Merge pull request #871 from tschmidtb51/ssvc

SSVC
oasis-tcs · Mar 4, 2025 · ac5052f · ac5052f
2 parents ab891f7 + 8e19dc4
commit ac5052f
Show file tree

Hide file tree

Showing 59 changed files with 3,492 additions and 21 deletions.
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1281,6 +1281,9 @@
                     },
                     "cvss_v4": {
                       "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+                    },
+                    "ssvc_v1": {
+                      "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"
                     }
                   }
                 },

diff --git a/csaf_2.1/prose/edit/etc/bind.txt b/csaf_2.1/prose/edit/etc/bind.txt
@@ -76,6 +76,10 @@ tests-01-mndtr-42-purl-qualifiers.md
 tests-01-mndtr-43-use-of-multiple-stars-in-model-number.md
 tests-01-mndtr-44-use-of-multiple-stars-in-serial-number.md
 tests-01-mndtr-45-inconsistent-disclosure-date.md
+tests-01-mndtr-46-invalid-ssvc.md
+tests-01-mndtr-47-inconsistent-ssvc-id.md
+tests-01-mndtr-48-ssvc-decision-points.md
+tests-01-mndtr-49-prohibited-ssvc-decision-point-namespace.md
 tests-02-optional.md
 tests-03-informative.md
 distributing.md

diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
@@ -605,7 +605,17 @@ Secondly, the program fulfills the following for all items of:
   > This is done to create a deterministic conversion.
 
   The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
+
 * `/vulnerabilities[]/disclosure_date`: If a `release_date` was given, the CSAF 2.0 to CSAF 2.1 converter MUST convert the key as `disclosure_date`.
+* `/vulnerabilities[]/metrics/ssvc_v1`: If a SSVC vector or decision points of an SSVC vector are given in an item of `notes` of the current
+  vulnerability using the `title` `SSVC` and the `category` `other`, the CSAF 2.0 to CSAF 2.1 converter MUST convert that data into the `ssvc_v1`
+  object within the current vulnerability.
+  If the CSAF 2.0 to CSAF 2.1 converter is able to construct a valid object without loosing any information, the corresponding `notes` item SHALL
+  be removed.
+  If the CSAF 2.0 to CSAF 2.1 converter is unable to construct a valid object with the information given, the CSAF 2.0 to CSAF 2.1 converter SHALL
+  remove the invalid `ssvc_v1` object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data failed.
+  If the CSAF 2.0 to CSAF 2.1 converter would loose information during the conversion, the CSAF 2.0 to CSAF 2.1 converter SHALL remove the `ssvc_v1`
+  object, keep the original item of `notes` and output a warning that the automatic conversion of the SSVC data would lead to loosing information.
 * `/vulnerabilities[]/remediations[]`:
   * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch`
     if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
@@ -623,6 +633,7 @@ Secondly, the program fulfills the following for all items of:
   * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`.
   * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed,
     including the products it was changed for.
+* The CSAF 2.0 to CSAF 2.1 converter SHALL provide the JSON path where the warning occurred together with the warning.
 
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
 

diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md
@@ -34,23 +34,26 @@ Proven and intended usage patterns from practice are given where possible.
 
 Delegation to industry best practices technologies is used in referencing schemas for:
 
-* Platform Data:
+* Classification for Document Distribution
+  * Traffic Light Protocol (TLP)
+    * Default Definition: https://www.first.org/tlp/
+* Platform Data
   * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
-* Vulnerability Scoring:
+* Vulnerability Categorization
+  * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC)
+    * JSON Schema Reference: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json
+* Vulnerability Classification
+  * Common Weakness Enumeration (CWE) [cite](#CWE)
+    * CWE List: http://cwe.mitre.org/data/index.html
+* Vulnerability Scoring
   * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v4.0.json
   * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.1.json
   * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v3.0.json
   * Common Vulnerability Scoring System (CVSS) Version 2.0 [cite](#CVSS2)
-    * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json
-* Vulnerability Classification
-  * Common Weakness Enumeration (CWE) [cite](#CWE)
-    * CWE List: http://cwe.mitre.org/data/index.html
-* Classification for Document Distribution
-  * Traffic Light Protocol (TLP)
-    * Default Definition: https://www.first.org/tlp/
+    * JSON Schema Reference: https://www.first.org/cvss/cvss-v2.0.json
 
