Add CVSS-based (v1, v2, v3) decision points as python classes (#343)

* add new json schemas for decision points and dp groups * add ssvc module to represent existing decision points and groups for SSVC v1, v2, v2.1 * add decision point group schema validation test * add doc for csv analyzer * add CVSS v1,2, and 3 decision points and groups * Update Decision_Point.schema.json change ID url to https://github.com/CERTCC/SSVC/tree/main/data/schema/... * Update Decision_Point_Group.schema.json change id url to https://github.com/CERTCC/SSVC/tree/main/data/schema/... * Merge access complexity and attack complexity into a single version tree * Merge access vector and attack vector into a single version tree --------- Co-authored-by: Vijay Sarvepalli <[email protected]>
CERTCC · Nov 7, 2023 · 292a977 · 292a977
1 parent ae71377
commit 292a977
Show file tree

Hide file tree

Showing 25 changed files with 1,771 additions and 1 deletion.
diff --git a/src/ssvc/decision_points/cvss/__init__.py b/src/ssvc/decision_points/cvss/__init__.py
@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+"""
+file: __init__.py
+author: adh
+created_at: 9/20/23 12:39 PM
+"""
+
+
+def main():
+    pass
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/ssvc/decision_points/cvss/attack_complexity.py b/src/ssvc/decision_points/cvss/attack_complexity.py
@@ -0,0 +1,110 @@
+#!/usr/bin/env python
+"""
+Models the CVSS Attack Complexity (formerly known as Access Complexity) metric as an SSVC decision point.
+"""
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points.base import SsvcDecisionPointValue
+from ssvc.decision_points.cvss.base import CvssDecisionPoint
+
+_HIGH_3 = SsvcDecisionPointValue(
+    name="High",
+    key="H",
+    description="A successful attack depends on conditions beyond the attacker's control.",
+)
+
+_LOW_3 = SsvcDecisionPointValue(
+    name="Low",
+    key="L",
+    description="Specialized access conditions or extenuating circumstances do not exist. An attacker can expect "
+    "repeatable success against the vulnerable component.",
+)
+
+
+_HIGH_2 = SsvcDecisionPointValue(
+    name="High", key="H", description="Specialized access conditions exist."
+)
+_MEDIUM = SsvcDecisionPointValue(
+    name="Medium",
+    key="M",
+    description="The access conditions are somewhat specialized.",
+)
+_LOW_2 = SsvcDecisionPointValue(
+    name="Low",
+    key="L",
+    description="Specialized access conditions or extenuating circumstances do not exist.",
+)
+_HIGH = SsvcDecisionPointValue(
+    name="High",
+    key="H",
+    description="Specialized access conditions exist; for example: the system is exploitable during specific windows "
+    "of time (a race condition), the system is exploitable under specific circumstances (nondefault "
+    "configurations), or the system is exploitable with victim interaction (vulnerability exploitable "
+    "only if user opens e-mail)",
+)
+_LOW = SsvcDecisionPointValue(
+    name="Low",
+    key="L",
+    description="Specialized access conditions or extenuating circumstances do not exist; the system is always "
+    "exploitable.",
+)
+ACCESS_COMPLEXITY_1 = CvssDecisionPoint(
+    name="Access Complexity",
+    description="This metric measures the complexity of the attack required to exploit the vulnerability once an "
+    "attacker has gained access to the target system.",
+    key="AC",
+    version="1.0.0",
+    values=(
+        _LOW,
+        _HIGH,
+    ),
+)
+
+ACCESS_COMPLEXITY_2 = CvssDecisionPoint(
+    name="Access Complexity",
+    description="This metric measures the complexity of the attack required to exploit the vulnerability once an "
+    "attacker has gained access to the target system.",
+    key="AC",
+    version="2.0.0",
+    values=(
+        _LOW_2,
+        _MEDIUM,
+        _HIGH_2,
+    ),
+)
+
+ATTACK_COMPLEXITY_3 = CvssDecisionPoint(
+    name="Attack Complexity",
+    description="This metric describes the conditions beyond the attacker's control that must exist in order to "
+    "exploit the vulnerability.",
+    key="AC",
+    version="3.0.0",
+    values=(
+        _LOW_3,
+        _HIGH_3,
+    ),
+)
+"""
+Defines LOW and HIGH values for CVSS Attack Complexity.
+"""
+
+
+def main():
+    print(ACCESS_COMPLEXITY_1.to_json(indent=2))
+    print(ACCESS_COMPLEXITY_2.to_json(indent=2))
+    print(ATTACK_COMPLEXITY_3.to_json(indent=2))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py
@@ -0,0 +1,152 @@
+#!/usr/bin/env python
+"""
+Models the CVSS Attack Vector (formerly known as Access Vector) metric as an SSVC decision point.
+"""
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points.base import SsvcDecisionPointValue
+from ssvc.decision_points.cvss.base import CvssDecisionPoint
+
+_REMOTE = SsvcDecisionPointValue(
+    name="Remote",
+    key="R",
+    description="The vulnerability is exploitable remotely.",
+)
+
+_LOCAL = SsvcDecisionPointValue(
+    name="Local",
+    key="L",
+    description="The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated "
+    "login to the target system)",
+)
+
+ACCESS_VECTOR_1 = CvssDecisionPoint(
+    name="Access Vector",
+    description="This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+    key="AV",
+    version="1.0.0",
+    values=(
+        _LOCAL,
+        _REMOTE,
+    ),
+)
+"""
+Defines LOCAL and REMOTE values for CVSS Access Vector.
+"""
+
+_NETWORK = SsvcDecisionPointValue(
+    name="Network",
+    key="N",
+    description="A vulnerability exploitable with network access means the vulnerable software is bound to the "
+    "network stack and the attacker does not require local network access or local access. Such a "
