There might be a typo in the ssvc data example.

CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization

https://certcc.github.io/SSVC/

Other

116 stars 32 forks source link

There might be a typo in the ssvc data example. #584

Open ziadhany opened 2 weeks ago

ziadhany commented 2 weeks ago

I spotted a potential typo in the ssvc data example. Could you please take a look at SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/ and confirm if it's correct?

I think the correct ssvc should be like this: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/

https://github.com/CERTCC/SSVC/blob/a34a9768ef75209f8c1dd1bc2cf0523ba4d243c8/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json#L5-L25

sei-vsarvepalli commented 1 week ago

Hello @ziadhany

Thanks for catching this. It is from the earlier definition of Virulence that needs to be fixed. We will take care of the clean up soon. Also need to update the "Automatable" that has a label "V" to "A"

https://github.com/CERTCC/SSVC/blob/a34a9768ef75209f8c1dd1bc2cf0523ba4d243c8/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json#L54-L56

Thanks