-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CERT/CC SSVC metrics for CVE using ADP #144
Comments
I don't think that
will be accepted by CVE Services during an ADP container submission. CVE Services uses Amazon DocumentDB to store JSON documents, and doesn't allow a $ character in that context (even though the schema allows it):
$schema is not accepted by the implementation. See #145 for other information about what happens within the CVE Services code, and what error a client would see. |
Hello @ElectricNroff Thanks for your quick response. Happy to modify he $schema to be reference_schema (as below), avoid any $ references so it poses less trouble. I was using $schema from JSON doc recommendations. not really married to that notation. Let me know if there are any other concerns to address.
|
Just capturing these notes from QWG meeting on 2022/03/10. Currently the CVE Services 2.1 which is about to launch and be ready soon will not support publishing of ADP containers. It is planned somewhere in the fall time for CVE services next revision to accept JSON ADP containers. Once we are able publish, CERT/CC can request an update to the CVE 5.1 JSON schema to include a well-formatted SSVC ADP record as a metric. Vijay |
The QWG will need to address this as a new optional feature in v5.1. Marking this milestone. |
SPWG is prioritizing ADP, this came up at today's meeting in that certain ADPs, if they are approved to provide content that is not already part of the existing CNA container schema, would have to create custom schema. This is the case for an SSVC ADP. It seems that a references ADP may be the first pilot, however we'll need to develop process for custom schema development and inclusion at some point. |
Our ADP container updated setup has been updated as the following. We are also tracking this with discussions under our SSVC - CERTCC/SSVC#229
ADP testing is ready to start and we will be working with CVE AWG on feedback. Thanks |
We have a production schema now as version 1.0.1 using schemaVersion templates. This should be ready for the v5.2.0 integration. Please collect the latest from |
Created pull request #348 to implement SSVC as an imported schema. |
Please see #350 is the new PR that covers all the inclusions and fixes. |
This is a follow-up after discussions in CVE QWG meeting on the topic of being able to publish as an Authorized Data Provider (ADP) into CVE's current JSON schema. CERT/CC Stakeholder Specific Vulnerability Categorization (SSVC) project attempts to provides vulnerability metrics in the form of decision trees for different vulnerability management communities.
More information about SSVC can be found SSVC Overview. In practice, SSVC code, examples and customization information are available in GitHub repository (https://github.com/CERTCC/SSVC.
CERT/CC would like to publish such metrics in adherence to the CVE-5 JSON schema. We have a sample ADP enhanced CVE record that is available at https://democert.org/ssvc/cve-5/CVE-2022-0012-adp.json. This record validates properly for the current CVE-5.0 JSON schema.
The ADP container data from the example is also included here for convenience. Let us know how we can provide such data into CVE to support enrichment of the CVE JSON records.
Thanks
Vijay
Additional stakeholders highlighted:
@zmanion @david-waltermire-nist @chandanbn
The text was updated successfully, but these errors were encountered: