TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization)

Vulnetix/typescript-ssvc

A prioritization framework for triaging CVE vulnerabilities as an alternative or complement to CVSS.

This library provides a comprehensive solution for using the SSVC framework with both the CISA and FIRST methodologies. It includes examples of high, medium, and low severity decision prioritizations for each methodology.

Installation

npm install ssvc

Decision Trees

CISA decision tree (figure)

FIRST decision tree (figure)

Decision Class Usage Guide

The Decision class is used to evaluate cybersecurity decisions based on different methodologies. This guide demonstrates how to use the class with both CISA and FIRST methodologies.

Importing the Necessary Components

First, import the required classes and enums:

import { 
  Decision, 
  Exploitation, 
  Automatable, 
  Utility,
  TechnicalImpact, 
  MissionWellbeingImpact,
  SafetyImpact, 
  Methodology 
} from 'ssvc';

Note: the Decision constructor also accepts the enum values as plain strings; see the cisaStringInputs and firstStringInputs examples below.

CISA Methodology Examples

const cisaHigh = new Decision({
  methodology: Methodology.CISA,
  exploitation: Exploitation.ACTIVE,
  automatable: Automatable.YES,
  technical_impact: TechnicalImpact.TOTAL,
  mission_wellbeing: MissionWellbeingImpact.HIGH
});
console.log(cisaHigh.evaluate());
// Expected output: OutcomeCISA { action: 'Act', priority: 'immediate' }
const cisaStringInputs = new Decision({
  methodology: 'CISA',
  exploitation: 'active',
  automatable: 'yes',
  technical_impact: 'total',
  mission_wellbeing: 'high'
});
console.log(cisaStringInputs.evaluate());
// Expected output: OutcomeCISA { action: 'Act', priority: 'immediate' }
const cisaMedium = new Decision({
  methodology: Methodology.CISA,
  exploitation: Exploitation.POC,
  automatable: Automatable.NO,
  technical_impact: TechnicalImpact.PARTIAL,
  mission_wellbeing: MissionWellbeingImpact.MEDIUM
});
console.log(cisaMedium.evaluate());
// Expected output: OutcomeCISA { action: 'Track*', priority: 'medium' }

FIRST Methodology Examples

const firstHigh = new Decision({
  methodology: Methodology.FIRST,
  exploitation: Exploitation.ACTIVE,
  utility: Utility.SUPER_EFFECTIVE,
  technical_impact: TechnicalImpact.TOTAL,
  safety_impact: SafetyImpact.CATASTROPHIC
});
console.log(firstHigh.evaluate());
// Expected output: OutcomeFIRST { action: 'immediate', priority: 'immediate' }

Example 3: Low Severity Case

const firstStringInputs = new Decision({
  methodology: 'FIRST',
  exploitation: 'poc',
  utility: 'efficient',
  technical_impact: 'partial',
  safety_impact: 'major'
});
console.log(firstStringInputs.evaluate());
// Expected output: OutcomeFIRST { action: 'out-of-band', priority: 'medium' }
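Because the constructor accepts plain strings, rows arriving from outside (a scanner export, a ticket field) should be checked against the decision-point values of the chosen methodology before a Decision is built, rather than trusting the constructor to reject them. The validator below is an added example and not part of the ssvc package; DECISION_POINTS, normaliseDecisionInput, partitionRecords and the sample rows are names and data chosen here, and lowercase spellings the README does not show (such as 'none' or 'super effective') are assumptions to verify against the installed version.

```typescript
// Added example, not part of the ssvc package: normalise and validate untrusted
// triage rows before calling `new Decision({...})`. Spellings not shown in the
// README ('none', 'super effective', ...) are assumptions to verify.
type Methodology = 'CISA' | 'FIRST';
const DECISION_POINTS: Record<Methodology, Record<string, readonly string[]>> = {
  CISA: { exploitation: ['none', 'poc', 'active'], automatable: ['no', 'yes'],
          technical_impact: ['partial', 'total'], mission_wellbeing: ['low', 'medium', 'high'] },
  FIRST: { exploitation: ['none', 'poc', 'active'], technical_impact: ['partial', 'total'],
           utility: ['laborious', 'efficient', 'super effective'],
           safety_impact: ['none', 'minor', 'major', 'hazardous', 'catastrophic'] },
};
// Returns a constructor-ready input or throws naming the offending field, so a bad
// row is quarantined instead of being silently triaged with a default value.
function normaliseDecisionInput(raw: Record<string, unknown>): Record<string, string> {
  const methodology = String(raw.methodology ?? '').trim().toUpperCase();
  if (methodology !== 'CISA' && methodology !== 'FIRST') {
    throw new Error(`unknown methodology '${String(raw.methodology)}'`);
  }
  const points = DECISION_POINTS[methodology];
  const out: Record<string, string> = { methodology };
  for (const field in points) {
    const value = String(raw[field] ?? '').trim().toLowerCase(); // ' POC ' -> 'poc'
    if (points[field].indexOf(value) === -1) {
      throw new Error(`${methodology}.${field}: unexpected value '${value}'`);
    }
    out[field] = value;
  }
  // A decision point from the other tree (e.g. safety_impact on a CISA row) usually
  // means the exporter mixed the methodologies up; reject the row rather than drop it.
  for (const field in raw) {
    if (field !== 'methodology' && !(field in points)) {
      throw new Error(`${methodology}: '${field}' is not a ${methodology} decision point`);
    }
  }
  return out;
}
// Splits a batch so one bad row does not abort the whole triage run.
function partitionRecords(records: Record<string, unknown>[]) {
  const ready: Record<string, string>[] = [], rejected: string[] = [];
  for (const record of records) {
    try { ready.push(normaliseDecisionInput(record)); }
    catch (err) { rejected.push((err as Error).message); }
  }
  return { ready, rejected };
}
// Constructed sample batch: a FIRST row with sloppy casing, and a CISA row that
// carries a FIRST-only field and must therefore be rejected.
const SAMPLE_RECORDS: Record<string, unknown>[] = [
  { methodology: 'first', exploitation: ' POC ', utility: 'Efficient', technical_impact: 'partial', safety_impact: 'major' },
  { methodology: 'CISA', exploitation: 'poc', automatable: 'no', technical_impact: 'partial', mission_wellbeing: 'medium', safety_impact: 'major' },
];
```

Each entry in `ready` can be passed straight to `new Decision(...)`; the `rejected` messages identify which field to fix in the source data.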
