
cravex2-reachability: Collect available SSVC in VulnerableCode

Open pombredanne opened this issue 5 months ago • 2 comments

Code to collect and store SSVC decision trees in VulnerableCode.

We have some elements of the scoring system already in place, in particular for vulnrichment; the goal is to systematically store the data as trees to support context-aware decisions down the road in DejaCode.

We need further design.

References:

  • https://github.com/CERTCC/SSVC
  • https://github.com/theparanoids/PrioritizedRiskRemediation
  • https://github.com/aboutcode-org/www.aboutcode.org/issues/21
  • https://github.com/aboutcode-org/dejacode/issues/366
  • https://github.com/aboutcode-org/vulnerablecode/issues/1457
  • https://github.com/aboutcode-org/vulnerablecode/issues/1719
  • https://github.com/aboutcode-org/vulnerablecode/blob/abf81d5b66e78c4a43466fc27eee41a02aae0ff2/vulnerabilities/importers/vulnrichment.py#L191
  • https://github.com/aboutcode-org/vulnerablecode/blob/abf81d5b66e78c4a43466fc27eee41a02aae0ff2/vulnerabilities/severity_systems.py#L203

pombredanne avatar Jul 23 '25 13:07 pombredanne

class SSVC: vector options advisory decision

In dejacode, we get a package, and it's vulnerable to a known advisory ID.

We can send the SSVC's options and decision to the user, and give the reference to the SSVC calc to show how we came up with the decision.

TG1999 avatar Aug 08 '25 11:08 TG1999

Problem:

How shall we store and relate SSVC scores and trees to advisories

Explanation:

We have a vulnrichment importer that today imports SSVC as scores in severity and does not store the decision and tree with it; it only stores the vector.

What we thought initially was to store SSVC in a separate table and relate it to advisories that share the alias/advisory ID, but the issue is that those SSVCs do not come from the advisories with which we are trying to relate them, so it would be wrong to show those SSVCs. So what shall we do?

Probable Solutions:

  • Store SSVC in the separate table with the original CVE that's coming from the importer, and do not relate it to any advisory

  • In the UI, show a tooltip stating that the SSVC does not come from the advisory source; it comes from this URL and is just a computed relation. In the API, document that and also show the original SSVC source data URL

TG1999 avatar Dec 09 '25 10:12 TG1999
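As an added illustration of the storage design discussed above (separate table keyed on the importer's original CVE id, alias-based lookup flagged as a computed relation with its own source URL), here is example code that is not part of VulnerableCode or this PR. The JSON shape follows a CISA vulnrichment SSVC entry but the values, the source URL and the compact vector notation are constructed assumptions for this example.

```python
import json
from dataclasses import dataclass

# Constructed sample shaped like a vulnrichment SSVC entry (placeholder values, not real data).
SAMPLE_SSVC_JSON = json.dumps({
    "id": "CVE-0000-00000",
    "role": "CISA Coordinator",
    "version": "2.0.3",
    "timestamp": "2025-01-01T00:00:00.000000Z",
    "options": [
        {"Exploitation": "poc"},
        {"Automatable": "no"},
        {"Technical Impact": "total"},
    ],
})
SAMPLE_SOURCE_URL = "https://example.invalid/vulnrichment/CVE-0000-00000.json"  # placeholder


@dataclass(frozen=True)
class SSVCRecord:
    """One row of the proposed separate SSVC table: keyed on the original CVE id
    from the importer and carrying its own source URL, with no advisory foreign key."""
    cve_id: str
    source_url: str
    role: str
    version: str
    timestamp: str
    options: dict  # decision point name -> chosen value, e.g. {"Exploitation": "poc"}

    def vector(self) -> str:
        # Compact vector string built from the first letter of each option name and
        # value (assumed notation for this example, not the importer's own format).
        parts = "/".join(f"{k[0]}:{v[0].upper()}" for k, v in self.options.items())
        return f"SSVCv{self.version.split('.')[0]}/{parts}/{self.timestamp}/"


def parse_vulnrichment_ssvc(raw_json: str, source_url: str) -> SSVCRecord:
    """Flatten the list of single-key option dicts into one mapping and keep the source URL."""
    data = json.loads(raw_json)
    options = {}
    for item in data["options"]:
        options.update(item)
    return SSVCRecord(cve_id=data["id"], source_url=source_url, role=data["role"],
                      version=data["version"], timestamp=data["timestamp"], options=options)


def ssvc_for_advisory(advisory_aliases, records):
    """Alias-only lookup: every hit is marked as a computed relation and carries the
    original source URL, so the UI tooltip and the API can say where the SSVC came from."""
    aliases = {a.upper() for a in advisory_aliases}
    return [{"ssvc": r, "computed_relation": True, "source_url": r.source_url}
            for r in records if r.cve_id.upper() in aliases]
```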

This is done now

Reference:

  • https://github.com/aboutcode-org/vulnerablecode/pull/2050

TG1999 avatar Dec 15 '25 17:12 TG1999