How to integrate SSVC into CVE ADP?

[ahouseholder]

Starting a discussion to continue discussion between @j--- and @sei-vsarvepalli and others.

General gist:

• We want SSVC information to be conveyable as CVE ADP data
• The primary expected data to include are Decision point values
  • May depend on how decision points are versioned (see other discussion TBD)?
• Trees and decisions (defer, immediate, etc.) are likely out of scope for CVE ADP data

[ahouseholder]

Discussion #289 may have some bearing on this topic too.

[zmanion]

Confirming and adding some detail:

• Exploitation, Automatable, Technical Impact
• Extracted from an internal SSVC application
• No trees or decisions, at least at this point
• In documentation, remind SSVC consumers to assess their own stakeholder-specific decision points

It would be nice to have one official SSVC JSON schema even if the CISA SSVC ADP pilot only uses a subset or slight adaptation as needed to fit into CVE ADP JSON.

[zmanion]

Work in progress on the ADP JSON cc @jwoytek

"metrics": [
    {
        "other": {
            "type": "ssvc",
            "content": {
                "id": string (vul id, in this case CVE ID),
                "options": [
                    {
                        "Exploitation": string
                    },
                    {
                        "Automatable": string
                    },
                    {
                        "Technical Impact": string
                    }
                ],
                "role": string,
                "timestamp": string(ISO8601 format date score created),
                "version": string (major.minor.patch),
                "computed": string(optional),
                "decision_tree": object (full decision tree, optional),
                "decision_tree_url": string (URL to decision tree, optional),
                "generator": string(optional),
            }
        }
    }

[jwoytek]

The above is an informal take after iterating on it for a few rounds, adapted from the published SSVC JSON schema. I can formalize this if that would make it easier to iterate and discuss.

[j---]

We should sync this with / try to resolve #289 (comment) before committing too hard to a schema.

[ahouseholder]

This topic has evolved toward

• The JSON for SSVC "options" splits out keys into individual records #576
• and its follow-on We need a schema for an array of decision point downselects #595