From 39f7bf3968e6edc882db71fc5ffa47771906c342 Mon Sep 17 00:00:00 2001 From: sei-renae Date: Thu, 27 Mar 2025 09:43:39 -0400 Subject: [PATCH 1/2] Change docs copyright page to reflect new LICENSE wording (#763) * Change docs copyright page to reflect new LICENSE wording * markdownlint --- docs/about/copyright.md | 22 ++++++---------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/docs/about/copyright.md b/docs/about/copyright.md index 5637a336..79904388 100644 --- a/docs/about/copyright.md +++ b/docs/about/copyright.md 
@@ -1,24 +1,14 @@ +Copyright 2025 Carnegie Mellon University. -# Copyright - -Copyright 2019-2023 Carnegie Mellon University. - -This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. +This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. -References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. - NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. -\[DISTRIBUTION STATEMENT A\] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. 
- -Internal use:\* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. - -External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at . - -\* These restrictions do not apply to U.S. government entities. +[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. -Carnegie Mellon®, CERT Coordination Center® and OCTAVE® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. +This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. Requests for permission for non-licensed uses should be directed to the Software Engineering Institute at . +CERT Coordination Center® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. -DM19-1222 +DM24-0278 From 20a7a9cdf01a67d3a764c2d664938ccca4bed463 Mon Sep 17 00:00:00 2001 
From: Vijay Sarvepalli Date: Thu, 27 Mar 2025 09:44:59 -0400 Subject: [PATCH 2/2] Update namespace to ensure sufficient limits are established (#765) * Update namespace to ensure sufficient limits are established * Remove tabs smoothly * Remove ending spaces * Update namespace test_mixins.py --- .../v1/Decision_Point-1-0-1.schema.json | 136 +++++++++--------- .../v1/Decision_Point_Group-1-0-1.schema.json | 74 +++++----- ...on_Point_Value_Selection-1-0-1.schema.json | 130 ++++++++--------- .../schema/v1/Outcome_Group-1-0-1.schema.json | 92 ++++++------ src/ssvc/_mixins.py | 2 +- src/ssvc/namespaces.py | 4 +- src/test/test_mixins.py | 4 +- 7 files changed, 221 insertions(+), 221 deletions(-) diff --git a/data/schema/v1/Decision_Point-1-0-1.schema.json b/data/schema/v1/Decision_Point-1-0-1.schema.json index 0d1faf9c..b3693d8f 100644 --- a/data/schema/v1/Decision_Point-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point-1-0-1.schema.json 
@@ -4,97 +4,97 @@ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json", "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.", "$defs": { - "schemaVersion": { + "schemaVersion": { "description": "Schema version used to represent this Decision Point.", "type": "string", "enum": ["1-0-1"] }, - "decision_point_value": { + "decision_point_value": { "type": "object", - "additionalProperties": false, + "additionalProperties": false, "properties": { "key": { "type": "string", "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.", - "minLength": 1, - "examples": ["P", "Y"] + "minLength": 1, + "examples": ["P", "Y"] }, "name": { "type": "string", "description": "A short label that identifies a Decision Point Value", - "minLength": 1, - "examples": ["Public PoC", "Yes"] + "minLength": 1, + "examples": ["Public PoC", "Yes"] }, "description": { "type": "string", "description": "A full description of the Decision Point Value.", - "minLength": 1, - "examples": ["One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.","Attackers can reliably automate steps 1-4 of the kill chain."] + "minLength": 1, + "examples": ["One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.","Attackers can reliably automate steps 1-4 of the kill chain."] } }, - "required" : [ - "key", - "name", - "description" - ] - }, - "decision_point": { - "type": "object", - "additionalProperties": false, - "properties": { - "schemaVersion": { - "$ref": "#/$defs/schemaVersion" - }, - "namespace": { - "type": "string", - "description": "Namespace (a 
short, unique string): The value must be one of the official namespaces, currenlty \"ssvc\", \"cvss\" OR can start with 'x_' for private namespaces. See SSVC Documentation for details.", - "pattern": "^(?=.{3,25}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,22}$", - "examples": ["ssvc", "cvss", "x_custom","x_custom/extension"] - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies the version of a Decision Point.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "examples": ["1.0.1", "1.0.1-alpha"] - }, - "key": { - "type": "string", + "required" : [ + "key", + "name", + "description" + ] + }, + "decision_point": { + "type": "object", + "additionalProperties": false, + "properties": { + "schemaVersion": { + "$ref": "#/$defs/schemaVersion" + }, + "namespace": { + "type": "string", + "description": "Namespace (a short, unique string): The value must be one of the official namespaces, currenlty \"ssvc\", \"cvss\" OR can start with 'x_' for private namespaces. 
See SSVC Documentation for details.", + "pattern": "^(?=.{3,100}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,97}$", + "examples": ["ssvc", "cvss", "x_custom","x_custom/extension"] + }, + "version": { + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": ["1.0.1", "1.0.1-alpha"] + }, + "key": { + "type": "string", "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point.", - "minLength": 1, - "examples": ["E", "A"] - }, - "name": { - "type": "string", + "minLength": 1, + "examples": ["E", "A"] + }, + "name": { + "type": "string", "description": "A short label that identifies a Decision Point.", - "minLength": 1, - "examples": ["Exploitation", "Automatable"] - }, - "description": { - "type": "string", + "minLength": 1, + "examples": ["Exploitation", "Automatable"] + }, + "description": { + "type": "string", "description": "A full description of the Decision Point, explaining what it represents and how it is used in SSVC.", - "minLength": 1 - }, - "values": { - "description": "A set of possible answers for a given Decision Point", - "uniqueItems": true, - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/decision_point_value" - } - } - }, - "required": [ - "namespace", - "version", - "key", - "name", - "description", - "values", - "schemaVersion" - ] - } + "minLength": 1 + }, + "values": { + "description": "A set of possible answers for a given Decision Point", + "uniqueItems": true, + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/decision_point_value" + } + } + }, + "required": [ + "namespace", + "version", + "key", + "name", + "description", + "values", + "schemaVersion" + ] + } }, "$ref": 
"#/$defs/decision_point" } diff --git a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json index ec2768ab..f1dc16c4 100644 --- a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json 
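Review bot: Raising the namespace bound from 25 to 100 in the `pattern` of the `namespace` property turns a latent backtracking hazard into a practical one: `([/.-]?[a-z0-9]+){0,97}` has an optional separator, so a run of alphanumerics can be split across iterations in exponentially many ways, and an input inside the length limit that fails only at a later character (a long alphanumeric run followed by something outside the class) makes a backtracking engine enumerate those splits before `$` fails — bounded at 25 characters, effectively unbounded at 100. The identical pattern is introduced in the src/ssvc/namespaces.py hunk as `NS_PATTERN`, and it is fed to a pydantic `Field` in src/ssvc/_mixins.py, where the lookahead presumably forces Python's backtracking `re` rather than the linear-time Rust engine, so the server-side validator is the one that would stall. An unambiguous form accepting exactly the same strings is `"pattern": "^(?=.{3,100}$)(x_)?[a-z0-9]{3,}([/.-][a-z0-9]+)*$"` (every separator mandatory between runs), and it should be applied to both copies. Since the schema keeps its `1-0-1` `$id` while now accepting documents it previously rejected, consider whether the relaxed constraint warrants a schema version bump, and a test asserting this JSON `pattern` equals `NS_PATTERN.pattern` would keep the two copies from drifting again.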
@@ -4,49 +4,49 @@ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group-1-0-1.schema.json", "description": "Decision Point Groups are sets of decision points pinned to specific versions of those decision points. These groups may change over time.", "$defs": { - "schemaVersion": { + "schemaVersion": { "description": "Schema version used to represent Decision Point Group.", "type": "string", "enum": ["1-0-1"] }, - "decision_point_group": { - "type": "object", - "additionalProperties": false, - "properties": { - "schemaVersion": { + "decision_point_group": { + "type": "object", + "additionalProperties": false, + "properties": { + "schemaVersion": { "$ref": "#/$defs/schemaVersion" }, - "version": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" - }, - "name": { - "type": "string", - "description": "A short label that captures the description of the Decision Point Group.", - "minLength": 1, - "examples": ["SSVC Supplier","Coordinator Triage", "SSVC Deployer"] - }, - "description": { - "type": "string", - "description": "A full description of the Decision Point Group.", - "minLength": 1, - "examples": ["These decision points used by the Coordinator during publication."] - }, - "decision_points": { - "type": "array", - "minItems": 1, - "items": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json" - } - } - }, - "required": [ - "version", - "name", - "description", - "decision_points", - "schemaVersion" - ] - } + "version": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" + }, + "name": { + "type": "string", + "description": "A short label that captures the description of the Decision Point Group.", + "minLength": 1, + "examples": ["SSVC Supplier","Coordinator Triage", "SSVC Deployer"] + }, + "description": { + "type": "string", + "description": "A 
full description of the Decision Point Group.", + "minLength": 1, + "examples": ["These decision points used by the Coordinator during publication."] + }, + "decision_points": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json" + } + } + }, + "required": [ + "version", + "name", + "description", + "decision_points", + "schemaVersion" + ] + } }, "$ref": "#/$defs/decision_point_group" diff --git a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json index ca5b1115..873265fc 100644 --- a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json 
@@ -3,84 +3,84 @@ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { - "id": { + "id": { "type": "string", "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"], - "minLength": 1 - }, - "role": { + "minLength": 1 + }, + "role": { "type": "string", "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", "examples": ["Supplier","Deployer","Coordinator"], - "minLength": 1 + "minLength": 1 }, - "timestamp" : { + "timestamp" : { "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" - }, - "namespace": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. 
If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" - } - }, - "version": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } + "format": "date-time" + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", + "properties": { + "name": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" + }, + "namespace": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" + }, + "values": { + "description": "One or more Decision Point Values that were selected for this Decision Point. 
If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" + } + }, + "version": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } }, "properties": { - "id": { - "$ref": "#/$defs/id" - }, - "role": { - "$ref": "#/$defs/role" - }, - "schemaVersion": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" - }, - "timestamp": { - "$ref": "#/$defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/SsvcdecisionpointselectionSchema" - } - } - }, + "id": { + "$ref": "#/$defs/id" + }, + "role": { + "$ref": "#/$defs/role" + }, + "schemaVersion": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" + }, + "timestamp": { + "$ref": "#/$defs/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their selected values for the identified Vulnerability. 
If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/SsvcdecisionpointselectionSchema" + } + } + }, "type": "object", "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" + "selections", + "id", + "timestamp", + "schemaVersion" ], "additionalProperties": false } diff --git a/data/schema/v1/Outcome_Group-1-0-1.schema.json b/data/schema/v1/Outcome_Group-1-0-1.schema.json index aba8d781..96b2f6a1 100644 --- a/data/schema/v1/Outcome_Group-1-0-1.schema.json +++ b/data/schema/v1/Outcome_Group-1-0-1.schema.json @@ -4,14 +4,14 @@ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Outcome-1-0-1.schema.json", "description": "An outcome is the result of making a decision. Outcomes are often tailored specifically to the stakeholder context in which the decision is being made. We call the set of possible outcomes for a decision an Outcome Set.", "$defs": { - "schemaVersion": { + "schemaVersion": { "description": "Schema version used to represent this Outcome Group", "type": "string", "enum": ["1-0-1"] }, - "outcome_value": { + "outcome_value": { "type": "object", - "additionalProperties": false, + "additionalProperties": false, "properties": { "key": { "type": "string", 
@@ -26,49 +26,49 @@ "description": "Description of the Decision Point Value" } }, - "required" : [ - "key", - "name", - "description" - ] - }, - "outcome_group": { - "type": "object", - "additionalProperties": false, - "properties": { - "schemaVersion": { - "$ref": "#/$defs/schemaVersion" - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies this object" - }, - "name": { - "type": "string", - "description": "A short label that captures the description of the group of Outcomes" - }, - "description": { - "type": "string", - "description": " Description of the of group of Outcomes." - }, - "outcomes": { - "description": "Collection Set of Outcomes.", - "uniqueItems": true, - "type": "array", - "minItems": 2, - "items": { - "$ref": "#/$defs/outcome_value" - } - } - }, - "required": [ - "version", - "name", - "description", - "outcomes", - "schemaVersion" - ] - } + "required" : [ + "key", + "name", + "description" + ] + }, + "outcome_group": { + "type": "object", + "additionalProperties": false, + "properties": { + "schemaVersion": { + "$ref": "#/$defs/schemaVersion" + }, + "version": { + "type": "string", + "description": "Version (a semantic version string) that identifies this object" + }, + "name": { + "type": "string", + "description": "A short label that captures the description of the group of Outcomes" + }, + "description": { + "type": "string", + "description": " Description of the of group of Outcomes." + }, + "outcomes": { + "description": "Collection Set of Outcomes.", + "uniqueItems": true, + "type": "array", + "minItems": 2, + "items": { + "$ref": "#/$defs/outcome_value" + } + } + }, + "required": [ + "version", + "name", + "description", + "outcomes", + "schemaVersion" + ] + } }, "$ref": "#/$defs/outcome_group" } diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index cff88321..4e52ff35 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py 
@@ -63,7 +63,7 @@ class _Namespaced(BaseModel): # the field definition enforces the pattern for namespaces # additional validation is performed in the field_validator immediately after the pattern check - namespace: str = Field(pattern=NS_PATTERN, min_length=3, max_length=25) + namespace: str = Field(pattern=NS_PATTERN, min_length=3, max_length=100) @field_validator("namespace", mode="before") @classmethod diff --git a/src/ssvc/namespaces.py b/src/ssvc/namespaces.py index de0a78d9..4c34260c 100644 --- a/src/ssvc/namespaces.py +++ b/src/ssvc/namespaces.py @@ -30,7 +30,7 @@ """The prefix for extension namespaces. Extension namespaces must start with this prefix.""" # pattern to match -# `(?=.{3,25}$)`: 3-25 characters long +# `(?=.{3,100}$)`: 3-25 characters long # `^(x_)`: `x_` prefix is optional # `[a-z0-9]{3,4}`: must start with 3-4 alphanumeric characters # `[/.-]?`: only one punctuation character is allowed between alphanumeric characters @@ -38,7 +38,7 @@ # `([/.-]?[a-z0-9]+){0,22}`: zero to 22 occurrences of the punctuation character followed by at least one alphanumeric character # (note that the total limit will kick in at or before this point) # `$`: end of the string -NS_PATTERN = re.compile(r"^(?=.{3,25}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,22}$") +NS_PATTERN = re.compile(r"^(?=.{3,100}$)(x_)?[a-z0-9]{3}([/.-]?[a-z0-9]+){0,97}$") """The regular expression pattern for validating namespaces. Note: diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index 188f8ab5..c4724c1c 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py @@ -92,12 +92,12 @@ def test_namespaced_create_errors(self): _Namespaced(namespace="x_") # error if namespace starts with x_ but is too long - for i in range(100): + for i in range(150): shortest = "x_aaa" ns = shortest + "a" * i with self.subTest(ns=ns): # length limit set in the NS_PATTERN regex - if len(ns) <= 25: + if len(ns) <= 100: # expect success on shorter than limit _Namespaced(namespace=ns) else:
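Review bot: The updated comment in the first src/ssvc/namespaces.py hunk is now self-contradictory — `# `(?=.{3,100}$)`: 3-25 characters long` should read `# `(?=.{3,100}$)`: 3-100 characters long` — and in the second hunk of that file the unchanged context line `# `([/.-]?[a-z0-9]+){0,22}`: zero to 22 occurrences ...` no longer describes the `{0,97}` in the new `NS_PATTERN`. The same limit is now hard-coded in three places (the lookahead and repetition count here, `max_length=100` in src/ssvc/_mixins.py, and the Decision_Point schema JSON), so a single module constant, e.g. a suggested `NS_MAX_LENGTH = 100` used to build the pattern string and passed as the `Field` bound, would stop them drifting. Note also that `{0,97}` is redundant given the 100-character lookahead, and the pattern's optional separator makes rejection of near-valid input exponential in a backtracking engine; see the note on the Decision_Point schema hunk for an equivalent unambiguous pattern.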
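Review bot: In the src/test/test_mixins.py hunk the limit is repeated as two magic numbers, `range(150)` and `if len(ns) <= 100:`, so the next change to `NS_PATTERN` must again be mirrored here by hand; deriving the bound from the model, e.g. `limit = _Namespaced.model_fields["namespace"].metadata` if that is how the project exposes it — TODO confirm — or from a shared constant, and iterating `range(limit + 50)`, would keep the test honest. The loop also only exercises inputs that either match on the first attempt or exceed the length lookahead; a case for a string within the limit that is rejected on a trailing character, with a modest time bound, would catch the regression in rejection cost that the widened pattern introduces. `test_namespaced_create_errors` starts before this hunk and continues after it.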