 Even though the JSON schema does not prohibit specifically additional properties and custom keywords,
 it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub.
@@ -65,5 +68,3 @@ consumers to verify rules from the specification which can not be tested by the
 Section [sec](#distributing-csaf-documents) states how to distribute and where to find CSAF documents.
 Safety, Security and Data Protection are considered in section [sec](#safety-security-and-data-protection-considerations).
 Finally, a set of conformance targets describes tools in the ecosystem.
-
-
diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md
@@ -80,6 +80,8 @@ An array SHOULD NOT have more than:
   * `/vulnerabilities[]/acknowledgments[]/urls`
   * `/vulnerabilities[]/cwes`
   * `/vulnerabilities[]/ids`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values`
   * `/vulnerabilities[]/remediations[]/entitlements`
 
 * 40 000 items for
@@ -208,6 +210,12 @@ A string SHOULD NOT have a length greater than:
   * `/vulnerabilities[]/metrics[]/content/cvss_v2/vectorString`
   * `/vulnerabilities[]/metrics[]/content/cvss_v3/vectorString`
   * `/vulnerabilities[]/metrics[]/content/cvss_v4/vectorString`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/id`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/role`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/name`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/namespace`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/values[]`
+  * `/vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]/version`
   * `/vulnerabilities[]/metrics[]/products[]`
   * `/vulnerabilities[]/notes[]/audience`
   * `/vulnerabilities[]/notes[]/title`
@@ -267,6 +275,7 @@ The maximum length of strings representing a temporal value is given by the form
 * `/vulnerabilities[]/discovery_date`
 * `/vulnerabilities[]/flags[]/date`
 * `/vulnerabilities[]/involvements[]/date`
+* `/vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp`
 * `/vulnerabilities[]/remediations[]/date`
 * `/vulnerabilities[]/threats[]/date`
 
@@ -284,6 +293,7 @@ It seems to be safe to assume that the length of this value is not greater than
 
 For all other values, it seems to be safe to assume that the length of each value is not greater than 50.
 This applies to:
+
 * `/document/csaf_version` (3)
 * `/document/distribution/tlp/label` (12)
 * `/document/notes[]/category` (16)
@@ -373,6 +383,7 @@ This applies to:
 * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnConfidentialityImpact` (4)
 * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnerabilityResponseEffort` (11)
 * `/vulnerabilities[]/metrics[]/content/cvss_v4/vulnIntegrityImpact` (4)
+* `/vulnerabilities[]/metrics[]/content/ssvc_v1/schemaVersion` (5)
 * `/vulnerabilities[]/notes[]/category` (16)
 * `/vulnerabilities[]/references[]/category` (8)
 * `/vulnerabilities[]/remediations[]/category` (14)

diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -102,6 +102,9 @@ SemVer
 SPDX301
 :    _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, <https://spdx.github.io/spdx-spec/>.
 
+SSVC
+:    _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, <https://certcc.github.io/SSVC/reference/>
+
 VERS
 :    _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
 

diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md
@@ -447,6 +447,9 @@ A Content object has at least 1 property.
           },
           "cvss_v4": {
             // ...
+          },
+          "ssvc_v1": {
+            // ....
           }
         }
 ```
@@ -461,6 +464,9 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the
 The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at
 [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).
 
+The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at
+[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json).
+
 ##### Vulnerabilities Property - Metrics - Products
 
 Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies.

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-45-inconsistent-disclosure-date.md
@@ -41,4 +41,4 @@ The relevant path for this test is:
   ]
 ```
 
-> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the date of newest item in the `revision_history`.
+> The document is labeled `TLP:CLEAR` and in status `final` but the `disclosure_date` is newer than the `date` of newest item in the `revision_history`.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-46-invalid-ssvc.md
@@ -0,0 +1,23 @@
+### Invalid SSVC
+
+It MUST be tested that the given SSVC object is valid according to the referenced schema.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/metrics[]/content/ssvc_v1
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "ssvc_v1": {
+    "id": "CVE-1900-0001",
+    "schemaVersion": "1-0-1",
+    "timestamp": "2024-01-24T10:00:00.000Z"
+  }
+```
+
+> The required element `selections` is missing.
+
+> A tool MAY add the missing property `id` based on the values given in `cve` respectively `ids[]/text` as quick fix.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-47-inconsistent-ssvc-id.md
@@ -0,0 +1,44 @@
+### Inconsistent SSVC ID
+
+For each `ssvc_v1` object it MUST be tested that `id` is either the CVE of the vulnerability given in `cve` or the `text` of an item in the `ids` array.
+The test MUST fail, if the `id` equals the `/document/tracking/id` and the CSAF document contains more than one vulnerability.
+
+The relevant path for this test is:
+
+```
+   /vulnerabilities[]/metrics[]/content/ssvc_v1/id
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0002",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
+                  "values": [
+                    "None"
+                  ],
+                  "version": "1.1.0"
+                }
+              ],
+              "timestamp": "2024-01-24T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The SSVC ID does not match the CVE ID.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-48-ssvc-decision-points.md
@@ -0,0 +1,57 @@
+### SSVC Decision Points
+
+For each SSVC decision point given under `selections` with a registered `namespace`, it MUST be tested that given decision point exists, is valid and the items in `values` are ordered correctly.
+
+> According to the SSVC project, the following values are currently registered:
+>
+> ```
+>   cvss
+>   nciss
+>   ssvc
+> ```
+>
+> A list of all valid decision points including their values is available at the [SSVC repository](https://github.com/CERTCC/SSVC/tree/main/data/json/decision_points).
+> The items in `values` need to have the same order as in their definition.
+
+The relevant path for this test is:
+
+```
+   /vulnerabilities[]/metrics[]/content/ssvc_v1/selections[]
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0001",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Mission Impact",
+                  "namespace": "ssvc",
+                  "values": [
+                    "None",
+                    "Degraded"
+                  ],
+                  "version": "1.0.0"
+                }
+              ],
+              "timestamp": "2024-01-24T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The SSVC decision point `Mission Impact` doesn't have the value `Degraded` in version `1.0.0`.
+
+> If applicable, a tool MAY sort the items in `values` according to the order of their definition as a quick fix.
diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-49-inconsistent-ssvc-timestamp.md
@@ -0,0 +1,66 @@
+### Inconsistent SSVC Timestamp
+
+For each vulnerability, it MUST be tested that the SSVC `timestamp` is earlier or equal to the `date` of the newest item of the `revision_history`
+if the document status is `final` or `interim`.
+As the timestamps might use different timezones, the sorting MUST take timezones into account.
+
+The relevant path for this test is:
+
+```
+    /vulnerabilities[]/metrics[]/content/ssvc_v1/timestamp
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "document": {
+    // ...
+    "distribution": {
+      "tlp": {
+        "label": "CLEAR"
+      }
+    },
+    // ...
+    "tracking": {
+      // ...
+      "revision_history": [
+        {
+          "date": "2024-01-24T10:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      // ...
+    }
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1900-0001",
+      "metrics": [
+        {
+          "content": {
+            "ssvc_v1": {
+              "id": "CVE-1900-0001",
+              "schemaVersion": "1-0-1",
+              "selections": [
+                {
+                  "name": "Exploitation",
+                  "namespace": "ssvc",
+                  "values": [
+                    "Active"
+                  ],
+                  "version": "1.1.0"
+                }
+              ],
+              "timestamp": "2024-07-13T10:00:00.000Z"
+            }
+          },
+          // ...
+        }
+      ]
+    }
+  ]
+```
+
+> The document is in status `final` but the SSVC `timestamp` is newer than the `date` of newest item in the `revision_history`.
-Original file line number
+Diff line change
@@ Expand Up / @@ -102,6 +102,9 @@ SemVer @@
     SPDX301
     :    _The System Package Data Exchange® (SPDX®) Specification Version 3.0.1_, Linux Foundation and its Contributors, 2024, <https://spdx.github.io/spdx-spec/>.
+    SSVC
+    :    _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, <https://certcc.github.io/SSVC/reference/>
     VERS
     :    _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, <https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst>.
@@ Expand Down @@