A comprehensive Python implementation of the Stakeholder-Specific Vulnerability Categorization (SSVC) framework with a plugin-based architecture supporting multiple decision methodologies, vector string representation, and JSON schema validation.
SSVC is available in multiple programming languages:
- Python: This library - python-ssvc
- TypeScript: typescript-ssvc
- Go: 🚧 In Development
# Using pip
pip install ssvc
# Using uv (recommended for development)
uv add ssvc
# Using Poetry
poetry add ssvc
# Using Pipenv
pipenv install ssvc
# Using Conda
conda install -c conda-forge ssvc# Clone and install from GitHub source
git clone https://github.com/Vulnetix/python-ssvc.git
cd python-ssvc
uv sync
uv run python -m pip install -e .
# For development with all tools
just dev-installNew AI Methodology Available! We've recently added support for an AI-specific SSVC methodology designed for vulnerability assessment in artificial intelligence systems. This methodology addresses unique AI security considerations including:
- Model Exploitation: Assessment of AI model-specific attack vectors
- Training Data Impact: Evaluation of vulnerabilities in training datasets
- AI Safety Concerns: Consideration of AI alignment and safety risks
- Automated Decision Impact: Assessment of consequences from AI-driven decisions
The AI methodology is available alongside traditional cybersecurity methodologies and uses the same simple API. See the AI methodology documentation for complete usage examples and decision trees.
Here's a comprehensive example showing the library's key features:
import ssvc
# 1. List all available methodologies
print("Available SSVC methodologies:")
for methodology in ssvc.list_methodologies():
print(f" - {methodology}")
# 2. CISA methodology for enterprise vulnerability management
print("\n=== CISA Enterprise Assessment ===")
cisa_decision = ssvc.Decision(
methodology='cisa',
exploitation='active', # Exploits available in the wild
automatable='yes', # Can be automated by attackers
technical_impact='total', # Complete system compromise possible
mission_wellbeing_impact='high' # Significant organizational impact
)
print(f"Decision: {cisa_decision.outcome.action.value}")
print(f"Priority: {cisa_decision.outcome.priority.value}")
print(f"Vector: {cisa_decision.to_vector()}")
# 3. Coordinator triage for vulnerability disclosure
print("\n=== Coordinator Triage Assessment ===")
coord_decision = ssvc.Decision(
methodology='coordinator_triage',
report_public='no', # Report not yet public
supplier_contacted='yes', # Vendor has been notified
report_credibility='credible', # Report appears legitimate
supplier_cardinality='multiple', # Affects multiple vendors
utility='super_effective', # High exploit utility for attackers
public_safety_impact='significant' # Could impact public safety
)
print(f"Decision: {coord_decision.outcome.action.value}")
print(f"Priority: {coord_decision.outcome.priority.value}")
# 4. Supplier assessment for patch development prioritization
print("\n=== Supplier Patch Development ===")
supplier_decision = ssvc.Decision(
methodology='supplier',
exploitation='poc', # Proof of concept exists
utility='efficient', # Moderately useful to attackers
technical_impact='partial', # Limited system access
public_safety_impact='minimal' # Low public safety risk
)
print(f"Decision: {supplier_decision.outcome.action.value}")
print(f"Priority: {supplier_decision.outcome.priority.value}")
# 5. Vector string parsing and data exchange
print("\n=== Vector String Operations ===")
vector_string = cisa_decision.to_vector()
print(f"Generated vector: {vector_string}")
# Parse the vector back into a decision
parsed_decision = ssvc.Decision.from_vector(vector_string)
print(f"Parsed action: {parsed_decision.outcome.action.value}")
print(f"Decisions match: {cisa_decision.outcome.action == parsed_decision.outcome.action}")
# 6. Error handling and validation
print("\n=== Input Validation ===")
try:
