Add CVSSv4 Decision Points #377
Conversation
This commit adheres closely to the CVSS v4 spec terminology. We might want to revisit the descriptions or names later.
It now lives in `ssvc.csv_analyzer`.
CVSS v2 used `ND` as the key; CVSS v3 and v4 use `X` as the key. Deliberately referring to the CVSS documentation for the Not Defined description, since while it can change with CVSS versions, the semantics of Not Defined are ironically idempotent thus far.
FWIW, the CVSS supplemental metric "Safety" ("Yes/No") is conceptually a map to "public safety impact" in SSVC. This is identically true if we map the SSVC safety impact descriptions back to IEC/ISO 61508 explicitly. SSVC currently implicitly maps to it since SSVC uses FAA and CDC definitions which are based on 61508, whereas CVSS explicitly uses 61508.
…ssv4-equivalence-sets-to-cvssv4-decision-points
# Conflicts:
#	src/test/test_schema.py
All looks good to me. Thanks!
I thought this went out of draft, but now I'm not sure, as it looks like it's still in draft.
I was holding it in draft until I got the supplementals in place. That's now done. Follow-up tasks after this merges:
To be addressed by
Note that #391 was also spawned out of the work leading to this PR.
Issue #330 and PR #343 were a first pass at modeling CVSS v1, v2, and v3 as SSVC decision points and groups.
This PR extends that work to include CVSS v4.
Along the way, I uncovered a few issues with how the changes in #343 didn't quite line up right, so I've fixed those issues as well.
Summarizing changes:
- Not Defined values: one with key `ND` for CVSS v2 and one with key `X` for CVSS v3 and v4
- `dp_diff` method that can compare sequential versions of a decision point against most of our versioning rules and suggest whether it's a major, minor, or patch version change. If you run any of the individual decision point `.py` files you'll see what it does.
- `__init__.py` files
- `ssvc.dp_groups.cvss.collections`
Resolutions
Out of scope
I am considering the following to be out of scope for this PR:
It's not that either of these are difficult, they are just distinct tasks that can be broken out separately.
Remaining to do before taking this out of draft
Initially creating as draft PR because the following work is outstanding:
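As an added example (not code from the SSVC project or from this PR), the sketch below implements a version-diff check in the spirit of the `dp_diff` method the PR description mentions. The bump rules it applies (a changed decision point key, a removed value or a changed value key is major; an added value or a renamed decision point is minor; a description-only change is patch) are assumptions chosen for illustration, not SSVC's documented versioning rules. The three decision points it compares are constructed from the CVSS v2, v3.1 and v4 exploit maturity metrics with the keys each spec uses and descriptions omitted; running it across those shows why the `ND` and `X` Not Defined values cannot be treated as a minor or patch revision of one value.

```python
"""Version-diff check for SSVC-style decision points.

Added example, not code from the SSVC project or this PR. The bump rules
are assumptions chosen for illustration, not SSVC's documented rules.
"""
import dataclasses
from dataclasses import dataclass

# Ordering used to keep the most severe bump seen so far.
RANK = {"none": 0, "patch": 1, "minor": 2, "major": 3}


@dataclass(frozen=True)
class DecisionPointValue:
    name: str
    key: str
    description: str = ""


@dataclass(frozen=True)
class DecisionPoint:
    name: str
    key: str
    version: str
    values: tuple
    description: str = ""


def dp_diff(old, new):
    """Compare two versions of a decision point; return (bump, reasons).

    Values are matched by name, so a renamed value shows up as one removal
    plus one addition, which under the assumed rules is a major change.
    """
    bump = "none"
    reasons = []

    def note(level, why):
        nonlocal bump
        reasons.append(f"{level}: {why}")
        if RANK[level] > RANK[bump]:
            bump = level

    if old.key != new.key:
        note("major", f"decision point key {old.key!r} -> {new.key!r}")
    if old.name != new.name:
        note("minor", f"decision point renamed {old.name!r} -> {new.name!r}")
    if old.description != new.description:
        note("patch", "decision point description changed")

    old_vals = {v.name: v for v in old.values}
    new_vals = {v.name: v for v in new.values}
    for name in sorted(old_vals.keys() - new_vals.keys()):
        note("major", f"value {name!r} removed")
    for name in sorted(new_vals.keys() - old_vals.keys()):
        note("minor", f"value {name!r} added")
    for name in sorted(old_vals.keys() & new_vals.keys()):
        o, n = old_vals[name], new_vals[name]
        if o.key != n.key:
            note("major", f"value {name!r} key {o.key!r} -> {n.key!r}")
        if o.description != n.description:
            note("patch", f"value {name!r} description changed")
    return bump, reasons


def next_version(version, bump):
    """Apply a semver-style bump ("major", "minor", "patch" or "none")."""
    major, minor, patch = (int(part) for part in version.split("."))
    if bump == "major":
        return f"{major + 1}.0.0"
    if bump == "minor":
        return f"{major}.{minor + 1}.0"
    if bump == "patch":
        return f"{major}.{minor}.{patch + 1}"
    return version


def with_value_description(dp, value_name, text):
    """Return a copy of dp with one value's description replaced."""
    values = tuple(
        dataclasses.replace(v, description=text) if v.name == value_name else v
        for v in dp.values
    )
    return dataclasses.replace(dp, values=values)


def _dp(name, version, pairs):
    # Helper for the constructed samples below; all three use metric key "E".
    return DecisionPoint(name=name, key="E", version=version,
                         values=tuple(DecisionPointValue(n, k) for n, k in pairs))


# Constructed samples: CVSS v2, v3.1 and v4 exploit maturity metrics,
# keys as in each spec, descriptions omitted.
EXPLOITABILITY_V2 = _dp("Exploitability", "1.0.0", [
    ("Unproven", "U"), ("Proof-of-Concept", "POC"), ("Functional", "F"),
    ("High", "H"), ("Not Defined", "ND")])
EXPLOIT_CODE_MATURITY_V3 = _dp("Exploit Code Maturity", "1.0.0", [
    ("Not Defined", "X"), ("Unproven", "U"), ("Proof-of-Concept", "P"),
    ("Functional", "F"), ("High", "H")])
EXPLOIT_MATURITY_V4 = _dp("Exploit Maturity", "1.0.0", [
    ("Not Defined", "X"), ("Unreported", "U"), ("Proof-of-Concept", "P"),
    ("Attacked", "A")])

if __name__ == "__main__":
    for old, new in ((EXPLOITABILITY_V2, EXPLOIT_CODE_MATURITY_V3),
                     (EXPLOIT_CODE_MATURITY_V3, EXPLOIT_MATURITY_V4)):
        bump, reasons = dp_diff(old, new)
        print(f"{old.name} -> {new.name}: {bump} "
              f"({old.version} -> {next_version(old.version, bump)})")
        for reason in reasons:
            print("  ", reason)
```

Both cross-version comparisons come out as major (the `ND` to `X` and `POC` to `P` key changes from v2 to v3, and the removed and added values from v3 to v4), which is the signal that each CVSS version's metric is better modelled as its own decision point, as the PR does, rather than as a revision of the previous one; a description-only edit to a single value comes out as a patch bump.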