Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/issue 576 #588

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Feature/issue 576 #588

wants to merge 9 commits into from

Conversation

sei-vsarvepalli
Copy link
Contributor

This is a major change in Schemas to resolve #576 and try to create new schemas that can be processed by third parties efficiently. This requires some changes to vulnrichment project with ADP exports. Our schema has been updated, but there are external dependencies.

cisagov/vulnrichment#40

There is a new option in the schema called outcome which is optional and can be used represent the comprehensive outcomes of the current Decision Tree. This can provide outcomes of the full decision tree, just like the outcomes from a decision point, so the next consumer can use this values to restrict outputs from the decision tree.

The JavaScript code also has been updated. This requires a bit of thorough review as there may be other dependencies that are impacted by this schema comprehesnive update. Currently there is a version number in the Computed Schema, but that should be managed before parsers are written to read Computed schema when used alongside of ADP or other data providers.

@j--- may need to help coordinate with CISA developers to ensure the new schema is adopted by CISA developers.

@sei-vsarvepalli sei-vsarvepalli mentioned this pull request Jun 25, 2024
Open
ahouseholder
ahouseholder reviewed Jun 26, 2024
View reviewed changes
data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json
],
"$schema": "https://democert.org/ssvc/SSVC_Computed_v2.02.schema.json",
"decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json",
"decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are removing the CISA-Coordinator.json, should we redo this example to use a schema we are including?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I remember, the file removed was actually a dead symlink.

data/schema_examples/Computed-CVE-2014-0751-Coordinator.json
"Public Well-being Impact": ["Material"],
"Mission & Well-being": ["medium"]
},
"outcomes": ["Act"],
"decision_tree_url": "https://democert.org/ssvc/CISA-Coordinator-v2.0.3.json"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment about removing CISA tree

data/schema/SSVC_Computed.schema.json Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General comment on the Computed Schema: is there a way for us to have the computed schema directly draw on the Decision_Point.schema.json or possibly the Decision_Point_Group.schema.json? I'll elaborate my thinking in a comment on the PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeh - Computed Schema should tie to a Decision Point Group Schema, so the plan was to hav ea pedigree like version tracking

Decision Points (multiple) => Decision Point Group (Set selected and a combined versioned) => Provisioned Schema (DP's ordered and versioned) => Computed Schema (tied to Provision version )

This may need a short discussion, I can see it is not clear in the Schema docs, it should be more explicit that DP_Group is tied to a Provisioned schema with a specific version.

@ahouseholder
Copy link
Contributor

ahouseholder commented Jun 26, 2024
edited
Loading

Following up on this comment and expanding on this comment from #576:

It seems like we need the list of chosen items to include more specificity about what decision point they're drawn from. I was thinking something like:

{
  "decision_points": [
    {
      "namespace": "ssvc",
      "name": "Exploitation",
      "version": "1.0.0",
      "key": "E",
      "values": [ "None" ]
    },
    {
      "namespace": "ssvc",
      "name": "Automatable",
      "version": "2.0.0",
      "key": "A",
      "values": [ "Yes" ]
    }
  ]
}

Which shares the namespace, name, version, key, and values properties from the DP schema but only includes the name(s) of the chosen values. Note that description is present in the DP schema but omitted in the example, as I don't think it's necessary in this case, we're not defining the decision point with this record we're just downselecting from the available options. Since each decision point has a namespace, a name, and a version, it seems important to fully identify them though.

In the current Computed example we have

{
"Exploitation": "active"
},
{
  "Automatable": "no"
}

which is now underspecified since there can be different versions of Exploitation and Automatable.

@sei-vsarvepalli
Copy link
Contributor Author

Following up on this comment and expanding on this comment from #576:

It seems like we need the list of chosen items to include more specificity about what decision point they're drawn from. I was thinking something like:

{
  "decision_points": [
    {
      "namespace": "ssvc",
      "name": "Exploitation",
      "version": "1.0.0",
      "key": "E",
      "values": [ "None" ]
    },
    {
      "namespace": "ssvc",
      "name": "Automatable",
      "version": "2.0.0",
      "key": "A",
      "values": [ "Yes" ]
    }
  ]
}

Which shares the namespace, name, version, key, and values properties from the DP schema but only includes the name(s) of the chosen values. Note that description is present in the DP schema but omitted in the example, as I don't think it's necessary in this case, we're not defining the decision point with this record we're just downselecting from the available options. Since each decision point has a namespace, a name, and a version, it seems important to fully identify them though.

In the current Computed example we have

{
"Exploitation": "active"
},
{
  "Automatable": "no"
}

which is now underspecified since there can be different versions of Exploitation and Automatable.

Optionally the full Decision Tree ordered with outcomes (compliant to Provisioned schema) can be embedded to show all the information. In the compressed form, the chained version pedigree will be the way to be clear about what DP's are being used.

@sei-vsarvepalli
Copy link
Contributor Author

Some more issues to be concerned about

@sei-vsarvepalli
Copy link
Contributor Author

The example
https://github.com/CERTCC/SSVC/blob/7d5aadf71fec2f388f483d50856ab5384a665c8f/data/schema_examples/Decision_Point_Group_Selection.json
does not have an identifier such as a CVE or VU# or GHSA etc. This needs to be discussed further too..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahouseholder ahouseholder ahouseholder left review comments

@j--- j--- Awaiting requested review from j---

@cgyarbrough cgyarbrough Awaiting requested review from cgyarbrough cgyarbrough is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The JSON for SSVC "options" splits out keys into individual records
2 participants
@sei-vsarvepalli @ahouseholder