SSVC

- addresses parts of #803 - update referenced schemas for SSVC
oasis-tcs · Mar 1, 2025 · 4a421c3 · 4a421c3
1 parent f7fbb1f
commit 4a421c3
Show file tree

Hide file tree

Showing 6 changed files with 155 additions and 46 deletions.
diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json
@@ -0,0 +1,125 @@
+{
+	"$schema": "https://json-schema.org/draft/2020-12/schema",
+	"title": "Decision Point schema definition",
+	"$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json",
+	"description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.",
+	"$defs": {
+		"schemaVersion": {
+			"description": "Schema version used to represent this Decision Point.",
+			"type": "string",
+			"enum": [
+				"1-0-1"
+			]
+		},
+		"decision_point_value": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"key": {
+					"type": "string",
+					"description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.",
+					"minLength": 1,
+					"examples": [
+						"P",
+						"Y"
+					]
+				},
+				"name": {
+					"type": "string",
+					"description": "A short label that identifies a Decision Point Value",
+					"minLength": 1,
+					"examples": [
+						"Public PoC",
+						"Yes"
+					]
+				},
+				"description": {
+					"type": "string",
+					"description": "A full description of the Decision Point Value.",
+					"minLength": 1,
+					"examples": [
+						"One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.",
+						"Attackers can reliably automate steps 1-4 of the kill chain."
+					]
+				}
+			},
+			"required": [
+				"key",
+				"name",
+				"description"
+			]
+		},
+		"decision_point": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"schemaVersion": {
+					"$ref": "#/$defs/schemaVersion"
+				},
+				"namespace": {
+					"type": "string",
+					"description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.",
+					"pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$",
+					"examples": [
+						"ssvc",
+						"cvss",
+						"ssvc-jp",
+						"ssvc/acme",
+						"ssvc/example.com"
+					]
+				},
+				"version": {
+					"type": "string",
+					"description": "Version (a semantic version string) that identifies the version of a Decision Point.",
+					"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
+					"examples": [
+						"1.0.1",
+						"1.0.1-alpha"
+					]
+				},
+				"key": {
+					"type": "string",
+					"description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point.",
+					"minLength": 1,
+					"examples": [
+						"E",
+						"A"
+					]
+				},
+				"name": {
+					"type": "string",
+					"description": "A short label that identifies a Decision Point.",
+					"minLength": 1,
+					"examples": [
+						"Exploitation",
+						"Automatable"
+					]
+				},
+				"description": {
+					"type": "string",
+					"description": "A full description of the Decision Point, explaining what it represents and how it is used in SSVC.",
+					"minLength": 1
+				},
+				"values": {
+					"description": "A set of possible answers for a given Decision Point",
+					"uniqueItems": true,
+					"type": "array",
+					"minItems": 1,
+					"items": {
+						"$ref": "#/$defs/decision_point_value"
+					}
+				}
+			},
+			"required": [
+				"namespace",
+				"version",
+				"key",
+				"name",
+				"description",
+				"values",
+				"schemaVersion"
+			]
+		}
+	},
+	"$ref": "#/$defs/decision_point"
+}
diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
@@ -1,73 +1,53 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
+  "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.",
   "$defs": {
     "id": {
       "type": "string",
-      "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+      "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
       "examples": [
-        "CVE-2024-101010",
+        "CVE-1900-1234",
         "VU#11111",
         "GHSA-11a1-22b2-33c3"
-      ]
+      ],
+      "minLength": 1
     },
     "role": {
       "type": "string",
-      "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+      "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
       "examples": [
         "Supplier",
         "Deployer",
         "Coordinator"
-      ]
+      ],
+      "minLength": 1
     },
     "timestamp": {
-      "description": "Date and time in ISO format  ISO 8601 format",
+      "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.",
       "type": "string",
       "format": "date-time"
     },
-    "schemaVersion": {
-      "description": "Schema version used to represent this evaluation",
-      "type": "string",
-      "enum": [
-        "1-0-1"
-      ]
-    },
     "SsvcdecisionpointselectionSchema": {
-      "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+      "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.",
       "properties": {
         "name": {
-          "description": "Name of the Decision Point that were evaluated",
-          "title": "name",
-          "type": "string",
-          "examples": [
-            "Automatable",
-            "Exploitation"
-          ]
+          "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name"
         },
         "namespace": {
-          "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
-          "title": "namespace",
-          "type": "string",
-          "examples": [
-            "ssvc",
-            "cvssv4"
-          ]
+          "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace"
         },
         "values": {
-          "description": "Evaluated values of the Decision Point",
+          "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.",
           "title": "values",
           "type": "array",
           "minItems": 1,
           "items": {
-            "description": "Each value that were down-selected for a Decision Point",
-            "title": "values",
-            "type": "string"
+            "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name"
           }
         },
         "version": {
-          "description": "Version of the Decision Points that were evaluated",
-          "title": "version",
-          "type": "string"
+          "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version"
         }
       },
       "type": "object",
@@ -88,13 +68,13 @@
       "$ref": "#/$defs/role"
     },
     "schemaVersion": {
-      "$ref": "#/$defs/schemaVersion"
+      "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion"
     },
     "timestamp": {
       "$ref": "#/$defs/timestamp"
     },
     "selections": {
-      "description": "An array of Decision Points and their Values that were down-selected or evaluated ",
+      "description": "An array of Decision Points and their selected values for the identified Vulnerability.  If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.",
       "title": "selections",
       "type": "array",
       "minItems": 1,
@@ -111,4 +91,4 @@
     "schemaVersion"
   ],
   "additionalProperties": false
-}
+}
diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh
@@ -8,7 +8,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
-SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
+SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json
+SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -21,7 +22,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
+  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED

diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh
@@ -7,7 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
-SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
+SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json
+SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/examples/csaf/$1/*.json
@@ -19,7 +20,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
+  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED

diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh
@@ -7,7 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
-SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
+SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json
+SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -20,7 +21,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
+  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED

diff --git a/csaf_2.1/test/validator/run_tests.sh b/csaf_2.1/test/validator/run_tests.sh
@@ -7,7 +7,8 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
-SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
+SSVC_101_DP_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point-1-0-1.schema.json
+SSVC_101_DPVS_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/test/validator/data/$1/*.json
@@ -22,7 +23,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
+  if python3 $VALIDATOR $SCHEMA $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_DPVS_SCHEMA} ${SSVC_101_DP_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED