Add CVSSv4 Decision Points (#377)

* add CVSS v1, 2, 3 to schema test * add decision points and a group for eq sets This commit adheres closely to the CVSS v4 spec terminology. We might want to revisit the descriptions or names later. * add dp_diff helper * merge CVSS groups * add CVSSv4 models * move version print to helper method * analyze_csv snuck back in a merge it now lives in ssvc.csv_analyzer * clean up __init__.py in various modules * new v4 modify helper and unit tests * refactor `not defined` values. CVSS v2 used ND as key CVSS v3, v4 uses X as key Deliberately referring to CVSS documentation for the Not Defined description since while it can change with CVSS versions, the semantics of not defined are ironically idempotent thus far. * add thefuzz requirements.txt for string compares * add CVSS v4 Supplemental metrics
CERTCC · Nov 17, 2023 · ba72fce · ba72fce
1 parent 045c2c6
commit ba72fce
Show file tree

Hide file tree

Showing 49 changed files with 2,743 additions and 785 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -8,7 +8,8 @@ mkdocstrings
 mkdocstrings-python
 mkdocs-print-site-plugin
 dataclasses-json
+thefuzz==0.20.0
 pandas~=2.1.2
 scikit-learn~=1.3.2
 jsonschema~=4.19.2
-networkx~=3.1
+networkx~=3.1
diff --git a/src/analyze_csv.py b/src/analyze_csv.py
diff --git a/src/ssvc/__init__.py b/src/ssvc/__init__.py
@@ -1,14 +1,15 @@
-#!/usr/bin/env python
-'''
-file: __init__.py
-author: adh
-created_at: 9/20/23 10:36 AM
-'''
-
-
-def main():
-    pass
-
-
-if __name__ == '__main__':
-    main()
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+"""
+Provides SSVC modules.
+"""
diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py
@@ -23,23 +23,48 @@
 
 from dataclasses_json import dataclass_json
 
-from ssvc._mixins import _Base, _Commented, _Keyed, _Namespaced, _Versioned
+from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned
 
 logger = logging.getLogger(__name__)
 
 
+_RDP = {}
 REGISTERED_DECISION_POINTS = []
 
 
+def register(dp):
+    """
+    Register a decision point.
+    """
+    global _RDP
+
+    key = (dp.namespace, dp.name, dp.key, dp.version)
+
+    if key in _RDP:
+        logger.warning(f"Duplicate decision point {key}")
+
+    _RDP[key] = dp
+    REGISTERED_DECISION_POINTS.append(dp)
+
+
+def _reset_registered():
+    """
+    Reset the registered decision points.
+    """
+    global _RDP
+    global REGISTERED_DECISION_POINTS
+
+    _RDP = {}
+    REGISTERED_DECISION_POINTS = []
+
+
 @dataclass_json
 @dataclass(kw_only=True)
 class SsvcDecisionPointValue(_Base, _Keyed):
     """
     Models a single value option for a decision point.
     """
 
-    pass
-
 
 @dataclass_json
 @dataclass(kw_only=True)
@@ -62,9 +87,7 @@ def __iter__(self):
         return iter(self.values)
 
     def __post_init__(self):
-        global REGISTERED_DECISION_POINTS
-
-        REGISTERED_DECISION_POINTS.append(self)
+        register(self)
 
         if isinstance(self.values[0], dict):
             self.values = tuple(

diff --git a/src/ssvc/decision_points/cvss/__init__.py b/src/ssvc/decision_points/cvss/__init__.py
@@ -1,14 +1,16 @@
-#!/usr/bin/env python
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+
 """
-file: __init__.py
-author: adh
-created_at: 9/20/23 12:39 PM
+Provides SSVC decision points modeling CVSS metrics.
 """
-
-
-def main():
-    pass
-
-
-if __name__ == "__main__":
-    main()