Entity Role requires addition for System of Interest concept #153

Open
4 tasks
Chris-Turner-NIST opened this issue Oct 22, 2023 · 0 comments
Labels
enhancement New feature or request Value List Adjustment Issue is related to adding to or modifying valid values in the data model

Chris-Turner-NIST commented Oct 22, 2023

Reasoning:
Currently, Entity Role's purpose is for defining relevant security boundaries across existing assessment systems. This change will enable tracking of these boundaries using the concept of System of Interest. (Used by CVSS v4.0 and SSVC 2.0)

CVSS v4.0 will release towards the end of 2023 (slated for 10/31/23 at the moment).
SSVC v2.0 has been released since 2020.

Areas to enhance:

ADD
System of Interest: See CVSS v4.0 Section ?? for a full explanation of System of Interest

  • Vulnerable: Associated Context is considered to contain the vulnerability.

  • Subsequent: Associated Context is where impacts of the vulnerability are realized. The Subsequent System may or may not be the Vulnerable System.

  • JSON Schema

    "EntityRole": {
        "type": "string",
        "enum": [
            "Security Authority::Primary",
            "Security Authority::Secondary",
            "Component::Vulnerable",
            "Component::Impacted"
        ]
    },

ADD

                "System of Interest::Vulnerable",
                "System of Interest::Subsequent",

Chris-Turner-NIST added the "Value List Adjustment" label Oct 22, 2023
Chris-Turner-NIST changed the title from "Entity Role requires addition for CVSS v4.0 concepts" to "Entity Role requires addition for System of Interest concept" Oct 22, 2023
Chris-Turner-NIST added the "enhancement" label Oct 23, 2023
Chris-Turner-NIST self-assigned this Jan 11, 2024