Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Related to #348 SSVC1.0.1 additions. #350

Open
wants to merge 12 commits into
base: feature-144-SSVC
Choose a base branch
from

Conversation

sei-vsarvepalli
Copy link
Contributor

This should have the right files and fixes for #348

@ccoffin
Copy link
Collaborator

ccoffin commented Oct 4, 2024

I believe that "schema/docs/CVE_Record_Format_bundled.json" is an output file and shouldn't be updated. As long as "CVE_Record_Format.json" is updated to include an import of the ssvc schema in the imports directory, it should be ok and the bundled file will be created automatically.

@sei-vsarvepalli
Copy link
Contributor Author

I believe that "schema/docs/CVE_Record_Format_bundled.json" is an output file and shouldn't be updated. As long as "CVE_Record_Format.json" is updated to include an import of the ssvc schema in the imports directory, it should be ok and the bundled file will be created automatically.

It looks like all the _bundled.json file that are created are the following.

  1. CVE_Record_Format_bundled_cnaPublishedContainer.json
  2. CVE_Record_Format_bundled_cnaRejectedContainer.json
  3. CVE_Record_Format_bundled_adpContainer.json

for(let t of ['cnaPublishedContainer', 'cnaRejectedContainer', 'adpContainer']) {
var subSchema = {
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": `https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_${t}.json`,

The docs/CVE_Record_Format.json is created but it is not copied over to docs/CVE_Record_Format_bundled.json - at least not in the workflow file itself, so I just manually created it. We can fix the workflow file too, if that is preferred so all of this can be automated.

Also as seen in the log file for workflow

CVE_Record_Format.json created
CVE_Record_Format_bundled_adpContainer.json created
CVE_Record_Format_bundled_cnaRejectedContainer.json created
CVE_Record_Format_bundled_cnaPublishedContainer.json created

@ccoffin
Copy link
Collaborator

ccoffin commented Oct 7, 2024

Looks like i made a mistake when updating the schema-bundle.js a few months ago. 'CVE_Record_Format.json' should have been 'CVE_Record_Format_bundled.json.' I just made this fix in the develop branch.

@sei-vsarvepalli
Copy link
Contributor Author

@MrMegaZone
Copy link
Collaborator

Discussed on today's QWG call. Personally I'm in favor of this. We have CISA as a provider of SSVC today, but they're forced to use the 'Other' field, which is unstructured. Moving SSVC to structured data would allow us to perform validation on the data, improving the corpus, as well as making the data easier to consume and use.

We have something of a chicken and egg problem with new types - we don't know exactly what the adoption will be until we make adoption easier. We do need to balance out schema bloat against possible value, but here we have something that is being used today, so we have some evidence of interest. And the cost, in data, CPU, etc., is minimal, so I think adding this is justified.

There is at least some information on SSVC adoption in the industry at large: CERTCC/SSVC#291

This is a non-breaking change to the schema with no real cost/pain that I can see, and it is an improvement over what we're doing now. To me that's a win-win to add this in the next schema update.

As was raised in the discussion, we do need to have some review of schemas at some point to determine what needs to be deprecated/removed if adoption never picks up, or falls off because the industry has moved on, etc. But I think that's a different, broader topic. Probably best done when a major version change is being made (5.x -> 6.x), and maybe minor versions (5.1.x -> 5.2.x).

@sei-vsarvepalli
Copy link
Contributor Author

Some more information/questions that came up offline - trying to capture it here

The newer schema came to try to make SSVC data useable for consumers of various forms. The idea is for vendors do provide informational elements in SSVC format, allowing consumers to collect data and merge it into their policies to take the best course of action according to their policies.

The schema can help gather specific description of the Decision Point. People can also provide other (CVSS metrics as information elements) in the new schema using "namespace" idea. For e.g., one can go from https://github.com/CERTCC/SSVC/blob/main/data/schema_examples/CVE-1969-0000-Decision_Point_Value_Selection.json

to

These two Decision Points as the inputs to the specific evaluation example.

https://github.com/CERTCC/SSVC/blob/main/data/json/decision_points/exploitation_1_1_0.json

https://github.com/CERTCC/SSVC/blob/main/data/json/decision_points/technical_impact_1_0_0.json

The Decision Points with namespace SSVC are defined and published centrally in the SSVC https://certcc.github.io/SSVC/

@sei-vsarvepalli
Copy link
Contributor Author

Hello @ccoffin

This update includes all the 5.1.1 updates for cpeApplicability field that was introduced in the development branch. You can merge it to develop at your convenience. All checks works out fine.

@sei-vsarvepalli
Copy link
Contributor Author

Hello @ccoffin

Looks like there is a diversion in the develop branch from the commit 30f59c7 - I am happy to resolve all these differences and make a PR specific to develop branch. The develop branch with 5.1.1 seems to not have all the issues resolved, for e.g., the CVE-1337 issue #310 by still is unresolved in the current develop branch. Somewhere these branches have diverged and the changes in PR #349 did not make it to develop branch.

I also created some scripts to run tests that will be part of GH workflow and added them to README.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants