UNPKG

ssvc

Version:

TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS

github.com/trivialsec/typescript-ssvc

trivialsec/typescript-ssvc

117 lines (91 loc) 3.35 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization) [![NPM Version](https://img.shields.io/npm/v/ssvc?style=flat)](https://www.npmjs.com/package/ssvc) [![NPM License](https://img.shields.io/npm/l/ssvc?style=flat)](https://github.com/trivialsec/typescript-ssvc/blob/master/LICENSE) [![NPM Downloads](https://img.shields.io/npm/dt/ssvc.svg?style=flat)](https://www.npmjs.com/package/ssvc) [![NPM](https://nodei.co/npm/ssvc.png?downloads=true)](https://www.npmjs.com/package/ssvc) A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS. This library provides a comprehensive solution to using the SSVC framework with both CISA and FIRST methodologies. It includes examples of high, medium, and low severity decision prioritizations for each methodology. ## Installation ```sh npm install ssvc ``` ## Decision Trees ### CISA ![CISA](.assets/SSVC_CISA.png) ### FIRST ![FIRST](.assets/SSVC_PSIRT.png) ## Decision Class Usage Guide The `Decision` class is used to evaluate cybersecurity decisions based on different methodologies. This guide demonstrates how to use the class with both CISA and FIRST methodologies. ### Importing the Necessary Components First, import the required classes and enums: ```javascript import { Decision, Exploitation, Automatable, Utility, TechnicalImpact, MissionWellbeingImpact, SafetyImpact, Methodology } from 'ssvc'; ``` > **Note**: The `Decision` constructor also accepts string inputs for enum values: ### CISA Methodology Examples ```javascript const cisaHigh = new Decision({ methodology: Methodology.CISA, exploitation: Exploitation.ACTIVE, automatable: Automatable.YES, technical_impact: TechnicalImpact.TOTAL, mission_wellbeing: MissionWellbeingImpact.HIGH }); console.log(cisaHigh.evaluate()); // Expected output: OutcomeCISA { action: 'Act', priority: 'immediate' } ``` ```javascript const cisaStringInputs = new Decision({ methodology: 'CISA', exploitation: 'active', automatable: 'yes', technical_impact: 'total', mission_wellbeing: 'high' }); console.log(cisaStringInputs.evaluate()); // Expected output: OutcomeCISA { action: 'Act', priority: 'immediate' } ``` ```javascript const cisaMedium = new Decision({ methodology: Methodology.CISA, exploitation: Exploitation.POC, automatable: Automatable.NO, technical_impact: TechnicalImpact.PARTIAL, mission_wellbeing: MissionWellbeingImpact.MEDIUM }); console.log(cisaMedium.evaluate()); // Expected output: OutcomeCISA { action: 'Track*', priority: 'medium' } ``` ### FIRST Methodology Examples ```javascript const firstHigh = new Decision({ methodology: Methodology.FIRST, exploitation: Exploitation.ACTIVE, utility: Utility.SUPER_EFFECTIVE, technical_impact: TechnicalImpact.TOTAL, safety_impact: SafetyImpact.CATASTROPHIC }); console.log(firstHigh.evaluate()); // Expected output: OutcomeFIRST { action: 'immediate', priority: 'immediate' } ``` #### Example 3: Low Severity Case ```javascript const firstStringInputs = new Decision({ methodology: 'FIRST', exploitation: 'poc', utility: 'efficient', technical_impact: 'partial', safety_impact: 'major' }); console.log(firstStringInputs.evaluate()); // Expected output: OutcomeFIRST { action: 'out-of-band', priority: 'medium' } ```