From 2cf6faa5834a887c76e8503bd7d036a858a8cd42 Mon Sep 17 00:00:00 2001
From: Renae Metcalf
Date: Wed, 5 Feb 2025 14:49:50 -0500
Subject: [PATCH 1/4] Standardize docstrings to define what the program does, add missing license wording, and format blank lines around header docstrings.
---
 src/ssvc/decision_points/automatable.py | 6 +++---
 src/ssvc/decision_points/base.py | 6 +++---
 src/ssvc/decision_points/critical_software.py | 2 ++
 src/ssvc/decision_points/helpers.py | 2 ++
 src/ssvc/decision_points/high_value_asset.py | 2 ++
 src/ssvc/decision_points/human_impact.py | 2 ++
 src/ssvc/decision_points/mission_impact.py | 5 ++---
 .../decision_points/mission_prevalence.py | 6 ++++++
 .../decision_points/public_safety_impact.py | 1 +
 .../decision_points/public_value_added.py | 1 +
 .../decision_points/report_credibility.py | 1 +
 src/ssvc/decision_points/report_public.py | 2 ++
 src/ssvc/decision_points/safety_impact.py | 1 +
 .../decision_points/supplier_cardinality.py | 19 ++++++++++++++++---
 .../decision_points/supplier_contacted.py | 18 +++++++++++++++---
 .../decision_points/supplier_engagement.py | 5 ++---
 .../decision_points/supplier_involvement.py | 4 +---
 src/ssvc/decision_points/system_exposure.py | 19 ++++++++++++++++---
 src/ssvc/decision_points/technical_impact.py | 19 ++++++++++++++++---
 src/ssvc/decision_points/utility.py | 4 ++++
 src/ssvc/decision_points/value_density.py | 18 +++++++++++++++---
 21 files changed, 113 insertions(+), 30 deletions(-)
diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py
index c7051279..d3a417d2 100644
--- a/src/ssvc/decision_points/automatable.py
+++ b/src/ssvc/decision_points/automatable.py
@@ -1,9 +1,9 @@
 #!/usr/bin/env python
+
 """
-file: automatable
-author: adh
-created_at: 9/21/23 10:37 AM
+Provides the Automatable decision point and its values.
 """
+
 # Copyright (c) 2023 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py
index 3e1d32ba..37da83f1 100644
--- a/src/ssvc/decision_points/base.py
+++ b/src/ssvc/decision_points/base.py
@@ -1,9 +1,9 @@
 #!/usr/bin/env python
+
 """
-file: decisionpoints
-author: adh
-created_at: 9/20/23 10:07 AM
+Defines the formatting for SSVC Decision Points.
 """
+
 # Copyright (c) 2023 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py
index c2bdead3..52876c58 100644
--- a/src/ssvc/decision_points/critical_software.py
+++ b/src/ssvc/decision_points/critical_software.py
@@ -1,7 +1,9 @@
 #!/usr/bin/env python
+
 """
 Provides an SSVC decision point for critical software designation.
 """
+
 # Copyright (c) 2023 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py
index 84c61bdc..9c92d3ef 100644
--- a/src/ssvc/decision_points/helpers.py
+++ b/src/ssvc/decision_points/helpers.py
@@ -1,7 +1,9 @@ #!/usr/bin/env python + """ Provides helper functions for working with SSVC decision points. """ + # Copyright (c) 2024 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py index 9cf95f96..4ac2d9a2 100644 --- a/src/ssvc/decision_points/high_value_asset.py +++ b/src/ssvc/decision_points/high_value_asset.py @@ -1,7 +1,9 @@ #!/usr/bin/env python + """ Models a high value asset as a decision point. """ + # Copyright (c) 2023 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py index bc3c48ad..72b3f70d 100644 --- a/src/ssvc/decision_points/human_impact.py +++ b/src/ssvc/decision_points/human_impact.py @@ -1,7 +1,9 @@ #!/usr/bin/env python + """ Provides the Human Impact decision point and its values. """ + # Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project diff --git a/src/ssvc/decision_points/mission_impact.py b/src/ssvc/decision_points/mission_impact.py index 299657ff..ed436e3b 100644 --- a/src/ssvc/decision_points/mission_impact.py +++ b/src/ssvc/decision_points/mission_impact.py @@ -1,8 +1,7 @@ #!/usr/bin/env python + """ -file: mission_impact -author: adh -created_at: 9/21/23 10:20 AM +Provides the Mission Impact decision point and its values. """ # Copyright (c) 2024 Carnegie Mellon University and Contributors. 
diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py
index 73998bcc..950d3b88 100644
--- a/src/ssvc/decision_points/mission_prevalence.py
+++ b/src/ssvc/decision_points/mission_prevalence.py
@@ -1,3 +1,9 @@
+#!/usr/bin/env python
+
+"""
+Provides the Mission Prevalence decision point and its values."
+"""
+
 # Copyright (c) 2024 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
diff --git a/src/ssvc/decision_points/public_safety_impact.py b/src/ssvc/decision_points/public_safety_impact.py
index cb857797..312ca053 100644
--- a/src/ssvc/decision_points/public_safety_impact.py
+++ b/src/ssvc/decision_points/public_safety_impact.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+
 """
 Provides the Public Safety Impact decision point and its values.
 """
diff --git a/src/ssvc/decision_points/public_value_added.py b/src/ssvc/decision_points/public_value_added.py
index 6f8158de..e3a02ee4 100644
--- a/src/ssvc/decision_points/public_value_added.py
+++ b/src/ssvc/decision_points/public_value_added.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+
 """
 This module provides the Public Value Added decision point for the Stakeholder Specific Vulnerability Categorization (SSVC) framework.
 """
diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py
index 93ff6c4b..1998f694 100644
--- a/src/ssvc/decision_points/report_credibility.py
+++ b/src/ssvc/decision_points/report_credibility.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+
 """
 Provides the SSVC Report Credibility Decision Point
 """
diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py
index 7947e1fb..89e29f1e 100644
--- a/src/ssvc/decision_points/report_public.py
+++ b/src/ssvc/decision_points/report_public.py
@@ -1,7 +1,9 @@
 #!/usr/bin/env python
+
 """
 Provides the SSVC Report Public Decision Point
 """
+
 # Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
diff --git a/src/ssvc/decision_points/safety_impact.py b/src/ssvc/decision_points/safety_impact.py
index 691263c2..a13b8a11 100644
--- a/src/ssvc/decision_points/safety_impact.py
+++ b/src/ssvc/decision_points/safety_impact.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+
 """
 Provides the Safety Impact decision point and its values.
 """
diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py
index ebde9d27..60a760d9 100644
--- a/src/ssvc/decision_points/supplier_cardinality.py
+++ b/src/ssvc/decision_points/supplier_cardinality.py
@@ -1,9 +1,22 @@ #!/usr/bin/env python + """ -file: supplier_cardinality -author: adh -created_at: 9/21/23 11:20 AM +Provides the Supplier Cardinality decision point and its values. """ + +# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue MULTIPLE = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py index eff08419..414cedfe 100644 --- a/src/ssvc/decision_points/supplier_contacted.py +++ b/src/ssvc/decision_points/supplier_contacted.py 
@@ -1,9 +1,21 @@ #!/usr/bin/env python """ -file: supplier_contacted -author: adh -created_at: 9/21/23 11:17 AM +Provides the Supplier Engagement decision point and its values. """ + +# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue YES = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py index 69380931..389613ac 100644 --- a/src/ssvc/decision_points/supplier_engagement.py +++ b/src/ssvc/decision_points/supplier_engagement.py @@ -1,8 +1,7 @@ #!/usr/bin/env python + """ -file: supplier_engagement -author: adh -created_at: 9/21/23 11:22 AM +Provides the Supplier Engagement decision point and its values. """ from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py index afc3ce07..57fb0f7e 100644 --- a/src/ssvc/decision_points/supplier_involvement.py +++ b/src/ssvc/decision_points/supplier_involvement.py 
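Review bot: The new module docstring in supplier_contacted.py reads `Provides the Supplier Engagement decision point and its values.`, which is the same text given to supplier_engagement.py in the next hunk and looks like a copy-paste slip; it should name this module's own decision point, e.g. `Provides the Supplier Contacted decision point and its values.` This hunk also leaves the shebang immediately followed by the docstring, while most other files in the patch gain a blank `+` line there. The supplier_involvement.py, utility.py and value_density.py hunks show the same gap, so the blank-line formatting named in the commit message is applied unevenly.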
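Review bot: supplier_engagement.py receives the new docstring but no license header: in this hunk the closing `"""` is followed by the `from ssvc.decision_points.base import ...` line, whereas supplier_cardinality.py, supplier_contacted.py and system_exposure.py get the Carnegie Mellon copyright and license comment block added at that position. The supplier_involvement.py hunk has the same shape. Unless the block already sits further down in these two files, outside what the hunks show, the commit's "add missing license wording" goal is not met for them; the fix would be to add the same twelve-line `# Copyright (c) ...` comment block after the docstring in both.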
@@ -1,8 +1,6 @@ #!/usr/bin/env python """ -file: supplier_involvement -author: adh -created_at: 9/21/23 11:28 AM +Provides the Supplier Involvement decision point and its values. """ from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py index 61dc6766..24b22f3a 100644 --- a/src/ssvc/decision_points/system_exposure.py +++ b/src/ssvc/decision_points/system_exposure.py @@ -1,9 +1,22 @@ #!/usr/bin/env python + """ -file: exposure -author: adh -created_at: 9/21/23 10:16 AM +Provides the System Exposure decision point and its values. """ + +# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue EXP_UNAVOIDABLE = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py index da042f62..6aaecf81 100644 --- a/src/ssvc/decision_points/technical_impact.py +++ b/src/ssvc/decision_points/technical_impact.py 
@@ -1,9 +1,22 @@ #!/usr/bin/env python + """ -file: technical_impact -author: adh -created_at: 9/21/23 9:49 AM +Provides the Technical Impact decision point and its values. """ + +# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue TOTAL = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py index 9aace78a..b2dc5428 100644 --- a/src/ssvc/decision_points/utility.py +++ b/src/ssvc/decision_points/utility.py @@ -1,4 +1,8 @@ #!/usr/bin/env python +""" +Provides the Utility decision point and its values. +""" + # Copyright (c) 2024 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py index eac48a13..34691cf2 100644 --- a/src/ssvc/decision_points/value_density.py +++ b/src/ssvc/decision_points/value_density.py 
@@ -1,9 +1,21 @@ #!/usr/bin/env python """ -file: value_density -author: adh -created_at: 9/21/23 10:01 AM +Provides the Value Density decision point and its values. """ + +# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue CONCENTRATED = SsvcDecisionPointValue( From 745b8798b861cafd09dbb9496746ede875c670a5 Mon Sep 17 00:00:00 2001 From: Renae Metcalf Date: Mon, 17 Feb 2025 14:38:58 -0500 Subject: [PATCH 2/4] Update schemas for typos --- .../Computed-CVE-2014-0751-Coordinator-with-tree.json | 2 +- data/schema_examples/Computed-CVE-2014-0751-Coordinator.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json b/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json index 38184aff..1157462f 100644 --- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json +++ b/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json 
@@ -31,7 +31,7 @@ { "label": "Exploitation", "decision_type": "simple", - "key": "E", + "key": "V", "options": [ { "label": "none", diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json b/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json index 7e869630..b75aa68b 100644 --- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json +++ b/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json @@ -2,7 +2,7 @@ "role": "Coordinator", "id": "CVE-2014-0751", "version": "2.0.3", - "computed": "SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", + "computed": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", "timestamp": "2021-09-29T15:29:44Z", "options": [ { From 300da84a31bf8c34407ff4e73330e9fb1b6b8d2a Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Mon, 17 Feb 2025 15:21:19 -0500 Subject: [PATCH 3/4] Update mission_prevalence.py --- src/ssvc/decision_points/mission_prevalence.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index 6fb697e8..293ac179 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -1,7 +1,7 @@ #!/usr/bin/env python """ -Provides the Mission Prevalence decision point and its values." +Provides the Mission Prevalence decision point and its values. """ # Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. From 33889f0275fe3920fa4e214c13ab0d84c2af14df Mon Sep 17 00:00:00 2001 From: Renae Metcalf Date: Mon, 17 Feb 2025 15:33:13 -0500 Subject: [PATCH 4/4] Update 'virulence' to 'automatable' keys --- .../Computed-CVE-2014-0751-Coordinator-with-tree.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json b/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json index 1157462f..d7896c88 100644 
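Review bot: The `computed` vector in Computed-CVE-2014-0751-Coordinator.json may now disagree with the `options` array below it. The hunk replaces `V:S` with `A:N` in the string, and the diffstat records a single insertion and deletion for this file, so no entry in `options` was touched by this commit. If that array still has an entry keyed `"V"`, as the with-tree example did until PATCH 4/4 changed it to `"key": "A"`, a consumer that rebuilds or validates the vector from `options` would see a mismatch in a file published as a schema example. It is worth confirming that the Automatable entry in this file uses `"key": "A"` and that its selected value matches `N`, and updating it in the same commit if not. The `options` array continues outside the hunk.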
--- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json
+++ b/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json
@@ -2,7 +2,7 @@
 "role": "Coordinator",
 "id": "CVE-2014-0751",
 "version": "2.0.3",
- "computed": "SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/",
+ "computed": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/",
 "timestamp": "2021-09-29T15:29:44Z",
 "options": [
 {
@@ -31,7 +31,7 @@
 {
 "label": "Exploitation",
 "decision_type": "simple",
- "key": "V",
+ "key": "E",
 "options": [
 {
 "label": "none",
@@ -52,7 +52,7 @@
 },
 {
 "label": "Automatable",
- "key": "V",
+ "key": "A",
 "decision_type": "simple",
 "options": [
 {