From 868b769f169b9ff6f29f7755e775e5a9a70f0cd6 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Wed, 2 Oct 2024 11:19:50 -0500
Subject: [PATCH 1/4] adding SSVC v1.0.1 production schema to the CVE Record metrics block.
---
 schema/CVE_Record_Format.json | 4 ++
 schema/imports/ssvc/ssvc-v1.0.1.json | 101 +++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 schema/imports/ssvc/ssvc-v1.0.1.json
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index f74450c32c..2501321685 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -859,6 +859,9 @@
 {
 "required": ["cvssV2_0"]
 },
+ {
+ "required": ["ssvcV1_0_1"]
+ },
 {
 "required": ["other"]
 }
@@ -898,6 +901,7 @@
 "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
 "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
 "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
+ "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
 "other": {
 "type": "object",
 "description": "A non-standard impact description, may be prose or JSON block.",
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
new file mode 100644
index 0000000000..b15800d872
--- /dev/null
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -0,0 +1,101 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
+ "definitions": {
+ "id": {
+ "type": "string",
+ "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+ "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+ },
+ "role": {
+ "type": "string",
+ "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+ "examples": ["Supplier","Deployer","Coordinator"]
+ },
+ "timestamp" : {
+ "description": "Date and time in ISO format ISO 8601 format",
+ "type": "string",
+ "format": "date-time"
+ },
+ "schemaVersion": {
+ "description": "Schema version used to represent this evaluation",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "SsvcdecisionpointselectionSchema": {
+ "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+ "properties": {
+ "name": {
+ "description": "Name of the Decision Point that were evaluated",
+ "title": "name",
+ "type": "string",
+ "examples": ["Automatable", "Exploitation"]
+ },
+ "namespace": {
+ "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+ "title": "namespace",
+ "type": "string",
+ "examples": ["ssvc","cvvsv4"]
+ },
+ "values": {
+ "description": "Evaluated values of the Decision Point",
+ "title": "values",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "description": "Each value that were down-selected for a Decision Point",
+ "title": "values",
+ "type": "string"
+ }
+ },
+ "version": {
+ "description": "Version of the Decision Points that were evaluated",
+ "title": "version",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "required": [
+ "name",
+ "namespace",
+ "values",
+ "version"
+ ],
+ "additionalProperties": false
+ },
+ "SsvcdecisionpointgroupselectionSchema": {
+ "properties": {
+ "id": {
+ "$ref": "#/definitions/id"
+ },
+ "role": {
+ "$ref": "#/definitions/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/timestamp"
+ },
+ "selections": {
+ "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+}
From 54fbea8afc49f2375bb9e858552d40427ae3a977 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Fri, 4 Oct 2024 10:30:44 -0500
Subject: [PATCH 2/4] added properties to root of schema to fix definition reference issue.
---
 schema/imports/ssvc/ssvc-v1.0.1.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index b15800d872..77f9b5adb6 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -97,5 +97,9 @@
 "additionalProperties": false
 }
 },
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ "properties": {
+ "SsvcdecisionpointgroupselectionSchema": {
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ }
+ }
 }
From 54f561c4fc8d1595de9039314b5dd43979cbe4a3 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Fri, 4 Oct 2024 10:48:57 -0500
Subject: [PATCH 3/4] added object type to properties.
---
 schema/imports/ssvc/ssvc-v1.0.1.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index 77f9b5adb6..f5b1ae3e98 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
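Review bot: The string fields in this new schema are unbounded: `id`, `role`, `name`, `namespace`, `version` and the `values` items are plain `"type": "string"` with no `minLength`, `maxLength`, `pattern` or `enum`, and the `selections` and `values` arrays set `minItems` but no `maxItems`. Because this schema is what validates SSVC data going into the CVE Record metrics block, I would add length bounds to each string and a `maxItems` to both arrays so that empty or oversized values are rejected at validation time rather than left to every downstream consumer. `"format": "date-time"` on `timestamp` is only an annotation in draft-07 unless the validator is configured to enforce formats, so it is worth confirming the validation tooling does. Minor: the `namespace` example `"cvvsv4"` looks like a typo for `cvssv4`, and `role` is defined but not listed in `required`, which should be confirmed as intended.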
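Review bot: The root of the schema no longer enforces anything once the root `$ref` is replaced by a `properties` entry in the PATCH 2/4 hunk: there is no `required` and no `additionalProperties` at the root, so an `ssvcV1_0_1` value such as `{}` or an object with arbitrary keys validates, and the `id`/`timestamp`/`selections` checks only run if the data is nested under a key literally named `SsvcdecisionpointgroupselectionSchema`. Such an empty value would still satisfy the `"required": ["ssvcV1_0_1"]` branch that PATCH 1/4 adds to CVE_Record_Format.json. If the reference problem lies in how the schema tooling resolves a root-level `$ref` (not visible from the patch), `"allOf": [{ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" }]` at the root would keep the original flat shape and strictness; otherwise add `"required": ["SsvcdecisionpointgroupselectionSchema"]` and `"additionalProperties": false` next to `properties`. The same gap is in the PATCH 3/4 hunk (where `items` under `"type": "object"` is never applied, so any object passes) and in the final state after the second hunk of PATCH 4/4, which adds root `"type": "object"` but still neither keyword.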
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -99,7 +99,10 @@
 },
 "properties": {
 "SsvcdecisionpointgroupselectionSchema": {
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ "type": "object",
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+ }
 }
 }
 }
From 1b1ae14c9d7be95f8919feb32ce4ce1cdc6dd6da Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Fri, 4 Oct 2024 11:22:07 -0500
Subject: [PATCH 4/4] removed and value and added type object to root.
---
 schema/imports/ssvc/ssvc-v1.0.1.json | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index f5b1ae3e98..4643a01f17 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -1,6 +1,5 @@
 {
 "$schema": "http://json-schema.org/draft-07/schema#",
- "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
 "definitions": {
 "id": {
 "type": "string",
@@ -97,12 +96,10 @@
 "additionalProperties": false
 }
 },
+ "type": "object",
 "properties": {
 "SsvcdecisionpointgroupselectionSchema": {
- "type": "object",
- "items": {
- "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
- }
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
 }
 }
 }