Tool to auto populate documentation examples for decision point objects

.gitignore

@@ -128,3 +128,4 @@ dmypy.json
 # Pyre type checker
 .pyre/
 ssvc2-applier-wip.xlsx
+_version.py

data/json/decision_points/automatable_2_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "2.0.0",
+  "key": "A",
+  "name": "Automatable",
+  "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+  "values": [
+    {
+      "key": "N",
+      "name": "No",
+      "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+    },
+    {
+      "key": "Y",
+      "name": "Yes",
+      "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+    }
+  ]
+}

data/json/decision_points/exploitation_1_0_0.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "E",
+  "name": "Exploitation",
+  "description": "The present state of exploitation of the vulnerability.",
+  "values": [
+    {
+      "key": "N",
+      "name": "None",
+      "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+    },
+    {
+      "key": "P",
+      "name": "PoC",
+      "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+    },
+    {
+      "key": "A",
+      "name": "Active",
+      "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+    }
+  ]
+}

data/json/decision_points/human_impact_1_0_0.json

@@ -0,0 +1,29 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "HI",
+  "name": "Human Impact",
+  "description": "Human Impact is a combination of Safety and Mission impacts.",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "Safety=None/Minor, Mission=None/Degraded/Crippled"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "Safety=None/Minor, Mission=MEF Failure OR Safety=Major, Mission=None/Degraded/Crippled"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "Safety=Hazardous, Mission=None/Degraded/Crippled/MEF Failure OR Safety=Major, Mission=MEF Failure"
+    },
+    {
+      "key": "VH",
+      "name": "Very High",
+      "description": "Safety=Catastrophic OR Mission=Mission Failure"
+    }
+  ]
+}

data/json/decision_points/mission_impact_1_0_0.json

@@ -0,0 +1,34 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "MI",
+  "name": "Mission Impact",
+  "description": "Impact on Mission Essential Functions of the Organization",
+  "values": [
+    {
+      "key": "N",
+      "name": "None",
+      "description": "Little to no impact"
+    },
+    {
+      "key": "NED",
+      "name": "Non-Essential Degraded",
+      "description": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+    },
+    {
+      "key": "MSC",
+      "name": "MEF Support Crippled",
+      "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+    },
+    {
+      "key": "MEF",
+      "name": "MEF Failure",
+      "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+    },
+    {
+      "key": "MF",
+      "name": "Mission Failure",
+      "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
+    }
+  ]
+}

data/json/decision_points/mission_impact_2_0_0.json

@@ -0,0 +1,29 @@
+{
+  "namespace": "ssvc",
+  "version": "2.0.0",
+  "key": "MI",
+  "name": "Mission Impact",
+  "description": "Impact on Mission Essential Functions of the Organization",
+  "values": [
+    {
+      "key": "D",
+      "name": "Degraded",
+      "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+    },
+    {
+      "key": "MSC",
+      "name": "MEF Support Crippled",
+      "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+    },
+    {
+      "key": "MEF",
+      "name": "MEF Failure",
+      "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+    },
+    {
+      "key": "MF",
+      "name": "Mission Failure",
+      "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
+    }
+  ]
+}

data/json/decision_points/public_safety_impact_1_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "PSI",
+  "name": "Public Safety Impact",
+  "description": "A coarse-grained representation of impact to public safety.",
+  "values": [
+    {
+      "key": "M",
+      "name": "Minimal",
+      "description": "Safety impact of None or Minor."
+    },
+    {
+      "key": "S",
+      "name": "Significant",
+      "description": "Safety impact of Major, Hazardous, or Catastrophic."
+    }
+  ]
+}

data/json/decision_points/public_value_added_1_0_0.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "PVA",
+  "name": "Public Value Added",
+  "description": "How much value would a publication from the coordinator benefit the broader community?",
+  "values": [
+    {
+      "key": "P",
+      "name": "Precedence",
+      "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+    },
+    {
+      "key": "A",
+      "name": "Ampliative",
+      "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+    },
+    {
+      "key": "L",
+      "name": "Limited",
+      "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+    }
+  ]
+}

