add "in KEV" decision point to address #317

src/ssvc/decision_points/critical_software.py

@@ -1,9 +1,20 @@
 #!/usr/bin/env python
 """
-file: eo_critical
-author: adh
-created_at: 9/21/23 2:03 PM
+Provides an SSVC decision point for critical software designation.
 """
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+
 from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
 
 YES = SsvcDecisionPointValue(

src/ssvc/decision_points/in_kev.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+"""
+Provides a decision point representing whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.
+"""
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
+
+YES = SsvcDecisionPointValue(
+    name="Yes",
+    key="Y",
+    description="Vulnerability is listed in KEV.",
+)
+
+NO = SsvcDecisionPointValue(
+    name="No",
+    key="N",
+    description="Vulnerability is not listed in KEV.",
+)
+
+IN_KEV_1 = SsvcDecisionPoint(
+    name="In KEV",
+    description="Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
+    key="KEV",
+    version="1.0.0",
+    values=(
+        NO,
+        YES,
+    ),
+)
+
+
+def main():
+    print(IN_KEV_1.to_json(indent=2))
+
+
+if __name__ == "__main__":
+    main()

src/test/test_schema.py

@@ -1,3 +1,16 @@
+#  Copyright (c) 2023 Carnegie Mellon University and Contributors.
+#  - see Contributors.md for a full list of Contributors
+#  - see ContributionInstructions.md for information on how you can Contribute to this project
+#  Stakeholder Specific Vulnerability Categorization (SSVC) is
+#  licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+#  with this Software or contact [email protected] for full terms.
+#  Created, in part, with funding and support from the United States Government
+#  (see Acknowledgments file). This program may include and/or can make use of
+#  certain third party source code, object code, documentation and other files
+#  (“Third Party Software”). See LICENSE.md for more details.
+#  Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+#  U.S. Patent and Trademark Office by Carnegie Mellon University
+
 import json
 import logging
 import unittest
@@ -8,6 +21,7 @@
 from ssvc.decision_points.base import REGISTERED_DECISION_POINTS
 from ssvc.decision_points.critical_software import CRITICAL_SOFTWARE_1  # noqa
 from ssvc.decision_points.high_value_asset import HIGH_VALUE_ASSET_1  # noqa
+from ssvc.decision_points.in_kev import IN_KEV_1
 # importing these causes the decision points to register themselves
 from ssvc.dp_groups.v1 import SSVCv1  # noqa
 from ssvc.dp_groups.v2 import SSVCv2  # noqa
@@ -36,7 +50,7 @@ def test_confirm_registered_decision_points(self):
         dps = list(REGISTERED_DECISION_POINTS)
         self.assertGreater(len(dps), 0)
 
-        extras = [CRITICAL_SOFTWARE_1, HIGH_VALUE_ASSET_1]
+        extras = [CRITICAL_SOFTWARE_1, HIGH_VALUE_ASSET_1, IN_KEV_1]
         for dpg in [SSVCv1, SSVCv2, SSVCv2_1, extras]:
             for dp in dpg:
                 self.assertIn(dp, REGISTERED_DECISION_POINTS)