Add Decision Point Value Selection schema with an example

[sei-vsarvepalli]

This will be an attempt to breakup our work from schema development that will help #588 into smaller pieces and run test cases against this.

All the future schemas will start livings in data/schema/current/ folder symlinked to a schemaVer version controlled schema documents.

[ahouseholder]

I think the filenames are overloading the phrase "Decision Point Group" which has meaning in the definition of decision models. Can we call it "Decision Point Value Selection" instead?

I'd like us to keep this schema as absolutely narrowly scoped as possible. This schema does not require the creation of a "decision point group" object, as it's just a list of decision points and selected values from them.

[sei-vsarvepalli]

Looks like the data/schema/Decision_Point.schema.json and data/schema/Decision_Point_Group.schema.json should be setup for some Test Cases to run properly. adding these with some vision strings and tests to run properly

[sei-vsarvepalli]

I think we are mostly there for Value Selection schema which is ideally what ADP like capabilities can use to reliably provide their evaluation of a vulnerability using SSVC. Now some questions remains

1. If SSVC is versioned and all the Decision Points are fixed that are part of SSVC 2.1 and are documented. Is it redundant or over-stating to provide version under each Decision Point ?
2. Should Value Selection schema have a Vector representation that simplifies a specific evaluation?

It may be helpful for @j--- to also comment about these questions for operational viability and usage in CISA. Issue #576 will get a very different answer if this PR is merged.

[ahouseholder]

1. If SSVC is versioned and all the Decision Points are fixed that are part of SSVC 2.1 and are documented. Is it redundant or over-stating to provide version under each Decision Point ?

The version in each decision point is the decision point version, which we describe in https://certcc.github.io/SSVC/adr/0006-ssvc-decision-point-versioning-rules/

That's not the same as SSVC 2.1 (which FWIW we're already past with v2024.3) -- but the idea is that eventually a decision point version approaches stability even as the rest of SSVC continues to be revised. We really don't want to get into having to descramble SSVC v2.1's Exploitation vs SSVC v2024.3's Exploitation vs SSVC v2024.3.1's Exploitation vs SSVC v2024.3.2's Exploitation. Because across all extant SSVC versions, Exploitation has only changed twice (Exploitation v1.0.0 and v1.1.0)

[ahouseholder]

2. Should Value Selection schema have a Vector representation that simplifies a specific evaluation?

I'm of the opinion that the answer is likely "No" based on

• Reduce emphasis or possibly deprecate the vector format #333
• Remove abbreviated format from docs #451

where we took the vector stuff out of everything except the calculator.
If we need to reopen the decision about the vector, I'd suggest we treat it as a separate issue/PR from this one.

[sei-vsarvepalli]

Another question came up in my mind - should there a optional "references" section in Selection schema to provide information such as Public POC was seen at a URL with optional "type" of reference information such as "exploit" - say something like

{"references" : [
      { 
          "url": "https://www.exploit-db.com/exploits/32998",
          "type": "exploit"
        } 
]}

[ahouseholder]

I don't have any objections to proceeding with this PR as-is. My comment regarding versioning rules for schemas isn't a reason to hold this up. I'm planning to spawn it into an issue so we can at least track the outcome of any ensuing discussion.

[ahouseholder]

Another question came up in my mind - should there a optional "references" section in Selection schema to provide information such as Public POC was seen at a URL with optional "type" of reference information such as "exploit" - say something like

{"references" : [
      { 
          "url": "https://www.exploit-db.com/exploits/32998",
          "type": "exploit"
        } 
]}

I'd like to split this off into a separate issue

• Should there a optional "references" section in Selection schema? #600

because it seems like we should consider whether the references apply to the list or to the individual decision point selections. I could imagine you'd want to say "we chose foo for Decision Point A because reference and bar for Decision Point B because other reference. We might need to understand better if/how this would be used to make a decision.

[ahouseholder]

I think this PR might resolve cisagov/vulnrichment#40. Will leave a comment over there too.