mitre / inspec_tools

A command-line and ruby API of utilities, converters and tools for creating, converting and processing security baseline formats, results and data
https://inspec-tools.mitre.org/

Standardize Severity Tag on CVSS 3.0 Terms #107

Closed Bialogs closed 4 years ago

Bialogs commented 4 years ago

The severity tag should standardize on the CVSS terms 'none', 'low', 'medium', 'high' and 'critical'

CAT 4 or IV = none
CAT 3 or III = low
CAT 2 or II = medium
CAT 1 or I = high

So if I have an input source: XCCDF, CSV, PDF, XLS all have severity and impact in different forms. In the end our 'inspec stubs' will always have the CVSS 3.0 standard of:

severity: 'none|low|medium|high|critical'
impact: '0.0 | 0.3 | 0.5 | 0.7 | 1.0'

Bialogs commented 4 years ago

Documented in Wiki https://github.com/mitre/inspec_tools/wiki/Expected-Output

Bialogs commented 4 years ago

There is currently a bug where we do not set severity when converting to inspec from anything other than xlsx.

Bialogs commented 4 years ago

We should look into updating the get_impact_string function to handle the case where we want to convert into a non-CVSS format like the CKL.

Maybe: Pass in an option to convert 'critical' to 'high' automatically.
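The mapping proposed in the first comment, plus the "fold critical into high" option suggested for get_impact_string, written out as an added Ruby example (not inspec_tools' own code; the function names and the accepted input spellings are assumptions):

```ruby
# Added example, not part of inspec_tools: normalise the severity values found
# in XCCDF, CSV, PDF and XLS inputs onto the CVSS 3.0 terms and the impact
# scores listed in the issue, with an option to fold 'critical' into 'high'
# for targets such as CKL that have no 'critical' level.

CVSS_TERMS = %w[none low medium high critical].freeze

# Impact score for each CVSS term, as given in the issue.
IMPACT_FOR = {
  'none' => 0.0, 'low' => 0.3, 'medium' => 0.5, 'high' => 0.7, 'critical' => 1.0
}.freeze

# DISA CAT level (arabic or roman numeral) -> CVSS term, as given in the issue.
CAT_FOR = {
  '4' => 'none', 'iv' => 'none', '3' => 'low', 'iii' => 'low',
  '2' => 'medium', 'ii' => 'medium', '1' => 'high', 'i' => 'high'
}.freeze

# Highest term whose impact score is <= the given 0.0..1.0 score
# (IMPACT_FOR is insertion-ordered by ascending score); nil if score < 0.
def impact_to_severity(score)
  IMPACT_FOR.select { |_, v| v <= score }.keys.last
end

# Map a raw severity from any input source to a CVSS 3.0 term. Accepts
# 'CAT II', 'cat 2', 'III', 'high', 'Medium' or a numeric impact string such
# as '0.7'. Returns nil for unrecognised input so the caller can report it
# instead of silently leaving severity unset (the bug noted in the issue).
# With cvss: false, 'critical' is folded into 'high' for non-CVSS formats.
def normalize_severity(raw, cvss: true)
  return nil if raw.nil?
  s = raw.to_s.strip.downcase
  term =
    if CVSS_TERMS.include?(s)
      s
    elsif (m = s.match(/\A(?:cat(?:egory)?\s*)?(iv|iii|ii|i|[1-4])\z/))
      CAT_FOR[m[1]]
    elsif s.match?(/\A\d+(\.\d+)?\z/)
      impact_to_severity(Float(s))
    end
  return nil if term.nil?
  !cvss && term == 'critical' ? 'high' : term
end

# Impact string for the stub ('0.0' .. '1.0'), or nil when raw is unrecognised.
def impact_string(raw, cvss: true)
  term = normalize_severity(raw, cvss: cvss)
  term && format('%.1f', IMPACT_FOR[term])
end
```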