
Enterprise adoption SSVC tool

Open sei-renae opened this issue 1 year ago • 6 comments

As an enterprise security engineer with
• automated scanning tools (such as JFrog Xray) that detect known CVEs in my software
I want to
• have a tool to program an SSVC decision tree
So that
• I can convince my superiors that we should use SSVC.

This tool should read in a CSV or JSON of CVSS metrics and process them based on the SSVC decision tree that my team configures. The tool can exist as a script or a microservice. The output should be a CSV of CVEs labeled and categorized by defer, scheduled, ooc, immediate.

sei-renae avatar Dec 02 '24 14:12 sei-renae
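A minimal form of the tool this issue asks for, added here as an example and not code from the SSVC project: a decision-table evaluator whose policy is a team-edited CSV, producing a CSV of CVEs labeled and sorted by outcome. The decision-point names and values, the policy rows and the CVE rows are all constructed for illustration, and the mapping from raw CVSS metrics to SSVC decision-point values is assumed to have happened before the input reaches this script.

```python
import csv
import io

OUTCOMES = ["immediate", "out-of-cycle", "scheduled", "defer"]  # priority order
# Decision points and allowed values assumed here; edit to match the team's own tree.
VALUES = {"exploitation": {"none", "poc", "active"}, "automatable": {"no", "yes"},
          "exposure": {"small", "controlled", "open"},
          "human_impact": {"low", "medium", "high", "very_high"}}
# Constructed policy (not the published SSVC tree): "*" is a wildcard, first match wins.
POLICY_CSV = """exploitation,automatable,exposure,human_impact,outcome
active,yes,*,*,immediate
active,*,*,*,out-of-cycle
poc,yes,open,*,out-of-cycle
poc,*,*,very_high,out-of-cycle
poc,*,*,*,scheduled
none,*,*,*,defer
"""
# Constructed scanner export; cvss_score is carried along but is not what decides.
SAMPLE_CVES = """cve,cvss_score,exploitation,automatable,exposure,human_impact
CVE-0000-0001,9.8,none,no,small,low
CVE-0000-0002,6.5,active,yes,controlled,medium
CVE-0000-0003,8.1,poc,no,open,very_high
"""

def check_row(row, allow_wildcard):
    # Reject unknown or missing values so a typo cannot silently fall through to "defer".
    for point, allowed in VALUES.items():
        if (v := row.get(point)) not in allowed and not (allow_wildcard and v == "*"):
            raise ValueError(f"bad value {v!r} for {point} in {row}")
    return row

def load_policy(text):
    return [check_row(r, allow_wildcard=True) for r in csv.DictReader(io.StringIO(text))]

def decide(rules, cve_row):
    check_row(cve_row, allow_wildcard=False)
    for r in rules:
        if all(r[p] in ("*", cve_row[p]) for p in VALUES):
            return r["outcome"]
    raise ValueError(f"policy is not exhaustive: no rule for {cve_row}")

def triage(policy_text, cve_csv_text):
    rules = load_policy(policy_text)
    labeled = [dict(r, outcome=decide(rules, r)) for r in csv.DictReader(io.StringIO(cve_csv_text))]
    labeled.sort(key=lambda r: OUTCOMES.index(r["outcome"]))  # stable: input order kept within an outcome
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["cve", *VALUES, "outcome"], extrasaction="ignore")
    w.writeheader()  # extra scanner columns such as cvss_score are dropped by extrasaction
    w.writerows(labeled)
    return out.getvalue()
```

Because the policy is data rather than code, a team can swap in its own outcome set and decision points by editing the CSV and the VALUES dict, and a row that fails validation stops the run instead of being quietly deferred.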

Look at the demo work currently in progress and the related discussion https://github.com/CERTCC/SSVC/discussions/649

https://democert.org/ssvc/simple/

An implementation of CVSS v4 exists there in the demo; however, it has only the "lookup" functionality, aligned with the idea of Equivalent Sets. This is mostly work from Jono Spring at CISA that has driven a simpler and more explainable way forward for CVSS (similar to SSVC). It entirely avoids any complicated math and equations to get "numbers" out of these raw lower-level metrics.

https://www.first.org/cvss/v4.0/faq#:~:text=Equivalent%20Sets,of%20vectors%20for%20each%20set.

sei-vsarvepalli avatar Dec 02 '24 19:12 sei-vsarvepalli

Thanks Vijay. I don't think that resolves Renae's use case, though. And the CVSS community is interested in "custom" CVSS scoring as well, which this could also support. So we should think it through and how to support it, I think.

j--- avatar Dec 06 '24 16:12 j---

Yeah, I see a different use case: evaluations being done by mapping CVSS metrics to SSVC. The discussions so far have been about customizing the SSVC tree in the tool itself. However, this may be a distinct tool, not the Policy Explorer idea that creates and explores policy, but one that looks at ways to consume commonly used metrics and gives SSVC-equivalent evaluations. This may be worth a distinct discussion.

Vijay

sei-vsarvepalli avatar Dec 06 '24 17:12 sei-vsarvepalli

> The output should be a csv of CVEs labeled and categorized by defer, scheduled, ooc, immediate.

Should this outcome be generalized to a CSV of CVEs labeled and sorted by the outcome set of choice? Agree with this as the default.

j--- avatar Mar 04 '25 17:03 j---

>> The output should be a csv of CVEs labeled and categorized by defer, scheduled, ooc, immediate.
>
> Should this outcome be generalized to a CSV of CVEs labeled and sorted by the outcome set of choice? Agree with this as the default.

I'm actually working on trying to achieve that kind of outcome. Still very much in development stages but thinking it'd be in the form of a read-only Google sheet that people can eventually download/copy to play around with.

sei-bkoo avatar Mar 04 '25 18:03 sei-bkoo

>> The output should be a csv of CVEs labeled and categorized by defer, scheduled, ooc, immediate.
>
> Should this outcome be generalized to a CSV of CVEs labeled and sorted by the outcome set of choice? Agree with this as the default.

That sounds ok to me.

sei-renae avatar Mar 05 '25 14:03 sei-renae