Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CVSS-based (v1, v2, v3) decision points as python classes #343

Merged
merged 16 commits into from
Nov 7, 2023
Merged

Add CVSS-based (v1, v2, v3) decision points as python classes #343

merged 16 commits into from
Nov 7, 2023

Conversation

ahouseholder
Copy link
Contributor

Depends on

Adds Decision Point and Decision Point Group models for CVSS v1, v2, and v3 vectors.

Includes unit tests to validate output against json schema from #340.

@ahouseholder ahouseholder added enhancement New feature or request tools Software Tools labels Oct 16, 2023
@ahouseholder ahouseholder added this to the SSVC 2023Q4 milestone Oct 16, 2023
@ahouseholder ahouseholder self-assigned this Oct 16, 2023
@ahouseholder ahouseholder changed the title Feature/add cvss decision points py Add CVSS-based decision points as python classes Oct 16, 2023
@ahouseholder
Copy link
Contributor Author

Note: everything new in this PR that is not already in #342 is in commit 8f2bc07

This was referenced Oct 16, 2023
Closed
Closed
@ahouseholder ahouseholder changed the title Add CVSS-based decision points as python classes Add CVSS-based (v1, v2, v3) decision points as python classes Oct 16, 2023
@ahouseholder ahouseholder requested a review from j--- October 16, 2023 19:21
@ahouseholder ahouseholder mentioned this pull request Oct 17, 2023
Closed
1 task
j---
j--- requested changes Oct 27, 2023
View reviewed changes
Copy link
Collaborator

@j--- j--- left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm flagging some things here but the general question is about how we are applying SSVC decision point versioning.

If we accept any CVSS metric name change as a new object, we are essentially assuming that CVSS only changes names when the major/minor/patch version rules introduced in #350 don't apply. I do not believe that's the case, I think CVSS has changed metric names for messaging reasons. These are valid reasons, but they differ from our agreed SSVC decision point versioning rules. If we are properly integrating CVSS metrics as SSVC decision points, I suggest we apply our own versioning rules (which I think means we do not treat a metric name change as automatically a new object).

If this reasoning holds, AV and AC are the only ones it applies to here. It will come up again from v3 to v4.

src/ssvc/decision_points/cvss/attack_complexity.py Show resolved Hide resolved
src/ssvc/decision_points/cvss/access_complexity.py Outdated Show resolved Hide resolved
src/ssvc/decision_points/cvss/access_vector.py Outdated Show resolved Hide resolved
@ahouseholder ahouseholder requested a review from j--- October 31, 2023 19:03
This was referenced Oct 31, 2023
Closed
Merged
@ahouseholder ahouseholder merged commit 292a977 into CERTCC:main Nov 7, 2023
@ahouseholder ahouseholder deleted the feature/add_cvss_decision_points_py branch November 7, 2023 17:34
@ahouseholder ahouseholder mentioned this pull request Nov 8, 2023
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@j--- j--- j--- approved these changes

@sei-vsarvepalli sei-vsarvepalli Awaiting requested review from sei-vsarvepalli

@cgyarbrough cgyarbrough Awaiting requested review from cgyarbrough

Assignees

@ahouseholder ahouseholder

Labels
enhancement New feature or request tools Software Tools
Projects
None yet
Milestone
4Q23
Development

Successfully merging this pull request may close these issues.

Model CVSS v1, v2, v3 vector elements as decision points
3 participants
@ahouseholder @j--- @sei-vsarvepalli