diff --git a/data/schema/v1/Decision_Point-1-0-1.schema.json b/data/schema/v1/Decision_Point-1-0-1.schema.json index 75b573d9..019accee 100644 --- a/data/schema/v1/Decision_Point-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point-1-0-1.schema.json @@ -5,7 +5,7 @@ "description": "Decision points are the basic building blocks of SSVC decision functions. Individual decision points describe a single aspect of the input to a decision function.", "$defs": { "schemaVersion": { - "description": "Schema version used to represent this Decision Point", + "description": "Schema version used to represent this Decision Point.", "type": "string", "enum": ["1-0-1"] }, @@ -15,15 +15,21 @@ "properties": { "key": { "type": "string", - "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way" + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point Value.", + "minLength": 1, + "examples": ["P", "Y"] }, "name": { "type": "string", - "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": ["Public PoC", "Yes"] }, "description": { "type": "string", - "description": "Description of the Decision Point Value" + "description": "A full description of the Decision Point Value.", + "minLength": 1, + "examples": ["One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.","Attackers can reliably automate steps 1-4 of the kill chain."] } }, "required" : [ @@ -41,26 +47,36 @@ }, "namespace": { "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point" + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", + "examples": ["ssvc", "cvss", "ssvc-jp", "ssvc/acme", "ssvc/example.com"] }, "version": { "type": "string", - "description": "Version (a semantic version string) that identifies this object" + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": ["1.0.1", "1.0.1-alpha"] }, "key": { "type": "string", - "description": "A key (a short, unique string) that can be used to identify the Decision Point/Decision Point value in a shorthand way" + "description": "A short, unique string (or key) used as a shorthand identifier for a Decision Point.", + + "minLength": 1, + "examples": ["E", "A"] }, "name": { "type": "string", - "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + "description": "A short label that identifies a Decision Point.", + "minLength": 1, + "examples": ["Exploitation", "Automatable"] }, "description": { "type": "string", - "description": "q Description of the Decision Point or the Group of Decision Points as defined." + "description": "A full description of the Decision Point, explaining what it represents and how it is used in SSVC.", + "minLength": 1 }, "values": { - "description": "Decision Point Values are valid results from a Decision Point", + "description": "A set of possible answers for a given Decision Point", "uniqueItems": true, "type": "array", "minItems": 1, diff --git a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json index 7ff2f5dd..ec2768ab 100644 --- a/data/schema/v1/Decision_Point_Group-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point_Group-1-0-1.schema.json @@ -1,10 +1,11 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "title": "Decision Points Group schema definition", + "title": "Decision Points Group schema definition.", "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group-1-0-1.schema.json", + "description": "Decision Point Groups are sets of decision points pinned to specific versions of those decision points. These groups may change over time.", "$defs": { "schemaVersion": { - "description": "Schema version used to represent Decision Point Group", + "description": "Schema version used to represent Decision Point Group.", "type": "string", "enum": ["1-0-1"] }, @@ -16,16 +17,19 @@ "$ref": "#/$defs/schemaVersion" }, "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies this object" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" }, "name": { "type": "string", - "description": "A short label that captures the description of the Decision Point or the Group of Decision Points." + "description": "A short label that captures the description of the Decision Point Group.", + "minLength": 1, + "examples": ["SSVC Supplier","Coordinator Triage", "SSVC Deployer"] }, "description": { "type": "string", - "description": "Description of the Decision Point or the Group of Decision Points." + "description": "A full description of the Decision Point Group.", + "minLength": 1, + "examples": ["These decision points used by the Coordinator during publication."] }, "decision_points": { "type": "array", diff --git a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json index 59022e04..ca5b1115 100644 --- a/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json +++ b/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json @@ -1,57 +1,45 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"] + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": ["Supplier","Deployer","Coordinator"] + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": ["Supplier","Deployer","Coordinator"], + "minLength": 1 }, "timestamp" : { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", - "format": "date-time" + "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": ["1-0-1"] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", - "type": "string", - "examples": ["Automatable", "Exploitation"] + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", - "type": "string", - "examples": ["ssvc","cvssv4"] + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" } }, "type": "object", @@ -72,13 +60,13 @@ "$ref": "#/$defs/role" }, "schemaVersion": { - "$ref": "#/$defs/schemaVersion" + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" }, "timestamp": { "$ref": "#/$defs/timestamp" }, "selections": { - "description" : "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py index 7fa233d9..c6b580e6 100644 --- a/src/test/test_dp_base.py +++ b/src/test/test_dp_base.py @@ -34,7 +34,7 @@ def setUp(self) -> None: key="bar", description="baz", version="1.0.0", - namespace="ns", + namespace="name1", values=tuple(self.values), ) @@ -90,7 +90,7 @@ def test_ssvc_decision_point(self): self.assertEqual(obj.key, "bar") self.assertEqual(obj.description, "baz") self.assertEqual(obj.version, "1.0.0") - self.assertEqual(obj.namespace, "ns") + self.assertEqual(obj.namespace, "name1") self.assertEqual(len(self.values), len(obj.values)) def test_ssvc_value_json_roundtrip(self):