Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CVSSv4 Decision Points #377

Merged
merged 15 commits into from
Nov 17, 2023
+2,743 −785
Merged

Add CVSSv4 Decision Points #377

Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
28e013f
add CVSS v1, 2, 3 to schema test
ahouseholder Oct 16, 2023
5f58474
add decision points and a group for eq sets
ahouseholder Nov 6, 2023
5ea5697
add dp_diff helper
ahouseholder Nov 7, 2023
90bd6ab
merge CVSS groups
ahouseholder Nov 7, 2023
6a2c839
add CVSSv4 models
ahouseholder Nov 7, 2023
1c317b5
move version print to helper method
ahouseholder Nov 8, 2023
489e699
analyze_csv snuck back in a merge
ahouseholder Nov 8, 2023
04b04f5
clean up __init__.py in various modules
ahouseholder Nov 8, 2023
e958174
new v4 modify helper and unit tests
ahouseholder Nov 8, 2023
753edbf
refactor `not defined` values.
ahouseholder Nov 8, 2023
080d223
add thefuzz requirements.txt for string compares
ahouseholder Nov 8, 2023
b0ba21f
Merge branch 'main' into 348-map-cvssv4-equivalence-sets-to-cvssv4-de…
ahouseholder Nov 9, 2023
2809b5a
Merge branch 'main' into 348-map-cvssv4-equivalence-sets-to-cvssv4-de…
ahouseholder Nov 10, 2023
8c9d041
Merge branch 'main' of https://github.com/CERTCC/SSVC into 348-map-cv…
ahouseholder Nov 14, 2023
1812c2f
add CVSS v4 Supplemental metrics
ahouseholder Nov 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
add decision points and a group for eq sets 
This commit adheres closely to the CVSS v4 spec terminology.
We might want to revisit the descriptions or names later.
@ahouseholder
ahouseholder committed Nov 7, 2023
commit 5f584743a95a976546083d34931d710564a939a6
13 changes: 13 additions & 0 deletions src/ssvc/decision_points/cvss/base.py
View file
Original file line number Diff line number Diff line change
@@ -4,6 +4,19 @@
"""


# Copyright (c) 2023 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
# - see ContributionInstructions.md for information on how you can Contribute to this project
# Stakeholder Specific Vulnerability Categorization (SSVC) is
# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
# with this Software or contact [email protected] for full terms.
# Created, in part, with funding and support from the United States Government
# (see Acknowledgments file). This program may include and/or can make use of
# certain third party source code, object code, documentation and other files
# (“Third Party Software”). See LICENSE.md for more details.
# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
# U.S. Patent and Trademark Office by Carnegie Mellon University

from dataclasses import dataclass

from dataclasses_json import dataclass_json
191 changes: 191 additions & 0 deletions src/ssvc/decision_points/cvss/eq_sets.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,191 @@
#!/usr/bin/env python
"""
CVSS v4 Equivalence Sets
"""
# Copyright (c) 2023 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
# - see ContributionInstructions.md for information on how you can Contribute to this project
# Stakeholder Specific Vulnerability Categorization (SSVC) is
# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
# with this Software or contact [email protected] for full terms.
# Created, in part, with funding and support from the United States Government
# (see Acknowledgments file). This program may include and/or can make use of
# certain third party source code, object code, documentation and other files
# (“Third Party Software”). See LICENSE.md for more details.
# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
# U.S. Patent and Trademark Office by Carnegie Mellon University

from ssvc.decision_points import SsvcDecisionPointValue
from ssvc.decision_points.cvss.base import CvssDecisionPoint


# EQ1 → AV/PR/UI with 3 levels specified in Table 24
# Levels Constraints Highest Severity Vector(s)
# 0 AV:N and PR:N and UI:N AV:N/PR:N/UI:N
# 1 (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N:/UI:P
# 2 AV:P or not(AV:N or PR:N or UI:N) AV:P/PR:N/UI:N or AV:A/PR:L/UI:P
EQ1 = CvssDecisionPoint(
name="Equivalence Set 1",
key="EQ1",
description="AV/PR/UI with 3 levels specified in Table 24",
version="1.0.0",
values=[
SsvcDecisionPointValue(
name="Low",
key="L",
description="2: AV:P or not(AV:N or PR:N or UI:N)",
),
SsvcDecisionPointValue(
name="Medium",
key="M",
description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P",
),
SsvcDecisionPointValue(
name="High",
key="H",
description="0: AV:N and PR:N and UI:N",
),
],
)

