diff --git a/data/json/decision_points/automatable_2_0_0.json b/data/json/decision_points/automatable_2_0_0.json index 9a0369b2..90ac4a09 100644 --- a/data/json/decision_points/automatable_2_0_0.json +++ b/data/json/decision_points/automatable_2_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.0", + "schemaVersion": "1-0-1", "key": "A", "name": "Automatable", "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?", diff --git a/data/json/decision_points/exploitation_1_0_0.json b/data/json/decision_points/exploitation_1_0_0.json index 9f287310..d7099083 100644 --- a/data/json/decision_points/exploitation_1_0_0.json +++ b/data/json/decision_points/exploitation_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "E", "name": "Exploitation", "description": "The present state of exploitation of the vulnerability.", diff --git a/data/json/decision_points/exploitation_1_1_0.json b/data/json/decision_points/exploitation_1_1_0.json index bebf78a3..aed0a7af 100644 --- a/data/json/decision_points/exploitation_1_1_0.json +++ b/data/json/decision_points/exploitation_1_1_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.1.0", + "schemaVersion": "1-0-1", "key": "E", "name": "Exploitation", "description": "The present state of exploitation of the vulnerability.", diff --git a/data/json/decision_points/human_impact_1_0_0.json b/data/json/decision_points/human_impact_1_0_0.json index 9d056efa..051c3789 100644 --- a/data/json/decision_points/human_impact_1_0_0.json +++ b/data/json/decision_points/human_impact_1_0_0.json @@ -1,4 +1,5 @@ { + "schemaVersion": "1-0-1", "namespace": "ssvc", "version": "1.0.0", "key": "HI", diff --git a/data/json/decision_points/human_impact_2_0_0.json b/data/json/decision_points/human_impact_2_0_0.json index b2e5ab7a..ce7a8b4e 100644 --- a/data/json/decision_points/human_impact_2_0_0.json 
+++ b/data/json/decision_points/human_impact_2_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.0", + "schemaVersion": "1-0-1", "key": "HI", "name": "Human Impact", "description": "Human Impact is a combination of Safety and Mission impacts.", diff --git a/data/json/decision_points/human_impact_2_0_1.json b/data/json/decision_points/human_impact_2_0_1.json index 6c83e47e..fd21da49 100644 --- a/data/json/decision_points/human_impact_2_0_1.json +++ b/data/json/decision_points/human_impact_2_0_1.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.1", + "schemaVersion": "1-0-1", "key": "HI", "name": "Human Impact", "description": "Human Impact is a combination of Safety and Mission impacts.", diff --git a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json index 9751bded..d63cda57 100644 --- a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json +++ b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "MWI", "name": "Mission and Well-Being Impact", "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", diff --git a/data/json/decision_points/mission_impact_1_0_0.json b/data/json/decision_points/mission_impact_1_0_0.json index 456db1bd..3ede44f1 100644 --- a/data/json/decision_points/mission_impact_1_0_0.json +++ b/data/json/decision_points/mission_impact_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "MI", "name": "Mission Impact", "description": "Impact on Mission Essential Functions of the Organization", diff --git a/data/json/decision_points/mission_impact_2_0_0.json b/data/json/decision_points/mission_impact_2_0_0.json index 9d096ce0..d1a578a3 100644 --- a/data/json/decision_points/mission_impact_2_0_0.json 
+++ b/data/json/decision_points/mission_impact_2_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.0", + "schemaVersion": "1-0-1", "key": "MI", "name": "Mission Impact", "description": "Impact on Mission Essential Functions of the Organization", diff --git a/data/json/decision_points/public_safety_impact_1_0_0.json b/data/json/decision_points/public_safety_impact_1_0_0.json index bc8ec442..0426c72b 100644 --- a/data/json/decision_points/public_safety_impact_1_0_0.json +++ b/data/json/decision_points/public_safety_impact_1_0_0.json @@ -1,4 +1,5 @@ { + "schemaVersion": "1-0-1", "namespace": "ssvc", "version": "1.0.0", "key": "PSI", diff --git a/data/json/decision_points/public_safety_impact_2_0_0.json b/data/json/decision_points/public_safety_impact_2_0_0.json index 81f414d8..4cf25b4f 100644 --- a/data/json/decision_points/public_safety_impact_2_0_0.json +++ b/data/json/decision_points/public_safety_impact_2_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.0", + "schemaVersion": "1-0-1", "key": "PSI", "name": "Public Safety Impact", "description": "A coarse-grained representation of impact to public safety.", diff --git a/data/json/decision_points/public_safety_impact_2_0_1.json b/data/json/decision_points/public_safety_impact_2_0_1.json index b993b033..2f76bbff 100644 --- a/data/json/decision_points/public_safety_impact_2_0_1.json +++ b/data/json/decision_points/public_safety_impact_2_0_1.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.1", + "schemaVersion": "1-0-1", "key": "PSI", "name": "Public Safety Impact", "description": "A coarse-grained representation of impact to public safety.", diff --git a/data/json/decision_points/public_value_added_1_0_0.json b/data/json/decision_points/public_value_added_1_0_0.json index 566b80c4..772e5de0 100644 --- a/data/json/decision_points/public_value_added_1_0_0.json +++ b/data/json/decision_points/public_value_added_1_0_0.json 
@@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "PVA", "name": "Public Value Added", "description": "How much value would a publication from the coordinator benefit the broader community?", diff --git a/data/json/decision_points/public_well-being_impact_1_0_0.json b/data/json/decision_points/public_well-being_impact_1_0_0.json index 7e6556f4..a963ea06 100644 --- a/data/json/decision_points/public_well-being_impact_1_0_0.json +++ b/data/json/decision_points/public_well-being_impact_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "PWI", "name": "Public Well-Being Impact", "description": "A coarse-grained representation of impact to public well-being.", diff --git a/data/json/decision_points/report_credibility_1_0_0.json b/data/json/decision_points/report_credibility_1_0_0.json index 0b1c910a..f9ff77f7 100644 --- a/data/json/decision_points/report_credibility_1_0_0.json +++ b/data/json/decision_points/report_credibility_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "RC", "name": "Report Credibility", "description": "Is the report credible?", diff --git a/data/json/decision_points/report_public_1_0_0.json b/data/json/decision_points/report_public_1_0_0.json index 195b8c33..67151fd2 100644 --- a/data/json/decision_points/report_public_1_0_0.json +++ b/data/json/decision_points/report_public_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "RP", "name": "Report Public", "description": "Is a viable report of the details of the vulnerability already publicly available?", diff --git a/data/json/decision_points/safety_impact_1_0_0.json b/data/json/decision_points/safety_impact_1_0_0.json index f76474e1..e25fc5d3 100644 --- a/data/json/decision_points/safety_impact_1_0_0.json +++ b/data/json/decision_points/safety_impact_1_0_0.json 
@@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "SI", "name": "Safety Impact", "description": "The safety impact of the vulnerability.", diff --git a/data/json/decision_points/safety_impact_2_0_0.json b/data/json/decision_points/safety_impact_2_0_0.json index 795813bb..0c78a0e6 100644 --- a/data/json/decision_points/safety_impact_2_0_0.json +++ b/data/json/decision_points/safety_impact_2_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "2.0.0", + "schemaVersion": "1-0-1", "key": "SI", "name": "Safety Impact", "description": "The safety impact of the vulnerability. (based on IEC 61508)", diff --git a/data/json/decision_points/supplier_cardinality_1_0_0.json b/data/json/decision_points/supplier_cardinality_1_0_0.json index 36088dcc..b4ad4c7c 100644 --- a/data/json/decision_points/supplier_cardinality_1_0_0.json +++ b/data/json/decision_points/supplier_cardinality_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "SC", "name": "Supplier Cardinality", "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", diff --git a/data/json/decision_points/supplier_contacted_1_0_0.json b/data/json/decision_points/supplier_contacted_1_0_0.json index 526ef3e0..8eaf7976 100644 --- a/data/json/decision_points/supplier_contacted_1_0_0.json +++ b/data/json/decision_points/supplier_contacted_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "SC", "name": "Supplier Contacted", "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", diff --git a/data/json/decision_points/supplier_engagement_1_0_0.json b/data/json/decision_points/supplier_engagement_1_0_0.json index cce9d92a..2f741598 100644 --- a/data/json/decision_points/supplier_engagement_1_0_0.json 
+++ b/data/json/decision_points/supplier_engagement_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "SE", "name": "Supplier Engagement", "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?", diff --git a/data/json/decision_points/supplier_involvement_1_0_0.json b/data/json/decision_points/supplier_involvement_1_0_0.json index 0adcf48d..e43b79c7 100644 --- a/data/json/decision_points/supplier_involvement_1_0_0.json +++ b/data/json/decision_points/supplier_involvement_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "SI", "name": "Supplier Involvement", "description": "What is the state of the supplier\u2019s work on addressing the vulnerability?", diff --git a/data/json/decision_points/system_exposure_1_0_0.json b/data/json/decision_points/system_exposure_1_0_0.json index 60b5dc75..5b77eb1b 100644 --- a/data/json/decision_points/system_exposure_1_0_0.json +++ b/data/json/decision_points/system_exposure_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "EXP", "name": "System Exposure", "description": "The Accessible Attack Surface of the Affected System or Service", diff --git a/data/json/decision_points/system_exposure_1_0_1.json b/data/json/decision_points/system_exposure_1_0_1.json index f287944d..d2fca848 100644 --- a/data/json/decision_points/system_exposure_1_0_1.json +++ b/data/json/decision_points/system_exposure_1_0_1.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.1", + "schemaVersion": "1-0-1", "key": "EXP", "name": "System Exposure", "description": "The Accessible Attack Surface of the Affected System or Service", diff --git a/data/json/decision_points/technical_impact_1_0_0.json b/data/json/decision_points/technical_impact_1_0_0.json index a844a82b..6b9c8676 100644 
--- a/data/json/decision_points/technical_impact_1_0_0.json +++ b/data/json/decision_points/technical_impact_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "TI", "name": "Technical Impact", "description": "The technical impact of the vulnerability.", diff --git a/data/json/decision_points/utility_1_0_0.json b/data/json/decision_points/utility_1_0_0.json index c71273ce..a54ebebd 100644 --- a/data/json/decision_points/utility_1_0_0.json +++ b/data/json/decision_points/utility_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "U", "name": "Utility", "description": "The Usefulness of the Exploit to the Adversary", diff --git a/data/json/decision_points/utility_1_0_1.json b/data/json/decision_points/utility_1_0_1.json index a1b72bce..53e39a8a 100644 --- a/data/json/decision_points/utility_1_0_1.json +++ b/data/json/decision_points/utility_1_0_1.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.1", + "schemaVersion": "1-0-1", "key": "U", "name": "Utility", "description": "The Usefulness of the Exploit to the Adversary", diff --git a/data/json/decision_points/value_density_1_0_0.json b/data/json/decision_points/value_density_1_0_0.json index 2c2db1a4..f0022b5e 100644 --- a/data/json/decision_points/value_density_1_0_0.json +++ b/data/json/decision_points/value_density_1_0_0.json @@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "VD", "name": "Value Density", "description": "The concentration of value in the target", diff --git a/data/json/decision_points/virulence_1_0_0.json b/data/json/decision_points/virulence_1_0_0.json index dfa91097..98eee786 100644 --- a/data/json/decision_points/virulence_1_0_0.json +++ b/data/json/decision_points/virulence_1_0_0.json 
@@ -1,6 +1,7 @@ { "namespace": "ssvc", "version": "1.0.0", + "schemaVersion": "1-0-1", "key": "V", "name": "Virulence", "description": "The speed at which the vulnerability can be exploited.", diff --git a/data/schema/Decision_Point.schema.json b/data/schema/Decision_Point.schema.json deleted file mode 100644 index f4ddb450..00000000 --- a/data/schema/Decision_Point.schema.json +++ /dev/null 
@@ -1,60 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "title": "Decision Point schema definition",
- "$id": "https://github.com/CERTCC/SSVC/tree/main/data/schema/Decision_Point.schema.json",
- "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point"
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies this object"
- },
- "key": {
- "type": "string",
- "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way"
- },
- "name": {
- "type": "string",
- "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
- },
- "description": {
- "type": "string",
- "description": "Description of the Decision Point or the Group of Decision Points."
- },
- "values": {
- "description": "Decision Point Values are valid results from a Decision Point",
- "uniqueItems": true,
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "key": {
- "type": "string",
- "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way"
- },
- "name": {
- "type": "string",
- "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
- },
- "description": {
- "type": "string",
- "description": "Description of the Decision Point or the Group of Decision Points."
- }
- }
- }
- }
- },
- "required": [
- "namespace",
- "version",
- "key",
- "name",
- "description",
- "values"
- ]
-}
diff --git a/data/schema/Decision_Point_Group.schema.json b/data/schema/Decision_Point_Group.schema.json
deleted file mode 100644
index dd7cb4a0..00000000
--- a/data/schema/Decision_Point_Group.schema.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "title": "Decision Points Group schema definition",
- "$id": "https://github.com/CERTCC/SSVC/tree/main/data/schema/Decision_Point_Group.schema.json",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies this object"
- },
- "name": {
- "type": "string",
- "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
- },
- "description": {
- "type": "string",
- "description": "Description of the Decision Point or the Group of Decision Points."
- },
- "decision_points": {
- "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.",
- "additionalProperties": false,
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point"
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies this object"
- },
- "key": {
- "type": "string",
- "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way"
- },
- "name": {
- "type": "string",
- "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
- },
- "description": {
- "type": "string",
- "description": "Description of the Decision Point or the Group of Decision Points."
- },
- "values": {
- "description": "Decision Point Values are valid results from a Decision Point",
- "uniqueItems": true,
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "key": {
- "type": "string",
- "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way"
- },
- "name": {
- "type": "string",
- "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
- },
- "description": {
- "type": "string",
- "description": "Description of the Decision Point or the Group of Decision Points."
- }
- }
- }
- }
- }
- }
- }
- },
- "required": [
- "version",
- "name",
- "description",
- "decision_points"
- ]
-}
diff --git a/data/schema/current/Decision_Point.schema.json b/data/schema/current/Decision_Point.schema.json
new file mode 120000
index 00000000..b1e5866a
--- /dev/null
+++ b/data/schema/current/Decision_Point.schema.json
@@ -0,0 +1 @@
+../v1/Decision_Point-1-0-1.schema.json
\ No newline at end of file
diff --git a/data/schema/current/Decision_Point_Group.schema.json b/data/schema/current/Decision_Point_Group.schema.json
new file mode 120000
index 00000000..22a4f53a
--- /dev/null
+++ b/data/schema/current/Decision_Point_Group.schema.json
@@ -0,0 +1 @@
+../v1/Decision_Point_Group-1-0-1.schema.json
\ No newline at end of file
diff --git a/data/schema/current/Decision_Point_Value_Selection.schema.json b/data/schema/current/Decision_Point_Value_Selection.schema.json
new file mode 120000
index 00000000..b708b5d7
--- /dev/null
+++ b/data/schema/current/Decision_Point_Value_Selection.schema.json
@@ -0,0 +1 @@
+../v1/Decision_Point_Value_Selection-1-0-1.schema.json
\ No newline at end of file
diff --git a/data/schema/v1/Decision_Point-1-0-1.schema.json b/data/schema/v1/Decision_Point-1-0-1.schema.json
new file mode 100644
index 00000000..ff9f3d48
--- /dev/null
+++ b/data/schema/v1/Decision_Point-1-0-1.schema.json
@@ -0,0 +1,84 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "title": "Decision Point schema definition",
+ "$id": "https://certcc.github.io/data/schema/v1/Decision_Point.schema-1-0-1.json",
+ "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.",
+ "definitions": {
+ "schemaVersion": {
+ "description": "Schema version used to represent this Decision Point",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "decision_point_value": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "key": {
+ "type": "string",
+ "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way"
+ },
+ "name": {
+ "type": "string",
+ "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the Decision Point Value"
+ }
+ },
+ "required" : [
+ "key",
+ "name",
+ "description"
+ ]
+ },
+ "decision_point": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "namespace": {
+ "type": "string",
+ "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point"
+ },
+ "version": {
+ "type": "string",
+ "description": "Version (a semantic version string) that identifies this object"
+ },
+ "key": {
+ "type": "string",
+ "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way"
+ },
+ "name": {
+ "type": "string",
+ "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
+ },
+ "description": {
+ "type": "string",
+ "description": "q Description of the Decision Point or the Group of Decision Points as defined."
+ },
+ "values": {
+ "description": "Decision Point Values are valid results from a Decision Point",
+ "uniqueItems": true,
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/decision_point_value"
+ }
+ }
+ },
+ "required": [
+ "namespace",
+ "version",
+ "key",
+ "name",
+ "description",
+ "values",
+ "schemaVersion"
+ ]
+ }
+ },
+ "$ref": "#/definitions/decision_point"
+}
diff --git a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json
new file mode 100644
index 00000000..b1c1a4e7
--- /dev/null
+++ b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json
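Review bot: The `$id` of the new Decision_Point schema, `https://certcc.github.io/data/schema/v1/Decision_Point.schema-1-0-1.json`, matches neither the file name `Decision_Point-1-0-1.schema.json` nor the URL that Decision_Point_Group-1-0-1.schema.json uses in its `$ref`, which carries the `/SSVC/` path segment. A validator or registry that indexes schemas by `$id` will not find this document under the referenced URL, so the line should read `"$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json"`. The text of the `description` property's own description also begins with a stray `q `. Since the declared draft is 2020-12, `$defs` is the current keyword for what is written here as `definitions`.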
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "title": "Decision Points Group schema definition",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group-1-0-1.schema.json",
+ "definitions": {
+ "schemaVersion": {
+ "description": "Schema version used to represent Decision Point Group",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "decision_point_group": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "version": {
+ "type": "string",
+ "description": "Version (a semantic version string) that identifies this object"
+ },
+ "name": {
+ "type": "string",
+ "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the Decision Point or the Group of Decision Points."
+ },
+ "decision_points": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json"
+ }
+ }
+ },
+ "required": [
+ "version",
+ "name",
+ "description",
+ "decision_points",
+ "schemaVersion"
+ ]
+ }
+ },
+ "$ref": "#/definitions/decision_point_group"
+
+}
diff --git a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json
new file mode 100644
index 00000000..d9455057
--- /dev/null
+++ b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json
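Review bot: `decision_points.items` now references the Decision_Point schema by absolute URL, so every consumer of this schema has to resolve a second document before it can validate a group. Depending on the validator that either fails or fetches the schema at validation time, in which case the accepted input shape depends on whatever that URL serves at that moment. The test suite in this commit avoids the fetch with a local registry; the schema should tell other consumers to do the same, for example with `"$comment": "decision_points items reference Decision_Point-1-0-1.schema.json by URL; preload it from a pinned local copy before validating"`.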
@@ -0,0 +1,101 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group_Selection-1-0-1.schema.json",
+ "definitions": {
+ "id": {
+ "type": "string",
+ "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+ "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+ },
+ "role": {
+ "type": "string",
+ "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+ "examples": ["Supplier","Deployer","Coordinator"]
+ },
+ "timestamp" : {
+ "description": "Date and time in ISO format ISO 8601 format",
+ "type": "string",
+ "format": "date-time"
+ },
+ "schemaVersion": {
+ "description": "Schema version used to represent this evaluation",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "SsvcdecisionpointselectionSchema": {
+ "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+ "properties": {
+ "name": {
+ "description": "Name of the Decision Point that were evaluated",
+ "title": "name",
+ "type": "string",
+ "examples": ["Automatable", "Exploitation"]
+ },
+ "namespace": {
+ "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+ "title": "namespace",
+ "type": "string",
+ "examples": ["ssvc","cvvsv4"]
+ },
+ "values": {
+ "description": "Evaluated values of the Decision Point",
+ "title": "values",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "description": "Each value that were down-selected for a Decision Point",
+ "title": "values",
+ "type": "string"
+ }
+ },
+ "version": {
+ "description": "Version of the Decision Points that were evaluated",
+ "title": "version",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "required": [
+ "name",
+ "namespace",
+ "values",
+ "version"
+ ],
+ "additionalProperties": false
+ },
+ "SsvcdecisionpointgroupselectionSchema": {
+ "properties": {
+ "id": {
+ "$ref": "#/definitions/id"
+ },
+ "role": {
+ "$ref": "#/definitions/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/timestamp"
+ },
+ "selections": {
+ "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+}
diff --git a/data/schema_examples/CVE-1969-0000-Decision_Point_Value_Selection.json b/data/schema_examples/CVE-1969-0000-Decision_Point_Value_Selection.json
new file mode 100644
index 00000000..5ec025a4
--- /dev/null
+++ b/data/schema_examples/CVE-1969-0000-Decision_Point_Value_Selection.json
@@ -0,0 +1,31 @@
+{
+ "id": "CVE-1969-0000",
+ "timestamp": "2021-09-29T15:29:44Z",
+ "schemaVersion": "1-0-1",
+ "selections": [
+ {
+ "namespace": "ssvc",
+ "name": "Exploitation",
+ "version": "1.1.0",
+ "values": [
+ "Active"
+ ]
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Automatable",
+ "version": "2.0.0",
+ "values": [
+ "Yes"
+ ]
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Technical Impact",
+ "version": "1.0.0",
+ "values": [
+ "Total"
+ ]
+ }
+ ]
+}
diff --git a/requirements.txt b/requirements.txt
index 281a9356..3b073b90 100644
--- a/requirements.txt
+++ b/requirements.txt
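Review bot: The `$id` in Decision_Point_Value_Selection-1-0-1.schema.json names `Decision_Point_Group_Selection-1-0-1.schema.json`, while the file and its `current/` symlink are called `Decision_Point_Value_Selection`, so the identifier does not point at this document; it should be `"$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"`. This schema also declares draft-07 while the two sibling schemas declare 2020-12. `timestamp` relies on `"format": "date-time"`, which many validators treat as an annotation unless format checking is switched on, and `id` accepts any string, so consumers should not treat either field as well-formed just because validation passed. The namespace example `"cvvsv4"` looks like a typo for a CVSS v4 namespace.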
@@ -1,15 +1,15 @@ -mkdocs==1.6.0 -mkdocs-bibtex==2.16.0 -mkdocs-include-markdown-plugin==6.2.1 -mkdocs-table-reader-plugin==2.2.2 -mkdocs-material==9.5.28 +mkdocs==1.6.1 +mkdocs-bibtex==2.16.2 +mkdocs-include-markdown-plugin==6.2.2 +mkdocs-table-reader-plugin==3.1.0 +mkdocs-material==9.5.36 mkdocs-material-extensions==1.3.1 -mkdocstrings==0.25.1 -mkdocstrings-python==1.10.5 -mkdocs-print-site-plugin==2.5.0 +mkdocstrings==0.26.1 +mkdocstrings-python==1.11.1 +mkdocs-print-site-plugin==2.6.0 dataclasses-json==0.6.7 thefuzz==0.22.1 -pandas==2.2.2 -scikit-learn==1.5.1 -jsonschema==4.22.0 +pandas==2.2.3 +scikit-learn==1.5.2 +jsonschema==4.23.0 networkx==3.3 diff --git a/src/ssvc/__init__.py b/src/ssvc/__init__.py index 87d6fd03..31995ad1 100644 --- a/src/ssvc/__init__.py +++ b/src/ssvc/__init__.py @@ -13,3 +13,5 @@ """ Provides SSVC modules. """ + +_schemaVersion = "1-0-1" diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index c68db33e..609c7b73 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -22,6 +22,7 @@ from dataclasses_json import config, dataclass_json +from . import _schemaVersion @dataclass_json @dataclass(kw_only=True) @@ -31,7 +32,7 @@ class _Versioned: """ version: str = "0.0.0" - + schemaVersion: str = _schemaVersion @dataclass_json @dataclass(kw_only=True) diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py index 9acce2c1..b52e20b1 100644 --- a/src/ssvc/policy_generator.py +++ b/src/ssvc/policy_generator.py @@ -328,7 +328,7 @@ def _is_topological_order(self, node_order: list) -> bool: def main(): - from ssvc.decision_points.automatable import AUTOMATABLE_1 + from ssvc.decision_points.automatable import AUTOMATABLE_2 from ssvc.decision_points.exploitation import EXPLOITATION_1 from ssvc.decision_points.human_impact import HUMAN_IMPACT_2 from ssvc.decision_points.system_exposure import SYSTEM_EXPOSURE_1_0_1 
@@ -347,7 +347,7 @@ def main(): decision_points=[ EXPLOITATION_1, SYSTEM_EXPOSURE_1_0_1, - AUTOMATABLE_1, + AUTOMATABLE_2, HUMAN_IMPACT_2, ], ) diff --git a/src/test/test_schema.py b/src/test/test_schema.py index 401371ca..4fb346fb 100644 --- a/src/test/test_schema.py +++ b/src/test/test_schema.py @@ -16,6 +16,9 @@ import unittest import jsonschema +from jsonschema import Draft202012Validator +from referencing import Registry, Resource +import os import ssvc.decision_points # noqa F401 from ssvc.decision_points.base import REGISTERED_DECISION_POINTS @@ -29,15 +32,16 @@ # importing these causes the decision points to register themselves from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa +def retrieve_local(uri): + fileuri = uri.replace("https://certcc.github.io/SSVC", os.getcwd()) + if os.path.exists(fileuri): + fh = open(fileuri) + schema = json.load(fh) + fh.close() + return Resource.from_contents(schema) + raise FileNotFoundError(f"Could not find DEBUG path issues {fileuri}") -def find_schema(basepath: str) -> str: - import os - - for pfx in (".", "..", "../.."): - path = os.path.join(pfx, basepath) - if os.path.exists(path): - return path - raise FileNotFoundError(f"Could not find {basepath}") +registry = Registry(retrieve=retrieve_local) class MyTestCase(unittest.TestCase): @@ -64,8 +68,7 @@ def test_confirm_registered_decision_points(self): def test_decision_point_validation(self): # path relative to top level of repo - schema_file = find_schema("data/schema/Decision_Point.schema.json") - schema = json.load(open(schema_file)) + schema_url = "https://certcc.github.io/SSVC/data/schema/current/Decision_Point.schema.json" decision_points = list(REGISTERED_DECISION_POINTS) self.assertGreater(len(decision_points), 0) 
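Review bot: `retrieve_local` in test_schema.py maps a schema URI to a file path with a plain `str.replace` against `os.getcwd()`, so a URI that does not start with the expected prefix reaches `open()` unchanged, `..` segments are never checked, and the tests only pass when run from the repository root (the removed `find_schema` also tried `..` and `../..`). The file handle is closed by hand instead of with `with`, and the error text still reads "Could not find DEBUG path issues". The version below anchors on the test file's location, rejects URIs outside the prefix and keeps the resolved path inside the repository; it assumes this file stays at `src/test/test_schema.py`. `referencing` is imported directly in the preceding hunk but requirements.txt does not list it, so it is presumably present only as a dependency of `jsonschema`.

```python
_SCHEMA_BASE = "https://certcc.github.io/SSVC/"
# src/test/test_schema.py -> repository root
_REPO_ROOT = os.path.realpath(
    os.path.join(os.path.dirname(__file__), "..", "..")
)


def retrieve_local(uri):
    if not uri.startswith(_SCHEMA_BASE):
        raise FileNotFoundError(f"Refusing to resolve non-SSVC schema URI {uri}")
    path = os.path.realpath(os.path.join(_REPO_ROOT, uri[len(_SCHEMA_BASE):]))
    if os.path.commonpath([_REPO_ROOT, path]) != _REPO_ROOT:
        raise FileNotFoundError(f"Schema path escapes the repository: {uri}")
    with open(path, encoding="utf-8") as fh:
        return Resource.from_contents(json.load(fh))

# … unchanged: registry = Registry(retrieve=retrieve_local) …
```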
@@ -76,31 +79,29 @@ def test_decision_point_validation(self): loaded = json.loads(as_json) try: - jsonschema.validate(loaded, schema) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate(loaded) except jsonschema.exceptions.ValidationError as e: exp = e self.assertIsNone(exp, f"Validation failed for {dp.name} {dp.version}") self.logger.debug( - f"Validation passed for ({dp.namespace}) {dp.name} v{dp.version}" + f"Validation passed for Decision Point ({dp.namespace}) {dp.name} v{dp.version}" ) def test_decision_point_group_validation(self): - schema_file = find_schema("data/schema/Decision_Point_Group.schema.json") - schema = json.load(open(schema_file)) - + schema_url = "https://certcc.github.io/SSVC/data/schema/current/Decision_Point_Group.schema.json" for dpg in self.dpgs: exp = None as_json = dpg.to_json() loaded = json.loads(as_json) try: - jsonschema.validate(loaded, schema) + Draft202012Validator({"$ref": schema_url},registry=registry).validate(loaded) except jsonschema.exceptions.ValidationError as e: exp = e self.assertIsNone(exp, f"Validation failed for {dpg.name} {dpg.version}") - self.logger.debug(f"Validation passed for {dpg.name} v{dpg.version}") + self.logger.debug(f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}") if __name__ == "__main__":
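Review bot: Nothing in test_schema.py validates the new Decision_Point_Value_Selection schema against the `CVE-1969-0000-Decision_Point_Value_Selection.json` example added in this commit, so problems in that schema would go unnoticed; a third test that loads the example and validates it through the same `registry` would cover it. In both loops `Draft202012Validator({"$ref": schema_url}, registry=registry)` is rebuilt for every object and could be constructed once before the loop. The comment `# path relative to top level of repo` in the preceding hunk now sits above a URL and should be updated or removed. `test_decision_point_validation` starts above this hunk.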