invalid_decision = ssvc.Decision('cisa', exploitation='invalid_value')
except ValueError as e:
print(f"Validation error caught: {e}")
# 7. Case-insensitive input handling
print("\n=== Case-Insensitive Input ===")
flexible_decision = ssvc.Decision(
methodology='CISA', # Uppercase methodology
exploitation='ACTIVE', # Uppercase parameters
automatable='No', # Mixed case
technical_impact='total', # Lowercase
mission_wellbeing_impact='HIGH' # Uppercase
)
print(f"Flexible input result: {flexible_decision.outcome.action.value}")Output:
Available SSVC methodologies:
- ai_llm_triage
- cisa
- coordinator_triage
- coordinator_publication
- supplier
- deployer
=== CISA Enterprise Assessment ===
Decision: act
Priority: immediate
Vector: CISAv1/E:A/A:Y/T:T/M:H/2025-08-29T17:53:26.057876/
=== Coordinator Triage Assessment ===
Decision: coordinate
Priority: high
=== Supplier Patch Development ===
Decision: scheduled
Priority: medium
=== Vector String Operations ===
Generated vector: CISAv1/E:A/A:Y/T:T/M:H/2025-08-29T17:53:26.057876/
Parsed action: act
Decisions match: True
=== Input Validation ===
Validation error caught: 'INVALID_VALUE' is not a valid ExploitationStatus
=== Case-Insensitive Input ===
Flexible input result: act
The Stakeholder-Specific Vulnerability Categorization (SSVC) framework was developed by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute to address the limitations of traditional vulnerability scoring systems like CVSS.
Key Problems SSVC Solves:
- Context-Specific Decisions: Unlike CVSS which provides universal scores, SSVC recognizes that vulnerability prioritization depends heavily on the stakeholder's role and context
- Decision-Oriented: Focuses on actionable outcomes rather than abstract numeric scores
- Qualitative Assessment: Uses meaningful categories instead of potentially misleading precision of numeric scales
- Multiple Perspectives: Provides different decision models for different stakeholder roles (CISA, Coordinators, Suppliers, Deployers)
- Practical Decision Making: Provides clear, actionable guidance rather than numeric scores that require interpretation
- Stakeholder-Specific: Different methodologies for different organizational roles and responsibilities
- Evidence-Based: Built on research into how vulnerability management decisions are actually made
- Transparent Logic: Decision trees make the reasoning process explicit and auditable
- Community Endorsed: Adopted by CISA and other major cybersecurity organizations
This library supports multiple SSVC methodologies through a plugin-based architecture:
| Methodology | Description | Documentation | Official Source |
|---|---|---|---|
| AI LLM Triage | AI-specific vulnerability triage for ML LLMs | docs/ai_llm_triage.md | NIST AI Risk Management |
| CISA | CISA Stakeholder-Specific Vulnerability Categorization | docs/cisa.md | CISA SSVC Guide |
| Coordinator Triage | CERT/CC Coordinator Triage Decision Model | docs/coordinator_triage.md | CERT/CC Coordinator Triage |
| Coordinator Publication | CERT/CC Coordinator Publication Decision Model | docs/coordinator_publication.md | CERT/CC Publication Decision |
| Supplier | CERT/CC Supplier Decision Model for patch prioritization | docs/supplier.md | CERT/CC Supplier Tree |
| Deployer | CERT/CC Deployer Decision Model for patch deployment | docs/deployer.md | CERT/CC Deployer Tree |
Each methodology documentation includes:
- Complete Decision Tree Diagrams (Mermaid format for GitHub rendering)
- Decision Point Descriptions and valid values with examples
- Priority Mappings showing how actions map to priority levels
- Usage Examples with comprehensive code samples
- Vector String Support with parameter abbreviations and format
- File Integrity Verification with SHA1 checksums
- References to official methodology sources and specifications
import ssvc
# List all available methodologies
methodologies = ssvc.list_methodologies()
print("Available methodologies:", methodologies)
# Output: ['ai_llm_triage', 'cisa', 'coordinator_triage', 'coordinator_publication', 'supplier', 'deployer']
# CISA Methodology - Government/Enterprise vulnerability prioritization
decision = ssvc.Decision(
methodology='cisa', # Can be omitted (CISA is default)
exploitation='active',
automatable='no',
technical_impact='total',
mission_wellbeing_impact='high'
)
print(f"CISA Decision: {decision.outcome.action.value} (Priority: {decision.outcome.priority.value})")
# Output: CISA Decision: act (Priority: immediate)
# Coordinator Triage - Vulnerability coordination center decisions
decision = ssvc.Decision(
methodology='coordinator_triage',
report_public='no',
supplier_contacted='yes',
report_credibility='credible',
supplier_cardinality='multiple',
utility='super_effective',
public_safety_impact='significant'
)
print(f"Coordinator Triage: {decision.outcome.action.value} (Priority: {decision.outcome.priority.value})")
# Output: Coordinator Triage: coordinate (Priority: high)
# Supplier Decision - Software vendor patch development prioritization
decision = ssvc.Decision(
methodology='supplier',
exploitation='active',
utility='super_effective',
technical_impact='total',
public_safety_impact='significant'
)
print(f"Supplier Decision: {decision.outcome.action.value} (Priority: {decision.outcome.priority.value})")
# Output: Supplier Decision: immediate (Priority: immediate)
# Deployer Decision - IT organization patch deployment prioritization
decision = ssvc.Decision(
methodology='deployer',
exploitation='active',
system_exposure='open',
utility='super_effective',
human_impact='very_high'
)
print(f"Deployer Decision: {decision.outcome.action.value} (Priority: {decision.outcome.priority.value})")
# Output: Deployer Decision: immediate (Priority: immediate)
# Coordinator Publication - Coordinated disclosure timing decisions
decision = ssvc.Decision(
methodology='coordinator_publication',
supplier_involvement='uncooperative_unresponsive',
exploitation='active',
public_value_added='precedence'
)
print(f"Publication Decision: {decision.outcome.action.value} (Priority: {decision.outcome.priority.value})")
# Output: Publication Decision: publish (Priority: high)import ssvc
# Start with methodology, add parameters incrementally
decision = ssvc.Decision(methodology='cisa')
# Set parameters step by step (useful for interactive tools)
decision.exploitation = 'poc'
decision.automatable = 'yes'
decision.technical_impact = 'partial'
decision.mission_wellbeing_impact = 'medium'
# Evaluate when ready
outcome = decision.evaluate()
print(f"Result: {outcome.action.value} (Priority: {outcome.priority.value})")
# Output: Result: track (Priority: low)import ssvc
# All of these work (case-insensitive)
decision1 = ssvc.Decision('cisa', exploitation='ACTIVE', automatable='NO')
decision2 = ssvc.Decision('cisa', exploitation='active', automatable='no')
decision3 = ssvc.Decision('cisa', exploitation='Active', automatable='No')
# All produce the same result
print(decision1.exploitation == decision2.exploitation == decision3.exploitation)
# Output: Trueimport ssvc
try:
# Invalid methodology
decision = ssvc.Decision(methodology='invalid_method')
except ValueError as e:
print(f"Error: {e}")
# Output: Error: Unknown methodology: invalid_method
try:
# Invalid parameter value
decision = ssvc.Decision(methodology='cisa', exploitation='invalid_value')
except ValueError as e:
print(f"Error: {e}")
# Output: Error: 'INVALID_VALUE' is not a valid ExploitationStatusAll methodologies support SSVC vector strings for compact representation and data exchange:
import ssvc
# Create decision and generate vector string
decision = ssvc.Decision('cisa',
exploitation='active',
automatable='yes',
technical_impact='total',
mission_wellbeing_impact='high'
)
# Generate compact vector representation
vector = decision.to_vector()
print(vector)
# Output: CISAv1/E:A/A:Y/T:T/M:H/2025-08-29T17:53:26.057876/
# Parse vector string back to decision
parsed_decision = ssvc.Decision.from_vector(vector)
outcome = parsed_decision.evaluate()
print(f"Parsed result: {outcome.action.value} (Priority: {outcome.priority.value})")
# Output: Parsed result: act (Priority: immediate)Vector strings follow this format:
{methodology_prefix}v{version}/{parameter_abbreviations}/{timestamp}/
Examples by methodology:
- CISA:
CISAv1/E:A/A:Y/T:T/M:H/2025-08-29T17:53:26.057876/ - Coordinator Triage:
COORD_TRIAGEv1/RP:N/SC:Y/RC:C/CA:M/U:S/PS:S/2025-08-29T17:53:26.079151/ - Supplier:
SUPPLIERv1/E:A/U:S/T:T/PS:S/2025-08-29T17:53:26.082345/
- Data Storage: Compact database storage of SSVC decisions
- API Integration: RESTful API request/response payloads
- Logging: Structured logging of vulnerability decisions
- Reporting: CSV exports and data interchange
- Caching: Cache keys for decision results
All methodology definitions are validated against a comprehensive JSON schema:
# Schema location: src/ssvc/methodologies/schema.json
# Validates:
# - Methodology metadata (name, description, version, url)
# - Enum definitions and value consistency
# - Decision tree structure and completeness
# - Priority mappings and action definitions
# - Vector string metadata and parameter mappings
# Validation is automatic during plugin generation# Validate all YAML files against schema
uv run python scripts/validate_methodologies.py
# Or use the justfile
just validate-methodologies- Consistency: Ensures all methodologies follow the same structure
- Completeness: Validates that decision trees cover all possible paths
- Correctness: Catches errors in methodology definitions early
- Interoperability: Guarantees compatibility across different implementations
The CISA methodology uses a hierarchical decision tree to evaluate vulnerabilities:
flowchart LR
ExploitationStatus_1{ExploitationStatus}
AutomatableStatus_2{AutomatableStatus}
ExploitationStatus_1 -->|NONE| AutomatableStatus_2
TechnicalImpactLevel_3{TechnicalImpactLevel}
AutomatableStatus_2 -->|YES| TechnicalImpactLevel_3
MissionWellbeingImpactLevel_4{MissionWellbeingImpactLevel}
TechnicalImpactLevel_3 -->|TOTAL| MissionWellbeingImpactLevel_4
Action_ATTEND_5[ATTEND]
MissionWellbeingImpactLevel_4 -->|HIGH| Action_ATTEND_5
TechnicalImpactLevel_6{TechnicalImpactLevel}
AutomatableStatus_2 -->|NO| TechnicalImpactLevel_6
MissionWellbeingImpactLevel_7{MissionWellbeingImpactLevel}
TechnicalImpactLevel_6 -->|TOTAL| MissionWellbeingImpactLevel_7
Action_TRACK_STAR_8[TRACK_STAR]
MissionWellbeingImpactLevel_7 -->|HIGH| Action_TRACK_STAR_8
AutomatableStatus_9{AutomatableStatus}
ExploitationStatus_1 -->|ACTIVE| AutomatableStatus_9
TechnicalImpactLevel_10{TechnicalImpactLevel}
AutomatableStatus_9 -->|YES| TechnicalImpactLevel_10
MissionWellbeingImpactLevel_11{MissionWellbeingImpactLevel}
TechnicalImpactLevel_10 -->|TOTAL| MissionWellbeingImpactLevel_11
Action_ACT_12[ACT]
MissionWellbeingImpactLevel_11 -->|HIGH| Action_ACT_12
CISA Methodology Decision Points:
- Exploitation Status (NONE, POC, ACTIVE)
- Current state of exploit availability and usage
- Automatable Status (YES, NO)
- Whether the vulnerability can be exploited automatically
- Technical Impact Level (PARTIAL, TOTAL)
- Scope of system compromise possible
- Mission & Wellbeing Impact Level (LOW, MEDIUM, HIGH)
- Impact on organizational mission and public wellbeing
Resulting Actions:
- TRACK: Monitor vulnerability, no immediate action required (Priority: LOW)
- TRACK* Monitor with enhanced attention (Priority: MEDIUM)
- ATTEND: Schedule remediation in current cycle (Priority: MEDIUM)
- ACT: Immediate action required (Priority: IMMEDIATE)
When designing decision methodologies, SSVC uses qualitative categorical values rather than quantitative ranges for several important reasons:
-
Manageable Complexity: Quantitative ranges exponentially increase decision tree complexity. A 0-10 scale creates 11 branches per node, making trees unwieldy quickly.
-
Practical Decision-Making: Qualitative categories align with human decision-making. Rather than scoring something as "7.3", decision-makers can reliably assess "High" vs "Critical".
-
Clear Boundaries: Qualitative categories provide clearer decision boundaries. Numeric scores can have arbitrarily close values (6.9 vs 7.0) falling on different sides of decision points.
-
Reduced Overconfidence: Numeric scoring can create false precision. Qualitative categories better reflect inherent uncertainty in vulnerability assessment.
Some users may want to integrate CVSS scores directly into decision trees, but this is problematic:
- CVSS has 100 possible values (0.0-10.0), creating 100 branches per node
- This makes trees exponentially complex and harder to maintain
- Decision processes become less transparent and harder to explain
Better approach: Use qualitative mappings of quantitative scores:
# Example: CVSS to qualitative severity mapping
cvss_to_severity = {
(0.0, 3.9): 'low',
(4.0, 6.9): 'medium',
(7.0, 8.9): 'high',
(9.0, 10.0): 'critical'
}This preserves quantitative analysis benefits while maintaining decision tree usability.
The library maintains backward compatibility with the original API while encouraging migration to the new plugin-based system:
# Legacy API - shows deprecation warnings but still works
from ssvc import ExploitationLevel, Automatable, TechnicalImpact, MissionWellbeingImpact
from ssvc import LegacyDecision # Shows deprecation warning
decision = LegacyDecision(
ExploitationLevel.ACTIVE,
Automatable.NO,
TechnicalImpact.TOTAL,
MissionWellbeingImpact.HIGH
)Old approach:
from ssvc import LegacyDecision, ExploitationLevel, Automatable
decision = LegacyDecision(ExploitationLevel.ACTIVE, Automatable.NO, ...)New approach:
import ssvc
decision = ssvc.Decision('cisa', exploitation='active', automatable='no', ...)The library supports extensible methodologies through a YAML-based plugin system:
name: "Your Methodology Name"
description: "Brief description of methodology purpose"
version: "1.0"
url: "https://example.com/methodology-docs"
enums:
DecisionPointName:
- VALUE_ONE
- VALUE_TWO
- VALUE_THREE
ActionType:
- ACTION_ONE
- ACTION_TWO
- ACTION_THREE
DecisionPriorityLevel:
- LOW
- MEDIUM
- HIGH
priorityMap:
ACTION_ONE: LOW
ACTION_TWO: MEDIUM
ACTION_THREE: HIGH
decisionTree:
type: DecisionPointName
children:
VALUE_ONE: ACTION_ONE
VALUE_TWO:
type: AnotherDecisionPoint
children:
OPTION_A: ACTION_TWO
OPTION_B: ACTION_THREE
VALUE_THREE: ACTION_THREE
defaultAction: ACTION_ONE
# Vector string support (optional)
vectorMetadata:
prefix: CUSTOM
version: v1
parameterMappings:
decision_point_name:
abbrev: D
enumType: DecisionPointName
valueMappings:
VALUE_ONE: V1
VALUE_TWO: V2
VALUE_THREE: V3-
Metadata Fields:
name: Human-readable methodology namedescription: Brief purpose descriptionversion: Version string (e.g., "1.0")url: Reference URL for methodology documentation
-
Enums Section:
- Define all decision points as enum classes
- Must include
ActionTypeenum for possible actions - Must include priority enum ending with "PriorityLevel"
- Use UPPERCASE values, quote boolean-like values (
"YES","NO")
-
Priority Map Section:
- Maps each action to priority level
- Keys must match
ActionTypeenum values - Values must match priority enum values
-
Decision Tree Section:
- Hierarchical tree structure
- Each node has
type(enum name) andchildren(value mappings) - Leaf nodes contain action names directly
- Non-leaf nodes contain nested decision structures
-
Default Action:
- Fallback action for unmapped decision paths
