Major modifications to the vuln graph to handle clearer representatio…

…ns of type/subtype/values/properties. Also added changes to handle issues #3, #15, #9, #16 and #14
usnistgov · Aug 31, 2018 · a845d08 · a845d08
1 parent 814c715
commit a845d08
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 6 deletions.
diff --git a/specification/figures/vulntology-graph.vsdx b/specification/figures/vulntology-graph.vsdx
diff --git a/specification/introduction/03-explanation.md b/specification/introduction/03-explanation.md
@@ -6,6 +6,8 @@ The vulntology framework is composed of simple components described below:
 
 **Objects**: A Conceptual entity; Objects can be related to other objects, have types, and properties. A list of Objects defined by the Vulntology framework is located under the [objects](../objects) directory. Each object, such as [Vulnerability](../objects/vulnerability.md) can have multiple properties and/or relationships with other components. 
 
+**Type/SubType**: Types and subtypes are categorizations and/or groupings of values. Subtypes are applicable to a specific value within a parent Type.
+
 **Values**: An explicit characteristic used to describe a detail of a Type or SubType. A list of value sets defined by the Vulntology framework is located under the [values](../values) directory. Values are contained within Type and SubType groups such as [Theatre](../values/theater.md).
 
 **Relationships**: A connection relating one object to another. relationships retain an expected cardinality or One to Many or Zero to Many.

diff --git a/specification/objects/vulnerability-identifier.md b/specification/objects/vulnerability-identifier.md
@@ -0,0 +1,12 @@
+# Vulnerability Identifier Object
+
+Examples include a knowledge base article number, patch number, a bug tracking database identifier or a common identifier such as a Common Vulnerabilities and Exposures (CVE) identifier. CVE is a widely adopted identifier used across many organizations.
+
+## Properties
+- **Identification Scheme** (one): a namespace and/or scheme to identify the rules regading how a given Vulnerability identifier should be enumerated. 
+- **Identifier Value** (one or many): The enumeration of the vulnerability ID based on the identification scheme 
+
+
+## Relationships
+
+N/A
diff --git a/specification/objects/vulnerability.md b/specification/objects/vulnerability.md
@@ -2,15 +2,13 @@
 
 A Vulnerability is any weakness in the computational logic found in products or devices that could be exploited by a threat source.
 
-An identifier for a vulnerability supplied by a source.
-
-Examples include a knowledge base article number, patch number, a bug tracking database identifier or a common identifier such as a Common Vulnerabilities and Exposures (CVE) identifier. CVE is a widely adopted identifier used across many organizations.
-
 ## Properties
 
 - **Sector of Interest** (zero or many): Supplemental information identifying potential sectors or use cases where the Vulnerability could have an impact. (See [Sector of Interest](../values/sector-of-interest.md))
-- **Known Chain** (zero or many): An identifier for another known Vulnerability that can be used in conjunction with the Vulnerability in question to achieve a different and likely greater impact. (See [Known Chain](../values/known-chain.md))
+
 
 ## Relationships
 
-* hasScenario: (one or many) [Scenario](scenario.md) values shall be associated with Vulnerability.
+* knownChain (zero or many): An identifier for another known Vulnerability that can be used in conjunction with the Vulnerability in question to achieve a different and likely greater impact
+* identifiedBy (one or many):  [Vulnerability Identifiers](vulnerability-identifier) may be associated with Vulnerability
+* hasScenario (one or many): [Scenarios](scenario.md) shall be associated with Vulnerability.