From 79f5a4141cdbf24f763fab45c4b5e0af4dc8bda2 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 27 Feb 2025 11:56:00 -0500 Subject: [PATCH 1/4] markdownlint on github issue and pr templates --- .github/ISSUE_TEMPLATE/bug_report.md | 1 + .github/ISSUE_TEMPLATE/question.md | 2 +- .github/PULL_REQUEST_TEMPLATE/pull_request_template.md | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index eb1641c5..59a248b0 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -12,6 +12,7 @@ A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: + 1. Go to '...' 2. Click on '....' 3. Scroll down to '....' diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md index 83c47536..d45f0bd7 100644 --- a/.github/ISSUE_TEMPLATE/question.md +++ b/.github/ISSUE_TEMPLATE/question.md @@ -7,6 +7,6 @@ assignees: '' --- -_Note:_ Questions for the SSVC team can be asked here in the form of an issue. More general questions directed at the SSVC user community +*Note:* Questions for the SSVC team can be asked here in the form of an issue. More general questions directed at the SSVC user community might be a better fit in the [Q&A](https://github.com/CERTCC/SSVC/discussions/categories/q-a) category of our [Discussions](https://github.com/CERTCC/SSVC/discussions) area. diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md index 324b4ead..cf9b808e 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md 
@@ -4,7 +4,7 @@ not just a reference to an issue number. PR titles are used in the commit log and release notes, so they need to convey meaning on their own. - Most pull requests should be in response to an issue, and ideally a PR will - resolve or close one or more issues. + resolve or close one or more issues. - If a PR only partially resolves an issue, we suggest spawning one or more child issues from the main issue to identify what portion of the issue is resolved by the PR, and what work remains to be done. @@ -13,5 +13,5 @@ - Using bulleted lists with the issue id at the end lets github automatically link the issue and provide the title inline. E.g.: `- resolves #99999` - CoPilot summaries are welcome in the PR description, but please provide a brief -description of the changes in your own words as well. CoPilot can be good at the _what_, -but not so good at the _why_. \ No newline at end of file +description of the changes in your own words as well. CoPilot can be good at the *what*, +but not so good at the *why*. From 2bea679ead3502b5a9a8435e01dcd10b47cfee04 Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder"
Date: Fri, 28 Feb 2025 16:16:48 -0500
Subject: [PATCH 2/4] update json examples (#727)
forgot to run doctools.py after we modified some of the decision points
---
 .../cvss/automatable_1_0_0.json | 5 ++++
 ...impact_to_the_subsequent_system_1_0_0.json | 25 ++++++++++++++++
 ...impact_to_the_vulnerable_system_3_0_0.json | 25 ++++++++++++++++
 ...impact_to_the_vulnerable_system_3_0_0.json | 25 ++++++++++++++++
 ...impact_to_the_vulnerable_system_3_0_0.json | 25 ++++++++++++++++
 .../cvss/integrity_requirement_1_1_1.json | 30 +++++++++++++++++++
 ...impact_to_the_subsequent_system_1_0_0.json | 30 +++++++++++++++++++
 ...impact_to_the_vulnerable_system_3_0_0.json | 30 +++++++++++++++++++
 ...impact_to_the_vulnerable_system_3_0_0.json | 30 +++++++++++++++++++
 ...impact_to_the_vulnerable_system_3_0_0.json | 30 +++++++++++++++++++
 10 files changed, 255 insertions(+)
 create mode 100644 data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json
 create mode 100644 data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json
 create mode 100644 data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json
 create mode 100644 data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json
 create mode 100644 data/json/decision_points/cvss/integrity_requirement_1_1_1.json
 create mode 100644 data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json
 create mode 100644 data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json
 create mode 100644 data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json
 create mode 100644 data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json
diff --git a/data/json/decision_points/cvss/automatable_1_0_0.json b/data/json/decision_points/cvss/automatable_1_0_0.json
index 9601b871..1963318c 100644
--- a/data/json/decision_points/cvss/automatable_1_0_0.json
+++ b/data/json/decision_points/cvss/automatable_1_0_0.json
@@ -15,6 +15,11 @@
 "key": "Y",
 "name": "Yes",
 "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
 }
diff --git a/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json
new file mode 100644
index 00000000..be7cedbe
--- /dev/null
+++ b/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "SA",
+ "name": "Availability Impact to the Subsequent System",
+ "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json
new file mode 100644
index 00000000..ebef410c
--- /dev/null
+++ b/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "VA",
+ "name": "Availability Impact to the Vulnerable System",
+ "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to availability within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json
new file mode 100644
index 00000000..ceea5568
--- /dev/null
+++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "VC",
+ "name": "Confidentiality Impact to the Vulnerable System",
+ "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of confidentiality within the impacted component."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json
new file mode 100644
index 00000000..ad055d84
--- /dev/null
+++ b/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "VI",
+ "name": "Integrity Impact to the Vulnerable System",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of integrity within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
new file mode 100644
index 00000000..4a99083a
--- /dev/null
+++ b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "1.1.1",
+ "schemaVersion": "1-0-1",
+ "key": "IR",
+ "name": "Integrity Requirement",
+ "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json
new file mode 100644
index 00000000..e1e91459
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json
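Review bot: The description of the Integrity Requirement decision point (key `IR`) says the asset's importance is "measured in terms of Confidentiality", which reads as text carried over from the Confidentiality Requirement definition; for this metric it should presumably end `measured in terms of Integrity.` The commit message says these files come from running doctools.py, so the correction belongs in the source decision-point definition it renders from, with this file regenerated afterwards, otherwise the next run reintroduces the error. The same description uses a typographic apostrophe in `analyst’s` where the other files in this commit use a plain `'`, which is worth normalizing at the same time.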
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MSA",
+ "name": "Modified Availability Impact to the Subsequent System",
+ "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "values": [
+ {
+ "key": "N",
+ "name": "Negligible",
+ "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json
new file mode 100644
index 00000000..7003a551
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json
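Review bot: The `N` value of `MSA` is named "Negligible" here, while the base `SA` decision point added earlier in this commit names its `N` value "None" with an identical description, so the modified metric and the metric it modifies will not agree when shown side by side. I cannot tell from the page which name is intended; if the modified metric is meant to mirror the base metric, the two names should match, and as with the other files in this commit the change belongs in the source definition that doctools.py renders rather than in the generated JSON.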
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MVA",
+ "name": "Modified Availability Impact to the Vulnerable System",
+ "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to availability within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json
new file mode 100644
index 00000000..aba1fa8b
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MVC",
+ "name": "Modified Confidentiality Impact to the Vulnerable System",
+ "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of confidentiality within the impacted component."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json
new file mode 100644
index 00000000..5a3c69e0
--- /dev/null
+++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cvss",
+ "version": "3.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "MVI",
+ "name": "Modified Integrity Impact to the Vulnerable System",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of integrity within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
From 13c7937289388b875b889e2ac46aacecf8399f10 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 3 Mar 2025 13:27:55 -0500
Subject: [PATCH 3/4] Bump the mkdocs group with 2 updates (#730)
Bumps the mkdocs group with 2 updates: [mkdocs-bibtex](https://github.com/shyamd/mkdocs-bibtex) and [mkdocs-material](https://github.com/squidfunk/mkdocs-material). Updates `mkdocs-bibtex` from 4.2.1 to 4.2.2 - [Release notes](https://github.com/shyamd/mkdocs-bibtex/releases) - [Commits](https://github.com/shyamd/mkdocs-bibtex/compare/v4.2.1...v4.2.2) Updates `mkdocs-material` from 9.6.5 to 9.6.7 - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.6.5...9.6.7) --- updated-dependencies: - dependency-name: mkdocs-bibtex dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index f4294acb..22c220b4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,8 @@
 mkdocs==1.6.1
-mkdocs-bibtex==4.2.1
+mkdocs-bibtex==4.2.2
 mkdocs-include-markdown-plugin==7.1.4
 mkdocs-table-reader-plugin==3.1.0
-mkdocs-material==9.6.5
+mkdocs-material==9.6.7
 mkdocs-material-extensions==1.3.1
 mkdocstrings==0.28.2
 mkdocstrings-python==1.16.2
From 26ac56fb9b350e0cf6dec1249622480b1ed2cabc Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Mon, 3 Mar 2025 13:42:46 -0500
Subject: [PATCH 4/4] Update deploy_site.yml
attempting to fix #729
---
 .github/workflows/deploy_site.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/deploy_site.yml b/.github/workflows/deploy_site.yml
index 7e69470d..83cb3cf2 100644
--- a/.github/workflows/deploy_site.yml
+++ b/.github/workflows/deploy_site.yml
@@ -49,6 +49,7 @@ jobs:
 - name: Build Site
 run: |
+ export PYTHONPATH=./src;$PYTHONPATH
 mkdocs build --verbose --clean --config-file mkdocs.yml
 - name: Upload artifact
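Review bot: The added line uses `;` where a path separator is needed: `export PYTHONPATH=./src;$PYTHONPATH` sets PYTHONPATH to `./src` and then tries to run `./src` as a second command, which under the default `bash -e` shell of a `run:` step fails with "Is a directory" and aborts the Build Site step before mkdocs runs. It should read `export PYTHONPATH="${GITHUB_WORKSPACE}/src${PYTHONPATH:+:$PYTHONPATH}"`, which prepends the checkout's src directory and avoids a dangling `:` when PYTHONPATH was unset. Even on a runner where such a line happens not to fail, executing the expansion of an environment variable as a command is not something a CI step should contain. The job this step belongs to starts outside the hunk, so I cannot see whether a `shell:` key overrides the default.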