data/json/decision_points/report_credibility_1_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "RC",
+  "name": "Report Credibility",
+  "description": "Is the report credible?",
+  "values": [
+    {
+      "key": "C",
+      "name": "Credible",
+      "description": "The report is credible."
+    },
+    {
+      "key": "NC",
+      "name": "Not Credible",
+      "description": "The report is not credible."
+    }
+  ]
+}

data/json/decision_points/report_public_1_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "RP",
+  "name": "Report Public",
+  "description": "Is a viable report of the details of the vulnerability already publicly available?",
+  "values": [
+    {
+      "key": "N",
+      "name": "No",
+      "description": "No public report of the vulnerability exists."
+    },
+    {
+      "key": "Y",
+      "name": "Yes",
+      "description": "A public report of the vulnerability exists."
+    }
+  ]
+}

data/json/decision_points/safety_impact_1_0_0.json

@@ -0,0 +1,34 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "SI",
+  "name": "Safety Impact",
+  "description": "The safety impact of the vulnerability.",
+  "values": [
+    {
+      "key": "N",
+      "name": "None",
+      "description": "The effect is below the threshold for all aspects described in Minor."
+    },
+    {
+      "key": "M",
+      "name": "Minor",
+      "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+    },
+    {
+      "key": "J",
+      "name": "Major",
+      "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+    },
+    {
+      "key": "H",
+      "name": "Hazardous",
+      "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+    },
+    {
+      "key": "C",
+      "name": "Catastrophic",
+      "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
+    }
+  ]
+}

data/json/decision_points/supplier_cardinality_1_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "SC",
+  "name": "Supplier Cardinality",
+  "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+  "values": [
+    {
+      "key": "O",
+      "name": "One",
+      "description": "There is only one supplier of the vulnerable component."
+    },
+    {
+      "key": "M",
+      "name": "Multiple",
+      "description": "There are multiple suppliers of the vulnerable component."
+    }
+  ]
+}

data/json/decision_points/supplier_contacted_1_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "SC",
+  "name": "Supplier Contacted",
+  "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+  "values": [
+    {
+      "key": "N",
+      "name": "No",
+      "description": "The supplier has not been contacted."
+    },
+    {
+      "key": "Y",
+      "name": "Yes",
+      "description": "The supplier has been contacted."
+    }
+  ]
+}

data/json/decision_points/supplier_engagement_1_0_0.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "SE",
+  "name": "Supplier Engagement",
+  "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?",
+  "values": [
+    {
+      "key": "A",
+      "name": "Active",
+      "description": "The supplier is responding to the reporter\u2019s contact effort and actively participating in the coordination effort."
+    },
+    {
+      "key": "U",
+      "name": "Unresponsive",
+      "description": "The supplier is not responding to the reporter\u2019s contact effort and not actively participating in the coordination effort."
+    }
+  ]
+}

data/json/decision_points/supplier_involvement_1_0_0.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "SI",
+  "name": "Supplier Involvement",
+  "description": "What is the state of the supplier\u2019s work on addressing the vulnerability?",
+  "values": [
+    {
+      "key": "FR",
+      "name": "Fix Ready",
+      "description": "The supplier has provided a patch or fix."
+    },
+    {
+      "key": "C",
+      "name": "Cooperative",
+      "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+    },
+    {
+      "key": "UU",
+      "name": "Uncooperative/Unresponsive",
+      "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+    }
+  ]
+}

data/json/decision_points/system_exposure_1_0_0.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "ssvc",
+  "version": "1.0.0",
+  "key": "EXP",
+  "name": "System Exposure",
+  "description": "The Accessible Attack Surface of the Affected System or Service",
+  "values": [
+    {
+      "key": "S",
+      "name": "Small",
+      "description": "Local service or program; highly controlled network"
+    },
+    {
+      "key": "C",
+      "name": "Controlled",
+      "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+    },
+    {
+      "key": "U",
+      "name": "Unavoidable",
+      "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+    }
+  ]
+}