CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

Model CVSSv4 macrovectors as an SSVC tree #329

Open ahouseholder opened 1 year ago

ahouseholder commented 1 year ago

CVSS v4 uses the concept of macrovectors. I'm not going to explain that here, check out the CVSS v4 spec for that.

It might be interesting to use SSVC to construct a model of CVSSv4 macrovectors -> CVSSv4 categories (Low, Medium, High, Critical) for demonstration purposes.
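The macrovector-to-tree idea above, as an added example that is not part of this issue thread and not code from the ssvc package: it parses a CVSS v4.0 vector string, applies the v4.0 defaults (E:X scores as A, CR/IR/AR:X as H, M* metrics override their base metric), computes the six equivalence-set values EQ1..EQ6 from the definitions in the CVSS v4.0 specification, and lays those six EQs out as SSVC-style decision points so that a macrovector is one path through the tree. The decision-point dict shape is an assumed simplification of SSVC's DecisionPoint; the macrovector-to-score lookup table is not reproduced here, only the score-to-rating bands (None/Low/Medium/High/Critical) from the spec.

```python
import itertools

# Single-letter values allowed per metric, from the CVSS v4.0 specification:
# base, threat (E) and environmental (CR/IR/AR plus the M* modified base) groups.
# Supplemental metrics are rejected; they never influence the macrovector.
METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
    "E": "XAPU", "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN", "MSC": "XHLN",
    "MSI": "XSHLN", "MSA": "XSHLN",  # only modified SI/SA may be S (Safety)
}
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# The six equivalence sets as SSVC-style decision points. The key/name/values
# dict is an assumed simplification, not the ssvc package's DecisionPoint class.
EQ_DECISION_POINTS = (
    {"key": "EQ1", "name": "Exploitability: AV/PR/UI", "values": ("0", "1", "2")},
    {"key": "EQ2", "name": "Exploitability: AC/AT", "values": ("0", "1")},
    {"key": "EQ3", "name": "Vulnerable system impact: VC/VI/VA", "values": ("0", "1", "2")},
    {"key": "EQ4", "name": "Subsequent system impact: SC/SI/SA", "values": ("0", "1", "2")},
    {"key": "EQ5", "name": "Exploit maturity: E", "values": ("0", "1", "2")},
    {"key": "EQ6", "name": "Security requirements: CR/IR/AR", "values": ("0", "1")},
)


def parse_vector(vector):
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}; base metrics are mandatory."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("expected a 'CVSS:4.0/...' vector string")
    metrics = {}
    for part in parts[1:]:
        key, _, val = part.partition(":")
        if key not in METRICS or len(val) != 1 or val not in METRICS[key]:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if key in metrics:
            raise ValueError(f"metric {key} given twice")
        metrics[key] = val
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def effective_metrics(metrics):
    """Apply v4.0 defaults: M* overrides base when not X, E:X -> A, CR/IR/AR:X -> H."""
    eff = {}
    for m in BASE:
        modified = metrics.get("M" + m, "X")
        eff[m] = metrics[m] if modified == "X" else modified
    eff["E"] = metrics.get("E", "X").replace("X", "A")
    for req in ("CR", "IR", "AR"):
        eff[req] = metrics.get(req, "X").replace("X", "H")
    return eff


def macrovector(metrics):
    """Return the 6-character macrovector EQ1..EQ6 for parsed metrics."""
    m = effective_metrics(metrics)
    all_n = m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"
    any_n = m["AV"] == "N" or m["PR"] == "N" or m["UI"] == "N"
    eq1 = 0 if all_n else 1 if (any_n and m["AV"] != "P") else 2
    eq2 = 0 if (m["AC"] == "L" and m["AT"] == "N") else 1
    vc, vi, va = (m[k] == "H" for k in ("VC", "VI", "VA"))
    eq3 = 0 if (vc and vi) else 1 if (vc or vi or va) else 2
    if m["SI"] == "S" or m["SA"] == "S":
        eq4 = 0
    else:
        eq4 = 1 if "H" in (m["SC"], m["SI"], m["SA"]) else 2
    eq5 = {"A": 0, "P": 1, "U": 2}[m["E"]]
    req_high = any(m[r] == "H" and m[v] == "H"
                   for r, v in (("CR", "VC"), ("IR", "VI"), ("AR", "VA")))
    eq6 = 0 if req_high else 1
    return "".join(str(eq) for eq in (eq1, eq2, eq3, eq4, eq5, eq6))


def macrovector_from_vector(vector):
    return macrovector(parse_vector(vector))


def macrovector_as_path(vector):
    """The macrovector as a path through the EQ decision points: [(key, value), ...]."""
    return [(dp["key"], v) for dp, v in zip(EQ_DECISION_POINTS, macrovector_from_vector(vector))]


def valid_macrovectors():
    """All macrovectors a vector can actually produce. EQ3=2 means no High among
    VC/VI/VA, which makes EQ6=0 unreachable; that leaves 270 of the 324 tuples."""
    combos = itertools.product(*(dp["values"] for dp in EQ_DECISION_POINTS))
    return {"".join(c) for c in combos if not (c[2] == "2" and c[5] == "0")}


def severity(score):
    """CVSS v4.0 qualitative rating bands for a numeric score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must be within 0.0..10.0")
    if score == 0.0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


if __name__ == "__main__":
    # Constructed sample vector, not taken from any real advisory.
    sample = "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
    print(macrovector_from_vector(sample), macrovector_as_path(sample))
    print(len(valid_macrovectors()), "reachable macrovectors")
```

The tree view here is only the structure j--- mentions; turning a macrovector into a Low/Medium/High/Critical label still needs the spec's macrovector score table, which is the part decided by the community ranking rather than by the tree.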

sei-vsarvepalli commented 1 year ago

Here is the JSON representation of the CVSSv4 as a Decision Tree - we can save it for later. CVSS_v4_as_Tree_json.txt

j--- commented 1 year ago

We definitely arranged the equivalency sets in a decision tree. However, the process for community voting on assigning relative ranking (and therefore the labels 0.1 to 10.0) is probably more interesting than the fact that the equivalence sets are arranged into a decision tree.

Is there anything else to do for this? I don't see any further concrete value add.

ahouseholder commented 1 year ago

> Is there anything else to do for this? I don't see any further concrete value add.

Yeah, I want this to exist in python because I want to be able to do things with it like use some of the other tooling I'm building on it.

sei-vsarvepalli commented 1 week ago

Here is a script, to be kept for later, for enumerating CVSS vectors as SSVC decision points, and as a back-pocket way of generating the CVSS JSON files as well.

import importlib

# CVSS metric modules under ssvc.decision_points.cvss; each one defines one or
# more versioned decision-point constants named after the module.
mods = ["attack_complexity", "attack_requirements", "attack_vector",
        "authentication", "availability_impact", "availability_requirement",
        "collateral_damage_potential", "confidentiality_impact",
        "confidentiality_requirement", "exploitability", "helpers",
        "impact_bias", "integrity_impact", "integrity_requirement",
        "privileges_required", "remediation_level", "report_confidence",
        "scope", "subsequent_availability_impact",
        "subsequent_confidentiality_impact", "subsequent_integrity_impact",
        "target_distribution", "user_interaction"]
for mod in mods:
    module = importlib.import_module(f"ssvc.decision_points.cvss.{mod}")
    # Select the constants whose name contains the module name,
    # e.g. user_interaction -> USER_INTERACTION_2
    for dp in dir(module):
        if mod.upper() in dp.upper():
            print(mod, dp)
            sdp = getattr(module, dp)
            # One JSON file per decision point, named after the constant
            with open(f"{dp.lower()}.json", "w") as f:
                f.write(sdp.to_json())