diff --git a/data/json/decision_points/cvss/attack_complexity_3.json b/data/json/decision_points/cvss/attack_complexity_3.json index f71772ce..895283e4 100644 --- a/data/json/decision_points/cvss/attack_complexity_3.json +++ b/data/json/decision_points/cvss/attack_complexity_3.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."}, {"key": "H", "name": "High", "description": "A successful attack depends on conditions beyond the attacker's control."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + { + "key": "H", + "name": "High", + "description": "A successful attack depends on conditions beyond the attacker's control." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json index bfece6aa..86686214 100644 --- a/data/json/decision_points/cvss/attack_complexity_3_0_1.json +++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [{"key": "L", "name": "Low", "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "}, {"key": "H", "name": "High", "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "values": [ + { + "key": "L", + "name": "Low", + "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + }, + { + "key": "H", + "name": "High", + "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_requirements_1.json b/data/json/decision_points/cvss/attack_requirements_1.json index 77b1e496..0a7d65f8 100644 --- a/data/json/decision_points/cvss/attack_requirements_1.json +++ b/data/json/decision_points/cvss/attack_requirements_1.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", "name": "Attack Requirements", "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [{"key": "N", "name": "None", "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."}, {"key": "P", "name": "Present", "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AT", + "name": "Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "P", + "name": "Present", + "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_vector_3.json b/data/json/decision_points/cvss/attack_vector_3.json index 4138eb79..43f2ca06 100644 --- a/data/json/decision_points/cvss/attack_vector_3.json +++ b/data/json/decision_points/cvss/attack_vector_3.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [{"key": "P", "name": "Physical", "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."}, {"key": "L", "name": "Local", "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."}, {"key": "A", "name": "Adjacent", "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."}, {"key": "N", "name": "Network", "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." + }, + { + "key": "A", + "name": "Adjacent", + "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json index e8f2fb92..22006bd9 100644 --- a/data/json/decision_points/cvss/attack_vector_3_0_1.json +++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [{"key": "P", "name": "Physical", "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."}, {"key": "L", "name": "Local", "description": "The vulnerable system is not bound to the network stack and the attacker\u2019s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."}, {"key": "A", "name": "Adjacent", "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."}, {"key": "N", "name": "Network", "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed \u201cremotely exploitable\u201d and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/authentication_1.json b/data/json/decision_points/cvss/authentication_1.json index e125e865..059f7f59 100644 --- a/data/json/decision_points/cvss/authentication_1.json +++ b/data/json/decision_points/cvss/authentication_1.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [{"key": "N", "name": "Not Required", "description": "Authentication is not required to access or exploit the vulnerability."}, {"key": "R", "name": "Required", "description": "Authentication is required to access and exploit the vulnerability."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "Au", + "name": "Authentication", + "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", + "values": [ + { + "key": "N", + "name": "Not Required", + "description": "Authentication is not required to access or exploit the vulnerability." + }, + { + "key": "R", + "name": "Required", + "description": "Authentication is required to access and exploit the vulnerability." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/authentication_2.json b/data/json/decision_points/cvss/authentication_2.json index 325df4fb..3550aecb 100644 --- a/data/json/decision_points/cvss/authentication_2.json +++ b/data/json/decision_points/cvss/authentication_2.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [{"key": "M", "name": "Multiple", "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."}, {"key": "S", "name": "Single", "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."}, {"key": "N", "name": "None", "description": "Authentication is not required to exploit the vulnerability."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "Au", + "name": "Authentication", + "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", + "values": [ + { + "key": "M", + "name": "Multiple", + "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." + }, + { + "key": "S", + "name": "Single", + "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." + }, + { + "key": "N", + "name": "None", + "description": "Authentication is not required to exploit the vulnerability." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_1.json b/data/json/decision_points/cvss/availability_impact_1.json index 0666e517..07201d9f 100644 --- a/data/json/decision_points/cvss/availability_impact_1.json +++ b/data/json/decision_points/cvss/availability_impact_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on availability."}, {"key": "P", "name": "Partial", "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."}, {"key": "C", "name": "Complete", "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on availability." + }, + { + "key": "P", + "name": "Partial", + "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." + }, + { + "key": "C", + "name": "Complete", + "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_2.json b/data/json/decision_points/cvss/availability_impact_2.json index b582e82d..98d6e493 100644 --- a/data/json/decision_points/cvss/availability_impact_2.json +++ b/data/json/decision_points/cvss/availability_impact_2.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the availability of the system."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the availability of the system." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_2_0_1.json b/data/json/decision_points/cvss/availability_impact_2_0_1.json index 7c43bca6..1cc6921a 100644 --- a/data/json/decision_points/cvss/availability_impact_2_0_1.json +++ b/data/json/decision_points/cvss/availability_impact_2_0_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1.json b/data/json/decision_points/cvss/availability_requirement_1.json index bf9732ba..9f436294 100644 --- a/data/json/decision_points/cvss/availability_requirement_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1.json index 73b25c1a..c1719568 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json index f808db1c..80f909c5 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Availability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.1", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1.json b/data/json/decision_points/cvss/collateral_damage_potential_1.json index 0b24042d..a2f3f630 100644 --- a/data/json/decision_points/cvss/collateral_damage_potential_1.json +++ b/data/json/decision_points/cvss/collateral_damage_potential_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "values": [{"key": "N", "name": "None", "description": "There is no potential for physical or property damage."}, {"key": "L", "name": "Low", "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."}, {"key": "M", "name": "Medium", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "CDP", + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no potential for physical or property damage." + }, + { + "key": "L", + "name": "Low", + "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." + }, + { + "key": "M", + "name": "Medium", + "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2.json b/data/json/decision_points/cvss/collateral_damage_potential_2.json index cc97cc2c..26af28f9 100644 --- a/data/json/decision_points/cvss/collateral_damage_potential_2.json +++ b/data/json/decision_points/cvss/collateral_damage_potential_2.json @@ -1 +1,35 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for loss of life or physical assets.", "values": [{"key": "N", "name": "None", "description": "There is no potential for loss of life, physical assets, productivity or revenue."}, {"key": "LM", "name": "Low-Medium", "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."}, {"key": "MH", "name": "Medium-High", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "CDP", + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for loss of life or physical assets.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no potential for loss of life, physical assets, productivity or revenue." + }, + { + "key": "LM", + "name": "Low-Medium", + "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." + }, + { + "key": "MH", + "name": "Medium-High", + "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_1.json index 67e90005..feaed5b0 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_1.json +++ b/data/json/decision_points/cvss/confidentiality_impact_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on confidentiality."}, {"key": "P", "name": "Partial", "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."}, {"key": "C", "name": "Complete", "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on confidentiality." + }, + { + "key": "P", + "name": "Partial", + "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." + }, + { + "key": "C", + "name": "Complete", + "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_2.json b/data/json/decision_points/cvss/confidentiality_impact_2.json index 13029660..f56c8f62 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_2.json +++ b/data/json/decision_points/cvss/confidentiality_impact_2.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json index 683a7830..ce5046e2 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json +++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1.json index 4470ee41..64966a4b 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1.json index 7b909bc1..bedacd44 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json index 016d932b..eecf2cac 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.1", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/exploitability_1.json b/data/json/decision_points/cvss/exploitability_1.json index fdeac3d9..a4251052 100644 --- a/data/json/decision_points/cvss/exploitability_1.json +++ b/data/json/decision_points/cvss/exploitability_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploitability", + "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", + "values": [ + { + "key": "U", + "name": "Unproven", + "description": "No exploit code is yet available or an exploit method is entirely theoretical." + }, + { + "key": "P", + "name": "Proof of Concept", + "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + { + "key": "F", + "name": "Functional", + "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + }, + { + "key": "H", + "name": "High", + "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/exploitability_1_1.json b/data/json/decision_points/cvss/exploitability_1_1.json index 65792b8c..a66619c8 100644 --- a/data/json/decision_points/cvss/exploitability_1_1.json +++ b/data/json/decision_points/cvss/exploitability_1_1.json @@ -1 +1,35 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploitability", + "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", + "values": [ + { + "key": "U", + "name": "Unproven", + "description": "No exploit code is yet available or an exploit method is entirely theoretical." + }, + { + "key": "P", + "name": "Proof of Concept", + "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + { + "key": "F", + "name": "Functional", + "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + }, + { + "key": "H", + "name": "High", + "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/impact_bias_1.json b/data/json/decision_points/cvss/impact_bias_1.json index 2d6b4f51..2a49fde0 100644 --- a/data/json/decision_points/cvss/impact_bias_1.json +++ b/data/json/decision_points/cvss/impact_bias_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IB", "name": "Impact Bias", "description": "This metric measures the impact bias of the vulnerability.", "values": [{"key": "N", "name": "Normal", "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."}, {"key": "C", "name": "Confidentiality", "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."}, {"key": "I", "name": "Integrity", "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."}, {"key": "A", "name": "Availability", "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "IB", + "name": "Impact Bias", + "description": "This metric measures the impact bias of the vulnerability.", + "values": [ + { + "key": "N", + "name": "Normal", + "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight." + }, + { + "key": "C", + "name": "Confidentiality", + "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact." + }, + { + "key": "I", + "name": "Integrity", + "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact." + }, + { + "key": "A", + "name": "Availability", + "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_1.json index daf6d35c..bb9d0b30 100644 --- a/data/json/decision_points/cvss/integrity_impact_1.json +++ b/data/json/decision_points/cvss/integrity_impact_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on integrity."}, {"key": "P", "name": "Partial", "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."}, {"key": "C", "name": "Complete", "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "I", + "name": "Integrity Impact", + "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on integrity." + }, + { + "key": "P", + "name": "Partial", + "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope." + }, + { + "key": "C", + "name": "Complete", + "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_impact_2.json b/data/json/decision_points/cvss/integrity_impact_2.json index 58da5c1b..9bc278ad 100644 --- a/data/json/decision_points/cvss/integrity_impact_2.json +++ b/data/json/decision_points/cvss/integrity_impact_2.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the integrity of the system."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "I", + "name": "Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the integrity of the system." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_1.json b/data/json/decision_points/cvss/integrity_impact_2_0_1.json index d689989e..95671937 100644 --- a/data/json/decision_points/cvss/integrity_impact_2_0_1.json +++ b/data/json/decision_points/cvss/integrity_impact_2_0_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "I", + "name": "Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of integrity within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_requirement_1.json b/data/json/decision_points/cvss/integrity_requirement_1.json index 8d24a7e1..33ef7161 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1.json +++ b/data/json/decision_points/cvss/integrity_requirement_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "IR", + "name": "Integrity Requirement", + "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1.json index 25dad33b..405b1500 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_1.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "IR", + "name": "Integrity Requirement", + "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json index 9e83e2c2..9f54fe28 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.1", + "schemaVersion": "1-0-1", + "key": "IR", + "name": "Integrity Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/privileges_required_1.json b/data/json/decision_points/cvss/privileges_required_1.json index cc4dc58e..003960ee 100644 --- a/data/json/decision_points/cvss/privileges_required_1.json +++ b/data/json/decision_points/cvss/privileges_required_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "PR", + "name": "Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json index 8fcdde86..e46eb67d 100644 --- a/data/json/decision_points/cvss/privileges_required_1_0_1.json +++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system\u2019s settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.1", + "schemaVersion": "1-0-1", + "key": "PR", + "name": "Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/remediation_level_1.json b/data/json/decision_points/cvss/remediation_level_1.json index 78c08b16..a71b3444 100644 --- a/data/json/decision_points/cvss/remediation_level_1.json +++ b/data/json/decision_points/cvss/remediation_level_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "RL", + "name": "Remediation Level", + "description": "This metric measures the remediation status of a vulnerability.", + "values": [ + { + "key": "OF", + "name": "Official Fix", + "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." + }, + { + "key": "TF", + "name": "Temporary Fix", + "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." + }, + { + "key": "W", + "name": "Workaround", + "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + { + "key": "U", + "name": "Unavailable", + "description": "There is either no solution available or it is impossible to apply." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/remediation_level_1_1.json b/data/json/decision_points/cvss/remediation_level_1_1.json index 3354c3a5..0855a3fb 100644 --- a/data/json/decision_points/cvss/remediation_level_1_1.json +++ b/data/json/decision_points/cvss/remediation_level_1_1.json @@ -1 +1,35 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "RL", + "name": "Remediation Level", + "description": "This metric measures the remediation status of a vulnerability.", + "values": [ + { + "key": "OF", + "name": "Official Fix", + "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." + }, + { + "key": "TF", + "name": "Temporary Fix", + "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." + }, + { + "key": "W", + "name": "Workaround", + "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + { + "key": "U", + "name": "Unavailable", + "description": "There is either no solution available or it is impossible to apply." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/report_confidence_1.json b/data/json/decision_points/cvss/report_confidence_1.json index 2383385c..01fc795f 100644 --- a/data/json/decision_points/cvss/report_confidence_1.json +++ b/data/json/decision_points/cvss/report_confidence_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "RC", + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "values": [ + { + "key": "UC", + "name": "Unconfirmed", + "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + }, + { + "key": "UR", + "name": "Uncorroborated", + "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." + }, + { + "key": "C", + "name": "Confirmed", + "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/report_confidence_1_1.json b/data/json/decision_points/cvss/report_confidence_1_1.json index 859ae0ae..be9759a7 100644 --- a/data/json/decision_points/cvss/report_confidence_1_1.json +++ b/data/json/decision_points/cvss/report_confidence_1_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "RC", + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "values": [ + { + "key": "UC", + "name": "Unconfirmed", + "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + }, + { + "key": "UR", + "name": "Uncorroborated", + "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." + }, + { + "key": "C", + "name": "Confirmed", + "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/report_confidence_2.json b/data/json/decision_points/cvss/report_confidence_2.json index f35f1bc9..794d8da4 100644 --- a/data/json/decision_points/cvss/report_confidence_2.json +++ b/data/json/decision_points/cvss/report_confidence_2.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "U", "name": "Unknown", "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."}, {"key": "R", "name": "Reasonable", "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."}, {"key": "C", "name": "Confirmed", "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "RC", + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "values": [ + { + "key": "U", + "name": "Unknown", + "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described." + }, + { + "key": "R", + "name": "Reasonable", + "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)." + }, + { + "key": "C", + "name": "Confirmed", + "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/scope_1.json b/data/json/decision_points/cvss/scope_1.json index 640ae6da..9dbdef2e 100644 --- a/data/json/decision_points/cvss/scope_1.json +++ b/data/json/decision_points/cvss/scope_1.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "S", "name": "Scope", "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "values": [{"key": "U", "name": "Unchanged", "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."}, {"key": "C", "name": "Changed", "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "S", + "name": "Scope", + "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", + "values": [ + { + "key": "U", + "name": "Unchanged", + "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + }, + { + "key": "C", + "name": "Changed", + "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/subsequent_availability_impact_1.json b/data/json/decision_points/cvss/subsequent_availability_impact_1.json index 88822ee1..76d1190c 100644 --- a/data/json/decision_points/cvss/subsequent_availability_impact_1.json +++ b/data/json/decision_points/cvss/subsequent_availability_impact_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SA", "name": "Subsequent Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."}, {"key": "H", "name": "High", "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "SA", + "name": "Subsequent Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json b/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json index 4e08a1a0..ff897172 100644 --- a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json +++ b/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", "name": "Confidentiality Impact to the Subsequent System", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "values": [{"key": "N", "name": "Negligible", "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "SC", + "name": "Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json b/data/json/decision_points/cvss/subsequent_integrity_impact_1.json index 59181634..a6baf936 100644 --- a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json +++ b/data/json/decision_points/cvss/subsequent_integrity_impact_1.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", "name": "Integrity Impact to the Subsequent System", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "SI", + "name": "Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/target_distribution_1.json b/data/json/decision_points/cvss/target_distribution_1.json index 40f0b191..7cbaccec 100644 --- a/data/json/decision_points/cvss/target_distribution_1.json +++ b/data/json/decision_points/cvss/target_distribution_1.json @@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "TD", + "name": "Target Distribution", + "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + }, + { + "key": "L", + "name": "Low", + "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." + }, + { + "key": "M", + "name": "Medium", + "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + }, + { + "key": "H", + "name": "High", + "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/target_distribution_1_1.json b/data/json/decision_points/cvss/target_distribution_1_1.json index c61af269..45d295da 100644 --- a/data/json/decision_points/cvss/target_distribution_1_1.json +++ b/data/json/decision_points/cvss/target_distribution_1_1.json @@ -1 +1,35 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "TD", + "name": "Target Distribution", + "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + }, + { + "key": "L", + "name": "Low", + "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." + }, + { + "key": "M", + "name": "Medium", + "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + }, + { + "key": "H", + "name": "High", + "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/user_interaction_1.json b/data/json/decision_points/cvss/user_interaction_1.json index afc55331..8c378db1 100644 --- a/data/json/decision_points/cvss/user_interaction_1.json +++ b/data/json/decision_points/cvss/user_interaction_1.