SSVC

- addresses parts of oasis-tcs#803 - add SSVC decision point value selection 1.0.1 to schema - add SSVC decision point value selection 1.0.1 file into referenced schemas - adapt test scripts
tschmidtb51 · Jan 16, 2025 · 68e5ca0 · 68e5ca0
1 parent 6dcea01
commit 68e5ca0
Show file tree

Hide file tree

Showing 5 changed files with 107 additions and 3 deletions.
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1268,6 +1268,9 @@
                     },
                     "cvss_v4": {
                       "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+                    },
+                    "ssvc_v1_0_1": {
+                      "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"
                     }
                   }
                 },

diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
@@ -0,0 +1,98 @@
+{
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
+    "definitions": {
+	"id": {
+            "type": "string",
+            "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+            "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+	},	
+	"role": {
+            "type": "string",
+            "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+            "examples": ["Supplier","Deployer","Coordinator"]
+        },
+	"timestamp" : {
+            "description": "Date and time in ISO format  ISO 8601 format",
+            "type": "string",
+            "format": "date-time"
+	},
+        "schemaVersion": {
+            "description": "Schema version used to represent this evaluation",
+            "type": "string",
+            "enum": ["1-0-1"]
+        },
+	"SsvcdecisionpointselectionSchema": {
+	    "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+	    "properties": {
+		"name": {
+		    "description": "Name of the Decision Point that were evaluated", 
+		    "title": "name",
+		    "type": "string",
+		    "examples": ["Automatable", "Exploitation"]
+		},
+		"namespace": {
+		    "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+		    "title": "namespace",
+		    "type": "string",
+		    "examples": ["ssvc","cvvsv4"]
+		},
+		"values": {
+		    "description": "Evaluated values of the Decision Point",
+		    "title": "values",
+		    "type": "array",
+		    "minItems": 1,
+		    "items": {
+			"description": "Each value that were down-selected for a Decision Point",
+			"title": "values",
+			"type": "string"
+		    }
+		},
+		"version": {
+		    "description": "Version of the Decision Points that were evaluated",
+		    "title": "version",
+		    "type": "string"
+		}
+	    },
+	    "type": "object",
+	    "required": [
+		"name",
+		"namespace",
+		"values",
+		"version"
+	    ],
+	    "additionalProperties": false
+	}
+    },
+    "properties": {
+	"id": {
+	    "$ref": "#/definitions/id"
+	},
+	"role": {
+	    "$ref": "#/definitions/role"
+	},
+	"schemaVersion": {
+	    "$ref": "#/definitions/schemaVersion"
+	},
+	"timestamp": {
+	    "$ref": "#/definitions/timestamp"
+	},
+	"selections": {
+	    "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+	    "title": "selections",
+	    "type": "array",
+	    "minItems": 1,
+	    "items": {
+		"$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+	    }
+	}
+    }, 
+    "type": "object",
+    "required": [
+	"selections",
+	"id",
+	"timestamp",
+	"schemaVersion"
+    ],
+    "additionalProperties": false
+}
diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh
@@ -8,6 +8,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -20,7 +21,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
+  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED

diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh
@@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/examples/csaf/$1/*.json
@@ -18,7 +19,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then
+  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED

diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh
@@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -19,7 +20,7 @@ cd `dirname $0`/../../..
 
 validate() {
   printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
-  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then
+  if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
     printf "%s\n" SUCCESS
   else
     printf "%s\n" FAILED