
Requirements for new updates for the ssvc-calc tool aka Dryad #149

Closed
sei-vsarvepalli opened this issue Sep 16, 2021 · 4 comments
Assignees: sei-vsarvepalli
Labels: bug (Something isn't working), enhancement (New feature or request)

Comments

@sei-vsarvepalli
Contributor

Here are a few new requirements from our sponsors for the SSVC calc tool:

  1. Provide SSVC export in PDF format with a table and information
  2. Export JSON to include full definitions of all the various options.
  3. Import CVE template for ssvc-calc to be available.
  4. Display SSVC vector format in the screen right before Export
  5. Provide permalink for people to share for the current decision for processing.
@sei-vsarvepalli sei-vsarvepalli added the enhancement New feature or request label Sep 16, 2021
@sei-vsarvepalli sei-vsarvepalli self-assigned this Sep 16, 2021
@sei-vsarvepalli
Contributor Author

There seems to be a bug in the schema.json and JSON file examples where "options" has replaced "choices". I can't remember if this was intentional or not; maybe @ahouseholder or @j--- can recall?

The code for ssvc.js has trouble due to this change in creating and assembling data fields on import and export. I will also mark this as a bug, so either the JSON + schema or the JavaScript should be modified, or perhaps both?

Vijay

@sei-vsarvepalli sei-vsarvepalli added the bug Something isn't working label Sep 21, 2021
@sei-vsarvepalli
Contributor Author

The move from "choices" to "options" was intentional, and the SSVC code is being updated to fix this bug. This came from #106.

There is a concern that the SSVC vector and the current export formats lose information that is collected as part of an SSVC decision that was made. For example, "Mission & Well-being" is a cumulative decision from two factors. The current exported JSON format, even with the full tree, only records the combinatorial decision from the "M & WB" section. We should find a way to preserve this data both in the SSVC vector and in exported trees in JSON and PDF format.

Some possible solutions are:

  1. For JSON - Provide an additional JSON blob that captures the decisions apart from the current "decisions_table" in JSON schema. Provide details of the sub-components that make a "complex" decision.
  2. For PDF - include a Table for complex decision and include the current selections of an SSVC decision maker.

Current updates and features on the website https://democert.org/ssvc/:

  1. Two versions of PDF export are available: one with the full tree and documentation of the SSVC tree, and another that just has the current decision/recommendation reached.
  2. There is a link in the PDF to the CVE if the vulnerability being scored is a CVE, linking it to NVD.
  3. The SSVC score is shown in the current vector presentation on the site before export, and it is also included in the PDF itself.
  4. Next to the SSVC score is a link icon that, if you click it, will take you to the permalink URL showing the current decision as an animated path through the tree. Example permalink: https://democert.org/ssvc/#SSVCv2/E:A/V:S/T:T/M:M/D:A/1632238698/&CVE-2014-0751&Coordinator
  5. Every time you visit https://democert.org/ssvc/ the top title has the SSVC tree currently being used as well as the role “(CISA Coordinator v2)”; this comes from a data import file (JSON) that can be updated if you prefer a different title.
  6. If you run any vulnerability through the default “CISA Coordinator v2” tree, your last page will have both PDF (human) and JSON (machine) export available.
  7. The import and export samples are both kept in folders in different formats. The list is below. You can download and modify them and use the “Import” feature to upload the import formats (CSV/TXT, JSON). JSON can have rich information, whereas CSV import will be limited.

@j---
Collaborator

j--- commented Sep 23, 2021

PDF - include a Table for complex decision and include the current selections of an SSVC decision maker.

I'm in favor of a table in the text describing the complex decision, followed by the text for what each of the child decisions is defined as.

For JSON - Provide an additional JSON blob that captures the decisions apart from the current "decisions_table" in JSON schema. Provide details of the sub-components that make a "complex" decision.

Each decision point that an analyst answers should be represented as itself in the JSON. Then, if there is a "complex" decision, it should be defined as depending on its child decision points. The results of the "complex" decision point should be exhaustively defined line by line. For example, if automatable = no and value density = diffuse then utility = laborious, and so on for each possible combination of the child decision points.

The vector string should have all the items in it (for example, automatable, value density, and utility) even though Utility is technically calculable from the other two. That calculation is represented in the table that defines Utility, and so that does bring some more information into the vector string.
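The layout described in the two paragraphs above (each answered decision point as itself in the JSON, the complex point defined exhaustively from its children, and the vector carrying child and derived values), written out as an added example that is not ssvc-calc's own code. The vector keys A, VD and U are abbreviations chosen for this example, not the keys the site's permalinks use; the Utility table's first row is the one quoted above and the remaining rows follow the SSVC v2 Utility table.

```javascript
// Added example (not ssvc-calc code). Keys A, VD and U are chosen here, not SSVC's own.
// Child decision points the analyst answers directly.
const DECISION_POINTS = {
  Automatable: { key: "A", options: { no: "N", yes: "Y" } },
  "Value Density": { key: "VD", options: { diffuse: "D", concentrated: "C" } },
};
// Utility is "complex": defined exhaustively, one row per combination of
// its children. Row 1 is from the discussion above; the rest follow SSVC v2.
const UTILITY = {
  key: "U",
  children: ["Automatable", "Value Density"],
  options: { laborious: "L", efficient: "E", "super effective": "S" },
  table: [
    { Automatable: "no", "Value Density": "diffuse", Utility: "laborious" },
    { Automatable: "no", "Value Density": "concentrated", Utility: "efficient" },
    { Automatable: "yes", "Value Density": "diffuse", Utility: "efficient" },
    { Automatable: "yes", "Value Density": "concentrated", Utility: "super effective" },
  ],
};
// Derive the complex decision from the child answers; an unknown combination
// is an error rather than a silently dropped value.
function computeUtility(answers) {
  const row = UTILITY.table.find((r) => UTILITY.children.every((c) => r[c] === answers[c]));
  if (!row) throw new Error(`no Utility row for ${JSON.stringify(answers)}`);
  return row.Utility;
}
// Export: each answered point appears as itself, the complex point records its
// children and full table, and the vector carries child and derived values.
function exportDecision(answers) {
  const utility = computeUtility(answers);
  const decisions = UTILITY.children.map((name) => ({ name, value: answers[name] }));
  decisions.push({ name: "Utility", value: utility, children: UTILITY.children, table: UTILITY.table });
  const segments = UTILITY.children.map(
    (name) => `${DECISION_POINTS[name].key}:${DECISION_POINTS[name].options[answers[name]]}`,
  );
  segments.push(`${UTILITY.key}:${UTILITY.options[utility]}`);
  return { decisions, vector: `SSVCv2/${segments.join("/")}/` };
}
// Check a received vector: the U segment is redundant by construction, so a
// stated Utility that disagrees with its children means a malformed vector.
function vectorIsConsistent(vector) {
  const parts = Object.fromEntries(vector.split("/").filter((s) => s.includes(":")).map((s) => s.split(":")));
  const answers = {};
  for (const [name, dp] of Object.entries(DECISION_POINTS)) {
    answers[name] = Object.keys(dp.options).find((o) => dp.options[o] === parts[dp.key]);
  }
  return parts[UTILITY.key] === UTILITY.options[computeUtility(answers)];
}
```

Because the vector repeats what the table already determines, an importer can reject a vector whose Utility does not match its children instead of trusting the derived value.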

@sei-vsarvepalli
Contributor Author

Covered by PR #152.
