The JSON for "other" (SSVC) "options" is not succinct json #40
Comments
|
@jayjacobs and @todb-cisa the schema used inside the SSVC metrics object follows the SSVC JSON schema (example). We don't define that, but wanted to use existing standards where applicable. |
|
I opened a related issue in SSVC, fixing this would make it much easier to parse into structured data. Plus, If I'm reading the SSVC schema correctly, the Therefore, this |
|
Near as I can tell, this is blocked by CERTCC/SSVC#576 |
todb-cisa
added
the
blocked
|
Still blocked by CERTCC/SSVC#576 |
|
I have thoughts. BRB. |
|
AFAICT, the JSON fragment used in vulnrichment for SSVC decision point values doesn't validate against any current schema in SSVC. It's a fragment of a valid JSON object, but there's no standalone schema to verify it. We've created CERTCC/SSVC#595 to create a schema to represent a downselect from a list of decision points. That issue includes some requirements for SSVC that aren't represented in any of our existing schemas as well (decision point namespacing and versioning was added after the SSVC computed schema, for example). So there is a bit of engineering we're working through to sort this out. We'd be happy to have further discussion on that in CERTCC/SSVC#595 or any subsequent PRs. A number of other issues have spawned out of CERTCC/SSVC#576, so I think CERTCC/SSVC#595 is more focused specifically on how to represent a list of selected values. |
|
We've merged CERTCC/SSVC#599 which resolves CERTCC/SSVC#595. We're interested to have CISA's feedback on any subsequent implementation concerns. |
|
A follow-up after eve-schema working group discussions. Please see CVEProject/cve-schema#350 where we are hoping to have the latest SSVC schema using sechemaVersion based schema that will be validated for CVE record. CISA can use the legacy SSVC metric with "other" till your tooling is upgraded too. |
|
Also see https://github.com/CVEProject/cve-schema/blob/1c08e97929e22b1983557fe6ea5a9573831d49db/schema/docs/full-record-advanced-example.json for example CVE Record that will have a SSVC official schema embedded. |
|
The metrics block should look like below for metrics of CVE-2007-3484 - we are hoping to have this validated by the CVE Program as well as CSAF to provide one forward looking schema for SSVC Metrics. All using the latest Decision Points definitions as in https://certcc.github.io/SSVC/reference/decision_points/ |
This is purely a suggestion, but the way data is stored in the "containers.adp.metrics.other.content.options" is suboptimal. All of the records at the time I created this issue are encoded this way, but I will use CVE-2007-3484 as an example.
The current encoding looks like this:
Right now there is only one value in the "options" array across the 6500 or so CVEs so that could just be a json object instead of array, but maybe you want future expansion. However, the separation of the three key-values into their own object is unnecessary and could be simplified to look like this:
The current method causes some headache when flattening the JSON since it treats each of those objects as unique array entries and the missing keys as unset values:
But like I mentioned, you only ever have one array entry currently, so the whole thing could just be a single object (but your schema would have to be updated, since it allows for .* as a string or an array):
And if you don't need the array in options, you could copy the way CVSS data is encoded and just drop the whole "options" section and just have keys for the three SSVC values:
which would make the SSVC content simple and not nested JSON.
The text was updated successfully, but these errors were encountered: