UNPKG

ssvc

Version:

TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS

github.com/trivialsec/typescript-ssvc

trivialsec/typescript-ssvc

314 lines (244 loc) 8.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
# SSVC Methodology Schema Validation This document describes the schema validation system for SSVC methodology YAML files, which ensures all methodologies follow a consistent hierarchical tree structure. ## Overview The schema validation system enforces consistent structure across all SSVC methodologies, ensuring: - **Hierarchical Tree Structure**: All methodologies must use nested decision trees (not flat arrays) - **Consistent Depth**: All decision paths within a methodology must have identical depth - **Complete Validation**: Schema validation, enum usage validation, and tree structure validation ## Schema Location The JSON Schema is located at: `methodologies/schema.json` ## Validation Script Run validation with: ```bash just validate-methodologies # or directly: npx ts-node scripts/validate-methodologies.ts ``` ## Required YAML Structure ### Basic Structure ```yaml name: "Methodology Name" description: "Description of the methodology" version: "1.0" url: "https://optional-documentation-url.com" # Optional enums: DecisionPointEnum: - VALUE_ONE - VALUE_TWO # ... more enums priorityMap: ACTION_ONE: priority_level ACTION_TWO: priority_level defaultAction: DEFAULT_ACTION decisionTree: type: FirstDecisionPointEnum children: VALUE_ONE: type: SecondDecisionPointEnum children: NESTED_VALUE: FINAL_ACTION VALUE_TWO: FINAL_ACTION ``` ### Tree Structure Requirements 1. **Hierarchical Structure**: Use nested `type` and `children` objects, not flat arrays 2. **Consistent Depth**: All paths from root to leaf must have the same number of levels 3. **Leaf Nodes**: Terminal nodes must be action strings (not objects) 4. **Type References**: All `type` values must reference declared enums ### Valid Tree Example (4 levels) ```yaml decisionTree: type: ExploitationStatus # Level 1 children: NONE: type: AutomatableStatus # Level 2 children: "YES": type: TechnicalImpactLevel # Level 3 children: TOTAL: type: MissionWellbeingImpactLevel # Level 4 children: HIGH: ATTEND # Leaf action MEDIUM: TRACK # Leaf action ``` ### Invalid Structures **Flat Array Structure**: ```yaml decisionTree: - conditions: exploitation: none automatable: "yes" action: track ``` **Inconsistent Depth**: ```yaml decisionTree: type: FirstLevel children: A: type: SecondLevel children: X: ACTION_ONE # 3 levels Y: type: ThirdLevel children: Z: ACTION_TWO # 4 levels - INCONSISTENT! ``` ## Enum Requirements ### Declaration All enum types used in the decision tree must be declared in the `enums` section: ```yaml enums: ExploitationStatus: - NONE - POC - ACTIVE # Must declare all enum types used in decisionTree ``` ### Usage Validation - All declared enums must be used in the decision tree - All enum types referenced in the tree must be declared - Unused enum declarations will cause validation errors ## Priority Mapping ### Structure ```yaml priorityMap: ACTION_NAME: priority_level # Both uppercase and lowercase supported another_action: priority # Mixed case and underscores allowed ``` ### Requirements - Every action used in the decision tree must have a priority mapping - Every priority mapping must correspond to an actual action - The `defaultAction` must also have a priority mapping - Action names support both uppercase and lowercase letters, plus underscores - Priority levels support both uppercase and lowercase letters, plus underscores ## Validation Checks The validator performs these checks: ### 1. JSON Schema Validation - Validates overall YAML structure - Ensures required fields are present - Validates data types and patterns ### 2. Tree Depth Consistency - Verifies all paths have identical depth - Reports inconsistent depths with specific values found ### 3. Enum Usage Validation - Checks that all declared enums are used - Verifies all referenced enums are declared - Reports unused or undeclared enum types ### 4. Priority Mapping Validation - Ensures all actions have priority mappings - Checks for orphaned priority mappings - Validates defaultAction has mapping ### 5. Coverage Analysis - Calculates percentage of possible paths explicitly defined - Issues warnings for