- Must match an
ActionTypeenum value
-
Vector Metadata (Optional):
- Enables vector string support
- Defines parameter abbreviations and value mappings
- Required for
to_vector()andfrom_vector()methods
# 1. Create YAML file in methodologies directory
# src/ssvc/methodologies/my_methodology.yaml
# 2. Validate against schema
just validate-methodologies
# 3. Generate Python plugin
just generate-plugins
# 4. Generated files:
# - src/ssvc/plugins/my_methodology.py (Python code)
# - docs/my_methodology.md (Documentation)
# 5. Test your methodology
python -c "
import ssvc
decision = ssvc.Decision('my_methodology', param1='value1', param2='value2')
print(decision.outcome.action.value)
"The generator creates:
- Enum classes for all decision points
- Priority mapping dictionary
- Outcome class with priority/action mapping
- Decision class with parameter validation and case-insensitive input
- Decision tree traversal logic with complete path coverage
- Vector string methods (if metadata provided)
- Comprehensive documentation with Mermaid diagrams and usage examples
Plugins are automatically discovered and registered:
- Auto-discovery: Library scans
src/ssvc/plugins/directory at import - Registration: Registers Decision classes found in plugin modules
- Usage: Access via
ssvc.Decision(methodology='plugin_name') - Listing: View all available via
ssvc.list_methodologies()
Ensure comprehensive testing for new methodologies:
import pytest
import ssvc
def test_custom_methodology_complete_coverage():
"""Test all decision paths in custom methodology."""
# Test each possible combination of inputs
test_cases = [
{'param1': 'value1', 'param2': 'option_a', 'expected': 'action_one'},
{'param1': 'value2', 'param2': 'option_b', 'expected': 'action_two'},
# ... cover all decision tree paths
]
for case in test_cases:
decision = ssvc.Decision('custom', **{k: v for k, v in case.items() if k != 'expected'})
assert decision.outcome.action.value == case['expected']
def test_custom_methodology_vector_strings():
"""Test vector string generation and parsing."""
decision = ssvc.Decision('custom', param1='value1', param2='option_a')
vector = decision.to_vector()
# Parse back and verify equivalence
parsed = ssvc.Decision.from_vector(vector)
assert parsed.outcome.action.value == decision.outcome.action.value
def test_custom_methodology_edge_cases():
"""Test error handling and validation."""
with pytest.raises(ValueError):
ssvc.Decision('custom', param1='invalid_value')To contribute a methodology to the official library:
- YAML Definition: Well-structured methodology following schema
- Official Source: Link to authoritative methodology documentation
- Complete Testing: 100% code coverage for all decision paths
- Clear Documentation: Usage examples and methodology overview
- Validation: All existing tests must continue passing
- Fork Repository: github.com/Vulnetix/python-ssvc
- Create YAML: Define methodology in
src/ssvc/methodologies/ - Generate Plugin: Run generator to create Python code
- Add Tests: Comprehensive test coverage in
tests/ - Update Documentation: Add methodology to README and docs
- Submit Pull Request: Include all generated files and tests
- Accuracy: Correct implementation of official methodology
- Completeness: Full decision tree coverage with no gaps
- Quality: Clean, well-documented, maintainable code
- Testing: Comprehensive test suite with edge cases
- Compatibility: No conflicts with existing methodologies
Approved methodologies become part of the official library distribution.
