From 868b769f169b9ff6f29f7755e775e5a9a70f0cd6 Mon Sep 17 00:00:00 2001
From: ccoffin
Date: Wed, 2 Oct 2024 11:19:50 -0500
Subject: [PATCH] adding SSVC v1.0.1 production schema to the CVE Record metrics block.
---
 schema/CVE_Record_Format.json | 4 ++
 schema/imports/ssvc/ssvc-v1.0.1.json | 101 +++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 schema/imports/ssvc/ssvc-v1.0.1.json
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index f74450c32c..2501321685 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -859,6 +859,9 @@
 {
 "required": ["cvssV2_0"]
 },
+ {
+ "required": ["ssvcV1_0_1"]
+ },
 {
 "required": ["other"]
 }
@@ -898,6 +901,7 @@
 "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
 "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
 "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
+ "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
 "other": {
 "type": "object",
 "description": "A non-standard impact description, may be prose or JSON block.",
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
new file mode 100644
index 0000000000..b15800d872
--- /dev/null
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
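Review bot: Nothing in the `ssvcV1_0_1` property added at `@@ -898,6 +901,7 @@` of schema/CVE_Record_Format.json ties the SSVC object's required `id` to the record that carries it. The imported schema accepts any string there (its examples include VU# and GHSA identifiers), so a record for one CVE can validate while holding an evaluation labelled with a different vulnerability. JSON Schema cannot express that cross-field rule, so it needs a check in whatever service accepts records, and consumers that feed SSVC decisions into prioritisation should compare the two identifiers before trusting the entry. At minimum, document the expectation next to the property, for example with a description such as `"The SSVC id is expected to match the CVE ID of the containing record."`. The `required` entry added at `@@ -859,6 +859,9 @@` sits in a list whose keyword is outside the hunk; if it is an any-of, an SSVC-only metrics entry now validates, which consumers assuming a CVSS block should be prepared for.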
@@ -0,0 +1,101 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
+ "definitions": {
+ "id": {
+ "type": "string",
+ "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+ "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+ },
+ "role": {
+ "type": "string",
+ "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+ "examples": ["Supplier","Deployer","Coordinator"]
+ },
+ "timestamp" : {
+ "description": "Date and time in ISO format ISO 8601 format",
+ "type": "string",
+ "format": "date-time"
+ },
+ "schemaVersion": {
+ "description": "Schema version used to represent this evaluation",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "SsvcdecisionpointselectionSchema": {
+ "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+ "properties": {
+ "name": {
+ "description": "Name of the Decision Point that were evaluated",
+ "title": "name",
+ "type": "string",
+ "examples": ["Automatable", "Exploitation"]
+ },
+ "namespace": {
+ "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+ "title": "namespace",
+ "type": "string",
+ "examples": ["ssvc","cvvsv4"]
+ },
+ "values": {
+ "description": "Evaluated values of the Decision Point",
+ "title": "values",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "description": "Each value that were down-selected for a Decision Point",
+ "title": "values",
+ "type": "string"
+ }
+ },
+ "version": {
+ "description": "Version of the Decision Points that were evaluated",
+ "title": "version",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "required": [
+ "name",
+ "namespace",
+ "values",
+ "version"
+ ],
+ "additionalProperties": false
+ },
+ "SsvcdecisionpointgroupselectionSchema": {
+ "properties": {
+ "id": {
+ "$ref": "#/definitions/id"
+ },
+ "role": {
+ "$ref": "#/definitions/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/timestamp"
+ },
+ "selections": {
+ "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+}
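Review bot: Every string this schema accepts is unbounded: `id`, `role`, `name`, `namespace`, `version` and the `values` items declare only `"type": "string"`, and the `selections` and `values` arrays set `minItems` but no `maxItems`, so a single metrics entry can carry arbitrarily large content to every consumer of the record. `role` and `namespace` list their expected values only under `examples`, which is an annotation and rejects nothing, and `"format": "date-time"` on `timestamp` is enforced only when the validator is configured to assert formats. Because the `$id` points at certcc.github.io this looks like a copy of the upstream schema, so rather than editing it the limits could be layered where it is referenced, for example an `allOf` around the `$ref` that adds `"maxItems": <limit>` on `selections` and `"maxLength": <limit>` on the strings (limits to be chosen by the project). Separately, the root-level `$ref` sits beside `definitions` and `$id`; under draft-07, keywords next to `$ref` are ignored, so it is worth confirming that the project's validators still resolve `#/definitions/...` in this file.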