oasis-tcs · tschmidtb51 · Mar 4, 2025 · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1275,6 +1275,9 @@
                     },
                     "cvss_v4": {
                       "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+                    },
+                    "ssvc_v1": {
+                      "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"
                     }
                   }
                 },

diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
@@ -73,6 +73,9 @@ tests-01-mndtr-39-public-sharing-group-with-no-max-uuid.md
 tests-01-mndtr-40-invalid-sharing-group-name.md
 tests-01-mndtr-41-missing-sharing-group-name.md
 tests-01-mndtr-42-purl-qualifiers.md
+tests-01-mndtr-43-inconsistent-ssvc-id.md
+tests-01-mndtr-44-ssvc-decision-points.md
+tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
@@ -571,6 +571,15 @@ Secondly, the program fulfills the following for all items of:
 
   The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
 
+* `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current
+  vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1`
+  object within the current vulnerability.
+  If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding `notes` item SHALL
+  be removed.
+  If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information given, the CSAF 2.0 to CSAF 2.1 converter SHALL
+  remove the invalid `ssvc_v1` object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data failed.
+  If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the `ssvc_v1`
+  object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data would lead to loosing information.
 * `/vulnerabilities[]/remediations[]`:
   * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch`
     if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
@@ -588,6 +597,7 @@ Secondly, the program fulfills the following for all items of:
   * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`.
   * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed,
     including the products it was changed for.
+* The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning.
 
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
 

diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md
@@ -34,23 +34,26 @@ Proven and intended usage patterns from practice are given where possible.
 
 Delegation to industry best practices technologies is used in referencing schemas for:
 
-* Platform Data:
+* Classification for Document Distribution
+  * Traffic Light Protocol (TLP)
+    * Default Definition: https://www.first.org/tlp/
+* Platform Data
   * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
-* Vulnerability Scoring:
+* Vulnerability Categorization
+  * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC)
+    * JSON Schema Reference: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json
+* Vulnerability Classification
+  * Common Weakness Enumeration (CWE) [cite](#CWE)
+    * CWE List: http://cwe.mitre.org/data/index.html
+* Vulnerability Scoring
   * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v4.0.json
   * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.1.json
   * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.0.json
   * Common Vulnerability Scoring System (CVSS) Version 2.0 [cite](#CVSS2)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json
-* Vulnerability Classification
-  * Common Weakness Enumeration (CWE) [cite](#CWE)
-    * CWE List: http://cwe.mitre.org/data/index.html
-* Classification for Document Distribution
-  * Traffic Light Protocol (TLP)
-    * Default Definition: https://www.first.org/tlp/
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v2.0.json
 
 Even though the JSON schema does not prohibit specifically additional properties and custom keywords,
 it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub.
@@ -65,5 +68,3 @@ consumers to verify rules from the specification which can not be tested by the
 Section [sec](#distributing-csaf-documents) states how to distribute and where to find CSAF documents.
 Safety, Security and Data Protection are considered in section [sec](#safety-security-and-data-protection-considerations).
 Finally, a set of conformance targets describes tools in the ecosystem.
-
-
diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md
@@ -80,6 +80,8 @@ An array SHOULD NOT have more than:
   * `/vulnerabilities[]/acknowledgments[]/urls`
   * `/vulnerabilities[]/cwes`
   * `/vulnerabilities[]/ids`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values`
   * `/vulnerabilities[]/remediations[]/entitlements`
 
 * 40 000 items for
@@ -208,6 +210,12 @@ A string SHOULD NOT have a length greater than:
   * `/vulnerabilities[]/metrics[]/content/cvss_v2/vectorString`
   * `/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString`
   * `/vulnerabilities[]/metrics[]/content/cvss_v4/vectorString`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/id`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/role`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version`
   * `/vulnerabilities[]/metrics[]/products[]`
   * `/vulnerabilities[]/notes[]/audience`
   * `/vulnerabilities[]/notes[]/title`
@@ -266,6 +274,7 @@ The maximum length of strings representing a temporal value is given by the form
 * `/vulnerabilities[]/discovery_date`
 * `/vulnerabilities[]/flags[]/date`
 * `/vulnerabilities[]/involvements[]/date`
+* `/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp`
 * `/vulnerabilities[]/release_date`
 * `/vulnerabilities[]/remediations[]/date`
 * `/vulnerabilities[]/threats[]/date`
@@ -284,6 +293,7 @@ It seems to be safe to assume that the length of this value is not greater than
 
 For all other values, it seems to be safe to assume that the length of each value is not greater than 50.
 This applies to:
+
 * `/document/csaf_version` (3)
 * `/document/distribution/tlp/label` (12)
 * `/document/notes[]/category` (16)
@@ -373,6 +383,7 @@ This applies to:
 * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnConfidentialityImpact` (4)
 * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnerabilityResponseEffort` (11)
 * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact` (4)
+* `/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion` (5)
 * `/vulnerabilities[]/notes[]/category` (16)
 * `/vulnerabilities[]/references[]/category` (8)
 * `/vulnerabilities[]/remediations[]/category` (14)

diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -102,6 +102,9 @@ SemVer
 SPDX301
 :    _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, <https://spdx.github.io/spdx-spec/>.
 
+SSVC
+:    _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, <https://certcc.github.io/SSVC/reference/>
+
 VERS
 :    _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
 

diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md
@@ -438,6 +438,9 @@ A Content object has at least 1 property.
           },
           "cvss_v4": {
             // ...
+          },
+          "ssvc_v1": {
+            // ....
           }
         }
 ```
@@ -452,6 +455,9 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the
 The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at
 [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).
 
+The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at
+[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json).
+
 ##### Vulnerabilities Property - Metrics - Products
 
 Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies.

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-43-inconsistent-ssvc-id.md
@@ -0,0 +1,44 @@
+### Inconsistent SSVC ID
+
+For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array.
+The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability.
+
+The relevant path for this test is:
+
+```
+   /vulnerabilities[]/metrics[]/content/ssvc_v1/id
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0002",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
+                  "values": [
+                    "None"
+                  ],
+                  "version": "1.1.0"
+                }
+              ],
+              "timestamp": "2024-01-24T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The SSVC ID does not match the CVE ID.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-44-ssvc-decision-points.md
@@ -0,0 +1,49 @@
+### SSVC Decision Points
+
+For each SSVC decision point given under `selections` with the `namespace` of `ssvc`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly.
+
+> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points).
+> The items in `values` need to have the same order as in their definition.
+
+The relevant path for this test is:
+
+```
+   /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0001",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Mission Impact",
+                  "namespace": "ssvc",
+                  "values": [
+                    "None",
+                    "Degraded"
+                  ],
+                  "version": "1.0.0"
+                }
+              ],
+              "timestamp": "2024-01-24T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The SSVC decision point `Mission Impact` doesn't have the value `Degraded` in version `1.0.0`.
+
+> If applicable, a tool MAY sort the items in `values` according to the order of their definition as a quick fix.
diff --git a/....1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md b/....1/prose/edit/src/tests-01-mndtr-45-prohibited-ssvc-decision-point-namespace.md
@@ -0,0 +1,54 @@
+### Prohibited SSVC Decision Point Namespace
+
+For each SSVC decision point given under `selections` with a `namespace` other than case-sensitive registered values,
+it MUST be tested that the `namespace` it not equal to the case-insensitive registered values.
+
+> According to the SSVC project, the following values are currently registered:
+>
+> ```
+>   cvss
+>   nciss
+>   ssvc
+> ```
+
+The relevant path for this test is:
+
+```
+   /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0001",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Mission Impact",
+                  "namespace": "SSVC",
+                  "values": [
+                    "None"
+                  ],
+                  "version": "1.0.0"
+                }
+              ],
+              "timestamp": "2024-01-24T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The SSVC decision point namespace uses the capitalized version of the reserved namespace `ssvc`.
+
+> A tool MAY convert the reserved namespace to lowercase as a quick fix.
-Original file line number
+Diff line change
@@ Expand Up / @@ -102,6 +102,9 @@ SemVer @@
     SPDX301
     :    _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, <https://spdx.github.io/spdx-spec/>.
+    SSVC
+    :    _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, <https://certcc.github.io/SSVC/reference/>
     VERS
     :    _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
@@ Expand Down @@