Include support for SSVC #803

Open
justmurphy opened this issue Oct 23, 2024 · 7 comments
Labels: csaf 2.1 (csaf 2.1 work), motion_passed (A motion has passed)

Comments

@justmurphy

We should include support for SSVC, as discussed in #462 and during July TC meeting.

@justmurphy (Author)

Reasoning:

As referenced in the following blog post from former Executive Assistant Director for Cybersecurity, Eric Goldstein: "Transforming the Vulnerability Management Landscape", CISA believes the integration of Stakeholder-Specific Vulnerability Categorization (SSVC) is crucial for advancing vulnerability management practices across organizations.

SSVC enables organizations to prioritize their remediation efforts effectively by assessing various attributes of vulnerabilities, including exploitation status and technical impact.

We have recently added support for SSVC to our IT advisories seen at CISA's public CSAF repository: https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white/2024

@santosomar (Contributor)

I completely agree. CSAF should provide support for SSVC. We should also eventually support EPSS.

@sei-vsarvepalli

I support this effort as well and would like to see SSVC representation available in CSAF. By the way we also have an updated SSVC schema that addresses a number of concerns raised by analysts. The official SSVC schema that we would like to support is here:

https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json

An example CVE record with this representation of an SSVC evaluation is provided here:

https://github.com/CVEProject/cve-schema/blob/1c08e97929e22b1983557fe6ea5a9573831d49db/schema/docs/full-record-advanced-example.json#L134C1-L156C13

@tschmidtb51 (Contributor)

@sei-vsarvepalli Is it possible to update that JSON Schema to Draft 2020-12?

@ahouseholder

Connecting some dots here:

@tschmidtb51 tschmidtb51 added motion_passed A motion has passed and removed tc-discussion-needed labels Oct 30, 2024
@santosomar (Contributor)

A motion was moved by Omar to include the changes suggested in this pull request, during the CSAF TC monthly meeting on 2024-10-30. The motion was seconded by Michael. The motion passed.

tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Jan 16, 2025
- addresses parts of oasis-tcs#803
- add SSVC decision point value selection 1.0.1 to schema
- add SSVC decision point value selection 1.0.1 file into referenced schemas
- adapt test scripts
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Jan 16, 2025
- addresses parts of oasis-tcs#803
- add SSVC link in informative references
- mention SSVC in design consideration principles
- add SSVC to metrics section
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Jan 16, 2025
- addresses parts of oasis-tcs#803
- update SSVC key in schema to align with CVSS
@tschmidtb51 (Contributor)

tschmidtb51 commented Jan 16, 2025

Todos:

  • include in schema
  • add in referenced schema
  • add link in informative references
  • mention in design consideration principles
  • add to vulnerability section
  • add to guidance on size
  • check that link is correct
  • add conversion rule
  • add tests:
    • id must be consistent with cve (if CVE) or part of ids
    • for known namespaces/version/name, values must match given schema
    • warn on unknown versions for known namespaces/name
    • info on old versions for known namespace/name
    • info for unknown namespaces/name
    • info for unknown role for known namespaces

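An illustrative implementation of the test rules in the list above, added here as an example and not code from the CSAF or SSVC projects. It assumes the CSAF 2.1 placement of the SSVC object at `vulnerabilities[].metrics[].content.ssvc_v1` and the Decision_Point_Value_Selection 1.0.1 shape (`id`, `role`, `timestamp`, `selections[]` with `namespace`, `name`, `version`, `values`); the `KNOWN_DECISION_POINTS` and `KNOWN_ROLES` tables and the sample vulnerabilities are constructed for demonstration and are not the official SSVC registry or real advisories.

```python
"""Sketch of the SSVC checks for a CSAF validator (added example, not CSAF code).

Assumptions: CSAF 2.1 key vulnerabilities[].metrics[].content.ssvc_v1; SSVC
Decision_Point_Value_Selection 1.0.1 shape (id, role, timestamp, selections[]
with namespace/name/version/values). The registry below is a constructed
subset used only to demonstrate the rules, not the official SSVC data."""
from dataclasses import dataclass

# Constructed registry: (namespace, name) -> {version: allowed values}
KNOWN_DECISION_POINTS = {
    ("ssvc", "Exploitation"): {"1.0.0": {"none", "poc", "active"},
                               "1.1.0": {"none", "poc", "active"}},
    ("ssvc", "Automatable"): {"2.0.0": {"no", "yes"}},
    ("ssvc", "Technical Impact"): {"1.0.0": {"partial", "total"}},
}
# Constructed: roles a namespace is known to use
KNOWN_ROLES = {"ssvc": {"Supplier", "Deployer", "Coordinator"}}


@dataclass(frozen=True)
class Finding:
    level: str    # "error", "warning" or "info", as in the todo list
    path: str     # JSON pointer into the CSAF document
    message: str


def _version_key(version):
    """Order dotted versions numerically so "1.10.0" sorts after "1.9.0"."""
    return tuple(int(part) for part in version.split("."))


def check_selection(sel, path):
    """Rules for one selections[] entry: unknown name -> info, unknown version
    -> warning, old version -> info, value outside the schema -> error."""
    key = (sel.get("namespace"), sel.get("name"))
    label = f"{key[0]}:{key[1]}"
    version = sel.get("version", "")
    known = KNOWN_DECISION_POINTS.get(key)
    if known is None:
        return [Finding("info", path, f"unknown decision point {label}")]
    if version not in known:
        return [Finding("warning", path, f"unknown version {version} of {label}")]
    findings = []
    newest = max(known, key=_version_key)
    if _version_key(version) < _version_key(newest):
        findings.append(Finding("info", path, f"{label} {version} is older than {newest}"))
    disallowed = set(sel.get("values", [])) - known[version]
    if disallowed:
        findings.append(Finding("error", path,
                                f"values {sorted(disallowed)} not allowed for {label} {version}"))
    return findings


def check_vulnerability(vuln, index=0):
    """Check every ssvc_v1 metric of one vulnerabilities[] entry."""
    findings = []
    cve = vuln.get("cve")
    ids = {entry.get("text") for entry in vuln.get("ids", [])}
    for m_index, metric in enumerate(vuln.get("metrics", [])):
        ssvc = metric.get("content", {}).get("ssvc_v1")
        if ssvc is None:
            continue
        path = f"/vulnerabilities/{index}/metrics/{m_index}/content/ssvc_v1"
        # Rule: the SSVC id must name this vulnerability via its CVE or one of its ids.
        ssvc_id = ssvc.get("id")
        if ssvc_id != cve and ssvc_id not in ids:
            findings.append(Finding("error", path + "/id",
                                    f"id {ssvc_id!r} matches neither cve {cve!r} nor ids"))
        # Rule: a role unknown for a known namespace is reported as info.
        selections = ssvc.get("selections", [])
        used = {s.get("namespace") for s in selections} & set(KNOWN_ROLES)
        for namespace in sorted(used):
            if ssvc.get("role") not in KNOWN_ROLES[namespace]:
                findings.append(Finding("info", path + "/role",
                                        f"role {ssvc.get('role')!r} unknown for {namespace}"))
        for s_index, sel in enumerate(selections):
            findings.extend(check_selection(sel, f"{path}/selections/{s_index}"))
    return findings


# Constructed samples, not real advisories.
GOOD_VULN = {"cve": "CVE-2024-0001", "metrics": [{"content": {"ssvc_v1": {
    "id": "CVE-2024-0001", "role": "Coordinator", "timestamp": "2024-10-23T00:00:00Z",
    "selections": [
        {"namespace": "ssvc", "name": "Exploitation", "version": "1.1.0", "values": ["active"]},
        {"namespace": "ssvc", "name": "Technical Impact", "version": "1.0.0", "values": ["total"]},
    ]}}}]}
BAD_VULN = {"cve": "CVE-2024-0001", "metrics": [{"content": {"ssvc_v1": {
    "id": "CVE-2024-9999", "role": "Analyst", "timestamp": "2024-10-23T00:00:00Z",
    "selections": [
        {"namespace": "ssvc", "name": "Exploitation", "version": "1.0.0", "values": ["poc"]},
        {"namespace": "ssvc", "name": "Automatable", "version": "9.9.9", "values": ["yes"]},
        {"namespace": "ssvc", "name": "Technical Impact", "version": "1.0.0", "values": ["maybe"]},
        {"namespace": "example", "name": "Custom", "version": "1.0.0", "values": ["x"]},
    ]}}}]}

if __name__ == "__main__":
    for finding in check_vulnerability(BAD_VULN):
        print(finding.level, finding.path, finding.message)
```

Running the block prints one finding per violated rule for `BAD_VULN` (an id mismatch error, a role info, an old-version info, an unknown-version warning, a bad-value error and an unknown-namespace info) and nothing for `GOOD_VULN`; a real validator would load the allowed values from the referenced SSVC schema files instead of the constructed table.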
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Jan 16, 2025
- addresses parts of oasis-tcs#803
- update referenced SSVC schema to reflect change from CERTCC/SSVC#654
- reformat JSON schema
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Jan 16, 2025
- addresses parts of oasis-tcs#803
- update referenced SSVC schema
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue Jan 16, 2025
- addresses parts of oasis-tcs#803
- add SSVC to guidance on size