Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Related to #348 SSVC1.0.1 additions. #350

Open
wants to merge 8 commits into
base: feature-144-SSVC
Choose a base branch
from
Open

Related to #348 SSVC1.0.1 additions. #350

wants to merge 8 commits into from
+254 −10

Conversation

sei-vsarvepalli
Copy link
Contributor

This should have the right files and fixes for #348

@ccoffin
Copy link
Collaborator

ccoffin commented Oct 4, 2024

I believe that "schema/docs/CVE_Record_Format_bundled.json" is an output file and shouldn't be updated. As long as "CVE_Record_Format.json" is updated to include an import of the ssvc schema in the imports directory, it should be ok and the bundled file will be created automatically.

@sei-vsarvepalli
Copy link
Contributor Author

I believe that "schema/docs/CVE_Record_Format_bundled.json" is an output file and shouldn't be updated. As long as "CVE_Record_Format.json" is updated to include an import of the ssvc schema in the imports directory, it should be ok and the bundled file will be created automatically.

It looks like all the _bundled.json file that are created are the following.

  1. CVE_Record_Format_bundled_cnaPublishedContainer.json
  2. CVE_Record_Format_bundled_cnaRejectedContainer.json
  3. CVE_Record_Format_bundled_adpContainer.json

cve-schema/schema/support/schema2markmap/schema-bundle.js

Lines 36 to 39 in 6af5c9c

for(let t of ['cnaPublishedContainer', 'cnaRejectedContainer', 'adpContainer']) {
var subSchema = {
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": `https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_${t}.json`,

The docs/CVE_Record_Format.json is created but it is not copied over to docs/CVE_Record_Format_bundled.json - at least not in the workflow file itself, so I just manually created it. We can fix the workflow file too, if that is preferred so all of this can be automated.

Also as seen in the log file for workflow

CVE_Record_Format.json created
CVE_Record_Format_bundled_adpContainer.json created
CVE_Record_Format_bundled_cnaRejectedContainer.json created
CVE_Record_Format_bundled_cnaPublishedContainer.json created

@sei-vsarvepalli sei-vsarvepalli mentioned this pull request Oct 5, 2024
Open
@ccoffin
Copy link
Collaborator

ccoffin commented Oct 7, 2024

Looks like i made a mistake when updating the schema-bundle.js a few months ago. 'CVE_Record_Format.json' should have been 'CVE_Record_Format_bundled.json.' I just made this fix in the develop branch.

This was referenced Oct 17, 2024
Open
Closed
@sei-vsarvepalli sei-vsarvepalli mentioned this pull request Nov 7, 2024
Open
@sei-vsarvepalli
Copy link
Contributor Author

From the Meeting - Matt @ElectricNroff noticed spelling error in examples

https://github.com/sei-vsarvepalli/cve-schema/blob/00989854805b16889a3f7692d2cb809a9eb2f37d/schema/imports/ssvc/ssvc-v1.0.1.json#L38

to be fixed in the PR

@MrMegaZone
Copy link
Collaborator

Discussed on today's QWG call. Personally I'm in favor of this. We have CISA as a provider of SSVC today, but they're forced to use the 'Other' field, which is unstructured. Moving SSVC to structured data would allow us to perform validation on the data, improving the corpus, as well as making the data easier to consume and use.

We have something of a chicken and egg problem with new types - we don't know exactly what the adoption will be until we make adoption easier. We do need to balance out schema bloat against possible value, but here we have something that is being used today, so we have some evidence of interest. And the cost, in data, CPU, etc., is minimal, so I think adding this is justified.

There is at least some information on SSVC adoption in the industry at large: CERTCC/SSVC#291

This is a non-breaking change to the schema with no real cost/pain that I can see, and it is an improvement over what we're doing now. To me that's a win-win to add this in the next schema update.

As was raised in the discussion, we do need to have some review of schemas at some point to determine what needs to be deprecated/removed if adoption never picks up, or falls off because the industry has moved on, etc. But I think that's a different, broader topic. Probably best done when a major version change is being made (5.x -> 6.x), and maybe minor versions (5.1.x -> 5.2.x).

@sei-vsarvepalli
Copy link
Contributor Author

Some more information/questions that came up offline - trying to capture it here

The newer schema came to try to make SSVC data useable for consumers of various forms. The idea is for vendors do provide informational elements in SSVC format, allowing consumers to collect data and merge it into their policies to take the best course of action according to their policies.

The schema can help gather specific description of the Decision Point. People can also provide other (CVSS metrics as information elements) in the new schema using "namespace" idea. For e.g., one can go from https://github.com/CERTCC/SSVC/blob/main/data/schema_examples/CVE-1969-0000-Decision_Point_Value_Selection.json

to

These two Decision Points as the inputs to the specific evaluation example.

https://github.com/CERTCC/SSVC/blob/main/data/json/decision_points/exploitation_1_1_0.json

https://github.com/CERTCC/SSVC/blob/main/data/json/decision_points/technical_impact_1_0_0.json

The Decision Points with namespace SSVC are defined and published centrally in the SSVC https://certcc.github.io/SSVC/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sei-vsarvepalli @ccoffin @MrMegaZone