# EQ2 → AC/AT with 2 levels specified in Table 25
# Levels Constraints Highest Severity Vector(s)
# 0 AC:L and AT:N AC:L/AT:N
# 1 not (AC:L and AT:N) AC:L/AT:P or AC:H/AT:N
EQ2 = CvssDecisionPoint(
name="Equivalence Set 2",
key="EQ2",
description="AC/AT with 2 levels specified in Table 25",
version="1.0.0",
values=[
SsvcDecisionPointValue(
name="Low",
key="L",
description="1: not (AC:L and AT:N)",
),
SsvcDecisionPointValue(
name="High",
key="H",
description="0: AC:L and AT:N",
),
],
)


# EQ3 → VC/VI/VA with 3 levels specified in Table 26
# Levels Constraints Highest Severity Vector(s)
# 0 VC:H and VI:H VC:H/VI:H/VA:H
# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H) VC:L/VI:H/VA:H or VC:H/VI:L/VA:H
# 2 not (VC:H or VI:H or VA:H) VC:L/VI:L/VA:L
EQ3 = CvssDecisionPoint(
name="Equivalence Set 3",
key="EQ3",
description="VC/VI/VA with 3 levels specified in Table 26",
version="1.0.0",
values=[
SsvcDecisionPointValue(
name="Low",
key="L",
description="2: not (VC:H or VI:H or VA:H)",
),
SsvcDecisionPointValue(
name="Medium",
key="M",
description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)",
),
SsvcDecisionPointValue(
name="High",
key="H",
description="0: VC:H and VI:H",
),
],
)


# EQ4 → SC/SI/SA with 3 levels specified in Table 27
# 0 MSI:S or MSA:S SC:H/SI:S/SA:S
# 1 not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) SC:H/SI:H/SA:H
# 2 not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) SC:L/SI:L/SA:L
EQ4 = CvssDecisionPoint(
name="Equivalence Set 4",
key="EQ4",
description="SC/SI/SA with 3 levels specified in Table 27",
version="1.0.0",
values=[
SsvcDecisionPointValue(
name="Low",
key="L",
description="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)",
),
SsvcDecisionPointValue(
name="Medium",
key="M",
description="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)",
),
SsvcDecisionPointValue(
name="High",
key="H",
description="0: MSI:S or MSA:S",
),
],
)


# EQ5 → E with 3 levels specified in Table 28
# 0 E:A E:A
# 1 E:P E:P
# 2 E:U E:U
EQ5 = CvssDecisionPoint(
name="Equivalence Set 5",
key="EQ5",
description="E with 3 levels specified in Table 28",
version="1.0.0",
values=[
SsvcDecisionPointValue(
name="Low",
key="L",
description="2: E:U",
),
SsvcDecisionPointValue(
name="Medium",
key="M",
description="1: E:P",
),
SsvcDecisionPointValue(
name="High",
key="H",
description="0: E:A",
),
],
)

# EQ6 → VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29
# 0 (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) VC:H/VI:H/VA:H/CR:H/IR:H/AR:H
# 1 not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H or VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M or VC:L/VI:L/VA:L/CR:H/IR:H/AR:H
EQ6 = CvssDecisionPoint(
name="Equivalence Set 6",
key="EQ6",
description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
version="1.0.0",
values=[
SsvcDecisionPointValue(
name="Low",
key="L",
description="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)",
),
SsvcDecisionPointValue(
name="High",
key="H",
description="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)",
),
],
)


def main():
for dp in [EQ1, EQ2, EQ3, EQ4, EQ5, EQ6]:
print(dp.to_json(indent=2))


if __name__ == "__main__":
main()
44 changes: 44 additions & 0 deletions src/ssvc/dp_groups/cvss/v4.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
#!/usr/bin/env python
"""
file: v4
author: adh
created_at: 11/6/23 11:48 AM
"""
# Copyright (c) 2023 Carnegie Mellon University and Contributors.
# - see Contributors.md for a full list of Contributors
# - see ContributionInstructions.md for information on how you can Contribute to this project
# Stakeholder Specific Vulnerability Categorization (SSVC) is
# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
# with this Software or contact [email protected] for full terms.
# Created, in part, with funding and support from the United States Government
# (see Acknowledgments file). This program may include and/or can make use of
# certain third party source code, object code, documentation and other files
# (“Third Party Software”). See LICENSE.md for more details.
# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
# U.S. Patent and Trademark Office by Carnegie Mellon University

from ssvc.decision_points.cvss.eq_sets import EQ1, EQ2, EQ3, EQ4, EQ5, EQ6
from ssvc.dp_groups.base import SsvcDecisionPointGroup


EquivalenceSetsV4 = SsvcDecisionPointGroup(
name="CVSSv4 EQ Sets",
description="Equivalence Sets for CVSS v4",
version="1.0.0",
decision_points=[
EQ1,
EQ2,
EQ3,
EQ4,
EQ5,
EQ6,
],
)


def main():
print(EquivalenceSetsV4.to_json(indent=2))


if __name__ == "__main__":
main()