technical impact quick fix - Technical Impact and CVSS Vector for scope = unchanged #62
base: develop
Technical Impact total The mapping between CVSS v3 and Technical Impact is as follows: CVSS Scope Confidentiality (C) Integrity (I) Availability (A) Technical Impact Unchanged High (H) High (H) any Total Unchanged High (H) Low (L) or None (N) any Partial Unchanged Low (L) or None (N) High (H) any Partial Changed any any any (ambiguous) Fix for all the Technical Impact with CVSS Scope Unchanged
Technical Impact partial The mapping between CVSS v3 and Technical Impact is as follows: CVSS Scope Confidentiality (C) Integrity (I) Availability (A) Technical Impact Unchanged High (H) High (H) any Total Unchanged High (H) Low (L) or None (N) any Partial Unchanged Low (L) or None (N) High (H) any Partial Changed any any any (ambiguous) Fix for all the Technical Impact with CVSS Scope Unchanged
@ralvares Thank you for the report. We are looking into this.
@amanion-cisa this probably needs some discussion internally to determine the right course of action.
We're investigating our SSVC scoring and how it actually relates to these CVSS mappings. Note that in the documentation, this isn't a MUST for the mapping, but it is a MAY. We're currently not automatically ingesting CVSS and making that the only input to SSVC scoring... but maybe we should? It certainly would make analysis easier. Keeping this open for just a bit. Don't worry about the merge conflicts, by the way -- I don't expect we'll be able to land this PR touching 400-plus CVEs since they're all generated on the backend and pushed up. But I'd like to still track this as an issue.
Thanks for the updates; indeed, 400+ changes are not something that I would also merge! I'm a big SSVC advocate, and the feedback I get is that SSVC is not automatable; maybe, as a starting point, use the mapping. Of course, it can change depending on multiple factors, scope, environmental context, and so on; the same applies to automatable! I think the documentation that you provide is really GOOD, since people somehow got stuck with the SSVC v1! I have a goal that is to help the SSVC framework to be more automated as much as possible.

Check this out, just for fun! I built this to showcase how to use SSVC to help with container images and repository scans using trivy. Impact = Human Impact!

log4shell

```
curl -s "https://api.ssvc.me/v1/vuln?vulnIds=CVE-2021-44228&exploits=true&exposure=open&impact=medium" | jq
```

PHP (PHP-CGI)

```
curl -s "https://api.ssvc.me/v1/vuln?vulnIds=CVE-2024-4577&exploits=true&exposure=open&impact=medium" | jq
```

also, the API :) There is no documentation so far, but it is soon to be done!
🗣 Description
Fixing the technical impact based on the https://certcc.github.io/SSVC/topics/information_sources/?h=tech#cvss-and-technical-impact
💭 Motivation and context
Based on SSVC documentation -
Technical Impact is directly related to the CVSS impact metric group. The interpretation is different for CVSS version 3 than version 4.
The mapping between CVSS v3 and Technical Impact is as follows:
| CVSS Scope | Confidentiality (C) | Integrity (I) | Availability (A) | Technical Impact |
| --- | --- | --- | --- | --- |
| Unchanged | High (H) | High (H) | any | Total |
| Unchanged | High (H) | Low (L) or None (N) | any | Partial |
| Unchanged | Low (L) or None (N) | High (H) | any | Partial |
| Changed | any | any | any | (ambiguous) |
I wrote a small code to check the technical impact.
🧪 Python Code
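
The PR author's script is not reproduced on this page. The following is an added example, not the author's or the project's code: it parses a CVSS v3 vector, applies the four table rows above, and flags records whose recorded Technical Impact disagrees. The record IDs and vectors are constructed samples, and the `unmapped` and `invalid` results are assumptions of this example for inputs the table does not cover.

```python
import re

# CVSS v3.0/v3.1 vector: version prefix followed by metric:value pairs.
_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?P<body>.+)$")
# Only Scope and the impact metric group matter for this mapping.
_ALLOWED = {"S": {"U", "C"}, "C": {"H", "L", "N"},
            "I": {"H", "L", "N"}, "A": {"H", "L", "N"}}


def parse_impact_metrics(vector):
    """Return {'S','C','I','A'} values, raising ValueError on a malformed vector."""
    match = _VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError("not a CVSS v3 vector")
    metrics = {}
    for part in match.group("body").split("/"):
        key, sep, value = part.partition(":")
        if not sep or key in metrics:
            raise ValueError("malformed or duplicate metric: %r" % part)
        metrics[key] = value
    for key, allowed in _ALLOWED.items():
        if metrics.get(key) not in allowed:
            raise ValueError("missing or invalid metric %s" % key)
    return {key: metrics[key] for key in _ALLOWED}


def technical_impact(vector):
    """Apply the table: total, partial, ambiguous, or unmapped (no matching row)."""
    m = parse_impact_metrics(vector)
    if m["S"] == "C":
        return "ambiguous"          # Scope Changed: the table gives no answer
    c_high, i_high = m["C"] == "H", m["I"] == "H"
    if c_high and i_high:
        return "total"
    if c_high or i_high:
        return "partial"
    return "unmapped"               # assumption: C and I both L/N has no row above


def audit(records):
    """Return (record_id, recorded, expected) for records that contradict the table.

    Ambiguous and unmapped vectors are skipped because the table cannot
    confirm or refute them; unparsable vectors are reported as 'invalid'.
    """
    findings = []
    for record_id, vector, recorded in records:
        try:
            expected = technical_impact(vector)
        except ValueError:
            findings.append((record_id, recorded, "invalid"))
            continue
        if expected in ("total", "partial") and expected != recorded.lower():
            findings.append((record_id, recorded, expected))
    return findings


# Constructed sample records: (id, CVSS v3 vector, recorded Technical Impact).
SAMPLE_RECORDS = [
    ("EXAMPLE-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "partial"),
    ("EXAMPLE-0002", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "partial"),
    ("EXAMPLE-0003", "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "total"),
    ("EXAMPLE-0004", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "total"),
    ("EXAMPLE-0005", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H", "total"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```
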