very low coverage (< 25%) - Sparse trees with default actions are acceptable ## Methodology Examples ### CISA (Sparse Tree) - **Depth**: 4 levels consistently - **Coverage**: ~47% (acceptable with default action) - **Structure**: Hierarchical with some branches undefined (uses defaultAction) ### Coordinator Publication (Complete Tree) - **Depth**: 3 levels consistently - **Coverage**: 100% (all combinations explicitly defined) - **Structure**: Fully enumerated hierarchical tree ### Coordinator Triage (Complex Tree) - **Depth**: 6 levels consistently - **Coverage**: ~100% (nearly all combinations defined) - **Structure**: Deep hierarchical tree with complete enumeration ### Deployer (Complete Tree) - **Depth**: 4 levels consistently - **Coverage**: 100% (all combinations explicitly defined) - **Structure**: Fully enumerated hierarchical tree ### Supplier (Complete Tree) - **Depth**: 4 levels consistently - **Coverage**: 100% (all combinations explicitly defined) - **Structure**: Fully enumerated hierarchical tree ### AI/LLM Triage (Complete Tree) - **Depth**: 4 levels consistently - **Coverage**: 100% (all combinations explicitly defined) - **Structure**: Fully enumerated hierarchical tree for AI-specific vulnerability assessment ## Integration with Build Process The validation is integrated into the build process: ```bash # Validation runs before plugin generation just generate-plugins # Runs validate-methodologies first # Full development cycle just dev # Includes validation, generation, build, and test ``` ## Error Messages ### Common Error Types **Schema Validation Errors**: ``` /decisionTree: must be object /priorityMap: must NOT have additional properties ``` **Depth Consistency Errors**: ``` Inconsistent tree depth: found depths 4, 5, 6. All paths should have the same depth. ``` **Enum Usage Errors**: ``` Decision tree uses undeclared enum type: UndefinedEnum Declared enum type is never used: UnusedEnum ``` **Priority Mapping Errors**: ``` Action 'NEW_ACTION' has no priority mapping Priority mapping exists for unused action: OLD_ACTION ``` ## Migration Guide ### Converting Flat Arrays to Trees **Before (Flat Array)**: ```yaml decisionTree: - conditions: param1: value1 param2: value2 action: result1 - conditions: param1: value1 param2: value3 action: result2 ``` **After (Hierarchical Tree)**: ```yaml decisionTree: type: Param1Enum children: value1: type: Param2Enum children: value2: result1 value3: result2 ``` ### Ensuring Consistent Depth 1. **Identify the maximum depth** needed across all decision paths 2. **Pad shorter paths** by adding intermediate decision points or using default actions 3. **Verify all paths** reach the same depth before terminating in actions ## Troubleshooting ### "Inconsistent tree depth" Error - Map out all decision paths from root to leaf - Identify paths with different lengths - Restructure to ensure consistent depth across all branches ### "Declared enum type is never used" Error - Remove unused enum declarations from the `enums` section - Or add the enum to the decision tree if it should be used ### "Priority mapping" Errors - Ensure every action in the tree has a priority mapping - Remove priority mappings for actions not used in the tree - Verify the defaultAction has a priority mapping ## Best Practices 1. **Design First**: Plan your decision tree structure before writing YAML 2. **Consistent Naming**: Use consistent naming patterns for enums and actions 3. **Document Decisions**: Use clear, descriptive enum and action names 4. **Validate Early**: Run validation frequently during development 5. **Complete Coverage**: Aim for complete enumeration or ensure default action is appropriate 6. **Test Integration**: Verify generated plugins work correctly after structural changes ## Schema Evolution When updating the schema: 1. **Test Backwards Compatibility**: Ensure existing methodologies still validate 2. **Update Documentation**: Reflect schema changes in this guide 3. **Version the Schema**: Consider schema versioning for breaking changes 4. **Coordinate Changes**: Update both schema and validator logic together The validation system ensures all SSVC methodologies maintain consistent, predictable structure while allowing for different coverage patterns and complexity levels appropriate to each use case.