssvc/decision_tables/ssvc/deployer_dt.py b/src/ssvc/decision_tables/ssvc/deployer_dt.py
index 0d19c1f5..dfac0231 100644
--- a/src/ssvc/decision_tables/ssvc/deployer_dt.py
+++ b/src/ssvc/decision_tables/ssvc/deployer_dt.py
@@ -44,7 +44,7 @@
key="DP",
version="1.0.0",
name="Deployer Patch Application Priority",
- description="Decision table for evaluating deployer's patch application priority in SSVC",
+ definition="Decision table for evaluating deployer's patch application priority in SSVC",
decision_points={
dp.id: dp
for dp in [Exploitation, Exposure, Automatable, HumanImpact, DSOI]
diff --git a/src/ssvc/decision_tables/ssvc/human_impact.py b/src/ssvc/decision_tables/ssvc/human_impact.py
index 9ba1e432..9a8fb056 100644
--- a/src/ssvc/decision_tables/ssvc/human_impact.py
+++ b/src/ssvc/decision_tables/ssvc/human_impact.py
@@ -42,7 +42,7 @@
key="HI",
version="1.0.0",
name="Human Impact",
- description="Human Impact decision table for SSVC",
+ definition="Human Impact decision table for SSVC",
decision_points={
dp.id: dp for dp in [SituatedSafetyImpact, MissionImpact, HumanImpact]
},
diff --git a/src/ssvc/decision_tables/ssvc/public_safety_impact.py b/src/ssvc/decision_tables/ssvc/public_safety_impact.py
index a93f1c93..af6ffb6c 100644
--- a/src/ssvc/decision_tables/ssvc/public_safety_impact.py
+++ b/src/ssvc/decision_tables/ssvc/public_safety_impact.py
@@ -53,7 +53,7 @@
key="DT_PSI",
version="1.0.0",
name="Public Safety Impact",
- description="Public Safety Impact Decision Table",
+ definition="Public Safety Impact Decision Table",
decision_points={dp.id: dp for dp in [SI, PSI]},
outcome=PSI.id,
mapping=[
diff --git a/src/ssvc/decision_tables/ssvc/supplier_dt.py b/src/ssvc/decision_tables/ssvc/supplier_dt.py
index e91cb77e..9f6c2514 100644
--- a/src/ssvc/decision_tables/ssvc/supplier_dt.py
+++ b/src/ssvc/decision_tables/ssvc/supplier_dt.py
@@ -44,7 +44,7 @@
key="SP",
version="1.0.0",
name="Supplier Patch Development Priority",
- description="Decision table for evaluating supplier patch development priority in SSVC",
+ definition="Decision table for evaluating supplier patch development priority in SSVC",
decision_points={
dp.id: dp
for dp in [
diff --git a/src/ssvc/decision_tables/ssvc/utility.py b/src/ssvc/decision_tables/ssvc/utility.py
index fb51aac1..830003ed 100644
--- a/src/ssvc/decision_tables/ssvc/utility.py
+++ b/src/ssvc/decision_tables/ssvc/utility.py
@@ -37,7 +37,7 @@
key="U",
version="1.0.0",
name="Utility",
- description="Utility decision table for SSVC",
+ definition="Utility decision table for SSVC",
decision_points={dp.id: dp for dp in [Automatable, ValueDensity, Utility]},
outcome=Utility.id,
mapping=[
diff --git a/src/ssvc/doc_helpers.py b/src/ssvc/doc_helpers.py
index a78a6fee..0f842352 100644
--- a/src/ssvc/doc_helpers.py
+++ b/src/ssvc/doc_helpers.py
@@ -25,7 +25,7 @@
from ssvc.decision_points.ssvc.base import SsvcDecisionPoint
-MD_TABLE_ROW_TEMPLATE = "| {value.name} ({value.key}) | {value.description} |"
+MD_TABLE_ROW_TEMPLATE = "| {value.name} ({value.key}) | {value.definition} |"
def markdown_table(dp: SsvcDecisionPoint, indent: int = 0) -> str:
@@ -41,7 +41,7 @@ def markdown_table(dp: SsvcDecisionPoint, indent: int = 0) -> str:
rows = []
# prepend the header
_indent = " " * indent
- rows.append(f"{_indent}{dp.description}")
+ rows.append(f"{_indent}{dp.definition}")
rows.append("")
rows.append(f"{_indent}| Value | Definition |")
rows.append(f"{_indent}|:-----|:-----------|")
diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py
index e345adb0..651ff7f2 100644
--- a/src/ssvc/dp_groups/cvss/collections.py
+++ b/src/ssvc/dp_groups/cvss/collections.py
@@ -159,7 +159,7 @@
CVSSv1_B = DecisionPointGroup(
name="CVSS",
version="1.0.0",
- description="CVSS v1 decision points",
+ definition="CVSS v1 decision points",
decision_points=tuple(BASE_1),
)
"""CVSS v1 Base Metrics"""
@@ -167,7 +167,7 @@
CVSSv1_BT = DecisionPointGroup(
name="CVSS",
version="1.0.0",
- description="CVSS v1 decision points",
+ definition="CVSS v1 decision points",
decision_points=tuple(BASE_1 + TEMPORAL_1),
)
"""CVSS v1 Base and Temporal Metrics"""
@@ -175,7 +175,7 @@
CVSSv1_BTE = DecisionPointGroup(
name="CVSS",
version="1.0.0",
- description="CVSS v1 decision points",
+ definition="CVSS v1 decision points",
decision_points=tuple(BASE_1 + TEMPORAL_1 + ENVIRONMENTAL_1),
)
"""CVSS v1 Base, Temporal, and Environmental Metrics"""
@@ -212,7 +212,7 @@
CVSSv2_B = DecisionPointGroup(
name="CVSS Version 2 Base Metrics",
- description="Base metrics for CVSS v2",
+ definition="Base metrics for CVSS v2",
version="2.0.0",
decision_points=tuple(BASE_2),
)
@@ -220,7 +220,7 @@
CVSSv2_BT = DecisionPointGroup(
name="CVSS Version 2 Base and Temporal Metrics",
- description="Base and Temporal metrics for CVSS v2",
+ definition="Base and Temporal metrics for CVSS v2",
version="2.0.0",
decision_points=tuple(BASE_2 + TEMPORAL_2),
)
@@ -228,7 +228,7 @@
CVSSv2_BTE = DecisionPointGroup(
name="CVSS Version 2 Base, Temporal, and Environmental Metrics",
- description="Base, Temporal, and Environmental metrics for CVSS v2",
+ definition="Base, Temporal, and Environmental metrics for CVSS v2",
version="2.0.0",
decision_points=tuple(BASE_2 + TEMPORAL_2 + ENVIRONMENTAL_2),
)
@@ -266,7 +266,7 @@
CVSSv3_B = DecisionPointGroup(
name="CVSS Version 3 Base Metrics",
- description="Base metrics for CVSS v3",
+ definition="Base metrics for CVSS v3",
version="3.0.0",
decision_points=tuple(BASE_3),
)
@@ -274,7 +274,7 @@
CVSSv3_BT = DecisionPointGroup(
name="CVSS Version 3 Base and Temporal Metrics",
- description="Base and Temporal metrics for CVSS v3",
+ definition="Base and Temporal metrics for CVSS v3",
version="3.0.0",
decision_points=tuple(BASE_3 + TEMPORAL_3),
)
@@ -282,7 +282,7 @@
CVSSv3_BTE = DecisionPointGroup(
name="CVSS Version 3 Base, Temporal, and Environmental Metrics",
- description="Base, Temporal, and Environmental metrics for CVSS v3",
+ definition="Base, Temporal, and Environmental metrics for CVSS v3",
version="3.0.0",
decision_points=tuple(BASE_3 + TEMPORAL_3 + ENVIRONMENTAL_3),
)
@@ -340,7 +340,7 @@
# CVSS-B Base metrics
CVSSv4_B = DecisionPointGroup(
name="CVSSv4 Base Metrics",
- description="Base metrics for CVSS v4",
+ definition="Base metrics for CVSS v4",
version="4.0.0",
decision_points=tuple(BASE_4),
)
@@ -349,7 +349,7 @@
# CVSS-BE Base and Environmental metrics
CVSSv4_BE = DecisionPointGroup(
name="CVSSv4 Base and Environmental Metrics",
- description="Base and Environmental metrics for CVSS v4",
+ definition="Base and Environmental metrics for CVSS v4",
version="4.0.0",
decision_points=tuple(BASE_4 + ENVIRONMENTAL_4),
)
@@ -358,7 +358,7 @@
# CVSS-BT Base and Threat metrics
CVSSv4_BT = DecisionPointGroup(
name="CVSSv4 Base and Threat Metrics",
- description="Base and Threat metrics for CVSS v4",
+ definition="Base and Threat metrics for CVSS v4",
version="4.0.0",
decision_points=tuple(BASE_4 + THREAT_4),
)
@@ -367,7 +367,7 @@
# CVSS-BTE
CVSSv4_BTE = DecisionPointGroup(
name="CVSSv4 Base, Threat, and Environmental Metrics",
- description="Base, Threat, and Environmental metrics for CVSS v4",
+ definition="Base, Threat, and Environmental metrics for CVSS v4",
version="4.0.0",
decision_points=tuple(BASE_4 + THREAT_4 + ENVIRONMENTAL_4),
)
@@ -375,7 +375,7 @@
CVSSv4 = DecisionPointGroup(
name="CVSSv4",
- description="All decision points for CVSS v4 (including supplemental metrics)",
+ definition="All decision points for CVSS v4 (including supplemental metrics)",
version="4.0.0",
decision_points=tuple(
BASE_4 + THREAT_4 + ENVIRONMENTAL_4 + SUPPLEMENTAL_4
@@ -385,7 +385,7 @@
CVSSv4_Equivalence_Sets = DecisionPointGroup(
name="CVSSv4 EQ Sets",
- description="Equivalence Sets for CVSS v4",
+ definition="Equivalence Sets for CVSS v4",
version="4.0.0",
decision_points=(
EQ1,
diff --git a/src/ssvc/dp_groups/ssvc/collections.py b/src/ssvc/dp_groups/ssvc/collections.py
index 05f20da0..e0570d10 100644
--- a/src/ssvc/dp_groups/ssvc/collections.py
+++ b/src/ssvc/dp_groups/ssvc/collections.py
@@ -40,7 +40,7 @@
SSVCv1 = DecisionPointGroup(
name="SSVCv1",
- description="The first version of the SSVC.",
+ definition="The first version of the SSVC.",
version="1.0.0",
decision_points=get_all_decision_points_from(
PATCH_APPLIER_1, PATCH_DEVELOPER_1
@@ -50,7 +50,7 @@
SSVCv2 = DecisionPointGroup(
name="SSVCv2",
- description="The second version of the SSVC.",
+ definition="The second version of the SSVC.",
version="2.0.0",
decision_points=get_all_decision_points_from(
COORDINATOR_PUBLICATION_1, COORDINATOR_TRIAGE_1, DEPLOYER_2, SUPPLIER_2
@@ -60,7 +60,7 @@
SSVCv2_1 = DecisionPointGroup(
name="SSVCv2.1",
- description="The second version of the SSVC.",
+ definition="The second version of the SSVC.",
version="2.1.0",
decision_points=get_all_decision_points_from(
COORDINATOR_PUBLICATION_1, COORDINATOR_TRIAGE_1, DEPLOYER_3, SUPPLIER_2
diff --git a/src/ssvc/dp_groups/ssvc/coordinator_publication.py b/src/ssvc/dp_groups/ssvc/coordinator_publication.py
index 1a90aad1..2881a0eb 100644
--- a/src/ssvc/dp_groups/ssvc/coordinator_publication.py
+++ b/src/ssvc/dp_groups/ssvc/coordinator_publication.py
@@ -33,7 +33,7 @@
COORDINATOR_PUBLICATION_1 = DecisionPointGroup(
name="Coordinator Publication",
- description="The decision points used by the coordinator during publication.",
+ definition="The decision points used by the coordinator during publication.",
version="1.0.0",
decision_points=(
SUPPLIER_INVOLVEMENT_1,
diff --git a/src/ssvc/dp_groups/ssvc/coordinator_triage.py b/src/ssvc/dp_groups/ssvc/coordinator_triage.py
index fa0f1e8d..b24a5e74 100644
--- a/src/ssvc/dp_groups/ssvc/coordinator_triage.py
+++ b/src/ssvc/dp_groups/ssvc/coordinator_triage.py
@@ -41,7 +41,7 @@
COORDINATOR_TRIAGE_1 = DecisionPointGroup(
name="Coordinator Triage",
- description="The decision points used by the coordinator during triage.",
+ definition="The decision points used by the coordinator during triage.",
version="1.0.0",
decision_points=(
REPORT_PUBLIC_1,
diff --git a/src/ssvc/dp_groups/ssvc/deployer.py b/src/ssvc/dp_groups/ssvc/deployer.py
index 4473746c..80654d15 100644
--- a/src/ssvc/dp_groups/ssvc/deployer.py
+++ b/src/ssvc/dp_groups/ssvc/deployer.py
@@ -42,7 +42,7 @@
PATCH_APPLIER_1 = DecisionPointGroup(
name="SSVC Patch Applier",
- description="The decision points used by the patch applier.",
+ definition="The decision points used by the patch applier.",
version="1.0.0",
decision_points=(
EXPLOITATION_1,
@@ -68,7 +68,7 @@
# SSVC v2
DEPLOYER_2 = DecisionPointGroup(
name="SSVC Deployer",
- description="The decision points used by the deployer.",
+ definition="The decision points used by the deployer.",
version="2.0.0",
decision_points=(
EXPLOITATION_1,
@@ -102,7 +102,7 @@
DEPLOYER_3 = DecisionPointGroup(
name="SSVC Deployer",
- description="The decision points used by the deployer.",
+ definition="The decision points used by the deployer.",
version="3.0.0",
decision_points=(
EXPLOITATION_1,
diff --git a/src/ssvc/dp_groups/ssvc/supplier.py b/src/ssvc/dp_groups/ssvc/supplier.py
index f7a73c13..28557a2e 100644
--- a/src/ssvc/dp_groups/ssvc/supplier.py
+++ b/src/ssvc/dp_groups/ssvc/supplier.py
@@ -34,7 +34,7 @@
PATCH_DEVELOPER_1 = DecisionPointGroup(
name="SSVC Patch Developer",
- description="The decision points used by the patch developer.",
+ definition="The decision points used by the patch developer.",
version="1.0.0",
decision_points=(
EXPLOITATION_1,
@@ -64,7 +64,7 @@
# SSVC v2 renamed to SSVC Supplier
SUPPLIER_2 = DecisionPointGroup(
name="SSVC Supplier",
- description="The decision points used by the supplier.",
+ definition="The decision points used by the supplier.",
version="2.0.0",
decision_points=(
EXPLOITATION_1,
diff --git a/src/ssvc/outcomes/basic/ike.py b/src/ssvc/outcomes/basic/ike.py
index e18f3c7e..1f669d78 100644
--- a/src/ssvc/outcomes/basic/ike.py
+++ b/src/ssvc/outcomes/basic/ike.py
@@ -29,22 +29,18 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.namespaces import NameSpace
-_DELETE = DecisionPointValue(name="Delete", key="D", description="Delete")
+_DELETE = DecisionPointValue(name="Delete", key="D", definition="Delete")
-_DELEGATE = DecisionPointValue(
- name="Delegate", key="G", description="Delegate"
-)
+_DELEGATE = DecisionPointValue(name="Delegate", key="G", definition="Delegate")
-_SCHEDULE = DecisionPointValue(
- name="Schedule", key="S", description="Schedule"
-)
+_SCHEDULE = DecisionPointValue(name="Schedule", key="S", definition="Schedule")
-_DO = DecisionPointValue(name="Do", key="O", description="Do")
+_DO = DecisionPointValue(name="Do", key="O", definition="Do")
EISENHOWER = DecisionPoint(
name="Do, Schedule, Delegate, Delete",
key="IKE",
- description="The Eisenhower outcome group.",
+ definition="The Eisenhower outcome group.",
namespace=NameSpace.BASIC,
version="1.0.0",
values=(
diff --git a/src/ssvc/outcomes/basic/lmh.py b/src/ssvc/outcomes/basic/lmh.py
index 943b91d6..e9cf759f 100644
--- a/src/ssvc/outcomes/basic/lmh.py
+++ b/src/ssvc/outcomes/basic/lmh.py
@@ -25,14 +25,14 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.namespaces import NameSpace
-_LOW = DecisionPointValue(name="Low", key="L", description="Low")
-_MEDIUM = DecisionPointValue(name="Medium", key="M", description="Medium")
-_HIGH = DecisionPointValue(name="High", key="H", description="High")
+_LOW = DecisionPointValue(name="Low", key="L", definition="Low")
+_MEDIUM = DecisionPointValue(name="Medium", key="M", definition="Medium")
+_HIGH = DecisionPointValue(name="High", key="H", definition="High")
V1_0_0 = DecisionPoint(
name="LowMediumHigh",
key="LMH",
- description="A Low/Medium/High decision point / outcome group.",
+ definition="A Low/Medium/High decision point / outcome group.",
version="1.0.0",
namespace=NameSpace.BASIC,
values=(
diff --git a/src/ssvc/outcomes/basic/mscw.py b/src/ssvc/outcomes/basic/mscw.py
index 45cb4501..f3d44346 100644
--- a/src/ssvc/outcomes/basic/mscw.py
+++ b/src/ssvc/outcomes/basic/mscw.py
@@ -28,18 +28,18 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.namespaces import NameSpace
-_WONT = DecisionPointValue(name="Won't", key="W", description="Won't")
+_WONT = DecisionPointValue(name="Won't", key="W", definition="Won't")
-_COULD = DecisionPointValue(name="Could", key="C", description="Could")
+_COULD = DecisionPointValue(name="Could", key="C", definition="Could")
-_SHOULD = DecisionPointValue(name="Should", key="S", description="Should")
+_SHOULD = DecisionPointValue(name="Should", key="S", definition="Should")
-_MUST = DecisionPointValue(name="Must", key="M", description="Must")
+_MUST = DecisionPointValue(name="Must", key="M", definition="Must")
MSCW = DecisionPoint(
name="MoSCoW",
key="MSCW",
- description="The MoSCoW (Must, Should, Could, Won't) outcome group.",
+ definition="The MoSCoW (Must, Should, Could, Won't) outcome group.",
version="1.0.0",
namespace=NameSpace.BASIC,
values=(
diff --git a/src/ssvc/outcomes/basic/value_complexity.py b/src/ssvc/outcomes/basic/value_complexity.py
index 4d88f335..d197338d 100644
--- a/src/ssvc/outcomes/basic/value_complexity.py
+++ b/src/ssvc/outcomes/basic/value_complexity.py
@@ -29,24 +29,20 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.namespaces import NameSpace
-_DROP = DecisionPointValue(name="Drop", key="D", description="Drop")
+_DROP = DecisionPointValue(name="Drop", key="D", definition="Drop")
_RECONSIDER = DecisionPointValue(
- name="Reconsider Later", key="R", description="Reconsider Later"
+ name="Reconsider Later", key="R", definition="Reconsider Later"
)
-_EASY_WIN = DecisionPointValue(
- name="Easy Win", key="E", description="Easy Win"
-)
+_EASY_WIN = DecisionPointValue(name="Easy Win", key="E", definition="Easy Win")
-_DO_FIRST = DecisionPointValue(
- name="Do First", key="F", description="Do First"
-)
+_DO_FIRST = DecisionPointValue(name="Do First", key="F", definition="Do First")
VALUE_COMPLEXITY = DecisionPoint(
name="Value, Complexity",
key="VALUE_COMPLEXITY",
- description="The Value/Complexity outcome group.",
+ definition="The Value/Complexity outcome group.",
version="1.0.0",
namespace=NameSpace.BASIC,
values=(
diff --git a/src/ssvc/outcomes/basic/yn.py b/src/ssvc/outcomes/basic/yn.py
index 62b7d9c1..a947dd9c 100644
--- a/src/ssvc/outcomes/basic/yn.py
+++ b/src/ssvc/outcomes/basic/yn.py
@@ -25,14 +25,14 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.namespaces import NameSpace
-_NO = DecisionPointValue(name="No", key="N", description="No")
+_NO = DecisionPointValue(name="No", key="N", definition="No")
-_YES = DecisionPointValue(name="Yes", key="Y", description="Yes")
+_YES = DecisionPointValue(name="Yes", key="Y", definition="Yes")
YES_NO = DecisionPoint(
name="YesNo",
key="YN",
- description="A Yes/No decision point / outcome group.",
+ definition="A Yes/No decision point / outcome group.",
version="1.0.0",
namespace=NameSpace.BASIC,
values=(
diff --git a/src/ssvc/outcomes/cisa/scoring.py b/src/ssvc/outcomes/cisa/scoring.py
index 3097061a..fedbca80 100644
--- a/src/ssvc/outcomes/cisa/scoring.py
+++ b/src/ssvc/outcomes/cisa/scoring.py
@@ -27,7 +27,7 @@
_TRACK = DecisionPointValue(
name="Track",
key="T",
- description="The vulnerability does not require action at this time. "
+ definition="The vulnerability does not require action at this time. "
"The organization would continue to track the vulnerability and reassess it if new information becomes available. "
"CISA recommends remediating Track vulnerabilities within standard update timelines.",
)
@@ -35,14 +35,14 @@
_TRACK_STAR = DecisionPointValue(
name="Track*",
key="T*",
- description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
+ definition="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
"CISA recommends remediating Track* vulnerabilities within standard update timelines.",
)
_ATTEND = DecisionPointValue(
name="Attend",
key="AT",
- description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. "
+ definition="The vulnerability requires attention from the organization's internal, supervisory-level individuals. "
"Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. "
"CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.",
)
@@ -50,7 +50,7 @@
_ACT = DecisionPointValue(
name="Act",
key="AC",
- description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. "
+ definition="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. "
"Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. "
"Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. "
"CISA recommends remediating Act vulnerabilities as soon as possible.",
@@ -59,7 +59,7 @@
CISA = CisaDecisionPoint(
name="CISA Levels",
key="CISA",
- description="The CISA outcome group. "
+ definition="The CISA outcome group. "
"CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
version="1.1.0",
values=(
diff --git a/src/ssvc/outcomes/cvss/lmhc.py b/src/ssvc/outcomes/cvss/lmhc.py
index fae0aeec..e3c5ef79 100644
--- a/src/ssvc/outcomes/cvss/lmhc.py
+++ b/src/ssvc/outcomes/cvss/lmhc.py
@@ -20,24 +20,24 @@
from ssvc.decision_points.cvss.base import CvssDecisionPoint
from ssvc.decision_points.helpers import print_versions_and_diffs
-_NONE = DecisionPointValue(name="None", key="N", description="None (0.0)")
+_NONE = DecisionPointValue(name="None", key="N", definition="None (0.0)")
-_LOW = DecisionPointValue(name="Low", key="L", description="Low (0.1-3.9)")
+_LOW = DecisionPointValue(name="Low", key="L", definition="Low (0.1-3.9)")
_MEDIUM = DecisionPointValue(
- name="Medium", key="M", description="Medium (4.0-6.9)"
+ name="Medium", key="M", definition="Medium (4.0-6.9)"
)
-_HIGH = DecisionPointValue(name="High", key="H", description="High (7.0-8.9)")
+_HIGH = DecisionPointValue(name="High", key="H", definition="High (7.0-8.9)")
_CRITICAL = DecisionPointValue(
- name="Critical", key="C", description="Critical (9.0-10.0)"
+ name="Critical", key="C", definition="Critical (9.0-10.0)"
)
LMHC = CvssDecisionPoint(
name="CVSS Qualitative Severity Rating Scale",
key="CVSS",
- description="The CVSS Qualitative Severity Rating Scale group.",
+ definition="The CVSS Qualitative Severity Rating Scale group.",
version="1.0.0",
values=(
_NONE,
diff --git a/src/ssvc/outcomes/ssvc/coordinate.py b/src/ssvc/outcomes/ssvc/coordinate.py
index 4a6705ff..f0dd396b 100644
--- a/src/ssvc/outcomes/ssvc/coordinate.py
+++ b/src/ssvc/outcomes/ssvc/coordinate.py
@@ -20,33 +20,33 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.decision_points.ssvc.base import SsvcDecisionPoint
-_DECLINE = DecisionPointValue(name="Decline", key="D", description="Decline")
+_DECLINE = DecisionPointValue(name="Decline", key="D", definition="Decline")
-_TRACK = DecisionPointValue(name="Track", key="T", description="Track")
+_TRACK = DecisionPointValue(name="Track", key="T", definition="Track")
_COORDINATE = DecisionPointValue(
- name="Coordinate", key="C", description="Coordinate"
+ name="Coordinate", key="C", definition="Coordinate"
)
_DECLINE_2 = DecisionPointValue(
- name="Decline", key="D", description="Do not act on the report."
+ name="Decline", key="D", definition="Do not act on the report."
)
_TRACK_2 = DecisionPointValue(
name="Track",
key="T",
- description="Receive information about the vulnerability and monitor for status changes but do not take any overt actions.",
+ definition="Receive information about the vulnerability and monitor for status changes but do not take any overt actions.",
)
_COORDINATE_2 = DecisionPointValue(
name="Coordinate",
key="C",
- description="Take action on the report.",
+ definition="Take action on the report.",
)
COORDINATE = SsvcDecisionPoint(
name="Decline, Track, Coordinate",
key="COORDINATE",
- description="The coordinate outcome group.",
+ definition="The coordinate outcome group.",
version="1.0.0",
values=(
_DECLINE,
@@ -62,7 +62,7 @@
COORDINATE_1_0_1 = SsvcDecisionPoint(
name="Decline, Track, Coordinate",
key="COORDINATE",
- description="The coordinate outcome group.",
+ definition="The coordinate outcome group.",
version="1.0.1",
values=(
_DECLINE_2,
diff --git a/src/ssvc/outcomes/ssvc/dsoi.py b/src/ssvc/outcomes/ssvc/dsoi.py
index 0f6cc8f5..fbfc407a 100644
--- a/src/ssvc/outcomes/ssvc/dsoi.py
+++ b/src/ssvc/outcomes/ssvc/dsoi.py
@@ -25,24 +25,24 @@
from ssvc.decision_points.helpers import print_versions_and_diffs
from ssvc.decision_points.ssvc.base import SsvcDecisionPoint
-_DEFER = DecisionPointValue(name="Defer", key="D", description="Defer")
+_DEFER = DecisionPointValue(name="Defer", key="D", definition="Defer")
_SCHEDULED = DecisionPointValue(
- name="Scheduled", key="S", description="Scheduled"
+ name="Scheduled", key="S", definition="Scheduled"
)
_OUT_OF_CYCLE = DecisionPointValue(
- name="Out-of-Cycle", key="O", description="Out-of-Cycle"
+ name="Out-of-Cycle", key="O", definition="Out-of-Cycle"
)
_IMMEDIATE = DecisionPointValue(
- name="Immediate", key="I", description="Immediate"
+ name="Immediate", key="I", definition="Immediate"
)
DSOI = SsvcDecisionPoint(
name="Defer, Scheduled, Out-of-Cycle, Immediate",
key="DSOI",
- description="The original SSVC outcome group.",
+ definition="The original SSVC outcome group.",
version="1.0.0",
values=(
_DEFER,
diff --git a/src/ssvc/outcomes/ssvc/publish.py b/src/ssvc/outcomes/ssvc/publish.py
index bcc2eb13..ae93bd55 100644
--- a/src/ssvc/outcomes/ssvc/publish.py
+++ b/src/ssvc/outcomes/ssvc/publish.py
@@ -24,15 +24,15 @@
from ssvc.decision_points.ssvc.base import SsvcDecisionPoint
_DO_NOT_PUBLISH = DecisionPointValue(
- name="Do Not Publish", key="N", description="Do Not Publish"
+ name="Do Not Publish", key="N", definition="Do Not Publish"
)
-_PUBLISH = DecisionPointValue(name="Publish", key="P", description="Publish")
+_PUBLISH = DecisionPointValue(name="Publish", key="P", definition="Publish")
PUBLISH = SsvcDecisionPoint(
name="Publish, Do Not Publish",
key="PUBLISH",
- description="The publish outcome group.",
+ definition="The publish outcome group.",
version="1.0.0",
values=(
_DO_NOT_PUBLISH,
diff --git a/src/ssvc/outcomes/x_com_yahooinc/paranoids.py b/src/ssvc/outcomes/x_com_yahooinc/paranoids.py
index 524cf2c5..55009742 100644
--- a/src/ssvc/outcomes/x_com_yahooinc/paranoids.py
+++ b/src/ssvc/outcomes/x_com_yahooinc/paranoids.py
@@ -29,26 +29,26 @@
)
from ssvc.decision_points.helpers import print_versions_and_diffs
-_TRACK_5 = DecisionPointValue(name="Track 5", key="5", description="Track")
+_TRACK_5 = DecisionPointValue(name="Track 5", key="5", definition="Track")
_TRACK_CLOSELY_4 = DecisionPointValue(
- name="Track Closely 4", key="4", description="Track Closely"
+ name="Track Closely 4", key="4", definition="Track Closely"
)
-_ATTEND_3 = DecisionPointValue(name="Attend 3", key="3", description="Attend")
+_ATTEND_3 = DecisionPointValue(name="Attend 3", key="3", definition="Attend")
-_ATTEND_2 = DecisionPointValue(name="Attend 2", key="2", description="Attend")
+_ATTEND_2 = DecisionPointValue(name="Attend 2", key="2", definition="Attend")
-_ACT_1 = DecisionPointValue(name="Act 1", key="1", description="Act")
+_ACT_1 = DecisionPointValue(name="Act 1", key="1", definition="Act")
_ACT_ASAP_0 = DecisionPointValue(
- name="Act ASAP 0", key="0", description="Act ASAP"
+ name="Act ASAP 0", key="0", definition="Act ASAP"
)
THE_PARANOIDS = DecisionPoint(
name="theParanoids",
key="PARANOIDS",
- description="PrioritizedRiskRemediation outcome group based on TheParanoids.",
+ definition="PrioritizedRiskRemediation outcome group based on TheParanoids.",
namespace="x_com.yahooinc#prioritized-risk-remediation",
version="1.0.0",
values=(
diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py
index b62302e8..7f4dba3e 100644
--- a/src/ssvc/policy_generator.py
+++ b/src/ssvc/policy_generator.py
@@ -360,7 +360,7 @@ def main():
dpg = DecisionPointGroup(
name="Dummy Decision Point Group",
- description="Dummy decision point group",
+ definition="Dummy decision point group",
version="1.0.0",
decision_points=(
EXPLOITATION_1,
diff --git a/src/ssvc/registry/__init__.py b/src/ssvc/registry/__init__.py
index eb203c91..612c34e7 100644
--- a/src/ssvc/registry/__init__.py
+++ b/src/ssvc/registry/__init__.py
@@ -40,7 +40,7 @@ def get_registry() -> "SsvcObjectRegistry":
if _REGISTRY is None:
_REGISTRY = SsvcObjectRegistry(
name="SSVC Object Registry",
- description="A registry for SSVC objects organized by type, namespace, key, and version.",
+ definition="A registry for SSVC objects organized by type, namespace, key, and version.",
)
return _REGISTRY
diff --git a/src/ssvc/registry/base.py b/src/ssvc/registry/base.py
index afc00faf..617180cb 100644
--- a/src/ssvc/registry/base.py
+++ b/src/ssvc/registry/base.py
@@ -354,9 +354,9 @@ def _compare(new: _RegisterableClass, existing: _RegisterableClass) -> None:
else:
should_be_version = True
- if existing.description != new.description:
+ if existing.definition != new.definition:
diffs.append(
- f"Description mismatch: {existing.description} != {new.description}"
+ f"Description mismatch: {existing.definition} != {new.definition}"
)
if hasattr(existing, "values") and hasattr(new, "values"):
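Review bot: The diagnostic text on the appended line still says "Description mismatch" although the comparison on the line above now reads `existing.definition` and `new.definition`, so a registry conflict is reported under a field name that no longer exists on the objects. Renaming the message keeps the diff output searchable against the model: `f"Definition mismatch: {existing.definition} != {new.definition}"`. If any test asserts on the "Description mismatch" substring it would need the same update; that cannot be confirmed from this hunk. `_compare` begins before the hunk.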
diff --git a/src/ssvc/selection.py b/src/ssvc/selection.py
index 6e8a09cd..440834eb 100644
--- a/src/ssvc/selection.py
+++ b/src/ssvc/selection.py
@@ -64,7 +64,7 @@ def set_optional_fields(cls, data):
if "name" not in data:
data["name"] = ""
if "description" not in data:
- data["description"] = ""
+ data["definition"] = ""
return data
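Review bot: The key tested and the key assigned no longer match: the condition still checks `"description" not in data` while the new line writes `data["definition"] = ""`, so any payload that supplies `definition` without a legacy `description` key has its definition blanked, and the "after" validator below then turns that empty string into `None`. A payload that supplies only `description` gets no default for `definition` at all. The condition should follow the rename, `if "definition" not in data:`. The second `set_optional_fields` in this file (the `@@ -141,15 +141,15 @@` hunk) has the identical mismatch. Both methods begin before their hunks.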
@@ -76,8 +76,8 @@ def validate_values(cls, data):
"""
if not data.name:
data.name = None
- if not data.description:
- data.description = None
+ if not data.definition:
+ data.definition = None
return data
@@ -141,15 +141,15 @@ def set_optional_fields(cls, data):
if "name" not in data:
data["name"] = ""
if "description" not in data:
- data["description"] = ""
+ data["definition"] = ""
return data
@model_validator(mode="after")
def validate_values(cls, data):
if not data.name:
data.name = None
- if not data.description:
- data.description = None
+ if not data.definition:
+ data.definition = None
return data
def model_json_schema(cls, **kwargs):
@@ -360,56 +360,7 @@ def model_json_schema(cls, **kwargs):
def main() -> None:
- """
- Prints example selections and their schema in JSON format.
-
- Returns:
- None
- """
- from ssvc.decision_points.ssvc.automatable import LATEST as dp1
- from ssvc.decision_points.ssvc.safety_impact import LATEST as dp2
- import json
-
- a1 = Selection.from_decision_point(dp1)
- a2 = Selection.from_decision_point(dp2)
- selections = SelectionList(
- schemaVersion=SCHEMA_VERSION,
- selections=[a1, a2],
- timestamp=datetime.now(),
- target_ids=["CVE-1900-0001", "GHSA-0123-4567-89ab"],
- references=[
- Reference(
- uri="https://example.com/report",
- summary="A report on which the selections were based",
- )
- ],
- )
-
- print(
- selections.model_dump_json(
- indent=2, exclude_none=True, exclude_unset=True
- )
- )
-
- print("# Schema for SelectionList")
- schema = SelectionList.model_json_schema()
-
- print(json.dumps(schema, indent=2))
-
- # find local path to this file
- import os
-
- current_dir = os.path.dirname(os.path.abspath(__file__))
- # construct the path to the schema file
- schema_path = (
- "../../data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json"
- )
- schema_path = os.path.abspath(os.path.join(current_dir, schema_path))
-
- with open(schema_path, "w") as f:
- print(f"Writing schema to {schema_path}")
- json.dump(schema, f, indent=2)
- f.write("\n") # Ensure the file ends with a newline
+ print("Please use doctools.py for schema generation and unit tests for verification")
if __name__ == "__main__":
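Review bot: The rewritten `main` drops its docstring along with the body, leaving the module entry point undocumented as to why it is now a stub; a one-line replacement such as `"""Stub entry point: schema generation moved to doctools.py; see the unit tests for verification."""` would preserve that. The removed body was the only visible user of `datetime`, `Reference`, `SCHEMA_VERSION` and `json` in this function, so the module-level imports of those names may now be unused — the import block is outside the hunk, so this needs confirming. `main` is fully contained in the hunk; the `if __name__` guard that follows is context.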
diff --git a/src/test/api/routers/test_decision_point.py b/src/test/api/routers/test_decision_point.py
index efbdc7a1..6132f0f7 100644
--- a/src/test/api/routers/test_decision_point.py
+++ b/src/test/api/routers/test_decision_point.py
@@ -33,7 +33,7 @@ def setUp(self):
# create a new registry for testing
self.r = SsvcObjectRegistry(
- name="test registry", description="test registry"
+ name="test registry", definition="test registry"
)
self.r.reset(force=True)
# make sure it's empty
@@ -47,10 +47,10 @@ def setUp(self):
key="A",
version="1.0.0",
name="Test Decision Point",
- description="This is a test decision point.",
+ definition="This is a test decision point.",
values=(
- DecisionPointValue(name="value1", description=".", key="K1"),
- DecisionPointValue(name="value2", description=".", key="K2"),
+ DecisionPointValue(name="value1", definition=".", key="K1"),
+ DecisionPointValue(name="value2", definition=".", key="K2"),
),
registered=False,
)
diff --git a/src/test/api/routers/test_decision_points.py b/src/test/api/routers/test_decision_points.py
index 843fd95e..9aad4442 100644
--- a/src/test/api/routers/test_decision_points.py
+++ b/src/test/api/routers/test_decision_points.py
@@ -37,17 +37,17 @@ def setUp(self):
key="key1",
version="1.0.0",
name="Test DP",
- description="desc",
+ definition="desc",
values=(
DecisionPointValue(
key="value1",
name="Value 1",
- description="Description for value 1",
+ definition="Description for value 1",
),
DecisionPointValue(
key="value2",
name="Value 2",
- description="Description for value 2",
+ definition="Description for value 2",
),
),
)
diff --git a/src/test/api/routers/test_decision_table.py b/src/test/api/routers/test_decision_table.py
index b605120f..f4a3c777 100644
--- a/src/test/api/routers/test_decision_table.py
+++ b/src/test/api/routers/test_decision_table.py
@@ -34,7 +34,7 @@ def setUp(self):
# create a new registry for testing
self.r = SsvcObjectRegistry(
- name="test registry", description="test registry"
+ name="test registry", definition="test registry"
)
self.r.reset(force=True)
# make sure it's empty
@@ -48,11 +48,11 @@ def setUp(self):
key="A",
version="1.0.0",
name="Test Decision Point",
- description="This is a test decision point.",
+ definition="This is a test decision point.",
values=(
- DecisionPointValue(name="value1", description=".", key="K1"),
- DecisionPointValue(name="value2", description=".", key="K2"),
- DecisionPointValue(name="value3", description=".", key="K3"),
+ DecisionPointValue(name="value1", definition=".", key="K1"),
+ DecisionPointValue(name="value2", definition=".", key="K2"),
+ DecisionPointValue(name="value3", definition=".", key="K3"),
),
registered=False,
)
@@ -61,10 +61,10 @@ def setUp(self):
key="B",
version="1.0.0",
name="Test Decision Point",
- description="This is a test decision point.",
+ definition="This is a test decision point.",
values=(
- DecisionPointValue(name="value1", description=".", key="K1"),
- DecisionPointValue(name="value2", description=".", key="K2"),
+ DecisionPointValue(name="value1", definition=".", key="K1"),
+ DecisionPointValue(name="value2", definition=".", key="K2"),
),
registered=False,
)
@@ -73,7 +73,7 @@ def setUp(self):
key="DT_1",
version="1.0.0",
name="Test Decision Table",
- description="This is a test decision table.",
+ definition="This is a test decision table.",
decision_points={dp.id: dp for dp in (self.dp1, self.dp2)},
outcome=self.dp2.id,
registered=False,
diff --git a/src/test/api/routers/test_decision_tables.py b/src/test/api/routers/test_decision_tables.py
index 46159b5b..7330f3a7 100644
--- a/src/test/api/routers/test_decision_tables.py
+++ b/src/test/api/routers/test_decision_tables.py
@@ -37,7 +37,7 @@ def setUp(self):
# create a new registry for testing
self.r = SsvcObjectRegistry(
- name="test registry", description="test registry"
+ name="test registry", definition="test registry"
)
self.r.reset(force=True)
# make sure it's empty
@@ -50,11 +50,11 @@ def setUp(self):
key="A",
version="1.0.0",
name="Test Decision Point",
- description="This is a test decision point.",
+ definition="This is a test decision point.",
values=(
- DecisionPointValue(name="value1", description=".", key="K1"),
- DecisionPointValue(name="value2", description=".", key="K2"),
- DecisionPointValue(name="value3", description=".", key="K3"),
+ DecisionPointValue(name="value1", definition=".", key="K1"),
+ DecisionPointValue(name="value2", definition=".", key="K2"),
+ DecisionPointValue(name="value3", definition=".", key="K3"),
),
registered=False,
)
@@ -63,10 +63,10 @@ def setUp(self):
key="B",
version="1.0.0",
name="Test Decision Point",
- description="This is a test decision point.",
+ definition="This is a test decision point.",
values=(
- DecisionPointValue(name="value1", description=".", key="K1"),
- DecisionPointValue(name="value2", description=".", key="K2"),
+ DecisionPointValue(name="value1", definition=".", key="K1"),
+ DecisionPointValue(name="value2", definition=".", key="K2"),
),
registered=False,
)
@@ -75,7 +75,7 @@ def setUp(self):
key="DT_1",
version="1.0.0",
name="Test Decision Table",
- description="This is a test decision table.",
+ definition="This is a test decision table.",
decision_points={dp.id: dp for dp in (self.dp1, self.dp2)},
outcome=self.dp2.id,
registered=False,
diff --git a/src/test/api/routers/test_objects.py b/src/test/api/routers/test_objects.py
index 5f6e2035..ca2386dd 100644
--- a/src/test/api/routers/test_objects.py
+++ b/src/test/api/routers/test_objects.py
@@ -41,17 +41,17 @@ def setUp(self):
key="key1",
version="1.0.0",
name="Test DP 1",
- description="desc1",
+ definition="desc1",
values=(
DecisionPointValue(
key="value1",
name="Value 1",
- description="Description for value 1",
+ definition="Description for value 1",
),
DecisionPointValue(
key="value2",
name="Value 2",
- description="Description for value 2",
+ definition="Description for value 2",
),
),
)
@@ -60,17 +60,17 @@ def setUp(self):
key="key2",
version="1.0.0",
name="Test DP 2",
- description="desc2",
+ definition="desc2",
values=(
DecisionPointValue(
key="value1",
name="Value 1",
- description="Description for value 1",
+ definition="Description for value 1",
),
DecisionPointValue(
key="value2",
name="Value 2",
- description="Description for value 2",
+ definition="Description for value 2",
),
),
)
@@ -79,22 +79,22 @@ def setUp(self):
key="key3",
version="1.0.0",
name="Test DP 3",
- description="desc3",
+ definition="desc3",
values=(
DecisionPointValue(
key="value1",
name="Value 1",
- description="Description for value 1",
+ definition="Description for value 1",
),
DecisionPointValue(
key="value2",
name="Value 2",
- description="Description for value 2",
+ definition="Description for value 2",
),
DecisionPointValue(
key="value3",
name="Value 3",
- description="Description for value 3",
+ definition="Description for value 3",
),
),
)
@@ -103,7 +103,7 @@ def setUp(self):
key="key2",
version="2.0.0",
name="Test DT",
- description="desc",
+ definition="desc",
decision_points={
dp.id: dp for dp in (self.dp1, self.dp2, self.dp3)
},
@@ -139,7 +139,7 @@ def test_get_decision_table_success(self, mock_lookup):
self.assertEqual(response.json()["key"], dt.key)
self.assertEqual(response.json()["version"], dt.version)
self.assertEqual(response.json()["name"], dt.name)
- self.assertEqual(response.json()["description"], dt.description)
+ self.assertEqual(response.json()["definition"], dt.definition)
@patch("ssvc.api.routers.objects.lookup_by_id")
def test_get_decision_table_not_found(self, mock_lookup):
diff --git a/src/test/decision_points/test_cvss_helpers.py b/src/test/decision_points/test_cvss_helpers.py
index 52eabd18..2937eac4 100644
--- a/src/test/decision_points/test_cvss_helpers.py
+++ b/src/test/decision_points/test_cvss_helpers.py
@@ -30,24 +30,24 @@ def fake_ms_impacts() -> list[CvssDecisionPoint]:
for key in ["MSC", "MSI", "MSA"]:
dp = CvssDecisionPoint(
name=f"{key} test",
- description=f"{key} test",
+ definition=f"{key} test",
version="1.0.0",
key=key,
values=(
DecisionPointValue(
name="None",
key="N",
- description="No impact",
+ definition="No impact",
),
DecisionPointValue(
name="Low",
key="L",
- description="Low impact",
+ definition="Low impact",
),
DecisionPointValue(
name="High",
key="H",
- description="High impact",
+ definition="High impact",
),
),
)
@@ -66,18 +66,18 @@ def setUp(self) -> None:
for i in range(3):
dp = CvssDecisionPoint(
name=f"test_{i}",
- description=f"test_{i}",
+ definition=f"test_{i}",
version="1.0.0",
key=f"TDP{i}",
values=(
DecisionPointValue(
name=f"yes_{i}",
- description=f"yes_{i}",
+ definition=f"yes_{i}",
key=f"Y{i}",
),
DecisionPointValue(
name=f"no_{i}",
- description=f"no_{i}",
+ definition=f"no_{i}",
key=f"N{i}",
),
),
diff --git a/src/test/decision_points/test_dp_base.py b/src/test/decision_points/test_dp_base.py
index 20807d60..36e08f23 100644
--- a/src/test/decision_points/test_dp_base.py
+++ b/src/test/decision_points/test_dp_base.py
@@ -42,14 +42,14 @@ def setUp(self) -> None:
for i in range(3):
self.values.append(
base.DecisionPointValue(
- name=f"foo{i}", key=f"bar{i}", description=f"baz{i}"
+ name=f"foo{i}", key=f"bar{i}", definition=f"baz{i}"
)
)
self.dp = ssvc.decision_points.ssvc.base.SsvcDecisionPoint(
name="foo",
key="bar",
- description="baz",
+ definition="baz",
version="1.0.0",
namespace="test",
values=tuple(self.values),
@@ -83,7 +83,7 @@ def test_registry(self):
dp = ssvc.decision_points.ssvc.base.SsvcDecisionPoint(
name="testdp",
key="asdfasdf",
- description="asdfasdf",
+ definition="asdfasdf",
version="1.33.1",
namespace="test",
values=tuple(self.values),
@@ -104,7 +104,7 @@ def test_ssvc_value(self):
# should have name, key, description
self.assertEqual(obj.name, f"foo{i}")
self.assertEqual(obj.key, f"bar{i}")
- self.assertEqual(obj.description, f"baz{i}")
+ self.assertEqual(obj.definition, f"baz{i}")
# should not have namespace, version
self.assertFalse(hasattr(obj, "namespace"))
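Review bot: The comment two lines above the changed assertion still reads `# should have name, key, description` while the assertion now checks `obj.definition`, so the prose and the code disagree on the attribute name; `# should have name, key, definition` matches the new model. The same stale wording remains in the next hunk of this file (`# should have name, key, description, values, version, namespace`) and in `test_dp_helpers.py` (`# if name, key, and description are the same, then it's not a new object`), and should be updated in the same way. Each enclosing test method begins before its hunk.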
@@ -115,7 +115,7 @@ def test_ssvc_decision_point(self):
# should have name, key, description, values, version, namespace
self.assertEqual(obj.name, "foo")
self.assertEqual(obj.key, "bar")
- self.assertEqual(obj.description, "baz")
+ self.assertEqual(obj.definition, "baz")
self.assertEqual(obj.version, "1.0.0")
self.assertEqual(obj.namespace, "test")
self.assertEqual(len(self.values), len(obj.values))
diff --git a/src/test/decision_points/test_dp_helpers.py b/src/test/decision_points/test_dp_helpers.py
index 40b47276..a07f2df0 100644
--- a/src/test/decision_points/test_dp_helpers.py
+++ b/src/test/decision_points/test_dp_helpers.py
@@ -29,19 +29,19 @@ def setUp(self) -> None:
self.dp1 = DecisionPoint(
name="Test DP",
key="test_dp",
- description="This is a test decision point",
+ definition="This is a test decision point",
version="1.0.0",
namespace="test",
values=(
DecisionPointValue(
name="Yes",
key="yes",
- description="Yes",
+ definition="Yes",
),
DecisionPointValue(
name="No",
key="no",
- description="No",
+ definition="No",
),
),
)
@@ -54,7 +54,7 @@ def test_maybe_new_obj(self):
# if name, key, and description are the same, then it's not a new object
self.assertEqual(self.dp1.name, self.dp2.name)
self.assertEqual(self.dp1.key, self.dp2.key)
- self.assertEqual(self.dp1.description, self.dp2.description)
+ self.assertEqual(self.dp1.definition, self.dp2.definition)
results = dp_diff(self.dp1, self.dp2)
text = "\n".join(results)
@@ -71,7 +71,7 @@ def test_maybe_new_obj(self):
text = "\n".join(results)
self.assertNotIn("new object", text)
- self.dp2.description = "This is a new test decision point"
+ self.dp2.definition = "This is a new test decision point"
results = dp_diff(self.dp1, self.dp2)
text = "\n".join(results)
@@ -101,7 +101,7 @@ def test_major_version(self):
DecisionPointValue(
name="Maybe",
key="maybe",
- description="Maybe",
+ definition="Maybe",
)
)
self.dp2.values = tuple(vals)
@@ -120,7 +120,7 @@ def test_minor_version_when_new_option_added(self):
DecisionPointValue(
name="Maybe",
key="maybe",
- description="Maybe",
+ definition="Maybe",
)
)
self.dp2.values = tuple(vals)
@@ -165,7 +165,7 @@ def test_patch_version_when_description_changes(self):
# * the decision point description changes in a way that does not affect
# semantics, _OR_
- self.dp2.description = "This is a new test decision point"
+ self.dp2.definition = "This is a new test decision point"
results = dp_diff(self.dp1, self.dp2)
text = "\n".join(results)
self.assertIn("patch", text)
@@ -173,7 +173,7 @@ def test_patch_version_when_description_changes(self):
def test_patch_version_when_value_description_changes(self):
# * a value description changes in a way that does not affect semantics
self.dp2.values = deepcopy(self.dp1.values)
- self.dp2.values[0].description = "New Yes"
+ self.dp2.values[0].definition = "New Yes"
results = dp_diff(self.dp1, self.dp2)
text = "\n".join(results)
self.assertIn("patch", text)
diff --git a/src/test/decision_tables/test_base.py b/src/test/decision_tables/test_base.py
index d52172cb..e494a9cc 100644
--- a/src/test/decision_tables/test_base.py
+++ b/src/test/decision_tables/test_base.py
@@ -43,29 +43,29 @@ def setUp(self):
# Create dummy decision point values
self.dp1v1 = DecisionPointValue(
- name="a", key="a", description="A value"
+ name="a", key="a", definition="A value"
)
self.dp1v2 = DecisionPointValue(
- name="b", key="b", description="B value"
+ name="b", key="b", definition="B value"
)
self.dp2v1 = DecisionPointValue(
- name="x", key="x", description="X value"
+ name="x", key="x", definition="X value"
)
self.dp2v2 = DecisionPointValue(
- name="y", key="y", description="Y value"
+ name="y", key="y", definition="Y value"
)
self.dp2v3 = DecisionPointValue(
- name="z", key="z", description="Z value"
+ name="z", key="z", definition="Z value"
)
self.dp2v4 = DecisionPointValue(
- name="w", key="w", description="W value"
+ name="w", key="w", definition="W value"
)
# Create dummy decision points and group
self.dp1 = DecisionPoint(
name="dp1",
- description="description for dp1",
+ definition="description for dp1",
version="1.0.0",
namespace="test",
key="dp1",
@@ -73,7 +73,7 @@ def setUp(self):
)
self.dp2 = DecisionPoint(
name="dp2",
- description="description for dp2",
+ definition="description for dp2",
version="1.0.0",
namespace="test",
key="dp2",
@@ -81,18 +81,18 @@ def setUp(self):
)
# Create dummy outcome group
self.ogv1 = DecisionPointValue(
- name="o1", key="o1", description="Outcome 1"
+ name="o1", key="o1", definition="Outcome 1"
)
self.ogv2 = DecisionPointValue(
- name="o2", key="o2", description="Outcome 2"
+ name="o2", key="o2", definition="Outcome 2"
)
self.ogv3 = DecisionPointValue(
- name="o3", key="o3", description="Outcome 3"
+ name="o3", key="o3", definition="Outcome 3"
)
self.og = OutcomeGroup(
name="outcome",
- description="description for outcome",
+ definition="description for outcome",
version="1.0.0",
namespace="test",
key="outcome",
@@ -106,7 +106,7 @@ def setUp(self):
key="TEST",
namespace="test",
name="Test Table",
- description="Describes the test table",
+ definition="Describes the test table",
decision_points=self.dpdict,
outcome=self.og.id,
)
@@ -355,7 +355,7 @@ def test_single_dp_dt(self):
# Create a DecisionTable with a single DecisionPoint
dp_in = DecisionPoint(
name="dp_in",
- description="A single decision point",
+ definition="A single decision point",
version="1.0.0",
namespace="test",
key="dp",
@@ -366,7 +366,7 @@ def test_single_dp_dt(self):
namespace="test",
key="outcome",
name="Outcome",
- description="Outcome for single DP test",
+ definition="Outcome for single DP test",
version="1.0.0",
values=(self.ogv1, self.ogv2, self.ogv3),
registered=False,
@@ -376,7 +376,7 @@ def test_single_dp_dt(self):
key="SINGLE_TEST",
namespace="test",
name="Single DP Test Table",
- description="Describes the single DP test table",
+ definition="Describes the single DP test table",
decision_points={dp.id: dp for dp in [dp_in, dp_out]},
outcome=dp_out.id,
registered=False,
diff --git a/src/test/dp_groups/test_dp_groups.py b/src/test/dp_groups/test_dp_groups.py
index 0894609e..4fe6c24f 100644
--- a/src/test/dp_groups/test_dp_groups.py
+++ b/src/test/dp_groups/test_dp_groups.py
@@ -32,17 +32,17 @@ def setUp(self) -> None:
name=f"Decision Point {i}",
key=f"DP_{i}",
namespace="test",
- description=f"Description of Decision Point {i}",
+ definition=f"Description of Decision Point {i}",
version="1.0.0",
values=(
DecisionPointValue(
- name="foo", key="FOO", description="foo"
+ name="foo", key="FOO", definition="foo"
),
DecisionPointValue(
- name="bar", key="BAR", description="bar"
+ name="bar", key="BAR", definition="bar"
),
DecisionPointValue(
- name="baz", key="BAZ", description="baz"
+ name="baz", key="BAZ", definition="baz"
),
),
)
@@ -56,7 +56,7 @@ def test_iter(self):
# add them to a decision point group
g = dpg.DecisionPointGroup(
name="Test Group",
- description="Test Group",
+ definition="Test Group",
decision_points=self.dps,
)
@@ -70,7 +70,7 @@ def test_len(self):
# add them to a decision point group
g = dpg.DecisionPointGroup(
name="Test Group",
- description="Test Group",
+ definition="Test Group",
decision_points=self.dps,
)
@@ -82,7 +82,7 @@ def test_json_roundtrip(self):
# add them to a decision point group
g = dpg.DecisionPointGroup(
name="Test Group",
- description="Test Group",
+ definition="Test Group",
decision_points=self.dps,
)
@@ -98,7 +98,7 @@ def test_decision_points_dict(self):
# add them to a decision point group
g = dpg.DecisionPointGroup(
name="Test Group",
- description="Test Group",
+ definition="Test Group",
decision_points=self.dps,
)
diff --git a/src/test/outcomes/test_outcomes.py b/src/test/outcomes/test_outcomes.py
index ee58e507..79b8545e 100644
--- a/src/test/outcomes/test_outcomes.py
+++ b/src/test/outcomes/test_outcomes.py
@@ -27,27 +27,27 @@
class MyTestCase(unittest.TestCase):
def test_outcome_value(self):
for x in ALPHABET:
- ov = OutcomeValue(key=x, name=x, description=x)
+ ov = OutcomeValue(key=x, name=x, definition=x)
self.assertEqual(ov.key, x)
self.assertEqual(ov.name, x)
- self.assertEqual(ov.description, x)
+ self.assertEqual(ov.definition, x)
def test_outcome_group(self):
values = []
for x in ALPHABET:
- values.append(OutcomeValue(key=x, name=x, description=x))
+ values.append(OutcomeValue(key=x, name=x, definition=x))
og = OutcomeGroup(
name="Outcome Group",
key="OGX",
- description="an outcome group",
+ definition="an outcome group",
namespace="test",
values=tuple(values),
)
self.assertEqual(og.name, "Outcome Group")
self.assertEqual(og.key, "OGX")
- self.assertEqual(og.description, "an outcome group")
+ self.assertEqual(og.definition, "an outcome group")
self.assertEqual(len(og), len(ALPHABET))
@@ -55,7 +55,7 @@ def test_outcome_group(self):
for i, letter in enumerate(ALPHABET):
self.assertEqual(og_outcomes[i].key, letter)
self.assertEqual(og_outcomes[i].name, letter)
- self.assertEqual(og_outcomes[i].description, letter)
+ self.assertEqual(og_outcomes[i].definition, letter)
if __name__ == "__main__":
diff --git a/src/test/registry/test_base.py b/src/test/registry/test_base.py
index 793a99fa..9f28ea61 100644
--- a/src/test/registry/test_base.py
+++ b/src/test/registry/test_base.py
@@ -33,7 +33,7 @@
class RegistryTestCase(unittest.TestCase):
def setUp(self):
self.registry = base.SsvcObjectRegistry(
- name="test_registry", description="A test registry"
+ name="test_registry", definition="A test registry"
)
main_reg = get_registry()
main_reg.reset(
@@ -45,7 +45,7 @@ def tearDown(self):
def test_empty_init(self):
self.assertEqual(self.registry.name, "test_registry")
- self.assertEqual(self.registry.description, "A test registry")
+ self.assertEqual(self.registry.definition, "A test registry")
self.assertFalse(self.registry.types)
def test_lookup_type(self):
@@ -71,16 +71,12 @@ class Dummy:
# test with a known type
obj = DecisionPoint(
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
namespace="test",
key="TEST",
values=[
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
],
registered=False,
)
@@ -91,19 +87,13 @@ class DpSubclass(DecisionPoint):
obj2 = DpSubclass(
name="TestDP2",
- description="Another test decision point",
+ definition="Another test decision point",
namespace="test",
key="TEST2",
values=[
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
- DecisionPointValue(
- key="C", name="CCC", description="Option C"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
+ DecisionPointValue(key="C", name="CCC", definition="Option C"),
],
registered=False,
)
@@ -114,17 +104,13 @@ def test_valued_version(self):
dp = DecisionPoint(
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
namespace="test",
version="2.0.0",
key="TEST",
values=[
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
],
registered=False,
)
@@ -142,23 +128,13 @@ def test_nonvalued_version(self):
key="TEST",
version="2.0.0",
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
values=(
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
- DecisionPointValue(
- key="C", name="CCC", description="Option C"
- ),
- DecisionPointValue(
- key="D", name="DDD", description="Option D"
- ),
- DecisionPointValue(
- key="E", name="EEE", description="Option E"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
+ DecisionPointValue(key="C", name="CCC", definition="Option C"),
+ DecisionPointValue(key="D", name="DDD", definition="Option D"),
+ DecisionPointValue(key="E", name="EEE", definition="Option E"),
),
registered=False,
)
@@ -167,17 +143,11 @@ def test_nonvalued_version(self):
key="TEST2",
version="2.0.0",
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
values=(
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
- DecisionPointValue(
- key="C", name="CCC", description="Option C"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
+ DecisionPointValue(key="C", name="CCC", definition="Option C"),
),
registered=False,
)
@@ -187,10 +157,10 @@ def test_nonvalued_version(self):
key="TEST3",
version="2.0.0",
name="TestDP2",
- description="A test decision point",
+ definition="A test decision point",
values=(
- DecisionPointValue(key="A", name="A", description="Outcome A"),
- DecisionPointValue(key="B", name="B", description="Outcome B"),
+ DecisionPointValue(key="A", name="A", definition="Outcome A"),
+ DecisionPointValue(key="B", name="B", definition="Outcome B"),
),
registered=False,
)
@@ -200,7 +170,7 @@ def test_nonvalued_version(self):
key="TEST_DT",
version="2.0.0",
name="TestDT",
- description="A test decision table",
+ definition="A test decision table",
decision_points={dp.id: dp for dp in [dp1, dp2, dp3]},
outcome=dp3.id,
)
@@ -227,7 +197,7 @@ def test_key(self, mock_valued_version, mock_nonvalued_version):
mockobj1.namespace = "test"
mockobj1.version = "1.0.0"
mockobj1.name = "Test Object"
- mockobj1.description = "A test object"
+ mockobj1.definition = "A test object"
mockobj1.id = "test-id"
mockobj1.model_dump_json.return_value = "{}"
mockobj1.values = []
@@ -240,7 +210,7 @@ def test_key(self, mock_valued_version, mock_nonvalued_version):
mockobj2.version = "2.0.0"
mockobj2.namespace = "test"
mockobj2.name = "Test Object"
- mockobj2.description = "A test object"
+ mockobj2.definition = "A test object"
mockobj2.id = "test-id"
mockobj2.model_dump_json.return_value = "{}"
mockobj2.values = []
@@ -268,16 +238,12 @@ def test__insert(self):
dp = DecisionPoint(
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
namespace="test",
key="TEST",
values=[
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
],
registered=False,
)
@@ -302,32 +268,26 @@ def test__compare(self):
dp1 = DecisionPoint(
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
namespace="test",
key="TEST",
values=[
- DecisionPointValue(
- key="A", name="AAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
- ),
+ DecisionPointValue(key="A", name="AAA", definition="Option A"),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
],
registered=False,
)
dp2 = DecisionPoint(
name="TestDP2",
- description="A test decision point",
+ definition="A test decision point",
namespace="test",
key="TEST",
values=[
DecisionPointValue(
- key="AA", name="AAAA", description="Option A"
- ),
- DecisionPointValue(
- key="B", name="BBB", description="Option B"
+ key="AA", name="AAAA", definition="Option A"
),
+ DecisionPointValue(key="B", name="BBB", definition="Option B"),
],
registered=False,
)
@@ -356,16 +316,16 @@ def test_lookup_latest(self):
dp = DecisionPoint(
name="TestDP",
- description="A test decision point",
+ definition="A test decision point",
namespace="test",
key="TEST",
version=version,
values=[
DecisionPointValue(
- key="A", name=f"AAA{v}", description="Option A"
+ key="A", name=f"AAA{v}", definition="Option A"
),
DecisionPointValue(
- key="B", name="BBB", description="Option B"
+ key="B", name="BBB", definition="Option B"
),
],
registered=False,
diff --git a/src/test/test_doc_helpers.py b/src/test/test_doc_helpers.py
index 08309a07..3a139210 100644
--- a/src/test/test_doc_helpers.py
+++ b/src/test/test_doc_helpers.py
@@ -28,15 +28,15 @@ def setUp(self):
self.dp = DecisionPoint(
namespace="test",
name="test name",
- description="test description",
+ definition="test description",
key="TK",
version="1.0.0",
values=(
DecisionPointValue(
- name="A", key="A", description="A Definition"
+ name="A", key="A", definition="A Definition"
),
DecisionPointValue(
- name="B", key="B", description="B Definition"
+ name="B", key="B", definition="B Definition"
),
),
)
@@ -84,7 +84,7 @@ def test_example_block(self):
for value in self.dp.values:
self.assertIn(value.name, result)
- self.assertIn(value.description, result)
+ self.assertIn(value.definition, result)
if __name__ == "__main__":
diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py
index 49d579bf..895da687 100644
--- a/src/test/test_doctools.py
+++ b/src/test/test_doctools.py
@@ -36,10 +36,10 @@
"version": "1.0.0",
"key": "DPT",
"name": "Decision Point Test",
- "description": "This is a test decision point.",
+ "definition": "This is a test decision point.",
"values": (
- {"key": "N", "name": "No", "description": "No means no"},
- {"key": "Y", "name": "Yes", "description": "Yes means yes"},
+ {"key": "N", "name": "No", "definition": "No means no"},
+ {"key": "Y", "name": "Yes", "definition": "Yes means yes"},
),
}
diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py
index e6db69fc..decba16f 100644
--- a/src/test/test_mixins.py
+++ b/src/test/test_mixins.py
@@ -30,17 +30,17 @@
_Versioned,
)
from ssvc.namespaces import NameSpace
-from ssvc.utils.defaults import DEFAULT_VERSION, MAX_NS_LENGTH
+from ssvc.utils.defaults import DEFAULT_VERSION
class TestMixins(unittest.TestCase):
def setUp(self) -> None:
- self.obj = _Base(name="foo", description="baz")
+ self.obj = _Base(name="foo", definition="baz")
def test_ssvc_base_create(self):
- obj = _Base(name="foo", description="baz")
+ obj = _Base(name="foo", definition="baz")
self.assertEqual(obj.name, "foo")
- self.assertEqual(obj.description, "baz")
+ self.assertEqual(obj.definition, "baz")
# empty
self.assertRaises(ValidationError, _Base)
@@ -55,16 +55,16 @@ def test_json_roundtrip(self):
# is it a string?
self.assertIsInstance(json, str)
# does it look right?
- self.assertEqual(json, '{"name":"foo","description":"baz"}')
+ self.assertEqual(json, '{"name":"foo","definition":"baz"}')
# modify the raw json string
json = json.replace("foo", "quux")
- self.assertEqual(json, '{"name":"quux","description":"baz"}')
+ self.assertEqual(json, '{"name":"quux","definition":"baz"}')
# does it load?
obj2 = _Base.model_validate_json(json)
self.assertEqual(obj2.name, "quux")
- self.assertEqual(obj2.description, "baz")
+ self.assertEqual(obj2.definition, "baz")
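Review bot: The round-trip assertions pin the serialized key as `definition`, but nothing in this test pins what `_Base.model_validate_json` does with a payload that still carries the legacy `description` key, which is the shape any JSON written before this rename will present. Whether such input should be rejected, silently dropped, or migrated depends on the model's extra-field configuration, which is outside this hunk, so I cannot tell from here which is intended. A single case such as `self.assertRaises(ValidationError, _Base.model_validate_json, '{"name":"foo","description":"baz"}')` (or its inverse, if legacy input is meant to be accepted) would make the compatibility behavior explicit and catch a regression in either direction. The same gap applies to the `test_asdict_roundtrip` hunk that follows. `test_json_roundtrip` begins outside the hunk.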
def test_asdict_roundtrip(self):
@@ -73,7 +73,7 @@ def test_asdict_roundtrip(self):
self.assertIsInstance(d, dict)
self.assertEqual(d["name"], "foo")
- self.assertEqual(d["description"], "baz")
+ self.assertEqual(d["definition"], "baz")
# modify the dict
d["name"] = "quux"
@@ -81,7 +81,7 @@ def test_asdict_roundtrip(self):
# does it load?
obj2 = _Base(**d)
self.assertEqual(obj2.name, "quux")
- self.assertEqual(obj2.description, "baz")
+ self.assertEqual(obj2.definition, "baz")
def test_namespaced_create_errors(self):
# error if no namespace given
@@ -98,7 +98,6 @@ def test_namespaced_create_errors(self):
with self.assertRaises(ValidationError):
_Namespaced(namespace="x_")
-
def test_namespaced_create(self):
# use the official namespace values
for ns in NameSpace:
@@ -213,7 +212,7 @@ class Foo(_Base, *classes, BaseModel):
if k in keys_with_defaults:
# expect success
- obj = Foo(name="foo", description="baz", **args_copy)
+ obj = Foo(name="foo", definition="baz", **args_copy)
# make sure the key is defaulted
self.assertIsNotNone(getattr(obj, k))
else:
@@ -226,9 +225,9 @@ class Foo(_Base, *classes, BaseModel):
)
# instantiate the object
- obj = Foo(name="foo", description="baz", **args)
+ obj = Foo(name="foo", definition="baz", **args)
self.assertEqual(obj.name, "foo")
- self.assertEqual(obj.description, "baz")
+ self.assertEqual(obj.definition, "baz")
# make sure the args are set
for k, v in args.items():
self.assertEqual(getattr(obj, k), v)
@@ -239,7 +238,7 @@ class Foo(_Base, *classes, BaseModel):
self.assertIsInstance(json, str)
# does it look right?
self.assertIn('"name":"foo"', json)
- self.assertIn('"description":"baz"', json)
+ self.assertIn('"definition":"baz"', json)
for k, v in args.items():
self.assertIn(f'"{k}":"{v}"', json)
# change the name and description
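Review bot: The comment `# change the name and description` on the last context line is now stale, since the field it refers to is asserted as `"definition"` two lines above and the follow-up hunk checks `obj2.definition`. Renaming it to `# change the name and definition` keeps the comment in step with the assertion it introduces. The enclosing test continues past the hunk.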
@@ -248,7 +247,7 @@ class Foo(_Base, *classes, BaseModel):
# does it load?
obj2 = Foo.model_validate_json(json)
self.assertEqual(obj2.name, "quux")
- self.assertEqual(obj2.description, "fizz")
+ self.assertEqual(obj2.definition, "fizz")
# make sure the args are set
for k, v in args.items():
self.assertEqual(getattr(obj2, k), v)
diff --git a/src/test/test_policy_generator.py b/src/test/test_policy_generator.py
index f4107456..b486700e 100644
--- a/src/test/test_policy_generator.py
+++ b/src/test/test_policy_generator.py
@@ -37,31 +37,29 @@ def setUp(self) -> None:
self.og = DecisionPoint(
name="test",
- description="test",
+ definition="test",
key="TEST",
namespace="test",
values=tuple(
[
- DecisionPointValue(key=c, name=c, description=c)
+ DecisionPointValue(key=c, name=c, definition=c)
for c in self.og_names
]
),
)
self.dpg = DecisionPointGroup(
name="test",
- description="test",
+ definition="test",
decision_points=tuple(
[
DecisionPoint(
name=c,
- description=c,
+ definition=c,
key=c,
namespace="test",
values=tuple(
[
- DecisionPointValue(
- name=v, key=v, description=v
- )
+ DecisionPointValue(name=v, key=v, definition=v)
for v in self.dp_values
]
),
diff --git a/src/test/test_selections.py b/src/test/test_selections.py
index a2cf3e13..f548cb72 100644
--- a/src/test/test_selections.py
+++ b/src/test/test_selections.py
@@ -129,14 +129,14 @@ def test_minimal_decision_point_value_validators(self):
# Test set_optional_fields validator
value = MinimalDecisionPointValue(key="test_key")
self.assertIsNone(value.name)
- self.assertIsNone(value.description)
+ self.assertIsNone(value.definition)
# Test with empty strings
value_empty = MinimalDecisionPointValue(
- key="test_key", name="", description=""
+ key="test_key", name="", definition=""
)
self.assertIsNone(value_empty.name)
- self.assertIsNone(value_empty.description)
+ self.assertIsNone(value_empty.definition)
def test_selection_validators(self):
"""Test the model validators for Selection."""
@@ -148,7 +148,7 @@ def test_selection_validators(self):
values=[{"key": "value1"}],
)
self.assertIsNone(selection_minimal.name)
- self.assertIsNone(selection_minimal.description)
+ self.assertIsNone(selection_minimal.definition)
# Test with empty strings
selection_empty = selection.Selection(
@@ -157,10 +157,10 @@ def test_selection_validators(self):
version="1.0.0",
values=[{"key": "value1"}],
name="",
- description="",
+ definition="",
)
self.assertIsNone(selection_empty.name)
- self.assertIsNone(selection_empty.description)
+ self.assertIsNone(selection_empty.definition)
def test_from_decision_point(self):
"""Test converting a decision point to a selection."""
@@ -288,7 +288,7 @@ def test_target_ids_validation(self):
selections=[self.s1],
timestamp=datetime.now(),
# Invalid: due to duplicates
- target_ids=["CVE-1900-1234","CVE-1900-1234"],
+ target_ids=["CVE-1900-1234", "CVE-1900-1234"],
)
def test_add_selection_method(self):
diff --git a/src/test/utils/test_toposort.py b/src/test/utils/test_toposort.py
index 8f665d4d..52c6206b 100644
--- a/src/test/utils/test_toposort.py
+++ b/src/test/utils/test_toposort.py
@@ -76,13 +76,13 @@ def setUp(self):
name="Decision Point 1",
key="DP1",
version="1.0.0",
- description="Test DP 1",
+ definition="Test DP 1",
values=[
DecisionPointValue(
- name="Value 1", key="V1", description="value 1 description"
+ name="Value 1", key="V1", definition="value 1 description"
),
DecisionPointValue(
- name="Value 2", key="V2", description="value 2 description"
+ name="Value 2", key="V2", definition="value 2 description"
),
],
)
@@ -91,13 +91,13 @@ def setUp(self):
name="Decision Point 2",
key="DP2",
version="1.0.0",
- description="Test DP 2",
+ definition="Test DP 2",
values=[
DecisionPointValue(
- name="Value A", key="VA", description="value A description"
+ name="Value A", key="VA", definition="value A description"
),
DecisionPointValue(
- name="Value B", key="VB", description="value B description"
+ name="Value B", key="VB", definition="value B description"
),
],
)