-
Notifications
You must be signed in to change notification settings - Fork 36
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
8c9d041
commit 1812c2f
Showing
12 changed files
with
468 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| # Copyright (c) 2023 Carnegie Mellon University and Contributors. | ||
| # - see Contributors.md for a full list of Contributors | ||
| # - see ContributionInstructions.md for information on how you can Contribute to this project | ||
| # Stakeholder Specific Vulnerability Categorization (SSVC) is | ||
| # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed | ||
| # with this Software or contact [email protected] for full terms. | ||
| # Created, in part, with funding and support from the United States Government | ||
| # (see Acknowledgments file). This program may include and/or can make use of | ||
| # certain third party source code, object code, documentation and other files | ||
| # (“Third Party Software”). See LICENSE.md for more details. | ||
| # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the | ||
| # U.S. Patent and Trademark Office by Carnegie Mellon University | ||
|
|
||
| """ | ||
| Provides CVSS v4 Supplemental Metrics | ||
| """ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| #!/usr/bin/env python | ||
| """ | ||
| Provides the CVSS supplemental metric Automatable | ||
| """ | ||
| # Copyright (c) 2023 Carnegie Mellon University and Contributors. | ||
| # - see Contributors.md for a full list of Contributors | ||
| # - see ContributionInstructions.md for information on how you can Contribute to this project | ||
| # Stakeholder Specific Vulnerability Categorization (SSVC) is | ||
| # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed | ||
| # with this Software or contact [email protected] for full terms. | ||
| # Created, in part, with funding and support from the United States Government | ||
| # (see Acknowledgments file). This program may include and/or can make use of | ||
| # certain third party source code, object code, documentation and other files | ||
| # (“Third Party Software”). See LICENSE.md for more details. | ||
| # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the | ||
| # U.S. Patent and Trademark Office by Carnegie Mellon University | ||
|
|
||
| from ssvc.decision_points import SsvcDecisionPointValue | ||
| from ssvc.decision_points.cvss.base import CvssDecisionPoint | ||
| from ssvc.decision_points.helpers import print_versions_and_diffs | ||
|
|
||
|
|
||
| AUTOMATABLE_1 = CvssDecisionPoint( | ||
| name="Automatable", | ||
| description='The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation ' | ||
| 'events for this vulnerability across multiple targets?" based on steps 1-4 of the kill chain.', | ||
| key="AU", | ||
| version="1.0.0", | ||
| values=( | ||
| SsvcDecisionPointValue( | ||
| name="No", | ||
| key="N", | ||
| description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " | ||
| "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="Yes", | ||
| key="Y", | ||
| description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " | ||
| "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " | ||
| '"wormable").', | ||
| ), | ||
| ), | ||
| ) | ||
|
|
||
|
|
||
| def main(): | ||
| versions = [ | ||
| AUTOMATABLE_1, | ||
| ] | ||
|
|
||
| print_versions_and_diffs(versions) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| main() |
67 changes: 67 additions & 0 deletions
67
src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| #!/usr/bin/env python | ||
| """ | ||
| Provides the CVSS supplemental metric Provider Urgency as a SSVC decision point. | ||
| """ | ||
| # Copyright (c) 2023 Carnegie Mellon University and Contributors. | ||
| # - see Contributors.md for a full list of Contributors | ||
| # - see ContributionInstructions.md for information on how you can Contribute to this project | ||
| # Stakeholder Specific Vulnerability Categorization (SSVC) is | ||
| # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed | ||
| # with this Software or contact [email protected] for full terms. | ||
| # Created, in part, with funding and support from the United States Government | ||
| # (see Acknowledgments file). This program may include and/or can make use of | ||
| # certain third party source code, object code, documentation and other files | ||
| # (“Third Party Software”). See LICENSE.md for more details. | ||
| # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the | ||
| # U.S. Patent and Trademark Office by Carnegie Mellon University | ||
|
|
||
| from ssvc.decision_points import SsvcDecisionPointValue | ||
| from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_X | ||
| from ssvc.decision_points.cvss.base import CvssDecisionPoint | ||
| from ssvc.decision_points.helpers import print_versions_and_diffs | ||
|
|
||
| PROVIDER_URGENCY_1 = CvssDecisionPoint( | ||
| name="Provider Urgency", | ||
| description="Many vendors currently provide supplemental severity ratings to consumers via product security " | ||
| "advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document " | ||
| "in their advisories. To facilitate a standardized method to incorporate additional provider-supplied " | ||
| 'assessment, an optional "pass-through" Supplemental Metric called Provider Urgency is available.', | ||
| key="U", | ||
| version="1.0.0", | ||
| values=( | ||
| NOT_DEFINED_X, | ||
