UNPKG

ssvc

Version:

TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS

github.com/trivialsec/typescript-ssvc

trivialsec/typescript-ssvc

165 lines (139 loc) 5.91 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
/** * Coordinator Publication Plugin * * CERT/CC Coordinator Publication Decision Model * Generated from YAML configuration. */ export enum SupplierInvolvementLevel { fix_ready = "fix_ready", cooperative = "cooperative", uncooperative_unresponsive = "uncooperative_unresponsive" } export enum ExploitationStatus { none = "none", public_poc = "public_poc", active = "active" } export enum PublicValueAddedLevel { limited = "limited", ampliative = "ampliative", precedence = "precedence" } export enum ActionType { publish = "publish", dont_publish = "dont_publish" } export enum DecisionPriorityLevel { low = "low", high = "high" } export const priorityMap = { [ActionType.publish]: DecisionPriorityLevel.high, [ActionType.dont_publish]: DecisionPriorityLevel.low }; export class OutcomeCoordinatorPublication { priority: string; action: string; constructor(action: any) { this.priority = (priorityMap as any)[action]; this.action = action; } } interface DecisionCoordinatorPublicationOptions { supplierInvolvement?: SupplierInvolvementLevel | string; exploitation?: ExploitationStatus | string; publicValueAdded?: PublicValueAddedLevel | string; } export class DecisionCoordinatorPublication { supplierInvolvement?: SupplierInvolvementLevel; exploitation?: ExploitationStatus; publicValueAdded?: PublicValueAddedLevel; outcome?: OutcomeCoordinatorPublication; constructor(options: DecisionCoordinatorPublicationOptions = {}) { if (typeof options.supplierInvolvement === 'string') { this.supplierInvolvement = Object.values(SupplierInvolvementLevel).find(v => v === options.supplierInvolvement) as SupplierInvolvementLevel || undefined; } else { this.supplierInvolvement = options.supplierInvolvement; } if (typeof options.exploitation === 'string') { this.exploitation = Object.values(ExploitationStatus).find(v => v === options.exploitation) as ExploitationStatus || undefined; } else { this.exploitation = options.exploitation; } if (typeof options.publicValueAdded === 'string') { this.publicValueAdded = Object.values(PublicValueAddedLevel).find(v => v === options.publicValueAdded) as PublicValueAddedLevel || undefined; } else { this.publicValueAdded = options.publicValueAdded; } // Always try to evaluate if we have the minimum required parameters if (this.supplierInvolvement !== undefined && this.exploitation !== undefined && this.publicValueAdded !== undefined) { this.outcome = this.evaluate(); } } evaluate(): OutcomeCoordinatorPublication { const action = this.traverseTree(); this.outcome = new OutcomeCoordinatorPublication(action); return this.outcome; } private traverseTree(): any { // Traverse the decision tree to determine the outcome // Uncooperative/Unresponsive supplier scenarios if (this.supplierInvolvement === SupplierInvolvementLevel.uncooperative_unresponsive) { // Active exploitation always leads to publish if (this.exploitation === ExploitationStatus.active) { return ActionType.publish; } // Public PoC with any value added level leads to publish if (this.exploitation === ExploitationStatus.public_poc) { return ActionType.publish; } // None exploitation with precedence value added leads to publish if (this.exploitation === ExploitationStatus.none && this.publicValueAdded === PublicValueAddedLevel.precedence) { return ActionType.publish; } // None or Public PoC with limited or ampliative value added leads to dont_publish if ((this.exploitation === ExploitationStatus.none || this.exploitation === ExploitationStatus.public_poc) && (this.publicValueAdded === PublicValueAddedLevel.limited || this.publicValueAdded === PublicValueAddedLevel.ampliative)) { return ActionType.dont_publish; } } // Cooperative supplier scenarios if (this.supplierInvolvement === SupplierInvolvementLevel.cooperative) { // Active exploitation always leads to publish if (this.exploitation === ExploitationStatus.active) { return ActionType.publish; } // None exploitation with precedence value added leads to publish if (this.exploitation === ExploitationStatus.none && this.publicValueAdded === PublicValueAddedLevel.precedence) { return ActionType.publish; } // Public PoC with ampliative or precedence value added leads to publish if (this.exploitation === ExploitationStatus.public_poc && (this.publicValueAdded === PublicValueAddedLevel.ampliative || this.publicValueAdded === PublicValueAddedLevel.precedence)) { return ActionType.publish; } // Other combinations lead to dont_publish return ActionType.dont_publish; } // Fix Ready supplier scenarios if (this.supplierInvolvement === SupplierInvolvementLevel.fix_ready) { // Active exploitation always leads to publish if (this.exploitation === ExploitationStatus.active) { return ActionType.publish; } // Any exploitation with ampliative or precedence value added leads to publish if ((this.publicValueAdded === PublicValueAddedLevel.ampliative || this.publicValueAdded === PublicValueAddedLevel.precedence)) { return ActionType.publish; } // None or Public PoC with limited value added leads to dont_publish if ((this.exploitation === ExploitationStatus.none || this.exploitation === ExploitationStatus.public_poc) && this.publicValueAdded === PublicValueAddedLevel.limited) { return ActionType.dont_publish; } } // Default action for unmapped paths return ActionType.dont_publish; } }