
ssvc


TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization), a prioritization framework to triage CVE vulnerabilities as an alternative or complement to CVSS.

name: "AI/LLM Triage"
description: "AI and LLM Vulnerability Triage for stakeholder-specific decision making"
version: "1.0"

enums:
  ExploitationStatus:
    - NONE
    - POC
    - ACTIVE
  StakeholderRole:
    - DEPLOYER
    - APPLICATION
    - USER
  DeployerAttackVector:
    - SUPPLY_CHAIN
    - MODEL_POISONING
    - INFRASTRUCTURE_COMPROMISE
  ApplicationAttackVector:
    - PROMPT_INJECTION
    - TOOL_MISUSE
    - PRIVILEGE_ESCALATION
    - MEMORY_MANIPULATION
    - ALIGNMENT_BYPASS
  UserAttackVector:
    - DATA_EXTRACTION
    - PROMPT_MANIPULATION
    - OUTPUT_MANIPULATION

priorityMap:
  MONITOR: LOW
  ASSESS_RISK: LOW
  PROMPT_SANITIZATION: MEDIUM
  FINETUNE_GUARDRAILS: MEDIUM
  RETRAIN_MODEL: HIGH
  HIGH_RISK: HIGH
  LOW_TRUST: MEDIUM
  IMMEDIATE_ACTION: IMMEDIATE

decisionTree:
  type: ExploitationStatus
  children:
    NONE:
      type: StakeholderRole
      children:
        DEPLOYER:
          type: DeployerAttackVector
          children:
            SUPPLY_CHAIN: ASSESS_RISK
            MODEL_POISONING: ASSESS_RISK
            INFRASTRUCTURE_COMPROMISE: MONITOR
        APPLICATION:
          type: ApplicationAttackVector
          children:
            PROMPT_INJECTION: MONITOR
            TOOL_MISUSE: PROMPT_SANITIZATION
            PRIVILEGE_ESCALATION: FINETUNE_GUARDRAILS
            MEMORY_MANIPULATION: MONITOR
            ALIGNMENT_BYPASS: MONITOR
        USER:
          type: UserAttackVector
          children:
            DATA_EXTRACTION: ASSESS_RISK
            PROMPT_MANIPULATION: LOW_TRUST
            OUTPUT_MANIPULATION: LOW_TRUST
    POC:
      type: StakeholderRole
      children:
        DEPLOYER:
          type: DeployerAttackVector
          children:
            SUPPLY_CHAIN: FINETUNE_GUARDRAILS
            MODEL_POISONING: RETRAIN_MODEL
            INFRASTRUCTURE_COMPROMISE: ASSESS_RISK
        APPLICATION:
          type: ApplicationAttackVector
          children:
            PROMPT_INJECTION: PROMPT_SANITIZATION
            TOOL_MISUSE: FINETUNE_GUARDRAILS
            PRIVILEGE_ESCALATION: RETRAIN_MODEL
            MEMORY_MANIPULATION: FINETUNE_GUARDRAILS
            ALIGNMENT_BYPASS: PROMPT_SANITIZATION
        USER:
          type: UserAttackVector
          children:
            DATA_EXTRACTION: FINETUNE_GUARDRAILS
            PROMPT_MANIPULATION: HIGH_RISK
            OUTPUT_MANIPULATION: HIGH_RISK
    ACTIVE:
      type: StakeholderRole
      children:
        DEPLOYER:
          type: DeployerAttackVector
          children:
            SUPPLY_CHAIN: IMMEDIATE_ACTION
            MODEL_POISONING: IMMEDIATE_ACTION
            INFRASTRUCTURE_COMPROMISE: RETRAIN_MODEL
        APPLICATION:
          type: ApplicationAttackVector
          children:
            PROMPT_INJECTION: FINETUNE_GUARDRAILS
            TOOL_MISUSE: RETRAIN_MODEL
            PRIVILEGE_ESCALATION: IMMEDIATE_ACTION
            MEMORY_MANIPULATION: RETRAIN_MODEL
            ALIGNMENT_BYPASS: FINETUNE_GUARDRAILS
        USER:
          type: UserAttackVector
          children:
            DATA_EXTRACTION: IMMEDIATE_ACTION
            PROMPT_MANIPULATION: IMMEDIATE_ACTION
            OUTPUT_MANIPULATION: IMMEDIATE_ACTION

defaultAction: MONITOR

# Vector string metadata
vectorMetadata:
  prefix: AI_LLM
  version: v2
  parameterMappings:
    exploitation:
      abbrev: E
      enumType: ExploitationStatus
      valueMappings:
        NONE: N
        POC: P
        ACTIVE: A
    stakeholder_role:
      abbrev: SR
      enumType: StakeholderRole
      valueMappings:
        DEPLOYER: D
        APPLICATION: A
        USER: U
    deployer_attack_vector:
      abbrev: DAV
      enumType: DeployerAttackVector
      valueMappings:
        SUPPLY_CHAIN: SC
        MODEL_POISONING: MP
        INFRASTRUCTURE_COMPROMISE: IC
    application_attack_vector:
      abbrev: AAV
      enumType: ApplicationAttackVector
      valueMappings:
        PROMPT_INJECTION: PI
        TOOL_MISUSE: TM
        PRIVILEGE_ESCALATION: PE
        MEMORY_MANIPULATION: MM
        ALIGNMENT_BYPASS: AB
    user_attack_vector:
      abbrev: UAV
      enumType: UserAttackVector
      valueMappings:
        DATA_EXTRACTION: DE
        PROMPT_MANIPULATION: PM
        OUTPUT_MANIPULATION: OM
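Evaluating a policy of this shape, as an added TypeScript example that is not the ssvc package's own code: the tree is walked one enum at a time, the leaf action is mapped through priorityMap, and a missing or unmapped answer falls back to defaultAction instead of failing. The embedded policy is a constructed excerpt of the tree above (ACTIVE branch only), and the names `Policy`, `TreeNode` and `decide` are assumed here.

```typescript
// Added example, not the ssvc package's own code: walk a decisionTree of the
// shape shown above, map the leaf action through priorityMap, and fall back
// to defaultAction when an input is missing or not present in the tree.
type TreeNode = string | { type: string; children: Record<string, TreeNode> };
interface Policy { decisionTree: TreeNode; defaultAction: string; priorityMap: Record<string, string> }

// Constructed excerpt of the page's policy: only the ACTIVE -> DEPLOYER and
// ACTIVE -> APPLICATION branches are included, so other paths hit the default.
const policy: Policy = {
  defaultAction: "MONITOR",
  priorityMap: { MONITOR: "LOW", FINETUNE_GUARDRAILS: "MEDIUM",
                 RETRAIN_MODEL: "HIGH", IMMEDIATE_ACTION: "IMMEDIATE" },
  decisionTree: {
    type: "ExploitationStatus",
    children: {
      ACTIVE: {
        type: "StakeholderRole",
        children: {
          DEPLOYER: { type: "DeployerAttackVector", children: {
            SUPPLY_CHAIN: "IMMEDIATE_ACTION", MODEL_POISONING: "IMMEDIATE_ACTION",
            INFRASTRUCTURE_COMPROMISE: "RETRAIN_MODEL" } },
          APPLICATION: { type: "ApplicationAttackVector", children: {
            PROMPT_INJECTION: "FINETUNE_GUARDRAILS", TOOL_MISUSE: "RETRAIN_MODEL",
            PRIVILEGE_ESCALATION: "IMMEDIATE_ACTION", MEMORY_MANIPULATION: "RETRAIN_MODEL",
            ALIGNMENT_BYPASS: "FINETUNE_GUARDRAILS" } },
        },
      },
    },
  },
};

// `inputs` maps each node's `type` (the enum name) to the value chosen for it;
// `path` records the questions actually answered on the way to the leaf.
function decide(p: Policy, inputs: Record<string, string>):
    { action: string; priority: string; path: string[] } {
  const path: string[] = [];
  let node: TreeNode = p.decisionTree;
  while (typeof node !== "string") {
    const value = inputs[node.type];
    const next = value === undefined ? undefined : node.children[value];
    if (next === undefined) {
      // Unanswered or unmapped question: apply the policy default, not an error.
      return { action: p.defaultAction, priority: p.priorityMap[p.defaultAction] ?? "UNKNOWN", path };
    }
    path.push(`${node.type}=${value}`);
    node = next;
  }
  return { action: node, priority: p.priorityMap[node] ?? "UNKNOWN", path };
}
```

The returned `path` is what to log with the decision, since it shows which questions were answered before the fallback kicked in.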