| # Red, Amber, Green, Clear | ||
| SsvcDecisionPointValue( | ||
| name="Red", | ||
| key="R", | ||
| description="Provider has assessed the impact of this vulnerability as having the highest urgency.", | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="Amber", | ||
| key="A", | ||
| description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="Green", | ||
| key="G", | ||
| description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="Clear", | ||
| key="C", | ||
| description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", | ||
| ), | ||
| ), | ||
| ) | ||
|
|
||
|
|
||
| def main(): | ||
| versions = [ | ||
| PROVIDER_URGENCY_1, | ||
| ] | ||
|
|
||
| print_versions_and_diffs(versions) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| #!/usr/bin/env python | ||
| """ | ||
| Provides the CVSS supplemental metric Recovery | ||
| """ | ||
| # Copyright (c) 2023 Carnegie Mellon University and Contributors. | ||
| # - see Contributors.md for a full list of Contributors | ||
| # - see ContributionInstructions.md for information on how you can Contribute to this project | ||
| # Stakeholder Specific Vulnerability Categorization (SSVC) is | ||
| # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed | ||
| # with this Software or contact [email protected] for full terms. | ||
| # Created, in part, with funding and support from the United States Government | ||
| # (see Acknowledgments file). This program may include and/or can make use of | ||
| # certain third party source code, object code, documentation and other files | ||
| # (“Third Party Software”). See LICENSE.md for more details. | ||
| # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the | ||
| # U.S. Patent and Trademark Office by Carnegie Mellon University | ||
|
|
||
| from ssvc.decision_points import SsvcDecisionPointValue | ||
| from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_X | ||
| from ssvc.decision_points.cvss.base import CvssDecisionPoint | ||
| from ssvc.decision_points.helpers import print_versions_and_diffs | ||
|
|
||
|
|
||
| RECOVERY_1 = CvssDecisionPoint( | ||
| name="Recovery", | ||
| description="The Recovery metric describes the resilience of a system to recover services, in terms of performance " | ||
| "and availability, after an attack has been performed.", | ||
| key="R", | ||
| version="1.0.0", | ||
| values=( | ||
| NOT_DEFINED_X, | ||
| SsvcDecisionPointValue( | ||
| name="Automatic", | ||
| key="A", | ||
| description="The system recovers services automatically after an attack has been performed.", | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="User", | ||
| key="U", | ||
| description="The system requires manual intervention by the user to recover services, after an attack has " | ||
| "been performed.", | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="Irrecoverable", | ||
| key="I", | ||
| description="The system services are irrecoverable by the user, after an attack has been performed.", | ||
| ), | ||
| ), | ||
| ) | ||
|
|
||
|
|
||
| def main(): | ||
| versions = [ | ||
| RECOVERY_1, | ||
| ] | ||
|
|
||
| print_versions_and_diffs(versions) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| #!/usr/bin/env python | ||
| """ | ||
| Provides CVSS v4 Supplemental Metric for Safety | ||
| """ | ||
|
|
||
| # Copyright (c) 2023 Carnegie Mellon University and Contributors. | ||
| # - see Contributors.md for a full list of Contributors | ||
| # - see ContributionInstructions.md for information on how you can Contribute to this project | ||
| # Stakeholder Specific Vulnerability Categorization (SSVC) is | ||
| # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed | ||
| # with this Software or contact [email protected] for full terms. | ||
| # Created, in part, with funding and support from the United States Government | ||
| # (see Acknowledgments file). This program may include and/or can make use of | ||
| # certain third party source code, object code, documentation and other files | ||
| # (“Third Party Software”). See LICENSE.md for more details. | ||
| # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the | ||
| # U.S. Patent and Trademark Office by Carnegie Mellon University | ||
|
|
||
| from ssvc.decision_points.base import SsvcDecisionPointValue | ||
| from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_X | ||
| from ssvc.decision_points.cvss.base import CvssDecisionPoint | ||
| from ssvc.decision_points.helpers import print_versions_and_diffs | ||
|
|
||
| SAFETY_1 = CvssDecisionPoint( | ||
| name="Safety", | ||
| description="The Safety decision point is a measure of the potential for harm to humans or the environment.", | ||
| key="S", | ||
| version="1.0.0", | ||
| values=( | ||
| NOT_DEFINED_X, | ||
| # Present, Negligible | ||
| SsvcDecisionPointValue( | ||
| name="Present", | ||
| key="P", | ||
| description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " | ||
| '"marginal," "critical," or "catastrophic."', | ||
| ), | ||
| SsvcDecisionPointValue( | ||
| name="Negligible", | ||
| key="N", | ||
| description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " | ||
| '"negligible."', | ||
| ), | ||
| ), | ||
| ) | ||
|
|
||
|
|
||
| def main(): | ||
| versions = [ | ||
| SAFETY_1, | ||
| ] | ||
|
|
||
| print_versions_and_diffs(versions) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| main() |
Oops, something went wrong.