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "values": [{"key": "R", "name": "Required", "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any user."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "UI", + "name": "User Interaction", + "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", + "values": [ + { + "key": "R", + "name": "Required", + "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any user." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/user_interaction_2.json b/data/json/decision_points/cvss/user_interaction_2.json index 0f2f1640..98b997d5 100644 --- a/data/json/decision_points/cvss/user_interaction_2.json +++ b/data/json/decision_points/cvss/user_interaction_2.json @@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "values": [{"key": "A", "name": "Active", "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker\u2019s payload, or the user\u2019s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."}, {"key": "P", "name": "Passive", "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker\u2019s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "UI", + "name": "User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", + "values": [ + { + "key": "A", + "name": "Active", + "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + { + "key": "P", + "name": "Passive", + "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json index 779e4112..c4ebbd2a 100644 --- a/data/json/outcomes/CISA.json +++ b/data/json/outcomes/CISA.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "CISA Levels", "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "outcomes": [{"key": "T", "name": "Track", "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."}, {"key": "T*", "name": "Track*", "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."}, {"key": "A", "name": "Attend", "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."}, {"key": "A", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "CISA Levels", + "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + "outcomes": [ + { + "key": "T", + "name": "Track", + "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." + }, + { + "key": "T*", + "name": "Track*", + "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + }, + { + "key": "A", + "name": "Attend", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." + }, + { + "key": "A", + "name": "Act", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/COORDINATE.json b/data/json/outcomes/COORDINATE.json index 19ad020f..67a4d9fa 100644 --- a/data/json/outcomes/COORDINATE.json +++ b/data/json/outcomes/COORDINATE.json @@ -1 +1,23 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Decline, Track, Coordinate", "description": "The coordinate outcome group.", "outcomes": [{"key": "D", "name": "Decline", "description": "Decline"}, {"key": "T", "name": "Track", "description": "Track"}, {"key": "C", "name": "Coordinate", "description": "Coordinate"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Decline, Track, Coordinate", + "description": "The coordinate outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Decline", + "description": "Decline" + }, + { + "key": "T", + "name": "Track", + "description": "Track" + }, + { + "key": "C", + "name": "Coordinate", + "description": "Coordinate" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/CVSS.json b/data/json/outcomes/CVSS.json index ee9cec55..5d3d3bd2 100644 --- a/data/json/outcomes/CVSS.json +++ b/data/json/outcomes/CVSS.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "CVSS Levels", "description": "The CVSS outcome group.", "outcomes": [{"key": "L", "name": "Low", "description": "Low"}, {"key": "M", "name": "Medium", "description": "Medium"}, {"key": "H", "name": "High", "description": "High"}, {"key": "C", "name": "Critical", "description": "Critical"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "CVSS Levels", + "description": "The CVSS outcome group.", + "outcomes": [ + { + "key": "L", + "name": "Low", + "description": "Low" + }, + { + "key": "M", + "name": "Medium", + "description": "Medium" + }, + { + "key": "H", + "name": "High", + "description": "High" + }, + { + "key": "C", + "name": "Critical", + "description": "Critical" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/DSOI.json b/data/json/outcomes/DSOI.json index 8cc15f4b..8e16b6f6 100644 --- a/data/json/outcomes/DSOI.json +++ b/data/json/outcomes/DSOI.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Defer, Scheduled, Out-of-Cycle, Immediate", "description": "The original SSVC outcome group.", "outcomes": [{"key": "D", "name": "Defer", "description": "Defer"}, {"key": "S", "name": "Scheduled", "description": "Scheduled"}, {"key": "O", "name": "Out-of-Cycle", "description": "Out-of-Cycle"}, {"key": "I", "name": "Immediate", "description": "Immediate"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "description": "The original SSVC outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Defer", + "description": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "description": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "description": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "description": "Immediate" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/EISENHOWER.json b/data/json/outcomes/EISENHOWER.json index 0bf7844e..40d98902 100644 --- a/data/json/outcomes/EISENHOWER.json +++ b/data/json/outcomes/EISENHOWER.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Do, Schedule, Delegate, Delete", "description": "The Eisenhower outcome group.", "outcomes": [{"key": "D", "name": "Delete", "description": "Delete"}, {"key": "G", "name": "Delegate", "description": "Delegate"}, {"key": "S", "name": "Schedule", "description": "Schedule"}, {"key": "O", "name": "Do", "description": "Do"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Do, Schedule, Delegate, Delete", + "description": "The Eisenhower outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Delete", + "description": "Delete" + }, + { + "key": "G", + "name": "Delegate", + "description": "Delegate" + }, + { + "key": "S", + "name": "Schedule", + "description": "Schedule" + }, + { + "key": "O", + "name": "Do", + "description": "Do" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/MOSCOW.json b/data/json/outcomes/MOSCOW.json index e4f466be..3156c47d 100644 --- a/data/json/outcomes/MOSCOW.json +++ b/data/json/outcomes/MOSCOW.