# Clone repository
git clone https://github.com/Vulnetix/python-ssvc.git
cd python-ssvc
# Setup development environment
uv sync
uv run python -c "import ssvc; print('SSVC ready for development!')"
# Install development tools
just dev-install
# Verify setup
just qa # Runs linting, type checking, and tests# Testing
just test # Run tests with coverage (requires 100%)
just check # Quick test run without coverage
just qa # Run all quality checks
# Plugin Development
just validate-methodologies # Validate YAML against schema
just generate-plugins # Generate plugins from YAML
just dev # Full development cycle
# Code Quality
just lint # Lint with ruff
just format # Format code with ruff
just typecheck # Type check with mypy
# Container Development
just container-build # Build dev container
just container-dev # Start container development session
just container-test # Run tests in container
# Security & Compliance
just sarif # Generate SARIF security reports
just sbom # Generate CycloneDX software bill of materials
# Build & Publish
just build # Build distribution packages
just publish # Complete publish workflow
just version # Show current versionpython-ssvc/
├── src/ssvc/ # Main library code
│ ├── __init__.py # Public API exports
│ ├── core.py # Plugin registry and Decision class
│ ├── legacy.py # Backward compatibility (deprecated)
│ ├── methodologies/ # YAML methodology definitions
│ │ ├── schema.json # JSON schema for validation
│ │ ├── cisa.yaml # CISA methodology
│ │ ├── coordinator_triage.yaml
│ │ ├── supplier.yaml
│ │ └── ...
│ └── plugins/ # Generated Python plugins
│ ├── __init__.py
│ ├── cisa.py # Generated from cisa.yaml
│ └── ...
├── tests/ # Test suite (100% coverage)
│ ├── test_ssvc.py # Core API tests
│ ├── test_ssvc_new.py # Plugin system tests
│ └── test_ssvc_legacy.py # Backward compatibility tests
├── docs/ # Generated documentation
│ ├── cisa.md # Generated from cisa.yaml
│ └── ...
├── scripts/ # Development utilities
│ ├── generate_plugins.py # YAML to Python generator
│ └── validate_methodologies.py # Schema validator
├── justfile # Task runner commands
├── pyproject.toml # Project configuration
├── PYPI.md # PyPI package description
└── README.md # This file
The test suite ensures reliability across three areas:
tests/test_ssvc.py: Core functionality using new APItests/test_ssvc_new.py: Comprehensive plugin system teststests/test_ssvc_legacy.py: Backward compatibility tests
Test Coverage Areas:
- Plugin discovery and auto-registration
- Decision matrix tests for all methodology combinations
- Input validation and error handling
- Vector string generation and parsing
- Schema validation and YAML processing
- Cross-methodology compatibility
Coverage Requirement: 100% code coverage is enforced for all contributions.
- Main SSVC Site: certcc.github.io/SSVC
- CISA SSVC Guide: cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
- CERT/CC Documentation: certcc.github.io/SSVC/howto
- Original Paper: Design decisions for building a vulnerability management decision pipeline
- GitHub Repository: github.com/Vulnetix/python-ssvc
- PyPI Package: pypi.org/project/ssvc
- Issue Tracker: github.com/Vulnetix/python-ssvc/issues
- Discussions: github.com/Vulnetix/python-ssvc/discussions
- TypeScript Implementation: typescript-ssvc
- Official SSVC Tools: github.com/CERTCC/SSVC
Licensed under the Apache License 2.0. See LICENSE for the full license text.
We welcome contributions! Please see our Contributing Guidelines and Code of Conduct.
- Report Bugs: Use the issue tracker
- Feature Requests: Discuss new features in discussions
- Add Methodologies: Contribute new SSVC methodologies via pull request
- Improve Documentation: Help improve examples and explanations
- Code Quality: Help with testing, performance, or code organization
For major changes, please open an issue first to discuss the proposed changes.