vulntology
vulntology copied to clipboard
usnistgov
Add capability to communicate chronology for CWE and Actions
User Story:
When using the Vulntology to describe a vulnerability I may desire the ability to communicate the order that certain things occur within a scenario. Specifically this is applicable to communicating CWEs and Actions. If there were properties that allowed me to establish a chain of events within these properties I could better represent a given scenario.
Goals:
Add properties to
Exploited Weakness (https://github.com/usnistgov/vulntology/blob/master/specification/values/exploited-weakness.md) Actions (https://github.com/usnistgov/vulntology/blob/master/specification/objects/action.md) Barriers (https://github.com/usnistgov/vulntology/blob/master/specification/objects/barrier.md) Known Chains (https://github.com/usnistgov/vulntology/blob/master/specification/objects/vulnerability.md) That communicates a sequence of events (precedes/follows) between sister objects.
Dependencies:
both of these reference the same concept so a unified approach would be mandatory
Acceptance Criteria
- [ ] All readme documentation affected by the changes in this issue have been updated.
- [ ] A Pull Request (PR) is submitted that addresses the goals of this User Story. This issue is referenced in the PR. If the PR only partially addresses a given User Story, the specific goals addressed are identified in the PR.
- [ ] Properties are optional once more than one of the parent object exist (multiple CWEs and/or multiple Actions) within a single scenario
- [ ] Add example use of this to the JSON and Human Readable examples
We need to consider how to support sequencing for weaknesses, actions, barriers, etc. It would be ideal to come up with a common pattern that could be used in all cases. This will take some more significant design work than this issue indicates, but would greatly enhance the expressiveness of the vulntology.
@Chris-Turner-NIST We should set aside some time to design a way forward.
Vulntology Sequencing Requirements
Scope
Support sequencing capability for:
- Barriers
- Weaknesses
- Actions
- Known Chains (possibly different case since we only want direct hops)
Requirements
- Need to express options (e.g., A or B)
- Need to express sequencing (ordering/preconditions) (e.g., A then B)
- Need to express transitions (cause-effect/outcomes) (e.g., A leads to B)
Note: An array can provide for sequencing, but does not convey conditions or outcomes.
Example
> expresses allowed transition (i.e., A > B is A allows B)
= expresses a requirement (i.e., A = B is B requires A)
() indicates a combination of pre-conditions (i.e., (A B) is A then B)
-
CWE-A > CWE-B => CWE-C -
CWE-B => CWE-C -
(CWE-A > CWE-B) => CWE-D > CWE-E
can be expressed as:
YAMLish logical structure:
A:
allows: B
[other data]
B:
[other data]
allows: C (optional)
allows: D (optional)
C:
requires: B (implies B allows C)
[other data]
D:
precondition-1:
requires: A (implies A must come before B?)
requires: B (implies B allows D)
[other data]
JSONish logical structure
{
"A": {
"allows": [ "B" ]
},
"B": {
"allows": [ "C", "D" ]
}
"C": {
"requires": [ "B" ]
}
"D": {
"pre-condition": {
"requires": [ "A", "B" ]
},
"allows": [ "E" ]
}
}
A rough example of how this might look in practice.
{
"actions": [ {
"id": "action1",
"allows": "action2"
},
{
"id": "action2",
"requires": "action1"
}
]
}