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Must, Should, Could, Won't", "description": "The Moscow outcome group.", "outcomes": [{"key": "W", "name": "Won't", "description": "Won't"}, {"key": "C", "name": "Could", "description": "Could"}, {"key": "S", "name": "Should", "description": "Should"}, {"key": "M", "name": "Must", "description": "Must"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Must, Should, Could, Won't", + "description": "The Moscow outcome group.", + "outcomes": [ + { + "key": "W", + "name": "Won't", + "description": "Won't" + }, + { + "key": "C", + "name": "Could", + "description": "Could" + }, + { + "key": "S", + "name": "Should", + "description": "Should" + }, + { + "key": "M", + "name": "Must", + "description": "Must" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/PUBLISH.json b/data/json/outcomes/PUBLISH.json index 355a56a2..fd656624 100644 --- a/data/json/outcomes/PUBLISH.json +++ b/data/json/outcomes/PUBLISH.json @@ -1 +1,18 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Publish, Do Not Publish", "description": "The publish outcome group.", "outcomes": [{"key": "N", "name": "Do Not Publish", "description": "Do Not Publish"}, {"key": "P", "name": "Publish", "description": "Publish"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Publish, Do Not Publish", + "description": "The publish outcome group.", + "outcomes": [ + { + "key": "N", + "name": "Do Not Publish", + "description": "Do Not Publish" + }, + { + "key": "P", + "name": "Publish", + "description": "Publish" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/THE_PARANOIDS.json b/data/json/outcomes/THE_PARANOIDS.json index 121804e7..f19fb83d 100644 --- a/data/json/outcomes/THE_PARANOIDS.json +++ b/data/json/outcomes/THE_PARANOIDS.json @@ -1 +1,38 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "theParanoids", "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.", "outcomes": [{"key": "5", "name": "Track 5", "description": "Track"}, {"key": "4", "name": "Track Closely 4", "description": "Track Closely"}, {"key": "3", "name": "Attend 3", "description": "Attend"}, {"key": "2", "name": "Attend 2", "description": "Attend"}, {"key": "1", "name": "Act 1", "description": "Act"}, {"key": "0", "name": "Act ASAP 0", "description": "Act ASAP"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "theParanoids", + "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.", + "outcomes": [ + { + "key": "5", + "name": "Track 5", + "description": "Track" + }, + { + "key": "4", + "name": "Track Closely 4", + "description": "Track Closely" + }, + { + "key": "3", + "name": "Attend 3", + "description": "Attend" + }, + { + "key": "2", + "name": "Attend 2", + "description": "Attend" + }, + { + "key": "1", + "name": "Act 1", + "description": "Act" + }, + { + "key": "0", + "name": "Act ASAP 0", + "description": "Act ASAP" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/VALUE_COMPLEXITY.json b/data/json/outcomes/VALUE_COMPLEXITY.json index e7f03c44..b60d42f8 100644 --- a/data/json/outcomes/VALUE_COMPLEXITY.json +++ b/data/json/outcomes/VALUE_COMPLEXITY.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Value, Complexity", "description": "The Value/Complexity outcome group.", "outcomes": [{"key": "D", "name": "Drop", "description": "Drop"}, {"key": "R", "name": "Reconsider Later", "description": "Reconsider Later"}, {"key": "E", "name": "Easy Win", "description": "Easy Win"}, {"key": "F", "name": "Do First", "description": "Do First"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Value, Complexity", + "description": "The Value/Complexity outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Drop", + "description": "Drop" + }, + { + "key": "R", + "name": "Reconsider Later", + "description": "Reconsider Later" + }, + { + "key": "E", + "name": "Easy Win", + "description": "Easy Win" + }, + { + "key": "F", + "name": "Do First", + "description": "Do First" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/YES_NO.json b/data/json/outcomes/YES_NO.json index ad840aaa..1a6dcdff 100644 --- a/data/json/outcomes/YES_NO.json +++ b/data/json/outcomes/YES_NO.json @@ -1 +1,18 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Yes, No", "description": "The Yes/No outcome group.", "outcomes": [{"key": "N", "name": "No", "description": "No"}, {"key": "Y", "name": "Yes", "description": "Yes"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Yes, No", + "description": "The Yes/No outcome group.", + "outcomes": [ + { + "key": "N", + "name": "No", + "description": "No" + }, + { + "key": "Y", + "name": "Yes", + "description": "Yes" + } + ] +} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index cd9c038d..1bee6066 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,9 +7,9 @@ mkdocs-material-extensions==1.3.1 mkdocstrings==0.27.0 mkdocstrings-python==1.13.0 mkdocs-print-site-plugin==2.6.0 -dataclasses-json==0.6.7 thefuzz==0.22.1 pandas==2.2.3 scikit-learn==1.6.1 jsonschema==4.23.0 networkx==3.4.2 +pydantic==2.10.3 diff --git a/src/cvss_to_json.py b/src/cvss_to_json.py index 63a23465..df739988 100644 --- a/src/cvss_to_json.py +++ b/src/cvss_to_json.py @@ -1,22 +1,57 @@ #!/usr/bin/python3" -mods = ["attack_complexity", "attack_requirements", "attack_vector", - "authentication", "availability_impact", "availability_requirement", - "collateral_damage_potential", "confidentiality_impact", - "confidentiality_requirement", "exploitability", "helpers", - "impact_bias", "integrity_impact", "integrity_requirement", - "privileges_required", "remediation_level", "report_confidence", - "scope", "subsequent_availability_impact", - "subsequent_confidentiality_impact", "subsequent_integrity_impact", - "target_distribution", "user_interaction"] -for mod in mods: - module = getattr(__import__('ssvc.decision_points.cvss', fromlist=[mod]), - mod) - for dp in dir(module): - if dp.upper().find(mod.upper()) > -1: - #user_interaction USER_INTERACTION_2 - print(mod, dp) - sdp = getattr(module, dp) - with open(f"../data/json/decision_points/cvss/{dp.lower()}.json", "w") as f: - f.write(sdp.to_json()) +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University - +mods = [ + "attack_complexity", + "attack_requirements", + "attack_vector", + "authentication", + "availability_impact", + "availability_requirement", + "collateral_damage_potential", + "confidentiality_impact", + "confidentiality_requirement", + "exploitability", + "helpers", + "impact_bias", + "integrity_impact", + "integrity_requirement", + "privileges_required", + "remediation_level", + "report_confidence", + "scope", + "subsequent_availability_impact", + "subsequent_confidentiality_impact", + "subsequent_integrity_impact", + "target_distribution", + "user_interaction", +] + + +def main(): + for mod in mods: + module = getattr(__import__("ssvc.decision_points.cvss", fromlist=[mod]), mod) + for dp in dir(module): + if dp.upper().find(mod.upper()) > -1: + # user_interaction USER_INTERACTION_2 + print(mod, dp) + sdp = getattr(module, dp) + with open( + f"../data/json/decision_points/cvss/{dp.lower()}.json", "w" + ) as f: + f.write(sdp.model_dump_json(indent=2)) + + +if __name__ == "__main__": + main() diff --git a/src/outcomes_to_json.py b/src/outcomes_to_json.py index 6a1925a3..192c8169 100644 --- a/src/outcomes_to_json.py +++ b/src/outcomes_to_json.py @@ -1,11 +1,29 @@ #!/usr/bin/python3 + +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.outcomes import groups from ssvc.outcomes.base import OutcomeGroup -for x in dir(groups): - outcome = getattr(groups,x); - if type(outcome) == OutcomeGroup: - with open(f"../data/json/outcomes/{x}.json","w") as f: - f.write(outcome.to_json()) - +def main(): + for x in dir(groups): + outcome = getattr(groups, x) + if type(outcome) == OutcomeGroup: + with open(f"../data/json/outcomes/{x}.json", "w") as f: + f.write(outcome.model_dump_json(indent=2)) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 69b27017..c363a06f 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -17,17 +17,14 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass, field from typing import Optional -from dataclasses_json import config, dataclass_json +from pydantic import BaseModel, ConfigDict from . import _schemaVersion -@dataclass_json -@dataclass(kw_only=True) -class _Versioned: +class _Versioned(BaseModel): """ Mixin class for versioned SSVC objects. """ @@ -36,9 +33,7 @@ class _Versioned: schemaVersion: str = _schemaVersion -@dataclass_json -@dataclass(kw_only=True) -class _Namespaced: +class _Namespaced(BaseModel): """ Mixin class for namespaced SSVC objects. """ @@ -46,9 +41,7 @@ class _Namespaced: namespace: str = "ssvc" -@dataclass_json -@dataclass(kw_only=True) -class _Keyed: +class _Keyed(BaseModel): """ Mixin class for keyed SSVC objects. """ @@ -60,21 +53,17 @@ def exclude_if_none(value): return value is None -@dataclass_json -@dataclass(kw_only=True) -class _Commented: +class _Commented(BaseModel): """ Mixin class for commented SSVC objects. """ - _comment: Optional[str] = field( - default=None, metadata=config(exclude=exclude_if_none) - ) + _comment: Optional[str] = None + model_config = ConfigDict(json_encoders={Optional[str]: exclude_if_none}) -@dataclass_json -@dataclass(kw_only=True) -class _Base: + +class _Base(BaseModel): """ Base class for SSVC objects. """ diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index 2c85c2e6..b7726c3e 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -18,10 +18,8 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import logging -from dataclasses import dataclass -from typing import Iterable -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned @@ -58,27 +56,18 @@ def _reset_registered(): REGISTERED_DECISION_POINTS = [] -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPointValue(_Base, _Keyed): +class SsvcDecisionPointValue(_Base, _Keyed, BaseModel): """ Models a single value option for a decision point. """ -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPoint( - _Base, - _Keyed, - _Versioned, - _Namespaced, -): +class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, BaseModel): """ Models a single decision point as a list of values. """ - values: Iterable[SsvcDecisionPointValue] = () + values: list[SsvcDecisionPointValue] = [] def __iter__(self): """ @@ -86,13 +75,12 @@ def __iter__(self): """ return iter(self.values) - def __post_init__(self): + def __init__(self, **data): + super().__init__(**data) register(self) - if isinstance(self.values[0], dict): - self.values = tuple( - SsvcDecisionPointValue.from_dict(v) for v in self.values - ) + def __post_init__(self): + register(self) def main(): @@ -116,7 +104,7 @@ def main(): version="1.0.0", ) - print(dp.to_json(indent=2)) + print(dp.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py index eeab7283..b7b3042f 100644 --- a/src/ssvc/decision_points/critical_software.py +++ b/src/ssvc/decision_points/critical_software.py @@ -42,7 +42,7 @@ def main(): - print(CRITICAL_SOFTWARE_1.to_json(indent=2)) + print(CRITICAL_SOFTWARE_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/base.py b/src/ssvc/decision_points/cvss/base.py index e8868087..9a935991 100644 --- a/src/ssvc/decision_points/cvss/base.py +++ b/src/ssvc/decision_points/cvss/base.py @@ -2,8 +2,6 @@ """ Provides a base class for modeling CVSS vector metrics as SSVC decision points. """ - - # Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project @@ -17,16 +15,12 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc.decision_points.base import SsvcDecisionPoint -@dataclass_json -@dataclass(kw_only=True) -class CvssDecisionPoint(SsvcDecisionPoint): +class CvssDecisionPoint(SsvcDecisionPoint, BaseModel): """ Models a single CVSS decision point as a list of values. """ diff --git a/src/ssvc/decision_points/cvss/eq_sets.py b/src/ssvc/decision_points/cvss/eq_sets.py index e00a37ee..0e12c2ea 100644 --- a/src/ssvc/decision_points/cvss/eq_sets.py +++ b/src/ssvc/decision_points/cvss/eq_sets.py @@ -184,7 +184,7 @@ def main(): for dp in [EQ1, EQ2, EQ3, EQ4, EQ5, EQ6]: - print(dp.to_json(indent=2)) + print(dp.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py index a4c60c7b..3dfb81ed 100644 --- a/src/ssvc/decision_points/helpers.py +++ b/src/ssvc/decision_points/helpers.py @@ -134,10 +134,14 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: # did the value keys change? for name in intersection: - v1 = {value["name"]: value["key"] for value in dp1.to_dict()["values"]} + v1 = { + value["name"]: value["key"] for value in dp1.model_dump()["values"] + } v1 = v1[name] - v2 = {value["name"]: value["key"] for value in dp2.to_dict()["values"]} + v2 = { + value["name"]: value["key"] for value in dp2.model_dump()["values"] + } v2 = v2[name] if v1 != v2: @@ -154,13 +158,13 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: for name in intersection: v1 = { value["name"]: value["description"] - for value in dp1.to_dict()["values"] + for value in dp1.model_dump()["values"] } v1 = v1[name] v2 = { value["name"]: value["description"] - for value in dp2.to_dict()["values"] + for value in dp2.model_dump()["values"] } v2 = v2[name] @@ -225,7 +229,7 @@ def print_versions_and_diffs(versions: Sequence[SsvcDecisionPoint]) -> None: None """ for version in versions: - print(version.to_json(indent=2)) + print(version.model_dump_json(indent=2)) show_diffs(versions) diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py index 476c1848..66cb145b 100644 --- a/src/ssvc/decision_points/high_value_asset.py +++ b/src/ssvc/decision_points/high_value_asset.py @@ -42,7 +42,7 @@ def main(): - print(HIGH_VALUE_ASSET_1.to_json(indent=2)) + print(HIGH_VALUE_ASSET_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/in_kev.py b/src/ssvc/decision_points/in_kev.py index 2eccb516..2b10690c 100644 --- a/src/ssvc/decision_points/in_kev.py +++ b/src/ssvc/decision_points/in_kev.py @@ -42,7 +42,7 @@ def main(): - print(IN_KEV_1.to_json(indent=2)) + print(IN_KEV_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py index 621de7dd..40c168b1 100644 --- a/src/ssvc/decision_points/report_credibility.py +++ b/src/ssvc/decision_points/report_credibility.py @@ -43,7 +43,7 @@ def main(): - print(REPORT_CREDIBILITY_1.to_json(indent=2)) + print(REPORT_CREDIBILITY_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py index a3232121..fa2e4f59 100644 --- a/src/ssvc/decision_points/report_public.py +++ b/src/ssvc/decision_points/report_public.py @@ -42,7 +42,7 @@ def main(): - print(REPORT_PUBLIC_1.to_json(indent=2)) + print(REPORT_PUBLIC_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py index 4eb6d078..6cb2d330 100644 --- a/src/ssvc/decision_points/supplier_cardinality.py +++ b/src/ssvc/decision_points/supplier_cardinality.py @@ -44,7 +44,7 @@ def main(): - print(SUPPLIER_CARDINALITY_1.to_json(indent=2)) + print(SUPPLIER_CARDINALITY_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py index 87147f5f..3f185521 100644 --- a/src/ssvc/decision_points/supplier_contacted.py +++ b/src/ssvc/decision_points/supplier_contacted.py @@ -44,7 +44,7 @@ def main(): - print(SUPPLIER_CONTACTED_1.to_json(indent=2)) + print(SUPPLIER_CONTACTED_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py index 5c44249d..a3904d6b 100644 --- a/src/ssvc/decision_points/supplier_engagement.py +++ b/src/ssvc/decision_points/supplier_engagement.py @@ -45,7 +45,7 @@ def main(): - print(SUPPLIER_ENGAGEMENT_1.to_json(indent=2)) + print(SUPPLIER_ENGAGEMENT_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py index 09796f8f..a24aa8bf 100644 --- a/src/ssvc/decision_points/supplier_involvement.py +++ b/src/ssvc/decision_points/supplier_involvement.py @@ -52,7 +52,7 @@ def main(): - print(SUPPLIER_INVOLVEMENT_1.to_json(indent=2)) + print(SUPPLIER_INVOLVEMENT_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py index 131171cf..f0827083 100644 --- a/src/ssvc/decision_points/system_exposure.py +++ b/src/ssvc/decision_points/system_exposure.py @@ -79,8 +79,8 @@ def main(): - print(SYSTEM_EXPOSURE_1.to_json(indent=2)) - print(SYSTEM_EXPOSURE_1_0_1.to_json(indent=2)) + print(SYSTEM_EXPOSURE_1.model_dump_json(indent=2)) + print(SYSTEM_EXPOSURE_1_0_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py index ffa5d2cb..ae247bea 100644 --- a/src/ssvc/decision_points/technical_impact.py +++ b/src/ssvc/decision_points/technical_impact.py @@ -44,7 +44,7 @@ def main(): - print(TECHNICAL_IMPACT_1.to_json(indent=2)) + print(TECHNICAL_IMPACT_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py index f491314b..1daaed86 100644 --- a/src/ssvc/decision_points/value_density.py +++ b/src/ssvc/decision_points/value_density.py @@ -44,7 +44,7 @@ def main(): - print(VALUE_DENSITY_1.to_json(indent=2)) + print(VALUE_DENSITY_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py index 58fd3c28..8130aeb6 100644 --- a/src/ssvc/doctools.py +++ b/src/ssvc/doctools.py @@ -247,7 +247,7 @@ def dump_json( with EnsureDirExists(jsondir): try: with open(json_file, "x") as f: - f.write(dp.to_json(indent=2)) + f.write(dp.model_dump_json(indent=2)) except FileExistsError: logger.warning( f"File {json_file} already exists, use --overwrite to replace" diff --git a/src/ssvc/dp_groups/base.py b/src/ssvc/dp_groups/base.py index 8ef826d5..f2c0b530 100644 --- a/src/ssvc/dp_groups/base.py +++ b/src/ssvc/dp_groups/base.py @@ -17,23 +17,18 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass -from typing import Iterable - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Versioned from ssvc.decision_points.base import SsvcDecisionPoint -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPointGroup(_Base, _Versioned): +class SsvcDecisionPointGroup(_Base, _Versioned, BaseModel): """ Models a group of decision points. """ - decision_points: Iterable[SsvcDecisionPoint] + decision_points: list[SsvcDecisionPoint] def __iter__(self): """ @@ -45,11 +40,13 @@ def __len__(self): """ Allow len() to be called on the group. """ - return len(self.decision_points) + dplist = list(self.decision_points) + l = len(dplist) + return l def get_all_decision_points_from( - *groups: Iterable[SsvcDecisionPointGroup], + *groups: list[SsvcDecisionPointGroup], ) -> list[SsvcDecisionPoint]: """ Given a list of SsvcDecisionPointGroup objects, return a list of all diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py index d0d32f73..a8e8a271 100644 --- a/src/ssvc/dp_groups/cvss/collections.py +++ b/src/ssvc/dp_groups/cvss/collections.py @@ -375,7 +375,7 @@ def main(): CVSSv4, ]: print(f"## {group.name} v{group.version}") - print(group.to_json(indent=2)) + print(group.model_dump_json(indent=2)) print() diff --git a/src/ssvc/dp_groups/ssvc/collections.py b/src/ssvc/dp_groups/ssvc/collections.py index be24c7ec..c7b2b527 100644 --- a/src/ssvc/dp_groups/ssvc/collections.py +++ b/src/ssvc/dp_groups/ssvc/collections.py @@ -60,7 +60,7 @@ def main(): for dpg in [SSVCv1, SSVCv2, SSVCv2_1]: - print(dpg.to_json(indent=2)) + print(dpg.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/coordinator_publication.py b/src/ssvc/dp_groups/ssvc/coordinator_publication.py index 6289c661..35423fd9 100644 --- a/src/ssvc/dp_groups/ssvc/coordinator_publication.py +++ b/src/ssvc/dp_groups/ssvc/coordinator_publication.py @@ -45,7 +45,7 @@ def main(): - print(COORDINATOR_PUBLICATION_1.to_json(indent=2)) + print(COORDINATOR_PUBLICATION_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/coordinator_triage.py b/src/ssvc/dp_groups/ssvc/coordinator_triage.py index 7266fbea..2fedb785 100644 --- a/src/ssvc/dp_groups/ssvc/coordinator_triage.py +++ b/src/ssvc/dp_groups/ssvc/coordinator_triage.py @@ -66,7 +66,7 @@ def main(): - print(COORDINATOR_TRIAGE_1.to_json(indent=2)) + print(COORDINATOR_TRIAGE_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/deployer.py b/src/ssvc/dp_groups/ssvc/deployer.py index 20df6e6d..76218acd 100644 --- a/src/ssvc/dp_groups/ssvc/deployer.py +++ b/src/ssvc/dp_groups/ssvc/deployer.py @@ -124,9 +124,9 @@ def main(): - print(PATCH_APPLIER_1.to_json(indent=2)) - print(DEPLOYER_2.to_json(indent=2)) - print(DEPLOYER_3.to_json(indent=2)) + print(PATCH_APPLIER_1.model_dump_json(indent=2)) + print(DEPLOYER_2.model_dump_json(indent=2)) + print(DEPLOYER_3.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/supplier.py b/src/ssvc/dp_groups/ssvc/supplier.py index dc313dd4..05fb092c 100644 --- a/src/ssvc/dp_groups/ssvc/supplier.py +++ b/src/ssvc/dp_groups/ssvc/supplier.py @@ -91,8 +91,8 @@ def main(): - print(PATCH_DEVELOPER_1.to_json(indent=2)) - print(SUPPLIER_2.to_json(indent=2)) + print(PATCH_DEVELOPER_1.model_dump_json(indent=2)) + print(SUPPLIER_2.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py index 3436dce3..11eaf873 100644 --- a/src/ssvc/outcomes/base.py +++ b/src/ssvc/outcomes/base.py @@ -15,30 +15,23 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass -from typing import Iterable - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Keyed, _Versioned -@dataclass_json -@dataclass(kw_only=True) -class OutcomeValue(_Base, _Keyed): +class OutcomeValue(_Base, _Keyed, BaseModel): """ Models a single value option for an SSVC outcome. """ -@dataclass_json -@dataclass(kw_only=True) -class OutcomeGroup(_Base, _Versioned): +class OutcomeGroup(_Base, _Versioned, BaseModel): """ Models an outcome group. """ - outcomes: Iterable[OutcomeValue] + outcomes: list[OutcomeValue] def __iter__(self): """ @@ -50,6 +43,8 @@ def __len__(self): """ Allow len() to be called on the group. """ - return len(self.outcomes) + olist = list(self.outcomes) + l = len(olist) + return l # register all instances diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py index 9779bf81..85ce86b9 100644 --- a/src/ssvc/policy_generator.py +++ b/src/ssvc/policy_generator.py @@ -19,7 +19,6 @@ import itertools import logging import math -from typing import List, Tuple import networkx as nx import pandas as pd @@ -48,7 +47,7 @@ def __init__( self, dp_group: SsvcDecisionPointGroup = None, outcomes: OutcomeGroup = None, - outcome_weights: List[float] = None, + outcome_weights: list[float] = None, validate: bool = False, ): """ @@ -87,17 +86,15 @@ def __init__( # validate that the outcome weights sum to 1.0 total = sum(outcome_weights) if not math.isclose(total, 1.0): - raise ValueError( - f"Outcome weights must sum to 1.0, but sum to {total}" - ) + raise ValueError(f"Outcome weights must sum to 1.0, but sum to {total}") self.outcome_weights = outcome_weights logger.debug(f"Outcome weights: {self.outcome_weights}") self.policy: pd.DataFrame = None self.G: nx.DiGraph = nx.DiGraph() - self.top: Tuple[int] = None - self.bottom: Tuple[int] = None + self.top: tuple[int] = None + self.bottom: tuple[int] = None self._enumerated_vec = None self._check_valid_paths = validate @@ -205,9 +202,7 @@ def _assign_outcomes(self): logger.debug(f"Layer count: {len(layers)}") logger.debug(f"Layer sizes: {[len(layer) for layer in layers]}") - outcome_counts = [ - round(node_count * weight) for weight in self.outcome_weights - ] + outcome_counts = [round(node_count * weight) for weight in self.outcome_weights] toposort = list(nx.topological_sort(self.G)) logger.debug(f"Toposort: {toposort[:4]}...{toposort[-4:]}") @@ -296,15 +291,11 @@ def _confirm_topological_order(self, node_order: list) -> None: # all nodes must be in the graph for node in node_order: if node not in self.G.nodes: - raise ValueError( - f"Node order contains node {node} not in the graph" - ) + raise ValueError(f"Node order contains node {node} not in the graph") for node in self.G.nodes: if node not in node_order: - raise ValueError( - f"Graph contains node {node} not in the node order" - ) + raise ValueError(f"Graph contains node {node} not in the node order") node_idx = {node: i for i, node in enumerate(node_order)} diff --git a/src/ssvc_v2.py b/src/ssvc_v2.py index 5e084e1a..01f041bf 100644 --- a/src/ssvc_v2.py +++ b/src/ssvc_v2.py @@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import os + import pandas as pd DATAPATH = "../data/csvs" @@ -107,21 +108,21 @@ def main(): df = lookup("coord_triage", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) print() query = {"Value added": "precedence"} df = lookup("coord_pub", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) print() query = {"Public-Safety Impact": "minimal"} df = lookup("supplier", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) if __name__ == "__main__": diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index f5036cd0..2e2083c7 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -42,7 +42,7 @@ class MyTestCase(unittest.TestCase): def setUp(self) -> None: - self.dp = SsvcDecisionPoint.from_dict(_dp_dict) + self.dp = SsvcDecisionPoint.model_validate(_dp_dict) # create a temp working dir self.tempdir = tempfile.TemporaryDirectory() @@ -187,7 +187,7 @@ def test_dump_json(self): # file is loadable json d = json.load(open(json_file)) - for k, v in dp.to_dict().items(): + for k, v in dp.model_dump().items(): self.assertEqual(v, d[k]) # should not overwrite the file diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py index a5bf3567..7fa233d9 100644 --- a/src/test/test_dp_base.py +++ b/src/test/test_dp_base.py @@ -95,25 +95,25 @@ def test_ssvc_decision_point(self): def test_ssvc_value_json_roundtrip(self): for