cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

SSVC values are not consistently cased #16

Closed bjedwards closed 1 month ago

bjedwards commented 1 month ago

🐛 Summary

For some CVEs, the SSVC values sometimes start with an uppercase letter and sometimes with a lowercase letter.

To reproduce

Examples

Expected behavior

The casing should be consistent across values. This doesn't have a huge impact on parsing the data, but it did make me do a double take. I am ambivalent about which is "correct".

jwoytek-cisa commented 1 month ago

@bjedwards thank you for the report! We have some older SSVC score data and some newer data, and there are a few casing inconsistencies between them. Fixing the data may take a bit, but we are looking at the inconsistency issue so that they will match moving forward.

bjedwards commented 1 month ago

Thanks, @jwoytek-cisa ! If this is not really something that's an issue, feel free to close. If you'd like someone to do it, I could probably convert the data to one or the other and make a PR.

amanion-cisa commented 1 month ago

Appreciate the offer for a PR but it'll probably be more robust to fix this issue earlier in processing and closer to the data source. The case shall be lower, and lower shall be the case. Also SSVC values should be treated as case-insensitive, which should be documented publicly.

Edit: Not entirely sure if or when we'd convert to all lower case. In theory, we'd follow any existing external spec/schema, some part of SSVC in this case. But SSVC isn't entirely clear: https://github.com/CERTCC/SSVC/blob/c3ed2f4455cff6ebf5bcaf0d1d4eadf090dd4957/docs/ssvc-calc/CISA-Coordinator.json

For documentation I'll suggest: "JSON element names and values in SSVC options are case insensitive."

bjedwards commented 1 month ago

@amanion-cisa Not exactly sure whether this is a vulnrichment comment or an SSVC comment, but since we've got the convo going I'll leave it here. From a consumer standpoint I would prefer "The case shall be lower, and lower shall be the case" (or upper, or title case for that matter).

By declaring it case insensitive you make it slightly easier for folks producing the score (one less thing to trip on in the schema), but harder for those of us consuming it. It means every consumer, which we hope are more than the producers, has to do a lower(ssvc) when parsing values. My $0.02.
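As an added example (not code from the vulnrichment project or from anyone in this thread), here is the consumer-side normalization discussed in the two comments above, done once at parse time in Python: keys and values are compared case-insensitively, mapped to a canonical lowercase form, and validated against a fixed vocabulary so that "None" and "none" can never end up as two different scores downstream. The record shape (containers.adp[].metrics[].other with type "ssvc" and content.options) and the decision-point vocabulary are my assumptions based on the CISA-Coordinator.json linked above; the sample records are constructed, not real vulnrichment data.

```python
"""Consumer-side normalizer for SSVC options in vulnrichment-style CVE records.

Added example, not code from the vulnrichment project. Assumptions are
marked in comments.
"""

# Assumption: canonical option vocabulary for the CISA Coordinator decision
# points, as read from the CISA-Coordinator.json linked in the thread.
# Lowercase is the canonical form, matching the thread's conclusion.
CANONICAL_OPTIONS = {
    "exploitation": {"none", "poc", "active"},
    "automatable": {"no", "yes"},
    "technical impact": {"partial", "total"},
    "mission & well-being": {"low", "medium", "high"},
}


def _norm(text):
    """Case-insensitive and whitespace-insensitive key/value normalization."""
    return " ".join(str(text).strip().lower().split())


def normalize_ssvc_options(options):
    """Normalize a list of single-key option dicts, e.g. [{"Exploitation": "None"}].

    Returns {canonical_decision_point: canonical_value}. Raises ValueError for
    unknown decision points, unknown values, or conflicting duplicates, so a
    consumer fails loudly instead of silently accepting a typo as a new value.
    """
    result = {}
    for entry in options:
        for raw_key, raw_value in entry.items():
            key, value = _norm(raw_key), _norm(raw_value)
            if key not in CANONICAL_OPTIONS:
                raise ValueError(f"unknown SSVC decision point: {raw_key!r}")
            if value not in CANONICAL_OPTIONS[key]:
                raise ValueError(f"unknown value {raw_value!r} for {raw_key!r}")
            if key in result and result[key] != value:
                raise ValueError(f"conflicting values for {raw_key!r}")
            result[key] = value
    return result


def is_valid_options(options):
    """True if the option list normalizes without error."""
    try:
        normalize_ssvc_options(options)
        return True
    except ValueError:
        return False


def extract_ssvc(record):
    """Yield normalized SSVC option dicts from a CVE record's ADP containers.

    Assumption: the record follows the CVE JSON 5.x shape used by vulnrichment,
    with SSVC stored under containers.adp[].metrics[].other where type is
    "ssvc" and the options list sits under other.content.options.
    """
    for adp in record.get("containers", {}).get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if _norm(other.get("type", "")) != "ssvc":
                continue
            content = other.get("content", {})
            yield normalize_ssvc_options(content.get("options", []))


def same_score(record_a, record_b):
    """Compare two records' SSVC scores after normalization."""
    return list(extract_ssvc(record_a)) == list(extract_ssvc(record_b))


def _record(options):
    """Build a constructed record (not real data) around one SSVC options list."""
    return {"containers": {"adp": [{"metrics": [
        {"other": {"type": "ssvc", "content": {"options": options}}}]}]}}


# Constructed samples: the same score, once with the older capitalized casing
# and once lowercased as the maintainers say new data will be.
OLD_STYLE = _record([{"Exploitation": "None"}, {"Automatable": "No"},
                     {"Technical Impact": "Partial"}])
NEW_STYLE = _record([{"exploitation": "none"}, {"automatable": "no"},
                     {"technical impact": "partial"}])

if __name__ == "__main__":
    print(list(extract_ssvc(OLD_STYLE)))
    print("same score after normalization:", same_score(OLD_STYLE, NEW_STYLE))
    print("typo rejected:", not is_valid_options([{"Exploitation": "actve"}]))
```

Validating against a closed vocabulary is the part that matters more than the lower() call itself: a case-insensitive consumer that merely lowercases would happily pass through a misspelled or unexpected value, whereas this one raises, which is the behaviour you want when the score feeds a prioritization pipeline.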

jwoytek-cisa commented 1 month ago

@bjedwards going forward, these will be lowercased in the data. There remain some inconsistencies in the current dataset that we will address.