oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Include support for SSVC #803

Open justmurphy opened 1 month ago

justmurphy commented 1 month ago

We should include support for SSVC, as discussed in #462 and during the July TC meeting.

justmurphy commented 1 month ago

Reasoning:

As referenced in the following blog post from former Executive Assistant Director for Cybersecurity, Eric Goldstein: "Transforming the Vulnerability Management Landscape", CISA believes the integration of Stakeholder-Specific Vulnerability Categorization (SSVC) is crucial for advancing vulnerability management practices across organizations.

SSVC enables organizations to prioritize their remediation efforts effectively by assessing various attributes of vulnerabilities, including exploitation status and technical impact.

We have recently added support for SSVC to our IT advisories seen at CISA's public CSAF repository: https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white/2024

santosomar commented 1 month ago

I completely agree. CSAF should provide support for SSVC. We should also eventually support EPSS.

sei-vsarvepalli commented 1 month ago

I support this effort as well and would like to see SSVC representation available in CSAF. By the way we also have an updated SSVC schema that addresses a number of concerns raised by analysts. The official SSVC schema that we would like to support is here:

https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json

An example CVE record with this representation of an SSVC evaluation is provided here:

https://github.com/CVEProject/cve-schema/blob/1c08e97929e22b1983557fe6ea5a9573831d49db/schema/docs/full-record-advanced-example.json#L134C1-L156C13
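To make the "decision point value selection" idea above concrete, here is an added example (not code from the CSAF TC, CERT/CC or the CVE project) that parses and sanity-checks one such record and reduces it to the single most severe value per decision point, which is what a prioritisation step downstream of a CSAF document would consume. The field names (`schemaVersion`, `id`, `role`, `timestamp`, `selections` with `namespace`/`name`/`version`/`values`), the value orderings, and the sample record are all assumptions modelled loosely on the linked schema; consult that schema for the authoritative structure.

```python
"""Parse and sanity-check an SSVC decision-point value selection record.

ASSUMPTION: the field names and structure below are modelled loosely on the
Decision_Point_Value_Selection schema linked in the thread; they are not a
verified copy of it. The sample record at the bottom is constructed for this
example and is not a real evaluation.
"""
from datetime import datetime

# Decision points and their values in ascending order of severity.
# ASSUMPTION: orderings as this example understands SSVC, for illustration
# only; the authoritative definitions live in the SSVC documentation.
DECISION_POINTS = {
    "Exploitation": ["none", "poc", "active"],
    "Automatable": ["no", "yes"],
    "Technical Impact": ["partial", "total"],
}

REQUIRED_TOP = ("schemaVersion", "id", "role", "timestamp", "selections")
REQUIRED_SEL = ("namespace", "name", "version", "values")


def parse_selection(record: dict) -> dict:
    """Return {decision point name: most severe selected value}.

    Raises ValueError on a structurally bad record so the caller rejects it
    instead of silently feeding a half-parsed evaluation into triage.
    """
    missing = [k for k in REQUIRED_TOP if k not in record]
    if missing:
        raise ValueError(f"missing top-level field(s): {missing}")

    # Hand-written records frequently carry a malformed timestamp; check it
    # (RFC 3339 'Z' suffix is mapped to an explicit UTC offset for parsing).
    try:
        datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
    except (ValueError, AttributeError) as exc:
        raise ValueError(f"bad timestamp {record['timestamp']!r}") from exc

    selections = record["selections"]
    if not isinstance(selections, list) or not selections:
        raise ValueError("selections must be a non-empty list")

    result = {}
    for sel in selections:
        missing = [k for k in REQUIRED_SEL if k not in sel]
        if missing:
            raise ValueError(f"selection missing field(s): {missing}")
        name = sel["name"]
        if name in result:
            raise ValueError(f"decision point {name!r} selected twice")
        ordered = DECISION_POINTS.get(name)
        if ordered is None:
            raise ValueError(f"unknown decision point {name!r}")
        values = sel["values"]
        if not isinstance(values, list) or not values:
            raise ValueError(f"{name}: values must be a non-empty list")
        bad = [v for v in values if v not in ordered]
        if bad:
            raise ValueError(f"{name}: unknown value(s) {bad}")
        # SSVC lets an analyst select several values when uncertain; for
        # prioritisation we keep the most severe one so triage errs safe.
        result[name] = max(values, key=ordered.index)
    return result


# Constructed sample record (not a real evaluation).
SAMPLE = {
    "schemaVersion": "1-0-1",
    "id": "CVE-1900-0001",
    "role": "Coordinator",
    "timestamp": "2024-10-30T12:00:00Z",
    "selections": [
        {"namespace": "ssvc", "name": "Exploitation", "version": "1.1.0",
         "values": ["poc", "active"]},
        {"namespace": "ssvc", "name": "Automatable", "version": "2.0.0",
         "values": ["no"]},
        {"namespace": "ssvc", "name": "Technical Impact", "version": "1.0.0",
         "values": ["total"]},
    ],
}

if __name__ == "__main__":
    print(parse_selection(SAMPLE))
```

Rejecting a record outright on any structural problem is deliberate: a selection that is quietly dropped or defaulted to "none" would lower the apparent urgency of a vulnerability, which is the opposite of what an SSVC consumer wants from bad input.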

tschmidtb51 commented 1 month ago

@sei-vsarvepalli Is it possible to update that JSON Schema to Draft 2020-12?

ahouseholder commented 3 weeks ago

Connecting some dots here:

santosomar commented 3 weeks ago

A motion was moved by Omar to include the changes suggested in this pull request, during the CSAF TC monthly meeting on 2024-10-30. The motion was seconded by Michael. The motion passed.