Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Related to #348 SSVC1.0.1 additions. #350

Open
wants to merge 8 commits into
base: feature-144-SSVC
Choose a base branch
from
Open

Related to #348 SSVC1.0.1 additions. #350

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
868b769
adding SSVC v1.0.1 production schema to the CVE Record metrics block.
ccoffin Oct 2, 2024
54fbea8
added properties to root of schema to fix definition reference issue.
ccoffin Oct 4, 2024
54f561c
added object type to properties.
ccoffin Oct 4, 2024
1b1ae14
removed and value and added type object to root.
ccoffin Oct 4, 2024
9e5c220
Updated SSVC schema with examples due to bug in json-schema-parser fo…
sei-vsarvepalli Oct 4, 2024
0098985
Mistake in ID field of SSVC schema JSON
sei-vsarvepalli Oct 24, 2024
bfe4897
Fix the earlier CVE_Record_Format to CVE_Record_Form_bundled
sei-vsarvepalli Oct 24, 2024
cf19848
Fixed spelling mistake in cvss feeback from @ElectricNroff
sei-vsarvepalli Dec 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions schema/CVE_Record_Format.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -859,6 +859,9 @@
{
"required": ["cvssV2_0"]
},
{
"required": ["ssvcV1_0_1"]
},
{
"required": ["other"]
}
Expand Down Expand Up @@ -898,6 +901,7 @@
"cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
"cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
"cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
"ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
"other": {
"type": "object",
"description": "A non-standard impact description, may be prose or JSON block.",
Expand Down
120 changes: 119 additions & 1 deletion schema/docs/CVE_Record_Format_bundled.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -973,6 +973,11 @@
"cvssV2_0"
]
},
{
"required": [
"ssvcV1_0_1"
]
},
{
"required": [
"other"
Expand Down Expand Up @@ -3057,6 +3062,119 @@
],
"additionalProperties": false
},
"ssvcV1_0_1": {
"$schema": "http://json-schema.org/draft-07/schema#",
"definitions": {
"id": {
"type": "string",
"description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
"examples": [
"CVE-2024-101010",
"VU#11111",
"GHSA-11a1-22b2-33c3"
]
},
"role": {
"type": "string",
"description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
"examples": [
"Supplier",
"Deployer",
"Coordinator"
]
},
"timestamp": {
"description": "Date and time in ISO format ISO 8601 format",
"type": "string",
"format": "date-time"
},
"schemaVersion": {
"description": "Schema version used to represent this evaluation",
"type": "string",
"enum": [
"1-0-1"
]
},
"SsvcdecisionpointselectionSchema": {
"description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
"properties": {
"name": {
"description": "Name of the Decision Point that were evaluated",
"title": "name",
"type": "string",
"examples": [
"Automatable",
"Exploitation"
]
},
"namespace": {
"description": "SSVC Namespace that were used for defining the evaluated Decision Points",
"title": "namespace",
"type": "string",
"examples": [
"ssvc",
"cvvsv4"
]
},
"values": {
"description": "Evaluated values of the Decision Point",
"title": "values",
"type": "array",
"minItems": 1,
"items": {
"description": "Each value that were down-selected for a Decision Point",
"title": "values",
"type": "string"
}
},
"version": {
"description": "Version of the Decision Points that were evaluated",
"title": "version",
"type": "string"
}
},
"type": "object",
"required": [
"name",
"namespace",
"values",
"version"
],
"additionalProperties": false
}
},
"properties": {
"id": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/id"
},
"role": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/role"
},
"schemaVersion": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/schemaVersion"
},
"timestamp": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/timestamp"
},
"selections": {
"description": "An array of Decision Points and their Values that were down-selected or evaluated ",
"title": "selections",
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/SsvcdecisionpointselectionSchema"
}
}
},
"type": "object",
"required": [
"selections",
"id",
"timestamp",
"schemaVersion"
],
"additionalProperties": false
},
"other": {
"type": "object",
"description": "A non-standard impact description, may be prose or JSON block.",
Expand Down Expand Up @@ -3414,4 +3532,4 @@
"additionalProperties": false
