
Add CVSSv4 Decision Points #377

Merged

Conversation

ahouseholder

@ahouseholder ahouseholder commented Nov 8, 2023

Issue #330 and PR #343 were a first pass at modeling CVSS v1, v2, and v3 as SSVC decision points and groups.

This PR extends that work to include CVSS v4.

Along the way, I uncovered a few issues with how the changes in #343 didn't quite line up right, so I've fixed those issues as well.

Summarizing changes:

  • Add decision points for all CVSS v4 BTE vector elements
  • Add decision points for CVSS v4 equivalence sets
  • Individual CVSS decision point versions should be aligned with our SSVC DP versioning rules
  • I simplified the various "Not Defined" values into two distinct versions: one with the key ND for CVSS v2 and one with key X for CVSS v3 and v4
  • Added/updated helper methods and unit tests for generating the "modified" elements in v3 and v4
  • Added a dp_diff method that can compare sequential versions of a decision point against most of our versioning rules and suggest whether it's a major, minor, or patch version change. If you run any of the individual decision point .py files you'll see what it does.
  • Cleaned up a bunch of long string lines (wrapped them)
  • Removed some default IDE cruft from various __init__.py files
  • Consolidates v1, v2, v3, and v4 decision point groups into a single module ssvc.dp_groups.cvss.collections
  • Add DP groups for Base, Base + Temporal, Base + Temporal + Environmental for older versions (following example of B, BT, BTE in v4)
  • Added copyright blob to modified files.

Resolutions

Out of scope

I am considering the following to be out of scope for this PR:

It's not that either of these is difficult; they are just distinct tasks that can be broken out separately.

Remaining to do before taking this out of draft

Initially creating as draft PR because the following work is outstanding:

  • CVSS v4 supplemental metrics are not yet included. There is conceptual overlap with some existing SSVC decision points (Automatable, Value Density, Safety) that we'll need to consider. Probably not a problem, just noting it still needs to be done.
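As an added illustration of three items in the summary above (the two distinct "Not Defined" keys, deriving the "modified" environmental elements, and a dp_diff-style check that suggests a major/minor/patch bump), the following is example code written for this note. It is not the ssvc package's own classes or its dp_diff implementation; the dataclasses, the versioning rules it encodes, the Attack Vector sample values and the version numbers attached to them are assumptions made here for illustration.

```python
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class Value:
    name: str
    key: str
    description: str


@dataclass(frozen=True)
class DecisionPoint:
    name: str
    key: str
    version: str               # "major.minor.patch"
    description: str
    values: Tuple[Value, ...]  # ordinal: the order of values carries meaning


# Two distinct "Not Defined" values, as in the PR: ND for CVSS v2, X for v3/v4.
# Descriptions are abridged placeholders, not quoted from the CVSS specifications.
NOT_DEFINED_ND = Value("Not Defined", "ND", "Not defined (CVSS v2 key)")
NOT_DEFINED_X = Value("Not Defined", "X", "Not defined (CVSS v3/v4 key)")


def modified(dp: DecisionPoint, cvss_version: int) -> DecisionPoint:
    """Derive the environmental 'Modified <metric>' decision point: same ordinal
    values, key prefixed with M (AV -> MAV) and the version-appropriate
    Not Defined value placed first. Placing it first is a choice made here."""
    nd = NOT_DEFINED_ND if cvss_version == 2 else NOT_DEFINED_X
    return replace(dp, name=f"Modified {dp.name}", key=f"M{dp.key}", values=(nd,) + dp.values)


BUMPS = ("none", "patch", "minor", "major")


def dp_diff(old: DecisionPoint, new: DecisionPoint) -> str:
    """Suggest the version bump between two sequential versions of a decision point.
    Assumed rules (illustrative, not the project's documented versioning rules):
      major - a value was removed, renamed under the same key, or existing values reordered
      minor - values were only added, or the decision point's own name/key changed
      patch - only descriptions changed
      none  - nothing changed"""
    old_by_key = {v.key: v for v in old.values}
    new_by_key = {v.key: v for v in new.values}
    if old_by_key.keys() - new_by_key.keys():
        return "major"
    if any(new_by_key[k].name != v.name for k, v in old_by_key.items()):
        return "major"
    old_order = [v.key for v in old.values]
    new_order = [v.key for v in new.values if v.key in old_by_key]
    if old_order != new_order:
        return "major"
    if new_by_key.keys() - old_by_key.keys() or (old.name, old.key) != (new.name, new.key):
        return "minor"
    if old.description != new.description or any(
        new_by_key[k].description != v.description for k, v in old_by_key.items()
    ):
        return "patch"
    return "none"


def actual_bump(old_version: str, new_version: str) -> str:
    """Classify the declared version change by the first component that increased."""
    o = tuple(int(p) for p in old_version.split("."))
    n = tuple(int(p) for p in new_version.split("."))
    for label, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if n[i] > o[i]:
            return label
    return "none"


def version_ok(old: DecisionPoint, new: DecisionPoint) -> bool:
    """True when the declared version bump is at least as large as dp_diff suggests."""
    return BUMPS.index(actual_bump(old.version, new.version)) >= BUMPS.index(dp_diff(old, new))


# Constructed sample: Attack Vector as defined in CVSS v2 (L/A/N) and in CVSS v3
# ("Adjacent Network" renamed to "Adjacent", Physical added). Version strings are assumed.
AV_V2 = DecisionPoint("Attack Vector", "AV", "1.0.0", "Attack vector (CVSS v2)", (
    Value("Local", "L", "Local access"),
    Value("Adjacent Network", "A", "Adjacent network access"),
    Value("Network", "N", "Network access"),
))
AV_V3 = DecisionPoint("Attack Vector", "AV", "2.0.0", "Attack vector (CVSS v3)", (
    Value("Physical", "P", "Physical access"),
    Value("Local", "L", "Local access"),
    Value("Adjacent", "A", "Adjacent network access"),
    Value("Network", "N", "Network access"),
))
# Hypothetical variants used to exercise the other rules.
AV_V2_ADDED = replace(AV_V2, version="1.1.0",
                      values=AV_V2.values + (Value("Physical", "P", "Physical access"),))
AV_V3_DESC_FIX = replace(AV_V3, version="2.0.1", description="Attack vector (CVSS v3.x)")
AV_V3_WRONG = replace(AV_V3, version="1.1.0")  # declared minor, but the change is major

if __name__ == "__main__":
    for a, b in ((AV_V2, AV_V3), (AV_V2, AV_V2_ADDED), (AV_V3, AV_V3_DESC_FIX), (AV_V2, AV_V3_WRONG)):
        print(f"{a.version} -> {b.version}: suggests {dp_diff(a, b)}, declared ok={version_ok(a, b)}")
    print(modified(AV_V3, 4).key, [v.key for v in modified(AV_V3, 4).values])
```

The rename check is what makes the v2-to-v3 Attack Vector transition a major bump even though no key was removed: the same key A now names a different concept, which is exactly the kind of change a consumer comparing vectors across versions must not mistake for a minor addition.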

This commit adheres closely to the CVSS v4 spec terminology.
We might want to revisit the descriptions or names later.
it now lives in ssvc.csv_analyzer
CVSS v2 used ND as key
CVSS v3, v4 use X as key

Deliberately referring to CVSS documentation for the Not Defined description since while it can change with CVSS versions, the semantics of not defined are ironically idempotent thus far.
@ahouseholder ahouseholder linked an issue Nov 8, 2023 that may be closed by this pull request
@ahouseholder ahouseholder self-assigned this Nov 8, 2023
@j---

j--- commented Nov 8, 2023

FWIW, CVSS supplemental metric "Safety" "Yes/no" is conceptually a map to "public safety impact" in SSVC. This is identically true if we map the SSVC safety impact descriptions back to IEC/ISO 61508 explicitly. SSVC currently implicitly maps to it since SSVC uses FAA and CDC definitions which are based on 61508, whereas CVSS explicitly uses 61508.

@ahouseholder ahouseholder added this to the SSVC 2023Q4 milestone Nov 8, 2023
…ssv4-equivalence-sets-to-cvssv4-decision-points

# Conflicts:
#	src/test/test_schema.py
@j--- j--- left a comment


All looks good to me. Thanks!

@j---

j--- commented Nov 17, 2023

I thought this went out of draft, but now I'm not sure, as it looks like it's still in draft.

@ahouseholder

FWIW, CVSS supplemental metric "Safety" "Yes/no" is conceptually a map to "public safety impact" in SSVC. This is identically true if we map the SSVC safety impact descriptions back to IEC/ISO 61508 explicitly. SSVC currently implicitly maps to it since SSVC uses FAA and CDC definitions which are based on 61508, whereas CVSS explicitly uses 61508.

To be addressed by

@ahouseholder ahouseholder merged commit ba72fce into main Nov 17, 2023
3 checks passed
@ahouseholder ahouseholder deleted the 348-map-cvssv4-equivalence-sets-to-cvssv4-decision-points branch November 17, 2023 16:14
@ahouseholder

Note that #391 was also spawned out of the work leading to this PR.

@ahouseholder ahouseholder added documentation Improvements or additions to documentation enhancement New feature or request tools Software Tools labels Nov 17, 2023
Successfully merging this pull request may close these issues.

  • Map CVSSv4 equivalence sets to CVSSv4 decision points
  • Model CVSS v4 vector elements as decision points