UNPKG

ssvc

Version:

TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS

github.com/trivialsec/typescript-ssvc

trivialsec/typescript-ssvc

150 lines (124 loc) 4.33 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
/** * SSVC Runtime Plugin Wrapper * * This module provides plugin wrappers that integrate runtime YAML evaluation * with the existing SSVC plugin architecture. */ import { SSVCDecision, SSVCOutcome, SSVCPlugin } from '../core'; import { RuntimeDecisionTreeEvaluator, RuntimeMethodology, RuntimeMethodologyValidator } from './core'; export class RuntimeSSVCPlugin extends SSVCPlugin { private methodology: RuntimeMethodology; private evaluator: RuntimeDecisionTreeEvaluator; constructor(methodology: RuntimeMethodology) { super(); this.methodology = methodology; this.evaluator = new RuntimeDecisionTreeEvaluator(methodology); } get name(): string { return this.methodology.name; } get description(): string { return this.methodology.description; } get version(): string { return this.methodology.version; } createDecision(options: Record<string, any>): SSVCDecision { return new RuntimeDecision(this.methodology, this.evaluator, options); } fromVector(vectorString: string): SSVCDecision { const parameters = this.evaluator.parseVectorString(vectorString); if (!parameters) { throw new Error(`Vector string parsing not supported for methodology: ${this.methodology.name}`); } return new RuntimeDecision(this.methodology, this.evaluator, parameters); } static fromYAML(yamlContent: string): RuntimeSSVCPlugin { const validator = new RuntimeMethodologyValidator(); const result = validator.validate(yamlContent); if (!result.valid || !result.methodology) { throw new Error(`Invalid YAML methodology: ${result.errors.join(', ')}`); } return new RuntimeSSVCPlugin(result.methodology); } } export class RuntimeDecision implements SSVCDecision { private methodology: RuntimeMethodology; private evaluator: RuntimeDecisionTreeEvaluator; private parameters: Record<string, any>; public outcome?: SSVCOutcome; constructor( methodology: RuntimeMethodology, evaluator: RuntimeDecisionTreeEvaluator, parameters: Record<string, any> ) { this.methodology = methodology; this.evaluator = evaluator; this.parameters = parameters; } evaluate(): SSVCOutcome { const runtimeOutcome = this.evaluator.evaluate(this.parameters); this.outcome = { action: runtimeOutcome.action, priority: runtimeOutcome.priority }; return this.outcome; } toVector(): string { if (!this.outcome) { this.evaluate(); } const runtimeOutcome = this.evaluator.evaluate(this.parameters); const vectorString = this.evaluator.generateVectorString(this.parameters, runtimeOutcome); if (!vectorString) { throw new Error(`Vector string generation not supported for methodology: ${this.methodology.name}`); } return vectorString; } // Additional runtime-specific methods getMethodology(): RuntimeMethodology { return this.methodology; } getParameters(): Record<string, any> { return { ...this.parameters }; } updateParameters(newParameters: Record<string, any>): void { this.parameters = { ...this.parameters, ...newParameters }; this.outcome = undefined; // Clear cached outcome } getAvailableEnums(): Record<string, string[]> { return this.methodology.enums; } getPriorityMap(): Record<string, string> { return this.methodology.priorityMap; } } // Factory function for creating runtime decisions from YAML export function createRuntimeDecisionFromYAML( yamlContent: string, parameters: Record<string, any> = {} ): RuntimeDecision { const plugin = RuntimeSSVCPlugin.fromYAML(yamlContent); return plugin.createDecision(parameters) as RuntimeDecision; } // Utility function for validating YAML without creating a decision export function validateYAMLMethodology(yamlContent: string): { valid: boolean; methodology?: RuntimeMethodology; errors: string[] } { const validator = new RuntimeMethodologyValidator(); return validator.validate(yamlContent); } // Utility function for evaluating YAML directly export function customFromYAMLMethodology( yamlContent: string, parameters: Record<string, any> ): SSVCOutcome { const decision = createRuntimeDecisionFromYAML(yamlContent, parameters); return decision.evaluate(); }