From 08199ed5e801c41e1826fade3068a5c648d2a802 Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:05:35 -0500
Subject: [PATCH 1/7] change type hints on OutcomeGroup class
---
 src/ssvc/outcomes/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py
index 11eaf873..2262c816 100644
--- a/src/ssvc/outcomes/base.py
+++ b/src/ssvc/outcomes/base.py
@@ -31,7 +31,7 @@ class OutcomeGroup(_Base, _Versioned, BaseModel):
 Models an outcome group.
 """
- outcomes: list[OutcomeValue]
+ outcomes: tuple[OutcomeValue, ...]
 def __iter__(self):
 """
From 32137ee7263877a1ff1688fdc362d6cc4317c1bd Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:06:44 -0500
Subject: [PATCH 2/7] black reformat
---
 src/ssvc/outcomes/groups.py | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py
index 5326b6d9..c1fea1d0 100644
--- a/src/ssvc/outcomes/groups.py
+++ b/src/ssvc/outcomes/groups.py
@@ -40,9 +40,7 @@
 description="The publish outcome group.",
 version="1.0.0",
 outcomes=(
- OutcomeValue(
- name="Do Not Publish", key="N", description="Do Not Publish"
- ),
+ OutcomeValue(name="Do Not Publish", key="N", description="Do Not Publish"),
 OutcomeValue(name="Publish", key="P", description="Publish"),
 ),
 )
@@ -150,6 +148,7 @@
 See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
 """
+
 YES_NO = OutcomeGroup(
 name="Yes, No",
 description="The Yes/No outcome group.",
@@ -170,9 +169,7 @@
 outcomes=(
 # drop, reconsider later, easy win, do first
 OutcomeValue(name="Drop", key="D", description="Drop"),
- OutcomeValue(
- name="Reconsider Later", key="R", description="Reconsider Later"
- ),
+ OutcomeValue(name="Reconsider Later", key="R", description="Reconsider Later"),
 OutcomeValue(name="Easy Win", key="E", description="Easy Win"),
 OutcomeValue(name="Do First", key="F", description="Do First"),
 ),
@@ -187,9 +184,7 @@
 version="1.0.0",
 outcomes=(
 OutcomeValue(name="Track 5", key="5", description="Track"),
- OutcomeValue(
- name="Track Closely 4", key="4", description="Track Closely"
- ),
+ OutcomeValue(name="Track Closely 4", key="4", description="Track Closely"),
 OutcomeValue(name="Attend 3", key="3", description="Attend"),
 OutcomeValue(name="Attend 2", key="2", description="Attend"),
 OutcomeValue(name="Act 1", key="1", description="Act"),
From 0595725e020e0b8f7f853dcd3fc073ee8a2e474a Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:07:11 -0500
Subject: [PATCH 3/7] replace `Track *` with `Monitor`
---
 docs/ssvc-calc/findex.html | 2 +-
 docs/ssvc-calc/old_index.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/ssvc-calc/findex.html b/docs/ssvc-calc/findex.html
index 63456ee2..1562e0b1 100644
--- a/docs/ssvc-calc/findex.html
+++ b/docs/ssvc-calc/findex.html
@@ -294,7 +294,7 @@
Mission Prevelance choices
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
- Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. + Monitor   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
diff --git a/docs/ssvc-calc/old_index.html b/docs/ssvc-calc/old_index.html
index 9d99945f..2e6b13b2 100644
--- a/docs/ssvc-calc/old_index.html
+++ b/docs/ssvc-calc/old_index.html
@@ -292,7 +292,7 @@
Mission Prevelance choices
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
- Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. + Monitor   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
From 6f2cbc648872d0a279688a12eafcab406110f36e Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:09:55 -0500
Subject: [PATCH 4/7] carve a new version of CISA OutcomeGroup to reflect `Track *` -> `Monitor`
---
 src/ssvc/outcomes/groups.py | 45 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)
diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py
index c1fea1d0..e06e70ca 100644
--- a/src/ssvc/outcomes/groups.py
+++ b/src/ssvc/outcomes/groups.py
@@ -107,7 +107,7 @@
 The CVSS outcome group.
 """
-CISA = OutcomeGroup(
+CISA_1 = OutcomeGroup(
 name="CISA Levels",
 description="The CISA outcome group. "
 "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
@@ -122,7 +122,7 @@
 ),
 OutcomeValue(
 name="Track*",
- key="T*",
+ key="R",
 description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
 "CISA recommends remediating Track* vulnerabilities within standard update timelines.",
 ),
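Review bot: `CISA_1` is kept as the earlier outcome group, yet this hunk changes its `Track*` key from `"T*"` to `"R"`, and the `@@ -135` hunk gives its `Act` entry `key="C"` where the old line read `key="A"`. The `version=` line of `CISA_1` is outside both hunks; if it still reads `1.0.0`, anything stored with `T*` or `A` under that version no longer resolves to the same outcome, and a recorded prioritisation decision can be misread. The old `Act` key appears to have collided with `Attend`, so the re-key looks deliberate, but it should come with a version distinct from the published one and a comment above `CISA_1` such as `# re-keyed from the published group: Track* "T*" -> "R", Act "A" -> "C"`. The docstring that the `@@ -135` hunk adds under `CISA_1` appears to repeat the wording used for `CISA`; a text like `The CISA outcome group as first published (Track, Track*, Attend, Act); superseded by CISA.` would tell the two apart.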
@@ -135,7 +135,48 @@
 ),
 OutcomeValue(
 name="Act",
+ key="C",
+ description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. "
+ "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. "
+ "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. "
+ "CISA recommends remediating Act vulnerabilities as soon as possible.",
+ ),
+ ),
+)
+"""
+The CISA outcome group. Based on CISA's customizations of the SSVC model.
+See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
+"""
+
+CISA = OutcomeGroup(
+ name="CISA Levels",
+ description="The CISA outcome group. "
+ "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.",
+ version="1.1.0",
+ outcomes=(
+ OutcomeValue(
+ name="Track",
+ key="T",
+ description="The vulnerability does not require action at this time. "
+ "The organization would continue to track the vulnerability and reassess it if new information becomes available. "
+ "CISA recommends remediating Track vulnerabilities within standard update timelines.",
+ ),
+ OutcomeValue(
+ name="Monitor",
+ key="M",
+ description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
+ "CISA recommends remediating Track* vulnerabilities within standard update timelines.",
+ ),
+ OutcomeValue(
+ name="Attend",
 key="A",
+ description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. "
+ "Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. 
"
+ "CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.",
+ ),
+ OutcomeValue(
+ name="Act",
+ key="C",
 description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. "
 "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. "
 "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. "
From 643e90112ed1e2d825236e95f0dcc1ccccfdd806 Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:13:09 -0500
Subject: [PATCH 5/7] replace `Track*` with `Monitor` in json
---
 docs/ssvc-calc/CISA-Coordinator.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/ssvc-calc/CISA-Coordinator.json b/docs/ssvc-calc/CISA-Coordinator.json
index 7bffef4b..a9bbee2e 100644
--- a/docs/ssvc-calc/CISA-Coordinator.json
+++ b/docs/ssvc-calc/CISA-Coordinator.json
@@ -209,8 +209,8 @@
 "color": "#28a745"
 },
 {
- "label": "Track*",
- "key": "R",
+ "label": "Monitor",
+ "key": "M",
 "description": "Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.",
 "color": "#ffc107"
 },
@@ -266,7 +266,7 @@
 "Mission & Well-being": "medium"
 },
 {
- "Decision": "Track*",
+ "Decision": "Monitor",
 "Exploitation": "none",
 "Automatable": "no",
 "Technical Impact": "total",
@@ -329,7 +329,7 @@
 "Mission & Well-being": "medium"
 },
 {
- "Decision": "Track*",
+ "Decision": "Monitor",
 "Exploitation": "poc",
 "Automatable": "no",
 "Technical Impact": "partial",
@@ -343,7 +343,7 @@
 "Mission & Well-being": "low"
 },
 {
- "Decision": "Track*",
+ "Decision": "Monitor",
 "Exploitation": "poc",
 "Automatable": "no",
 "Technical Impact": "total",
@@ -385,7 +385,7 @@
 "Mission & Well-being": "low"
 },
 {
- "Decision": "Track*",
+ "Decision": "Monitor",
 "Exploitation": "poc",
 "Automatable": "yes",
 "Technical Impact": "total",
From 4a19246b555075ded52124a309988ba4fbcfea4e Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:34:34 -0500
Subject: [PATCH 6/7] replace CISA.json with Monitor outcome value
---
 data/json/outcomes/CISA.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json
index c4ebbd2a..c9e0c311 100644
--- a/data/json/outcomes/CISA.json
+++ b/data/json/outcomes/CISA.json
@@ -1,8 +1,8 @@
 {
- "version": "1.0.0",
+ "version": "1.1.0",
 "schemaVersion": "1-0-1",
 "name": "CISA Levels",
- "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+ "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.",
 "outcomes": [
 {
 "key": "T",
@@ -10,8 +10,8 @@
 "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
 },
 {
- "key": "T*",
- "name": "Track*",
+ "key": "M",
+ "name": "Monitor",
 "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
 },
 {
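Review bot: `data/json/outcomes/CISA.json` is rewritten in place from `"version": "1.0.0"` to `"1.1.0"`, so this path stops serving the earlier group even though the same series keeps `CISA_1` in `groups.py`. Whether a version-qualified copy of the old content is written elsewhere is not visible in these hunks. If consumers read this path and pin on `version`, keeping the previous content beside it under a version-qualified name (placeholder: `CISA_<old-version>.json`) would let records that carry `"key": "T*"` still be validated. The `@@ -20,9` hunk also moves `Act` from `"A"` to `"C"` under the same bump, which is worth stating in the commit message because it changes a second key.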
@@ -20,9 +20,9 @@
 "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
 },
 {
- "key": "A",
+ "key": "C",
 "name": "Act",
 "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
 }
 ]
-}
\ No newline at end of file
+}
From d6f2141a27cd4622dd1b31703f6b1b5d840b0673 Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Thu, 6 Mar 2025 12:38:14 -0500
Subject: [PATCH 7/7] more substitutions
---
 data/json/outcomes/CISA.json | 2 +-
 docs/ssvc-calc/sample-ssvc.txt | 4 ++--
 docs/ssvc-calc/ssvc.js | 2 +-
 src/ssvc/outcomes/groups.py | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json
index c9e0c311..15e03647 100644
--- a/data/json/outcomes/CISA.json
+++ b/data/json/outcomes/CISA.json
@@ -12,7 +12,7 @@
 {
 "key": "M",
 "name": "Monitor",
- "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Monitor vulnerabilities within standard update timelines."
 },
 {
 "key": "A",
diff --git a/docs/ssvc-calc/sample-ssvc.txt b/docs/ssvc-calc/sample-ssvc.txt
index e273d496..b6ac3788 100644
--- a/docs/ssvc-calc/sample-ssvc.txt
+++ b/docs/ssvc-calc/sample-ssvc.txt
@@ -1,8 +1,8 @@
 CVE Vulnerability CVSS (v3.x Base Score) SSVC (Decision) Exploit Virulence Technical Mission/Well-Being (Impact)
 CVE-2020-7961 Liferay Portal JSON web services (JSONWS) deserialization 9.8 Track PoC Yes Total Low (Minimal/Minimal)
 CVE-2020-5847 Unraid 6.8.0 PHP RCE 9.8 Track PoC Yes Total Low (Minimal/Minimal)
-CVE-2019-0708 Microsoft Windows Remote Desktop RCE (BlueKeep) 9.8 Track* PoC Yes Total Medium (Support/Material)
-CVE-2019-13918 Rockwell Automation MicroLogix Controller open redirect 6.1 Track* PoC No Partial High (Essential/Material)
+CVE-2019-0708 Microsoft Windows Remote Desktop RCE (BlueKeep) 9.8 Monitor PoC Yes Total Medium (Support/Material)
+CVE-2019-13918 Rockwell Automation MicroLogix Controller open redirect 6.1 Monitor PoC No Partial High (Essential/Material)
 CVE-2019-19781 Citrix directory traversal and Perl RCE 9.8 Critical Active Yes Total Medium (Support/Minimal)
 CVE-2014-0751 GE CIMPLICITY HMI/SCADA directory traversal RCE (Black Energy) 9.8 Critical Active No Total High (Essential/Material)
 CVE-2018-5734 BIND 9 SERVFAIL assertion failure in badcache.c 7.5 Track None Yes Partial Medium (Support/Minimal)
diff --git a/docs/ssvc-calc/ssvc.js b/docs/ssvc-calc/ssvc.js
index f9d6cdc6..35568ef8 100644
--- a/docs/ssvc-calc/ssvc.js
+++ b/docs/ssvc-calc/ssvc.js
@@ -21,7 +21,7 @@ var diagonal,tree,svg,duration,root
 var treeData = []
 /* Deefault color array of possible color options */
 var acolors = ["#28a745","#ffc107","#EE8733","#dc3545","#ff0000","#aa0000","#ff0000"]
-var lcolors = {"Track":"#28a745","Track*":"#ffc107","Attend":"#EE8733","Act":"#dc3545"}
+var lcolors = {"Track":"#28a745","Monitor":"#ffc107","Attend":"#EE8733","Act":"#dc3545"}
 var ssvc_short_keys = {};
 /* These variables are for decision tree schema JSON aka SSVC Provision Schema */
 var export_schema = {decision_points: [],decisions_table: [], lang: "en",
diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py
index e06e70ca..e61c9d9a 100644
--- a/src/ssvc/outcomes/groups.py
+++ b/src/ssvc/outcomes/groups.py
@@ -165,7 +165,7 @@
 name="Monitor",
 key="M",
 description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
- "CISA recommends remediating Track* vulnerabilities within standard update timelines.",
+ "CISA recommends remediating Monitor vulnerabilities within standard update timelines.",
 ),
 OutcomeValue(
 name="Attend",