From 868b769f169b9ff6f29f7755e775e5a9a70f0cd6 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Wed, 2 Oct 2024 11:19:50 -0500
Subject: [PATCH 1/8] adding SSVC v1.0.1 production schema to the CVE Record metrics block.

---
 schema/CVE_Record_Format.json | 4 ++
 schema/imports/ssvc/ssvc-v1.0.1.json | 101 +++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 schema/imports/ssvc/ssvc-v1.0.1.json

diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index f74450c32c..2501321685 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -859,6 +859,9 @@
 {
 "required": ["cvssV2_0"]
 },
+ {
+ "required": ["ssvcV1_0_1"]
+ },
 {
 "required": ["other"]
 }
@@ -898,6 +901,7 @@
 "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
 "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
 "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
+ "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
 "other": {
 "type": "object",
 "description": "A non-standard impact description, may be prose or JSON block.",
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
new file mode 100644
index 0000000000..b15800d872
--- /dev/null
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -0,0 +1,101 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
+ "definitions": {
+ "id": {
+ "type": "string",
+ "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+ "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+ },
+ "role": {
+ "type": "string",
+ "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+ "examples": ["Supplier","Deployer","Coordinator"]
+ },
+ "timestamp" : {
+ "description": "Date and time in ISO format ISO 8601 format",
+ "type": "string",
+ "format": "date-time"
+ },
+ "schemaVersion": {
+ "description": "Schema version used to represent this evaluation",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "SsvcdecisionpointselectionSchema": {
+ "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+ "properties": {
+ "name": {
+ "description": "Name of the Decision Point that were evaluated",
+ "title": "name",
+ "type": "string",
+ "examples": ["Automatable", "Exploitation"]
+ },
+ "namespace": {
+ "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+ "title": "namespace",
+ "type": "string",
+ "examples": ["ssvc","cvvsv4"]
+ },
+ "values": {
+ "description": "Evaluated values of the Decision Point",
+ "title": "values",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "description": "Each value that were down-selected for a Decision Point",
+ "title": "values",
+ "type": "string"
+ }
+ },
+ "version": {
+ "description": "Version of the Decision Points that were evaluated",
+ "title": "version",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "required": [
+ "name",
+ "namespace",
+ "values",
+ "version"
+ ],
+ "additionalProperties": false
+ },
+ 
"SsvcdecisionpointgroupselectionSchema": {
+ "properties": {
+ "id": {
+ "$ref": "#/definitions/id"
+ },
+ "role": {
+ "$ref": "#/definitions/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/timestamp"
+ },
+ "selections": {
+ "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+}

From 54fbea8afc49f2375bb9e858552d40427ae3a977 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Fri, 4 Oct 2024 10:30:44 -0500
Subject: [PATCH 2/8] added properties to root of schema to fix definition reference issue.

---
 schema/imports/ssvc/ssvc-v1.0.1.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index b15800d872..77f9b5adb6 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -97,5 +97,9 @@
 "additionalProperties": false
 }
 },
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ "properties": {
+ "SsvcdecisionpointgroupselectionSchema": {
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ }
+ }
 }

From 54f561c4fc8d1595de9039314b5dd43979cbe4a3 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Fri, 4 Oct 2024 10:48:57 -0500
Subject: [PATCH 3/8] added object type to properties.

---
 schema/imports/ssvc/ssvc-v1.0.1.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index 77f9b5adb6..f5b1ae3e98 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
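Review bot: The free-form strings `id`, `name`, `namespace`, `version` and the `values` items carry no `maxLength` or `pattern`, so the new metric block accepts unbounded text that ends up published inside CVE records; if the record format bounds its other string fields (its definitions are not visible from this hunk), this import should follow the same limits, and `id` in particular could be tied to the record's CVE ID pattern. `role` is documented as an SSVC stakeholder role but is any string, with `Supplier`/`Deployer`/`Coordinator` only as examples, so an `enum` would let validators reject typos. The `SsvcdecisionpointgroupselectionSchema` definition has no `description`; I would add `"description": "An SSVC evaluation of one vulnerability: the decision-point values selected, by which stakeholder role, and when"`. Several descriptions have grammar slips that will surface in generated docs — `"Name of the Decision Point that were evaluated"`, `"SSVC Namespace that were used …"`, `"Each value that were down-selected …"` (were → was) and `"Date and time in ISO format ISO 8601 format"` (drop the repeated "format").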
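Review bot: After this hunk the root schema is `properties: { SsvcdecisionpointgroupselectionSchema: { $ref } }` with no `required` and no `additionalProperties: false` at the root, so the key is optional and every other key is allowed — any object, including `{}`, now validates as an `ssvcV1_0_1` metric, and the group-selection constraints only apply if a producer happens to nest its data under that key. The patch 3 and patch 4 hunks keep this wrapper and share the hole (patch 3 additionally places `items` under `"type": "object"`, where draft-07 ignores it, so even the nested `$ref` is never applied there). If the aim is to avoid a bare root `$ref`, move the group selection's `properties`, `required` and `additionalProperties` to the root instead of wrapping them in a property, and add a validation fixture that asserts `{}` is rejected.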
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -99,7 +99,10 @@
 },
 "properties": {
 "SsvcdecisionpointgroupselectionSchema": {
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ "type": "object",
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ }
 }
 }
 }

From 1b1ae14c9d7be95f8919feb32ce4ce1cdc6dd6da Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Fri, 4 Oct 2024 11:22:07 -0500
Subject: [PATCH 4/8] removed and value and added type object to root.

---
 schema/imports/ssvc/ssvc-v1.0.1.json | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index f5b1ae3e98..4643a01f17 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -1,6 +1,5 @@
 {
 "$schema": "http://json-schema.org/draft-07/schema#",
- "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
 "definitions": {
 "id": {
 "type": "string",
@@ -97,12 +96,10 @@
 "additionalProperties": false
 }
 },
+ "type": "object",
 "properties": {
 "SsvcdecisionpointgroupselectionSchema": {
- "type": "object",
- "items": {
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
- }
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
 }
 }
 }

From 9e5c220a49c509590fdd7037a24912c8cf8c9f96 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Fri, 4 Oct 2024 15:22:16 -0400
Subject: [PATCH 5/8] Updated SSVC schema with examples due to bug in json-schema-parser for root circular reference

---
 schema/docs/CVE_Record_Format_bundled.json | 120 +++++++++++++++++-
 schema/docs/full-record-advanced-example.json | 38 +++++-
 schema/imports/ssvc/ssvc-v1.0.1.json | 17 +-
 .../support/schema2markmap/schema-bundle.js | 2 +-
 4 files changed, 156 insertions(+), 21 deletions(-)

diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json
index 4b8f98b4cf..b4447e1ebe 100644
--- a/schema/docs/CVE_Record_Format_bundled.json
+++ b/schema/docs/CVE_Record_Format_bundled.json
@@ -973,6 +973,11 @@
 "cvssV2_0"
 ]
 },
+ {
+ "required": [
+ "ssvcV1_0_1"
+ ]
+ },
 {
 "required": [
 "other"
@@ -3057,6 +3062,119 @@
 ],
 "additionalProperties": false
 },
+ "ssvcV1_0_1": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "definitions": {
+ "id": {
+ "type": "string",
+ "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+ "examples": [
+ "CVE-2024-101010",
+ "VU#11111",
+ "GHSA-11a1-22b2-33c3"
+ ]
+ },
+ "role": {
+ "type": "string",
+ "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+ "examples": [
+ "Supplier",
+ "Deployer",
+ "Coordinator"
+ ]
+ },
+ "timestamp": {
+ "description": "Date and time in ISO format ISO 8601 format",
+ "type": "string",
+ "format": "date-time"
+ },
+ "schemaVersion": {
+ "description": "Schema version used to represent this evaluation",
+ "type": "string",
+ "enum": [
+ "1-0-1"
+ ]
+ },
+ "SsvcdecisionpointselectionSchema": {
+ "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+ "properties": {
+ "name": {
+ "description": "Name of the Decision Point that were evaluated",
+ "title": "name",
+ "type": "string",
+ "examples": [
+ "Automatable",
+ "Exploitation"
+ ]
+ },
+ "namespace": {
+ "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+ "title": "namespace",
+ "type": "string",
+ "examples": [
+ "ssvc",
+ "cvvsv4"
+ ]
+ },
+ "values": {
+ "description": "Evaluated values of the Decision Point",
+ "title": "values",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "description": "Each value that were down-selected for a Decision Point",
+ "title": "values",
+ "type": "string"
+ }
+ },
+ "version": {
+ "description": "Version of the Decision Points that were evaluated",
+ "title": "version",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "required": [
+ "name",
+ "namespace",
+ "values",
+ "version"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "properties": {
+ "id": {
+ "$ref": 
"#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/id"
+ },
+ "role": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/timestamp"
+ },
+ "selections": {
+ "description": "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+ },
 "other": {
 "type": "object",
 "description": "A non-standard impact description, may be prose or JSON block.",
@@ -3414,4 +3532,4 @@
 "additionalProperties": false
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
index da1532278c..cce1ba7938 100644
--- a/schema/docs/full-record-advanced-example.json
+++ b/schema/docs/full-record-advanced-example.json
@@ -14,7 +14,7 @@
 "providerMetadata": {
 "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
 "shortName": "example",
- "dateUpdated": "2021-09-08T16:24:00.000Z"
+ "dateUpdated": "2021-09-08T16:24:00.000Z"
 },
 "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
 "datePublic": "2021-09-08T16:24:00.000Z",
@@ -111,15 +111,15 @@ }, { "lang": "eo", - "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn. Ĉi tiu afero efikas: 1.0-versioj antaŭ 1.0.6, 2.1-versioj de 2.16 ĝis 2.1.9.", + "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn. \u0108i tiu afero efikas: 1.0-versioj anta\u016d 1.0.6, 2.1-versioj de 2.16 \u011dis 2.1.9.", "supportingMedia": [ { "type": "text/html", "base64": false, - "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.

Ĉi tiu afero efikas:
  • 1.0-versioj antaŭ 1.0.6
  • 2.1-versioj de 2.16 ĝis 2.1.9.
" + "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn.

\u0108i tiu afero efikas:
  • 1.0-versioj anta\u016d 1.0.6
  • 2.1-versioj de 2.16 \u011dis 2.1.9.
"
 }
 ]
- }
+ }
 ],
 "metrics": [
 {
@@ -130,11 +130,35 @@
 "value": "GENERAL"
 }
 ],
- "cvssV4_0": {
+ "ssvcV1_0_1": {
+ "id": "CVE-1337-1234",
+ "selections": [
+ {
+ "namespace": "ssvc",
+ "name": "Exploitation",
+ "values": [
+ "Public PoC",
+ "Active"
+ ],
+ "version": "1.1.0"
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Technical Impact",
+ "values": [
+ "Total"
+ ],
+ "version": "1.0.0"
+ }
+ ],
+ "timestamp": "1999-04-23T18:25:43.511Z",
+ "schemaVersion": "1-0-1"
+ },
+ "cvssV4_0": {
 "baseScore": 7.8,
 "baseSeverity": "HIGH",
 "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L",
- "version":"4.0"
+ "version": "4.0"
 },
 "cvssV3_1": {
 "version": "3.1",
@@ -313,4 +337,4 @@
 ]
 }
 }
-}
+}
\ No newline at end of file
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index 4643a01f17..41f55cd7eb 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -1,5 +1,6 @@
 {
 "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group_Selection-1-0-1.schema.json",
 "definitions": {
 "id": {
 "type": "string",
@@ -61,9 +62,9 @@
 "version"
 ],
 "additionalProperties": false
- },
- "SsvcdecisionpointgroupselectionSchema": {
- "properties": {
+ }
+ },
+ "properties": {
 "id": {
 "$ref": "#/definitions/id"
 },
@@ -85,7 +86,7 @@
 "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
 }
 }
- },
+ },
 "type": "object",
 "required": [
 "selections",
@@ -94,12 +95,4 @@
 "schemaVersion"
 ],
 "additionalProperties": false
- }
- },
- "type": "object",
- "properties": {
- "SsvcdecisionpointgroupselectionSchema": {
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
- }
- }
 }
diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js
index 7409ce807b..f001d51813 100644
--- a/schema/support/schema2markmap/schema-bundle.js
+++ b/schema/support/schema2markmap/schema-bundle.js
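Review bot: With the group selection now at the root, `timestamp` is the only time field and it relies on `"format": "date-time"`, which draft-07 treats as an annotation unless the validator enables format assertions, so a malformed timestamp can pass; if the record format enforces its own timestamps with a `pattern` (not visible here), pointing this property at that definition, or adding the same `pattern`, would keep the two consistent. `role` also stays optional and unconstrained after the move, so an SSVC block can omit the stakeholder role that gives the selections their meaning; if that is intended, a root-level `description` saying so would help readers of the bundled docs. The closing brace of this hunk is the end of the file.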
@@ -21,7 +21,7 @@ async function schemaBundle() { delete metricProperties.cvssV3_1.license; delete metricProperties.cvssV3_0.license; delete metricProperties.cvssV2_0.license; - + delete metricProperties.ssvcV1_0_1.$id; fs.writeFile(`${dirName}/CVE_Record_Format.json`, JSON.stringify(cveSchemaBundle, null, 2), From 00989854805b16889a3f7692d2cb809a9eb2f37d Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Thu, 24 Oct 2024 12:29:51 -0400 Subject: [PATCH 6/8] Mistake in ID field of SSVC schema JSON --- schema/imports/ssvc/ssvc-v1.0.1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 41f55cd7eb..6475c100a0 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -1,6 +1,6 @@ { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group_Selection-1-0-1.schema.json", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", "definitions": { "id": { "type": "string", From bfe48973c30d8427dc62b419ea2eade777f59e23 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Thu, 24 Oct 2024 12:33:17 -0400 Subject: [PATCH 7/8] Fix the earlier CVE_Record_Format to CVE_Record_Form_bundled --- schema/support/schema2markmap/schema-bundle.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js index f001d51813..8c59a9bf7b 100644 --- a/schema/support/schema2markmap/schema-bundle.js +++ b/schema/support/schema2markmap/schema-bundle.js 
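Review bot: `delete metricProperties.ssvcV1_0_1.$id;` throws a TypeError when `ssvcV1_0_1` is missing from the metrics properties (for example when bundling a schema revision that does not import it), which aborts the bundle before `fs.writeFile` runs; `delete metricProperties.ssvcV1_0_1?.$id;` makes it a no-op instead, though the three `license` deletes above have the same shape, so the file's convention may be to assume presence. The line also deserves a why-comment, since stripping a `$id` is not self-explanatory — from the commit subject it appears to be `// drop the remote $id so the bundler does not resolve the embedded definitions as a separate document`, but confirm the wording with the author. schemaBundle starts before this hunk and continues after it.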
@@ -23,7 +23,7 @@ async function schemaBundle() { delete metricProperties.cvssV2_0.license; delete metricProperties.ssvcV1_0_1.$id; - fs.writeFile(`${dirName}/CVE_Record_Format.json`, + fs.writeFile(`${dirName}/CVE_Record_Format_bundled.json`, JSON.stringify(cveSchemaBundle, null, 2), err => { if(err) From cf19848ae57b2aea15f77861499e6864d058d021 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Thu, 19 Dec 2024 17:09:56 -0500 Subject: [PATCH 8/8] Fixed spelling mistake in cvss feeback from @ElectricNroff --- schema/imports/ssvc/ssvc-v1.0.1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 6475c100a0..ca86032e49 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -35,7 +35,7 @@ "description": "SSVC Namespace that were used for defining the evaluated Decision Points", "title": "namespace", "type": "string", - "examples": ["ssvc","cvvsv4"] + "examples": ["ssvc","cvssv4"] }, "values": { "description": "Evaluated values of the Decision Point",
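Review bot: The corrected `fs.writeFile` call is still callback-style inside `async function schemaBundle()` and is not awaited, so the function resolves before the bundle is on disk and a failed write only reaches the callback's `if(err)` branch rather than the caller's promise chain. If `fs` here is Node's `fs` module, `await fs.promises.writeFile(outPath, JSON.stringify(cveSchemaBundle, null, 2));` with `outPath` holding the same template string would let the error propagate as a rejection (and a non-zero exit when unhandled), which matters for a build step that CI depends on. schemaBundle begins before this hunk and the callback body continues after it.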