ssvc
v0.1.3
TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or complement to CVSS.
This library provides a comprehensive solution for using the SSVC framework with both the CISA and FIRST methodologies. It includes examples of high, medium, and low severity decision prioritizations for each methodology.
Installation
npm install ssvc
Decision Trees
CISA
FIRST
Decision Class Usage Guide
The Decision class is used to evaluate cybersecurity decisions based on different methodologies. This guide demonstrates how to use the class with both CISA and FIRST methodologies.
Importing the Necessary Components
First, import the required classes and enums:
import {
  Decision,
  Exploitation,
  Automatable,
  Utility,
  TechnicalImpact,
  MissionWellbeingImpact,
  SafetyImpact,
  Methodology
} from 'ssvc';
Note: The Decision constructor also accepts string inputs for enum values, as the string-input examples below show.
CISA Methodology Examples
const cisaHigh = new Decision({
  methodology: Methodology.CISA,
  exploitation: Exploitation.ACTIVE,
  automatable: Automatable.YES,
  technical_impact: TechnicalImpact.TOTAL,
  mission_wellbeing: MissionWellbeingImpact.HIGH
});
console.log(cisaHigh.evaluate());
// Expected output: OutcomeCISA { action: 'Act', priority: 'immediate' }

const cisaStringInputs = new Decision({
  methodology: 'CISA',
  exploitation: 'active',
  automatable: 'yes',
  technical_impact: 'total',
  mission_wellbeing: 'high'
});
console.log(cisaStringInputs.evaluate());
// Expected output: OutcomeCISA { action: 'Act', priority: 'immediate' }

const cisaMedium = new Decision({
  methodology: Methodology.CISA,
  exploitation: Exploitation.POC,
  automatable: Automatable.NO,
  technical_impact: TechnicalImpact.PARTIAL,
  mission_wellbeing: MissionWellbeingImpact.MEDIUM
});
console.log(cisaMedium.evaluate());
// Expected output: OutcomeCISA { action: 'Track*', priority: 'medium' }
FIRST Methodology Examples
const firstHigh = new Decision({
  methodology: Methodology.FIRST,
  exploitation: Exploitation.ACTIVE,
  utility: Utility.SUPER_EFFECTIVE,
  technical_impact: TechnicalImpact.TOTAL,
  safety_impact: SafetyImpact.CATASTROPHIC
});
console.log(firstHigh.evaluate());
// Expected output: OutcomeFIRST { action: 'immediate', priority: 'immediate' }
Example 3: Low Severity Case
const firstStringInputs = new Decision({
  methodology: 'FIRST',
  exploitation: 'poc',
  utility: 'efficient',
  technical_impact: 'partial',
  safety_impact: 'major'
});
console.log(firstStringInputs.evaluate());
// Expected output: OutcomeFIRST { action: 'out-of-band', priority: 'medium' }
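Batch triage with the CISA string-input form shown above, as an added example that is not part of the ssvc package: scanner records are validated before they reach the Decision constructor, malformed records are rejected rather than defaulted, and the rest are ordered by the returned priority. The helper names, the 'none' and 'low' input spellings, and the 'high' and 'low' priority strings are assumptions; the evaluator is passed in so the block runs without the package installed.

```typescript
// Added example, not part of the ssvc package.
// Option keys and the { action, priority } outcome shape follow the README.
type CisaOptions = {
  methodology: 'CISA';
  exploitation: string;
  automatable: string;
  technical_impact: string;
  mission_wellbeing: string;
};
type Outcome = { action: string; priority: string };
type Finding = { cve: string } & Record<string, unknown>;

// Accepted strings per CISA decision point. 'none' and 'low' are assumed
// spellings; the README only shows the other values.
const ALLOWED: Record<string, string[]> = {
  exploitation: ['none', 'poc', 'active'],
  automatable: ['yes', 'no'],
  technical_impact: ['partial', 'total'],
  mission_wellbeing: ['low', 'medium', 'high'],
};
// 'immediate' and 'medium' appear in the README; 'high' and 'low' are assumed.
const RANK = ['immediate', 'high', 'medium', 'low'];

// Normalize one scanner record; throw instead of guessing a default value.
function toCisaOptions(f: Finding): CisaOptions {
  const out: Record<string, string> = { methodology: 'CISA' };
  for (const [key, allowed] of Object.entries(ALLOWED)) {
    const v = String(f[key] ?? '').trim().toLowerCase();
    if (!allowed.includes(v)) throw new Error(`${f.cve}: invalid ${key} "${v}"`);
    out[key] = v;
  }
  return out as CisaOptions;
}

// evaluate is injected; with the package installed, pass
//   (o) => new Decision(o).evaluate()
function triage(findings: Finding[], evaluate: (o: CisaOptions) => Outcome) {
  const queue: { cve: string; outcome: Outcome }[] = [];
  const rejected: string[] = [];
  for (const f of findings) {
    try {
      queue.push({ cve: f.cve, outcome: evaluate(toCisaOptions(f)) });
    } catch (e) {
      rejected.push(e instanceof Error ? e.message : String(e));
    }
  }
  // Unknown priority strings sort last so they are reviewed, not lost.
  const rank = (p: string) => { const i = RANK.indexOf(p); return i < 0 ? RANK.length : i; };
  queue.sort((a, b) => rank(a.outcome.priority) - rank(b.outcome.priority));
  return { queue, rejected };
}
```

Records listed in `rejected` need manual review; they were never scored, so they must not be read as low priority.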