Enterprise adoption SSVC tool #655

Open
sei-renae opened this issue Dec 2, 2024 · 3 comments
Labels: enhancement (New feature or request)

@sei-renae

As an enterprise security engineer with
• automated scanning tools (such as jfrog xray) that detect known CVEs in my software
I want to
• have a tool to program an SSVC decision tree
So that
• I can convince my superiors that we should use SSVC.
This tool should read in a CSV or JSON of CVSS metrics and process them based on the SSVC decision tree that my team configures. The tool can exist as a script or a microservice.
The output should be a CSV of CVEs labeled and categorized by defer, scheduled, ooc, immediate.

@sei-renae sei-renae added the enhancement New feature or request label Dec 2, 2024
@sei-vsarvepalli (Contributor)

Look at the demo work currently in progress and the related discussion in #649

https://democert.org/ssvc/simple/

An implementation of CVSS v4 exists there in the demo; however, it has only the "lookup" functionality, aligned with the idea of Equivalent Sets. This is mostly work from Jono Spring in CISA that has driven a simpler and more explainable way forward for CVSS (similar to SSVC). It entirely avoids any complicated math and equations to get "numbers" out of these raw lower-level metrics.

https://www.first.org/cvss/v4.0/faq#:~:text=Equivalent%20Sets,of%20vectors%20for%20each%20set.

@sei-vsarvepalli sei-vsarvepalli self-assigned this Dec 2, 2024
@j--- (Collaborator) commented Dec 6, 2024 via email

@sei-vsarvepalli (Contributor)

Yeh, I see a different use case: evaluations being done by mapping CVSS metrics to SSVC. The discussions so far have been about customizing the SSVC tree in the tool itself. However, this may be a distinct tool, not the Policy Explorer idea that creates and explores policy, but one that looks at ways to consume commonly used metrics and gives SSVC-equivalent evaluations. This may be worth a distinct discussion.

Vijay
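The following is an added example, not code from the SSVC project or from anyone in this thread. It sketches the script the opening post asks for and the "consume commonly used metrics, give SSVC-equivalent evaluations" tool Vijay describes: it reads CVE records (CSV or a JSON array) that carry a CVSS v3.1 vector and an analyst-supplied exploitation status, derives SSVC decision-point values from them, walks a team-configured decision tree and writes a CSV with a decision column. The tree shape, the names `TEAM_TREE`, `parse_cvss31`, `derive_ssvc_facts`, `evaluate_tree`, `triage` and `triage_to_csv`, the CVSS-to-SSVC mapping heuristics (automatable only for AV:N/AC:L/PR:N/UI:N, total impact only for C:H/I:H/A:H) and the sample rows with placeholder CVE ids are all assumptions made for this example; "out-of-cycle" is spelled out where the post writes "ooc".

```python
"""Added example (not the SSVC project's code): read CVE records with CVSS v3.1
vectors, derive SSVC decision-point values, walk a team-configured decision
tree and emit a labeled CSV. Tree, heuristics and sample data are assumptions."""
import csv
import io
import json

# Assumed team policy, not an official SSVC tree. A node maps one decision point
# to its branches; "*" is the default branch; a string leaf is the outcome.
TEAM_TREE = {"exploitation": {
    "active": {"technical_impact": {"total": "immediate", "*": "out-of-cycle"}},
    "poc": {"automatable": {
        "yes": {"technical_impact": {"total": "immediate", "*": "out-of-cycle"}},
        "no": {"technical_impact": {"total": "out-of-cycle", "*": "scheduled"}}}},
    "none": {"automatable": {
        "yes": {"technical_impact": {"total": "scheduled", "*": "defer"}},
        "no": "defer"}},
}}


def parse_cvss31(vector: str) -> dict:
    """Split a CVSS v3.1 vector string into a {metric: value} dict."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.1" or not rest:
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"{vector!r} lacks base metrics {sorted(missing)}")
    return metrics


def derive_ssvc_facts(metrics: dict, exploitation: str) -> dict:
    """Map CVSS base metrics onto SSVC decision-point values (assumed heuristics:
    automatable only for network, low-complexity, no-privilege, no-interaction
    attacks; technical_impact "total" only when C, I and A are all High)."""
    remote_unauth = all(metrics[m] == v for m, v in
                        (("AV", "N"), ("AC", "L"), ("PR", "N"), ("UI", "N")))
    total = all(metrics[m] == "H" for m in ("C", "I", "A"))
    return {
        # CVSS base metrics carry no exploitation state, so the analyst supplies it
        "exploitation": exploitation.strip().lower(),
        "automatable": "yes" if remote_unauth else "no",
        "technical_impact": "total" if total else "partial",
    }


def evaluate_tree(tree: dict, facts: dict) -> str:
    """Walk the tree from the root; every node holds exactly one decision point."""
    node = tree
    while isinstance(node, dict):
        (point, branches), = node.items()  # rejects malformed multi-key nodes
        value = facts.get(point)
        if value in branches:
            node = branches[value]
        elif "*" in branches:
            node = branches["*"]
        else:
            raise ValueError(f"tree has no branch for {point}={value!r}")
    return node


def load_records(text: str) -> list:
    """Accept a JSON array of objects or CSV text with a header row."""
    if text.lstrip().startswith("["):
        return json.loads(text)
    return list(csv.DictReader(io.StringIO(text)))


def triage(text: str, tree: dict = TEAM_TREE) -> list:
    """One dict per record: cve, derived facts, and the tree's decision."""
    results = []
    for rec in load_records(text):
        facts = derive_ssvc_facts(parse_cvss31(rec["cvss_vector"]), rec["exploitation"])
        results.append({"cve": rec["cve"], **facts, "decision": evaluate_tree(tree, facts)})
    return results


def triage_to_csv(text: str, tree: dict = TEAM_TREE) -> str:
    """Render triage() output as CSV for the scanner or ticketing side."""
    out = io.StringIO()
    writer = csv.DictWriter(out, ["cve", "exploitation", "automatable",
                                  "technical_impact", "decision"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(triage(text, tree))
    return out.getvalue()


# Constructed sample input; the CVE ids are placeholders, not real records.
SAMPLE_CSV = """cve,cvss_vector,exploitation
CVE-EXAMPLE-1,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,active
CVE-EXAMPLE-2,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N,none
CVE-EXAMPLE-3,CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H,poc
"""

if __name__ == "__main__":
    print(triage_to_csv(SAMPLE_CSV), end="")
```

The tree is the part the team owns: it is an ordinary nested dict, so an exported SSVC tree can be loaded from JSON and swapped in without touching the code, and `evaluate_tree` fails loudly on a value the tree does not cover rather than silently deferring. The debatable part is `derive_ssvc_facts`: CVSS base metrics say nothing about whether exploitation is observed, so that column has to come from the analyst or a separate feed, and the automatable heuristic is a deliberately conservative stand-in for the SSVC question it approximates.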
