As an enterprise security engineer with
• automated scanning tools (such as JFrog Xray) that detect known CVEs in my software
I want to
• have a tool to program an SSVC decision tree
So that
• I can convince my superiors that we should use SSVC.
This tool should read in a CSV or JSON of CVSS metrics and process them based on the SSVC decision tree that my team configures. The tool can exist as a script or a microservice.
The output should be a CSV of CVEs labeled and categorized by defer, scheduled, ooc, immediate.
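A minimal version of the script the issue asks for, added here as an example that is not part of this thread or the project's code: it reads a CSV of CVSS v3.1 vectors, maps them onto SSVC decision points, walks a team-configured tree, and emits a CSV labelled with the four outcomes. The CVSS-to-SSVC mapping, the tree, the column names (cve, cvss_vector, exploitation) and the placeholder CVE ids are all assumptions, not SSVC's published defaults.

```python
"""Label CVEs with SSVC outcomes from CVSS v3.1 metrics and a team-configured
decision tree. Added example, not project code; mapping and tree are assumed."""
import csv
import io
# Assumed team configuration (same shape a JSON config file would have):
# exploitation -> automatable -> technical_impact -> one of the four outcomes.
TREE = {
    "none":   {"no":  {"partial": "defer",     "total": "defer"},
               "yes": {"partial": "scheduled", "total": "scheduled"}},
    "poc":    {"no":  {"partial": "scheduled", "total": "scheduled"},
               "yes": {"partial": "scheduled", "total": "ooc"}},
    "active": {"no":  {"partial": "ooc",       "total": "immediate"},
               "yes": {"partial": "immediate", "total": "immediate"}},
}

def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])

def cvss_to_points(vector, exploitation):
    """Assumed mapping: AV:N/AC:L/PR:N/UI:N -> automatable; C, I and A all
    High -> total technical impact; exploitation has its own CSV column."""
    m = parse_vector(vector)
    auto = (m["AV"], m["AC"], m["PR"], m["UI"]) == ("N", "L", "N", "N")
    total = (m["C"], m["I"], m["A"]) == ("H", "H", "H")
    return {"exploitation": exploitation,
            "automatable": "yes" if auto else "no",
            "technical_impact": "total" if total else "partial"}

def decide(points, tree=TREE):
    """Walk the tree; a KeyError means the config lacks that branch."""
    for name in ("exploitation", "automatable", "technical_impact"):
        tree = tree[points[name]]
    return tree

def label_csv(text, tree=TREE):
    """Columns cve,cvss_vector,exploitation -> (labelled rows, output CSV)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        points = cvss_to_points(row["cvss_vector"], row["exploitation"])
        rows.append({**row, **points, "decision": decide(points, tree)})
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return rows, out.getvalue()

# Constructed sample input with placeholder CVE ids, not real entries.
SAMPLE = """cve,cvss_vector,exploitation
CVE-0000-0001,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,active
CVE-0000-0002,CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N,none
CVE-0000-0003,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N,poc
"""
```

Swapping `TREE` for a dict loaded from the team's JSON file gives the configurable tree the issue describes; the input columns the tool does not derive (exploitation status here) must be supplied alongside the CVSS vector, since the base vector does not carry them.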
An implementation of CVSS v4 exists there in the demo; however, it has only the "lookup" functionality aligned with the idea of Equivalent Sets. This is mostly work from Jono Spring at CISA, which has driven a simpler and more explainable way forward for CVSS (similar to SSVC). It entirely avoids any complicated math and equations to get "numbers" out of these raw lower-level metrics.
Thanks Vijay. I don't think that resolved Renae's use case though. And the CVSS community is interested in "custom" CVSS scoring as well, which this could also support. So we should think it through and how to support it, I think.
Yeah, I see a different use case: evaluations being done by mapping CVSS metrics to SSVC. The discussions so far have been about customizing the SSVC tree in the tool itself. However, this may be a distinct tool, not the Policy Explorer idea that creates and explores policy, but one that looks at ways to consume commonly used metrics and gives SSVC-equivalent evaluations. This may be worth a distinct discussion.