From affa90fc5284b534c9b9fb9fd7c176f797991633 Mon Sep 17 00:00:00 2001 From: sei-renae Date: Thu, 6 Mar 2025 16:20:43 -0500 Subject: [PATCH 01/12] Convert cwes list to markdown with fewer rows and columns (#737) * Update verbiage because we have a list of CWE-IDs per issue 529. * Clean CWE-IDs list to only exploit_possible=yes, eliminate need for side scrolling, add hyperlinks, and create a markdown version of the csv per issues 530 and 713. * markdown lint * Fix broken link to cwe examples and remove cwe csvs file to enforce a single source of truth. * Make the linkchecker happy * Really fix links this time --- .../cwe/possible-cwe-with-poc-examples.csv | 157 ------------------ docs/_includes/cwe-with-poc-examples.md | 38 +++++ .../reference/decision_points/exploitation.md | 5 +- docs/topics/information_sources.md | 8 +- 4 files changed, 42 insertions(+), 166 deletions(-) delete mode 100644 data/csvs/cwe/possible-cwe-with-poc-examples.csv create mode 100644 docs/_includes/cwe-with-poc-examples.md diff --git a/data/csvs/cwe/possible-cwe-with-poc-examples.csv b/data/csvs/cwe/possible-cwe-with-poc-examples.csv deleted file mode 100644 index c8fdc97b..00000000 --- a/data/csvs/cwe/possible-cwe-with-poc-examples.csv +++ /dev/null 
@@ -1,157 +0,0 @@ -CWE-ID,CWE name,In NVD's CWE Slice?,Possible PoC? ,How could vulnerabilities containing this CWE be exploited?,Tools,Links to tools -20,Improper Input Validation,yes,no,,, -22,Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'),yes,yes,"directory/path traversal ""../""",Panoptic; Burp Suite,https://github.com/lightos/Panoptic; https://portswigger.net/burp -59,Improper Link Resolution Before File Access ('Link Following'),yes,yes,symlink attack,No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link.,https://capec.mitre.org/data/definitions/132.html -73,External Control of File Name or Path,no,no,,, -74,Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'),yes,no,,, -77,Improper Neutralization of Special Elements used in a Command ('Command Injection'),yes,yes,command injection,Commix,https://github.com/commixproject/commix -78,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'),yes,yes,OS command injection,Commix; Burp Suite,https://github.com/commixproject/commix; https://portswigger.net/burp -79,Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),yes,yes,cross-site scripting attack,XSSER; Pybelt; XSStrike,https://github.com/epsylon/xsser; https://github.com/Ekultek/Pybelt; https://github.com/s0md3v/XSStrike -88,Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'),yes,yes,argument/parameter injection,Argument Injection Hammer,https://github.com/nccgroup/argumentinjectionhammer -89,Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'),yes,yes,malicious SQL command injection,SQLMap; BBQSQL; JSQL injection; NoSQLMap,https://github.com/sqlmapproject/sqlmap; https://github.com/CiscoCXSecurity/bbqsql; https://github.com/ron190/jsql-injection; 
https://github.com/codingo/NoSQLMap -91,XML Injection (aka Blind XPath Injection),yes,yes,"inject XML code into a web input, XML file or stream",XXExploiter,https://github.com/luisfontes19/xxexploiter -94,Improper Control of Generation of Code ('Code Injection'),yes,no,,, -115,Misinterpretation of Input,no,no,,, -116,Improper Encoding or Escaping of Output,yes,no,,, -119,Improper Restriction of Operations within the Bounds of a Memory Buffer,yes,no,,, -120,Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'),yes,no,,, -122,Heap-based Buffer Overflow,no,no,,, -125,Out-of-bounds Read,yes,no,,, -129,Improper Validation of Array Index,yes,no,,, -131,Incorrect Calculation of Buffer Size,yes,no,,, -134,Use of Externally-Controlled Format String,yes,no,,, -178,Improper Handling of Case Sensitivity,yes,no,,, -190,Integer Overflow or Wraparound,yes,no,,, -191,Integer Underflow (Wrap or Wraparound),yes,no,,, -193,Off-by-one Error,yes,no,,, -194,Unexpected Sign Extension,no,no,,, -200,Exposure of Sensitive Information to an Unauthorized Actor,yes,no,,, -201,Insertion of Sensitive Information Into Sent Data,no,no,,, -203,Observable Discrepancy,yes,no,,, -209,Generation of Error Message Containing Sensitive Information,yes,yes,read/capture sensitive information contained in error message,OWASP ZAP; Burp Suite,https://www.zaproxy.org/; https://portswigger.net/burp -212,Improper Removal of Sensitive Information Before Storage or Transfer,yes,no,,, -252,Unchecked Return Value,yes,no,,, -257,Storing Passwords in a Recoverable Format,no,no,,, -264,"Permissions, Privileges, and Access Controls",no,no,,, -269,Improper Privilege Management,yes,no,,, -273,Improper Check for Dropped Privileges,yes,no,,, -275,Permission Issues,no,no,,, -276,Incorrect Default Permissions,yes,yes,try to access data or privileges you normally should not have access to,"No specialized resources are required to execute this type of attack. 
In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.",https://capec.mitre.org/data/definitions/1.html -280,Improper Handling of Insufficient Permissions or Privileges,no,no,,, -281,Improper Preservation of Permissions,yes,no,,, -284,Improper Access Control,no,no,,, -287,Improper Authentication,yes,no,,, -290,Authentication Bypass by Spoofing,yes,no,,, -294,Authentication Bypass by Capture-replay,yes,yes,capture-replay attack,Wireshark; smartsniff,https://www.wireshark.org/; https://www.nirsoft.net/utils/smsniff.html -295,Improper Certificate Validation,yes,no,,, -305,Authentication Bypass by Primary Weakness,no,no,,, -306,Missing Authentication for Critical Function,yes,no,,, -307,Improper Restriction of Excessive Authentication Attempts,yes,yes,brute force attack,THC Hydra; John the Ripper; L0phtCrack; Hashcat,https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/ -311,Missing Encryption of Sensitive Data,yes,no,,, -312,Cleartext Storage of Sensitive Information,yes,yes,find sensitive data stored in system,OWASP ZAP; Burp Suite,https://www.zaproxy.org/; https://portswigger.net/burp -319,Cleartext Transmission of Sensitive Information,yes,yes,capture traffic and extract sensitive information,Wireshark; Smartsniff,https://www.wireshark.org/; https://www.nirsoft.net/utils/smsniff.html -321,Use of Hard-coded Cryptographic Key,no,no,,, -326,Inadequate Encryption Strength,yes,no,,, -327,Use of a Broken or Risky Cryptographic Algorithm,yes,no,,, -330,Use of Insufficiently Random Values,yes,yes,brute force attack,THC Hydra; John the Ripper; L0phtCrack; Hashcat,https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; 
https://hashcat.net/hashcat/ -331,Insufficient Entropy,yes,yes,brute force attack/predictive programs,hashcat; php_mt_seed,https://hashcat.net/hashcat/; https://github.com/openwall/php_mt_seed -335,Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG),yes,no,,, -337,Predictable Seed in Pseudo-Random Number Generator (PRNG),no,no,,, -338,Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG),yes,no,,, -345,Insufficient Verification of Data Authenticity,yes,no,,, -346,Origin Validation Error,yes,no,,, -347,Improper Verification of Cryptographic Signature,yes,no,,, -352,Cross-Site Request Forgery (CSRF),yes,yes,CSRF,Burp Suite; XSRFProbe,https://portswigger.net/burp; https://github.com/0xInfection/XSRFProbe -354,Improper Validation of Integrity Check Value,yes,no,,, -362,Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'),yes,no,,, -367,Time-of-check Time-of-use (TOCTOU) Race Condition,yes,no,,, -369,Divide By Zero,yes,no,,, -384,Session Fixation,yes,no,,, -388,7PK - Errors,no,no,,, -400,Uncontrolled Resource Consumption,yes,no,,, -401,Missing Release of Memory after Effective Lifetime,yes,no,,, -404,Improper Resource Shutdown or Release,yes,no,,, -405,Asymmetric Resource Consumption (Amplification),no,no,,, -407,Inefficient Algorithmic Complexity,yes,no,,, -415,Double Free,yes,no,,, -416,Use After Free,yes,no,,, -425,Direct Request ('Forced Browsing'),yes,yes,forcibly navigate to unintended (by the system) URLs,Dirbuster; Dirstalk,https://sourceforge.net/projects/dirbuster/; https://github.com/stefanoj3/dirstalk -426,Untrusted Search Path,yes,yes,malicious dll injection/loading,evildll; evilldll-gen,https://github.com/CrackerCat/evildll; https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011 -427,Uncontrolled Search Path Element,yes,yes,malicious dll injection/loading,evildll; evilldll-gen,https://github.com/CrackerCat/evildll; 
https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011 -428,Unquoted Search Path or Element,yes,yes,insert malicious input into unquoted search path,Metasploit,https://www.metasploit.com/ -434,Unrestricted Upload of File with Dangerous Type,yes,yes,uploading of malicious file (program lacks restrictions to prevent this from occuring),No specialized resources are required to execute this type of attack.,https://capec.mitre.org/data/definitions/1.html -436,Interpretation Conflict,yes,no,,, -441,Unintended Proxy or Intermediary ('Confused Deputy'),no,no,,, -444,Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'),yes,yes,HTTP smuggling,Smuggler,https://github.com/defparam/smuggler -451,User Interface (UI) Misrepresentation of Critical Information,no,no,,, -459,Incomplete Cleanup,yes,no,,, -470,Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'),yes,no,,, -476,NULL Pointer Dereference,yes,no,,, -494,Download of Code Without Integrity Check,yes,no,,, -502,Deserialization of Untrusted Data,yes,no,,, -521,Weak Password Requirements,yes,yes,brute force attack,THC Hydra; John the Ripper; L0phtCrack; Hashcat,https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/ -522,Insufficiently Protected Credentials,yes,yes,"search for exposed credentials, capture traffic, or brute force (context-dependent)","Context-dependent, may utilize traffic sniffing tools, tools for discovering sensitive information, or brute forcing tools",https://www.wireshark.org/; https://www.nirsoft.net/utils/smsniff.html; https://www.zaproxy.org/; https://portswigger.net/burp; https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/ -532,Insertion of Sensitive Information into Log File,yes,yes,access log files and search them for sensitive 
information,OWASP ZAP; Burp Suite - along with the ability to access log files,https://www.zaproxy.org/; https://portswigger.net/burp -552,Files or Directories Accessible to External Parties,yes,no,,, -565,Reliance on Cookies without Validation and Integrity Checking,yes,no,,, -592,Authentication Bypass Issues,no,no,,, -601,URL Redirection to Untrusted Site ('Open Redirect'),yes,no,,, -602,Client-Side Enforcement of Server-Side Security,no,no,,, -610,Externally Controlled Reference to a Resource in Another Sphere,yes,no,,, -611,Improper Restriction of XML External Entity Reference,yes,yes,XML external entity injection,XXExploiter,https://github.com/luisfontes19/xxexploiter -613,Insufficient Session Expiration,yes,no,,, -617,Reachable Assertion,yes,no,,, -639,Authorization Bypass Through User-Controlled Key,yes,yes,"modify key values to change what data attacker has access to, insecure direct object vulnerability exploit",AuthZ for burpsuite,https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e -640,Weak Password Recovery Mechanism for Forgotten Password,yes,no,,, -662,Improper Synchronization,yes,no,,, -665,Improper Initialization,yes,no,,, -667,Improper Locking,yes,no,,, -668,Exposure of Resource to Wrong Sphere,yes,no,,, -669,Incorrect Resource Transfer Between Spheres,yes,no,,, -670,Always-Incorrect Control Flow Implementation,yes,no,,, -672,Operation on a Resource after Expiration or Release,yes,no,,, -674,Uncontrolled Recursion,yes,no,,, -681,Incorrect Conversion between Numeric Types,yes,no,,, -682,Incorrect Calculation,yes,no,,, -697,Incorrect Comparison,yes,no,,, -703,Improper Check or Handling of Exceptional Conditions,no,no,,, -704,Incorrect Type Conversion or Cast,yes,no,,, -706,Use of Incorrectly-Resolved Name or Reference,yes,no,,, -732,Incorrect Permission Assignment for Critical Resource,yes,no,,, -749,Exposed Dangerous Method or Function,no,no,,, -754,Improper Check for Unusual or Exceptional Conditions,yes,no,,, -755,Improper Handling 
of Exceptional Conditions,yes,no,,, -759,Use of a One-Way Hash without a Salt,no,no,,, -763,Release of Invalid Pointer or Reference,yes,no,,, -770,Allocation of Resources Without Limits or Throttling,yes,no,,, -772,Missing Release of Resource after Effective Lifetime,yes,no,,, -776,Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'),yes,yes,XML entity expansion,XXExploiter,https://github.com/luisfontes19/xxexploiter -787,Out-of-bounds Write,yes,no,,, -789,Memory Allocation with Excessive Size Value,no,no,,, -798,Use of Hard-coded Credentials,yes,yes,discover and use hardcoded credentials,"Context-dependent, may use password cracking tools, binary analysis tools, or may not require any tools (just knowledge of the default hard-coded credentials)",https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/; https://www.powergrep.com/ -823,Use of Out-of-range Pointer Offset,no,no,,, -824,Access of Uninitialized Pointer,yes,no,,, -829,Inclusion of Functionality from Untrusted Control Sphere,yes,no,,, -834,Excessive Iteration,yes,no,,, -835,Loop with Unreachable Exit Condition ('Infinite Loop'),yes,no,,, -838,Inappropriate Encoding for Output Context,yes,no,,, -843,Access of Resource Using Incompatible Type ('Type Confusion'),yes,no,,, -862,Missing Authorization,yes,no,,, -863,Incorrect Authorization,yes,no,,, -908,Use of Uninitialized Resource,yes,no,,, -909,Missing Initialization of Resource,yes,no,,, -913,Improper Control of Dynamically-Managed Code Resources,yes,no,,, -916,Use of Password Hash With Insufficient Computational Effort,yes,yes,brute force,THC Hydra; John the Ripper; L0phtCrack; Hashcat,https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/ -917,Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression 
La,yes,no,,, -918,Server-Side Request Forgery (SSRF),yes,yes,SSRF,SSRFmap; Burp Suite,https://github.com/swisskyrepo/SSRFmap; https://portswigger.net/web-security/ssrf -920,Improper Restriction of Power Consumption,yes,no,,, -922,Insecure Storage of Sensitive Information,yes,no,,, -924,Improper Enforcement of Message Integrity During Transmission in a Communication Channel,yes,no,,, -1021,Improper Restriction of Rendered UI Layers or Frames,yes,no,,, -1188,Insecure Default Initialization of Resource,yes,yes,use default credentials,"Context-dependent, but may not need any tools (for example, try to use default credentials or access resources that typically require permissions) - knowledge of the system (and its defaults) helps", -1236,Improper Neutralization of Formula Elements in a CSV File,yes,yes,CSV injection,"No specialized resources are required to execute this type of attack, it is more based on payloads.",https://gitlab.com/pentest-tools/PayloadsAllTheThings/-/tree/master/CSV%20Injection; https://owasp.org/www-community/attacks/CSV_Injection -1284,Improper Validation of Specified Quantity in Input,yes,no,,, -1321,Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'),yes,yes,prototype pollution,DOM Invader (Burp Suite),https://portswigger.net/burp/documentation/desktop/tools/dom-invader -1333,Inefficient Regular Expression Complexity,yes,yes,ReDoS or exponential backtracking,ReScue,https://2bdenny.github.io/ReScue/ -NVD-noinfo,There is insufficient information about the issue to classify it; details are unkown or unspecified.,yes,no,,, -NVD-Other,"NVD is only using a subset of CWE for mapping instead of the entire CWE, and the weakness type is not covered by that subset.",yes,no,,, diff --git a/docs/_includes/cwe-with-poc-examples.md b/docs/_includes/cwe-with-poc-examples.md new file mode 100644 index 00000000..475fb5da --- /dev/null +++ b/docs/_includes/cwe-with-poc-examples.md 
@@ -0,0 +1,38 @@ +|CWE-ID|CWE name|How could vulnerabilities containing this CWE be exploited?|Tools| +|---|---|---|---| +|[CWE-22](https://cwe.mitre.org/data/definitions/22.html)|Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')|"directory/path traversal ""../"""|[Panoptic](https://github.com/lightos/Panoptic); [Burp Suite](https://portswigger.net/burp)| +|[CWE-59](https://cwe.mitre.org/data/definitions/59.html)|Improper Link Resolution Before File Access ('Link Following')|symlink attack|No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link. [CAPEC](https://capec.mitre.org/data/definitions/132.html)| +|[CWE-77](https://cwe.mitre.org/data/definitions/77.html)|Improper Neutralization of Special Elements used in a Command ('Command Injection')|command injection|[Commix](https://github.com/commixproject/commix)| +|[CWE-78](https://cwe.mitre.org/data/definitions/78.html)|Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')|OS command injection|[Commix](https://github.com/commixproject/commix); [Burp Suite]( https://portswigger.net/burp)| +|[CWE-79](https://cwe.mitre.org/data/definitions/79.html)|Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')|cross-site scripting attack|[XSSER](https://github.com/epsylon/xsser); [Pybelt](https://github.com/Ekultek/Pybelt); [XSStrike](https://github.com/s0md3v/XSStrike)| +|[CWE-88](https://cwe.mitre.org/data/definitions/88.html)|Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')|argument/parameter injection|[Argument Injection Hammer](https://github.com/nccgroup/argumentinjectionhammer)| +|[CWE-89](https://cwe.mitre.org/data/definitions/89.html)|Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')|malicious SQL command injection|[SQLMap](https://github.com/sqlmapproject/sqlmap); 
[BBQSQL](https://github.com/CiscoCXSecurity/bbqsql); [JSQL injection](https://github.com/ron190/jsql-injection); [NoSQLMap](https://github.com/codingo/NoSQLMap)| +|[CWE-91](https://cwe.mitre.org/data/definitions/91.html)|XML Injection (aka Blind XPath Injection)|"inject XML code into a web input, XML file or stream"|[XXExploiter](https://github.com/luisfontes19/xxexploiter)| +|[CWE-209](https://cwe.mitre.org/data/definitions/209.html)|Generation of Error Message Containing Sensitive Information|read/capture sensitive information contained in error message|[OWASP ZAP](https://www.zaproxy.org/); [Burp Suite](https://portswigger.net/burp)| +|[CWE-276](https://cwe.mitre.org/data/definitions/276.html)|Incorrect Default Permissions try to access data or privileges you normally should not have access to|"No specialized resources are required to execute this type of attack. In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly."|[CAPEC](https://capec.mitre.org/data/definitions/1.html)| +|[CWE-294](https://cwe.mitre.org/data/definitions/294.html)|Authentication Bypass by Capture-replay|capture-replay attack|[Wireshark](https://www.wireshark.org/); [smartsniff](https://www.nirsoft.net/utils/smsniff.html)| +|[CWE-307](https://cwe.mitre.org/data/definitions/307.html)|Improper Restriction of Excessive Authentication Attempts|brute force attack|[THC Hydra](https://github.com/vanhauser-thc/thc-hydra); [John the Ripper](https://github.com/openwall/john); [L0phtCrack](https://gitlab.com/l0phtcrack/l0phtcrack); [Hashcat](https://hashcat.net/hashcat)| +|[CWE-312](https://cwe.mitre.org/data/definitions/312.html)|Cleartext Storage of Sensitive Information|find sensitive data stored in system|[OWASP ZAP](https://www.zaproxy.org/); [Burp Suite](https://portswigger.net/burp)| 
+|[CWE-319](https://cwe.mitre.org/data/definitions/319.html)|Cleartext Transmission of Sensitive Information|capture traffic and extract sensitive information|[Wireshark](https://www.wireshark.org/); [Smartsniff](https://www.nirsoft.net/utils/smsniff.html)| +|[CWE-330](https://cwe.mitre.org/data/definitions/330.html)|Use of Insufficiently Random Values|brute force attack|[THC Hydra](https://github.com/vanhauser-thc/thc-hydra); [John the Ripper](https://github.com/openwall/john); [L0phtCrack](https://gitlab.com/l0phtcrack/l0phtcrack); [Hashcat](https://hashcat.net/hashcat)| +|[CWE-331](https://cwe.mitre.org/data/definitions/331.html)|Insufficient Entropy|brute force attack/predictive programs|[hashcat](https://hashcat.net/hashcat/); [php_mt_seed](https://github.com/openwall/php_mt_seed)| +|[CWE-352](https://cwe.mitre.org/data/definitions/352.html)|Cross-Site Request Forgery (CSRF)|CSRF|[Burp Suite](https://portswigger.net/burp); [XSRFProbe](https://github.com/0xInfection/XSRFProbe)| +|[CWE-425](https://cwe.mitre.org/data/definitions/425.html)|Direct Request ('Forced Browsing')|forcibly navigate to unintended (by the system) URLs|[Dirbuster](https://sourceforge.net/projects/dirbuster/); [Dirstalk](https://github.com/stefanoj3/dirstalk)| +|[CWE-426](https://cwe.mitre.org/data/definitions/426.html)|Untrusted Search Path|malicious dll injection/loading|[evildll](https://github.com/CrackerCat/evildll); [evilldll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011 )| +|[CWE-427](https://cwe.mitre.org/data/definitions/427.html)|Uncontrolled Search Path Element|malicious dll injection/loading|[evildll](https://github.com/CrackerCat/evildll); [evilldll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011 )| +|[CWE-428](https://cwe.mitre.org/data/definitions/428.html)|Unquoted Search Path or Element|insert malicious input into unquoted search path|[Metasploit](https://www.metasploit.com/)| 
+|[CWE-434](https://cwe.mitre.org/data/definitions/434.html)|Unrestricted Upload of File with Dangerous Type|uploading of malicious file (program lacks restrictions to prevent this from occuring)|No specialized resources are required to execute this type of attack. [CAPEC](https://capec.mitre.org/data/definitions/1.html)| +|[CWE-444](https://cwe.mitre.org/data/definitions/444.html)|Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')|HTTP smuggling|[Smuggler](https://github.com/defparam/smuggler)| +|[CWE-521](https://cwe.mitre.org/data/definitions/521.html)|Weak Password Requirements|brute force attack|[THC Hydra](https://github.com/vanhauser-thc/thc-hydra); [John the Ripper](https://github.com/openwall/john); [L0phtCrack](https://gitlab.com/l0phtcrack/l0phtcrack); [Hashcat](https://hashcat.net/hashcat)| +|[CWE-522](https://cwe.mitre.org/data/definitions/522.html)|Insufficiently Protected Credentials|"search for exposed credentials, capture traffic, or brute force (context-dependent)"|"Context-dependent, may utilize traffic sniffing tools, tools for discovering sensitive information, or brute forcing tools. 
[Wireshark](https://www.wireshark.org/); [SMS Sniff](https://www.nirsoft.net/utils/smsniff.html); [OWASP ZAP](https://www.zaproxy.org/); [Burp suite](https://portswigger.net/burp); [THC Hydra](https://github.com/vanhauser-thc/thc-hydra); [John the Ripper](https://github.com/openwall/john); [L0phtCrack](https://gitlab.com/l0phtcrack/l0phtcrack); [Hashcat](https://hashcat.net/hashcat)| +|[CWE-532](https://cwe.mitre.org/data/definitions/532.html)|Insertion of Sensitive Information into Log File|access log files and search them for sensitive information|[OWASP ZAP](https://www.zaproxy.org/); [Burp Suite](https://portswigger.net/burp); - along with the ability to access log files| +|[CWE-611](https://cwe.mitre.org/data/definitions/611.html)|Improper Restriction of XML External Entity Reference|XML external entity injection|[XXExploiter](https://github.com/luisfontes19/xxexploiter)| +|[CWE-639](https://cwe.mitre.org/data/definitions/639.html)|Authorization Bypass Through User-Controlled Key|"modify key values to change what data attacker has access to, insecure direct object vulnerability exploit"|[AuthZ for burpsuite](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)| +|[CWE-776](https://cwe.mitre.org/data/definitions/776.html)|Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')|XML entity expansion|[XXExploiter](https://github.com/luisfontes19/xxexploiter)| +|[CWE-798](https://cwe.mitre.org/data/definitions/798.html)|Use of Hard-coded Credentials|discover and use hardcoded credentials|"Context-dependent, may use password cracking tools, binary analysis tools, or may not require any tools (just knowledge of the default hard-coded credentials)". 
[THC Hydra](https://github.com/vanhauser-thc/thc-hydra); [John the Ripper](https://github.com/openwall/john); [L0phtCrack](https://gitlab.com/l0phtcrack/l0phtcrack); [Hashcat](https://hashcat.net/hashcat); [Power Grep](https://www.powergrep.com/)| +|[CWE-916](https://cwe.mitre.org/data/definitions/916.html)|Use of Password Hash With Insufficient Computational Effort|brute force|[THC Hydra](https://github.com/vanhauser-thc/thc-hydra); [John the Ripper](https://github.com/openwall/john); [L0phtCrack](https://gitlab.com/l0phtcrack/l0phtcrack); [Hashcat](https://hashcat.net/hashcat)| +|[CWE-918](https://cwe.mitre.org/data/definitions/918.html)|Server-Side Request Forgery (SSRF)|SSRF|[SSRFmap](https://github.com/swisskyrepo/SSRFmap); [Burp Suite](https://portswigger.net/web-security/ssrf)| +|[CWE-1188](https://cwe.mitre.org/data/definitions/1188.html)|Insecure Default Initialization of Resource|use default credentials|"Context-dependent, but may not need any tools (for example, try to use default credentials or access resources that typically require permissions) - knowledge of the system (and its defaults) helps"| +|[CWE-1236](https://cwe.mitre.org/data/definitions/1236.html)|Improper Neutralization of Formula Elements in a CSV File|CSV injection|"No specialized resources are required to execute this type of attack, it is more based on payloads.":[PayloadsAllTheThings](https://gitlab.com/pentest-tools/PayloadsAllTheThings/-/tree/master/CSV%20Injection);[OWASP CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection)| +|[CWE-1321](https://cwe.mitre.org/data/definitions/1321.html)|Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')|prototype pollution|[DOM Invader (Burp Suite)](https://portswigger.net/burp/documentation/desktop/tools/dom-invader)| +|[CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)|Inefficient Regular Expression Complexity|ReDoS or exponential 
backtracking|[ReScue](https://2bdenny.github.io/ReScue/)| diff --git a/docs/reference/decision_points/exploitation.md b/docs/reference/decision_points/exploitation.md index 478d4033..b4f93bb3 100644 --- a/docs/reference/decision_points/exploitation.md +++ b/docs/reference/decision_points/exploitation.md @@ -44,10 +44,7 @@ The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC describe improper validation of TLS certificates. These CWE-IDs could always be marked as *PoC* since that meets condition (3) in the definition. -{% include-markdown "../../_includes/_scrollable_table.md" heading-offset=1 %} - - -{{ read_csv('cwe/possible-cwe-with-poc-examples.csv') }} +{% include-markdown "../../_includes/cwe-with-poc-examples.md" heading-offset=1 %} ## Prior Versions diff --git a/docs/topics/information_sources.md b/docs/topics/information_sources.md index 3ed11424..93d760c7 100644 --- a/docs/topics/information_sources.md +++ b/docs/topics/information_sources.md 
@@ -16,7 +16,7 @@ However, if there is a category of information source we have not captured, plea ## Exploitation Various vendors provide paid feeds of vulnerabilities that are currently exploited by attacker groups. -Any of these could be used to indicate that [*active*](../reference/decision_points/exploitation.md) is true for a vulnerability. +Any of these could be used to indicate that [*active*](../reference/decision_points/exploitation.md/#cwe-ids-for-poc) is true for a vulnerability. Although the lists are all different, we expect they are all valid information sources; the difficulty is matching a list's scope and vantage with a compatible scope and vantage of the consumer. We are not aware of a comparative study of the different lists of active exploits; however, we expect they have similar properties to block lists of network touchpoints [@metcalf2015blocklist] and malware [@kuhrer2014paint]. Namely, each list has a different view and vantage on the problem, which makes them appear to be different, but each list accurately represents its particular vantage at a point in time. 
@@ -89,11 +89,9 @@ This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../re As mentioned in the discussion of [*Exploitation*](../reference/decision_points/exploitation.md), [CWE](https://cwe.mitre.org/) could be used to inform one of the conditions that satisfy [*proof of concept*](../reference/decision_points/exploitation.md). For some classes of vulnerabilities, the proof of concept is well known because the method of exploitation is already part of open-source tools. -For example, on-path attacker scenarios for intercepting TLS certificates. +An example of this is on-path attacker scenarios for intercepting TLS certificates. These scenarios are a cluster of related vulnerabilities. -Since CWE classifies clusters of related vulnerabilities, the community could likely curate a list of CWE-IDs for which this condition of well known exploit technique is satisfied. -Once that list were curated, it could be used to automatically populate a CVE-ID as [*proof of concept*](../reference/decision_points/exploitation.md) if the CWE-ID of which it is an instance is on the list. -Such a check could not be exhaustive, since there are other conditions that satisfy [*proof of concept*](../reference/decision_points/exploitation.md). +We provide a non-exhaustive [list of CWE-IDs with known proofs of concept](../reference/decision_points/exploitation.md/#cwe-ids-for-poc). This is list is non-exhaustive becuase there are other conditions that satisfy [*proof of concept*](../reference/decision_points/exploitation.md). If paired with automatic searches for exploit code in public repositories, these checks would cover many scenarios. If paired with active exploitation feeds discussed above, then the value of [*Exploitation*](../reference/decision_points/exploitation.md) could be determined almost entirely from available information without direct analyst involvement at each organization. From a54f99948d59896d2a5a45770c10c5c3df52871c Mon Sep 17 00:00:00 2001 
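Review bot: In the new docs/_includes/cwe-with-poc-examples.md, the CWE-276 row is missing the `|` between the CWE name and the exploitation text (`Incorrect Default Permissions try to access data or privileges ...`), so its columns are shifted: the "No specialized resources are required..." sentence lands in the exploitation column and only the CAPEC link is left under Tools. Add the delimiter after "Incorrect Default Permissions" and move the sentence into the Tools cell, as the CWE-59 and CWE-434 rows do. In the same file, the link targets in the CWE-78, CWE-426 and CWE-427 rows have whitespace inside the parentheses (`[Burp Suite]( https://portswigger.net/burp)`), and several cells still carry CSV quoting that will render literally (`"directory/path traversal ""../"""`, the unclosed quote in the CWE-522 row, `payloads.":[PayloadsAllTheThings]` in CWE-1236).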
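Review bot: In the first docs/topics/information_sources.md hunk (@@ -16,7), the [*active*] link now targets `exploitation.md/#cwe-ids-for-poc`, a fragment that names the CWE list for *PoC* rather than the *active* value the sentence is about. Keep this link pointing at the page as before, or at the section that defines *active*, and use the `#cwe-ids-for-poc` fragment only in the proof-of-concept paragraph further down. None of the visible exploitation.md lines shows the heading that produces that fragment, so confirm it exists there.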
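Review bot: The added line in the second docs/topics/information_sources.md hunk (@@ -89,11) has two typos, "This is list is" and "becuase", and with "Such a check could not be exhaustive" removed, the unchanged sentence that follows ("If paired with automatic searches for exploit code in public repositories, these checks would cover many scenarios") no longer has a check to refer to. Change the added text to "This list is non-exhaustive because ..." and reword the following sentence so that it refers to the list.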
From: "Allen D. Householder" Date: Tue, 11 Mar 2025 15:12:20 -0400 Subject: [PATCH 02/12] Replace `Track*`/`Track *` with `Monitor` in CISA-based decision model (#738) * change type hints on OutcomeGroup class * black reformat * replace `Track *` with `Monitor` * carve a new version of CISA OutcomeGroup to reflect `Track *` -> `Monitor` * replace `Track*` with `Monitor` in json * replace CISA.json with Monitor outcome value * more substitutions --- data/json/outcomes/CISA.json | 14 +++---- docs/ssvc-calc/CISA-Coordinator.json | 12 +++--- docs/ssvc-calc/findex.html | 2 +- docs/ssvc-calc/old_index.html | 2 +- docs/ssvc-calc/sample-ssvc.txt | 4 +- docs/ssvc-calc/ssvc.js | 2 +- src/ssvc/outcomes/base.py | 2 +- src/ssvc/outcomes/groups.py | 58 ++++++++++++++++++++++------ 8 files changed, 66 insertions(+), 30 deletions(-) diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json index c4ebbd2a..15e03647 100644 --- a/data/json/outcomes/CISA.json +++ b/data/json/outcomes/CISA.json @@ -1,8 +1,8 @@ { - "version": "1.0.0", + "version": "1.1.0", "schemaVersion": "1-0-1", "name": "CISA Levels", - "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.", "outcomes": [ { "key": "T", 
@@ -10,9 +10,9 @@ "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." }, { - "key": "T*", - "name": "Track*", - "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + "key": "M", + "name": "Monitor", + "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Monitor vulnerabilities within standard update timelines." }, { "key": "A", @@ -20,9 +20,9 @@ "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "A", + "key": "C", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } ] -} \ No newline at end of file +} diff --git a/docs/ssvc-calc/CISA-Coordinator.json b/docs/ssvc-calc/CISA-Coordinator.json index 7bffef4b..a9bbee2e 100644 --- a/docs/ssvc-calc/CISA-Coordinator.json +++ b/docs/ssvc-calc/CISA-Coordinator.json 
@@ -209,8 +209,8 @@ "color": "#28a745" }, { - "label": "Track*", - "key": "R", + "label": "Monitor", + "key": "M", "description": "Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.", "color": "#ffc107" }, @@ -266,7 +266,7 @@ "Mission & Well-being": "medium" }, { - "Decision": "Track*", + "Decision": "Monitor", "Exploitation": "none", "Automatable": "no", "Technical Impact": "total", @@ -329,7 +329,7 @@ "Mission & Well-being": "medium" }, { - "Decision": "Track*", + "Decision": "Monitor", "Exploitation": "poc", "Automatable": "no", "Technical Impact": "partial", @@ -343,7 +343,7 @@ "Mission & Well-being": "low" }, { - "Decision": "Track*", + "Decision": "Monitor", "Exploitation": "poc", "Automatable": "no", "Technical Impact": "total", @@ -385,7 +385,7 @@ "Mission & Well-being": "low" }, { - "Decision": "Track*", + "Decision": "Monitor", "Exploitation": "poc", "Automatable": "yes", "Technical Impact": "total", diff --git a/docs/ssvc-calc/findex.html b/docs/ssvc-calc/findex.html index 63456ee2..1562e0b1 100644 --- a/docs/ssvc-calc/findex.html +++ b/docs/ssvc-calc/findex.html @@ -294,7 +294,7 @@
Mission Prevelance choices
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
- Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. + Monitor   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
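Review bot: in the docs/ssvc-calc/findex.html hunk the label on the added line becomes "Monitor", but its description still opens with "Track these closely" and keeps the broken hyphenation "ana-lysts". Reword the description to match the new outcome name and fix "analysts" while this line is being touched; the same string appears in the old_index.html hunk and as a context line in CISA-Coordinator.json, so all three should change together.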
diff --git a/docs/ssvc-calc/old_index.html b/docs/ssvc-calc/old_index.html index 9d99945f..2e6b13b2 100644 --- a/docs/ssvc-calc/old_index.html +++ b/docs/ssvc-calc/old_index.html @@ -292,7 +292,7 @@
Mission Prevelance choices
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
- Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. + Monitor   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
diff --git a/docs/ssvc-calc/sample-ssvc.txt b/docs/ssvc-calc/sample-ssvc.txt index e273d496..b6ac3788 100644 --- a/docs/ssvc-calc/sample-ssvc.txt +++ b/docs/ssvc-calc/sample-ssvc.txt @@ -1,8 +1,8 @@ CVE Vulnerability CVSS (v3.x Base Score) SSVC (Decision) Exploit Virulence Technical Mission/Well-Being (Impact) CVE-2020-7961 Liferay Portal JSON web services (JSONWS) deserialization 9.8 Track PoC Yes Total Low (Minimal/Minimal) CVE-2020-5847 Unraid 6.8.0 PHP RCE 9.8 Track PoC Yes Total Low (Minimal/Minimal) -CVE-2019-0708 Microsoft Windows Remote Desktop RCE (BlueKeep) 9.8 Track* PoC Yes Total Medium (Support/Material) -CVE-2019-13918 Rockwell Automation MicroLogix Controller open redirect 6.1 Track* PoC No Partial High (Essential/Material) +CVE-2019-0708 Microsoft Windows Remote Desktop RCE (BlueKeep) 9.8 Monitor PoC Yes Total Medium (Support/Material) +CVE-2019-13918 Rockwell Automation MicroLogix Controller open redirect 6.1 Monitor PoC No Partial High (Essential/Material) CVE-2019-19781 Citrix directory traversal and Perl RCE 9.8 Critical Active Yes Total Medium (Support/Minimal) CVE-2014-0751 GE CIMPLICITY HMI/SCADA directory traversal RCE (Black Energy) 9.8 Critical Active No Total High (Essential/Material) CVE-2018-5734 BIND 9 SERVFAIL assertion failure in badcache.c 7.5 Track None Yes Partial Medium (Support/Minimal) diff --git a/docs/ssvc-calc/ssvc.js b/docs/ssvc-calc/ssvc.js index f9d6cdc6..35568ef8 100644 --- a/docs/ssvc-calc/ssvc.js +++ b/docs/ssvc-calc/ssvc.js 
@@ -21,7 +21,7 @@ var diagonal,tree,svg,duration,root var treeData = [] /* Deefault color array of possible color options */ var acolors = ["#28a745","#ffc107","#EE8733","#dc3545","#ff0000","#aa0000","#ff0000"] -var lcolors = {"Track":"#28a745","Track*":"#ffc107","Attend":"#EE8733","Act":"#dc3545"} +var lcolors = {"Track":"#28a745","Monitor":"#ffc107","Attend":"#EE8733","Act":"#dc3545"} var ssvc_short_keys = {}; /* These variables are for decision tree schema JSON aka SSVC Provision Schema */ var export_schema = {decision_points: [],decisions_table: [], lang: "en", diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py index 11eaf873..2262c816 100644 --- a/src/ssvc/outcomes/base.py +++ b/src/ssvc/outcomes/base.py @@ -31,7 +31,7 @@ class OutcomeGroup(_Base, _Versioned, BaseModel): Models an outcome group. """ - outcomes: list[OutcomeValue] + outcomes: tuple[OutcomeValue, ...] def __iter__(self): """ diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py index 5326b6d9..e61c9d9a 100644 --- a/src/ssvc/outcomes/groups.py +++ b/src/ssvc/outcomes/groups.py @@ -40,9 +40,7 @@ description="The publish outcome group.", version="1.0.0", outcomes=( - OutcomeValue( - name="Do Not Publish", key="N", description="Do Not Publish" - ), + OutcomeValue(name="Do Not Publish", key="N", description="Do Not Publish"), OutcomeValue(name="Publish", key="P", description="Publish"), ), ) @@ -109,7 +107,7 @@ The CVSS outcome group. """ -CISA = OutcomeGroup( +CISA_1 = OutcomeGroup( name="CISA Levels", description="The CISA outcome group. " "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", @@ -124,7 +122,7 @@ ), OutcomeValue( name="Track*", - key="T*", + key="R", description="The vulnerability contains specific characteristics that may require closer monitoring for changes. " "CISA recommends remediating Track* vulnerabilities within standard update timelines.", ), 
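Review bot: in the src/ssvc/outcomes/groups.py hunk at -124,7 the group just renamed to `CISA_1` is meant to preserve the previous definition, yet its `Track*` key is edited from `key="T*"` to `key="R"`, and the following hunk moves its `Act` key from `A` to `C`. The removed side of data/json/outcomes/CISA.json shows the 1.0.0 keys as `T*` and `A`, so unless `CISA_1` also gets a new version string, one version would resolve to two different key sets. Either leave the legacy keys untouched in `CISA_1`, or bump its version and say in the commit message that the keys are being corrected retroactively.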
@@ -137,7 +135,48 @@ ), OutcomeValue( name="Act", + key="C", + description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. " + "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. " + "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. " + "CISA recommends remediating Act vulnerabilities as soon as possible.", + ), + ), +) +""" +The CISA outcome group. Based on CISA's customizations of the SSVC model. +See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc +""" + +CISA = OutcomeGroup( + name="CISA Levels", + description="The CISA outcome group. " + "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.", + version="1.1.0", + outcomes=( + OutcomeValue( + name="Track", + key="T", + description="The vulnerability does not require action at this time. " + "The organization would continue to track the vulnerability and reassess it if new information becomes available. " + "CISA recommends remediating Track vulnerabilities within standard update timelines.", + ), + OutcomeValue( + name="Monitor", + key="M", + description="The vulnerability contains specific characteristics that may require closer monitoring for changes. " + "CISA recommends remediating Monitor vulnerabilities within standard update timelines.", + ), + OutcomeValue( + name="Attend", key="A", + description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. " + "Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. 
" + "CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", + ), + OutcomeValue( + name="Act", + key="C", description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. " "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. " "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. " @@ -150,6 +189,7 @@ See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc """ + YES_NO = OutcomeGroup( name="Yes, No", description="The Yes/No outcome group.", @@ -170,9 +210,7 @@ outcomes=( # drop, reconsider later, easy win, do first OutcomeValue(name="Drop", key="D", description="Drop"), - OutcomeValue( - name="Reconsider Later", key="R", description="Reconsider Later" - ), + OutcomeValue(name="Reconsider Later", key="R", description="Reconsider Later"), OutcomeValue(name="Easy Win", key="E", description="Easy Win"), OutcomeValue(name="Do First", key="F", description="Do First"), ), @@ -187,9 +225,7 @@ version="1.0.0", outcomes=( OutcomeValue(name="Track 5", key="5", description="Track"), - OutcomeValue( - name="Track Closely 4", key="4", description="Track Closely" - ), + OutcomeValue(name="Track Closely 4", key="4", description="Track Closely"), OutcomeValue(name="Attend 3", key="3", description="Attend"), OutcomeValue(name="Attend 2", key="2", description="Attend"), OutcomeValue(name="Act 1", key="1", description="Act"), From c0503d9a611abcb64a02049480e3700beaf4e65d Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Tue, 11 Mar 2025 15:28:19 -0400 Subject: [PATCH 03/12] =?UTF-8?q?Revert=20"Replace=20`Track*`/`Track=20*`?= =?UTF-8?q?=20with=20`Monitor`=20in=20CISA-based=20decision=20mode?= =?UTF-8?q?=E2=80=A6"=20(#741)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit a54f99948d59896d2a5a45770c10c5c3df52871c. --- data/json/outcomes/CISA.json | 14 +++---- docs/ssvc-calc/CISA-Coordinator.json | 12 +++--- docs/ssvc-calc/findex.html | 2 +- docs/ssvc-calc/old_index.html | 2 +- docs/ssvc-calc/sample-ssvc.txt | 4 +- docs/ssvc-calc/ssvc.js | 2 +- src/ssvc/outcomes/base.py | 2 +- src/ssvc/outcomes/groups.py | 58 ++++++---------------------- 8 files changed, 30 insertions(+), 66 deletions(-) diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json index 15e03647..c4ebbd2a 100644 --- a/data/json/outcomes/CISA.json +++ b/data/json/outcomes/CISA.json @@ -1,8 +1,8 @@ { - "version": "1.1.0", + "version": "1.0.0", "schemaVersion": "1-0-1", "name": "CISA Levels", - "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.", + "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "outcomes": [ { "key": "T", 
@@ -10,9 +10,9 @@ "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." }, { - "key": "M", - "name": "Monitor", - "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Monitor vulnerabilities within standard update timelines." + "key": "T*", + "name": "Track*", + "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, { "key": "A", @@ -20,9 +20,9 @@ "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "C", + "key": "A", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } ] -} +} \ No newline at end of file diff --git a/docs/ssvc-calc/CISA-Coordinator.json b/docs/ssvc-calc/CISA-Coordinator.json index a9bbee2e..7bffef4b 100644 --- a/docs/ssvc-calc/CISA-Coordinator.json +++ b/docs/ssvc-calc/CISA-Coordinator.json 
@@ -209,8 +209,8 @@ "color": "#28a745" }, { - "label": "Monitor", - "key": "M", + "label": "Track*", + "key": "R", "description": "Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.", "color": "#ffc107" }, @@ -266,7 +266,7 @@ "Mission & Well-being": "medium" }, { - "Decision": "Monitor", + "Decision": "Track*", "Exploitation": "none", "Automatable": "no", "Technical Impact": "total", @@ -329,7 +329,7 @@ "Mission & Well-being": "medium" }, { - "Decision": "Monitor", + "Decision": "Track*", "Exploitation": "poc", "Automatable": "no", "Technical Impact": "partial", @@ -343,7 +343,7 @@ "Mission & Well-being": "low" }, { - "Decision": "Monitor", + "Decision": "Track*", "Exploitation": "poc", "Automatable": "no", "Technical Impact": "total", @@ -385,7 +385,7 @@ "Mission & Well-being": "low" }, { - "Decision": "Monitor", + "Decision": "Track*", "Exploitation": "poc", "Automatable": "yes", "Technical Impact": "total", diff --git a/docs/ssvc-calc/findex.html b/docs/ssvc-calc/findex.html index 1562e0b1..63456ee2 100644 --- a/docs/ssvc-calc/findex.html +++ b/docs/ssvc-calc/findex.html @@ -294,7 +294,7 @@
Mission Prevelance choices
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
- Monitor   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. + Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
diff --git a/docs/ssvc-calc/old_index.html b/docs/ssvc-calc/old_index.html index 2e6b13b2..9d99945f 100644 --- a/docs/ssvc-calc/old_index.html +++ b/docs/ssvc-calc/old_index.html @@ -292,7 +292,7 @@
Mission Prevelance choices
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
- Monitor   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. + Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
diff --git a/docs/ssvc-calc/sample-ssvc.txt b/docs/ssvc-calc/sample-ssvc.txt index b6ac3788..e273d496 100644 --- a/docs/ssvc-calc/sample-ssvc.txt +++ b/docs/ssvc-calc/sample-ssvc.txt @@ -1,8 +1,8 @@ CVE Vulnerability CVSS (v3.x Base Score) SSVC (Decision) Exploit Virulence Technical Mission/Well-Being (Impact) CVE-2020-7961 Liferay Portal JSON web services (JSONWS) deserialization 9.8 Track PoC Yes Total Low (Minimal/Minimal) CVE-2020-5847 Unraid 6.8.0 PHP RCE 9.8 Track PoC Yes Total Low (Minimal/Minimal) -CVE-2019-0708 Microsoft Windows Remote Desktop RCE (BlueKeep) 9.8 Monitor PoC Yes Total Medium (Support/Material) -CVE-2019-13918 Rockwell Automation MicroLogix Controller open redirect 6.1 Monitor PoC No Partial High (Essential/Material) +CVE-2019-0708 Microsoft Windows Remote Desktop RCE (BlueKeep) 9.8 Track* PoC Yes Total Medium (Support/Material) +CVE-2019-13918 Rockwell Automation MicroLogix Controller open redirect 6.1 Track* PoC No Partial High (Essential/Material) CVE-2019-19781 Citrix directory traversal and Perl RCE 9.8 Critical Active Yes Total Medium (Support/Minimal) CVE-2014-0751 GE CIMPLICITY HMI/SCADA directory traversal RCE (Black Energy) 9.8 Critical Active No Total High (Essential/Material) CVE-2018-5734 BIND 9 SERVFAIL assertion failure in badcache.c 7.5 Track None Yes Partial Medium (Support/Minimal) diff --git a/docs/ssvc-calc/ssvc.js b/docs/ssvc-calc/ssvc.js index 35568ef8..f9d6cdc6 100644 --- a/docs/ssvc-calc/ssvc.js +++ b/docs/ssvc-calc/ssvc.js 
@@ -21,7 +21,7 @@ var diagonal,tree,svg,duration,root var treeData = [] /* Deefault color array of possible color options */ var acolors = ["#28a745","#ffc107","#EE8733","#dc3545","#ff0000","#aa0000","#ff0000"] -var lcolors = {"Track":"#28a745","Monitor":"#ffc107","Attend":"#EE8733","Act":"#dc3545"} +var lcolors = {"Track":"#28a745","Track*":"#ffc107","Attend":"#EE8733","Act":"#dc3545"} var ssvc_short_keys = {}; /* These variables are for decision tree schema JSON aka SSVC Provision Schema */ var export_schema = {decision_points: [],decisions_table: [], lang: "en", diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py index 2262c816..11eaf873 100644 --- a/src/ssvc/outcomes/base.py +++ b/src/ssvc/outcomes/base.py @@ -31,7 +31,7 @@ class OutcomeGroup(_Base, _Versioned, BaseModel): Models an outcome group. """ - outcomes: tuple[OutcomeValue, ...] + outcomes: list[OutcomeValue] def __iter__(self): """ diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py index e61c9d9a..5326b6d9 100644 --- a/src/ssvc/outcomes/groups.py +++ b/src/ssvc/outcomes/groups.py @@ -40,7 +40,9 @@ description="The publish outcome group.", version="1.0.0", outcomes=( - OutcomeValue(name="Do Not Publish", key="N", description="Do Not Publish"), + OutcomeValue( + name="Do Not Publish", key="N", description="Do Not Publish" + ), OutcomeValue(name="Publish", key="P", description="Publish"), ), ) @@ -107,7 +109,7 @@ The CVSS outcome group. """ -CISA_1 = OutcomeGroup( +CISA = OutcomeGroup( name="CISA Levels", description="The CISA outcome group. " "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", @@ -122,7 +124,7 @@ ), OutcomeValue( name="Track*", - key="R", + key="T*", description="The vulnerability contains specific characteristics that may require closer monitoring for changes. " "CISA recommends remediating Track* vulnerabilities within standard update timelines.", ), 
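Review bot: the revert in src/ssvc/outcomes/groups.py restores `key="T*"` on `Track*` here and, in the next hunk and in data/json/outcomes/CISA.json, puts `A` back on `Act`, which collides with the `A` already on `Attend`. The reverted commit fixed that duplicate key (and the missing trailing newline in CISA.json) as a side effect of the rename. Consider re-landing the unique `Act` key as its own change so that anything looking outcomes up by key can tell `Attend` and `Act` apart; note also that CISA-Coordinator.json goes back to `"key": "R"` for the same `Track*` label, so the two files disagree again.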
@@ -135,48 +137,7 @@ ), OutcomeValue( name="Act", - key="C", - description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. " - "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. " - "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. " - "CISA recommends remediating Act vulnerabilities as soon as possible.", - ), - ), -) -""" -The CISA outcome group. Based on CISA's customizations of the SSVC model. -See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc -""" - -CISA = OutcomeGroup( - name="CISA Levels", - description="The CISA outcome group. " - "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.", - version="1.1.0", - outcomes=( - OutcomeValue( - name="Track", - key="T", - description="The vulnerability does not require action at this time. " - "The organization would continue to track the vulnerability and reassess it if new information becomes available. " - "CISA recommends remediating Track vulnerabilities within standard update timelines.", - ), - OutcomeValue( - name="Monitor", - key="M", - description="The vulnerability contains specific characteristics that may require closer monitoring for changes. " - "CISA recommends remediating Monitor vulnerabilities within standard update timelines.", - ), - OutcomeValue( - name="Attend", key="A", - description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. " - "Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. 
" - "CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", - ), - OutcomeValue( - name="Act", - key="C", description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. " "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. " "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. " @@ -189,7 +150,6 @@ See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc """ - YES_NO = OutcomeGroup( name="Yes, No", description="The Yes/No outcome group.", @@ -210,7 +170,9 @@ outcomes=( # drop, reconsider later, easy win, do first OutcomeValue(name="Drop", key="D", description="Drop"), - OutcomeValue(name="Reconsider Later", key="R", description="Reconsider Later"), + OutcomeValue( + name="Reconsider Later", key="R", description="Reconsider Later" + ), OutcomeValue(name="Easy Win", key="E", description="Easy Win"), OutcomeValue(name="Do First", key="F", description="Do First"), ), @@ -225,7 +187,9 @@ version="1.0.0", outcomes=( OutcomeValue(name="Track 5", key="5", description="Track"), - OutcomeValue(name="Track Closely 4", key="4", description="Track Closely"), + OutcomeValue( + name="Track Closely 4", key="4", description="Track Closely" + ), OutcomeValue(name="Attend 3", key="3", description="Attend"), OutcomeValue(name="Attend 2", key="2", description="Attend"), OutcomeValue(name="Act 1", key="1", description="Act"), From e6f5b589c221320ce89852a01e3e722423467d78 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Mar 2025 11:32:27 -0400 Subject: [PATCH 04/12] Bump markdown-exec from 1.10.0 to 1.10.1 (#746) Bumps [markdown-exec](https://github.com/pawamoy/markdown-exec) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/pawamoy/markdown-exec/releases) - [Changelog](https://github.com/pawamoy/markdown-exec/blob/main/CHANGELOG.md) - [Commits](https://github.com/pawamoy/markdown-exec/compare/1.10.0...1.10.1) --- updated-dependencies: - dependency-name: markdown-exec dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 22c220b4..1eb831c6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,7 @@ mkdocs-material-extensions==1.3.1 mkdocstrings==0.28.2 mkdocstrings-python==1.16.2 mkdocs-print-site-plugin==2.6.0 -markdown-exec==1.10.0 +markdown-exec==1.10.1 thefuzz==0.22.1 pandas==2.2.3 scikit-learn==1.6.1 From b491f4b8783074e2d930ced0bceed6fa1ee28211 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:01:49 -0400 Subject: [PATCH 05/12] Bump the mkdocs group with 6 updates (#747) Bumps the mkdocs group with 6 updates: | Package | From | To | | --- | --- | --- | | [mkdocs-bibtex](https://github.com/shyamd/mkdocs-bibtex) | `4.2.2` | `4.2.3` | | [mkdocs-include-markdown-plugin](https://github.com/mondeja/mkdocs-include-markdown-plugin) | `7.1.4` | `7.1.5` | | [mkdocs-material](https://github.com/squidfunk/mkdocs-material) | `9.6.7` | `9.6.9` | | [mkdocstrings](https://github.com/mkdocstrings/mkdocstrings) | `0.28.2` | `0.29.0` | | [mkdocstrings-python](https://github.com/mkdocstrings/python) | `1.16.2` | `1.16.5` | | [mkdocs-print-site-plugin](https://github.com/timvink/mkdocs-print-site-plugin) | `2.6.0` | `2.7.1` | Updates `mkdocs-bibtex` from 4.2.2 to 4.2.3 - [Release notes](https://github.com/shyamd/mkdocs-bibtex/releases) - [Commits](https://github.com/shyamd/mkdocs-bibtex/compare/v4.2.2...v4.2.3) Updates `mkdocs-include-markdown-plugin` from 7.1.4 to 7.1.5 - [Release notes](https://github.com/mondeja/mkdocs-include-markdown-plugin/releases) - [Commits](https://github.com/mondeja/mkdocs-include-markdown-plugin/compare/v7.1.4...v7.1.5) Updates `mkdocs-material` from 9.6.7 to 9.6.9 - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.6.7...9.6.9) Updates `mkdocstrings` from 0.28.2 to 0.29.0 - [Release notes](https://github.com/mkdocstrings/mkdocstrings/releases) - [Changelog](https://github.com/mkdocstrings/mkdocstrings/blob/main/CHANGELOG.md) - [Commits](https://github.com/mkdocstrings/mkdocstrings/compare/0.28.2...0.29.0) Updates `mkdocstrings-python` from 1.16.2 to 1.16.5 - [Release notes](https://github.com/mkdocstrings/python/releases) - 
[Changelog](https://github.com/mkdocstrings/python/blob/main/CHANGELOG.md) - [Commits](https://github.com/mkdocstrings/python/compare/1.16.2...1.16.5) Updates `mkdocs-print-site-plugin` from 2.6.0 to 2.7.1 - [Release notes](https://github.com/timvink/mkdocs-print-site-plugin/releases) - [Commits](https://github.com/timvink/mkdocs-print-site-plugin/compare/v2.6.0...v2.7.1) --- updated-dependencies: - dependency-name: mkdocs-bibtex dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocs-include-markdown-plugin dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocstrings dependency-type: direct:production update-type: version-update:semver-minor dependency-group: mkdocs - dependency-name: mkdocstrings-python dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocs-print-site-plugin dependency-type: direct:production update-type: version-update:semver-minor dependency-group: mkdocs ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements.txt b/requirements.txt index 1eb831c6..b27150be 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,12 +1,12 @@ mkdocs==1.6.1 -mkdocs-bibtex==4.2.2 -mkdocs-include-markdown-plugin==7.1.4 +mkdocs-bibtex==4.2.3 +mkdocs-include-markdown-plugin==7.1.5 mkdocs-table-reader-plugin==3.1.0 -mkdocs-material==9.6.7 +mkdocs-material==9.6.9 mkdocs-material-extensions==1.3.1 -mkdocstrings==0.28.2 -mkdocstrings-python==1.16.2 -mkdocs-print-site-plugin==2.6.0 +mkdocstrings==0.29.0 +mkdocstrings-python==1.16.5 +mkdocs-print-site-plugin==2.7.1 markdown-exec==1.10.1 thefuzz==0.22.1 pandas==2.2.3 From 8b39c01aac7893a9b7de520db9a1be09f7567ec6 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 18 Mar 2025 16:02:19 -0400 Subject: [PATCH 06/12] add `mdlint_fix` target to Makefile (#744) --- Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Makefile b/Makefile index 40f8e7f0..1345e143 100644 --- a/Makefile +++ b/Makefile @@ -17,6 +17,10 @@ DOCS_IMAGE = $(PFX)_docs all: help +mdlint_fix: + @echo "Running markdownlint..." + markdownlint --config .markdownlint.yml --fix . + dockerbuild_test: @echo "Building the test Docker image..." $(DOCKER_BUILD) --target $(TEST_DOCKER_TARGET) --tag $(TEST_IMAGE) . @@ -46,6 +50,7 @@ help: @echo "" @echo "Targets:" @echo " all - Display this help message" + @echo " mdlint_fix - Run markdownlint with --fix" @echo " docs - Build and run the docs Docker image" @echo " docker_test - Build and run the test Docker image" @echo "" From 639bb6756c74777e0db2b1a53b8ed117a0029029 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 19 Mar 2025 15:42:55 -0400 Subject: [PATCH 07/12] pin changed-files action to specific sha1 (#750) --- .github/workflows/lint_md_changes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml index 7c076a7b..6daf9d6a 100644 --- a/.github/workflows/lint_md_changes.yml +++ b/.github/workflows/lint_md_changes.yml 
@@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: tj-actions/changed-files@v45 + - uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 id: changed-files with: files: '**/*.md' From 77baef33b4e3633aec8331532f13ae301e622bb6 Mon Sep 17 00:00:00 2001 
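Review bot: In the requirements.txt hunk, the six bumped packages are still pinned by version only (for example `mkdocs-material==9.6.9`), so the install trusts whatever the index serves under that version number. Adding hashes and installing with pip's `--require-hashes` would make the pins verifiable. `mkdocstrings` moves from 0.28.2 to 0.29.0, a minor bump on a 0.x release, so confirm the docs build before merging.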
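Review bot: In the Makefile hunk, the new `mdlint_fix` recipe runs `markdownlint --config .markdownlint.yml --fix .` over the whole working tree and rewrites files in place, while the lint workflow in this series only looks at changed `**/*.md` files. The help line should say that the target modifies files, and if the Makefile keeps a `.PHONY` list (not visible in this hunk) the new target belongs in it.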
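Review bot: In the lint_md_changes.yml hunk, `tj-actions/changed-files` is now pinned to a full commit SHA, but nothing on the line records which release that SHA corresponds to. Add a trailing comment with the release tag so a reviewer can check the pin and later updates stay auditable. `actions/checkout@v4` in the same job is still referenced by a mutable tag, so the same pinning applies there if the goal is immutable action references.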
From: "Allen D. Householder" Date: Thu, 20 Mar 2025 10:26:47 -0400 Subject: [PATCH 08/12] Add NameSpace Enum (#749) * add a namespace Enum along with a pydantic dataclass validator to enforce it Valid = str in enum OR str.startswith("x_") * add validator to _Namespaced mixin class * refactor base classes to use NameSpace enum values * add optional "x_" prefix as valid namespace pattern * update unit tests * add docstrings * bump python test version to 3.12 * update the regex pattern for namespaces, add validation to pydantic field * refactor namespace validation methods * add unit tests * simplify regex to avoid inefficiencies * add length requirements to namespace patterns and fields * refactor regex again * add docstrings * add docs, update docstrings * Update Decision_Point-1-0-1.schema.json Modify Namespace information and examples as wel.. * Update Decision_Point-1-0-1.schema.json Matching x_custom/extension as examples for schema docs. * we shouldn't mention nciss yet as it's still a draft PR * missed an nciss --------- Co-authored-by: Vijay Sarvepalli --- .github/workflows/python-app.yml | 4 +- .../v1/Decision_Point-1-0-1.schema.json | 6 +- docs/reference/code/index.md | 1 + docs/reference/code/namespaces.md | 3 + mkdocs.yml | 1 + src/ssvc/_mixins.py | 29 ++++- src/ssvc/decision_points/base.py | 2 + src/ssvc/decision_points/cvss/base.py | 3 +- src/ssvc/namespaces.py | 108 ++++++++++++++++++ src/test/test_doc_helpers.py | 10 +- src/test/test_dp_base.py | 6 +- src/test/test_mixins.py | 55 +++++++-- src/test/test_namespaces.py | 79 +++++++++++++ 13 files changed, 278 insertions(+), 29 deletions(-) create mode 100644 docs/reference/code/namespaces.md create mode 100644 src/ssvc/namespaces.py create mode 100644 src/test/test_namespaces.py diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index ecbe9b4c..eda4f001 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml 
@@ -21,10 +21,10 @@ jobs: - uses: actions/checkout@v4 with: fetch-tags: true - - name: Set up Python 3.10 + - name: Set up Python 3.12 uses: actions/setup-python@v5 with: - python-version: "3.10" + python-version: "3.12" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/data/schema/v1/Decision_Point-1-0-1.schema.json b/data/schema/v1/Decision_Point-1-0-1.schema.json index 019accee..0d1faf9c 100644 --- a/data/schema/v1/Decision_Point-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point-1-0-1.schema.json @@ -47,9 +47,9 @@ }, "namespace": { "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", - "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", - "examples": ["ssvc", "cvss", "ssvc-jp", "ssvc/acme", "ssvc/example.com"] + "description": "Namespace (a short, unique string): The value must be one of the official namespaces, currenlty \"ssvc\", \"cvss\" OR can start with 'x_' for private namespaces. See SSVC Documentation for details.", + "pattern": "^(?=.{3,25}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,22}$", + "examples": ["ssvc", "cvss", "x_custom","x_custom/extension"] }, "version": { "type": "string", diff --git a/docs/reference/code/index.md b/docs/reference/code/index.md index 8f2f47ad..0d36bea8 100644 --- a/docs/reference/code/index.md +++ b/docs/reference/code/index.md @@ -6,4 +6,5 @@ These include: - [CSV Analyzer](analyze_csv.md) - [Policy Generator](policy_generator.md) - [Outcomes](outcomes.md) +- [Namespaces](namespaces.md) - [Doctools](doctools.md) diff --git a/docs/reference/code/namespaces.md b/docs/reference/code/namespaces.md new file mode 100644 index 00000000..bc7ed7b4 --- /dev/null +++ b/docs/reference/code/namespaces.md @@ -0,0 +1,3 @@ +# SSVC Namespaces + +::: ssvc.namespaces diff --git a/mkdocs.yml b/mkdocs.yml index 2e47540c..b7f686c3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -112,6 +112,7 @@ nav: - CSV Analyzer: 'reference/code/analyze_csv.md' - Policy Generator: 'reference/code/policy_generator.md' - Outcomes: 'reference/code/outcomes.md' + - Namespaces: 'reference/code/namespaces.md' - Doctools: 'reference/code/doctools.md' - Calculator: 'ssvc-calc/index.md' - About: diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 414c99e1..2e7edfb2 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -17,9 +17,10 @@ from typing import Optional -from pydantic import BaseModel, ConfigDict, field_validator +from pydantic import BaseModel, ConfigDict, Field, field_validator from semver import Version +from ssvc.namespaces import NS_PATTERN, NameSpace from . import _schemaVersion @@ -33,7 +34,7 @@ class _Versioned(BaseModel): @field_validator("version") @classmethod - def validate_version(cls, value): + def validate_version(cls, value: str) -> str: """ Validate the version field. Args: @@ -54,7 +55,29 @@ class _Namespaced(BaseModel): Mixin class for namespaced SSVC objects. """ - namespace: str = "ssvc" + # the field definition enforces the pattern for namespaces + # additional validation is performed in the field_validator immediately after the pattern check + namespace: str = Field(pattern=NS_PATTERN, min_length=3, max_length=25) + + @field_validator("namespace", mode="before") + @classmethod + def validate_namespace(cls, value: str) -> str: + """ + Validate the namespace field. + The value will have already been checked against the pattern in the field definition. + The value must be one of the official namespaces or start with 'x_'. + + Args: + value: a string representing a namespace + + Returns: + the validated namespace value + + Raises: + ValueError: if the value is not a valid namespace + """ + + return NameSpace.validate(value) class _Keyed(BaseModel): diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index 869e3263..dd79f041 100644 --- a/src/ssvc/decision_points/base.py 
+++ b/src/ssvc/decision_points/base.py @@ -21,6 +21,7 @@ from pydantic import BaseModel from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned +from ssvc.namespaces import NameSpace logger = logging.getLogger(__name__) @@ -66,6 +67,7 @@ class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, BaseModel): Models a single decision point as a list of values. """ + namespace: str = NameSpace.SSVC values: list[SsvcDecisionPointValue] = [] def __iter__(self): diff --git a/src/ssvc/decision_points/cvss/base.py b/src/ssvc/decision_points/cvss/base.py index 9a935991..1fc721ac 100644 --- a/src/ssvc/decision_points/cvss/base.py +++ b/src/ssvc/decision_points/cvss/base.py @@ -18,6 +18,7 @@ from pydantic import BaseModel from ssvc.decision_points.base import SsvcDecisionPoint +from ssvc.namespaces import NameSpace class CvssDecisionPoint(SsvcDecisionPoint, BaseModel): @@ -25,4 +26,4 @@ class CvssDecisionPoint(SsvcDecisionPoint, BaseModel): Models a single CVSS decision point as a list of values. """ - namespace: str = "cvss" + namespace: NameSpace = NameSpace.CVSS diff --git a/src/ssvc/namespaces.py b/src/ssvc/namespaces.py new file mode 100644 index 00000000..74fc921b --- /dev/null +++ b/src/ssvc/namespaces.py 
@@ -0,0 +1,108 @@ +#!/usr/bin/env python +""" +SSVC objects use namespaces to distinguish between objects that arise from different +stakeholders or analytical category sources. This module defines the official namespaces +for SSVC and provides a method to validate namespace values. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +import re +from enum import StrEnum, auto + +X_PFX = "x_" +"""The prefix for extension namespaces. 
Extension namespaces must start with this prefix.""" + +# pattern to match +# `(?=.{3,25}$)`: 3-25 characters long +# `^(x_)`: `x_` prefix is optional +# `[a-z0-9]{3,4}`: must start with 3-4 alphanumeric characters +# `[/.-]?`: only one punctuation character is allowed between alphanumeric characters +# `[a-z0-9]+`: at least one alphanumeric character is required after the punctuation character +# `([/.-]?[a-z0-9]+){0,22}`: zero to 22 occurrences of the punctuation character followed by at least one alphanumeric character +# (note that the total limit will kick in at or before this point) +# `$`: end of the string +NS_PATTERN = re.compile(r"^(?=.{3,25}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,22}$") +"""The regular expression pattern for validating namespaces. + +Note: + Namespace values must + + - be 3-25 characters long + - contain only lowercase alphanumeric characters and limited punctuation characters (`/`,`.` and `-`) + - have only one punctuation character in a row + - start with 3-4 alphanumeric characters after the optional extension prefix + - end with an alphanumeric character + + See examples in the `NameSpace` enum. +""" + + +class NameSpace(StrEnum): + """ + Defines the official namespaces for SSVC. + + The namespace value must be one of the members of this enum or start with the prefix specified in X_PFX. + Namespaces must be 3-25 lowercase characters long and must start with 3-4 alphanumeric characters after the optional prefix. + Limited punctuation characters (/.-) are allowed between alphanumeric characters, but only one at a time. 
+ + Example: + Following are examples of valid and invalid namespace values: + + - `ssvc` is *valid* because it is present in the enum + - `custom` is *invalid* because it does not start with the experimental prefix and is not in the enum + - `x_custom` is *valid* because it starts with the experimental prefix and meets the pattern requirements + - `x_custom/extension` is *valid* because it starts with the experimental prefix and meets the pattern requirements + - `x_custom/extension/with/multiple/segments` is *invalid* because it exceeds the maximum length + - `x_custom//extension` is *invalid* because it has multiple punctuation characters in a row + - `x_custom.extension.` is *invalid* because it does not end with an alphanumeric character + - `x_custom.extension.9` is *valid* because it meets the pattern requirements + """ + + # auto() is used to automatically assign values to the members. + # when used in a StrEnum, auto() assigns the lowercase name of the member as the value + SSVC = auto() + CVSS = auto() + + @classmethod + def validate(cls, value: str) -> str: + """ + Validate the namespace value. Valid values are members of the enum or start with the experimental prefix and + meet the specified pattern requirements. + + Args: + value: the namespace value to validate + + Returns: + the validated namespace value + + Raises: + ValueError: if the value is not a valid namespace + + """ + if value in cls.__members__.values(): + return value + if value.startswith(X_PFX) and NS_PATTERN.match(value): + return value + raise ValueError( + f"Invalid namespace: {value}. Must be one of {[ns.value for ns in cls]} or start with '{X_PFX}'." + ) + + +def main(): + for ns in NameSpace: + print(ns) + + +if __name__ == "__main__": + main() diff --git a/src/test/test_doc_helpers.py b/src/test/test_doc_helpers.py index 76b217f4..fbbb7f45 100644 --- a/src/test/test_doc_helpers.py +++ b/src/test/test_doc_helpers.py 
@@ -20,18 +20,14 @@ class MyTestCase(unittest.TestCase): def setUp(self): self.dp = SsvcDecisionPoint( - namespace="test", + namespace="x_test", name="test name", description="test description", key="TK", version="1.0.0", values=( - SsvcDecisionPointValue( - name="A", key="A", description="A Definition" - ), - SsvcDecisionPointValue( - name="B", key="B", description="B Definition" - ), + SsvcDecisionPointValue(name="A", key="A", description="A Definition"), + SsvcDecisionPointValue(name="B", key="B", description="B Definition"), ), ) diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py index c6b580e6..a386b94c 100644 --- a/src/test/test_dp_base.py +++ b/src/test/test_dp_base.py @@ -34,7 +34,7 @@ def setUp(self) -> None: key="bar", description="baz", version="1.0.0", - namespace="name1", + namespace="x_test", values=tuple(self.values), ) @@ -64,7 +64,7 @@ def test_registry(self): key="asdfasdf", description="asdfasdf", version="1.33.1", - namespace="asdfasdf", + namespace="x_test", values=self.values, ) @@ -90,7 +90,7 @@ def test_ssvc_decision_point(self): self.assertEqual(obj.key, "bar") self.assertEqual(obj.description, "baz") self.assertEqual(obj.version, "1.0.0") - self.assertEqual(obj.namespace, "name1") + self.assertEqual(obj.namespace, "x_test") self.assertEqual(len(self.values), len(obj.values)) def test_ssvc_value_json_roundtrip(self): diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index f86ae5c1..4db76959 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py @@ -12,10 +12,12 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import unittest +from random import randint from pydantic import BaseModel, ValidationError from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned +from ssvc.namespaces import NameSpace class TestMixins(unittest.TestCase): 
@@ -68,12 +70,47 @@ def test_asdict_roundtrip(self): self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "baz") - def test_namespaced_create(self): - obj = _Namespaced() - self.assertEqual(obj.namespace, "ssvc") + def test_namespaced_create_errors(self): + # error if no namespace given + with self.assertRaises(ValidationError): + _Namespaced() + + # error if namespace is not in the enum + # and it doesn't start with x_ + self.assertNotIn("quux", NameSpace) + with self.assertRaises(ValidationError): + _Namespaced(namespace="quux") + + # error if namespace starts with x_ but is too short + with self.assertRaises(ValidationError): + _Namespaced(namespace="x_") + + # error if namespace starts with x_ but is too long + for i in range(100): + shortest = "x_aaa" + ns = shortest + "a" * i + with self.subTest(ns=ns): + # length limit set in the NS_PATTERN regex + if len(ns) <= 25: + # expect success on shorter than limit + _Namespaced(namespace=ns) + else: + # expect failure on longer than limit + with self.assertRaises(ValidationError): + _Namespaced(namespace=ns) - obj = _Namespaced(namespace="quux") - self.assertEqual(obj.namespace, "quux") + def test_namespaced_create(self): + # use the official namespace values + for ns in NameSpace: + obj = _Namespaced(namespace=ns) + self.assertEqual(obj.namespace, ns) + + # custom namespaces are allowed as long as they start with x_ + for _ in range(100): + # we're just fuzzing some random strings here + ns = f"x_{randint(1000,1000000)}" + obj = _Namespaced(namespace=ns) + self.assertEqual(obj.namespace, ns) def test_versioned_create(self): obj = _Versioned() @@ -94,8 +131,8 @@ def test_mixin_combos(self): {"class": _Keyed, "args": {"key": "fizz"}, "has_default": False}, { "class": _Namespaced, - "args": {"namespace": "buzz"}, - "has_default": True, + "args": {"namespace": "x_test"}, + "has_default": False, }, { "class": _Versioned, 
@@ -103,9 +140,7 @@ def test_mixin_combos(self): "has_default": True, }, ] - keys_with_defaults = [ - x["args"].keys() for x in mixins if x["has_default"] - ] + keys_with_defaults = [x["args"].keys() for x in mixins if x["has_default"]] # flatten the list keys_with_defaults = [ item for sublist in keys_with_defaults for item in sublist diff --git a/src/test/test_namespaces.py b/src/test/test_namespaces.py new file mode 100644 index 00000000..3866c8cc --- /dev/null +++ b/src/test/test_namespaces.py 
@@ -0,0 +1,79 @@ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +import unittest + +from ssvc.namespaces import NS_PATTERN, NameSpace + + +class MyTestCase(unittest.TestCase): + def setUp(self): + pass + + def tearDown(self): + pass + + def test_ns_pattern(self): + should_match = [ + "foo", + "foo.bar", + "foo.bar.baz", + "foo/bar/baz/quux", + "foo.bar/baz.quux", + ] + should_match.extend([f"x_{ns}" for ns in should_match]) + + for ns in should_match: + with self.subTest(ns=ns): + self.assertTrue(NS_PATTERN.match(ns), ns) + + should_not_match = [ + "", + "ab", + ".foo", + "foo..bar", + "foo/bar//baz", + "foo/bar/baz/", + "(&(&" "foo\\bar", + "foo|bar|baz", + ] + + should_not_match.extend([f"_{ns}" for ns in should_not_match]) + + for ns in should_not_match: + with self.subTest(ns=ns): + self.assertFalse(NS_PATTERN.match(ns)) + + def test_namspace_enum(self): + for ns in NameSpace: + self.assertEqual(ns.name.lower(), ns.value) + + # make sure we have an SSVC namespace with the correct value + self.assertIn("SSVC", NameSpace.__members__) + values = [ns.value for ns in NameSpace] + self.assertIn("ssvc", values) + + def test_namespace_validator(self): 
+ for ns in NameSpace: + self.assertTrue(NameSpace.validate(ns.value)) + + for ns in ["foo", "bar", "baz", "quux"]: + with self.assertRaises(ValueError): + NameSpace.validate(ns) + + for ns in ["x_foo", "x_bar", "x_baz", "x_quux"]: + self.assertEqual(ns, NameSpace.validate(ns)) + + +if __name__ == "__main__": + unittest.main() From 8887a136b7f7f6c5f6862a1f3dbbb7ecf1ba50a8 Mon Sep 17 00:00:00 2001 
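Review bot: In python-app.yml, the bump from Python 3.10 to 3.12 follows from `from enum import StrEnum, auto` in `src/ssvc/namespaces.py`, since `StrEnum` exists only from Python 3.11, but the diffstat shows no change to any package metadata. If the project declares a minimum Python version anywhere, raise it in this same change; otherwise a 3.10 install fails at import time instead of at install time.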
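Review bot: In Decision_Point-1-0-1.schema.json, the new `pattern` makes the `x_` prefix optional, so a value such as `custom` passes schema validation even though the `NameSpace` docstring lists `custom` as invalid and `NameSpace.validate` rejects it. The schema and the Python model now disagree on what a valid namespace is. An `anyOf` combining an `enum` of the official namespaces with a pattern that requires `x_` would bring them into line. The description also contains the typo `currenlty`.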
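Review bot: In `_Namespaced` in `src/ssvc/_mixins.py`, the validator is registered with `mode="before"`, which makes it run ahead of the field's own `pattern`, `min_length` and `max_length` checks, yet the comment above the field and the docstring both say the value has already been checked against the pattern. Either drop `mode="before"` or correct the comment and docstring. In before mode the validator also receives raw input, so a non-string value reaches `value.startswith(X_PFX)` in `NameSpace.validate` and raises `AttributeError` rather than a validation error.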
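Review bot: In `src/ssvc/decision_points/cvss/base.py`, the field is annotated `namespace: NameSpace = NameSpace.CVSS`, while `SsvcDecisionPoint` in `decision_points/base.py` uses `namespace: str = NameSpace.SSVC`. The `NameSpace` annotation restricts CVSS decision points to enum members, while the `str` annotation lets SSVC decision points take `x_` values; pick one and document the intent. Both subclasses also redeclare the field without the `Field(pattern=NS_PATTERN, min_length=3, max_length=25)` definition from `_Namespaced`, so the constraints there rest on the inherited validator. A length and pattern test against `SsvcDecisionPoint` itself, not only `_Namespaced`, would confirm they still hold.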
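Review bot: In `src/ssvc/namespaces.py`, the comment block and both docstrings describe the name as starting with 3-4 alphanumeric characters (`[a-z0-9]{3,4}`), but the compiled `NS_PATTERN` uses `[a-z0-9]{3}`; update the comments to match the expression. Separately, `validate` calls `NS_PATTERN.match(value)`, and `$` in Python also matches just before a trailing newline, so `"x_foo\n"` is accepted and returned unchanged. Using `fullmatch`, or `\Z` in place of `$`, closes that gap.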
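Review bot: In `test_ns_pattern` in `src/test/test_namespaces.py`, the `should_not_match` list is missing a comma between `"(&(&"` and `"foo\\bar"`, so Python concatenates them into a single string and neither case is tested on its own; add the comma. The list has no case for uppercase input or for a value with a trailing newline, both of which the pattern is meant to reject. The method name `test_namspace_enum` is misspelled.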
From: "Allen D. Householder" Date: Thu, 20 Mar 2025 16:16:51 -0400 Subject: [PATCH 09/12] Refactor SsvcDecisionPoint base class mixins (#743) * create a `_Valued` mixin * add `_Valued` mixin to base decision point class. Also reorder mixins to adjust default json output key order * update json examples to reflect new base class mixin ordering * add len() to _Valued mixin * add tests --- .../decision_points/automatable_2_0_0.json | 4 ++-- .../cvss/access_complexity_1_0_0.json | 4 ++-- .../cvss/access_complexity_2_0_0.json | 4 ++-- .../cvss/access_vector_1_0_0.json | 4 ++-- .../cvss/access_vector_2_0_0.json | 4 ++-- .../cvss/attack_complexity_3_0_0.json | 4 ++-- .../cvss/attack_complexity_3_0_1.json | 4 ++-- .../cvss/attack_requirements_1_0_0.json | 4 ++-- .../cvss/attack_vector_3_0_0.json | 4 ++-- .../cvss/attack_vector_3_0_1.json | 4 ++-- .../cvss/authentication_1_0_0.json | 4 ++-- .../cvss/authentication_2_0_0.json | 4 ++-- .../cvss/automatable_1_0_0.json | 4 ++-- .../cvss/availability_impact_1_0_0.json | 4 ++-- .../cvss/availability_impact_2_0_0.json | 4 ++-- ...impact_to_the_subsequent_system_1_0_0.json | 4 ++-- ...impact_to_the_vulnerable_system_3_0_0.json | 4 ++-- .../cvss/availability_requirement_1_0_0.json | 4 ++-- .../cvss/availability_requirement_1_1_0.json | 4 ++-- .../cvss/availability_requirement_1_1_1.json | 4 ++-- .../collateral_damage_potential_1_0_0.json | 4 ++-- .../collateral_damage_potential_2_0_0.json | 4 ++-- .../cvss/confidentiality_impact_1_0_0.json | 4 ++-- .../cvss/confidentiality_impact_2_0_0.json | 4 ++-- ...impact_to_the_subsequent_system_1_0_0.json | 4 ++-- ...impact_to_the_vulnerable_system_3_0_0.json | 4 ++-- .../confidentiality_requirement_1_0_0.json | 4 ++-- .../confidentiality_requirement_1_1_0.json | 4 ++-- .../confidentiality_requirement_1_1_1.json | 4 ++-- .../cvss/equivalence_set_1_1_0_0.json | 4 ++-- .../cvss/equivalence_set_2_1_0_0.json | 4 ++-- .../cvss/equivalence_set_3_1_0_0.json | 4 ++-- 
.../cvss/equivalence_set_4_1_0_0.json | 4 ++-- .../cvss/equivalence_set_5_1_0_0.json | 4 ++-- .../cvss/equivalence_set_6_1_0_0.json | 4 ++-- .../cvss/exploit_code_maturity_1_2_0.json | 4 ++-- .../cvss/exploit_maturity_2_0_0.json | 4 ++-- .../cvss/exploitability_1_0_0.json | 4 ++-- .../cvss/exploitability_1_1_0.json | 4 ++-- .../cvss/impact_bias_1_0_0.json | 4 ++-- .../cvss/integrity_impact_1_0_0.json | 4 ++-- .../cvss/integrity_impact_2_0_0.json | 4 ++-- ...impact_to_the_subsequent_system_1_0_0.json | 4 ++-- ...impact_to_the_vulnerable_system_3_0_0.json | 4 ++-- .../cvss/integrity_requirement_1_0_0.json | 4 ++-- .../cvss/integrity_requirement_1_1_0.json | 4 ++-- .../cvss/integrity_requirement_1_1_1.json | 4 ++-- .../modified_attack_complexity_3_0_0.json | 4 ++-- .../modified_attack_complexity_3_0_1.json | 4 ++-- .../modified_attack_requirements_1_0_0.json | 4 ++-- .../cvss/modified_attack_vector_3_0_0.json | 4 ++-- .../cvss/modified_attack_vector_3_0_1.json | 4 ++-- .../modified_availability_impact_2_0_0.json | 4 ++-- ...impact_to_the_subsequent_system_1_0_0.json | 4 ++-- ...impact_to_the_vulnerable_system_3_0_0.json | 4 ++-- ...modified_confidentiality_impact_2_0_0.json | 4 ++-- ...impact_to_the_subsequent_system_1_0_0.json | 4 ++-- ...impact_to_the_vulnerable_system_3_0_0.json | 4 ++-- .../cvss/modified_integrity_impact_2_0_0.json | 4 ++-- ...impact_to_the_subsequent_system_1_0_0.json | 4 ++-- ...impact_to_the_vulnerable_system_3_0_0.json | 4 ++-- .../modified_privileges_required_1_0_0.json | 4 ++-- .../modified_privileges_required_1_0_1.json | 4 ++-- .../cvss/modified_scope_1_0_0.json | 4 ++-- .../cvss/modified_user_interaction_1_0_0.json | 4 ++-- .../cvss/modified_user_interaction_2_0_0.json | 4 ++-- .../cvss/privileges_required_1_0_0.json | 4 ++-- .../cvss/privileges_required_1_0_1.json | 4 ++-- .../cvss/provider_urgency_1_0_0.json | 4 ++-- .../decision_points/cvss/recovery_1_0_0.json | 4 ++-- .../cvss/remediation_level_1_0_0.json | 4 ++-- 
.../cvss/remediation_level_1_1_0.json | 4 ++-- .../cvss/report_confidence_1_0_0.json | 4 ++-- .../cvss/report_confidence_1_1_0.json | 4 ++-- .../cvss/report_confidence_2_0_0.json | 4 ++-- .../decision_points/cvss/safety_1_0_0.json | 4 ++-- .../decision_points/cvss/scope_1_0_0.json | 4 ++-- .../cvss/target_distribution_1_0_0.json | 4 ++-- .../cvss/target_distribution_1_1_0.json | 4 ++-- .../cvss/user_interaction_1_0_0.json | 4 ++-- .../cvss/user_interaction_2_0_0.json | 4 ++-- .../cvss/value_density_1_0_0.json | 4 ++-- .../vulnerability_response_effort_1_0_0.json | 4 ++-- .../decision_points/exploitation_1_0_0.json | 4 ++-- .../decision_points/exploitation_1_1_0.json | 4 ++-- .../decision_points/human_impact_2_0_0.json | 4 ++-- .../decision_points/human_impact_2_0_1.json | 4 ++-- .../mission_and_well-being_impact_1_0_0.json | 4 ++-- .../decision_points/mission_impact_1_0_0.json | 4 ++-- .../decision_points/mission_impact_2_0_0.json | 4 ++-- .../public_safety_impact_2_0_0.json | 4 ++-- .../public_safety_impact_2_0_1.json | 4 ++-- .../public_value_added_1_0_0.json | 4 ++-- .../public_well-being_impact_1_0_0.json | 4 ++-- .../report_credibility_1_0_0.json | 4 ++-- .../decision_points/report_public_1_0_0.json | 4 ++-- .../decision_points/safety_impact_1_0_0.json | 4 ++-- .../decision_points/safety_impact_2_0_0.json | 4 ++-- .../supplier_cardinality_1_0_0.json | 4 ++-- .../supplier_contacted_1_0_0.json | 4 ++-- .../supplier_engagement_1_0_0.json | 4 ++-- .../supplier_involvement_1_0_0.json | 4 ++-- .../system_exposure_1_0_0.json | 4 ++-- .../system_exposure_1_0_1.json | 4 ++-- .../technical_impact_1_0_0.json | 4 ++-- data/json/decision_points/utility_1_0_0.json | 4 ++-- data/json/decision_points/utility_1_0_1.json | 4 ++-- .../decision_points/value_density_1_0_0.json | 4 ++-- .../json/decision_points/virulence_1_0_0.json | 4 ++-- src/ssvc/_mixins.py | 20 +++++++++++++++++++ src/ssvc/decision_points/base.py | 6 +++--- src/test/test_doctools.py | 11 +++++++--- 
src/test/test_dp_base.py | 8 ++++++++ src/test/test_mixins.py | 18 ++++++++++++++++- 114 files changed, 274 insertions(+), 225 deletions(-) diff --git a/data/json/decision_points/automatable_2_0_0.json b/data/json/decision_points/automatable_2_0_0.json index a44086f9..5a0528d8 100644 --- a/data/json/decision_points/automatable_2_0_0.json +++ b/data/json/decision_points/automatable_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Automatable", + "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?", "namespace": "ssvc", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", - "name": "Automatable", - "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/access_complexity_1_0_0.json b/data/json/decision_points/cvss/access_complexity_1_0_0.json index 30e88f11..b07e7595 100644 --- a/data/json/decision_points/cvss/access_complexity_1_0_0.json +++ b/data/json/decision_points/cvss/access_complexity_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Access Complexity", + "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AC", - "name": "Access Complexity", - "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/access_complexity_2_0_0.json b/data/json/decision_points/cvss/access_complexity_2_0_0.json index 09c795fc..15fec7b8 100644 --- a/data/json/decision_points/cvss/access_complexity_2_0_0.json +++ b/data/json/decision_points/cvss/access_complexity_2_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Access Complexity", + "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "AC", - "name": "Access Complexity", - "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/access_vector_1_0_0.json b/data/json/decision_points/cvss/access_vector_1_0_0.json index beee709d..55d6d8c6 100644 --- a/data/json/decision_points/cvss/access_vector_1_0_0.json +++ b/data/json/decision_points/cvss/access_vector_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Access Vector", + "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AV", - "name": "Access Vector", - "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/access_vector_2_0_0.json b/data/json/decision_points/cvss/access_vector_2_0_0.json index 9f68fb5a..14918e5c 100644 --- a/data/json/decision_points/cvss/access_vector_2_0_0.json +++ b/data/json/decision_points/cvss/access_vector_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Access Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "AV", - "name": "Access Vector", - "description": "This metric reflects the context by which vulnerability exploitation is possible.", "values": [ { "key": "L", 
diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_0.json b/data/json/decision_points/cvss/attack_complexity_3_0_0.json index b9dd8584..e2ef4655 100644 --- a/data/json/decision_points/cvss/attack_complexity_3_0_0.json +++ b/data/json/decision_points/cvss/attack_complexity_3_0_0.json @@ -1,10 +1,10 @@ { + "name": "Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", - "name": "Attack Complexity", - "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json index 7f49cf1d..a3469f1b 100644 --- a/data/json/decision_points/cvss/attack_complexity_3_0_1.json +++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json @@ -1,10 +1,10 @@ { + "name": "Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", - "name": "Attack Complexity", - "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/attack_requirements_1_0_0.json b/data/json/decision_points/cvss/attack_requirements_1_0_0.json index 4232fa7b..eaff05de 100644 --- a/data/json/decision_points/cvss/attack_requirements_1_0_0.json +++ b/data/json/decision_points/cvss/attack_requirements_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", - "name": "Attack Requirements", - "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/attack_vector_3_0_0.json b/data/json/decision_points/cvss/attack_vector_3_0_0.json index 612e5c72..3db17af6 100644 --- a/data/json/decision_points/cvss/attack_vector_3_0_0.json +++ b/data/json/decision_points/cvss/attack_vector_3_0_0.json @@ -1,10 +1,10 @@ { + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", - "name": "Attack Vector", - "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [ { "key": "P", diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json index fbf31693..fe2baea6 100644 --- a/data/json/decision_points/cvss/attack_vector_3_0_1.json +++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json 
@@ -1,10 +1,10 @@ { + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", - "name": "Attack Vector", - "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [ { "key": "P", diff --git a/data/json/decision_points/cvss/authentication_1_0_0.json b/data/json/decision_points/cvss/authentication_1_0_0.json index 0e2f41e7..a2bedd42 100644 --- a/data/json/decision_points/cvss/authentication_1_0_0.json +++ b/data/json/decision_points/cvss/authentication_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Authentication", + "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", - "name": "Authentication", - "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/authentication_2_0_0.json b/data/json/decision_points/cvss/authentication_2_0_0.json index 98a1037b..f618747f 100644 --- a/data/json/decision_points/cvss/authentication_2_0_0.json +++ b/data/json/decision_points/cvss/authentication_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Authentication", + "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", - "name": "Authentication", - "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [ { "key": "M", 
diff --git a/data/json/decision_points/cvss/automatable_1_0_0.json b/data/json/decision_points/cvss/automatable_1_0_0.json index 1963318c..03956092 100644 --- a/data/json/decision_points/cvss/automatable_1_0_0.json +++ b/data/json/decision_points/cvss/automatable_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Automatable", + "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AU", - "name": "Automatable", - "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/availability_impact_1_0_0.json b/data/json/decision_points/cvss/availability_impact_1_0_0.json index 4c2b59e3..ad667d01 100644 --- a/data/json/decision_points/cvss/availability_impact_1_0_0.json +++ b/data/json/decision_points/cvss/availability_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", - "name": "Availability Impact", - "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/availability_impact_2_0_0.json b/data/json/decision_points/cvss/availability_impact_2_0_0.json index f3b37b02..7fd162ed 100644 --- a/data/json/decision_points/cvss/availability_impact_2_0_0.json +++ b/data/json/decision_points/cvss/availability_impact_2_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", - "name": "Availability Impact", - "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json index be7cedbe..79369891 100644 --- a/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json +++ b/data/json/decision_points/cvss/availability_impact_to_the_subsequent_system_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Availability Impact to the Subsequent System", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SA", - "name": "Availability Impact to the Subsequent System", - "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json index ebef410c..4e999e21 100644 --- a/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json +++ b/data/json/decision_points/cvss/availability_impact_to_the_vulnerable_system_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Availability Impact to the Vulnerable System", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "VA", - "name": "Availability Impact to the Vulnerable System", - "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/availability_requirement_1_0_0.json b/data/json/decision_points/cvss/availability_requirement_1_0_0.json index cbffe72a..01bd1da6 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_0_0.json +++ b/data/json/decision_points/cvss/availability_requirement_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AR", - "name": "Availability Requirement", - "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_0.json b/data/json/decision_points/cvss/availability_requirement_1_1_0.json index 66dec4d4..28045aa0 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_1_0.json +++ b/data/json/decision_points/cvss/availability_requirement_1_1_0.json 
@@ -1,10 +1,10 @@ { + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "AR", - "name": "Availability Requirement", - "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json index 9e4a94fe..cb041336 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json @@ -1,10 +1,10 @@ { + "name": "Availability Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", "namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "AR", - "name": "Availability Requirement", - "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json index b650ad2f..19666f0f 100644 --- a/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json +++ b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CDP", - "name": "Collateral Damage Potential", - "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json index c08f0fe8..00206e66 100644 --- a/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json +++ b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for loss of life or physical assets.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "CDP", - "name": "Collateral Damage Potential", - "description": "This metric measures the potential for loss of life or physical assets.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json index f8e633e6..8f9ad138 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json +++ b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Confidentiality Impact", + "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "C", - "name": "Confidentiality Impact", - "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "values": [ { "key": "N", 
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json index 5d8f0826..6f8c6c64 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json +++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "C", - "name": "Confidentiality Impact", - "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json index 741722cd..1b2041aa 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json +++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", - "name": "Confidentiality Impact to the Subsequent System", - "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json index ceea5568..6fc61ef9 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json +++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_vulnerable_system_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Confidentiality Impact to the Vulnerable System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "VC", - "name": "Confidentiality Impact to the Vulnerable System", - "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json index 988ee409..04b9e92d 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CR", - "name": "Confidentiality Requirement", - "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json index 2c508587..87453bab 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json 
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "CR", - "name": "Confidentiality Requirement", - "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json index 2e1ef437..1c71ed0d 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json @@ -1,10 +1,10 @@ { + "name": "Confidentiality Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", "namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "CR", - "name": "Confidentiality Requirement", - "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json index 9046163e..e4563635 100644 --- a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json +++ b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Equivalence Set 1", + "description": "AV/PR/UI with 3 levels specified in Table 24", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ1", - "name": "Equivalence Set 1", - "description": "AV/PR/UI with 3 levels specified in Table 24", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json index f9fa06e5..db8745ce 100644 --- a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json +++ b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Equivalence Set 2", + "description": "AC/AT with 2 levels specified in Table 25", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ2", - "name": "Equivalence Set 2", - "description": "AC/AT with 2 levels specified in Table 25", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json index a617a8f4..4b1aaf2b 100644 --- a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json +++ b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Equivalence Set 3", + "description": "VC/VI/VA with 3 levels specified in Table 26", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ3", - "name": "Equivalence Set 3", - "description": "VC/VI/VA with 3 levels specified in Table 26", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json index 761d6ec8..d732ec5b 100644 --- a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json +++ b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Equivalence Set 4", + "description": "SC/SI/SA with 3 levels specified in Table 27", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ4", - "name": "Equivalence Set 4", - "description": "SC/SI/SA with 3 levels specified in Table 27", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json index 1f1b7eec..f79d20a7 100644 --- a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json +++ b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Equivalence Set 5", + "description": "E with 3 levels specified in Table 28", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ5", - "name": "Equivalence Set 5", - "description": "E with 3 levels specified in Table 28", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json index 599ec3b1..631acd7b 100644 --- a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json +++ b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Equivalence Set 6", + "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ6", - "name": "Equivalence Set 6", - "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json index a900808a..a4e59e23 100644 --- a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json +++ b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json 
@@ -1,10 +1,10 @@ { + "name": "Exploit Code Maturity", + "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation", "namespace": "cvss", "version": "1.2.0", "schemaVersion": "1-0-1", "key": "E", - "name": "Exploit Code Maturity", - "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation", "values": [ { "key": "U", diff --git a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json index 879891f6..28eeebd3 100644 --- a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json +++ b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Exploit Maturity", + "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "E", - "name": "Exploit Maturity", - "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", "values": [ { "key": "U", diff --git a/data/json/decision_points/cvss/exploitability_1_0_0.json b/data/json/decision_points/cvss/exploitability_1_0_0.json index be804085..707f297d 100644 --- a/data/json/decision_points/cvss/exploitability_1_0_0.json +++ b/data/json/decision_points/cvss/exploitability_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Exploitability", + "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "E", - "name": "Exploitability", - "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [ { "key": "U", diff --git a/data/json/decision_points/cvss/exploitability_1_1_0.json b/data/json/decision_points/cvss/exploitability_1_1_0.json index f2d07e9d..add3fd28 100644 --- a/data/json/decision_points/cvss/exploitability_1_1_0.json +++ b/data/json/decision_points/cvss/exploitability_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Exploitability", + "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "E", - "name": "Exploitability", - "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [ { "key": "U", diff --git a/data/json/decision_points/cvss/impact_bias_1_0_0.json b/data/json/decision_points/cvss/impact_bias_1_0_0.json index 97039be4..fc7316eb 100644 --- a/data/json/decision_points/cvss/impact_bias_1_0_0.json +++ b/data/json/decision_points/cvss/impact_bias_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Impact Bias", + "description": "This metric measures the impact bias of the vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IB", - "name": "Impact Bias", - "description": "This metric measures the impact bias of the vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/integrity_impact_1_0_0.json b/data/json/decision_points/cvss/integrity_impact_1_0_0.json index cf1dcc9b..5880fcf4 100644 
--- a/data/json/decision_points/cvss/integrity_impact_1_0_0.json +++ b/data/json/decision_points/cvss/integrity_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Integrity Impact", + "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "I", - "name": "Integrity Impact", - "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_0.json b/data/json/decision_points/cvss/integrity_impact_2_0_0.json index 48102023..ecb0fd66 100644 --- a/data/json/decision_points/cvss/integrity_impact_2_0_0.json +++ b/data/json/decision_points/cvss/integrity_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "I", - "name": "Integrity Impact", - "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json index ab4089b3..80c99790 100644 --- a/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json +++ b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", - "name": "Integrity Impact to the Subsequent System", - "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json index ad055d84..745ee9e1 100644 --- a/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json +++ b/data/json/decision_points/cvss/integrity_impact_to_the_vulnerable_system_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Integrity Impact to the Vulnerable System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "VI", - "name": "Integrity Impact to the Vulnerable System", - "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/integrity_requirement_1_0_0.json b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json index 73d07de1..f49d6438 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_0_0.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Integrity Requirement", + "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IR", - "name": "Integrity Requirement", - "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_0.json b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json index 5515b3b4..7378845f 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_1_0.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Integrity Requirement", + "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "IR", - "name": "Integrity Requirement", - "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [ { "key": "L", 
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json index 4a99083a..05fd2858 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json @@ -1,10 +1,10 @@ { + "name": "Integrity Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", "namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "IR", - "name": "Integrity Requirement", - "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json index 09fa2cab..6e8df236 100644 --- a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "MAC", - "name": "Modified Attack Complexity", - "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json index 9ddd5581..a8bee010 100644 
--- a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json @@ -1,10 +1,10 @@ { + "name": "Modified Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "MAC", - "name": "Modified Attack Complexity", - "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [ { "key": "L", diff --git a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json index be523348..4f446155 100644 --- a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json +++ b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MAT", - "name": "Modified Attack Requirements", - "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json index afb49892..cd8261e7 100644 --- a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "MAV", - "name": "Modified Attack Vector", - "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [ { "key": "P", diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json index 32f378f7..35995809 100644 --- a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "MAV", - "name": "Modified Attack Vector", - "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [ { "key": "P", diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json index 861be583..efea9be1 100644 --- a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json +++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "MA", - "name": "Modified Availability Impact", - "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json index e1e91459..786f0390 100644 --- a/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json +++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_subsequent_system_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Availability Impact to the Subsequent System", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MSA", - "name": "Modified Availability Impact to the Subsequent System", - "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json index 7003a551..689120d5 100644 --- a/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json +++ b/data/json/decision_points/cvss/modified_availability_impact_to_the_vulnerable_system_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Availability Impact to the Vulnerable System", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "MVA", - "name": "Modified Availability Impact to the Vulnerable System", - "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json index 5920006a..ef523bac 100644 --- a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "MC", - "name": "Modified Confidentiality Impact", - "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json index 1abda292..ea677a2a 100644 --- a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MSC", - "name": "Modified Confidentiality Impact to the Subsequent System", - "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json index aba1fa8b..b3f09692 100644 --- a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_vulnerable_system_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Confidentiality Impact to the Vulnerable System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "MVC", - "name": "Modified Confidentiality Impact to the Vulnerable System", - "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json index 359fb804..0e010de0 100644 --- a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json +++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "MI", - "name": "Modified Integrity Impact", - "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json index ec3d57b3..719e36b4 100644 
--- a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json +++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MSI", - "name": "Modified Integrity Impact to the Subsequent System", - "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json index 5a3c69e0..76f318a2 100644 --- a/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json +++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_vulnerable_system_3_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Integrity Impact to the Vulnerable System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "MVI", - "name": "Modified Integrity Impact to the Vulnerable System", - "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json index b31ad194..4aa2e7fe 100644 --- a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MPR", - "name": "Modified Privileges Required", - "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "values": [ { "key": "H", diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json index 92297091..9edb12a4 100644 --- a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json 
@@ -1,10 +1,10 @@ { + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "MPR", - "name": "Modified Privileges Required", - "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "values": [ { "key": "H", diff --git a/data/json/decision_points/cvss/modified_scope_1_0_0.json b/data/json/decision_points/cvss/modified_scope_1_0_0.json index 21d82cba..7eb01d1c 100644 --- a/data/json/decision_points/cvss/modified_scope_1_0_0.json +++ b/data/json/decision_points/cvss/modified_scope_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified Scope", + "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MS", - "name": "Modified Scope", - "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "values": [ { "key": "U", 
diff --git a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json index cea0d0c0..dab50cf5 100644 --- a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json +++ b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Modified User Interaction", + "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MUI", - "name": "Modified User Interaction", - "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "values": [ { "key": "R", diff --git a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json index a4242ca6..2fbfe36b 100644 --- a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json +++ b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Modified User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "MUI", - "name": "Modified User Interaction", - "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "values": [ { "key": "A", diff --git a/data/json/decision_points/cvss/privileges_required_1_0_0.json b/data/json/decision_points/cvss/privileges_required_1_0_0.json index e7a14402..0f918c46 100644 --- a/data/json/decision_points/cvss/privileges_required_1_0_0.json +++ b/data/json/decision_points/cvss/privileges_required_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PR", - "name": "Privileges Required", - "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "values": [ { "key": "H", 
diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json index 79c6c94a..698e4dc3 100644 --- a/data/json/decision_points/cvss/privileges_required_1_0_1.json +++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json @@ -1,10 +1,10 @@ { + "name": "Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "PR", - "name": "Privileges Required", - "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "values": [ { "key": "H", diff --git a/data/json/decision_points/cvss/provider_urgency_1_0_0.json b/data/json/decision_points/cvss/provider_urgency_1_0_0.json index 0e277cca..6a319c77 100644 --- a/data/json/decision_points/cvss/provider_urgency_1_0_0.json +++ b/data/json/decision_points/cvss/provider_urgency_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Provider Urgency", + "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "U", - "name": "Provider Urgency", - "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.", "values": [ { "key": "X", diff --git a/data/json/decision_points/cvss/recovery_1_0_0.json b/data/json/decision_points/cvss/recovery_1_0_0.json index 8a4beda9..b8597662 100644 --- a/data/json/decision_points/cvss/recovery_1_0_0.json +++ b/data/json/decision_points/cvss/recovery_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Recovery", + "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "R", - "name": "Recovery", - "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.", "values": [ { "key": "X", diff --git a/data/json/decision_points/cvss/remediation_level_1_0_0.json b/data/json/decision_points/cvss/remediation_level_1_0_0.json index 11f9384f..cc5a3866 100644 
--- a/data/json/decision_points/cvss/remediation_level_1_0_0.json +++ b/data/json/decision_points/cvss/remediation_level_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Remediation Level", + "description": "This metric measures the remediation status of a vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RL", - "name": "Remediation Level", - "description": "This metric measures the remediation status of a vulnerability.", "values": [ { "key": "OF", diff --git a/data/json/decision_points/cvss/remediation_level_1_1_0.json b/data/json/decision_points/cvss/remediation_level_1_1_0.json index ccaa439c..eda1100a 100644 --- a/data/json/decision_points/cvss/remediation_level_1_1_0.json +++ b/data/json/decision_points/cvss/remediation_level_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Remediation Level", + "description": "This metric measures the remediation status of a vulnerability.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RL", - "name": "Remediation Level", - "description": "This metric measures the remediation status of a vulnerability.", "values": [ { "key": "OF", diff --git a/data/json/decision_points/cvss/report_confidence_1_0_0.json b/data/json/decision_points/cvss/report_confidence_1_0_0.json index 85940cf0..0dc24b8b 100644 --- a/data/json/decision_points/cvss/report_confidence_1_0_0.json +++ b/data/json/decision_points/cvss/report_confidence_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RC", - "name": "Report Confidence", - "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [ { "key": "UC", 
diff --git a/data/json/decision_points/cvss/report_confidence_1_1_0.json b/data/json/decision_points/cvss/report_confidence_1_1_0.json index 691f1e87..c3c2b7aa 100644 --- a/data/json/decision_points/cvss/report_confidence_1_1_0.json +++ b/data/json/decision_points/cvss/report_confidence_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RC", - "name": "Report Confidence", - "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [ { "key": "UC", diff --git a/data/json/decision_points/cvss/report_confidence_2_0_0.json b/data/json/decision_points/cvss/report_confidence_2_0_0.json index 502e1291..cf6cf0ca 100644 --- a/data/json/decision_points/cvss/report_confidence_2_0_0.json +++ b/data/json/decision_points/cvss/report_confidence_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Report Confidence", + "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "RC", - "name": "Report Confidence", - "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [ { "key": "U", diff --git a/data/json/decision_points/cvss/safety_1_0_0.json b/data/json/decision_points/cvss/safety_1_0_0.json index a72a7cd6..987de4d0 100644 --- a/data/json/decision_points/cvss/safety_1_0_0.json +++ b/data/json/decision_points/cvss/safety_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Safety", + "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "S", - "name": "Safety", - "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.", "values": [ { "key": "X", diff --git a/data/json/decision_points/cvss/scope_1_0_0.json b/data/json/decision_points/cvss/scope_1_0_0.json index 2ed72c80..0025ac97 100644 --- a/data/json/decision_points/cvss/scope_1_0_0.json +++ b/data/json/decision_points/cvss/scope_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Scope", + "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "S", - "name": "Scope", - "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "values": [ { "key": "U", diff --git a/data/json/decision_points/cvss/target_distribution_1_0_0.json b/data/json/decision_points/cvss/target_distribution_1_0_0.json index 1d86b7ca..97b94297 100644 --- a/data/json/decision_points/cvss/target_distribution_1_0_0.json +++ b/data/json/decision_points/cvss/target_distribution_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Target Distribution", + "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "TD", - "name": "Target Distribution", - "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/cvss/target_distribution_1_1_0.json b/data/json/decision_points/cvss/target_distribution_1_1_0.json index bc126152..5e0d93f0 100644 --- a/data/json/decision_points/cvss/target_distribution_1_1_0.json +++ b/data/json/decision_points/cvss/target_distribution_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Target Distribution", + "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "TD", - "name": "Target Distribution", - "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [ { "key": "N", 
diff --git a/data/json/decision_points/cvss/user_interaction_1_0_0.json b/data/json/decision_points/cvss/user_interaction_1_0_0.json index 84f623ba..eb4e9bfb 100644 --- a/data/json/decision_points/cvss/user_interaction_1_0_0.json +++ b/data/json/decision_points/cvss/user_interaction_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "User Interaction", + "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "UI", - "name": "User Interaction", - "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "values": [ { "key": "R", diff --git a/data/json/decision_points/cvss/user_interaction_2_0_0.json b/data/json/decision_points/cvss/user_interaction_2_0_0.json index 7794cc14..160107aa 100644 --- a/data/json/decision_points/cvss/user_interaction_2_0_0.json +++ b/data/json/decision_points/cvss/user_interaction_2_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "UI", - "name": "User Interaction", - "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "values": [ { "key": "A", diff --git a/data/json/decision_points/cvss/value_density_1_0_0.json b/data/json/decision_points/cvss/value_density_1_0_0.json index a4f06724..1ca1a355 100644 --- a/data/json/decision_points/cvss/value_density_1_0_0.json +++ b/data/json/decision_points/cvss/value_density_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Value Density", + "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "V", - "name": "Value Density", - "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.", "values": [ { "key": "X", 
diff --git a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json index 71e2f3cc..bb334844 100644 --- a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json +++ b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Vulnerability Response Effort", + "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.", "namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RE", - "name": "Vulnerability Response Effort", - "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.", "values": [ { "key": "X", diff --git a/data/json/decision_points/exploitation_1_0_0.json b/data/json/decision_points/exploitation_1_0_0.json index 42242c30..d1cf71b2 100644 --- a/data/json/decision_points/exploitation_1_0_0.json +++ b/data/json/decision_points/exploitation_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Exploitation", + "description": "The present state of exploitation of the vulnerability.", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "E", - "name": "Exploitation", - "description": "The present state of exploitation of the vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/exploitation_1_1_0.json b/data/json/decision_points/exploitation_1_1_0.json index f436738a..e54d2ace 100644 --- a/data/json/decision_points/exploitation_1_1_0.json +++ b/data/json/decision_points/exploitation_1_1_0.json @@ -1,10 +1,10 @@ { + "name": "Exploitation", + "description": "The present state of exploitation of the vulnerability.", "namespace": "ssvc", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "E", - "name": "Exploitation", - "description": "The present state of exploitation of the vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/human_impact_2_0_0.json b/data/json/decision_points/human_impact_2_0_0.json index b9fec592..80af1b78 100644 --- a/data/json/decision_points/human_impact_2_0_0.json +++ b/data/json/decision_points/human_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Human Impact", + "description": "Human Impact is a combination of Safety and Mission impacts.", "namespace": "ssvc", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "HI", - "name": "Human Impact", - "description": "Human Impact is a combination of Safety and Mission impacts.", "values": [ { "key": "L", diff --git a/data/json/decision_points/human_impact_2_0_1.json b/data/json/decision_points/human_impact_2_0_1.json index 9fd6ba91..3942e93a 100644 --- a/data/json/decision_points/human_impact_2_0_1.json +++ b/data/json/decision_points/human_impact_2_0_1.json 
@@ -1,10 +1,10 @@ { + "name": "Human Impact", + "description": "Human Impact is a combination of Safety and Mission impacts.", "namespace": "ssvc", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "HI", - "name": "Human Impact", - "description": "Human Impact is a combination of Safety and Mission impacts.", "values": [ { "key": "L", diff --git a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json index 20c2ad3a..95de41e6 100644 --- a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json +++ b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Mission and Well-Being Impact", + "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MWI", - "name": "Mission and Well-Being Impact", - "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", "values": [ { "key": "L", diff --git a/data/json/decision_points/mission_impact_1_0_0.json b/data/json/decision_points/mission_impact_1_0_0.json index 3dd1a4ba..ac6b2915 100644 --- a/data/json/decision_points/mission_impact_1_0_0.json +++ b/data/json/decision_points/mission_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Mission Impact", + "description": "Impact on Mission Essential Functions of the Organization", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "MI", - "name": "Mission Impact", - "description": "Impact on Mission Essential Functions of the Organization", "values": [ { "key": "N", diff --git a/data/json/decision_points/mission_impact_2_0_0.json b/data/json/decision_points/mission_impact_2_0_0.json index 51f392e9..b0a3fc77 100644 --- a/data/json/decision_points/mission_impact_2_0_0.json +++ b/data/json/decision_points/mission_impact_2_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Mission Impact", + "description": "Impact on Mission Essential Functions of the Organization", "namespace": "ssvc", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "MI", - "name": "Mission Impact", - "description": "Impact on Mission Essential Functions of the Organization", "values": [ { "key": "D", diff --git a/data/json/decision_points/public_safety_impact_2_0_0.json b/data/json/decision_points/public_safety_impact_2_0_0.json index 03eaa0d8..74b06423 100644 --- a/data/json/decision_points/public_safety_impact_2_0_0.json +++ b/data/json/decision_points/public_safety_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Public Safety Impact", + "description": "A coarse-grained representation of impact to public safety.", "namespace": "ssvc", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "PSI", - "name": "Public Safety Impact", - "description": "A coarse-grained representation of impact to public safety.", "values": [ { "key": "M", diff --git a/data/json/decision_points/public_safety_impact_2_0_1.json b/data/json/decision_points/public_safety_impact_2_0_1.json index e61afe04..7c60c4ef 100644 --- a/data/json/decision_points/public_safety_impact_2_0_1.json +++ b/data/json/decision_points/public_safety_impact_2_0_1.json @@ -1,10 +1,10 @@ { + "name": "Public Safety Impact", + "description": "A coarse-grained representation of impact to public safety.", "namespace": "ssvc", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "PSI", - "name": "Public Safety Impact", - "description": "A coarse-grained representation of impact to public safety.", "values": [ { "key": "M", diff --git a/data/json/decision_points/public_value_added_1_0_0.json b/data/json/decision_points/public_value_added_1_0_0.json index a376f8bb..ae508569 100644 --- a/data/json/decision_points/public_value_added_1_0_0.json +++ b/data/json/decision_points/public_value_added_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Public Value Added", + "description": "How much value would a publication from the coordinator benefit the broader community?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PVA", - "name": "Public Value Added", - "description": "How much value would a publication from the coordinator benefit the broader community?", "values": [ { "key": "L", diff --git a/data/json/decision_points/public_well-being_impact_1_0_0.json b/data/json/decision_points/public_well-being_impact_1_0_0.json index 2b1c02bd..7994e948 100644 --- a/data/json/decision_points/public_well-being_impact_1_0_0.json +++ b/data/json/decision_points/public_well-being_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Public Well-Being Impact", + "description": "A coarse-grained representation of impact to public well-being.", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PWI", - "name": "Public Well-Being Impact", - "description": "A coarse-grained representation of impact to public well-being.", "values": [ { "key": "M", diff --git a/data/json/decision_points/report_credibility_1_0_0.json b/data/json/decision_points/report_credibility_1_0_0.json index 06f2d323..8cf756bd 100644 --- a/data/json/decision_points/report_credibility_1_0_0.json +++ b/data/json/decision_points/report_credibility_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Report Credibility", + "description": "Is the report credible?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RC", - "name": "Report Credibility", - "description": "Is the report credible?", "values": [ { "key": "NC", diff --git a/data/json/decision_points/report_public_1_0_0.json b/data/json/decision_points/report_public_1_0_0.json index ba36050a..5c4d19d8 100644 --- a/data/json/decision_points/report_public_1_0_0.json +++ b/data/json/decision_points/report_public_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Report Public", + "description": "Is a viable report of the details of the vulnerability already publicly available?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RP", - "name": "Report Public", - "description": "Is a viable report of the details of the vulnerability already publicly available?", "values": [ { "key": "Y", diff --git a/data/json/decision_points/safety_impact_1_0_0.json b/data/json/decision_points/safety_impact_1_0_0.json index 7aadf352..fe240916 100644 --- a/data/json/decision_points/safety_impact_1_0_0.json +++ b/data/json/decision_points/safety_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Safety Impact", + "description": "The safety impact of the vulnerability.", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", - "name": "Safety Impact", - "description": "The safety impact of the vulnerability.", "values": [ { "key": "N", diff --git a/data/json/decision_points/safety_impact_2_0_0.json b/data/json/decision_points/safety_impact_2_0_0.json index 19d74d6b..4f839fb8 100644 --- a/data/json/decision_points/safety_impact_2_0_0.json +++ b/data/json/decision_points/safety_impact_2_0_0.json @@ -1,10 +1,10 @@ { + "name": "Safety Impact", + "description": "The safety impact of the vulnerability. (based on IEC 61508)", "namespace": "ssvc", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "SI", - "name": "Safety Impact", - "description": "The safety impact of the vulnerability. (based on IEC 61508)", "values": [ { "key": "N", diff --git a/data/json/decision_points/supplier_cardinality_1_0_0.json b/data/json/decision_points/supplier_cardinality_1_0_0.json index 0adc8300..ec1df5a8 100644 --- a/data/json/decision_points/supplier_cardinality_1_0_0.json +++ b/data/json/decision_points/supplier_cardinality_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Supplier Cardinality", + "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", - "name": "Supplier Cardinality", - "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", "values": [ { "key": "O", diff --git a/data/json/decision_points/supplier_contacted_1_0_0.json b/data/json/decision_points/supplier_contacted_1_0_0.json index 2cceb5ed..c32d5755 100644 --- a/data/json/decision_points/supplier_contacted_1_0_0.json +++ b/data/json/decision_points/supplier_contacted_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Supplier Contacted", + "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", - "name": "Supplier Contacted", - "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", "values": [ { "key": "N", diff --git a/data/json/decision_points/supplier_engagement_1_0_0.json b/data/json/decision_points/supplier_engagement_1_0_0.json index ffd69c94..d9f704b0 100644 --- a/data/json/decision_points/supplier_engagement_1_0_0.json +++ b/data/json/decision_points/supplier_engagement_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Supplier Engagement", + "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SE", - "name": "Supplier Engagement", - "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", "values": [ { "key": "A", 
diff --git a/data/json/decision_points/supplier_involvement_1_0_0.json b/data/json/decision_points/supplier_involvement_1_0_0.json index d9c5b433..15d014e5 100644 --- a/data/json/decision_points/supplier_involvement_1_0_0.json +++ b/data/json/decision_points/supplier_involvement_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Supplier Involvement", + "description": "What is the state of the supplier’s work on addressing the vulnerability?", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", - "name": "Supplier Involvement", - "description": "What is the state of the supplier’s work on addressing the vulnerability?", "values": [ { "key": "FR", diff --git a/data/json/decision_points/system_exposure_1_0_0.json b/data/json/decision_points/system_exposure_1_0_0.json index 45671101..c72411b5 100644 --- a/data/json/decision_points/system_exposure_1_0_0.json +++ b/data/json/decision_points/system_exposure_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "System Exposure", + "description": "The Accessible Attack Surface of the Affected System or Service", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EXP", - "name": "System Exposure", - "description": "The Accessible Attack Surface of the Affected System or Service", "values": [ { "key": "S", diff --git a/data/json/decision_points/system_exposure_1_0_1.json b/data/json/decision_points/system_exposure_1_0_1.json index a6b713d4..4babf60e 100644 --- a/data/json/decision_points/system_exposure_1_0_1.json +++ b/data/json/decision_points/system_exposure_1_0_1.json @@ -1,10 +1,10 @@ { + "name": "System Exposure", + "description": "The Accessible Attack Surface of the Affected System or Service", "namespace": "ssvc", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "EXP", - "name": "System Exposure", - "description": "The Accessible Attack Surface of the Affected System or Service", "values": [ { "key": "S", 
diff --git a/data/json/decision_points/technical_impact_1_0_0.json b/data/json/decision_points/technical_impact_1_0_0.json index 5f3c7375..92ecdb4e 100644 --- a/data/json/decision_points/technical_impact_1_0_0.json +++ b/data/json/decision_points/technical_impact_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Technical Impact", + "description": "The technical impact of the vulnerability.", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "TI", - "name": "Technical Impact", - "description": "The technical impact of the vulnerability.", "values": [ { "key": "P", diff --git a/data/json/decision_points/utility_1_0_0.json b/data/json/decision_points/utility_1_0_0.json index 033b00a3..71d0ca5f 100644 --- a/data/json/decision_points/utility_1_0_0.json +++ b/data/json/decision_points/utility_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Utility", + "description": "The Usefulness of the Exploit to the Adversary", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "U", - "name": "Utility", - "description": "The Usefulness of the Exploit to the Adversary", "values": [ { "key": "L", diff --git a/data/json/decision_points/utility_1_0_1.json b/data/json/decision_points/utility_1_0_1.json index 79091345..5c22b7fe 100644 --- a/data/json/decision_points/utility_1_0_1.json +++ b/data/json/decision_points/utility_1_0_1.json @@ -1,10 +1,10 @@ { + "name": "Utility", + "description": "The Usefulness of the Exploit to the Adversary", "namespace": "ssvc", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "U", - "name": "Utility", - "description": "The Usefulness of the Exploit to the Adversary", "values": [ { "key": "L", diff --git a/data/json/decision_points/value_density_1_0_0.json b/data/json/decision_points/value_density_1_0_0.json index 725b53fe..4658a012 100644 --- a/data/json/decision_points/value_density_1_0_0.json +++ b/data/json/decision_points/value_density_1_0_0.json 
@@ -1,10 +1,10 @@ { + "name": "Value Density", + "description": "The concentration of value in the target", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "VD", - "name": "Value Density", - "description": "The concentration of value in the target", "values": [ { "key": "D", diff --git a/data/json/decision_points/virulence_1_0_0.json b/data/json/decision_points/virulence_1_0_0.json index 5d2200d9..b08d9539 100644 --- a/data/json/decision_points/virulence_1_0_0.json +++ b/data/json/decision_points/virulence_1_0_0.json @@ -1,10 +1,10 @@ { + "name": "Virulence", + "description": "The speed at which the vulnerability can be exploited.", "namespace": "ssvc", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "V", - "name": "Virulence", - "description": "The speed at which the vulnerability can be exploited.", "values": [ { "key": "S", diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 2e7edfb2..fabbdc8b 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -88,6 +88,26 @@ class _Keyed(BaseModel): key: str +class _Valued(BaseModel): + """ + Mixin class for valued SSVC objects. + """ + + values: tuple + + def __iter__(self): + """ + Allow iteration over the values in the object. + """ + return iter(self.values) + + def __len__(self): + """ + Allow len() to be called on the object. + """ + return len(self.values) + + def exclude_if_none(value): return value is None diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index dd79f041..0bb87ecd 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -20,7 +20,7 @@ from pydantic import BaseModel -from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Valued, _Versioned from ssvc.namespaces import NameSpace logger = logging.getLogger(__name__) 
@@ -62,13 +62,13 @@ class SsvcDecisionPointValue(_Base, _Keyed, BaseModel): """ -class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, BaseModel): +class SsvcDecisionPoint(_Valued, _Keyed, _Versioned, _Namespaced, _Base, BaseModel): """ Models a single decision point as a list of values. """ namespace: str = NameSpace.SSVC - values: list[SsvcDecisionPointValue] = [] + values: tuple[SsvcDecisionPointValue, ...] def __iter__(self): """ diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index c59226a5..70fba2f9 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -31,10 +31,10 @@ "key": "DPT", "name": "Decision Point Test", "description": "This is a test decision point.", - "values": [ + "values": ( {"key": "N", "name": "No", "description": "No means no"}, {"key": "Y", "name": "Yes", "description": "Yes means yes"}, - ], + ), } @@ -122,7 +122,12 @@ def test_dump_json(self): # file is loadable json d = json.load(open(json_file)) for k, v in dp.model_dump().items(): - self.assertEqual(v, d[k]) + # on reload, the tuples are lists, but they should be the same + reloaded_value = d[k] + if isinstance(reloaded_value, list): + reloaded_value = tuple(reloaded_value) + + self.assertEqual(v, reloaded_value) # should not overwrite the file overwrite = False diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py index a386b94c..58b626a6 100644 --- a/src/test/test_dp_base.py +++ b/src/test/test_dp_base.py @@ -42,6 +42,14 @@ def tearDown(self) -> None: # restore the original registry base._reset_registered() + def test_decision_point_basics(self): + from ssvc._mixins import _Base, _Keyed, _Namespaced, _Valued, _Versioned + + # inherits from mixins + mixins = [_Valued, _Base, _Keyed, _Versioned, _Namespaced] + for mixin in mixins: + self.assertIsInstance(self.dp, mixin) + def test_registry(self): # just by creating the objects, they should be registered self.assertIn(self.dp, base.REGISTERED_DECISION_POINTS) 
diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index 4db76959..49450578 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py @@ -16,7 +16,7 @@ from pydantic import BaseModel, ValidationError -from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Valued, _Versioned from ssvc.namespaces import NameSpace @@ -125,6 +125,22 @@ def test_keyed_create(self): self.assertRaises(ValidationError, _Keyed) + def test_valued_create(self): + values = ("foo", "bar", "baz", "quux") + obj = _Valued(values=values) + + # length + self.assertEqual(len(obj), len(values)) + + # iteration + for i, v in enumerate(obj): + self.assertEqual(v, values[i]) + + # values + self.assertEqual(obj.values, values) + + self.assertRaises(ValidationError, _Valued) + def test_mixin_combos(self): # We need to test all the combinations mixins = [ From 0fb6690f3df2909a8fea2939551b56430c1161a8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 10:49:02 -0400 Subject: [PATCH 10/12] Bump tj-actions/changed-files from 46.0.1 to 46.0.3 (#757) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 46.0.1 to 46.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/2f7c5bfce28377bc069a65ba478de0a74aa0ca32...823fcebdb31bb35fdf2229d9f769b400309430d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint_md_changes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml index 6daf9d6a..17cbd9c1 100644 --- a/.github/workflows/lint_md_changes.yml +++ b/.github/workflows/lint_md_changes.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 + - uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 id: changed-files with: files: '**/*.md' From 59c9677c13785c73d9586911d840b73541cb3003 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 10:49:56 -0400 Subject: [PATCH 11/12] Bump markdown-exec from 1.10.1 to 1.10.2 (#756) Bumps [markdown-exec](https://github.com/pawamoy/markdown-exec) from 1.10.1 to 1.10.2. - [Release notes](https://github.com/pawamoy/markdown-exec/releases) - [Changelog](https://github.com/pawamoy/markdown-exec/blob/main/CHANGELOG.md) - [Commits](https://github.com/pawamoy/markdown-exec/compare/1.10.1...1.10.2) --- updated-dependencies: - dependency-name: markdown-exec dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b27150be..d24d02fd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,7 @@ mkdocs-material-extensions==1.3.1 mkdocstrings==0.29.0 mkdocstrings-python==1.16.5 mkdocs-print-site-plugin==2.7.1 -markdown-exec==1.10.1 +markdown-exec==1.10.2 thefuzz==0.22.1 pandas==2.2.3 scikit-learn==1.6.1 From 293808a5da9ccbe69239cf53487939d6099a17da Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 10:50:33 -0400 Subject: [PATCH 12/12] Bump mkdocstrings-python from 1.16.5 to 1.16.8 in the mkdocs group (#755) Bumps the mkdocs group with 1 update: [mkdocstrings-python](https://github.com/mkdocstrings/python). Updates `mkdocstrings-python` from 1.16.5 to 1.16.8 - [Release notes](https://github.com/mkdocstrings/python/releases) - [Changelog](https://github.com/mkdocstrings/python/blob/main/CHANGELOG.md) - [Commits](https://github.com/mkdocstrings/python/compare/1.16.5...1.16.8) --- updated-dependencies: - dependency-name: mkdocstrings-python dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d24d02fd..aa50661d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,7 +5,7 @@ mkdocs-table-reader-plugin==3.1.0 mkdocs-material==9.6.9 mkdocs-material-extensions==1.3.1 mkdocstrings==0.29.0 -mkdocstrings-python==1.16.5 +mkdocstrings-python==1.16.8 mkdocs-print-site-plugin==2.7.1 markdown-exec==1.10.2 thefuzz==0.22.1
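Review bot: in the data/json/decision_points/ hunks, supplier_cardinality_1_0_0.json and supplier_contacted_1_0_0.json both carry "key": "SC" under namespace "ssvc" at version "1.0.0", and safety_impact_1_0_0.json and supplier_involvement_1_0_0.json both carry "key": "SI", so any consumer that indexes decision points by namespace, key and version cannot tell them apart. Since every one of these files is being rewritten anyway, this is a good place to either assign distinct keys or document that keys are not unique identifiers. The reordering itself (name and description moved to the top) looks like a side effect of moving `_Base` to the end of the base list in src/ssvc/decision_points/base.py; say in the description that the JSON was regenerated and carries no content change, so reviewers do not have to compare each description string by eye.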
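Review bot: in src/ssvc/_mixins.py the new `_Valued.values` field is annotated as a bare `tuple`, so an empty tuple and elements of any type pass validation, and a tuple only prevents in-place mutation, not reassignment of `obj.values` (unless the model is frozen somewhere outside this hunk). If the intent of moving from list to tuple is that a decision point's values are fixed and non-empty, add a minimum length constraint to the field and state the immutability expectation in the docstring, which currently only says "Mixin class for valued SSVC objects."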
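Review bot: in src/ssvc/decision_points/base.py, `values` loses its `= []` default and becomes `tuple[SsvcDecisionPointValue, ...]`, so constructing an `SsvcDecisionPoint` without values now fails validation, while the class docstring still reads "Models a single decision point as a list of values." Update the docstring and call out the now-required field as a behaviour change for downstream callers. The trailing context also shows `def __iter__(self):` still defined on `SsvcDecisionPoint`; with `_Valued` first in the bases and supplying `__iter__` and `__len__`, that override looks redundant and should be removed unless it does something different from the mixin.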
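Review bot: in `test_dump_json` in src/test/test_doctools.py, the added `tuple(reloaded_value)` conversion is shallow and is applied to every top-level list in the reloaded JSON, so the assertion only holds while `values` is the one sequence field and a future field that is genuinely a list would start failing here. Comparing `d` against `dp.model_dump(mode="json")` removes the special case, because that dump already renders tuples as lists. The context line `d = json.load(open(json_file))` also never closes the file; wrapping it in `with open(json_file) as f:` would fix that while this test is being touched.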
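Review bot: in `test_decision_point_basics` in src/test/test_dp_base.py, the `from ssvc._mixins import ...` line sits inside the test method and the test only asserts `isinstance`, which proves inheritance but not that the mixin behaviour reaches the decision point. Move the import to module level with the others and add assertions that `len(self.dp)` equals `len(self.dp.values)` and that `tuple(self.dp)` equals `self.dp.values`, since `SsvcDecisionPoint` still defines its own `__iter__`.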
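Review bot: `test_valued_create` in src/test/test_mixins.py covers the missing-field case but not the two inputs most likely to show up in practice: a list passed for `values` (which is what a JSON reload produces, as the `test_dump_json` change in this same patch acknowledges) and an empty tuple. Add a case asserting what `_Valued(values=["foo", "bar"])` stores and whether `_Valued(values=())` is accepted or rejected, so the intended contract is pinned down by a test rather than by the current validator behaviour.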
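Review bot: in .github/workflows/lint_md_changes.yml the `uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0` line pins by full commit SHA, which is the right practice for a third-party action, but nothing in the file records which release that SHA is meant to be. The commit message says 46.0.3; add a trailing `# v46.0.3` comment on the `uses:` line and confirm against the upstream repository that the tag resolves to exactly this commit before merging, because the diff alone cannot show that.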
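Review bot: in requirements.txt the bumped entries (`markdown-exec==1.10.2`, `mkdocstrings-python==1.16.8`) are pinned by version only, with no `--hash` values, so the build trusts whatever artifact the index serves for that version. If these requirements are installed in CI, consider generating the file with hashes and installing with pip's `--require-hashes` mode so that a version bump also records the expected artifact digests in review.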