CERT/CC SSVC metrics for CVE using ADP #144

Open
sei-vsarvepalli opened this issue Feb 18, 2022 · 9 comments
@sei-vsarvepalli
Contributor

This is a follow-up after discussions in the CVE QWG meeting on the topic of being able to publish as an Authorized Data Provider (ADP) into CVE's current JSON schema. The CERT/CC Stakeholder Specific Vulnerability Categorization (SSVC) project attempts to provide vulnerability metrics in the form of decision trees for different vulnerability management communities.

More information about SSVC can be found in the SSVC Overview. In practice, SSVC code, examples and customization information are available in the GitHub repository (https://github.com/CERTCC/SSVC).

CERT/CC would like to publish such metrics in adherence to the CVE-5 JSON schema. We have a sample ADP enhanced CVE record that is available at https://democert.org/ssvc/cve-5/CVE-2022-0012-adp.json. This record validates properly for the current CVE-5.0 JSON schema.

The ADP container data from the example is also included here for convenience. Let us know how we can provide such data into CVE to support enrichment of the CVE JSON records.

    "adp": [{
        "providerMetadata": {
            "dateUpdated": "2022-02-09T18:45:53Z",
            "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0",
            "shortName": "cert_cc"
        },
        "datePublic": "2022-01-27T00:00:00",
        "metrics": [{
            "other": {
                "type": "ssvc",
                "content": {
                    "role": "Coordinator",
                    "id": "CVE-2022-0012",
                    "version": "2.0",
                    "generator": "Dryad SSVC Calculator 5.1.1",
                    "computed": "SSVCv2/E:N/A:Y/T:P/P:M/B:M/M:L/D:T/2022-02-09T18:45:53Z/",
                    "timestamp": "2022-02-09T18:45:53Z",
                    "options": [
                        {
                            "Exploitation": "none"
                        },
                        {
                            "Automatable": "yes"
                        },
                        {
                            "Technical Impact": "partial"
                        },
                        {
                            "Mission Prevalence": "Minimal"
                        },
                        {
                            "Public Well-being Impact": "Minimal"
                        },
                        {
                            "Mission & Well-being": "low"
                        },
                        {
                            "Decision": "Track"
                        }
                    ],
                    "$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",
                    "decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json"
                }
            }
        }]
    }]

Thanks
Vijay

Additional stakeholders highlighted:
@zmanion @david-waltermire-nist @chandanbn

@ElectricNroff

I don't think that

"$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",

will be accepted by CVE Services during an ADP container submission. CVE Services uses Amazon DocumentDB to store JSON documents, and doesn't allow a $ character in that context (even though the schema allows it):

$schema is not accepted by the implementation. See #145 for other information about what happens within the CVE Services code, and what error a client would see.
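
A pre-submission check for the problem raised in the comment above, as an added example that is not code from CVE Services or from anyone in this thread. It assumes that any object key containing `$` is rejected (a conservative reading of the comment); `dollar_keys` and `rename_keys` are hypothetical helper names, and the sample is a trimmed, constructed copy of the container quoted in this issue.

```python
import json

# Constructed sample: trimmed from the ADP container quoted in this issue.
SAMPLE = json.loads("""
{"adp": [{
  "providerMetadata": {"shortName": "cert_cc"},
  "metrics": [{"other": {"type": "ssvc", "content": {
    "id": "CVE-2022-0012",
    "options": [{"Exploitation": "none"}, {"Decision": "Track"}],
    "$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json"
  }}}]
}]}
""")

def dollar_keys(node, path=""):
    """Return a path for every object key that contains '$' (assumed rejected)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if "$" in key:
                hits.append(here)
            hits.extend(dollar_keys(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(dollar_keys(value, f"{path}/{i}"))
    return hits

def rename_keys(node, mapping):
    """Return a copy with keys renamed per mapping; never overwrite a sibling key."""
    if isinstance(node, list):
        return [rename_keys(v, mapping) for v in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        new_key = mapping.get(key, key)
        if new_key in out or (new_key != key and new_key in node):
            raise ValueError(f"rename of {key!r} collides with existing {new_key!r}")
        out[new_key] = rename_keys(value, mapping)
    return out

if __name__ == "__main__":
    print("before:", dollar_keys(SAMPLE))
    fixed = rename_keys(SAMPLE, {"$schema": "reference_schema"})
    print("after: ", dollar_keys(fixed))
```

Only keys are inspected; a `$` inside a string value, such as a URL, is not flagged.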

@sei-vsarvepalli
Contributor Author

sei-vsarvepalli commented Feb 21, 2022

Hello @ElectricNroff

Thanks for your quick response. Happy to modify the $schema to be reference_schema (as below), and avoid any $ references so it poses less trouble. I was using $schema from JSON doc recommendations; not really married to that notation. Let me know if there are any other concerns to address.

    "adp": [{
        "providerMetadata": {
            "dateUpdated": "2022-02-09T18:45:53Z",
            "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0",
            "shortName": "cert_cc"
        },
        "datePublic": "2022-01-27T00:00:00",
        "metrics": [{
            "other": {
                "type": "ssvc",
                "content": {
                    "role": "Coordinator",
                    "id": "CVE-2022-0012",
                    "version": "2.0",
                    "generator": "Dryad SSVC Calculator 5.1.1",
                    "computed": "SSVCv2/E:N/A:Y/T:P/P:M/B:M/M:L/D:T/2022-02-09T18:45:53Z/",
                    "timestamp": "2022-02-09T18:45:53Z",
                    "options": [
                        {
                            "Exploitation": "none"
                        },
                        {
                            "Automatable": "yes"
                        },
                        {
                            "Technical Impact": "partial"
                        },
                        {
                            "Mission Prevalence": "Minimal"
                        },
                        {
                            "Public Well-being Impact": "Minimal"
                        },
                        {
                            "Mission & Well-being": "low"
                        },
                        {
                            "Decision": "Track"
                        }
                    ],
                    "reference_schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",
                    "decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json"
                }
            }
        }]
    }]

@sei-vsarvepalli
Contributor Author

Just capturing these notes from the QWG meeting on 2022/03/10. Currently, CVE Services 2.1, which is about to launch and be ready soon, will not support publishing of ADP containers. It is planned somewhere in the fall time for the next revision of CVE Services to accept JSON ADP containers. Once we are able to publish, CERT/CC can request an update to the CVE 5.1 JSON schema to include a well-formatted SSVC ADP record as a metric.

Vijay

@david-waltermire
Collaborator

The QWG will need to address this as a new optional feature in v5.1. Marking this milestone.

@zmanion
Contributor

zmanion commented Apr 6, 2023

SPWG is prioritizing ADP. This came up at today's meeting in that certain ADPs, if they are approved to provide content that is not already part of the existing CNA container schema, would have to create a custom schema. This is the case for an SSVC ADP. It seems that a references ADP may be the first pilot; however, we'll need to develop a process for custom schema development and inclusion at some point.

@sei-vsarvepalli
Contributor Author

sei-vsarvepalli commented Jun 20, 2023

Our ADP container setup has been updated as follows. We are also tracking this with discussions under our SSVC - CERTCC/SSVC#229

{
    "adpContainer": {
        "providerMetadata": {
            "dateUpdated": "2022-02-09T18:45:53Z",
            "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0",
            "shortName": "cert_cc"
        },
        "datePublic": "2022-01-27T00:00:00",
        "metrics": [
            {
                "other": {
                    "type": "ssvc",
                    "content": {
                        "role": "CISA-Coordinator",
                        "id": "CVE-2022-45119",
                        "version": "2.0",
                        "generator": "Dryad SSVC Calculator 5.1.7",
                        "computed": "SSVCv2/E:P/A:N/T:T/P:S/B:M/M:M/D:R/2023-06-20T14:33:57Z/",
                        "timestamp": "2023-06-20T14:33:57Z",
                        "options": [
                            {
                                "Exploitation": "poc"
                            },
                            {
                                "Automatable": "no"
                            }
                        ],
                        "reference_schema": "https://certcc.github.io/SSVC/ssvc-calc/SSVC_Computed_v2.03.schema.json",
                        "decision_tree_url": "https://certcc.github.io/SSVC/ssvc-calc/CISA-Coordinator-v2.0.3.json"
                    }
                }
            }
        ]
    }
}

ADP testing is ready to start and we will be working with CVE AWG on feedback.

Thanks
Vijay

@sei-vsarvepalli
Contributor Author

sei-vsarvepalli commented Sep 30, 2024

We have a production schema now as version 1.0.1 using schemaVersion templates. This should be ready for the v5.2.0 integration. Please collect the latest from
https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json

@ccoffin
Collaborator

ccoffin commented Oct 4, 2024

Created pull request #348 to implement SSVC as an imported schema.

@sei-vsarvepalli
Contributor Author

Please see #350, the new PR that covers all the inclusions and fixes.