+    "vulnerability is often termed 'remotely exploitable'. An example of a network attack is an RPC "
+    "buffer overflow.",
+)
+
+_ADJACENT = SsvcDecisionPointValue(
+    name="Adjacent Network",
+    key="A",
+    description="A vulnerability exploitable with adjacent network access requires the attacker to have access to "
+    "either the broadcast or collision domain of the vulnerable software.  Examples of local networks "
+    "include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment.",
+)
+
+_LOCAL_2 = SsvcDecisionPointValue(
+    name="Local",
+    key="L",
+    description="A vulnerability exploitable with only local access requires the attacker to have either physical "
+    "access to the vulnerable system or a local (shell) account. Examples of locally exploitable "
+    "vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege "
+    "escalations (e.g., sudo).",
+)
+
+
+ACCESS_VECTOR_2 = CvssDecisionPoint(
+    name="Access Vector",
+    description="This metric reflects the context by which vulnerability exploitation is possible.",
+    key="AV",
+    version="2.0.0",
+    values=(
+        _LOCAL_2,
+        _ADJACENT,
+        _NETWORK,
+    ),
+)
+"""
+Updates LOCAL definition for CVSS Access Vector. Adds ADJACENT and NETWORK values. Removes REMOTE value.
+"""
+
+
+_NETWORK_2 = SsvcDecisionPointValue(
+    name="Network",
+    key="N",
+    description="A vulnerability exploitable with network access means the vulnerable component is bound to the "
+    "network stack and the attacker's path is through OSI layer 3 (the network layer). Such a "
+    "vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being "
+    "exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).",
+)
+
+_ADJACENT_2 = SsvcDecisionPointValue(
+    name="Adjacent",
+    key="A",
+    description="A vulnerability exploitable with adjacent network access means the vulnerable component is bound to "
+    "the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, "
+    "IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer "
+    "3 boundary (e.g. a router).",
+)
+
+_LOCAL_3 = SsvcDecisionPointValue(
+    name="Local",
+    key="L",
+    description="A vulnerability exploitable with Local access means that the vulnerable component is not bound to "
+    "the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, "
+    "the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely "
+    "on User Interaction to execute a malicious file.",
+)
+
+_PHYSICAL_2 = SsvcDecisionPointValue(
+    name="Physical",
+    key="P",
+    description="A vulnerability exploitable with Physical access requires the attacker to physically touch or "
+    "manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) "
+    "or persistent. An example of such an attack is a cold boot attack which allows an attacker to access "
+    "to disk encryption keys after gaining physical access to the system, or peripheral attacks such as "
+    "Firewire/USB Direct Memory Access attacks.",
+)
+
+ATTACK_VECTOR_3 = CvssDecisionPoint(
+    name="Attack Vector",
+    description="This metric reflects the context by which vulnerability exploitation is possible. ",
+    key="AV",
+    version="3.0.0",
+    values=(
+        _PHYSICAL_2,
+        _LOCAL_3,
+        _ADJACENT_2,
+        _NETWORK_2,
+    ),
+)
+"""
+Defines PHYSICAL, LOCAL, ADJACENT, and NETWORK values for CVSS Attack Vector.
+"""
+
+
+def main():
+    print(ACCESS_VECTOR_1.to_json(indent=2))
+    print(ACCESS_VECTOR_2.to_json(indent=2))
+    print(ATTACK_VECTOR_3.to_json(indent=2))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/ssvc/decision_points/cvss/authentication.py b/src/ssvc/decision_points/cvss/authentication.py
@@ -0,0 +1,75 @@
+#!/usr/bin/env python
+"""
+Models the CVSS Authentication metric as an SSVC decision point.
+"""
+
+from ssvc.decision_points.base import SsvcDecisionPointValue
+from ssvc.decision_points.cvss.base import CvssDecisionPoint
+
+_AUTH_NONE = SsvcDecisionPointValue(
+    name="None",
+    key="N",
+    description="Authentication is not required to exploit the vulnerability.",
+)
+
+_SINGLE = SsvcDecisionPointValue(
+    name="Single",
+    key="S",
+    description="The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).",
+)
+
+_MULTIPLE = SsvcDecisionPointValue(
+    name="Multiple",
+    key="M",
+    description="Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time.",
+)
+
+_REQUIRED = SsvcDecisionPointValue(
+    name="Required",
+    key="R",
+    description="Authentication is required to access and exploit the vulnerability.",
+)
+
+_NOT_REQUIRED = SsvcDecisionPointValue(
+    name="Not Required",
+    key="N",
+    description="Authentication is not required to access or exploit the vulnerability.",
+)
+
+AUTHENTICATION_1 = CvssDecisionPoint(
+    name="Authentication",
+    description="This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
+    key="Au",
+    version="1.0.0",
+    values=(
+        _NOT_REQUIRED,
+        _REQUIRED,
+    ),
+)
+"""
+Includes NOT_REQUIRED and REQUIRED values for CVSS Authentication.
+"""
+
+AUTHENTICATION_2 = CvssDecisionPoint(
+    name="Authentication",
+    description="This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur.  The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
+    key="Au",
+    version="2.0.0",
+    values=(
+        _MULTIPLE,
+        _SINGLE,
+        _AUTH_NONE,
+    ),
+)
+"""
+Includes MULTIPLE, SINGLE, and AUTH_NONE values for CVSS Authentication.
+"""
+
+
+def main():
+    print(AUTHENTICATION_1.to_json(indent=2))
+    print(AUTHENTICATION_2.to_json(indent=2))
+
+
+if __name__ == "__main__":
+    main()