
ssvc


TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or complement to CVSS

83 lines (71 loc) 2.98 kB
/**
 * Coordinator Triage Plugin Wrapper
 *
 * Adapts the generated Coordinator Triage decision model to the core plugin
 * interface (SSVCPlugin / SSVCDecision / SSVCOutcome).
 */

import { SSVCPlugin, SSVCDecision, SSVCOutcome } from '../core';
import {
  DecisionCoordinatorTriage,
  OutcomeCoordinatorTriage,
  ReportPublicStatus,
  SupplierContactedStatus,
  ReportCredibilityLevel,
  SupplierCardinalityLevel,
  SupplierEngagementLevel,
  UtilityLevel,
  PublicSafetyImpactLevel
} from './coordinator_triage-generated';

/**
 * Plugin entry for the CERT/CC Coordinator Triage decision model.
 */
export class CoordinatorTriagePlugin extends SSVCPlugin {
  readonly name = 'Coordinator Triage';
  readonly description = 'CERT/CC Coordinator Triage Decision Model';
  readonly version = '1.0';

  /**
   * Builds a decision object from loosely typed caller options.
   *
   * @param options - Decision inputs keyed by snake_case or camelCase names.
   * @returns A decision whose `evaluate()` delegates to the generated model.
   */
  createDecision(options: Record<string, any>): SSVCDecision {
    const wrapped = new CoordinatorTriageDecisionWrapper(options);
    return wrapped;
  }
}

/**
 * Translates generic option bags into the parameters expected by
 * `DecisionCoordinatorTriage` and exposes its result as an `SSVCOutcome`.
 */
class CoordinatorTriageDecisionWrapper implements SSVCDecision {
  private decision: DecisionCoordinatorTriage;
  public outcome?: SSVCOutcome;

  /**
   * @param options - Decision inputs. For each input the snake_case key is
   *   read first; the camelCase alias is used only when that value is falsy.
   */
  constructor(options: Record<string, any>) {
    // Reads one decision point under either of its two accepted names and
    // normalises it against the matching enum.
    const resolve = (snakeKey: string, camelKey: string, enumType: any): any =>
      this.mapValue(options[snakeKey] || options[camelKey], enumType);

    this.decision = new DecisionCoordinatorTriage({
      reportPublic: resolve('report_public', 'reportPublicStatus', ReportPublicStatus),
      supplierContacted: resolve('supplier_contacted', 'supplierContactedStatus', SupplierContactedStatus),
      reportCredibility: resolve('report_credibility', 'reportCredibilityLevel', ReportCredibilityLevel),
      supplierCardinality: resolve('supplier_cardinality', 'supplierCardinalityLevel', SupplierCardinalityLevel),
      supplierEngagement: resolve('supplier_engagement', 'supplierEngagementLevel', SupplierEngagementLevel),
      utility: resolve('utility', 'utilityLevel', UtilityLevel),
      publicSafetyImpact: resolve('public_safety_impact', 'publicSafetyImpactLevel', PublicSafetyImpactLevel)
    });
  }

  /**
   * Runs the generated decision model and caches the result on `outcome`.
   *
   * @returns The action and priority reported by the generated model.
   */
  evaluate(): SSVCOutcome {
    const { action, priority } = this.decision.evaluate();
    this.outcome = { action, priority };
    return this.outcome;
  }

  /**
   * Normalises a caller-supplied value against an enum object.
   *
   * Resolution order: an exact enum value is returned as is; a string is then
   * matched against the enum's keys after upper-casing, and finally against
   * the enum's values after lower-casing.
   *
   * NOTE(review): a value that matches nothing is returned unchanged rather
   * than rejected, so a typo or unexpected input reaches
   * `DecisionCoordinatorTriage` as is. Whether the generated model rejects
   * such values is not visible from this file; confirm before relying on the
   * resulting triage outcome.
   *
   * @param value - Raw option value; any falsy value yields `undefined`.
   * @param enumType - Enum object to match against.
   * @returns The matching enum member, `undefined` for falsy input, or the
   *   original value when no match is found.
   */
  private mapValue(value: any, enumType: any): any {
    if (!value) {
      return undefined;
    }

    // Already a member of the enum: nothing to translate.
    const members = Object.values(enumType);
    if (members.includes(value)) {
      return value;
    }

    // Only strings get the case-insensitive lookups below.
    if (typeof value !== 'string') {
      return value;
    }

    // Match by enum key, e.g. 'yes' -> enumType.YES.
    const wantedKey = value.toUpperCase();
    if (Object.keys(enumType).includes(wantedKey)) {
      return enumType[wantedKey];
    }

    // Match by enum value, compared against the lower-cased input.
    const lowered = value.toLowerCase();
    if (members.includes(lowered)) {
      return lowered;
    }

    return value;
  }
}