From 68e5ca0b3dce1db2e982a21424143617a842bbe8 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Thu, 16 Jan 2025 11:20:44 +0100
Subject: [PATCH] SSVC - addresses parts of oasis-tcs/csaf#803 - add SSVC decision point value selection 1.0.1 to schema - add SSVC decision point value selection 1.0.1 file into referenced schemas - adapt test scripts
---
 csaf_2.1/json_schema/csaf_json_schema.json | 3 +
 ...on_Point_Value_Selection-1-0-1.schema.json | 98 +++++++++++++++++++
 csaf_2.1/test/aggregator_schema/run_tests.sh | 3 +-
 csaf_2.1/test/csaf_schema/run_tests.sh | 3 +-
 csaf_2.1/test/provider_schema/run_tests.sh | 3 +-
 5 files changed, 107 insertions(+), 3 deletions(-)
 create mode 100644 csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
index 1319a9039..6cdae8fc9 100644
--- a/csaf_2.1/json_schema/csaf_json_schema.json
+++ b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1268,6 +1268,9 @@
 },
 "cvss_v4": {
 "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+ },
+ "ssvc_v1_0_1": {
+ "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"
 }
 }
 },
diff --git a/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
new file mode 100644
index 000000000..48c9e562c
--- /dev/null
+++ b/csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
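Review bot: In `csaf_2.1/json_schema/csaf_json_schema.json` the new `ssvc_v1_0_1` member points `$ref` at an absolute URL on certcc.github.io, and nothing in the commit records which upstream revision the vendored copy under `csaf_2.1/referenced_schema/certcc/` was taken from. A validator that is not given that local copy would have to fetch the schema at validation time (or fail), so the accepted SSVC shape then depends on whatever that URL serves; a provenance line next to the vendored file, such as `Copied from <upstream URL> at <upstream commit>, sha256 <digest>` (placeholders), would let consumers pin and compare it. The referenced schema also leaves `id`, `role`, `name`, `namespace` and `values` as free strings, and `"format": "date-time"` is enforced only by validators that opt in, so schema validation alone does not show that the SSVC `id` matches the vulnerability it is attached to; whether a separate conformance test covers that is not visible here. The object that receives the new property starts and ends outside the hunk.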
@@ -0,0 +1,98 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
+ "definitions": {
+ "id": {
+ "type": "string",
+ "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+ "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+ },
+ "role": {
+ "type": "string",
+ "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+ "examples": ["Supplier","Deployer","Coordinator"]
+ },
+ "timestamp" : {
+ "description": "Date and time in ISO format ISO 8601 format",
+ "type": "string",
+ "format": "date-time"
+ },
+ "schemaVersion": {
+ "description": "Schema version used to represent this evaluation",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "SsvcdecisionpointselectionSchema": {
+ "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+ "properties": {
+ "name": {
+ "description": "Name of the Decision Point that were evaluated",
+ "title": "name",
+ "type": "string",
+ "examples": ["Automatable", "Exploitation"]
+ },
+ "namespace": {
+ "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+ "title": "namespace",
+ "type": "string",
+ "examples": ["ssvc","cvvsv4"]
+ },
+ "values": {
+ "description": "Evaluated values of the Decision Point",
+ "title": "values",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "description": "Each value that were down-selected for a Decision Point",
+ "title": "values",
+ "type": "string"
+ }
+ },
+ "version": {
+ "description": "Version of the Decision Points that were evaluated",
+ "title": "version",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "required": [
+ "name",
+ "namespace",
+ "values",
+ "version"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "properties": {
+ "id": {
+ "$ref": "#/definitions/id"
+ },
+ "role": {
+ "$ref": "#/definitions/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/timestamp"
+ },
+ "selections": {
+ "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+}
diff --git a/csaf_2.1/test/aggregator_schema/run_tests.sh b/csaf_2.1/test/aggregator_schema/run_tests.sh
index fbaf761af..3f8ef7660 100755
--- a/csaf_2.1/test/aggregator_schema/run_tests.sh
+++ b/csaf_2.1/test/aggregator_schema/run_tests.sh
@@ -8,6 +8,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -20,7 +21,7 @@ cd `dirname $0`/../../..
 validate() {
 printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
- if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
+ if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA} ${PROVIDER_STRICT_SCHEMA}; then
 printf "%s\n" SUCCESS
 else
 printf "%s\n" FAILED
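Review bot: The rewritten `if python3 ${VALIDATOR} ${SCHEMA} $1 …` line in `validate()` of `csaf_2.1/test/aggregator_schema/run_tests.sh` extends an already long list of unquoted expansions, so a test file or schema path containing whitespace or glob characters is split or expanded before it reaches the validator; quoting each one, `"${VALIDATOR}" "${SCHEMA}" "$1" … "${SSVC_101_SCHEMA}" "${PROVIDER_STRICT_SCHEMA}"`, keeps every path a single argument. The same edit is repeated in `csaf_2.1/test/csaf_schema/run_tests.sh` and `csaf_2.1/test/provider_schema/run_tests.sh`, together with an identical `SSVC_101_SCHEMA=` assignment. If these trailing arguments are what lets `validator.py` resolve `$ref` targets from local files (its code is not shown), a schema forgotten in one script would change how that script resolves the reference, so a single shared list sourced by all three scripts would be safer. `validate()` continues past the end of the hunk.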
diff --git a/csaf_2.1/test/csaf_schema/run_tests.sh b/csaf_2.1/test/csaf_schema/run_tests.sh
index d24a9ed4f..e737c33e0 100755
--- a/csaf_2.1/test/csaf_schema/run_tests.sh
+++ b/csaf_2.1/test/csaf_schema/run_tests.sh
@@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
 TESTPATH=csaf_2.1/examples/csaf/$1/*.json
@@ -18,7 +19,7 @@ cd `dirname $0`/../../..
 validate() {
 printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
- if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then
+ if python3 ${VALIDATOR} ${SCHEMA} $1 ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
 printf "%s\n" SUCCESS
 else
 printf "%s\n" FAILED
diff --git a/csaf_2.1/test/provider_schema/run_tests.sh b/csaf_2.1/test/provider_schema/run_tests.sh
index 0ec6b8648..572d97af6 100755
--- a/csaf_2.1/test/provider_schema/run_tests.sh
+++ b/csaf_2.1/test/provider_schema/run_tests.sh
@@ -7,6 +7,7 @@ CVSS_20_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v2.0_strict.json
 CVSS_30_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.0_strict.json
 CVSS_31_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v3.1_strict.json
 CVSS_40_STRICT_SCHEMA=csaf_2.1/referenced_schema/first/cvss-v4.0_strict.json
+SSVC_101_SCHEMA=csaf_2.1/referenced_schema/certcc/Decision_Point_Value_Selection-1-0-1.schema.json
 PROVIDER_STRICT_SCHEMA=${STRICT_BUILD}/provider_strict_schema.json
 VALIDATOR=csaf_2.1/test/validator.py
 STRICT_GENERATOR=csaf_2.1/test/generate_strict_schema.py
@@ -19,7 +20,7 @@ cd `dirname $0`/../../..
 validate() {
 printf "%s" "Testing file $1 against schema ${SCHEMA} ... "
- if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA}; then
+ if python3 ${VALIDATOR} ${SCHEMA} $1 ${CSAF_STRICT_SCHEMA} ${CVSS_20_STRICT_SCHEMA} ${CVSS_30_STRICT_SCHEMA} ${CVSS_31_STRICT_SCHEMA} ${CVSS_40_STRICT_SCHEMA} ${SSVC_101_SCHEMA}; then
 printf "%s\n" SUCCESS
 else
 printf "%s\n" FAILED