From b1680b4014acd9bef4d9087f6c6a27b50f7079b7 Mon Sep 17 00:00:00 2001 From: Laurie Tyzenhaus <33037086+laurie-tyz@users.noreply.github.com> Date: Thu, 10 Dec 2020 11:15:20 -0500 Subject: [PATCH 1/3] Update 040_treesForVulMgmt.md Issue #84 define the VRDA acronym --- doc/version_1/040_treesForVulMgmt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/version_1/040_treesForVulMgmt.md b/doc/version_1/040_treesForVulMgmt.md index 21ded07a..ce7e527c 100644 --- a/doc/version_1/040_treesForVulMgmt.md +++ b/doc/version_1/040_treesForVulMgmt.md 
@@ -60,7 +60,7 @@ Table 3: Proposed Meaning for Deployer Priority Outcomes | Immediate | Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations. | ### Coordinating Patches -In coordinated vulnerability disclosure (CVD), the available decision is whether or not to coordinate a vulnerability report. VRDA provides a starting point for a decision tree for this situation.23 VRDA is likely adequate for national-level CSIRTs that do general CVD, but other CSIRT types may have different needs. Future work may elicit those types and make a few different decision options. Specialized coordination organizations exist (e.g., ICS-CERT, which conducts CVD for safety-critical systems). We have not developed a coordination tree in this work, but future work could use our principles and design techniques to refine and evaluate VRDA or some other decision tree for coordinated vulnerability disclosure. The CERT guide to CVD provides something similar for those deciding how to report and disclose vulnerabilities they have discovered [@householder2020cvd, section 6.10]. +In coordinated vulnerability disclosure (CVD), the available decision is whether or not to coordinate a vulnerability report. Vulnerability Response Decision Assistance (VRDA) provides a starting point for a decision tree for this situation.23 VRDA is likely adequate for national-level CSIRTs that do general CVD, but other CSIRT types may have different needs. Future work may elicit those types and make a few different decision options. Specialized coordination organizations exist (e.g., ICS-CERT, which conducts CVD for safety-critical systems). We have not developed a coordination tree in this work, but future work could use our principles and design techniques to refine and evaluate VRDA or some other decision tree for coordinated vulnerability disclosure. 
The CERT guide to CVD provides something similar for those deciding how to report and disclose vulnerabilities they have discovered [@householder2020cvd, section 6.10]. Within each setting, the decisions are a kind of equivalence class for priority. That is, if an organization must deploy patches for three vulnerabilities, and if these vulnerabilities are all assigned the *scheduled* priority, then the organization can decide which to deploy first. The priority is equivalent. This approach may feel uncomfortable since CVSS gives the appearance of a finer grained priority. CVSS appears to say, “Not just 4.0 to 6.9 is ‘medium’ severity, but 4.6 is more severe than 4.5.” However, as discussed previously (see page 4), CVSS is designed to be accurate only within +/- 0.5, and, in practice, is scored with errors of around +/- 1.5 to 2.5 [@allodi2018effect, see Figure 1]. An error of this magnitude is enough to make all of the “normal” range from 4.0 to 6.9 equivalent, because 5.5 +/- 1.5 is the range 4.0 to 7.0. Our proposal is an improvement over this approach. CVSS errors often cross decision boundaries; in other words, the error range often includes the transition between “high” and “critical” or “medium.” Since our approach keeps the decisions qualitatively defined, this fuzziness does not affect the results. From 6ee7b16fdbea80ec1930609eea27f218434245de Mon Sep 17 00:00:00 2001 
From: "Vijay Sarvepalli (SEI)" Date: Thu, 10 Dec 2020 15:17:07 -0500 Subject: [PATCH 2/3] Schemas updated and merged adh suggestions excep vector representation #88 --- ...puted+Provision-VU#290915_Coordinator.json | 375 ++++++++++++++++++ .../Computed-VU#290915_Coordinator.json | 24 ++ .../Provision-v2-CISA-Coordination.json | 351 ++++++++++++++++ data/computed/README.MD | 10 + data/schema/README.MD | 10 + data/schema/SSVC_Computed_v2.schema.json | 49 +++ data/schema/SSVC_Provision_v2.schema.json | 119 ++++++ ssvc-calc/SSVC_JSON_2.0_min.schema.json | 128 +----- ssvc-calc/css.css | 5 + ssvc-calc/index.html | 22 +- ssvc-calc/ssvc.js | 177 ++++++--- 11 files changed, 1086 insertions(+), 184 deletions(-) create mode 100644 data/computed/Computed+Provision-VU#290915_Coordinator.json create mode 100644 data/computed/Computed-VU#290915_Coordinator.json create mode 100644 data/computed/Provision-v2-CISA-Coordination.json create mode 100644 data/computed/README.MD create mode 100644 data/schema/README.MD create mode 100644 data/schema/SSVC_Computed_v2.schema.json create mode 100644 data/schema/SSVC_Provision_v2.schema.json diff --git a/data/computed/Computed+Provision-VU#290915_Coordinator.json b/data/computed/Computed+Provision-VU#290915_Coordinator.json new file mode 100644 index 00000000..f31b9e16 --- /dev/null +++ b/data/computed/Computed+Provision-VU#290915_Coordinator.json 
@@ -0,0 +1,375 @@ +{ + "timestamp": "2020-12-10T18:58:04.153Z", + "role": "Coordinator", + "id": "VU#290915", + "version": "2.0", + "computed": "SSVCv2/E:P/V:R/T:P/M:H/D:A/1607626684/", + "choices": [ + { + "Exploitation": "poc" + }, + { + "Virulence": "rapid" + }, + { + "Technical Impact": "partial" + }, + { + "Mission & Well-being": "high" + }, + { + "Decision": "Attend" + } + ], + "decision_tree": { + "decision_points": [ + { + "label": "Exploitation", + "decision_type": "simple", + "choices": [ + { + "label": "none", + "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "label": "poc", + "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks." + }, + { + "label": "active", + "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + { + "label": "Virulence", + "decision_type": "simple", + "choices": [ + { + "label": "slow", + "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. 
Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool." + }, + { + "label": "rapid", + "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid." + } + ] + }, + { + "label": "Technical Impact", + "decision_type": "simple", + "choices": [ + { + "label": "partial", + "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component." + }, + { + "label": "total", + "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." 
+ } + ] + }, + { + "label": "Mission & Well-being", + "decision_type": "simple", + "choices": [ + { + "label": "low", + "description": "Mission Prevelance is Low and Public well-being impact is Minimal" + }, + { + "label": "medium", + "description": "Mission Prevelance is Medium and Public well-being impact is in Material" + }, + { + "label": "high", + "description": "Mission Prevelance is Essential and Public well-being impact is Irreversible" + } + ] + }, + { + "label": "Decision", + "decision_type": "final", + "choices": [ + { + "label": "Track", + "description": "The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.", + "color": "#28a745" + }, + { + "label": "Track*", + "description": "Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.", + "color": "#ffc107" + }, + { + "label": "Attend", + "description": "The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.", + "color": "#EE8733" + }, + { + "label": "Act", + "description": "The vulnerability requires immediate action by the relevant leadership. 
The action is a high-priority meeting among the relevant supervisors to decide how to respond.", + "color": "#dc3545" + } + ] + } + ], + "decisions_table": [ + { + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "low", + "Decision": "Track" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track*", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "slow", + 
"Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": 
"Attend", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "high" + } + ], + "lang": "en", + "version": "2.0", + "title": "SSVC Provision table" + } +} diff --git a/data/computed/Computed-VU#290915_Coordinator.json b/data/computed/Computed-VU#290915_Coordinator.json new file mode 100644 index 00000000..b37cb2a2 --- /dev/null +++ b/data/computed/Computed-VU#290915_Coordinator.json 
@@ -0,0 +1,24 @@ +{ + "timestamp": "2020-12-10T18:57:45.961Z", + "role": "Coordinator", + "id": "VU#290915", + "version": "2.0", + "computed": "SSVCv2/E:P/V:R/T:P/M:H/D:A/1607626665/", + "choices": [ + { + "Exploitation": "poc" + }, + { + "Virulence": "rapid" + }, + { + "Technical Impact": "partial" + }, + { + "Mission & Well-being": "high" + }, + { + "Decision": "Attend" + } + ] +} diff --git a/data/computed/Provision-v2-CISA-Coordination.json b/data/computed/Provision-v2-CISA-Coordination.json new file mode 100644 index 00000000..44bf4ef6 --- /dev/null +++ b/data/computed/Provision-v2-CISA-Coordination.json 
@@ -0,0 +1,351 @@ +{ + "decision_points": [ + { + "label": "Exploitation", + "decision_type": "simple", + "choices": [ + { + "label": "none", + "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "label": "poc", + "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks." + }, + { + "label": "active", + "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + { + "label": "Virulence", + "decision_type": "simple", + "choices": [ + { + "label": "slow", + "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool." + }, + { + "label": "rapid", + "description": "Steps 1-4 of the of the kill chain can be reliably automated. 
If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid." + } + ] + }, + { + "label": "Technical Impact", + "decision_type": "simple", + "choices": [ + { + "label": "partial", + "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component." + }, + { + "label": "total", + "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + ] + }, + { + "label": "Mission & Well-being", + "decision_type": "simple", + "choices": [ + { + "label": "low", + "description": "Mission Prevelance is Low and Public well-being impact is Minimal" + }, + { + "label": "medium", + "description": "Mission Prevelance is Medium and Public well-being impact is in Material" + }, + { + "label": "high", + "description": "Mission Prevelance is Essential and Public well-being impact is Irreversible" + } + ] + }, + { + "label": "Decision", + "decision_type": "final", + "choices": [ + { + "label": "Track", + "description": "The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.", + "color": "#28a745" + }, + { + "label": "Track*", + "description": "Track these closely, especially if mitigation is unavailable or difficult. 
Recommended that analyst discuss with other ana-lysts and get a second opinion.", + "color": "#ffc107" + }, + { + "label": "Attend", + "description": "The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.", + "color": "#EE8733" + }, + { + "label": "Act", + "description": "The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond.", + "color": "#dc3545" + } + ] + } + ], + "decisions_table": [ + { + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "low", + "Decision": "Track" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track*", + "Exploitation": "none", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", 
+ "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "none", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & 
Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "slow", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Virulence": "rapid", + "Technical Impact": "total", + "Mission & Well-being": "high" + } + ], + "lang": "en", + "version": "2.0", + 
"title": "SSVC Provision table" +} diff --git a/data/computed/README.MD b/data/computed/README.MD new file mode 100644 index 00000000..475cea48 --- /dev/null +++ b/data/computed/README.MD @@ -0,0 +1,10 @@ +# Sample JSON files + + +There are there sample JSON files that provide examples of the current [JSON schema](../schema/). +The JSON files here are +1. Full Decision tree used for making an SSVC based decision. +2. Computed SSVC score of a vulnerability at a point of time. +3. Computed SSVC score with the full decision tree embedded. + + diff --git a/data/schema/README.MD b/data/schema/README.MD new file mode 100644 index 00000000..75c80654 --- /dev/null +++ b/data/schema/README.MD @@ -0,0 +1,10 @@ +# SSVC decision tree schemas + +Two JSON schema files are embedded here that provide schema information for + +1. Full Decision tree schema for represeting an SSVC decision tree for a Role +2. Computed SSVC score schema of a vulnerability at a point of time, optionally includes the tree used in making the decision. + + + + diff --git a/data/schema/SSVC_Computed_v2.schema.json b/data/schema/SSVC_Computed_v2.schema.json new file mode 100644 index 00000000..2709ea3d --- /dev/null +++ b/data/schema/SSVC_Computed_v2.schema.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "$id": "https://democert.org/ssvc/SVC_Computed_v2.schema.json", + "title": "Computed SSVC score representing the path in the decision tree", + "description": "This schema represents the full path in the decision tree taken by an analyst with a specific role. The representation of the full decision tree is optional", + "type": "object", + "properties": { + "choices": { + "type": "array", + "items": { + "type": "object", + "items": { + "type": "string" + } + }, + "minItems": 1, + "uniqueItems": true + }, + "computed": { + "description": "Computed score short representation such as SSVCv2/Ps:Nm/T:T/U:E/1605040000/ for a vulnerability with no or minor Public Safety Impact, total Technical Impact, and efficient Utility, which was evaluated on Nov 10, 2020.", + "type": "string" + }, + "timestamp" : { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "role": { + "type": "string", + "description": "Roles are defined in SSVC spec and optional in SSVC provision schema" + }, + "version": { + "type": "string", + "description":"Version of the SSVC that was used in this decision" + }, + "decision_tree": { + "description": "The full decision tree that was used for this SSVC computed score", + "$ref": "https://democert.org/ssvc/SSVC_Provision_v2.schema.json" + } + }, + "required": [ + "choices", + "computed", + "timestamp", + "role", + "id", + "version" + ] +} diff --git a/data/schema/SSVC_Provision_v2.schema.json b/data/schema/SSVC_Provision_v2.schema.json new file mode 100644 index 00000000..caad4cb1 --- /dev/null +++ b/data/schema/SSVC_Provision_v2.schema.json 
@@ -0,0 +1,119 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "$id": "https://democert.org/ssvc/SSVC_Provision_v2.schema.json", + "title": "Decision tree schema definition for SSVC v2", + "description": "This provides a schema for a decision tree used to compute SSVC score for a vulnerability", + "definitions": { + "color_regex": { + "pattern": "^(#(?:[0-9a-f]{2}){2,4}$|(#[0-9a-f]{3}$)|(rgb|hsl)a?\\((-?\\d+%?[,\\s]+){2,3}\\s*[\\d\\.]+%?\\)$|black$|silver$|gray$|whitesmoke$|maroon$|red$|purple$|fuchsia$|green$|lime$|olivedrab$|yellow$|navy$|blue$|teal$|aquamarine$|orange$|aliceblue$|antiquewhite$|aqua$|azure$|beige$|bisque$|blanchedalmond$|blueviolet$|brown$|burlywood$|cadetblue$|chartreuse$|chocolate$|coral$|cornflowerblue$|cornsilk$|crimson$|currentcolor$|darkblue$|darkcyan$|darkgoldenrod$|darkgray$|darkgreen$|darkgrey$|darkkhaki$|darkmagenta$|darkolivegreen$|darkorange$|darkorchid$|darkred$|darksalmon$|darkseagreen$|darkslateblue$|darkslategray$|darkslategrey$|darkturquoise$|darkviolet$|deeppink$|deepskyblue$|dimgray$|dimgrey$|dodgerblue$|firebrick$|floralwhite$|forestgreen$|gainsboro$|ghostwhite$|goldenrod$|gold$|greenyellow$|grey$|honeydew$|hotpink$|indianred$|indigo$|ivory$|khaki$|lavenderblush$|lavender$|lawngreen$|lemonchiffon$|lightblue$|lightcoral$|lightcyan$|lightgoldenrodyellow$|lightgray$|lightgreen$|lightgrey$|lightpink$|lightsalmon$|lightseagreen$|lightskyblue$|lightslategray$|lightslategrey$|lightsteelblue$|lightyellow$|limegreen$|linen$|mediumaquamarine$|mediumblue$|mediumorchid$|mediumpurple$|mediumseagreen$|mediumslateblue$|mediumspringgreen$|mediumturquoise$|mediumvioletred$|midnightblue$|mintcream$|mistyrose$|moccasin$|navajowhite$|oldlace$|olive$|orangered$|orchid$|palegoldenrod$|palegreen$|paleturquoise$|palevioletred$|papayawhip$|peachpuff$|peru$|pink$|plum$|powderblue$|rosybrown$|royalblue$|saddlebrown$|salmon$|sandybrown$|seagreen$|seashell$|sienna$|skyblue$|slateblue$|slategray$|slategrey$|snow$|springgreen$|steelblue$|tan$
|thistle$|tomato$|transparent$|turquoise$|violet$|wheat$|white$|yellowgreen$|rebeccapurple$)$", + "type": "string" + } + }, + "type": "object", + "properties": { + "decision_points": { + "decisions_table": { + "items": { + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "items": { + "anyOf": [ + { + "required": [ + "decision_type", + "label", + "children" + ] + }, + { + "required": [ + "decision_type", + "label", + "choices" + ] + } + ], + "properties": { + "children": { + "items": { + "maxLength": 255, + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "choices": { + "items": { + "properties": { + "description": { + "maxLength": 65535, + "type": "string" + }, + "label": { + "maxLength": 255, + "type": "string" + } + }, + "required": [ + "label", + "description" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "decision_type": { + "enum": [ + "child", + "complex", + "simple", + "final" + ], + "description": "Decision Type is used to identify if this is a \"simple\" decision or a \"complex\" decision. The \"complex\" decisions can have \"child\" decisions under them. The \"final\" decision basically is the last node on the decision tree" + }, + "label": { + "maxLength": 255, + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "lang": { + "maxLength": 7, + "type": "string" + }, + "roles": { + "description": "Roles as described in SSVC as distinct array elements", + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1, + "uniqueItems": true + }, + "title": { + "maxLength": 255, + "type": "string" + }, + "version": { + "enum": [ + "1.0", + "2.0" + ] + } + }, + "required": [ + "lang", + "version", + "decision_points", + "decisions_table" + ] +} + diff --git a/ssvc-calc/SSVC_JSON_2.0_min.schema.json b/ssvc-calc/SSVC_JSON_2.0_min.schema.json index e403228a..ade7c119 100644 --- a/ssvc-calc/SSVC_JSON_2.0_min.schema.json 
+++ b/ssvc-calc/SSVC_JSON_2.0_min.schema.json 
@@ -1,129 +1,3 @@ { - "$schema": "http://json-schema.org/draft-04/schema#", - "definitions": { - "color_regex": { - "pattern": "^(#(?:[0-9a-f]{2}){2,4}$|(#[0-9a-f]{3}$)|(rgb|hsl)a?\\((-?\\d+%?[,\\s]+){2,3}\\s*[\\d\\.]+%?\\)$|black$|silver$|gray$|whitesmoke$|maroon$|red$|purple$|fuchsia$|green$|lime$|olivedrab$|yellow$|navy$|blue$|teal$|aquamarine$|orange$|aliceblue$|antiquewhite$|aqua$|azure$|beige$|bisque$|blanchedalmond$|blueviolet$|brown$|burlywood$|cadetblue$|chartreuse$|chocolate$|coral$|cornflowerblue$|cornsilk$|crimson$|currentcolor$|darkblue$|darkcyan$|darkgoldenrod$|darkgray$|darkgreen$|darkgrey$|darkkhaki$|darkmagenta$|darkolivegreen$|darkorange$|darkorchid$|darkred$|darksalmon$|darkseagreen$|darkslateblue$|darkslategray$|darkslategrey$|darkturquoise$|darkviolet$|deeppink$|deepskyblue$|dimgray$|dimgrey$|dodgerblue$|firebrick$|floralwhite$|forestgreen$|gainsboro$|ghostwhite$|goldenrod$|gold$|greenyellow$|grey$|honeydew$|hotpink$|indianred$|indigo$|ivory$|khaki$|lavenderblush$|lavender$|lawngreen$|lemonchiffon$|lightblue$|lightcoral$|lightcyan$|lightgoldenrodyellow$|lightgray$|lightgreen$|lightgrey$|lightpink$|lightsalmon$|lightseagreen$|lightskyblue$|lightslategray$|lightslategrey$|lightsteelblue$|lightyellow$|limegreen$|linen$|mediumaquamarine$|mediumblue$|mediumorchid$|mediumpurple$|mediumseagreen$|mediumslateblue$|mediumspringgreen$|mediumturquoise$|mediumvioletred$|midnightblue$|mintcream$|mistyrose$|moccasin$|navajowhite$|oldlace$|olive$|orangered$|orchid$|palegoldenrod$|palegreen$|paleturquoise$|palevioletred$|papayawhip$|peachpuff$|peru$|pink$|plum$|powderblue$|rosybrown$|royalblue$|saddlebrown$|salmon$|sandybrown$|seagreen$|seashell$|sienna$|skyblue$|slateblue$|slategray$|slategrey$|snow$|springgreen$|steelblue$|tan$|thistle$|tomato$|transparent$|turquoise$|violet$|wheat$|white$|yellowgreen$|rebeccapurple$)$", - "type": "string" - } - }, - "properties": { - "decision_points": { - "decisions": { - "items": { - "properties": { - "color": { - "$ref": 
"#/definitions/color_regex" - }, - "description": { - "maxLength": 65535, - "type": "string" - }, - "label": { - "maxLength": 255, - "type": "string" - } - }, - "required": [ - "label", - "description" - ], - "type": "object" - }, - "minItems": 1, - "type": "array" - }, - "decisions_table": { - "items": { - "type": "object" - }, - "minItems": 1, - "type": "array" - }, - "items": { - "anyOf": [ - { - "required": [ - "decision_type", - "label", - "children" - ] - }, - { - "required": [ - "decision_type", - "label", - "choices" - ] - } - ], - "properties": { - "children": { - "items": { - "maxLength": 255, - "type": "string" - }, - "minItems": 1, - "type": "array" - }, - "choices": { - "items": { - "properties": { - "description": { - "maxLength": 65535, - "type": "string" - }, - "label": { - "maxLength": 255, - "type": "string" - } - }, - "required": [ - "label", - "description" - ], - "type": "object" - }, - "minItems": 1, - "type": "array" - }, - "decision_type": { - "enum": [ - "child", - "complex", - "simple" - ] - }, - "label": { - "maxLength": 255, - "type": "string" - } - }, - "type": "object" - }, - "minItems": 1, - "type": "array" - }, - "lang": { - "maxLength": 7, - "type": "string" - }, - "title": { - "maxLength": 255, - "type": "string" - }, - "version": { - "enum": [ - "1.0", - "2.0" - ] - } - }, - "required": [ - "lang", - "version", - "decision_points", - "decision_table", - "decisions" - ], - "type": "object" + "_comment": "This file is moved to ../data/schema/" } diff --git a/ssvc-calc/css.css b/ssvc-calc/css.css index 8bf4a29c..6948b391 100644 --- a/ssvc-calc/css.css +++ b/ssvc-calc/css.css @@ -10,6 +10,11 @@ #mwb,.tescape { max-width: 450px; } .nomobile { display: none; } } +.decisiontab { + background: #222; + border: 2px solid white; + border-radius: 4px; +} #biscuit { background-color: rgba(2,2,2,0.3); } diff --git a/ssvc-calc/index.html b/ssvc-calc/index.html index 8c0b9c1e..e589be56 100644 --- a/ssvc-calc/index.html +++ b/ssvc-calc/index.html 
@@ -23,7 +23,7 @@ integrity="sha384-N8EP0Yml0jN7e0DcXlZ6rt+iqKU9Ck6f1ZQ+j2puxatnBq4k9E8Q6vqBcY34LNbn" crossorigin="anonymous"> - + CERT LogoMission & Well-Being impact value
-
+
Exploitation choices
None:   There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.
@@ -212,13 +212,13 @@
Exploitation choices

Active:   Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.
-
+
Virulence choices
Slow:   Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool.
Rapid:   Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid.
-
+
Technical Impact
Partial:   The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component.
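Review bot: the text this hunk touches has a duplicated phrase, "Rapid: Steps 1-4 of the of the kill chain can be reliably automated"; since this block of index.html is being edited anyway, drop the repeated "of the".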
@@ -234,7 +234,7 @@
Mission Prevelance choices
Support:   The operation of the vulnerable component merely supports mission essential functions for two or more entities. EssentialThe vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity, and failure may (but need not) lead to overall mission failure.
-
+
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
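Review bot: two typos in the text this hunk touches: the heading "Mission Prevelance choices" should read "Mission Prevalence choices", and the Essential entry runs straight into the previous one ("...for two or more entities. EssentialThe vulnerable component directly provides..."), so it needs the same label/description separator the Support entry has.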
@@ -245,7 +245,7 @@
Vulnerability Scoring Decisions
Act   The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond.
-
+
@@ -390,7 +390,13 @@

Decision Tree Usage:

@@ -400,7 +406,7 @@

Decision Tree Usage:

- + diff --git a/ssvc-calc/ssvc.js b/ssvc-calc/ssvc.js index b2c710ec..5486cef5 100644 --- a/ssvc-calc/ssvc.js +++ b/ssvc-calc/ssvc.js @@ -1,5 +1,5 @@ /* SSVC code for graph building */ -const _version = 2.9 +const _version = 4.1 var showFullTree = false var diagonal,tree,svg,duration,root var treeData = [] @@ -8,8 +8,8 @@ var acolors = ["#28a745","#ffc107","#EE8733","#dc3545","#ff0000","#aa0000","#ff0 var lcolors = {"Track":"#28a745","Track*":"#ffc107","High":"#EE8733","Critical":"#dc3545"} lcolors = {"Track":"#28a745","Track*":"#ffc107","Attend":"#EE8733","Act":"#dc3545"} /* These variables are for decision tree schema JSON aka SSVC Provision Schema */ -var export_schema = {decision_points: [],decision_table: [], decisions: [], - lang: "en", version: "2.0", title: "SSVC Provision table"} +var export_schema = {decision_points: [],decisions_table: [], lang: "en", + version: "2.0", title: "SSVC Provision table"} /* Extend jQuery to support simulate D3 click events */ jQuery.fn.simClick = function () { this.each(function (i, e) { @@ -26,6 +26,7 @@ $(function () { localStorage.setItem("beenhere",1) } load_tsv_score() + export_tree() }) var raw = [ {name:"Exploitation",id:254,children:[],parent:null,props:"{}"}, @@ -139,12 +140,13 @@ function export_show() { $('#graph').append(q) if($('#cve_samples').val().match(/^(cve|vu)/i)) $('.exportId').val($('#cve_samples').val()) - } function export_tree() { - var yhead = [] + /* First column is the decision in this tree */ + var tchoices = [] + var yhead = ["Decision"] var yprops = {} - var allrows = raw.filter(x => { + export_schema.decisions_table = raw.filter(x => { if (x.name.split(":").length > 4) return true else { 
@@ -155,19 +157,37 @@ function export_tree() { } return false } - }).map(x => x.name.split(":").reverse(). - map((y,i) => { - z={} - z[yhead[i] ? yhead[i] : "Decision" ] = y + }).map(x => x.name.split(":"). + reduce((z,y,i) => { + z[yhead[i]] = y + if(!tchoices[i]) { + tchoices[i] = [{label: y, description: y}] + } + else if (!tchoices[i].find(t => t.label == y)) + tchoices[i].push({label: y, description:y}) return z - })) + },{})) + /* Now the decision points should be moved to the end of the array */ + yhead.push(yhead.shift()) + tchoices.push(tchoices.shift()) + export_schema.decision_points = yhead.map((a,i) => { + var ax = {label: a, decision_type: "simple", choices: tchoices[i]} + return ax + }) + //console.log(tchoices) + //export_schema.decisions = tdecisions.map((x,i) => Object.assign(x,{color: acolors[i]})) + /* + export_schema.decisions = Object.keys(tdecisions).map((n,i) => { + return {label: n, description: n, color:acolors[i]}}) + */ + //return allrows; /* "[{"Exploitation":"none"},{"Utility":"partial"}, {"TechnicalImpact":"laborious"},{"SafetyImpact":"none"}, {"Decision":"defer"}]" */ } -function export_vul() { +function export_vul(includetree) { var tstamp = new Date() - var oexport = { timestamp: tstamp.toLocaleString(), + var oexport = { timestamp: tstamp.toISOString(), timestamp_epoch_ms: tstamp.getTime(), role: $('#graph .exportRole').val() || "Unknown", id: $('#graph .exportId').val() || "Unspecified", 
@@ -177,12 +197,29 @@ function export_vul() { var vals = $('#graph svg g.pathlink textPath.chosen').map((i,w) => $(w).html()).toArray() vals.push(labels[labels.length-1]) labels[labels.length-1] = "Decision" - var ochoice = {} - labels.forEach((k, i) => ochoice[k] = vals[i]) + /* SSVCv2/Ps:Nm/T:T/U:E/1605040000/ + For a vulnerability with no or minor Public Safety Impact, + total Technical Impact, and efficient Utility, + which was evaluated on Nov 10, 2020. */ + var computed = "SSVCv2/" + var ochoice = labels.map((k, i) => { + var ox = {} + ox[k] = vals[i] + computed = computed + k[0].toUpperCase()+":"+vals[i][0].toUpperCase()+"/" + return ox + }) + computed = computed + String(parseInt(tstamp.getTime()/1000))+"/" + oexport['computed'] = computed oexport['choices'] = ochoice var a = document.createElement("a") - a.href = "data:text/plain;charset=utf-8,"+encodeURIComponent(JSON.stringify(oexport,null,2)) - a.setAttribute("download", oexport.id+"_"+oexport.role+"_json.txt") + var download_filename = oexport.id+"_"+oexport.role+"_json.txt" + if (includetree) { + oexport['decision_tree'] = export_schema + download_filename = "tree_and_path-"+oexport.id+"_"+oexport.role+"_json.txt" + } + a.href = "data:text/plain;charset=utf-8,"+ + encodeURIComponent(JSON.stringify(oexport,null,2)) + a.setAttribute("download", download_filename) a.click() a.remove() } @@ -205,7 +242,8 @@ function readFile(input) { else tsv_load(reader.result) }catch(err) { - topalert("Reading data in file as text failed, Sorry check format and try again!","danger") + topalert("Reading data in file as text failed, Sorry check format "+ + "and try again!","danger") console.log(err) } }; 
@@ -319,38 +357,41 @@ function parse_json(xraw) { topalert("JSON schema has no decision_points","danger") return } - if(!('decision_table' in tm)) { + if(!('decisions_table' in tm)) { topalert("JSON schema has no decision table, we can't help you with that","danger") return } - if(!('decisions' in tm)) { - topalert("JSON schema has no decisions, we can't help you with that","danger") - return - } - /* Map colors if present */ - tm.decisions.map(d => 'color' in d ? lcolors[d.label] = d.color : d.color = "white") - /* Save JSON for export*/ export_schema = tm /* decisions_points have a label field which we care about with type != child */ var x = tm.decision_points.filter(q => q["decision_type"] != "child").map(r => r.label) //console.log(x) - var y = tm.decision_table + var y = tm.decisions_table //console.log(y) var yraw = [...Array(x.length)].map(u => []) var id = 1 var thash = {} + var decisions = tm.decision_points.filter(x => x.decision_type == "final") + if(decisions.length != 1) { + topalert("JSON schema has no decisions marked as final, this is required!","danger") + return + } + var decision_keyword = decisions[0].label + //console.log(decisions) + //console.log(decision_keyword) for(var i=0; i y[i][t]).join(":") - //console.log(tname) - for( var j=0; j< x.length; j++) { + var tname = y[i][decision_keyword]+":"+x.map(t => y[i][t]).slice(0,-1).join(":") + for( var j=0; j< x.length-1; j++) { //var tparent = x[x.length-2-j]+":"+y[i].slice(0,x.length-2-j).join(":") - var tparent = x[x.length-1-j]+":"+x.slice(0,x.length-1-j).map(q => y[i][q]).join(":") - //console.log(tparent) + var tparent = x[x.length-2-j]+":"+x.slice(0,x.length-2-j).map(q => y[i][q]).join(":") + //var tparent = x[x.length-1-j]+":"+x.slice(0,x.length-1-j).map(q => y[i][q]).join(":") if(!(tname in thash)) var yt = {name:tname.replace(/\:+$/,''),id:id++,parent:tparent.replace(/\:+$/,''),props:"{}",children:[]} else 
@@ -360,22 +401,59 @@ function parse_json(xraw) { yraw[j].push(yt) } } + for(var j=yraw.length; j> -1; j--) { if(yraw.length > 0) zraw = zraw.concat(yraw[j]) } - /* Next part of the tree data */ + /* Top or the first part of the tree data */ zraw[0] = {name:x[0],id:id+254,children:[],parent:null,props:"{}"} /* yraw[0].push({name:"Exploitation:",id:1024,children:[],parent:null,props:"{}"}) */ raw = zraw topalert("Decision tree has been updated with "+raw.length+" nodes, with "+ y.length+" possible decisions, You can use it now!","success") - dt_clear() - + dt_clear() + /* Create label fields if they exists*/ + tm.decision_points.map(x => { + var choices_html = x.choices.reduce((h,r) => { + var rlabel = r.label[0].toLocaleUpperCase()+r.label.substr(1) + return h + ""+rlabel+" "+r.description+"
" + },"
"+x.label+"
") + var hdiv = safedivname(x.label) + if($("."+hdiv).length != 1) { + $("."+hdiv).remove() + $('body').append($('
').addClass("d-none "+hdiv)) + } + $("."+hdiv).html(choices_html) + }) + var classes = [] + var decision_div = decisions[0].choices.reduce((h,r) => { + classes.push(safedivname(r.label)) + return h + $("
").append($("").addClass("decisiontab"). + css({color:r.color}).html(r.label)) + .append(" "+r.description+"
").html() + },"
"+decision_keyword+"
") + if($("."+classes[0]).length != 1) { + $("."+classes[0]).remove() + $('body').append($('
').addClass("d-none "+classes[0])) + } + //console.log(classes) + //console.log(decision_div) + $("."+classes[0]).addClass(classes.join(" ")).html(decision_div) } + +function safedivname(instr) { + var uri_esc = encodeURIComponent(instr) + var safestr = btoa(uri_esc.replace(/%([0-9A-F]{2})/g, + (m, p) => String.fromCharCode('0x' + p))) + var fstr = "d-"+safestr.replace(/[\+\/\=]/gi,(m,p) => { return m.charCodeAt(0) }) + return fstr.substr(0,14) +} + + function create_export_schema_dtable(yi,x) { - export_schema.decision_table.push(yi.reduce((a,b,c) => { + export_schema.decisions_table.push(yi.reduce((a,b,c) => { /* Add labels that do not exist */ if(export_schema.decision_points[c]['choices'] .filter(d => ('label' in d) && (d.label == b)).length != 1) @@ -384,11 +462,11 @@ function create_export_schema_dtable(yi,x) { return a; },{})) } function parse_file(xraw) { + /* This is really parse csv instead of parse file*/ //var xraw = 'TSV data' var zraw=[] export_schema.decision_points = [] - export_schema.decision_table = [] - export_schema.decisions = [] + export_schema.decisions_table = [] /* CSV or TSV looks like ID,Exploitation,Utility,TechnicalImpact,SafetyImpact,Outcome */ @@ -409,12 +487,14 @@ function parse_file(xraw) { ix.label = dc return ix }) + /* make the last column final decision/outcome/action */ + export_schema.decision_points[export_schema.decision_points.length-1].decision_type="final" /* Initialize Empty arrray */ var yraw = [...Array(x.length)].map(u => []); var id=1; /* This will create just the last branches of the tree */ var thash = {} - for(var i=0; i< y.length; i++) { + for(var i=0; i< y.length - 1; i++) { if(y[i].length < 1) continue /* Remove ID column */ y[i].shift() 
@@ -452,12 +532,9 @@ function parse_file(xraw) { topalert("Decision tree has been updated with "+raw.length+" nodes, with "+ y.length+" possible decisions, You can use it now!","success") dt_clear() - var edp = export_schema.decision_points - export_schema.decisions = edp[edp.length-1]['choices'].map( - (echoice,i) => { - lcolors[echoice.label] = acolors[i]; - return Object.assign(echoice,{color:acolors[i]}) - }) + export_schema.decision_points[export_schema.decision_points.length-1]. + choices.map((x,i) => lcolors[x.label] = acolors[i]) + } function add_invalid_feedback(xel,msg) { @@ -763,12 +840,14 @@ function showdiv(d) { name = $(this).find("text").text() else name = $(this).parent().find("text").text() - name=name.replace(/\W/g,'_') + //name=name.replace(/\W/g,'_') //console.log(name) //console.log(vul_data) var addons = '' - if($('.'+name).length == 1) { - $('#mpopup').html($('.'+name).html()) + var safename = safedivname(name) + //console.log(name,safename) + if($('.'+safename).length == 1) { + $('#mpopup').html($('.'+safename).html()) $('#mpopup').css({left:(iconPos.right + 10) + "px", top:(window.scrollY + iconPos.top - 20) + "px", display:"block"}) From 627a861cb692fd44f88458a232ac2add6d312106 Mon Sep 17 00:00:00 2001 From: Laurie Tyzenhaus <33037086+laurie-tyz@users.noreply.github.com> Date: Mon, 14 Dec 2020 14:21:24 -0500 Subject: [PATCH 3/3] Update 047_treesForVulMgmt_4.md --- doc/version_1/047_treesForVulMgmt_4.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/version_1/047_treesForVulMgmt_4.md b/doc/version_1/047_treesForVulMgmt_4.md index 6e90b127..46fb87c3 100644 --- a/doc/version_1/047_treesForVulMgmt_4.md +++ b/doc/version_1/047_treesForVulMgmt_4.md 
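Review bot: in the new schema hunk (@@ -0,0 +1,119 @@), `decisions_table` is declared inside the `decision_points` subschema, between its `items` and `minItems` keywords, rather than under the top-level `properties`, so the top-level `"required": ["lang", "version", "decision_points", "decisions_table"]` names a property the schema never describes and the table rows of a loaded tree are never validated. Move `decisions_table` up one level as a sibling of `decision_points`. Two smaller points: `definitions.color_regex` is kept but no `$ref` uses it any more (the old `decisions[].color` property is gone and `choices` items declare only `label` and `description`, yet parse_json still reads `r.color`), so either add a `color` property to the choice schema with that `$ref` or delete the definition; and `$id` is a draft-06 and later keyword, while `$schema` names draft-04, whose keyword is `id`.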
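Review bot: replacing the body of ssvc-calc/SSVC_JSON_2.0_min.schema.json with `{ "_comment": "This file is moved to ../data/schema/" }` (@@ -1,129 +1,3 @@) leaves a file at the old path that is still a syntactically valid JSON Schema, and a schema with no constraints accepts every document, so any validator still pointed at this path will silently pass anything. Delete the file (git mv to the new location) and fix the references instead of leaving a stub.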
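Review bot: in the export_tree hunk (@@ -155,19 +157,37 @@) the old code wrote `z[yhead[i] ? yhead[i] : "Decision" ] = y` but the new reduce writes `z[yhead[i]] = y`, so any node name with more `:` segments than `yhead` has entries produces a row keyed `"undefined"`, and `tchoices[i]` at that index is filled with the same orphan values. Keep a guard (skip the segment or report it when `yhead[i]` is undefined). Also remove the commented-out alternatives (`//export_schema.decisions = ...`, the `/* ... */` block and `//return allrows;`) rather than leaving them in.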
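Review bot: in the export_vul hunk (@@ -177,12 +197,29 @@) the vector string is built from the first character of each label and value, `computed = computed + k[0].toUpperCase()+":"+vals[i][0].toUpperCase()+"/"`, which is lossy: the outcomes `Track` and `Track*` both become `T:T`, and the comment right above documents two-letter keys (`SSVCv2/Ps:Nm/T:T/U:E/1605040000/`) that this code never produces. Use a fixed abbreviation table per decision point and value instead of the first character, and guard `vals[i][0]`, since `vals` comes from the chosen `textPath` elements and a missing value throws a TypeError here. Note too that `choices` changes shape from one object keyed by label to an array of single-key objects, a breaking change for anything consuming the exported JSON; document it or keep the old shape.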
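Review bot: the first parse_json hunk (@@ -319,38 +357,41 @@) removes `tm.decisions.map(d => 'color' in d ? lcolors[d.label] = d.color : d.color = "white")` and adds nothing that updates `lcolors`, while parse_file (@@ -452) still fills `lcolors` from `acolors`, so a tree loaded from JSON whose final decision labels differ from the built-in Track/Track*/Attend/Act gets no colour mapping. Derive `lcolors` from the `final` decision point's choices here the same way parse_file does.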
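Review bot: in the second parse_json hunk (@@ -360,22 +401,59 @@) the popup HTML is assembled by string concatenation from fields of the loaded JSON, `return h + ""+rlabel+" "+r.description+"` and `.html(r.label)`, and then injected with `.html(...)`, so a crafted decision-tree file can put arbitrary markup into the page (DOM XSS in a tool whose purpose is loading third-party trees). Build these elements with `.text()` or `document.createTextNode`, or escape `label` and `description` before concatenation; the same applies to `r.color` passed to `css({color:r.color})` now that the schema no longer validates it against `color_regex`. Separately, safedivname truncates to `fstr.substr(0,14)`, that is `d-` plus 12 base64 characters, which encode only the first 9 bytes of the label, so two labels sharing a 9-byte prefix get the same class and the `$("."+hdiv).length != 1` checks here and the lookup in showdiv pick up the wrong div; use the full encoding or a hash.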
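Review bot: in the parse_file hunk (@@ -409,12 +487,14 @@) the loop bound changes from `i< y.length` to `i< y.length - 1`, which skips the last row of the CSV/TSV unconditionally; if that was meant to drop a trailing empty line, the existing `if(y[i].length < 1) continue` already handles it, and a file without a trailing newline now loses its last real decision row silently. Restore the full bound.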
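Review bot: in the parse_file hunk (@@ -452,12 +532,9 @@) the removed code stored each outcome colour on the exported schema (`return Object.assign(echoice,{color:acolors[i]})`), while the new `choices.map((x,i) => lcolors[x.label] = acolors[i])` only updates the in-memory `lcolors`, so colours no longer round-trip through export and import. Also `map` is used purely for its side effect; use `forEach`, and note that `acolors` is a fixed list, so outcomes beyond its length get `undefined`.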
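Review bot: in the showdiv hunk (@@ -763,12 +840,14 @@) the old `name=name.replace(/\W/g,'_')` is commented out rather than deleted, next to a stray `//console.log(name,safename)`; remove both, and add a short comment that this lookup must use the same safedivname as the div-building code in parse_json, since the two now only agree by convention.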
@@ -71,7 +71,7 @@ Once the decision points are selected and the prioritization labels agreed upon, Making the decision process accessible has a lot of benefits. Unfortunately, it also makes it a bit too easy to overcomplicate the decision. -The SSVC version 1 deployer tree had 225 rows when we wrote it out in long text form. +The SSVC version 1 ~applier~ deployer tree had 225 rows when we wrote it out in long text form. It only has four outcomes to differentiate between. Thus on average that decision process treats one situation (combination of decision values) as equivalent to 65 other situations. If nothing else, this means analysts are spending time gathering evidence to make fine distinctions that are not used in the final decision.
-
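Review bot: the inserted `~applier~` in "The SSVC version 1 ~applier~ deployer tree had 225 rows when we wrote it out in long text form." will not render as strikethrough: GFM needs double tildes, and in pandoc single tildes mark subscript, so readers would see "applier" as a subscript. Published text should not carry an editorial strikethrough anyway; write it out, e.g. "The SSVC version 1 applier tree (now the deployer tree) had 225 rows...", or leave the line as "deployer tree".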