i, obj in enumerate(self.values): - json = obj.to_json() + json = obj.model_dump_json() self.assertIsInstance(json, str) self.assertGreater(len(json), 0) - obj2 = base.SsvcDecisionPointValue.from_json(json) + obj2 = base.SsvcDecisionPointValue.model_validate_json(json) self.assertEqual(obj, obj2) def test_ssvc_decision_point_json_roundtrip(self): obj = self.dp - json = obj.to_json() + json = obj.model_dump_json() self.assertIsInstance(json, str) self.assertGreater(len(json), 0) - obj2 = base.SsvcDecisionPoint.from_json(json) + obj2 = base.SsvcDecisionPoint.model_validate_json(json) # the objects should be equal self.assertEqual(obj, obj2) - self.assertEqual(obj.to_dict(), obj2.to_dict()) + self.assertEqual(obj.model_dump(), obj2.model_dump()) if __name__ == "__main__": diff --git a/src/test/test_dp_groups.py b/src/test/test_dp_groups.py index df3c04ac..e4c2397e 100644 --- a/src/test/test_dp_groups.py +++ b/src/test/test_dp_groups.py @@ -65,7 +65,8 @@ def test_len(self): decision_points=self.dps, ) - self.assertEqual(len(self.dps), len(g.decision_points)) + self.assertGreater(len(self.dps), 0) + self.assertEqual(len(self.dps), len(list(g.decision_points))) self.assertEqual(len(self.dps), len(g)) def test_json_roundtrip(self): @@ -77,12 +78,12 @@ def test_json_roundtrip(self): ) # serialize the group to json - g_json = g.to_json() + g_json = g.model_dump_json() # deserialize the json to a new group - g2 = dpg.SsvcDecisionPointGroup.from_json(g_json) + g2 = dpg.SsvcDecisionPointGroup.model_validate_json(g_json) # assert that the new group is the same as the old group - self.assertEqual(g.to_dict(), g2.to_dict()) + self.assertEqual(g_json, g2.model_dump_json()) if __name__ == "__main__": diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index b3751177..f86ae5c1 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py @@ -12,11 +12,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import unittest -from dataclasses import dataclass -from dataclasses_json import dataclass_json +from pydantic import BaseModel, ValidationError -from ssvc._mixins import _Base, _Keyed, _Versioned, _Namespaced +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned class TestMixins(unittest.TestCase): @@ -29,34 +28,33 @@ def test_ssvc_base_create(self): self.assertEqual(obj.description, "baz") # empty - self.assertRaises(TypeError, _Base) + self.assertRaises(ValidationError, _Base) # no name - self.assertRaises(TypeError, _Base, description="baz") + self.assertRaises(ValidationError, _Base, description="baz") # no description - self.assertRaises(TypeError, _Base, name="foo") + self.assertRaises(ValidationError, _Base, name="foo") def test_json_roundtrip(self): obj = self.obj - json = obj.to_json() + json = obj.model_dump_json() # is it a string? self.assertIsInstance(json, str) # does it look right? - self.assertEqual(json, '{"name": "foo", "description": "baz"}') + self.assertEqual(json, '{"name":"foo","description":"baz"}') # modify the raw json string json = json.replace("foo", "quux") - self.assertEqual(json, '{"name": "quux", "description": "baz"}') + self.assertEqual(json, '{"name":"quux","description":"baz"}') # does it load? - obj2 = _Base.from_json(json) + obj2 = _Base.model_validate_json(json) self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "baz") def test_asdict_roundtrip(self): - from dataclasses import asdict obj = self.obj - d = asdict(obj) + d = obj.model_dump() self.assertIsInstance(d, dict) self.assertEqual(d["name"], "foo") @@ -88,7 +86,7 @@ def test_keyed_create(self): obj = _Keyed(key="foo") self.assertEqual(obj.key, "foo") - self.assertRaises(TypeError, _Keyed) + self.assertRaises(ValidationError, _Keyed) def test_mixin_combos(self): # We need to test all the combinations @@ -122,9 +120,7 @@ def test_mixin_combos(self): args = {k: v for x in combo for k, v in x["args"].items()} # create an object with the mixins - @dataclass_json - @dataclass(kw_only=True) - class Foo(_Base, *classes): + class Foo(_Base, *classes, BaseModel): pass # make sure it breaks if we leave out a required arg @@ -136,10 +132,10 @@ class Foo(_Base, *classes): # expect success obj = Foo(name="foo", description="baz", **args_copy) # make sure the key is defaulted - self.assertEqual(getattr(Foo, k), getattr(obj, k)) + self.assertIsNotNone(getattr(obj, k)) else: self.assertRaises( - TypeError, + ValidationError, Foo, name="foo", description="baz", @@ -155,19 +151,19 @@ class Foo(_Base, *classes): self.assertEqual(getattr(obj, k), v) # test json roundtrip - json = obj.to_json() + json = obj.model_dump_json() # is it a string? self.assertIsInstance(json, str) # does it look right? - self.assertIn('"name": "foo"', json) - self.assertIn('"description": "baz"', json) + self.assertIn('"name":"foo"', json) + self.assertIn('"description":"baz"', json) for k, v in args.items(): - self.assertIn(f'"{k}": "{v}"', json) + self.assertIn(f'"{k}":"{v}"', json) # change the name and description json = json.replace("foo", "quux") json = json.replace("baz", "fizz") # does it load? - obj2 = Foo.from_json(json) + obj2 = Foo.model_validate_json(json) self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "fizz") # make sure the args are set diff --git a/src/test/test_outcomes.py b/src/test/test_outcomes.py index 698991b3..4f5738e9 100644 --- a/src/test/test_outcomes.py +++ b/src/test/test_outcomes.py @@ -27,8 +27,6 @@ def test_outcome_value(self): self.assertEqual(ov.description, x) def test_outcome_group(self): - ALPHABET - values = [] for x in ALPHABET: values.append(OutcomeValue(key=x, name=x, description=x)) @@ -42,10 +40,11 @@ def test_outcome_group(self): self.assertEqual(len(og), len(ALPHABET)) + og_outcomes = list(og.outcomes) for i, letter in enumerate(ALPHABET): - self.assertEqual(og.outcomes[i].key, letter) - self.assertEqual(og.outcomes[i].name, letter) - self.assertEqual(og.outcomes[i].description, letter) + self.assertEqual(og_outcomes[i].key, letter) + self.assertEqual(og_outcomes[i].name, letter) + self.assertEqual(og_outcomes[i].description, letter) if __name__ == "__main__": diff --git a/src/test/test_schema.py b/src/test/test_schema.py index db08923c..65568501 100644 --- a/src/test/test_schema.py +++ b/src/test/test_schema.py @@ -32,7 +32,6 @@ CVSSv3, CVSSv4, ) # noqa - # importing these causes the decision points to register themselves from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa @@ -55,7 +54,6 @@ def retrieve_local(uri: str) -> Resource: return Resource.from_contents(schema) - registry = Registry(retrieve=retrieve_local) @@ -90,19 +88,17 @@ def test_decision_point_validation(self): for dp in decision_points: exp = None - as_json = dp.to_json() + as_json = dp.model_dump_json() loaded = json.loads(as_json) try: - Draft202012Validator( - {"$ref": schema_url}, registry=registry - ).validate(loaded) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate( + loaded + ) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone( - exp, f"Validation failed for {dp.name} {dp.version}" - ) + self.assertIsNone(exp, f"Validation failed for {dp.name} {dp.version}") self.logger.debug( f"Validation passed for Decision Point ({dp.namespace}) {dp.name} v{dp.version}" ) @@ -111,23 +107,26 @@ def test_decision_point_group_validation(self): schema_url = "https://certcc.github.io/SSVC/data/schema/current/Decision_Point_Group.schema.json" for dpg in self.dpgs: exp = None - as_json = dpg.to_json() + as_json = dpg.model_dump_json() loaded = json.loads(as_json) try: - Draft202012Validator( - {"$ref": schema_url}, registry=registry - ).validate(loaded) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate( + loaded + ) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone( - exp, f"Validation failed for {dpg.name} {dpg.version}" - ) + self.assertIsNone(exp, f"Validation failed for {dpg.name} {dpg.version}") self.logger.debug( f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}" ) + @unittest.skip("Test not implemented") + def test_outcome_group_schema_validation(self): + # TODO: Implement test + self.fail() + if __name__ == "__main__": unittest.main()