-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add CVSS Qualitative Severity Rating Scale decision point #712
Merged
ahouseholder
merged 4 commits into
main
from
711-consider-a-cvss-category-decision-point
Feb 21, 2025
Merged
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
12 changes: 12 additions & 0 deletions
12
docs/reference/decision_points/cvss/qualitative_severity.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # CVSS Qualitative Severity Rating Scale | ||
|
|
||
| ```python exec="true" idprefix="" | ||
| from ssvc.decision_points.cvss.qualitative_severity import LATEST | ||
| from ssvc.doc_helpers import example_block | ||
|
|
||
| print(example_block(LATEST)) | ||
| ``` | ||
|
|
||
| The [CVSS Qualitative Severity Rating Scale](https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale) | ||
| is a set of labels that describe the severity of a vulnerability based on the | ||
| CVSS Score. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| #!/usr/bin/env python | ||
| """ | ||
| Provides a decision point for the [CVSS Qualitative Severity Rating Scale](https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale). | ||
| """ | ||
| # Copyright (c) 2025 Carnegie Mellon University and Contributors. | ||
| # - see Contributors.md for a full list of Contributors | ||
| # - see ContributionInstructions.md for information on how you can Contribute to this project | ||
| # Stakeholder Specific Vulnerability Categorization (SSVC) is | ||
| # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed | ||
| # with this Software or contact permission@sei.cmu.edu for full terms. | ||
| # Created, in part, with funding and support from the United States Government | ||
| # (see Acknowledgments file). This program may include and/or can make use of | ||
| # certain third party source code, object code, documentation and other files | ||
| # (“Third Party Software”). See LICENSE.md for more details. | ||
| # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the | ||
| # U.S. Patent and Trademark Office by Carnegie Mellon University | ||
|
|
||
| from ssvc.decision_points import SsvcDecisionPointValue | ||
| from ssvc.decision_points.cvss.base import CvssDecisionPoint | ||
| from ssvc.decision_points.helpers import print_versions_and_diffs | ||
|
|
||
| QS_NONE = SsvcDecisionPointValue( | ||
| name="None", | ||
| key="N", | ||
| description="No severity rating (0.0)", | ||
| ) | ||
|
|
||
| LOW = SsvcDecisionPointValue( | ||
| name="Low", | ||
| key="L", | ||
| description="Low (0.1 - 3.9)", | ||
| ) | ||
| MEDIUM = SsvcDecisionPointValue( | ||
| name="Medium", | ||
| key="M", | ||
| description="Medium (4.0 - 6.9)", | ||
| ) | ||
| HIGH = SsvcDecisionPointValue( | ||
| name="High", | ||
| key="H", | ||
| description="High (7.0 - 8.9)", | ||
| ) | ||
| CRITICAL = SsvcDecisionPointValue( | ||
| name="Critical", | ||
| key="C", | ||
| description="Critical (9.0 - 10.0)", | ||
| ) | ||
|
|
||
| QUALITATIVE_SEVERITY = CvssDecisionPoint( | ||
| name="CVSS Qualitative Severity Rating Scale", | ||
| key="QS", | ||
| description="The CVSS Qualitative Severity Rating Scale provides " | ||
| "a categorical representation of a CVSS Score.", | ||
| version="1.0.0", | ||
| values=( | ||
| QS_NONE, | ||
| LOW, | ||
| MEDIUM, | ||
| HIGH, | ||
| CRITICAL, | ||
| ), | ||
| ) | ||
|
|
||
| VERSIONS = (QUALITATIVE_SEVERITY,) | ||
| LATEST = VERSIONS[-1] | ||
|
|
||
|
|
||
| def main(): | ||
| print_versions_and_diffs(VERSIONS) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| main() | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a lingering CVSS versioning question on my mind. May be it should be an issue. The CVSS V4 is sometime represented with
namespaceversioncombo ofcvssand3.0.1like in ATTACK_VECTOR_3_0_1 (in src/ssvc/decision_points/cvss/attack_vector.py file) forCVSS v4 Attack Vector- can we track mapping this way? This seems to be the case in this PR as well where CVSSv4 Quality metric shows us as version1.0.0with names spacecvssThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The decision point versions are the decision point versions. They have no connection to CVSS versions.
The qualitative severity scale was added in CVSS v3.0 and has not changed (search each of these for "qualitative severity" to confirm), so by our decision point versioning rules, this one is
1.0.0.