CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
Creative Commons Zero v1.0 Universal

CERT/CC SSVC metrics for CVE using ADP #144

Open sei-vsarvepalli opened 2 years ago

sei-vsarvepalli commented 2 years ago

This is a follow-up after discussions in the CVE QWG meeting on the topic of being able to publish as an Authorized Data Provider (ADP) into CVE's current JSON schema. The CERT/CC Stakeholder Specific Vulnerability Categorization (SSVC) project attempts to provide vulnerability metrics in the form of decision trees for different vulnerability management communities.

More information about SSVC can be found in the SSVC Overview. In practice, SSVC code, examples and customization information are available in the GitHub repository (https://github.com/CERTCC/SSVC).

CERT/CC would like to publish such metrics in adherence to the CVE-5 JSON schema. We have a sample ADP enhanced CVE record that is available at https://democert.org/ssvc/cve-5/CVE-2022-0012-adp.json. This record validates properly for the current CVE-5.0 JSON schema.

The ADP container data from the example is also included here for convenience. Let us know how we can provide such data into CVE to support enrichment of the CVE JSON records.

    "adp": [{
        "providerMetadata": {
            "dateUpdated": "2022-02-09T18:45:53Z",
            "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0",
            "shortName": "cert_cc"
        },
        "datePublic": "2022-01-27T00:00:00",
        "metrics": [{
            "other": {
                "type": "ssvc",
                "content": {
                    "role": "Coordinator",
                    "id": "CVE-2022-0012",
                    "version": "2.0",
                    "generator": "Dryad SSVC Calculator 5.1.1",
                    "computed": "SSVCv2/E:N/A:Y/T:P/P:M/B:M/M:L/D:T/2022-02-09T18:45:53Z/",
                    "timestamp": "2022-02-09T18:45:53Z",
                    "options": [
                        {"Exploitation": "none"},
                        {"Automatable": "yes"},
                        {"Technical Impact": "partial"},
                        {"Mission Prevalence": "Minimal"},
                        {"Public Well-being Impact": "Minimal"},
                        {"Mission & Well-being": "low"},
                        {"Decision": "Track"}
                    ],
                    "$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",
                    "decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json"
                }
            }
        }]
    }]

Thanks Vijay

Additional stakeholders highlighted: @zmanion @david-waltermire-nist @chandanbn

ElectricNroff commented 2 years ago

I don't think that

"$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",

will be accepted by CVE Services during an ADP container submission. CVE Services uses Amazon DocumentDB to store JSON documents, and doesn't allow a $ character in that context (even though the schema allows it):

$schema is not accepted by the implementation. See https://github.com/CVEProject/cve-schema/issues/145 for other information about what happens within the CVE Services code, and what error a client would see.

sei-vsarvepalli commented 2 years ago

Hello @ElectricNroff

Thanks for your quick response. Happy to modify the $schema to be reference_schema (as below) and avoid any $ references so it poses less trouble. I was using $schema from JSON doc recommendations; not really married to that notation. Let me know if there are any other concerns to address.

    "adp": [{
        "providerMetadata": {
            "dateUpdated": "2022-02-09T18:45:53Z",
            "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0",
            "shortName": "cert_cc"
        },
        "datePublic": "2022-01-27T00:00:00",
        "metrics": [{
            "other": {
                "type": "ssvc",
                "content": {
                    "role": "Coordinator",
                    "id": "CVE-2022-0012",
                    "version": "2.0",
                    "generator": "Dryad SSVC Calculator 5.1.1",
                    "computed": "SSVCv2/E:N/A:Y/T:P/P:M/B:M/M:L/D:T/2022-02-09T18:45:53Z/",
                    "timestamp": "2022-02-09T18:45:53Z",
                    "options": [
                        {"Exploitation": "none"},
                        {"Automatable": "yes"},
                        {"Technical Impact": "partial"},
                        {"Mission Prevalence": "Minimal"},
                        {"Public Well-being Impact": "Minimal"},
                        {"Mission & Well-being": "low"},
                        {"Decision": "Track"}
                    ],
                    "reference_schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",
                    "decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json"
                }
            }
        }]
    }]

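
The two points raised in this exchange (CVE Services rejecting a `$`-prefixed key, and the `computed` vector carrying the same information as the `options` array) can be checked before submission. The script below is an added example written for this page; it is not code from the issue, from CVE Services or from CERT/CC. It assumes that any key beginning with `$` at any depth is rejected (the thread only shows `$schema`), and its letter-to-label table for the SSVCv2 vector is filled in only for the pairs visible in the posted records (E:N/P, A:Y/N, T:P, P:M, B:M, M:L, D:T); the remaining entries are assumptions, marked as such in the code. The sample container is constructed from the record posted above.

```python
"""Pre-submission checks for an SSVC ADP container.  Added example, not CVE
Services or CERT/CC code: rejects '$'-prefixed keys and cross-checks the
'computed' vector against 'options' and 'timestamp'.  Entries marked ASSUMED
are not taken from the thread's records."""
from __future__ import annotations

import re
from typing import Any, Iterator

# Letter -> label tables for the SSVCv2 computed vector.  Pairs visible in the
# thread: E:N none, E:P poc, A:Y yes, A:N no, T:P partial, P:M Minimal, B:M Minimal,
# M:L low, D:T Track.  All other entries are ASSUMED completions of the CISA
# Coordinator v2 tree and may differ from the official calculator's encoding.
VECTOR_FIELDS = {
    "E": ("Exploitation", {"N": "none", "P": "poc", "A": "active"}),
    "A": ("Automatable", {"N": "no", "Y": "yes"}),
    "T": ("Technical Impact", {"P": "partial", "T": "total"}),
    "P": ("Mission Prevalence", {"M": "Minimal", "S": "Support", "E": "Essential"}),
    "B": ("Public Well-being Impact", {"M": "Minimal", "A": "Material", "I": "Irreversible"}),
    "M": ("Mission & Well-being", {"L": "low", "M": "medium", "H": "high"}),
    "D": ("Decision", {"T": "Track", "R": "Track*", "A": "Attend", "C": "Act"}),
}
# Shape seen in the thread: SSVCv2/<K:V/>+<ISO-8601 UTC timestamp>/
VECTOR_RE = re.compile(r"^SSVCv2/((?:[A-Z]:[A-Z]/)+)(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)/$")


def parse_computed(vector: str) -> dict[str, str]:
    """Decode 'SSVCv2/E:N/A:Y/.../<ts>/' into {'Exploitation': 'none', ..., 'timestamp': ts}."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not an SSVCv2 computed vector: {vector!r}")
    decoded = {"timestamp": m.group(2)}
    for pair in m.group(1).rstrip("/").split("/"):
        key, letter = pair.split(":")
        if key not in VECTOR_FIELDS or letter not in VECTOR_FIELDS[key][1]:
            raise ValueError(f"unknown SSVC pair {pair!r} in {vector!r}")
        label, values = VECTOR_FIELDS[key]
        decoded[label] = values[letter]
    return decoded


def dollar_keys(node: Any, path: str = "") -> Iterator[str]:
    """Yield the JSON path of every object key that starts with '$', at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if k.startswith("$"):
                yield here
            yield from dollar_keys(v, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from dollar_keys(v, f"{path}[{i}]")


def check_adp_container(container: dict) -> list[str]:
    """Return the problems found; an empty list means the container passes."""
    problems = [f"key {p!r} begins with '$'" for p in dollar_keys(container)]
    for i, metric in enumerate(container.get("metrics", [])):
        if metric.get("other", {}).get("type") != "ssvc":
            continue
        content = metric["other"].get("content", {})
        try:
            decoded = parse_computed(content["computed"])
        except (KeyError, ValueError) as exc:
            problems.append(f"metrics[{i}]: {exc}")
            continue
        if decoded["timestamp"] != content.get("timestamp"):
            problems.append(f"metrics[{i}]: vector timestamp differs from content.timestamp")
        # 'options' is a list of single-key objects; fold it into one mapping.
        options = {k: v for item in content.get("options", []) for k, v in item.items()}
        for label, value in options.items():
            if decoded.get(label) != value:
                problems.append(f"metrics[{i}]: {label}: vector says {decoded.get(label)!r}, "
                                f"options say {value!r}")
    return problems


def rename_dollar_keys(node: Any, prefix: str = "reference_") -> Any:
    """Deep copy with each '$name' key renamed to prefix + name ('$schema' -> 'reference_schema')."""
    if isinstance(node, dict):
        return {(prefix + k[1:] if k.startswith("$") else k): rename_dollar_keys(v, prefix)
                for k, v in node.items()}
    if isinstance(node, list):
        return [rename_dollar_keys(v, prefix) for v in node]
    return node


# Constructed sample: the CVE-2022-0012 ADP container as first posted in the thread.
SAMPLE_ADP = {
    "providerMetadata": {"dateUpdated": "2022-02-09T18:45:53Z",
                         "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "cert_cc"},
    "datePublic": "2022-01-27T00:00:00",
    "metrics": [{"other": {"type": "ssvc", "content": {
        "role": "Coordinator", "id": "CVE-2022-0012", "version": "2.0",
        "generator": "Dryad SSVC Calculator 5.1.1",
        "computed": "SSVCv2/E:N/A:Y/T:P/P:M/B:M/M:L/D:T/2022-02-09T18:45:53Z/",
        "timestamp": "2022-02-09T18:45:53Z",
        "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"},
                    {"Mission Prevalence": "Minimal"}, {"Public Well-being Impact": "Minimal"},
                    {"Mission & Well-being": "low"}, {"Decision": "Track"}],
        "$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",
        "decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json",
    }}}],
}

if __name__ == "__main__":
    print("as posted:", check_adp_container(SAMPLE_ADP))   # flags the $schema key
    print("renamed:  ", check_adp_container(rename_dollar_keys(SAMPLE_ADP)))  # []
```

Running it on the container as first posted reports only the `$schema` key; after `rename_dollar_keys` (the same `$schema` to `reference_schema` change made in the reply above) the container passes. The vector/options cross-check catches a record whose human-readable options were edited without regenerating the vector, which is the kind of inconsistency a downstream consumer of the ADP container would otherwise have to resolve on its own.
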
sei-vsarvepalli commented 2 years ago

Just capturing these notes from the QWG meeting on 2022/03/10. Currently, CVE Services 2.1, which is about to launch and be ready soon, will not support publishing of ADP containers. It is planned somewhere in the fall for the next revision of CVE Services to accept JSON ADP containers. Once we are able to publish, CERT/CC can request an update to the CVE 5.1 JSON schema to include a well-formatted SSVC ADP record as a metric.

Vijay

david-waltermire commented 2 years ago

The QWG will need to address this as a new optional feature in v5.1. Marking this milestone.

zmanion commented 1 year ago

SPWG is prioritizing ADP. This came up at today's meeting in that certain ADPs, if they are approved to provide content that is not already part of the existing CNA container schema, would have to create a custom schema. This is the case for an SSVC ADP. It seems that a references ADP may be the first pilot; however, we'll need to develop a process for custom schema development and inclusion at some point.

sei-vsarvepalli commented 1 year ago

Our ADP container setup has been updated as follows. We are also tracking this with discussions under our SSVC repository - https://github.com/CERTCC/SSVC/discussions/229

{
    "adpContainer": {
        "providerMetadata": {
            "dateUpdated": "2022-02-09T18:45:53Z",
            "orgId": "e9c1279f-00f6-4ef7-9217-f89ffe703ec0",
            "shortName": "cert_cc"
        },
        "datePublic": "2022-01-27T00:00:00",
        "metrics": [
            {
                "other": {
                    "type": "ssvc",
                    "content": {
                        "role": "CISA-Coordinator",
                        "id": "CVE-2022-45119",
                        "version": "2.0",
                        "generator": "Dryad SSVC Calculator 5.1.7",
                        "computed": "SSVCv2/E:P/A:N/T:T/P:S/B:M/M:M/D:R/2023-06-20T14:33:57Z/",
                        "timestamp": "2023-06-20T14:33:57Z",
                        "options": [
                            {
                                "Exploitation": "poc"
                            },
                            {
                                "Automatable": "no"
                            }
                        ],
                        "reference_schema": "https://certcc.github.io/SSVC/ssvc-calc/SSVC_Computed_v2.03.schema.json",
                        "decision_tree_url": "https://certcc.github.io/SSVC/ssvc-calc/CISA-Coordinator-v2.0.3.json"
                    }
                }
            }
        ]
    }
}

ADP testing is ready to start and we will be working with CVE AWG on feedback.

Thanks Vijay