}
]
}
}
38 changes: 31 additions & 7 deletions schema/docs/full-record-advanced-example.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"shortName": "example",
"dateUpdated": "2021-09-08T16:24:00.000Z"
"dateUpdated": "2021-09-08T16:24:00.000Z"
},
"title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
"datePublic": "2021-09-08T16:24:00.000Z",
Expand Down Expand Up @@ -111,15 +111,15 @@
},
{
"lang": "eo",
"value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn. Ĉi tiu afero efikas: 1.0-versioj antaŭ 1.0.6, 2.1-versioj de 2.16 ĝis 2.1.9.",
"value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn. \u0108i tiu afero efikas: 1.0-versioj anta\u016d 1.0.6, 2.1-versioj de 2.16 \u011dis 2.1.9.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.<br><br> Ĉi tiu afero efikas:<br><ul><li>1.0-versioj antaŭ 1.0.6</li><li>2.1-versioj de 2.16 ĝis 2.1.9.</li></ul>"
"value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn.<br><br> \u0108i tiu afero efikas:<br><ul><li>1.0-versioj anta\u016d 1.0.6</li><li>2.1-versioj de 2.16 \u011dis 2.1.9.</li></ul>"
}
]
}
}
],
"metrics": [
{
Expand All @@ -130,11 +130,35 @@
"value": "GENERAL"
}
],
"cvssV4_0": {
"ssvcV1_0_1": {
"id": "CVE-1337-1234",
"selections": [
{
"namespace": "ssvc",
"name": "Exploitation",
"values": [
"Public PoC",
"Active"
],
"version": "1.1.0"
},
{
"namespace": "ssvc",
"name": "Technical Impact",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "1999-04-23T18:25:43.511Z",
"schemaVersion": "1-0-1"
},
"cvssV4_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L",
"version":"4.0"
"version": "4.0"
},
"cvssV3_1": {
"version": "3.1",
Expand Down Expand Up @@ -313,4 +337,4 @@
]
}
}
}
}
98 changes: 98 additions & 0 deletions schema/imports/ssvc/ssvc-v1.0.1.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
"definitions": {
"id": {
"type": "string",
"description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
"examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
},
"role": {
"type": "string",
"description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
"examples": ["Supplier","Deployer","Coordinator"]
},
"timestamp" : {
"description": "Date and time in ISO format ISO 8601 format",
"type": "string",
"format": "date-time"
},
"schemaVersion": {
"description": "Schema version used to represent this evaluation",
"type": "string",
"enum": ["1-0-1"]
},
"SsvcdecisionpointselectionSchema": {
"description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
"properties": {
"name": {
"description": "Name of the Decision Point that were evaluated",
"title": "name",
"type": "string",
"examples": ["Automatable", "Exploitation"]
},
"namespace": {
"description": "SSVC Namespace that were used for defining the evaluated Decision Points",
"title": "namespace",
"type": "string",
"examples": ["ssvc","cvssv4"]
},
"values": {
"description": "Evaluated values of the Decision Point",
"title": "values",
"type": "array",
"minItems": 1,
"items": {
"description": "Each value that were down-selected for a Decision Point",
"title": "values",
"type": "string"
}
},
"version": {
"description": "Version of the Decision Points that were evaluated",
"title": "version",
"type": "string"
}
},
"type": "object",
"required": [
"name",
"namespace",
"values",
"version"
],
"additionalProperties": false
}
},
"properties": {
"id": {
"$ref": "#/definitions/id"
},
"role": {
"$ref": "#/definitions/role"
},
"schemaVersion": {
"$ref": "#/definitions/schemaVersion"
},
"timestamp": {
"$ref": "#/definitions/timestamp"
},
"selections": {
"description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
"title": "selections",
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/SsvcdecisionpointselectionSchema"
}
}
},
"type": "object",
"required": [
"selections",
"id",
"timestamp",
"schemaVersion"
],
"additionalProperties": false
}
4 changes: 2 additions & 2 deletions schema/support/schema2markmap/schema-bundle.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,9 @@ async function schemaBundle() {
delete metricProperties.cvssV3_1.license;
delete metricProperties.cvssV3_0.license;
delete metricProperties.cvssV2_0.license;
delete metricProperties.ssvcV1_0_1.$id;


fs.writeFile(`${dirName}/CVE_Record_Format.json`,
fs.writeFile(`${dirName}/CVE_Record_Format_bundled.json`,
JSON.stringify(cveSchemaBundle, null, 2),
err => {
if(err)
Expand Down
Loading