Updated SSVC schema with examples due to bug in json-schema-parser for root circular reference
sei-vsarvepalli committed Oct 4, 2024
1 parent 1b1ae14 commit 9e5c220
Showing 4 changed files with 156 additions and 21 deletions.
120 changes: 119 additions & 1 deletion schema/docs/CVE_Record_Format_bundled.json
Expand Up @@ -973,6 +973,11 @@
"cvssV2_0"
]
},
{
"required": [
"ssvcV1_0_1"
]
},
{
"required": [
"other"
Expand Down Expand Up @@ -3057,6 +3062,119 @@
],
"additionalProperties": false
},
"ssvcV1_0_1": {
"$schema": "http://json-schema.org/draft-07/schema#",
"definitions": {
"id": {
"type": "string",
"description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
"examples": [
"CVE-2024-101010",
"VU#11111",
"GHSA-11a1-22b2-33c3"
]
},
"role": {
"type": "string",
"description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
"examples": [
"Supplier",
"Deployer",
"Coordinator"
]
},
"timestamp": {
"description": "Date and time in ISO format ISO 8601 format",
"type": "string",
"format": "date-time"
},
"schemaVersion": {
"description": "Schema version used to represent this evaluation",
"type": "string",
"enum": [
"1-0-1"
]
},
"SsvcdecisionpointselectionSchema": {
"description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
"properties": {
"name": {
"description": "Name of the Decision Point that were evaluated",
"title": "name",
"type": "string",
"examples": [
"Automatable",
"Exploitation"
]
},
"namespace": {
"description": "SSVC Namespace that were used for defining the evaluated Decision Points",
"title": "namespace",
"type": "string",
"examples": [
"ssvc",
"cvvsv4"
]
},
"values": {
"description": "Evaluated values of the Decision Point",
"title": "values",
"type": "array",
"minItems": 1,
"items": {
"description": "Each value that were down-selected for a Decision Point",
"title": "values",
"type": "string"
}
},
"version": {
"description": "Version of the Decision Points that were evaluated",
"title": "version",
"type": "string"
}
},
"type": "object",
"required": [
"name",
"namespace",
"values",
"version"
],
"additionalProperties": false
}
},
"properties": {
"id": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/id"
},
"role": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/role"
},
"schemaVersion": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/schemaVersion"
},
"timestamp": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/timestamp"
},
"selections": {
"description": "An array of Decision Points and their Values that were down-selected or evaluated ",
"title": "selections",
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/SsvcdecisionpointselectionSchema"
}
}
},
"type": "object",
"required": [
"selections",
"id",
"timestamp",
"schemaVersion"
],
"additionalProperties": false
},
"other": {
"type": "object",
"description": "A non-standard impact description, may be prose or JSON block.",
Expand Down Expand Up @@ -3414,4 +3532,4 @@
"additionalProperties": false
}
]
}
}
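Review bot: The `namespace` example `"cvvsv4"` at L84 looks like a misspelling (presumably `"cvssv4"` — confirm the intended namespace), and several descriptions in the new `ssvcV1_0_1` block read awkwardly: `"Date and time in ISO format ISO 8601 format"` at L55 repeats itself, and "Name of the Decision Point that were evaluated" (L70) and "SSVC Namespace that were used for defining…" (L79) disagree in number with their singular subjects. None of this affects validation, since `examples` and `description` are annotations, but the schema doubles as the documentation readers will copy from. If this bundled file is produced from schema/imports/ssvc/ssvc-v1.0.1.json, the corrections belong there rather than here; suggested wording is `"description": "Date and time in ISO 8601 format"` and `"description": "Name of the Decision Point that was evaluated"`.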
38 changes: 31 additions & 7 deletions schema/docs/full-record-advanced-example.json
Expand Up @@ -14,7 +14,7 @@
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"shortName": "example",
"dateUpdated": "2021-09-08T16:24:00.000Z"
"dateUpdated": "2021-09-08T16:24:00.000Z"
},
"title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
"datePublic": "2021-09-08T16:24:00.000Z",
Expand Down Expand Up @@ -111,15 +111,15 @@
},
{
"lang": "eo",
"value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn. Ĉi tiu afero efikas: 1.0-versioj antaŭ 1.0.6, 2.1-versioj de 2.16 ĝis 2.1.9.",
"value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn. \u0108i tiu afero efikas: 1.0-versioj anta\u016d 1.0.6, 2.1-versioj de 2.16 \u011dis 2.1.9.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.<br><br> Ĉi tiu afero efikas:<br><ul><li>1.0-versioj antaŭ 1.0.6</li><li>2.1-versioj de 2.16 ĝis 2.1.9.</li></ul>"
"value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn.<br><br> \u0108i tiu afero efikas:<br><ul><li>1.0-versioj anta\u016d 1.0.6</li><li>2.1-versioj de 2.16 \u011dis 2.1.9.</li></ul>"
}
]
}
}
],
"metrics": [
{
Expand All @@ -130,11 +130,35 @@
"value": "GENERAL"
}
],
"cvssV4_0": {
"ssvcV1_0_1": {
"id": "CVE-1337-1234",
"selections": [
{
"namespace": "ssvc",
"name": "Exploitation",
"values": [
"Public PoC",
"Active"
],
"version": "1.1.0"
},
{
"namespace": "ssvc",
"name": "Technical Impact",
"values": [
"Total"
],
"version": "1.0.0"
}
],
"timestamp": "1999-04-23T18:25:43.511Z",
"schemaVersion": "1-0-1"
},
"cvssV4_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L",
"version":"4.0"
"version": "4.0"
},
"cvssV3_1": {
"version": "3.1",
Expand Down Expand Up @@ -313,4 +337,4 @@
]
}
}
}
}
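Review bot: The new `ssvcV1_0_1` example carries placeholder values that do not cohere with the rest of the record: `"id": "CVE-1337-1234"` at L191 presumably should agree with the record's own CVE identifier (not visible in this hunk), and `"timestamp": "1999-04-23T18:25:43.511Z"` at L211 predates the record's `datePublic` of 2021-09-08 at L165, so the example shows an SSVC evaluation made decades before publication. Because the metric-level `id` duplicates an identifier held elsewhere in the record and can drift from it, an example is exactly where the two should be shown agreeing; a timestamp such as `"timestamp": "2021-09-08T17:00:00.000Z"` (constructed) would also read plausibly. Separately, the Esperanto strings at L171 and L177 were re-emitted with `\u` escapes and the `"version":"4.0"` spacing at L219 normalised, which looks like a serializer artefact (an ASCII-only dump) rather than an intended change; it is semantically identical but inflates the diff and obscures the real addition.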
17 changes: 5 additions & 12 deletions schema/imports/ssvc/ssvc-v1.0.1.json
@@ -1,5 +1,6 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group_Selection-1-0-1.schema.json",
"definitions": {
"id": {
"type": "string",
Expand Down Expand Up @@ -61,9 +62,9 @@
"version"
],
"additionalProperties": false
},
"SsvcdecisionpointgroupselectionSchema": {
"properties": {
}
},
"properties": {
"id": {
"$ref": "#/definitions/id"
},
Expand All @@ -85,7 +86,7 @@
"$ref": "#/definitions/SsvcdecisionpointselectionSchema"
}
}
},
},
"type": "object",
"required": [
"selections",
Expand All @@ -94,12 +95,4 @@
"schemaVersion"
],
"additionalProperties": false
}
},
"type": "object",
"properties": {
"SsvcdecisionpointgroupselectionSchema": {
"$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
}
}
}
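Review bot: With the `SsvcdecisionpointgroupselectionSchema` wrapper and its `properties` indirection removed at L265–L271, the root schema now describes a selection group directly but carries no `title` or `description`, so its purpose is only implied by the `$id` added at L234. Consider adding, next to `$id`, `"title": "SSVC Decision Point Group Selection"` and a one-sentence `"description"` stating that the object records one stakeholder's down-selection of decision point values for one vulnerability at one point in time. The `$id` itself is fine for standalone use, since the `#/definitions/...` references at L249 and L252 resolve within this document; the bundler in this same commit removes it because the bundled copy rewrites those references, and that dependency is worth a comment on the bundler side.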
2 changes: 1 addition & 1 deletion schema/support/schema2markmap/schema-bundle.js
Expand Up @@ -21,7 +21,7 @@ async function schemaBundle() {
delete metricProperties.cvssV3_1.license;
delete metricProperties.cvssV3_0.license;
delete metricProperties.cvssV2_0.license;

delete metricProperties.ssvcV1_0_1.$id;

fs.writeFile(`${dirName}/CVE_Record_Format.json`,
JSON.stringify(cveSchemaBundle, null, 2),
Expand Down
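Review bot: `delete metricProperties.ssvcV1_0_1.$id;` at L280 strips the import's `$id` but leaves its `$schema`, which in the bundled output ends up inside a subschema (the nested `ssvcV1_0_1` metric object); draft-07 intends `$schema` for the root schema rather than subschemas, and some validators warn or reject when they find it nested. If the intent of this block of `delete` lines is to remove root-only keywords from each embedded import, `delete metricProperties.ssvcV1_0_1.$schema;` alongside it keeps the bundled document a single draft-07 schema — worth confirming how the cvss entries are treated, since only their `license` deletions are visible here. A short comment above the new line, `// $id is dropped because the bundled copy rewrites $refs to the document root`, would record why the deletion is required rather than cosmetic. schemaBundle() continues outside the hunk.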
